Anything for sysadmins!


Creating a GPO Central Store

If you're using GPOs, which you most likely are, then you're best off with a central store for your GPOs. The central store is located in the sysvol of the domain. You can find it on your domain controller or through \\domain\sysvol\.

To create a central store you have to create a folder in the sysvol for the policy definitions.

  • Navigate to \\<domain>\sysvol\<domain FQDN>\Policies\
  • Create the folder PolicyDefinitions
  • Create a subfolder in PolicyDefinitions

Now you have a central store, but what's a central store without contents. Let's copy the default files to it.

  • On your DC navigate to C:\Windows\PolicyDefinitions
  • Copy all the files and folders to your central store (ADMX files and language folders like en-US)

If you have any other ADMX files that you want to copy to your central store this is the time!

The central store is automatically consulted by the Group Policy Management Editor. All the installed ADMX templates should now be visible in the GPME under the Administrative Templates section. Here you'll also see that it's pulling from the central store.


Send as distribution group

In the Exchange GUI there's no option to provide someone the send-as permission on a distribution group. To do this you'll have fire up the Exchange Management Console.

[Powershell]Add-ADPermission <distribution group> -ExtendedRights Send-As -User <user> -AccessRights ExtendedRight | fl[/Powershell]

User: domain.local\<username>
Identity: domain.local/Distribution Groups/<distribution group>
Deny: False
AccessRights: {ExtendedRight}
ExtendedRights: {Send-As}
IsInherited: False
InheritedObjectType :
InheritanceType: All

You can use the Get-DistributionGroup command to pipe distribution groups to the Add-ADPermission command.

[Powershell]Get-DistributionGroup <distribution group name> | Add-ADPermission -ExtendedRights Send-As -User <user> -AccessRights ExtendedRight | fl[/Powershell]

Note: The settings need to propagate through the Exchange server's cache. This can take up to 2 hours. Until this time when you try to send from the distribution list, you'll get a message back stating that it's not allowed to send as this distribution list. You can force an update by restarting the Information Store, however the mailboxes will be unavailable until the service has restarted.


Kaspersky Admin Kit data backup task

During the setup of a new Kaspersky Administration Kit instance, I ran into a couple of issues. One of which was that the Administration Server data backup task was giving errors. The error was:

Severity: Error
Application: Kaspersky Administration Kit
Version number: 8.0.2090
Task name: Administration Server data backup
Computer: Administration Server <*********>
Group: Managed computers
Time: tuesday 24 august 2010 2:00:53
Description: Backup operation failed, check if SQL Server has access to the destination folder.

Unlike a lot of error messages this one is quite descriptive (Thank you Kaspersky!). Due to this it didn't take me long to figure out where the problem was.

I'm running the Admin Kit with a remote SQL server instead of running it with the SQL Express engine. The Admin Kit task assumes that the database is on the same server, thus local paths are used by default. To solve the problem create a share somewhere and provide access to the service account of the Admin Kit. Restart the backup task (this will take down the Admin Kit service for a couple of minutes) and presto!


Kaspersky Administration Kit service not starting

I've recently reinstalled the Kaspersky Administration Kit but after the installation the console wasn't able to connect. Soon I figured out that this was caused by the service of the admin kit that wasn't running. I tried starting the service manually, but after a refresh the service had stopped again. The event viewer didn't show any problems and there were no mentionable log files that showed what was going on.

As I installed the admin kit on a domain controller, I wasn't able to add the service account to the local administrators group. After adding the service account to the domain administrators group the service started as normal.

I'm still looking into how to make it work without adding it to the domain admins group. If you have any ideas, please let me know in a comment!


Event 10016 – DistributedCom

Although I've seen the DCOM error a lot, the one below needed a different approach than usual.

Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 23-8-2010 8:40:12
Event ID: 10016
Task Category: None
Level: Error
Keywords: Classic
Computer: server.domain.local
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} and APPID {B292921D-AF50-400C-9B75-0C57A7F29BA1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Event Xml:
<Event xmlns="">
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="49152">10016</EventID>
<TimeCreated SystemTime="2010-08-23T06:40:12.000000000Z" />
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Security UserID="S-1-5-18" />
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Launch</Data>
<Data Name="param4">{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}</Data>
<Data Name="param5">{B292921D-AF50-400C-9B75-0C57A7F29BA1}</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">SYSTEM</Data>
<Data Name="param8">S-1-5-18</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>

The event was triggered after installing and enabling the Kaspersky Administration Kit service. After some research I found a post on the Technet forums which told me what to do.

Seems like this error is related to the Network Access Protection Agent service. If this service isn't started, this error will occur. To stop the error change the startup type to automatic and start the service.

Tagged as: No Comments

How to setup mirroring for SQL databases

A good way of having a standby SQL server is to setup database mirroring. This will at least make sure that if the server goes down, you still have a hot standby. Having a witness server also enables you to do automatic failover. However setting this up using the GUI isn't well documented. Since I'm not that sure about my Transact-SQL skills, I rather use the GUI.

