Sunday, October 31, 2010

WMI Issue - WinMgmt could not open the repository file

I had the following problem on a client's server:

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 27
Date: 1/11/2010
Time: 2:31:11 PM
User: N/A
Computer: ORIONCH
Description:
WinMgmt could not open the repository file. This could be due to insufficient security access to the "<%SystemRoot%>\System32\WBEM\Repository", insufficient disk space or insufficient memory.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1090
Date: 1/11/2010
Time: 4:38:53 PM
User: NT AUTHORITY\SYSTEM
Computer: ORIONCH
Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

This was resolved by performing the following:

1. net stop winmgmt
2. rename the e:\winnt\system32\wbem\repository directory
3. net start winmgmt
4. wmi should recreate the repository
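
As an added example (not part of the post), the four steps above as a PowerShell script that also checks WMI before and after the reset; it assumes the repository is at the default %SystemRoot%\System32\wbem\Repository and an elevated PowerShell prompt.

```powershell
# Added example: automates the repository reset described above and verifies
# that WMI answers afterwards. Assumes the default repository location.
$repo = Join-Path $env:SystemRoot 'System32\wbem\Repository'

function Test-WmiRepository {
    # A trivial query fails fast when the repository cannot be opened
    try {
        $null = Get-WmiObject -Class Win32_OperatingSystem -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

if (Test-WmiRepository) {
    Write-Host 'WMI is answering queries; no repository reset performed.'
    return
}

# 1. Stop the service; -Force also stops services that depend on winmgmt
Stop-Service -Name winmgmt -Force

# 2. Rename rather than delete, so the old repository is kept for later analysis
$backupName = 'Repository.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.old'
Rename-Item -Path $repo -NewName $backupName

# 3. Start the service; 4. winmgmt rebuilds the repository from the MOF files
#    registered in its autorecover list when it starts without one
Start-Service -Name winmgmt

# Give the rebuild a moment, then confirm the folder is back and WMI answers
Start-Sleep -Seconds 15
if ((Test-Path $repo) -and (Test-WmiRepository)) {
    Write-Host "Repository rebuilt at $repo; old copy kept as $backupName"
} else {
    Write-Warning 'WMI is still not answering; check the WinMgmt events in the Application log'
}
```

Providers whose MOF files are not in the autorecover list (some third-party agents) need re-registering with mofcomp after the rebuild.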

WMI database successfully showing up (screenshot in the original post).

Tuesday, October 26, 2010

Syncing user attributes cross forest VBScript

I wrote a script that syncs user attributes across a forest trust. Run it in the destination forest; the example below copies the mail (email address) attribute of each user account.

' Active Directory constants
Const ADS_SCOPE_SUBTREE = 2

' Query the source forest through the ADSI OLE DB provider, paged so that
' more than 1000 accounts are returned. Run this from the destination forest.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADSDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Page Size") = 1000
objCommand.CommandText = "SELECT * FROM 'LDAP://olddomain/dc=olddomain,dc=local' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

On Error Resume Next

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Err.Clear
    Set objType = GetObject(objRecordSet.Fields("ADsPath").Value)
    ' Same OU path in the destination forest, only the domain suffix differs
    ' (text compare, so a lower-case dc=olddomain in the DN is matched too)
    strDistinguishedName = Replace(objType.distinguishedName, "DC=olddomain,DC=local", "DC=newdomain,DC=local", 1, -1, vbTextCompare)

    ' Reset first: reading an attribute that is not set raises an error that
    ' On Error Resume Next swallows, which would otherwise leave the previous
    ' user's address in strEmailAddress and write it to the wrong account.
    strEmailAddress = Empty
    strEmailAddress = objType.mail

    If Not IsEmpty(strEmailAddress) Then
        Call ADChanges()
        ' Report rather than hide a failed write (e.g. no matching account in the destination)
        If Err.Number <> 0 Then
            WScript.Echo "Failed: " & strDistinguishedName & " - " & Err.Description
            Err.Clear
        End If
    End If

    objRecordSet.MoveNext
Loop

WScript.Echo "Email Addresses have been Migrated"

Sub ADChanges()
    ' Bind to the matching account in the destination forest and write the address
    Set objUser = GetObject("LDAP://" & strDistinguishedName)
    objUser.Put "mail", strEmailAddress
    objUser.SetInfo
End Sub
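
The same cross-forest copy in PowerShell, as an added example that is not the post's script: it runs from the destination forest and keeps the post's assumption that the OU structure is identical in both forests (only the domain suffix of the DN is rewritten), but it checks that the target account exists, reports failures instead of hiding them, and supports -WhatIf for a dry run. Sync-MailAttribute and the olddomain/newdomain names are placeholders.

```powershell
# Added example: copy the mail attribute from a trusted source forest to the
# matching accounts in this (destination) forest. Domain names are placeholders.
function Sync-MailAttribute {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SourceRoot   = 'LDAP://olddomain/DC=olddomain,DC=local',
        [string]$SourceSuffix = 'DC=olddomain,DC=local',
        [string]$TargetSuffix = 'DC=newdomain,DC=local'
    )

    # Search the source forest over the trust; only accounts that have a mail value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$SourceRoot)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(mail=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'mail'))

    foreach ($r in $searcher.FindAll()) {
        $sourceDn = [string]$r.Properties['distinguishedname'][0]
        $mail     = [string]$r.Properties['mail'][0]
        # Same OU path in the destination forest; only the trailing domain suffix changes
        $targetDn = $sourceDn -replace ([regex]::Escape($SourceSuffix) + '$'), $TargetSuffix

        if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$targetDn")) {
            Write-Warning "No matching account in destination forest: $targetDn"
            continue
        }
        if ($PSCmdlet.ShouldProcess($targetDn, "set mail to $mail")) {
            try {
                $target = [ADSI]"LDAP://$targetDn"
                $target.Put('mail', $mail)
                $target.SetInfo()
            } catch {
                Write-Warning "Failed to update ${targetDn}: $_"
            }
        }
    }
}

# Dry run first; remove -WhatIf to apply the changes
Sync-MailAttribute -WhatIf
```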

How to set an AD Attribute using LDAP in VBScript

How to set an AD attribute using LDAP in VBScript; in this instance I'm setting the mail attribute.

' Bind to the user object, stage the new value with Put and commit it with SetInfo
Set objUser = GetObject("LDAP://CN=Clint Boessen,OU=Corporate Information Services,OU=Corporate Services,DC=kbomb,DC=local")
objUser.Put "mail", "clint@kbomb.com.au"
objUser.SetInfo

List all users in domain cross forest

Below is a VBScript I wrote that lists all users by the distinguishedName attribute across a forest trust.

Searching through all users with a While loop, as in my locked-out accounts post:

http://clintboessen.blogspot.com/2010/10/how-to-find-locked-out-user-accounts.html

does not work cross forest! The script below does:

' Active Directory constants
Const ADS_SCOPE_SUBTREE = 2

' Bind through the ADSI OLE DB provider; the LDAP path names the trusted
' forest's domain explicitly, which is what makes the query work over the trust
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADSDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
' Paged query; without it no more than the server's MaxPageSize (1000 by default) entries come back
objCommand.Properties("Page Size") = 1000
objCommand.CommandText = "SELECT * FROM 'LDAP://stirling/dc=stirling' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Set objType = GetObject(objRecordSet.Fields("ADsPath").Value)
    strDistinguishedName = objType.distinguishedName
    WScript.Echo strDistinguishedName
    objRecordSet.MoveNext
Loop

How to find locked out user accounts VBScript

How to find locked out accounts using VBScript and LDAP:

Const ADS_UF_LOCKOUT = 16   ' lockout bit in msDS-User-Account-Control-Computed

' Candidate accounts: user objects whose lockoutTime has ever been set.
' lockoutTime is not cleared when the lockout duration expires, so the filter
' alone over-reports; the computed attribute below gives the current state.
ldapFilter = "(&(sAMAccountType=805306368)(lockoutTime>=1))"

Set rootDSE = GetObject("LDAP://rootDSE")
domainDN = rootDSE.Get("defaultNamingContext")

WScript.Echo "Locked accounts:"
WScript.Echo

Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Open "ADSearch"
Set objectList = ado.Execute("<LDAP://" & domainDN & ">" & ldapFilter & ";ADSPath,distinguishedName;subtree")
While Not objectList.EOF
    Set user = GetObject(objectList.Fields("ADSPath"))

    ' Constructed attribute: the DC computes it on request, so ask for it explicitly
    user.GetInfoEx Array("msDS-User-Account-Control-Computed"), 0
    flags = user.Get("msDS-User-Account-Control-Computed")
    If (flags And ADS_UF_LOCKOUT) Then
        WScript.Echo objectList.Fields("distinguishedName")
    End If

    objectList.MoveNext
Wend
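
The same two-stage check in PowerShell, as an added example rather than the post's code: the LDAP filter selects candidates and the server-computed msDS-User-Account-Control-Computed attribute confirms which of them are locked out right now, because lockoutTime stays set after the lockout duration expires. Assumes PowerShell 2.0 or later on a domain-joined machine; Get-LockedOutUser is a name chosen here.

```powershell
# Added example: list currently locked-out accounts using System.DirectoryServices.
$ADS_UF_LOCKOUT = 16   # lockout bit in msDS-User-Account-Control-Computed

function Get-LockedOutUser {
    param([string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000   # paged, so more than MaxPageSize results are returned
    # Candidates: user accounts whose lockoutTime has ever been set. The value is
    # not cleared when the lockout duration expires, so this filter over-reports.
    $searcher.Filter = '(&(sAMAccountType=805306368)(lockoutTime>=1))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'lockoutTime'))

    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        # Constructed attribute: the DC computes it on request, so ask for it explicitly
        $entry.RefreshCache([string[]]@('msDS-User-Account-Control-Computed'))
        $flags = [int]$entry.Properties['msDS-User-Account-Control-Computed'].Value
        if ($flags -band $ADS_UF_LOCKOUT) {
            New-Object PSObject -Property @{
                DistinguishedName = [string]$result.Properties['distinguishedname'][0]
                LockedOutSince    = [DateTime]::FromFileTimeUtc([int64]$result.Properties['lockouttime'][0])
            }
        }
    }
}

Get-LockedOutUser | Format-Table -AutoSize
```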

Scripting Active Directory users using VBScript

I came across a website by ActiveXperts with lots of script examples of modifying user attributes via LDAP and VBScript. Please check it out!

http://www.activxperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/users/

Very good article.

Wednesday, October 20, 2010

Powershell - List all users in domain

The following PowerShell script lists all users in an Active Directory domain.

$strFilter = "(&(objectCategory=User))"

# Bind to the root of the current domain
$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 10000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
# To search another domain or an OU, give the full LDAP path; a bare
# "dc=domain,dc=local" is not a valid ADSI path and the search fails
# $objSearcher.SearchRoot = [ADSI]"LDAP://dc=domain,dc=local"

$colProplist = "name"
# Add() returns the new index; [void] keeps it out of the script's output
foreach ($i in $colPropList){[void]$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
{$objItem = $objResult.Properties; $objItem.name}

Wednesday, October 13, 2010

Move Active Mailbox Database Error

I went to move a mailbox database to another node by using "Move Active Mailbox Database" from Exchange Management Console or Move-ActiveMailboxDatabase from the shell. When performing this action I received the following error:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00


Move-ActiveMailboxDatabase
Failed

Error:
An Active Manager operation failed. Error: The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'LABEXCH04 Database 02' on server 'LABEXCH04.lab.local' has content index catalog files in the following state: 'Failed'.. [Database: LABEXCH04 Database 02, Server: LABEXCH03.lab.local]

An Active Manager operation failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'LABEXCH04 Database 02' on server 'LABEXCH04.lab.local' has content index catalog files in the following state: 'Failed'..
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.140).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex92D94B

Exchange Management Shell command attempted:
Move-ActiveMailboxDatabase -Identity 'LABEXCH04 Database 02' -ActivateOnServer 'LABEXCH04' -MountDialOverride 'Lossless'

Elapsed Time: 00:00:00


My passive database was coming up as healthy!

The problem was resolved by:

- Suspending the database copy
- Activating the database copy - wait for resync
- Performing the move active mailbox database command again.

Very odd, given that the copy was displaying as healthy!

Thursday, October 7, 2010

Exchange 2010 Redirect or Proxy

When dealing with Exchange 2010 and legacy Exchange servers such as 2003 or 2007, Exchange 2010 CAS servers will either redirect or proxy the request.

Some web services are proxied and some are redirected. For an overview of which services are redirected and which are proxied, see the following blog post:

http://blogs.technet.com/b/mbaher/archive/2009/12/17/exchange-2010-proxy-or-redirect.aspx

I found this article very handy also:

http://technet.microsoft.com/en-us/library/ee332348.aspx

Monday, October 4, 2010

Autodiscover issue with ISA2006 or Forefront TMG

I had a client where Autodiscover was working fine internally, however external clients could not perform Autodiscover requests. The client is running Forefront Threat Management Gateway 2010.

When running the Exchange Remote Connectivity Analyzer (ExRCA) from http://www.testexchangeconnectivity.com I received the following error:

ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.vnc.qld.edu.au/AutoDiscover/AutoDiscover.xml for user administrator@vnc.qld.edu.au
Failed to obtain AutoDiscover XML response.
Tell me more about this issue and how to resolve it
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.

ExRCA is attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Test Steps
Attempting to resolve the host name autodiscover.vnc.qld.edu.au in DNS.
Host successfully resolved
Additional Details
IP(s) returned: 203.206.132.236

Testing TCP Port 80 on host autodiscover.vnc.qld.edu.au to ensure it is listening and open.
The port was opened successfully.
Checking Host autodiscover.vnc.qld.edu.au for an HTTP redirect to AutoDiscover
ExRCA failed to get an HTTP redirect response for Autodiscover.
Tell me more about this issue and how to resolve it
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.

ExRCA is attempting to contact the Autodiscover service using the DNS SRV redirect method.
Failed to contact AutoDiscover using the DNS SRV redirect method.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.vnc.qld.edu.au in DNS.
The Autodiscover SRV record wasn't found in DNS.
Tell me more about this issue and how to resolve it

To resolve this, open the Exchange publishing rule on your ISA Server or TMG. On the Public Names tab add the autodiscover host name.

On the Paths tab add the Autodiscover directory.