The ASK PFE Platform blog provides more insight into Read-Only Domain Controllers (RODCs) and why they are so special.
Read the blog post: MailBag: RODCs – krbtgt_#####, Orphans, and Load Balancing RODC Connection Objects
Windows 2008 changed the NSPI connection limit from unlimited to 50 connections. This can affect a number of applications, including Symantec, BlackBerry, and others.
The real issue involves 3rd party (non-Microsoft) products (again, like Symantec and BlackBerry).
Symantec may recommend setting this value to 0xffffffff (about 4 billion), which effectively rolls back the limit (to be fair, they do state that setting the maximum may not be desirable, and they provide a formula). I would not recommend setting NSPI to such a high value. Set it to 100 or 150 first to see if that resolves the issue, then increase the number gradually in steps of about 100.
The real issue is that the application needs to be fixed to handle the connection limit.
From Microsoft KB 949469:
To resolve this issue, check all NSPI connections that processes on the client create for connection leaks. For example, a call to the NspiBind function must have a corresponding call to the NspiUnbind function when an NSPI connection is no longer required. This operation may require that you debug any custom scripts or applications that are using NSPI. If this issue affects external applications, contact the software vendors for updates.
Note: The Outlook NSPI MAPI provider that is installed with Microsoft Outlook is only intended for use with Microsoft Outlook. External scripts and applications that rely on the Outlook NSPI MAPI provider are not supported.
References:
With Windows 2000 and Windows 2003, the DC had to be rebooted to enter Directory Services Restore Mode (DSRM). With Windows 2008 and 2008 R2, that is no longer necessary, because Active Directory (now Directory Services) runs as a service on the DC. However, Microsoft has added a limitation on logging on to DSRM on the DC: with the default setting, if the Directory Services service is stopped, one is unable to log on to DSRM.
Microsoft has an article that describes DSRM in Windows Server 2008.
DSRM Logon Settings:
| Value | Description |
|---|---|
| 0 (default for Windows Server 2008) | The DSRM Administrator account cannot be used to log on. You can only log on to the domain controller with a domain account. This requires an additional domain controller to authenticate the request and working connectivity, name resolution, authentication, and authorization between the local domain controller and the authenticating domain controller. |
| 1 (default for Windows Small Business Server 2008) | The DSRM Administrator account can be used to log on only when the AD DS service is stopped. This value can improve functionality by allowing more options for logging on to a domain controller. You might change the entry to this value in a domain that has a single domain controller, or on a domain controller that is on an isolated network, or on one that points to itself or other offline domain controllers exclusively for name resolution. |
| 2 | The DSRM Administrator account can be used to log on at any time. Using this value is not recommended because the DSRM Administrator account password is not checked against any password policy. |
Run this PowerShell command to enable DSRM logon on a DC with a stopped Directory Services service (the registry path must use the HKLM: PowerShell drive):
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 1 -PropertyType "DWORD"
Modify the -Value number in the PowerShell command to match the value desired in the table above.
Set the server to boot into DSRM:
bcdedit /set safeboot dsrepair
Restart-Computer
Remove the DSRM boot default (set to boot normally):
bcdedit /deletevalue safeboot
Restart-Computer
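The following is an added example, not code from the original post: it wraps the steps above into an audit-and-set helper that reports the current DsrmAdminLogonBehavior value and its meaning from the table, sets a new value (handling the case where the value already exists, which New-ItemProperty alone does not), and checks whether the current boot entry is still set to boot into DSRM. It assumes an elevated PowerShell session on the domain controller.

```powershell
# Added example (not from the original post). Audits and sets the DSRM logon
# behavior described above and checks for a pending DSRM boot. Run elevated on the DC.
$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'DsrmAdminLogonBehavior'

# Meanings taken from the table above.
$Meaning = @{
    0 = 'DSRM Administrator cannot log on (default, Windows Server 2008)'
    1 = 'DSRM Administrator can log on only while the AD DS service is stopped'
    2 = 'DSRM Administrator can log on at any time (not recommended: no password policy applies)'
}

function Get-DsrmLogonBehavior {
    # A missing value behaves like 0.
    $item  = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
    [pscustomobject]@{
        Value       = $value
        Meaning     = $Meaning[$value]
        Recommended = ($value -ne 2)   # flag the setting the table warns against
    }
}

function Set-DsrmLogonBehavior {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    if ($Value -eq 2) {
        Write-Warning 'Value 2 keeps the DSRM account usable at any time; prefer 1 and revert to 0 when done.'
    }
    # New-ItemProperty fails if the value already exists, so update in that case.
    if (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Value
    } else {
        New-ItemProperty -Path $LsaKey -Name $ValueName -Value $Value -PropertyType DWord | Out-Null
    }
    Get-DsrmLogonBehavior
}

function Test-DsrmBootPending {
    # True when "bcdedit /set safeboot dsrepair" is still in effect for the current boot entry.
    $bcd = bcdedit /enum '{current}' 2>$null
    [bool]($bcd -match '^\s*safeboot\s+dsrepair')
}

Get-DsrmLogonBehavior          # audit the current setting
Set-DsrmLogonBehavior -Value 1 # allow DSRM logon only while AD DS is stopped
Test-DsrmBootPending           # should be $false after "bcdedit /deletevalue safeboot"
```

Running Get-DsrmLogonBehavior across all DCs and reviewing any that return Recommended = $false is a quick way to confirm nobody left a DC at value 2 after a restore.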
http://technet.microsoft.com/en-us/library/cc732714(WS.10).aspx
Metcorp Consulting Tech Blog: Technical posts about IT