ItsPronounced's questions

I was trying to create a new Receive Connector on my older Exchange 2007 SP3 server (planning underway to upgrade later this year) and when it failed I did some research. The solution I found Here (I got the exact same error) included running setup.exe /PrepareSchema from the SP3 setup files on the server to correctly setup the active directory schema. Before trying this I wanted to find out if running the prepareschema on an existing server would cause any issues. I came across one blog here that worried me. It said in short, that if inherited permissions were disabled for objects in Active Directory, the prepareschema command would fail and might give problems with mailflow.

I followed the steps to and downloaded adfind and ran the command he supplied and the adfind tool returned several user and group objects, but I'm not quite sure if it's telling me they have inherited permissions disabled or not.

It's a small server, with only about 20 mailboxes, but when I ran the command

adfind -b "DC=domain,DC=name" -sddl++ ntsecuritydescriptor -onlydaclflag -resolvesids -list -csv | find /i "(FLAGS:PROTECTED INHERIT)" | find /v /i "CN=Policies,CN=System"

it returned a row for several users that hav a mailbox on the server, and some WMIPolicy and System objects, and it looked like this:

"CN=FirstName LastName,CN=Users,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=VolumeTable,CN=FileLinks,CN=System,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=Cert Publishers,CN=Users,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=Schema Admins,CN=Users,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=Replicator,CN=Builtin,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=WMIPolicy,CN=System,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=SOM,CN=WMIPolicy,CN=System,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"

It seems to be a mixture of users and group objects but I'm not really sure, and I'm not sure if it's saying they indeed have inheritance disabled, and if that's a bad thing or not. All these objects are in my BUILTIN or USERS organizational unit from what I can tell, and it's only 28 objects.

Would it be safe to run the PrepareSchema command considering this information?

I migrated all my mailboxes, OAB, etc to a new Exchange 2007 Server (from 2007) last week. The only issue I'm having now is uninstalling the old Exchange from the server so I can shut down. When I try I get the error:

    Mailbox Role Checks              ......................... FAILED
     Uninstall cannot continue. Database 'Public Folder Database': The public fo
lder database "EXCHSVR2007\Second Storage Group\Public Folder Database" is t
he default public folder database for the following mailbox database(s):
EXCHSVR2007\First Storage Group\Mailbox Database
EXCHSVR2007\First Storage Group\second
. Before deleting the public folder database, assign a new public folder databas
e to the mailbox database(s).

I tried pointing the old mailbox store to the new public folder store on the new server and when I try again it gives me this error:

        Mailbox Role Checks              ......................... FAILED
     Uninstall cannot continue. Database 'Public Folder Database': The public fo
lder database "PXE-EXCHSVR2007\Second Storage Group\Public Folder Database" cont
ains folder replicas. Before deleting the public folder database, remove the fol
ders or move the replicas to another public folder database. For detailed instru
ctions about how to remove a public folder database, see http://go.microsoft.com
/fwlink/?linkid=81409.

I've run the MoveAllReplicas script last week. I'm not sure how else to remove the replicas.

I'm working on migrating our current terminal server (Windows Server 2008 R2) to a new server with Server 2016. I've installed all the roles on the new server and setup my apps. Works perfectly (almost) through RemoteApp Website. However I can't figure out for the life of me how to create an MSI executable of any of my apps I publish on the Server 2016 terminal server. This was so simple in Server 2008 (see below).

How can I do this in Server 2016? I was able to create one by logging into my Server 2008 TS REMOTE APP MANAGER and connecting to my Server 2016 Terminal server. It created the MSI but it's dicey and when I install the app on a client the icon is "damaged" and corrupted looking.

Is there a better way to make an MSI Executable directly on the Server 2016 terminal server? I plan on decomissioning the old 2008 Server anyway once I have the new Server 2016 up and running.

The whole process for managing terminal services in 2016 seems to have taken a step back and become difficult. At this point I kind of regret purchasing the licenses for it.

Yesterday I demoted a domain controller, removed it from the domain and shut it down. My new Primary Domain Controller is up and running just fine (along with a secondary). Replication status is normal and doesn't show the old DC.

