There may come a time when you need to perform a full synchronization of FRS data. The steps below outline both an authoritative and a non-authoritative synchronization, driven by the BurFlags registry value.
Non-Authoritative mode Restore - Re-downloads the FRS data on this member from a replication partner. Use this when a single member has fallen out of sync and its partners hold good data.
1. Stop the File Replication Service (NtFrs).
2. Edit the following registry key and set the BurFlags value (REG_DWORD) to D2 (hex):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup
3. Start the File Replication Service.
4. Open Event Viewer and check the File Replication Service log. Event 13565 signals that a non-authoritative restore has started; when the process has completed, event 13516 signals that FRS is operational again.
Authoritative mode Restore - Makes this member's copy of the FRS data the reference copy; every other member re-downloads its data from it. Use this only when the replica set as a whole is broken, because files that exist only on the other members are discarded.
1. Stop the File Replication Service on all members of the replica set.
2. On the authoritative member edit the following registry key and set the BurFlags value to D4. On every other member set the same value to D2 so they pull from the authoritative copy rather than re-seed their own data:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup
3. Start the File Replication Service on the authoritative member first, then on the remaining members.
4. Open Event Viewer and check the File Replication Service log. Event 13566 signals that an authoritative restore has started; when the process has completed, event 13516 signals that FRS is operational again.
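The same procedure driven from PowerShell, as an added example that is not part of the original post: it sets BurFlags, restarts NtFrs and then waits for the 13565/13566 and 13516 events that prove the restore actually ran in the intended mode. It assumes an elevated session on the FRS member being restored; the function name and timeout are this example's own.

```powershell
# Added example, not from the original post: drive a BurFlags restore from
# PowerShell and wait for the FRS events that confirm it actually ran.
# Assumes it runs elevated on the FRS member being restored.
$burKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup'

function Invoke-FrsBurFlagsRestore {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('NonAuthoritative', 'Authoritative')]
        [string]$Mode,
        [int]$TimeoutMinutes = 30
    )
    # D2 = non-authoritative (re-download from a partner), D4 = authoritative (this copy wins).
    if ($Mode -eq 'Authoritative') { $flag = 0xD4; $startEvent = 13566 }
    else                           { $flag = 0xD2; $startEvent = 13565 }
    $since = Get-Date

    Stop-Service -Name NtFrs -Force
    # The key name contains "/" characters, which the HKLM: provider treats as path
    # separators, so write the value through the .NET registry API instead.
    [Microsoft.Win32.Registry]::SetValue($burKey, 'BurFlags', $flag, [Microsoft.Win32.RegistryValueKind]::DWord)
    Start-Service -Name NtFrs

    # 13565/13566 confirms which mode FRS picked up; 13516 confirms it is serving again.
    # FRS clears BurFlags back to 0 once it has consumed the value.
    $seenStart = $false
    $deadline  = $since.AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = @($startEvent, 13516); StartTime = $since } -ErrorAction SilentlyContinue)
        if ($events | Where-Object { $_.Id -eq $startEvent }) { $seenStart = $true }
        if ($seenStart -and ($events | Where-Object { $_.Id -eq 13516 })) {
            return New-Object PSObject -Property @{
                Mode      = $Mode
                Completed = $true
                BurFlags  = [Microsoft.Win32.Registry]::GetValue($burKey, 'BurFlags', $null)
            }
        }
        Start-Sleep -Seconds 30
    }
    throw "FRS did not log event $startEvent followed by 13516 within $TimeoutMinutes minutes; check the File Replication Service log."
}

# Non-authoritative: run on the member that is out of sync.
# Invoke-FrsBurFlagsRestore -Mode NonAuthoritative
# Authoritative: stop NtFrs everywhere, run -Mode Authoritative on the reference
# member only, then -Mode NonAuthoritative on each of the other members.
```

The returned BurFlags value should read 0 once FRS has processed the restore; a value still set to D2 or D4 after 13516 means the service never consumed it and the restore should not be assumed to have happened.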
Reference:
http://support.microsoft.com/kb/290762
November 1, 2015
October 19, 2015
What's new in Windows Server 2016 Directory Services
Windows Server 2016 is due for release, and with it come a few additions to the Directory Services piece. Below are a few of the notable additions I am looking forward to.
New Features
1. Group Membership Expiration - You will be able to add a user to a group for a set period of time, after which Active Directory removes the membership on its own. The one drawback is that this feature requires the Windows Server 2016 forest functional level (and the Privileged Access Management optional feature to be enabled).
2. Azure AD Join -
3. Deprecation of the File Replication service
4. Deprecation of Windows Server 2003 Functional Level
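What the time-bound membership from item 1 looks like in practice, as an added example that is not part of the original post. It assumes a forest already at the Windows Server 2016 functional level with the 2016 RSAT ActiveDirectory module; the forest name, group and user are placeholders.

```powershell
# Added example, not from the original post: time-bound group membership in
# Windows Server 2016. Assumes the forest is at the 2016 functional level;
# 'corp.example.com', 'Domain Admins' and 'alice' are placeholders.
Import-Module ActiveDirectory

# One-time and irreversible: turn on the optional feature that stores a TTL on
# group membership links.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example.com'

# Grant alice Domain Admins for two hours. AD removes the link when the TTL
# expires, and the KDC caps the lifetime of Kerberos tickets that carry the
# membership to the remaining TTL, so the access really does end on time.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'alice' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# Verify: members with a TTL are shown as <TTL=<seconds>,<DN>> in the member
# attribute when -ShowMemberTimeToLive is used.
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Without -ShowMemberTimeToLive the same query returns plain DNs, so an audit script that only reads the member attribute the old way will not notice that a membership is temporary.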
October 9, 2015
Deleting Messages from Exchange Mailboxes with PowerShell
From time to time it may become necessary to search a user's mailbox for a message or to delete a specific message from a mailbox. Below are a few PowerShell commands you can use with Exchange 2010 to search a mailbox for a particular email message. -DeleteContent removes the message for good, so run the search with -LogOnly first and review the log before deleting anything.
Delete all messages with a specific subject
Get-Mailbox -Identity "SOURCEMAILBOX" -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"SUBJECTSTRING"' -DeleteContent
Delete all messages with a specific attachment
Get-Mailbox -Identity "SOURCEMAILBOX" -ResultSize Unlimited | Search-Mailbox -SearchQuery 'attachment:FILENAME.DOCX' -DeleteContent
Search a mailbox by subject and date and log what would be copied out of the source mailbox into the target mailbox (with -LogOnly nothing is copied or deleted; only the log is written to the target folder)
Get-Mailbox -Identity "SOURCEMAILBOX" -ResultSize Unlimited | Search-Mailbox -SearchQuery 'subject:"SUBJECTSTRING" Sent:"MMDDYYYY"' -TargetMailbox DESTINATIONMAILBOX -TargetFolder TARGETFOLDER -LogOnly -LogLevel Full
Search a mailbox by subject and date, copy the message out of the source mailbox into the target mailbox and then delete the email from the source mailbox (-LogOnly must be left off, otherwise nothing is copied or deleted)
Get-Mailbox -Identity "SOURCEMAILBOX" -ResultSize Unlimited | Search-Mailbox -SearchQuery 'subject:"SUBJECTSTRING" Sent:"MMDDYYYY"' -TargetMailbox DESTINATIONMAILBOX -TargetFolder TARGETFOLDER -LogLevel Full -DeleteContent
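The two-pass pattern the commands above imply, as an added example that is not part of the original post: log first, delete only after the log has been reviewed and the match count is sane. It assumes an Exchange 2010 Management Shell session; the mailbox names, the query and the match-count ceiling are this example's own.

```powershell
# Added example, not from the original post: two-pass removal of a message with
# Exchange 2010 Search-Mailbox. Mailbox names and the query are placeholders.
# -DeleteContent additionally requires the "Mailbox Import Export" role, which is
# assigned to nobody by default, so grant it explicitly (and remove it afterwards).
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User 'admin.user' -ErrorAction SilentlyContinue

$source = 'SOURCEMAILBOX'
$target = 'DiscoveryMailbox'
$query  = 'subject:"Invoice attached" AND attachment:invoice.docx'

# Pass 1: log only. Nothing is copied or deleted; a log of the matches is written
# to the target folder so a human can check that the query hits what was intended.
$est = Search-Mailbox -Identity $source -SearchQuery $query -LogOnly -LogLevel Full `
           -TargetMailbox $target -TargetFolder "Review-$source"
Write-Host "$($est.ResultItemsCount) item(s) would match in $source"

# Pass 2: only after the log has been reviewed. The upper bound guards against a
# query that is broader than expected (for example a bare subject word) wiping a
# large part of the mailbox.
if ($est.ResultItemsCount -gt 0 -and $est.ResultItemsCount -lt 50) {
    Search-Mailbox -Identity $source -SearchQuery $query -LogLevel Full `
        -TargetMailbox $target -TargetFolder "Purged-$source" -DeleteContent -Confirm:$false
} else {
    Write-Warning "Match count $($est.ResultItemsCount) outside the expected range; not deleting."
}
```

Keeping a copy in the discovery mailbox (rather than deleting in place) preserves the evidence if the removal later turns out to be part of an incident.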
October 1, 2015
Managing Local Administrator Passwords on Windows Workstations
Microsoft offers the Local Administrator Password Solution (LAPS) to allow administrators to set a random and unique local administrator password on each workstation/server joined to Active Directory. The tool works by installing a small client-side extension on the client machine and then configuring a GPO to apply the settings for password complexity, length and expiration interval; the client writes the password into an attribute on its own computer object, and access to that attribute is controlled by the AD permissions you delegate. Below are the steps required to configure LAPS.
Server Setup
1. Download LAPS from https://support.microsoft.com/en-us/kb/3062591
2. Run the installer on your management workstation, select the three items under Management Tools (the fat client UI, the PowerShell module and the GPO editor templates) and click Next to complete the install.
3. Next, from the AdmPwd.PS PowerShell module, extend the schema to add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpiration attributes to the computer object class (this needs Schema Admins).
4. Next, set the permissions on the OUs holding your computers to allow each computer account to update its own password attributes and to allow your chosen administrators to read and reset the password. Also check which existing principals already hold "All extended rights" on those OUs, since that right lets them read the password regardless of your delegation.
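Steps 3 and 4 using the LAPS module's own cmdlets, plus the extended-rights check, as an added example that is not part of the original post. It assumes the AdmPwd.PS module from the LAPS installer is present; the OU, group and computer names are placeholders.

```powershell
# Added example, not from the original post: LAPS server-side setup with the
# cmdlets shipped in the AdmPwd.PS module, followed by the permission check.
# 'OU=Workstations,...', 'CORP\LAPS-Readers' and 'WS001' are placeholders.
Import-Module AdmPwd.PS

# Step 3: add ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpiration to the computer class.
# Run once, as a member of Schema Admins, against the schema master.
Update-AdmPwdADSchema

$ou = 'OU=Workstations,DC=corp,DC=example,DC=com'

# Step 4a: let each computer write its own password and expiry attributes
# (write access only; computers cannot read other computers' passwords).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Step 4b: delegate read and reset of the password to a dedicated group rather
# than to broad groups like Domain Admins or the helpdesk as a whole.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Readers'
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Readers'

# Check: ms-Mcs-AdmPwd is a confidential attribute, but any principal holding
# "All extended rights" on the OU can still read it. Review this list and remove
# anything unexpected, e.g. an old delegation to a support group.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN -ExpandProperty ExtendedRightHolders

# Once the client-side extension is installed and the GPO has applied, a reader
# retrieves a password like this (every read is an auditable AD access).
Get-AdmPwdPassword -ComputerName 'WS001' |
    Select-Object ComputerName, Password, ExpirationTimestamp

# Force rotation after the password has been used or exposed: the client picks a
# new password at its next GPO refresh once the expiry is set to "now".
Reset-AdmPwdPassword -ComputerName 'WS001'
```

Because the password is stored in clear text in the attribute (protected only by the ACL), the Find-AdmPwdExtendedRights output is the list you should worry about, not the list you delegated on purpose.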
September 20, 2015
Customizing the AD FS Sign-In Page
If you are not happy with the default design of the AD FS sign-in page, you can use the commands below to update it. Below are a few of the commands that I have used to customize the page, but other options are available.
Default Sign-in Page:
Change Company Name
You can change the company name with the following powershell command:
Set-AdfsGlobalWebContent -CompanyName "New Company Name"
Change Company Logo
When changing the company logo Microsoft recommends the dimensions for the logo to be 260x35 @96 dpi with a file size no larger than 10KB.
Set-AdfsWebTheme -TargetName default -Logo @{path="c:\images\logo.png"}
Change Graphic on the left
To change the image on the left you can use the following powershell cmdlet. Microsoft recommends that the illustration be 1420x1080 @96 dpi and no larger than 200KB.
Set-AdfsWebTheme -TargetName default -Illustration @{path="c:\images\illustration.png"}
Add a description to sign-in page
You can use the following PowerShell command to change the description on the sign-in page. The text for the "SignInPageDescriptionText" parameter supports HTML tags, and it is rendered as-is on every sign-in page, so keep it a fixed, admin-authored string and never build it from untrusted input.
Set-AdfsGlobalWebContent -SignInPageDescriptionText "For assistance please visit our support site here."
Additional Resources:
https://technet.microsoft.com/en-us/library/dn280950.aspx
September 8, 2015
SAML Authentication with Jive 8.0 and Active Directory Federation Services 2.0
Overview:
This document outlines the process required to configure Jive 8.0 to work with Active Directory Federation Services. It only covers how to set up a new installation of Jive to authenticate using AD FS; it does not cover how to migrate from an alternate authentication source to AD FS.
Assumptions:
1. The AD FS role on Windows Server 2012 R2 is installed. This is the AD FS version that ships with that OS; the wizard steps below (including the multi-factor authentication page) come from that release, not from the separate AD FS 2.0 download for Windows Server 2008 R2.
2. AD FS will be using Active Directory to authenticate users.
3. Jive 8.0 is installed (Jive 7 and 6 *should* work as well).
4. Your Jive instance must be served over HTTPS for this to work, since the SP metadata and the assertion consumer endpoint are fetched and posted over that URL.
Configuring ADFS
1. Open the AD FS management console, expand Trust Relationships, right-click Relying Party Trusts and select Add Relying Party Trust.
2. Click Start. On the next screen keep the option to import data about the relying party published online and enter the URL of your Jive SP metadata. By default the URL is "https://
3. Type a display name to identify this trust and click Next.
4. On the multi-factor authentication step make sure "I do not want to configure multi-factor authentication settings..." is selected and click Next.
5. Accept the default option "Permit all users to access this relying party" and click Next.
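The same relying-party trust created from PowerShell, followed by a review of what the metadata import put into it, as an added example that is not part of the original post. It assumes the AD FS server on Windows Server 2012 R2 and that Jive publishes its SP metadata over HTTPS; the Jive hostname and metadata path are placeholders.

```powershell
# Added example, not from the original post: create the Jive relying-party trust
# from metadata and review the imported settings. The hostname and metadata
# path below are placeholders for your Jive instance.
$jiveMetadata = 'https://jive.example.com/saml/metadata'

# Steps 1-3: import entity ID, assertion consumer endpoint and SP signing
# certificate from the metadata. Step 5: the "permit all users" rule the wizard
# applies by default. Monitoring/auto-update keep the trust in step with Jive's
# published metadata, e.g. when Jive rotates its SP certificate.
Add-AdfsRelyingPartyTrust -Name 'Jive' -MetadataUrl $jiveMetadata `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Review before sending users to it: every identifier and endpoint should be an
# https:// URL on the Jive host, and the signing certificate should be the one
# Jive actually presents, not an expired or leftover one.
$rp = Get-AdfsRelyingPartyTrust -Name 'Jive'
$rp | Select-Object Identifier, SignatureAlgorithm, EncryptClaims, SignedSamlRequestsRequired
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location, IsDefault
$rp.RequestSigningCertificate | Select-Object Subject, NotAfter, Thumbprint

# Note: AD FS issues no claims until issuance transform rules are added to the
# trust (not covered by the steps above), so Jive will reject the assertion
# until at least a NameID is mapped.
```

Permit-all authorization means any AD account can reach Jive once the claim rules are in place; scope the trust to a group with a tighter issuance authorization rule if only part of the directory should have access.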
July 6, 2015
Finding Expensive LDAP queries in LDS or Active Directory
Overview
This is a quick guide on how to find expensive and inefficient LDAP queries running against Active Directory or Active Directory Lightweight Directory Services.
Steps
1. While the CPU is running high, set the following registry value to 5 (REG_DWORD):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering
2. With that level set, the directory logs event 1644 for each search that crosses one of the thresholds below (the values shown are the defaults; lower them if the queries you are hunting do not show up):
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold = 10,000 (entries visited)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold = 1,000 (entries visited while returning less than 10% of them)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold (msecs) = 30,000
3. Open the Directory Service log in Event Viewer.
4. The events with event ID 1644 record the client address, the starting node, the filter and the number of entries visited versus returned, which should give you an idea of where the traffic is coming from and what queries are being run against the server.
Note: Don't forget to change the "15 Field Engineering" value back to 0 when you are done troubleshooting; at level 5 the Directory Service log fills quickly.
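The collection side of the procedure scripted, as an added example that is not part of the original post: it sets the thresholds and diagnostic level, then summarizes the 1644 events by client and filter so the heaviest callers stand out, and reverts the level. It assumes an elevated session on the DC and that the event message uses the "Client:", "Filter:" and "Visited entries:" labels of the Windows Server 2012 R2 event text; the function names and the lowered threshold defaults are this example's own.

```powershell
# Added example, not from the original post: enable 1644 logging, summarize the
# events by caller, and revert. Assumes an elevated session on the DC. The
# labels parsed ("Client:", "Filter:", "Visited entries:") are those used in the
# 2012 R2 event text; adjust if your version lays the message out differently.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-ExpensiveSearchLogging {
    # Lower thresholds than the defaults so that moderately bad queries are caught too.
    param([int]$ExpensiveVisits = 5000, [int]$InefficientVisits = 500, [int]$TimeMs = 10000)
    Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold'   -Value $ExpensiveVisits   -Type DWord
    Set-ItemProperty -Path $parm -Name 'Inefficient Search Results Threshold' -Value $InefficientVisits -Type DWord
    Set-ItemProperty -Path $parm -Name 'Search Time Threshold (msecs)'        -Value $TimeMs            -Type DWord
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
}

function Disable-ExpensiveSearchLogging {
    # Always revert: level 5 is chatty and fills the Directory Service log.
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0 -Type DWord
}

function Get-ExpensiveSearchSummary {
    param([datetime]$Since = (Get-Date).AddHours(-1), [int]$Top = 10)

    # Pull the line that follows a "Label:" line in the event message.
    $field = { param($msg, $label)
        if ($msg -match "(?m)^$label\s*\r?\n\s*(.+?)\s*$") { $Matches[1] } else { '' } }

    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Client  = (& $field $_.Message 'Client:')
                Filter  = (& $field $_.Message 'Filter:')
                Visited = [int]((& $field $_.Message 'Visited entries:') -replace ',', '')
            }
        } |
        Group-Object Client, Filter |
        ForEach-Object {
            New-Object PSObject -Property @{
                Count   = $_.Count
                Visited = ($_.Group | Measure-Object Visited -Sum).Sum
                Client  = $_.Group[0].Client
                Filter  = $_.Group[0].Filter
            }
        } |
        Sort-Object Visited -Descending | Select-Object -First $Top Count, Visited, Client, Filter
}

# Usage:
# Enable-ExpensiveSearchLogging
# ... let the CPU spike recur ...
# Get-ExpensiveSearchSummary -Since (Get-Date).AddMinutes(-30) | Format-Table -AutoSize
# Disable-ExpensiveSearchLogging
```

Grouping by client and filter turns hundreds of 1644 events into a short list of (source address, query) pairs ranked by total entries visited, which is usually enough to identify the application or script that needs an index or a narrower filter; a client issuing a sustained stream of full-subtree enumerations is also worth a look from the security side, since that is what directory reconnaissance tools produce.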