Start by making a backup of the DB and restore it on the designated mirror server.

Open the SQL Server Management Studio and expand the Databases folder.

Right-click the database you want to mirror and go to Tasks > Mirror

Click configure Security to continue.

Make sure that your firewall allows inbound connections on TCP port 1433 otherwise you won't be able to find your mirror server. Also make sure that the port set in the mirror security wizard is also allowed in your firewall.

If needed fill out the services accounts screen, otherwise just click next.

If you run into any errors, just check the logs. This error:

This means that the server is unreachable (firewall) or that the account that is trying to connect doesn't have connect permissions on the endpoint. This will show in the logs as well. All SQL service accounts of the principal, mirror and witness server need this permission!

Happy mirroring!


Migrating a mailbox from Exchange 2007 to Exchange 2010

Moving a mailbox from one forest with Exchange 2007 to a second forest with Exchange 2010 is always scary, even after extensive testing. However you have to do it at some point. Here's what you see at both ends.

Start with the Prepare-MoveRequest.ps1 command:

.\Prepare-MoveRequest.ps1 -Identity &lt;distinguishedname remote user account&gt; -RemoteForestDomainController &lt;remote dc&gt; -RemoteForestCredential $RemoteCredentials -LocalForestDomainController &lt;local dc&gt; -LocalForestCredential $LocalCredentials -LinkedMailUser -TargetMailUserOU &lt;distinguishedname local ou&gt; }

When successful, run the New-MoveRequest command:

New-MoveRequest -Identity &lt;distinguishedname local user account&gt; -RemoteLegacy -RemoteGlobalCatalog &lt;remote dc&gt; -RemoteCredential $RemoteCredentials -TargetDeliveryDomain &lt;domain.local&gt;

This will queue the MoveRequest and if there are no other MoveRequests running, it'll change to InProgress and start moving the data. When it's all done it will show that it's completed.

During the data move the mailbox can remain open. The changes made during the move will be copied afterwards.

After a short while Outlook will presented the user with a dialog: "The Microsoft Exchange administrator has made a change that requires you quit and restart Outlook.". Restart Outlook and see that it's connecting to the new server and forest. Experience shows that it might take a couple of minutes for the connection to the new exchange server to be made.

I've got to say that MS made this process quite unobtrusive! Kudos for that!


Outlook 2010 Social Connectors

Social connectors are perhaps one of the best new features of Outlook 2010. As the name implies, they allow you to get updates on your contacts through Outlook. It started out with only 1 connector, and 3 more have been added. You can find the links below:


Generating a certificate request for Exchange

Certificates are quite important in your Exchange environment. Most of us will have a certificate server that will be used to generate certificates for internal communications. If you have such a server and have to install certificates or renew your certificates, you will have to create a certificate request. To do this you have follow the steps below:

Make sure that you have a list of the alternate URLs that your certificate will be servicing, like: CAS array hostname, AutoDiscover hostname, webmail hostname, common server name, etc.

Do the following for all servers in your farm.

Using the Exchange Management Console

  1. Click on Server Configuration and select a server in the EMC
  2. Click on New Exchange Certificate
  3. Enter a friendly name for your certificate
  4. It's possible to use a wildcard certificate, however I don't recommend this as it loosens the security internally quite a bit!
  5. Check all the options that apply to you. This will generate a list that you'll able to edit later and assign the certificate to services. I've checked the following:
    1. Outlook Web App is on the Intranet
    2. Outlook Web App is on the Internet
    3. Exchange Active Sync is enabled
    4. Exchange Web Services is enabled
    5. Outlook Anywhere is enabled
    6. AutoDiscover is used on the internet (Long URL)
  6. Add all domains on your list in the certificate domains window
  7. Fill out all fields in the Organization and Location window also define a location for the request file

Using the Exchange Management Shell

Edit the following command and execute it in EMS:

New-ExchangeCertificate  -Server 'SERVER1' -FriendlyName 'Your Exchange Certificate Name' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=Country code,S="Region",L="City",O="Organization name",OU="Department Name",CN=CAS Array hostname' -DomainName 'server1.domain.local','server2.domain.local',''

You've now generated the certificate request file time to generate the certificate itself.

  1. Go to the URL of your certificate server (http://<servername>/certsrv/) and log in.
  2. Click on Request a certificate
  3. Click on advanced certificate request
  4. Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  5. Copy and paste the contents of the request file we generated earlier into the Base-64 encoded certificate request field
  6. Set the certificate template to Web Server (this option might not be available if you're using an account without the appropriate permissions)
  7. Click the submit button to have your request generated.

Download the certificate and import it in Exchange EMS or EMC (Import-ExchangeCertificate). You only have to assign the services to the certificate and you're all done except for testing if it works properly on all services.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Path\to\certnew.p7b" -Encoding byte -ReadCount 0)) -FriendlyName "Exchange Certificate Name you've entered with the creation"