Saturday, December 31, 2005

Link to info about IE Enhanced Security Configuration.

Here is a link to a useful document on the Microsoft website about how to automate the configuration of IE Enhanced Security Settings:

Link

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

Another link to Google groups about RIS domain joining.

Link

RIS/Unattended setup what does DoOldStyleDomainJoin do?

Hi,

Here is some info about joining machines to a domain during unattended setup in my case using RIS.

Regarding the difference between using "DomainAdmin=" and using "DoOldStyleDomainJoin=Yes", when we configure DoOldStyleDomainJoin=Yes, it will force unattended setup to override the Windows security and join the domain using the old Windows NT 4.0 style domain join. This means, if you have a computer account pre-created in the domain, you do not need to provide domain account credentials to join the computer account to the domain.

Friday, December 30, 2005

The Microsoft Hosting solution.

Here is a link to the Microsoft Hosting Solutions site.

Link

RIS images won't join domain, Why?!

On the site linked below is an interesting discussion about why RIS images don't join to the domain in full unattended mode when W2K3 SP1 is in the environment!

Link

I applied the advice by enabling the "Network access: Named Pipes that can be accessed anonymously" group policy on the Default Domain Controllers Policy and then ensuring the following entries were present:

COMNAP
COMNODE
SQL\QUERY
SPOOLSS
LLSRPC
EPMAPPER
LOCATOR
TrkWks
TrkSvr
Browser
Netlogon
LSArpc
samr

Site to customize language settings in answer files.

Link to site.

Interesting Blog entry about changing CD key types.

Blog entry link.

Various RIS Notes

I have decided to use RISETUP images for deployment with RIS instead of using RIPREP images. I did this because I want more flexibility to install on any hardware and because I want to be able to enter the CD key on install where required.

To install apps after the initial deployment you should create a directory:

RemoteInstall\Setup\Language\Images\ImageName\$OEM$\$1\Applications

Put install files in the above directory. Then you can call the apps either from Cmdlines.txt or from [GuiRunOnce] if using MSIs.

You can use different answer files to create different images from the same setup files. Answer files live in the following location:

RemoteInstall\Setup\Language\Images\ImageName\I386\Templates

For info about answer file syntax look in the Deploy.cab file from the support tools. Look in the Reference section under "unattend.txt" (ensure ref.chm and deploy.chm are in the same folder).

I will next look into what extra drivers I may require and what apps I want to deploy.

Then I will begin customizing the CIW to prompt for more info about each install.

For lots more info see the deployment kit here: Link

Finding and Removing an old DHCP server in/from AD

My home network has been running in its most recent form for around two years now. As you can imagine, in that time it has seen a large number of changes, with hardware dying and virtual servers coming and going.

There is therefore rather a lot of old data knocking around in AD!

One particular problem I have found recently was when I looked at the list of authorised DHCP servers in the DHCP MMC snap-in. It shows an old server "DC2" which is long since dead.

However, when looking in AD, under the "CN=NetServices,CN=Services,CN=Configuration,DC=gaots,DC=co,DC=uk" branch, there was no mention of DC2. This was strange!!

To confirm the entry, I tried the command:

netsh dhcp show server


This also showed the old server.

To track down the offending entry, I began by posting on the Mark Minasi forums. Here is a link to the post:

http://web2.minasi.com/forum/topic.asp?TOPIC_ID=16882

This led me down the route of using LDP.exe to search the directory. Personally, I found this rather tricky and something which would require a little more study of LDAP syntax! Some articles to get you started are at:

http://support.microsoft.com/kb/255602/en-us
http://support.microsoft.com/kb/224543/en-us

Anyhow, I started thinking of another way to search. In the end I used LDIFDE to export the configuration partition of AD. The command I used was as follows:

ldifde -f c:\out2ad.ldf -d CN=Configuration,DC=Gaots,DC=co,DC=uk

This output all 4741 entries in the partition to the out2ad.ldf file on the C:.

Next I opened the file in Notepad and used the search function to search for "DC2".

This turned up the following object:


dn: CN=DhcpRoot,CN=NetServices,CN=Services,CN=Configuration,DC=gaots,DC=co,DC=uk
changetype: add
objectClass: top
objectClass: dHCPClass
cn: DhcpRoot
distinguishedName: CN=DhcpRoot,CN=NetServices,CN=Services,CN=Configuration,DC=gaots,DC=co,DC=uk
instanceType: 4
whenCreated: 20030118180051.0Z
whenChanged: 20050604125912.0Z
uSNCreated: 8226
uSNChanged: 8226
showInAdvancedViewOnly: TRUE
name: DhcpRoot
objectGUID: byMqK1mKH02svsUyn66oTw==
dhcpUniqueKey: 0
dhcpType: 0
dhcpFlags: 0
dhcpIdentification: This is a server
dhcpServers: i192.168.1.11$rcn=dc2.gaots.co.uk$f0x00000000$sdc2.gaots.co.uk$
objectCategory: CN=DHCP-Class,CN=Schema,CN=Configuration,DC=gaots,DC=co,DC=uk


So, it turns out that the entry is under the DHCPRoot object. Having discovered this, I had to decide what to do next.


Obviously I want to get rid of the DC2 entry but how? First, I compared the DHCPRoot object with one in another domain. I found that it had one extra attribute: dhcpServers:

Having discovered this, I then opened ADSIEdit.msc and navigated to the DHCPRoot object. I cleared the attribute "dhcpServers" so that it showed as "Not Set" as on the test network I used to check as mentioned above.

I then closed down all the utilities I had open and opened up the DHCP MMC snap-in. On checking the Authorised servers list I found that the DC2 entry had gone!

Hope this helps someone. It was certainly interesting tracking it down and has pointed out to me that I need to spend a little time looking at LDP.exe and LDAP queries!

Cheers

Nathan
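
The search step from the post above (export the partition with LDIFDE, then look for the stale host name), as an added example that is not part of the original post: a small LDIF reader that also finds matches a plain-text search in Notepad would miss, namely values folded across lines and base64-encoded values. The sample data is constructed from the DhcpRoot entry quoted above plus a made-up second entry, and the dhcpServers splitter only separates the fields by their prefix letter, without assuming what each letter means.

```python
import base64
import re

# Constructed sample modelled on the DhcpRoot entry quoted in the post; the
# second entry and the folded dhcpServers line are made up to exercise the parser.
SAMPLE_LDIF = """\
dn: CN=DhcpRoot,CN=NetServices,CN=Services,CN=Configuration,DC=gaots,DC=co,DC=uk
changetype: add
objectClass: dHCPClass
cn: DhcpRoot
dhcpServers: i192.168.1.11$rcn=dc2.gaots.co.uk$f0x00000000$sdc2.gaots
 .co.uk$

dn: CN=Example,CN=Services,CN=Configuration,DC=gaots,DC=co,DC=uk
changetype: add
description:: c2VydmVyIERDMiByZXRpcmVk
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry, unfolding lines and decoding base64."""
    unfolded = re.sub(r"\r?\n ", "", text)           # RFC 2849 line folding
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"([^:]+)(::?) ?(.*)", line)
            if not m:
                continue
            name, sep, value = m.groups()
            if sep == "::":                           # base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            attrs.setdefault(name, []).append(value)
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def find_host(text, host):
    """Return (dn, attribute, value) for every value mentioning host, ignoring case."""
    return [(dn, name, v) for dn, attrs in parse_ldif(text)
            for name, vals in attrs.items() for v in vals
            if host.lower() in v.lower()]

def split_dhcp_server(value):
    """Split a dhcpServers value on '$' into {prefix letter: remainder}."""
    return {part[0]: part[1:] for part in value.split("$") if part}

if __name__ == "__main__":
    for dn, name, value in find_host(SAMPLE_LDIF, "dc2"):
        print(dn, name, value, sep="\n  ")
```

To run it against a real export, read the .ldf file produced by ldifde and pass its text to find_host in place of SAMPLE_LDIF.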

Thursday, December 29, 2005

A Cool Exchange Blog

http://blogs.technet.com/exchange/default.aspx

MSDTC group/resource setup for Exchange 200X clusters

It looks like MS are about to change the best practice for the MSDTC resource on Exchange 2000 or 2003 clusters.

Exchange requires MSDTC for workflow apps, however, it is rarely used. Therefore it is really only called upon during install and service pack updates so certain components can be updated etc.

Up until now the recommendation has been to give the MSDTC resource a group (IP, Disk, Name) of its own.

MS now realise that as Exchange setups use this so rarely in most cases, it is fine to put it in the main cluster group.

See the following link for more:
http://blogs.technet.com/exchange/search.aspx?q=MSDTC&p=1

Wednesday, December 28, 2005

Exmerge permissions setup:

http://support.microsoft.com/?kbid=292509

Useful group policy site

http://www.gpanswers.com

For adding pictures:

Link for free picture hosting:
http://www.hello.com

Welcome.

Hi,

Welcome to my blog!

As it says in the description, I am intending to use this blog to post items relating to Microsoft Windows OSes. I am an I.T. Consultant currently working for a services company called PandA Computing in Reigate, UK.

I want to use this blog to share tips and tricks I learn from projects I work on.

One day, I hope to be an MVP so I am getting started with blogging to help me on my way!

Currently, I am working on RIS deployment and am about to rebuild my home network.

Hope people will find this useful and interesting, I am sure I will!!

Cheers

Nathan Winters