A month or so ago, when I was trying to DCPromo a server to be a Domain Controller in my environment, I encountered an error that really freaked me out! Fatal Error Code 0x80010643.
The error message is:
“Attempt to install "Role/Feature Name" failed with error code 0x80010643. Fatal error during installation.”
I was like wow… Something wrong with my DNS? Or some firewall rules that my network engineer had amended wrongly?
But after troubleshooting for a while, I decided to perform the standard drill… removing our friend the antivirus software (FOR A WHILE)! And guess what? I could now DCPROMO! COOL~
Of course, after the DCPromo, I re-installed the antivirus software and patched it up to date!
Then today… another team asked me if we had encountered an issue when adding Windows Deployment Services (WDS).
I looked at the error message and the error code was the same. This time, we searched online and found that McAfee had acknowledged that it is a bug and published an article on their knowledge base website as follows:
So, if your environment has the following combination:
- McAfee VirusScan Enterprise 8.8 (unpatched)
- McAfee VirusScan Enterprise 8.7 (with Patch 5)
- Microsoft Windows 2008 R2
Please follow the instructions as stated in the McAfee Knowledgebase. Either upgrade to VSE 8.8 Patch 2 or… perform the workaround as follows:
-------------- Extracted from the Website ----------------------------
Use the following steps to temporarily disable the rule triggered during the Windows Role or Feature installation:
- Disable Report and Block on Access Protection Rules that protect McAfee processes and directories:
  - Click Start, Programs, McAfee, VirusScan Console.
  - Right-click Access Protection, and select Properties.
  - Select Common Standard Protection.
  - Deselect Report and Block for Prevent modification of McAfee files and settings.
  - Deselect Report and Block for Prevent termination of McAfee processes.
  - Click OK.
  - Exit the VirusScan Console.
- Install the Windows Role or Feature.
- Revert back to the previous configuration:
  - Enable Report and Block on Access Protection Rules that protect McAfee processes and directories.
-------------- Extracted from the Website ----------------------------
Have fun folks!… Now, we need to work on a plan to upgrade VSE~
I was troubleshooting a recent issue on AD replication. What we found out is that we actually needed to open up the following ports on our firewall appliance.
TCP-UDP 135 and TCP 5722
Note: TCP 5722 is needed for Windows Server 2008 domain controllers.
One may want to take note of TCP-UDP 135. According to the TechNet website, it only indicates TCP 135. But based on our sniffing of the network while troubleshooting, we needed to turn on UDP 135 too. Weird. Maybe someone can confirm this too?
Refer to the website:
Just want to record this down on my blog so that I can use this again.
I encountered a scenario where I needed to group items in a certain way for a recent report that uses Microsoft Excel.
1. Group by Item Type
2. Group by Year and Month
3. Sum up the Qty of the Item
The item type is nothing special. The challenge is that in the raw data Excel sheet, the date is in the format DD/MM/YYYY but I need it to be YYYYMMM.
I tried to play with formulae such as =Year()&Month() and tried changing the date format… It did not turn out the way I wanted.
By changing the date format, I almost got it, but when I used the raw data for a pivot table, the original date format appeared with the “days” and I did not manage to group the items by YYYYMMM format.
Screen shot below shows what I mean:
Using Custom Format to “YYYYMMM”
Yup… It works. But…
Under the pivot table, it shows the actual date again. NOT what I want!
I know I can always copy and paste the values back, but I want something faster. So, I explored formulae further.
So… what formula did I use in the end in Microsoft Excel?
=TEXT(CELL, "yyyymmm")
The screenshot below shows the formula I used to convert my cell containing the date.
With that, even under my pivot table, the data can be grouped accordingly!
YES! With that, I can do my data analysis faster!
Finally, the approach has matured thanks to my team-mates – Lee Chung Ming and Lim Choon Seng. They found the way to inject the printer driver into the Windows 7 client machine, overcoming UAC.
Here, on my blog, I will share what my team is doing to deploy printers via GPO and GPP to more than 1000 Windows 7 machines in the same domain.
Understand the Fundamentals - Revisit the Manual Way to Set Up a TCPIP Printer
First, let's visit the fundamentals: what we have been doing when we tried to install a TCPIP printer on a Windows 7 machine.
As shown in the picture below, we need to have the network configuration of the TCPIP printer, the drivers of the printer (32-bit or 64-bit) and, of course, an administrative account to install the printer via UAC.
Translate Manual Setup to Settings in GPO and GPP and Necessary Setup in the backend Infrastructure
Part 1 - Injection of Drivers to Client Machine – How?
You will need a Print Server to share out the TCPIP printers so that clients can obtain 32-bit or 64-bit drivers via GPP and GPO (64-bit drivers depend on availability from the printer manufacturer), and of course for the later GPP to inject the TCPIP printer.
Step 1 – Add Role – Print Management
Step 2 – Add Driver – both 32-bit and 64-bit – via the Add Driver Wizard
Step 3 – Share out the driver
Step 4 – Add Printer (TCPIP) via the Wizard
Note – Add the printer only when the print server is able to communicate with it, to increase the success rate of printing after the printer is installed on the client machine. Why? It is best for the print server to determine the print processor.
Part 2 - Installation of Printer and Network Settings to Client Machine – How?
Create a GPO that will have GPP setting to inject the TCPIP Printer with network settings.
*For Print Server – FQDN
Part 3 - GPO Settings to overcome UAC in Windows 7
In the same GPO that contains Part 1’s GPP setting, configure the following GPO setting. This GPO setting directs the client machine to the print server to download the printer driver and overcomes UAC during installation of the printer driver.
Computer Configuration > Administrative Template … > Printers > Point and Print Restrictions
Deploy TCPIP Printer to Client!
After completing Part 1 to Part 3, you are ready to deploy the TCPIP printer by linking the GPO to the OU that contains the computer objects you wish to target for the installation!
After you link the GPO, on a client machine that is connected to the correct network, you can run the command “GPUPDATE /FORCE” and see the printer appearing under the “Devices and Printers” window.
Simple Troubleshooting Tips
If the printer does not appear, check the FQDN that you have entered under the GPO and GPP. And remember to share out the driver on your Print Server!
If you do not want the printer to keep reappearing, or you are deploying many printers, please explore the setting under the GPP – “Apply Once Only”!
Recently I got many questions about how GPO works… Why does it not work that way… Why is the Computer Configuration setting not working, and more.
I started to think and realised that the root cause is that those people are not familiar with the basics~ You will be shocked that IT Pros here may have been managing their IT environment for years but know nothing about Group Policy Objects.
I guess once I am done with the major project I am handling now, I will start to push more sharing sessions on how to use GPO to manage the environment.
Well, after much thought, before we talk about the individual settings within the GPO, which run to thousands of lines, I feel that one should know what comes first, which is GPO processing and precedence.
Many, many years ago when I started to explore the power of GPO, no one in my team really knew how it worked and I really hit a lot of “walls”.
So for those who are new to GPO and always have questions on why this setting is overwritten by another GPO, you may want to read and understand the following articles from TechNet:
My suggestion is to draw out a diagram while you are reading it, to better understand the flow.
Start simple, and then do some paper exercises by adding more GPOs with different settings.
To add on, please read the following settings to learn more rules when configuring GPOs – “Loopback processing with merge or replace”
By understanding the logic of when to use “Loopback with Replace” and “Loopback with Merge”, you can understand how you should arrange your OUs and link your GPOs.
Oh… almost forgot – please read up on GPP too! Download the document on GPP and understand the difference – the document is great~ Just that you have to spend some time to read it. But please understand the above fundamentals first!
Link to download GPP Documentation from Microsoft:
Ok! Time to get back to my work now… I will start to prepare my sharing session on how to use GPO and GPP to deploy TCPIP printers this weekend~ FUN!
Last night… I was shocked to see that some of my groups had been shifted \ landed up in the wrong OUs in my Active Directory.
I have approximately 300 OUs and there are just so many groups to be moved back to their respective OUs…
This is where PowerShell cmdlets come in handy! Imagine using VBScripts… Yes, we can do it. But the script needs to be modified and it is quite lengthy~
In my environment, I am using the Quest AD cmdlets… I find them easier to use. Just imagine, for VBScript, you will need to comb through the whole AD for the user group and compare before you know where to move it to. For PowerShell, you just need one line, as there is a ready cmdlet that does what I want!!
Here is the command I use:
Get-QADObject <Group Name> -type Group | Move-QADObject -to <FQDN of Domain>/OU_01_LEVEL/OU_02_LEVEL
<Group Name> – just state the group you want to move.
For my case, I am looking for groups that start with the site code “ABCD_”
My command will be:
Get-QADObject ABCD`_* -type Group | Move-QADObject -to tanchee.panda.local/OU_01_LEVEL/OU_02_LEVEL
This command will search the whole domain for groups like “ABCD_Tan”, “ABCD_Chee” and “ABCD_PAN” and move the groups to the target “tanchee.panda.local/OU_01_LEVEL/OU_02_LEVEL”
So… is there anything stopping you as an AD administrator from learning PowerShell? STOP THINKING AND GIVING YOURSELF REASONS… START LEARNING AND START PLAYING WITH POWERSHELL!
Tested working in 2008 R2 and 2003 AD environments.
Link to download the Quest PowerShell cmdlets (free) for Active Directory:
I was busy writing a PowerShell script and met some issues… Troubleshot for a while and wondered what went wrong till I looked carefully at what I was using… We had a good laugh in the end… I had used the single quote as the escape character instead of the back quote… LOL~
So, I think I will share this information with you all~ And to remind myself of my silly mistake…
The escape character for PowerShell is the back quote - “ ` ” - the button on the left of “1” on the keyboard (my laptop).
Just in case you are not sure where the single quote is - “ ‘ ” - the button on the left of the “Enter” button on the keyboard.
One good website to share:
The website has good examples to explain when to use double quotes and single quotes too! Good one!
So, Happy Reading and Scripting!!
Today, yes… today (Sat), I got a last-minute request to set all the users’ “password never expires” to “yes” for a short period of time.
The AD I am working on consists of several OUs containing users (approx 100 per OU). About 100 OUs.
So, too lazy to write a script (VBScript), I thought of the DSquery and DSmod commands that can do the trick!
Happily preparing my batch file that will comb through all the OUs and modify the users’ settings using the following command:
dsquery user "OU=TanCheeOU,dc=Tan,dc=Chee" | dsmod user -pwdneverexpires yes
So, when I was testing in my development environment, I just had a weird thought… What if the user has not changed password because the account is newly created?
Why am I concerned? The reason is that one can never set “Password never expires” if “User must change password at next logon” is set!! If you insist on setting “Password never expires”, the other option will be “unchecked” (not set). <Screenshot below shows what happens if you do it the GUI way>
What could be the possible impact if I were to run the DS command?
This is what will happen – examples:
After running the command, the user accounts in the AD will change as follows:
For account A, which does not have “User must change password at next logon” set, “Password never expires” will be set (checked).
For account B, which has “User must change password at next logon” set, that setting will be cleared and “Password never expires” will be set (checked).
Account A logs on to the machine as usual.
Account B logs on to the machine and starts using the account, and will not get prompted to change password at next logon.
After a period of time… when we need to revert the setting using the command:
dsquery user "OU=TanCheeOU,dc=Tan,dc=Chee" | dsmod user -pwdneverexpires no
After running the command, the user accounts in the AD will change as follows:
For account A, which does not have “User must change password at next logon” set, that setting will remain unchecked; and “Password never expires” will be cleared (unchecked).
For account B, which had “User must change password at next logon” set, that setting will be reverted (checked); and “Password never expires” will be cleared (unchecked).
So… end-user experience (the impact arises…)
Account A will log on as usual.
Account B will be prompted to change password at the next logon!!! Oh my!!
I must write a script to check whether the user’s “must change password at next logon” is set, before setting “password never expires” to YES~
One method if you do not know how to write VBScript…
Use the DSquery | DSget commands to get the list of users from all the OUs.
Massage the data using Excel… Then use DSquery | DSmod to set the setting!
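As an added example (not the post’s batch file), the check the post calls for can be done directly in PowerShell: the “User must change password at next logon” flag is simply pwdLastSet = 0, so the script snapshots that flag per user, skips those accounts, and reverts from the snapshot instead of a blanket “no”. It assumes the ActiveDirectory module from Windows Server 2008 R2 RSAT; the OU DN and the CSV path are constructed placeholders.

```powershell
# Added example, not the blog author's script. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 RSAT). "OU=TanCheeOU,DC=Tan,DC=Chee" is the DN used in
# the post; the state file path is a constructed placeholder.
Import-Module ActiveDirectory

$SearchBase = "OU=TanCheeOU,DC=Tan,DC=Chee"
$StateFile  = "C:\Temp\pwdneverexpires_state.csv"

# pwdLastSet = 0 is exactly the "User must change password at next logon" flag.
# Setting PasswordNeverExpires on such an account silently clears that flag
# (account B in the post), so the flag is recorded before anything is changed.
function Get-PasswordState {
    param([string]$Base)
    Get-ADUser -Filter * -SearchBase $Base -Properties pwdLastSet, PasswordNeverExpires |
        Select-Object DistinguishedName,
            @{ n = 'MustChangeAtLogon';  e = { $_.pwdLastSet -eq 0 } },
            @{ n = 'NeverExpiresBefore'; e = { [bool]$_.PasswordNeverExpires } }
}

function Set-TemporaryNeverExpires {
    param([string]$Base, [string]$Path)
    $state = Get-PasswordState -Base $Base
    $state | Export-Csv -Path $Path -NoTypeInformation   # snapshot used by the revert
    foreach ($u in $state) {
        if ($u.MustChangeAtLogon) {
            # Account B: leave it alone, otherwise the must-change flag is lost
            Write-Warning "Skipping $($u.DistinguishedName): must change password at next logon"
            continue
        }
        Set-ADUser -Identity $u.DistinguishedName -PasswordNeverExpires $true
    }
}

function Undo-TemporaryNeverExpires {
    param([string]$Path)
    # Restore each account to what it was, rather than forcing "no" on everyone
    foreach ($u in Import-Csv -Path $Path) {
        $never = [System.Convert]::ToBoolean($u.NeverExpiresBefore)
        Set-ADUser -Identity $u.DistinguishedName -PasswordNeverExpires $never
    }
}

Set-TemporaryNeverExpires -Base $SearchBase -Path $StateFile
# Later, when the temporary period is over:
# Undo-TemporaryNeverExpires -Path $StateFile
```

Run it once per OU, or pass the domain root as the search base to cover all 100 OUs in one go; the warnings list the accounts that still need to change their password at next logon.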
Yesterday was one interesting day… First of all, I would like to take this chance to thank my dear friend who showed me how to use the Microsoft Network Monitor tool – Uncle Pom.
Problem – No network adaptor shows up in the NetMon tool
More interestingly, after we installed the Netmon tool on our production machine… NO network adaptor showed up in the tool for us to capture network traffic in \ out of the machine!
Findings and Solution (Part 1) – Missing Driver
After much troubleshooting, we found out that it is because the “Microsoft Network Monitor 3 Driver” is not installed as a network service under “Local Area Connection Properties”.
So, we tried to add it back! But guess what?… We hit another issue! An error message popped up saying “Filters currently installed on the system have reached the limit”
LOL~ More issues? Never mind, we always understand that there is always a workaround. How?
Findings and Solution (Side track) - The workaround to resolve "Filters Currently Installed on the System Have Reached the Limit” is as follows…
Step 1 – “Regedit” (Note: Please ensure you know what you are doing first; if not, please back up the registry key first!)
Step 2 – Locate the registry value “MaxNumFilters” under HKLM\System\CurrentControlSet\Control\Network\
The default value is “8”, which means you can have up to 9 adaptors (counting from “0” to “8”)
Step 3 – Change the value to “A”, which means we can have up to 11 adaptors (more than enough for me~)
Step 4 – Click “Ok” and reboot the machine! (MUST REBOOT!!)
Note: The above steps to increase the limit are not supported by Microsoft. Ok? Do it at your own risk!!
The workaround to resolve "Filters Currently Installed on the System Have Reached the Limit” ends here.
Findings and Solution (Part 2) – Adding Back the Missing Network Monitor Driver
Ok… Once the machine is rebooted, let us re-install the Microsoft Network Monitor tool in “repair” mode. (Trust me, this is the safest way…)
Locate the installer (remember, if your machine is 64-bit… get the correct version!)
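The same unsupported registry change, as an added PowerShell example that is not from the post: it forces the backup the author asks for in Step 1 before touching the value, shows the before/after value in hex as Regedit displays it, and reminds you of the reboot. The backup path is a constructed placeholder; run it from an elevated prompt.

```powershell
# Added example, not from the blog post. Same unsupported MaxNumFilters change as the
# Regedit steps above, scripted so the backup and the reboot cannot be forgotten.
$KeyPath   = "HKLM:\SYSTEM\CurrentControlSet\Control\Network"
$ValueName = "MaxNumFilters"
$NewValue  = 0xA                                  # "A" in Regedit = 10 decimal
$Backup    = "C:\Temp\Network_key_backup.reg"    # constructed placeholder path

function Get-FilterLimit {
    # Returns the raw DWORD, its hex form as Regedit shows it, and the adaptor
    # count the post derives from it (counting from 0, so value + 1)
    $v = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    [pscustomobject]@{ Value = $v; Hex = ('{0:X}' -f $v); MaxAdaptors = $v + 1 }
}

# Step 1: export the key with the built-in reg.exe before changing anything
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Network" $Backup /y | Out-Null
if (-not (Test-Path $Backup)) { throw "Backup failed, not changing $ValueName" }

$before = Get-FilterLimit
"Before: $ValueName = $($before.Hex) (up to $($before.MaxAdaptors) adaptors)"

# Steps 2-3: raise the limit only if it is lower than the value we want
if ($before.Value -lt $NewValue) {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $NewValue -Type DWord
}
$after = Get-FilterLimit
"After:  $ValueName = $($after.Hex) (up to $($after.MaxAdaptors) adaptors)"

# Step 4: the new limit is only read at boot
"Reboot required: run Restart-Computer when ready"
```

To undo the change, double-click the exported .reg file (or run reg.exe import on it) and reboot again.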
Select “Repair” and click “Next”.
Once it completes, you will see that the “Microsoft Network Monitor 3 Driver” appears!
Then, you can happily launch the Microsoft Network Monitor 3.4 tool and see the network adaptors to select from, as shown below!
Other possible cause why you cannot use Netmon… Rights issue!
If you installed the tool with a local administrator account but need to run it as a domain user, please remember to add the necessary account into the “Netmon User” group!
Hope the above sharing is useful to anyone who is keen to use Netmon!! I am getting to love this tool…
Got a last-minute request to set permissions on more than 200 OUs. For each OU, specific domain user groups are to be granted the rights to reset passwords and unlock user accounts.
If you were to use the GUI method to grant password reset rights, it works! But how about the rights to unlock user accounts in the OU? And are you going to do that for all 200-plus OUs one by one?!
For unlock account rights, note that you need to configure “Allow” for both “Read lockoutTime” and “Write lockoutTime” (shown in the picture below).
So… just imagine if one were to use the GUI method to configure all 200-plus OUs… Haha. One problem is the effort, and the other is how to ensure there will be no mistakes after a while?
Well, this is the time when our good old “DS” commands come in handy!
First, we find out what the GUI method does to grant user groups the rights to reset user passwords…
For unlocking of user accounts, the following needs to be set.
Therefore, the commands to achieve the above settings are shown below:
Setting 1 - Part 1 of Granting User Group A to Reset Password for User in Team A OU
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:CA;Reset Password";user
Setting 2 – Part 2 of Granting User Group A to Reset Password for User in Team A OU
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:rpwp;PwdlastSet";user
Setting 3 – To allow User Group A to unLock User Account in Team A OU
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:rpwp;lockoutTime";user
Using Microsoft Excel, I was able to generate the batch file to execute the above commands for all 200-plus OUs. Within half an hour, DONE!!
Hope this will be a one-stop solution for those who wish to do it, even for a single OU~
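The Excel step above, done in PowerShell as an added example that is not the author’s own sheet: an OU-to-group mapping in CSV form is turned into the three dsacls lines per OU, written out as a batch file, and a second function reads the ACL back with dsacls so you can confirm each OU actually got the group and the lockoutTime entry. The OU DNs and group names are constructed sample data in the style of the post; the output path is a placeholder.

```powershell
# Added example, not from the blog post. Generates the three dsacls lines shown above
# for every OU in a CSV mapping. The DNs and groups below are constructed sample data.
$Mapping = @"
OU,Group
"OU=TeamA,DC=SWUG,DC=com,DC=sg",swug\groupA
"OU=TeamB,DC=SWUG,DC=com,DC=sg",swug\groupB
"@ | ConvertFrom-Csv

$BatchPath = "C:\Temp\grant_helpdesk_rights.cmd"   # constructed placeholder path

function New-DsaclsLines {
    param([string]$OU, [string]$Group)
    # Reset Password control right, then read/write on pwdLastSet and lockoutTime,
    # inherited (/I:S) to user objects only: the same three settings as the post.
    # ${Group} is needed because "$Group:CA" would parse as a scope qualifier.
    @(
        "dsacls `"$OU`" /I:S /G `"${Group}:CA;Reset Password`";user",
        "dsacls `"$OU`" /I:S /G `"${Group}:rpwp;pwdLastSet`";user",
        "dsacls `"$OU`" /I:S /G `"${Group}:rpwp;lockoutTime`";user"
    )
}

function Test-DsaclsGrant {
    param([string]$OU, [string]$Group)
    # dsacls with only the DN dumps the current ACL; check the group and the
    # lockoutTime attribute both appear (case-insensitive match by default)
    $acl = dsacls $OU
    [bool]($acl -match [regex]::Escape($Group)) -and [bool]($acl -match 'lockoutTime')
}

# Build the batch file (ASCII so cmd.exe reads it cleanly)
$Batch = foreach ($row in $Mapping) { New-DsaclsLines -OU $row.OU -Group $row.Group }
$Batch | Set-Content -Path $BatchPath -Encoding ASCII
"Wrote $($Batch.Count) dsacls lines to $BatchPath"

# After running the batch file as a domain admin, verify each OU:
# foreach ($row in $Mapping) {
#     "{0}: {1}" -f $row.OU, $(if (Test-DsaclsGrant -OU $row.OU -Group $row.Group) { 'granted' } else { 'MISSING' })
# }
```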
One lesson learnt the hard way… That is why I must share this with everyone.
If you think that all GPO settings support different OS versions with the methodology of “a baseline version and above” under the “requirements”, then you will make a mistake like I did.
The screenshot below shows a typical console view when one is administering GPO.
What is shown below is a GPO setting whose requirement is “At least IE6 in WinXP SP2 or Windows Server 2003 SP1”
Let me share with you all that the requirement does not work in such a way all the time…
Take a closer look at this GPO setting – “Turn Off Reminder Balloons”
If you read “Supported On” carefully, you will notice that it is only supported on Windows Server 2003, Windows XP and Windows 2000!!
Therefore, if one configures GPO blindly and wonders why the expected result never turns out on Windows 7, one thing you may want to check is… whether the GPO setting is supported on Windows 7.
Hope that sharing this with you all can help save a bit of your precious time.
Key takeaway: never assume everything works the same…
Going back to fundamental
When I say going back to fundamentals, what I mean is actually – one should do proper design and planning before implementation.
Active Directory Service
During the past few months, I have been working on designing an enterprise-level Active Directory Service. Then I realised something – most people feel that Active Directory Service mainly serves as network logon for domain users. Domains are created by simply launching the command “dcpromo” and all the namespaces are created on the spot. Some people may laugh when reading this, but it’s true out there.
Going back to the fundamentals, one should spend more time on designing and testing before executing the plan. This was taught as part of a module during my school days and I believe in it a lot. Just to share my personal experience: proper planning can really help to avoid many predictable issues.
If one were to ask where to look for information on planning Active Directory, I will usually recommend the site from Microsoft, which is the “Infrastructure Planning and Design” guides. One can download many guides for Microsoft infrastructure technologies such as Active Directory Certificate Services, Active Directory Domain Services, File Services, MED-V, Internet Information Services and many more!
What I advise is to download the Active Directory Domain Services guide and spend time to plan properly. The reason is that all other services integrate with or rely on Active Directory. Therefore, any issue with Active Directory due to poor planning may affect other services in the infrastructure.
Group Policy Objects (GPO)
My recent encounters are that people know about Group Policy Objects when we design Active Directory Service, but they do not understand what GPO is and how it works…
I would like to use this chance to state something clearly: Active Directory Service and Group Policy Objects are 2 separate components. They are just very closely integrated together. Why I see it that way is because we can deploy Local Group Policy Objects (LGPO) whether there is an Active Directory Service or not.
Therefore, during any consulting engagement, if you never indicate that you need consulting services on GPO as part of the Active Directory Service consulting service, do not be shocked that the consulting firm tells you that GPO is not part of the scope of work.
My advice to IT Pros out there is that they should learn how to use GPO – local and domain – with in-depth understanding and proper planning. Why? It is because domain GPO can really help IT pros to manage their IT environment. For example, I can use GPO to deploy software (mainly MSI format), standardize client machine settings and lock down client machines; and with Group Policy Preferences (GPP), one can deploy TCPIP printers without using any complex script, plus many other settings.
So, if anyone were to ask me about GPO, I will recommend them to read the following sites to understand what GPO can do first.
Group Policy Collection
How Core Group Policy Works – READ THIS!!
Both AD and GPO integrate closely together. During planning, one should plan out AD and GPO together (if the client asks for it; if not, do cater for changes). Therefore, under planning of AD, during planning of the Organizational Unit (OU) structure, you need to plan with the thought of “How can GPO be applied?” in your mind. This is very important.
One more piece of advice… Once your domain is ready, create a policy to lock down the right of all domain users to add workstations to the domain. This will allow you to manage your domain better.
Hope my experience helps.
Everything is made so easy to migrate my blog from Live Spaces to WordPress… Just follow the simple instructions and within minutes, migration completed!
My new blog will be http://vbzine.wordpress.com/.
Time to blog when I get the time.
Really quite locked down with work recently. But I think this blog post is rather interesting to share.
Got this project recently to deploy a printer to approximately 150 machines. The requirement is that the users will print directly – TCPIP printer.
The environment is running Windows Server 2008 R2 and Windows 7 Enterprise. AD is Windows Server 2008 R2 functional level.
Printer is configured on site with static IP address.
In the past, we could use a logon script to deploy TCPIP printers. Customizing the script can be done but requires a certain level of knowledge.
Instead, utilize GPP (Group Policy Preferences). How? I will explain in detail in this blog post with screen captures from my test environment. :)
Summary of the approach
1. Prepare Print Server – For client to pull the printer drivers during deployment of TCPIP printer through GPO
2. Prepare GPO to deploy the TCPIP printer
On Windows Server 2008 R2, turn on Print and Document Services.
Add the TCPIP printer through the friendly wizard (you need to know the static address of the printer).
Using the wizard, you can add the TCPIP printer. The reason why you need a print server is for clients to download the drivers when using GPO to deploy the TCPIP printer.
Share out the printer (use a name for ease of administration).
Step 4 – Create GPO to Deploy TCPIP Printer (Computer Configuration)
Under GPMC, create a new GPO – “Add_TCPIP_Printer”
I link it to the computer OU as the requirement is to deploy the printer to all the machines in the site. Therefore, I will configure the GPO under Computer Configuration. If the requirement is for the TCPIP printer to follow the user, I will create it under User Configuration.
Under Computer Configuration > Preferences > Control Panel Settings > Printers > right-click and add a TCPIP Printer.
The following are the recommended settings:
- Action – Update (Default)
- IP address – Static IP address of the TCPIP Printer (NOT PRINT SERVER IP Address)
- Local Name – Name which you want it to appear on the client machine
- Printer Path – Enter the UNC path to direct the machine to obtain the printer drivers.
Click OK to finish.
(Do explore the Common tab more, as it has lots of functions you can customize, such as configuring a condition to update the printer only when the user is within an IP range!)
Step 5 – Link the GPO to OU (Computers to target for deployment of Printer)
Link the GPO to the OU containing the computers to deploy the TCPIP printer.
Once the computer reboots, or you run the command “GPUPDATE /Force” on the machine, the printer will appear under the computer’s Devices and Printers as a TCPIP printer.
Step 6 – To roll back the TCPIP printer deployed
If you want to delete the TCPIP printer, you can reuse the same GPO and change “Update” to “Delete”.
Printer did not appear – You may want to check if the printer driver is available for Windows 7 (by right, if you can install it on Windows Server 2008 R2, it should roll down to the Windows 7 client machine).
Check DNS to ensure the client machine is able to resolve the hostname of the print server by performing an nslookup command on the client machine.
Advise and Conclusion
Before any rollout, proper testing should be performed – a Proof of Concept should be performed.
If GPO is used with proper planning, managing client machines will no longer be a nightmare. However, if the implementation of GPO is not planned and you just keep adding and applying, troubleshooting any issue that arises in the long run can be a headache!
Sometimes, we really think too much when we read the words “folder redirection” under GPO.
Or maybe just me. :)
Let me share with you all something I was working on recently using GPO for Windows 7. I have a project asking me to provide a solution for end users to back up a portion of their data. And the requirement is that the data must be available to the end user even when there is no network.
My first thought was to use folder redirection through GPO, especially as the environment is Win 7 and Win Server 2008.
So, through GPO, we can turn on redirection of Documents and other profile-related directories.
In order to make the redirected folder available offline, we can turn on Offline Files through GPO and the advanced setting under Sharing on the Wintel file servers.
However… the feedback is that the end users have been using Documents heavily. So, if we were to redirect the Documents folder, there will be a surge in file storage and file transfer over the network.
So, the new requirement is to provide a customized folder for the user to dump a certain amount of files into.
So, what will you do? :)
I will leave this open first and let you all think about the solution. I will share with you all what I did.