Lock Your Workstation

I’m sure you are like me when it comes to locking your desktop.  You ALWAYS do it.  Most if not all corporations today have a group policy in place that at least sets the Screen Saver on after a certain amount of time and requires a password for security reasons (User Configuration – Administrative Templates – Control Panel – Personalization – Password protect the screen saver).

You know as well as I do that there is always that one person that seems to always forget to lock their workstation.  Sure the group policy will kick in…eventually.  During that time the system is unlocked and the data vulnerable.

Since I’m such a huge fan of shortcuts I have two for the price of one today.  I will show you two methods to lock your workstation…even for those very forgetful people.

Method 1 (and what I think is the easiest)

By pressing the Windows key and L on the keyboard you effectively lock the system.  I use this one ALL the time.  It is the quickest method that I know.  However some people are not so keyboard shortcut friendly.

Method 2

For the people that prefer to use their mouse here are several steps to create a desktop shortcut.  This method is very similar to the post I had on creating a shortcut for the Network Properties in Server 2008.

1. Wherever you want the shortcut created (I recommend the Desktop), right-click and select New –> Shortcut.


2. Enter the following in the location field: rundll32.exe user32.dll,LockWorkStation



3. Click Next and type whatever you would like the name of the Shortcut Icon to appear as and click Finish.



4. Time to change the way the icon looks – right-click on the newly created shortcut and select Properties.


5. Click the Change Icon… button, change the path to %SystemRoot%\system32\SHELL32.dll and pick whichever icon you prefer.


6. We finally have an icon on the Desktop that locks the workstation.


I personally love it when people at work leave their workstations unlocked.  Like a lot of you, I’m sure you like to teach that person a lesson.  Perhaps mess with the background…a nice screensaver message on how much they look up to me!

Initiate Replication across all Partitions and DCs

It seems I’m always trying to remember this little command and it’s about time I put it here where I can always access it in the future.  This isn’t a new command but it is a nifty little one that will initiate replication across your environment.

Repadmin /syncall /APed

I prefer to run it from the DC (which is why the DC_name is left out after /syncall) and from the command line so I can pipe the output to a text file.
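As an added example (not from the original post), here is the same command wrapped so the output lands in a timestamped text file and the log is scanned for error lines before you read it.  It assumes you run it on a DC (so repadmin.exe is on the path) and that the log folder is writable.

```powershell
# Runs "repadmin /syncall /APed", saves the full output, and returns a short summary.
function Invoke-ForestSyncAll {
    param(
        [string]$LogDir = "$env:SystemDrive\ReplLogs",   # assumed location for the text files
        [string]$DC = ''                                  # leave empty when running on the DC itself
    )

    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $logFile = Join-Path $LogDir ("syncall-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))

    # /A all partitions, /P push from this DC, /e across sites (enterprise), /d show DNs instead of GUIDs
    $cmdArgs = @('/syncall')
    if ($DC) { $cmdArgs += $DC }
    $cmdArgs += '/APed'

    $output = & repadmin.exe @cmdArgs 2>&1
    $output | Out-File -FilePath $logFile -Encoding ASCII

    # Anything mentioning an error or failure is worth a look; the success line is what repadmin
    # prints when every partition replicated.
    $problemLines = @($output | Where-Object { $_ -match 'error|fail' })
    $finished     = @($output | Where-Object { $_ -match 'SyncAll terminated with no errors' })

    New-Object PSObject -Property @{
        LogFile      = $logFile
        OutputLines  = @($output).Count
        ProblemLines = $problemLines.Count
        Succeeded    = ($finished.Count -gt 0 -and $problemLines.Count -eq 0)
    }
}

Invoke-ForestSyncAll | Format-List
```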

Windows Event log limitations

Not sure how many people modify the size of the Windows Event Logs but it is something that I like to do simply because the default sizes of most of them are just not enough.  For example you may remember the default for your System and Application log files was a measly 512kb.  That logged all of about a day on a really busy application server.

The problem with Server 2003 was that the recommended maximum size for a log file was only around 300mb and the maximum total size for all Event Log files was around 400mb.  You do the math and you can see that realistically you aren’t going to be able to realize the benefits of having larger Event Log file sizes.

This has to do with Windows storing the logs in memory.  As you can tell, a 32-bit system would run into some serious memory issues if you wanted to expand the size of several of these.  Thankfully in Server 2008 this has changed.  Microsoft has increased the recommended maximum size of a log file up to 4gb and the total for all of them up to 16gb.  Of course you will want to make sure you’re running the x64 flavor of Server 2008 to really see this advantage.

Take a look at the following knowledgebase from Microsoft for more info.
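As an added example (not from the original post), the script below reports each classic event log’s configured maximum, adds them up against the ceilings quoted above (about 400mb in total on Server 2003, 16gb on x64 Server 2008), and with -Apply raises any log below a floor you choose.  It assumes Windows PowerShell 2.0 (Get-EventLog / Limit-EventLog) and an elevated prompt; the Security log in particular needs elevation to resize.

```powershell
# Audit and optionally raise the maximum size of the classic event logs.
function Set-EventLogFloor {
    param([int]$FloorMB = 64, [switch]$Apply)

    $os   = Get-WmiObject Win32_OperatingSystem
    $is64 = $os.OSArchitecture -like '64*'                 # property exists on Vista/2008 and later
    $isV6 = ([version]$os.Version).Major -ge 6             # Vista / Server 2008 kernel
    # Assumption: only x64 Server 2008 gets the 16 GB figure from the post; everything else
    # (Server 2003, or 32-bit 2008) is held to the Server 2003 figure of roughly 400 MB.
    $ceilingMB = if ($is64 -and $isV6) { 16384 } else { 400 }

    $report = foreach ($log in (Get-EventLog -List)) {
        $currentMB = [int]($log.MaximumKilobytes / 1024)
        $raise     = $currentMB -lt $FloorMB
        $targetMB  = $currentMB
        if ($raise) {
            $targetMB = $FloorMB
            if ($Apply) {
                # -MaximumSize is in bytes; OverwriteAsNeeded keeps a full log from stalling logging
                Limit-EventLog -LogName $log.Log -MaximumSize ($FloorMB * 1MB) -OverflowAction OverwriteAsNeeded
            }
        }
        New-Object PSObject -Property @{
            Log       = $log.Log
            CurrentMB = $currentMB
            TargetMB  = $targetMB
            Raised    = $raise
        }
    }

    # The post's point: the logs live in memory, so the sum matters, not just the biggest one.
    $totalMB = ($report | Measure-Object -Property TargetMB -Sum).Sum
    if ($totalMB -gt $ceilingMB) {
        Write-Warning "Configured log total of $totalMB MB exceeds the $ceilingMB MB ceiling for this platform"
    }
    $report | Sort-Object Log
}

# Report only; add -Apply to actually change the sizes.
Set-EventLogFloor -FloorMB 64 | Format-Table Log, CurrentMB, TargetMB, Raised -AutoSize
```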

What W32tm is it anyway?

My daughter Alyssa and I play a game…well she might not consider it a game but she is constantly asking me “What time is it without looking?”.  I’ve actually gotten pretty good at it and can usually get within a few minutes.  Not sure why she likes to play, but perhaps time is something they recently talked about at school because she seems obsessed with it.  I keep telling her that at 6 she really shouldn’t worry too much about time.

Although time may not be important for my daughter, it is immensely important for Active Directory.  Most AD admins know that domain controllers and clients need to be within 5 mins of each other to work correctly.  If your time was out by 5 or more minutes the client would not be able to authenticate.  What most AD admins might not know is that time doesn’t just affect AD, it can also affect certain time-sensitive applications.  I don’t know of any out-of-the-box ones from Microsoft but organizations have plenty of custom built apps that may depend on time being in sync.  I’ve seen custom applications that need to be accurate to within less than a second.

Let’s take a look at how time synchronization works in an Active Directory forest.  The magic all starts in the root domain (I always wanted to use that in my blog).  The PDC Emulator (PDCe) is solely responsible for time synchronization and uses the Network Time Protocol (NTP) on UDP port 123.  You will want to sync the PDCe with a reliable source, either internal (perhaps a router) or external.  The problem with going external is that there is less security because of the lack of authentication and verifiable authenticity.

Clients and servers in your forest root domain will sync their time with any DC in the forest root.  This is all configured in the registry at the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.  Domain members have the Type value set to Nt5DS, which configures them to use the domain hierarchy for time.  Some people change this to NTP, which means the machine will go to a specific time source besides the PDCe, but I prefer to keep the default here because it works!  If you’re crazy enough you could configure it so that it relies on the CMOS clock…I just don’t have enough faith in the batteries for that.

If you have child domains or other tree roots in your forest, realize that the forest root PDCe is STILL the authority for forest-wide time synchronization.  The PDCe for each child domain will sync its time with the forest root PDCe or any DC in the root (but those root DCs get their time from the PDCe).  The clients and servers in the child domain will always go to a DC in their own domain, so they should never go up to the forest root domain.  Clients poll the time every 45 minutes by default.  After three successful synchronizations the polling interval increases to 8 hours.  Below is a great illustration of how time works in a multi-domain forest.

[Illustration: time synchronization flow in a multi-domain forest]

To configure your forest root PDCe with a valid time source you should use the w32tm command:
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
You can, and I recommend you do, add multiple peers by simply putting a space between them.  Please don’t forget to run this command on the DC that you have designated to take over the PDCe role during downtime (for example, patching).

To test how closely your time is synced you can use the w32tm command again, except this time we get a really cool command prompt chart…hey, it’s the simple things in life that get me.
w32tm /stripchart /computer:target /samples:n
Replace target with the name of the forest root PDCe.  I prefer to get 10 samples but you can go for whatever amount you like.  This will tell you the difference between the clocks.  More info can be found on w32tm here.

The Microsoft Directory Services team has a great blog that talks about high accuracy in w32tm and why they don’t support it.  This is a must read for all AD admins.  Don’t forget to set up an RSS feed to the Windows Time Service blog as well.

I would recommend baselining the time difference in your environment so that if an issue does occur you will know what the normal state is for your time differential.  You may also want to include some monitoring that can alert you to time drift using the baseline numbers you’ve collected.  I would also recommend talking to your developers to ensure they understand how time works in the environment.
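As an added example (not from the original post), this function locates the forest root PDCe, reads the local W32Time Type value from the registry path above, runs the stripchart against the PDCe and compares the measured offsets to a threshold, so it can double as the drift monitor suggested above.  It assumes a domain-joined machine running Windows PowerShell; the peer names in the commented /config line are placeholders.

```powershell
# Measure this machine's clock offset from the forest root PDCe and judge it against a baseline.
function Test-TimeAgainstPdce {
    param(
        [int]$Samples = 10,                 # the post's preferred sample count
        [double]$ThresholdSeconds = 1.0     # assumed baseline; Kerberos tolerates 300, custom apps may need < 1
    )

    # The forest root PDCe is the time authority for the whole forest.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $pdce   = $forest.RootDomain.PdcRoleOwner.Name

    # Nt5DS means "follow the domain hierarchy"; NTP means a manually configured source.
    $w32Type = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type

    # /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample; headers and errors are skipped below.
    $raw = & w32tm /stripchart /computer:$pdce /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($line in $raw) {
        if ("$line" -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) { throw "No samples returned from $pdce. Output: $($raw -join ' | ')" }

    $stats = $offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum -Average
    New-Object PSObject -Property @{
        Pdce            = $pdce
        LocalType       = $w32Type
        Samples         = $offsets.Count
        MaxOffsetSec    = $stats.Maximum
        AvgOffsetSec    = [math]::Round($stats.Average, 6)
        WithinThreshold = ($stats.Maximum -le $ThresholdSeconds)
    }
}

# On the PDCe itself (and on the DC you fail the role over to), the post's /config step; note that
# a list of several peers has to be quoted so the spaces survive:
#   w32tm /config /manualpeerlist:"ntp1.example.com ntp2.example.com" /syncfromflags:manual /reliable:yes /update

Test-TimeAgainstPdce -Samples 10 -ThresholdSeconds 1.0 | Format-List
```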

Hopefully this sheds some light on how time works in an Active Directory forest and also how you can control and tweak it.  Oh, and if you’re bored try playing the time game…it’s a great exercise for your mind and internal clock! :)

Easy Way to View Windows Server 2008 and Vista’s Network Card Properties

That has to be the longest title I’ve ever had in any blog.  In my opinion this has the ability to be the best post I’ve ever created too.  The reason being that I’m always looking for ways to make my life easier…and then share them with you.  EVERY single person I’ve spoken to about Windows Server 2008 has been frustrated with the number of clicks and initial confusion on how to get to the Network Card properties.  Hopefully this will help.

The plan is to create a custom shortcut and copy it to the desktop for easy access (isn’t it always about easy access?).

1. Wherever you want the shortcut created (I recommend the Desktop), right-click and select New –> Shortcut.


2. Enter the following path in the location field: C:\windows\System32\ncpa.cpl



3. Click Next and type whatever you would like the name of the Shortcut Icon to appear as.



4. Time to change the way the icon looks – right-click on the newly created shortcut and select Properties.



5. Click the Change Icon… button and pick whichever icon you prefer.



6. We finally have an icon available to view the Network Interfaces on our Windows Server 2008 and Vista machines.


NOTE:

Unlike Windows 2000 and 2003, where you had to right-click and select Properties, here you will have to double-click the icon…which I think is just a bit easier.
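As an added example (not from this post or the “Lock Your Workstation” post above), the script below builds both desktop shortcuts described in those click-through steps, the rundll32.exe user32.dll,LockWorkStation one and the ncpa.cpl one, so they can be dropped into a logon script for the forgetful.  It uses the WScript.Shell COM object, which is present on Vista and Server 2008; the shortcut names and icon index are my own choices.

```powershell
# Create a .lnk on the current user's Desktop without going through the New Shortcut wizard.
function New-DesktopShortcut {
    param(
        [Parameter(Mandatory = $true)][string]$Name,         # file name of the .lnk (without extension)
        [Parameter(Mandatory = $true)][string]$TargetPath,   # program or control panel applet to launch
        [string]$Arguments = '',
        [string]$IconLocation = ''                           # "path,index", same pair the Change Icon dialog uses
    )
    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop "$Name.lnk"

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $TargetPath
    $lnk.Arguments  = $Arguments
    if ($IconLocation) { $lnk.IconLocation = $IconLocation }
    $lnk.Save()

    if (-not (Test-Path $lnkPath)) { throw "Shortcut was not written: $lnkPath" }
    return $lnkPath
}

$sys32 = Join-Path $env:SystemRoot 'System32'

# "Lock Your Workstation", Method 2. The icon index after the comma is arbitrary here;
# change it to whichever SHELL32.dll icon you picked in step 5.
New-DesktopShortcut -Name 'Lock Workstation' `
    -TargetPath (Join-Path $sys32 'rundll32.exe') `
    -Arguments 'user32.dll,LockWorkStation' `
    -IconLocation "$sys32\SHELL32.dll,0"

# "Easy Way to View ... Network Card Properties": double-clicking this opens ncpa.cpl.
New-DesktopShortcut -Name 'Network Connections' -TargetPath (Join-Path $sys32 'ncpa.cpl')
```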

RSAT Missing Tabs in Active Directory Users and Computers

Some of you may have noticed there were some missing tabs in Active Directory Users and Computers after you installed RSAT on Windows Vista.  Specifically the Terminal Services Profile, Remote Control, Environment, and Sessions tabs are not there.  The reason behind this is that Windows Vista is missing TSUSEREX.DLL…basically it can’t be a Terminal Server.

Ned from the Directory Services team has posted an unsupported fix for this on the Directory Services blog.  I snagged the fix here for you to see.
  1. You can use your Windows Server 2008 AD Users and Computers snap-in by terminal serving into the remote administration sessions.
  2. You can make your RSAT DSA.MSC work the way you’d expect by taking the following unsupported steps:

A. Locate a Win2008 Server which has DSA.MSC installed via Server Manager features/roles. The installed OS platform architecture must match your client (so use 32-bit OS server if using 32-bit OS client, and the same for 64-bit).

B. Locate the following two files:

%systemroot%\system32\tsuserex.dll
%systemroot%\system32\en-us\tsuserex.dll.mui

(NOTE: If not running US English, the path would not be EN-US; it would be the language(s) running on the server)

C. Copy these two files to the Vista machine running RSAT tools and place them in the same paths.

D. Run as an administrator:

regsvr32.exe tsuserex.dll

E. Start DSA.MSC on the Vista machine and look at a user’s properties – the tabs will now be there.
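As an added example (not from the post and not Ned’s own fix), this script automates steps A to E above and does the architecture comparison from step A before it copies anything.  It assumes the source server still exposes the default admin$ share, that you run it elevated on the Vista RSAT machine, and that $Server and the language folder are placeholders you edit.

```powershell
# Copy tsuserex.dll and its MUI file from a matching Win2008 server and register them locally.
param(
    [string]$Server = 'SERVER2008-PLACEHOLDER',   # placeholder: a Win2008 server with DSA.MSC installed
    [string]$Lang   = 'en-us'                     # change if the server runs another language
)

# Step A: the OS architecture of client and server must match.
$localArch  = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
$remoteArch = (Get-WmiObject Win32_OperatingSystem -ComputerName $Server).OSArchitecture
if ($localArch -ne $remoteArch) {
    throw "Architecture mismatch: local is $localArch, $Server is $remoteArch"
}

# Steps B and C: the two files, read over the admin$ share and placed in the same paths here.
$files = @(
    @{ Source = "\\$Server\admin`$\system32\tsuserex.dll"
       Dest   = "$env:SystemRoot\system32\tsuserex.dll" },
    @{ Source = "\\$Server\admin`$\system32\$Lang\tsuserex.dll.mui"
       Dest   = "$env:SystemRoot\system32\$Lang\tsuserex.dll.mui" }
)
foreach ($f in $files) {
    if (-not (Test-Path $f.Source)) { throw "Not found on server: $($f.Source)" }
    $destDir = Split-Path $f.Dest -Parent
    if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir | Out-Null }
    # Keep a copy of anything already there so the unsupported change can be backed out.
    if (Test-Path $f.Dest) { Copy-Item $f.Dest "$($f.Dest).bak" -Force }
    Copy-Item $f.Source $f.Dest -Force
}

# Step D: register the DLL (/s suppresses the dialog so the exit code is the only signal).
& regsvr32.exe /s "$env:SystemRoot\system32\tsuserex.dll"
if ($LASTEXITCODE -ne 0) { throw "regsvr32 failed with exit code $LASTEXITCODE" }

# Step E is manual: open DSA.MSC and check a user's properties for the Terminal Services tabs.
Write-Output "tsuserex.dll registered; start DSA.MSC to confirm the tabs are back."
```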

Windows Vista Remote Server Administration Tools (RSAT) Finally Released

It looks like Microsoft finally released RSAT for Windows Vista.  What a relief.  We can finally effectively manage our environment with Vista.  It can be downloaded in two versions, 32-bit or 64-bit.

What Is Included in RSAT?

This is the list of Windows Server 2008 administration tools which are included in RSAT:

Role Administration Tools:

  • Active Directory Certificate Services (AD CS) Tools
  • Active Directory Domain Services (AD DS) Tools
  • Active Directory Lightweight Directory Services (AD LDS) Tools
  • DHCP Server Service Tools
  • DNS Server Service Tools
  • Shared Folders Tools
  • Network Policy and Access Services Tools
  • Terminal Services Tools
  • Universal Description, Discovery, and Integration (UDDI) Services Tools

Feature Administration Tools:

  • BitLocker Drive Encryption Tools
  • Failover Clustering Tools
  • Group Policy Management Tools
  • Network Load Balancing Tools
  • SMTP Server Tools
  • Storage Manager for SANs Tools
  • Windows System Resource Manager Tools

The tools in the following list are fully supported for managing Windows Server 2003 servers as well:

  • Active Directory Domain Services (AD DS) Tools
  • Active Directory Lightweight Directory Services (AD LDS) Tools
  • Active Directory Certificate Services (AD CS) Tools
  • DHCP Server Tools
  • DNS Server Tools
  • Group Policy Management Tools
  • Network Load Balancing Tools
  • Terminal Services Tools
  • Universal Description, Discovery, and Integration (UDDI) Services Tools



Thanks Kendall for the heads up email on this.

Group Policy Spreadsheet for Server 2008 and Vista SP1

I’ve always loved these spreadsheets as they allow a quick and easy way to search for Group Policies.  With Server 2008 live and Vista SP1 out, Microsoft has updated their reference sheet to add all the new Group Policy settings.  There are now over 2700 settings you can apply in your environment…have fun!

AdminPak (Remote Server Administration Tools) for Windows Vista Almost Ready

This has been a hot topic here for a long time.  Back in May I mentioned that there was going to be no AdminPak and sure enough that was confirmed.  Microsoft’s decision was to create a new tool called the Remote Server Administration Tools.  Back in June Microsoft said it would be released with Vista SP1.

We now finally have the ability to test the Remote Server Administration Tools out by participating in the beta.  Go here to get involved and PROVIDE your feedback directly to Microsoft: http://connect.microsoft.com/windows/Downloads/DownloadDetails.aspx?DownloadID=9561

It appears the link is currently not working.  Keep trying to ensure you get into the beta.  I’ll update here when I confirm it works.

There will be a chat hosted by Microsoft on the 3rd of December, so this would be another great time to let them know how it works:


Please join Microsoft for a live chat on Monday, December 3, 2007 at 12:00 – 1:00 pm PST and get all your questions about Remote Server Administration Tools answered:
Link: http://www.microsoft.com/communities/chats/chatrooms/beta.aspx 
Password: 43322110SAT


I haven’t had time yet to play with this so I would love to hear what you think of the new tools.  Please leave comments and let the community know.

Windows Vista Performance and Reliability Patches

While it’s not Service Pack 1, these next two patches definitely contain quite a few needed fixes for Windows Vista.

This first one addresses the following issues:

  • You experience a long delay when you try to exit the Photos screen saver.
  • A memory leak occurs when you use the Windows Energy screen saver.
  • If User Account Control is disabled on the computer, you cannot install a network printer successfully. This problem occurs if the network printer is hosted by a Windows XP-based or a Windows Server 2003-based computer.
  • When you write data to an AVI file by using the AVIStreamWrite function, the file header of the AVI file is corrupted.
  • When you copy or move a large file, the “estimated time remaining” takes a long time to be calculated and displayed.
  • After you resume the computer from hibernation, it takes a long time to display the logon screen.
  • When you synchronize an offline file to a server, the offline file is corrupted.
  • If you edit an image file that uses the RAW image format, data loss occurs in the image file. This problem occurs if the RAW image is from any of the following digital SLR camera models:
    • Canon EOS 1D
    • Canon EOS 1DS
  • After you resume the computer from hibernation, the computer loses its default gateway address.
  • Poor memory management performance occurs.

The second one addresses the following issues:

  • The screen may go blank when you try to upgrade the video driver.
  • The computer stops responding, and you receive a “Display driver stopped responding and has recovered” error message. You can restart the computer only by pressing the computer’s power button.
  • The computer stops responding or restarts unexpectedly when you play video games or perform desktop operations.
  • The Diagnostic Policy Service (DPS) stops responding when the computer is under heavy load or when very little memory is available. This problem prevents diagnostics from working.
  • The screen goes blank after an external display device that is connected to the computer is turned off. For example, this problem may occur when a projector is turned off during a presentation.
  • A computer that has NVIDIA G80 series graphic drivers installed stops responding.
  • Visual appearance issues occur when you play graphics-intensive games.
  • You experience poor playback quality when you play HD DVD disks or Blu-ray disks on a large monitor.
  • Applications that load the Netcfgx.dll component exit unexpectedly.
  • Windows Calendar exits unexpectedly after you create a new appointment, create a new task, and then restart the computer.
  • Internet Connection Sharing stops responding after you upgrade a computer that is running Microsoft Windows XP to Windows Vista and then restart the computer.
  • The Printer Spooler service stops unexpectedly.
  • You receive a “Stop 0x0000009F” error when you put the computer to sleep while a Point-to-Point Protocol (PPP) connection is active.

I hope if you were having issues with your PC running Vista that this helps.
