Archive for Windows Server 2008

How to troubleshoot a locked account that keeps locking in Active Directory

// October 13th, 2009 // Windows Server 2003, Windows Server 2008

  1. Log in to a domain controller and download the Account Lockout Tools from Microsoft (http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en)
  2. Extract the contents to a directory on the server
  3. Open LockoutStatus.exe
  4. Select File and choose Select Target
  5. Type the user name that is locked and hit OK
  6. All the domain controllers should show up with the user state of the account.  If you look at the far right there is a table column.
  7. Now choose the domain controller that enabled the lock, right-click on it and choose Set Netlogon Logging
  8. Check the box for Misc Debug to enable logon errors to be recorded and click OK (this sets the flag for DBFlag to 0x4 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters)
  9. Now right-click the original lock domain controller and choose Unlock Account.  Right-click a DC and choose Refresh All.  If any DC is still showing the account locked then right-click on that DC and choose Unlock Account.
  10. Once the account is locked again, right-click on the DC that originated the lock and choose Open Netlogon Log
  11. Scroll to the bottom of the log and look for [LOGON] entries and then look at the error code at the end.  If it is 0x000006A the account is being submitted with a bad password.  This line entry should also list the IP or the computer name where the bad logon attempt originated.
  12. If the Netlogon.log file is too big then you can go to the DC and use nlparse.exe, included in the Account Lockout Tools, to choose which flags you want to parse from a Netlogon.log file and dump to a CSV.  The Netlogon.log is located in C:\Windows\Debug\ on a DC.  The output from nlparse.exe will dump a file to that same directory called Netlogon.log-Out.csv.

After finding the root cause of the lockout it’s advised to go back in and disable the Misc Debug flag to minimize the amount of logging being done in the Netlogon.log file.
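
For steps 11 and 12, an added PowerShell example (not part of the original post or of the Account Lockout Tools) that tallies failed [LOGON] entries per source machine. Netlogon.log writes the status as a full NTSTATUS value, so a bad password appears as 0xC000006A and a locked-out account as 0xC0000234; the sample lines, domain and host names are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample lines in the Netlogon.log [LOGON] layout (not from a real DC).
$sample = @'
10/13 09:14:02 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from WKSTN-042 Entered
10/13 09:14:02 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from WKSTN-042 Returns 0xC000006A
10/13 09:14:07 [LOGON] SamLogon: Transitive Network logon of CONTOSO\jdoe from PHONE-SYNC (via MAIL01) Returns 0xC000006A
10/13 09:14:09 [MISC] DsGetDcName function called: Dom:CONTOSO Acct:(null) Flags: DS
10/13 09:14:15 [LOGON] SamLogon: Network logon of CONTOSO\asmith from WKSTN-007 Returns 0x0
10/13 09:14:21 [LOGON] SamLogon: Transitive Network logon of CONTOSO\jdoe from PHONE-SYNC (via MAIL01) Returns 0xC0000234
'@ -split "`r?`n"

# NTSTATUS values worth reporting during a lockout investigation.
$StatusNames = @{
    '0xC000006A' = 'Bad password'
    '0xC0000234' = 'Account locked out'
}

function Get-NetlogonFailure {
    param(
        [string[]]$Line,   # raw log lines; blank lines are tolerated
        [string]$User      # account name without the domain; omit to report all users
    )
    $pattern = '^(?<date>\d{2}/\d{2}) (?<time>\d{2}:\d{2}:\d{2}) \[LOGON\] .*logon of ' +
               '(?<account>\S+) from (?<source>\S+)(?: \(via (?<via>[^)]+)\))? ' +
               'Returns (?<status>0x[0-9A-Fa-f]+)\s*$'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            $reason = $StatusNames[$Matches.status]
            if (-not $reason) { continue }   # success or a status not tracked here
            if ($User -and $Matches.account -notlike "*\$User") { continue }
            [pscustomobject]@{
                When    = "$($Matches.date) $($Matches.time)"
                Account = $Matches.account
                Source  = $Matches.source   # machine that submitted the credentials
                Via     = $Matches.via      # server that passed the logon to the DC, if any
                Reason  = $reason
            }
        }
    }
}

# Which machines are sending bad credentials for jdoe, most frequent first?
Get-NetlogonFailure -Line $sample -User 'jdoe' |
    Group-Object Source, Via, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Against a real log: Get-NetlogonFailure -Line (Get-Content C:\Windows\Debug\Netlogon.log) -User 'jdoe'
```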

Microsoft releases Microsoft IT Environment Health Scanner

// August 10th, 2009 // SBS 2008, Windows Server 2003, Windows Server 2008

This tool is great for any consultant or IT technician who needs to validate a domain’s health before going through an upgrade process.    This is just one more tool that Microsoft has released that makes our job even easier.  Here’s a description courtesy of Microsoft:

“The Microsoft IT Environment Health Scanner is a diagnostic tool that is designed for administrators of small or medium-sized networks (recommended up to 20 servers and up to 500 client computers) who want to assess the overall health of their network infrastructure. The tool identifies common problems that can prevent your network environment from functioning properly as well as problems that can interfere with infrastructure upgrades, deployments, and migration.

When run from a computer with the proper network access, the tool takes a few minutes to scan your IT environment, perform more than 100 separate checks, and collect and analyze information about the following:

  • Configuration of sites and subnets in Active Directory
  • Replication of Active Directory, the file system, and SYSVOL shared folders
  • Name resolution by the Domain Name System (DNS)
  • Configuration of the network adapters of all domain controllers, DNS servers, and e-mail servers running Microsoft Exchange Server
  • Health of the domain controllers
  • Configuration of the Network Time Protocol (NTP) for all domain controllers”

You can download it here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=dd7a00df-1a5b-4fb6-a8a6-657a7968bd11&displaylang=en

How to Commit SP2 to Windows Server 2008 and Vista

// July 27th, 2009 // Windows Server 2008, Windows Vista

When I say commit, I mean cleaning up the service pack and removing your ability to roll back.  Microsoft provides a tool called COMPCLN.exe (Windows Component Clean Tool) that allows you to simply commit SP2 and clean up some space.  Obviously, if you ever want to have the ability to remove SP2 then DO NOT follow this.  If you find that SP2 works great and you want to clear space, do the following:

  1. Click Start and in the Search Bar type command.
  2. Right-click on Command Prompt and choose Run as Administrator.
  3. Now just type COMPCLN.exe and hit enter.
  4. You will get the following prompt: This operation will make all service packs and other packages permanent on this computer. Upon completion you will not be able to remove any cleaned packages from this system.
  5. Type Y to accept and reclaim the disk space.  You should reclaim about 700 MB of space.

Windows Server 2008 Step-by-Step Guides

// May 11th, 2009 // Windows Server 2008

This is a huge time saver for testing and deploying Windows Server 2008:

http://www.microsoft.com/downloads/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5-acaf31de6dce&DisplayLang=en#filelist

Dynamics CRM 4 Email Connector and IIS 7 Issue

// April 28th, 2009 // Dynamics CRM 4, IIS 7

I was recently rolling out a test environment for CRM 4 and trying to get the email connector working. I was looking through the logs and I couldn’t figure out why suddenly the mail connector would stop searching email. I noticed that it was getting a 401 error so I did some troubleshooting and it looks like it’s an issue with IIS 7 and how CRM 4 sends multiple requests. I was able to fix the problem by simply going through and turning on double-encoded requests. This normally is turned off to protect against attacks but to get it working internally I had to disable it. To enable double escaping just drop to a command prompt and type the following (if the site is different please change it):

c:\windows\system32\inetsrv\appcmd set config "Default Web Site" -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true

If you want to read more about the protection please go here:

http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/
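
What the double-escaping protection looks for, as an added PowerShell example (not code from the original post or from IIS). It is a simplified model that assumes [uri]::UnescapeDataString stands in for the server's decoder: a path is flagged when decoding it a second time still changes it. The request paths are constructed.

```powershell
# Simplified model of the double-escaping check: decode the path twice and
# flag it when the second pass still changes the result.
function Test-DoubleEscaped {
    param([string]$Path)
    $once  = [uri]::UnescapeDataString($Path)
    $twice = [uri]::UnescapeDataString($once)
    [pscustomobject]@{
        Path          = $Path
        FirstDecode   = $once    # what request filtering evaluates
        SecondDecode  = $twice   # what a component that decodes again would see
        DoubleEscaped = ($once -cne $twice)
    }
}

# Constructed request paths (not taken from a real CRM or IIS log).
$paths = @(
    '/app/service.asmx'       # no escapes
    '/app/Inbox%20Rules'      # space escaped once: passes
    '/app/Inbox%2520Rules'    # space escaped twice: flagged
    '/app/folder%252Fitem'    # slash escaped twice: flagged
)

$paths | ForEach-Object { Test-DoubleEscaped -Path $_ } | Format-Table -AutoSize
```

With allowDoubleEscaping set to true, the flagged paths are passed through, so anything behind the site that decodes a second time sees a different path from the one the filter evaluated. That is the reason to apply the setting only to the site that needs it.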