However, when I go into Active Directory Sites and Services -> SITE NAME -> Servers I still see the old DC. If I expand it there is nothing (unlike the other DC's which have NTDS Settings).

Is it ok to delete this server? It doesn't show up in the DOMAIN CONTROLLER organizational unit under Active Directory Users and Computers.

I'm getting ready to promote our current domain from a Server 2008 R2 server to Server 2016. All dcdiag checks and replmon checks are good and looks to be ready. However I've been doing reading on DFSR and realized we are still on FRS.

My question is do I need to migrate to DFSR (this is recommended over FRS) now, or is this done when the new Domain Controller is promoted? Or if I should migrate AFTER I promote my domain to 2016?

I have a GPO I created that adds a registry value (USER CONFIGURATION -> PREFERENCES -> WINDOW SETTINGS -> REGISTRY). I want it to target a specific group of users that are in a security group I created. The security group I created is called Remote Access VPN Users. I've added myself to said Security Group (did this over a week ago), confirmed replication. Under the SCOPE tab, under Security Filtering, I removed Authenticated Users and added the Remote Access VPN Users security group. Saved and forced gpupdate but it never creates the registry entry.

I tested using Group Policy Results and it keeps telling me that the GPO was Denied because it's inaccessible. Why is it not applying to my Security Group? When I removed the Security Group and add Authenticated Users back to the GPO Scope filtering it works as expected. However, I don't want this to apply to Authenticated Users

Do I need to use a Distribution Group instead of a Security group? The policy is linked to my domain.

Exchange 2007 environment. A user on our domain tries sending an email to an external recipient and receives the following:

host mail.recipient.com[xxx.xx.xxx.xx] said: 554 5.7.1 This message has been blocked because the HELO/EHLO domain is invalid. (in reply to MAIL FROM command)> #SMTP#

This is coming from the recipient's server and I assume they are blocking us because the EHLO doesn't match the SMTP address of the user.

Basically here's our setup: We have our legacy domain name that's only used internally (name of our domain), let's call it LegacyDomain.com We have newer domain that we use as default outgoing SMTP addresses (NewDomain.com). Note that NewDomain.com is not an actual domain in our system, we just have MX records for the domain pointing to our mail server. So even though our internal domain is LegacyDomain.com when we send and receive emails we use NewDomain.com. If I'm guessing right, this message bounced back from the recipient because the Legacy and New domain don't match?

I have two Receive Connectors (not sure why) in my EMC under Server Config -> Hub Transport:

• Client EXCHANGEHOSTNAME
• Default EXCHANGEHOSTNAME

Both are enabled. Under Client EXCHANGEHOSTNAME my setting is blank for 'Specify the FQDN this connector will provide in responseto HELO or EHLO'.

Under Default EXCHANGEHOSTNAME my setting for the same field is the internal FQDN of my exchange server (hostname). Is this the problem?

Would I just be able to create a PTR record somewhere in these domains? I'm really confused why this is happening, and it only happens to this one recipient. We can receive emails from them just fine.

If it helps there's the debug info from the message header thats bounced back:

X-ASG-Debug-ID: 1383598536-03fb9372a0451d30001-Qq21RH
Received: from mail.LegacyDomain.com ([192.168.200.16]) by
 barracuda.LegacyDomain.com with ESMTP id JEGiO7Vbax65pvhn; Mon, 04 Nov
 2013 14:55:36 -0600 (CST)
X-Barracuda-Envelope-From: [email protected]
Received: from ExchangeServerHostName.LegacyDomain.com
 ([fe80::dc2f:93c1:195a:40d]) by ExchangeServerHostName.LegacyDomain.com
 ([fe80::dc2f:93c1:195a:40d%11]) with mapi; Mon, 4 Nov 2013 14:55:36 -0600

A couple of years ago I configured my primary domain controller with WDS (not MDT) and would capture and push images from and to clients. Well now I have to do it again (less than 20 workstations) and decided to use MDT 2012 instead since I heard it was better.

So far:

• I've installed the WDS role (this is my secondary domain controller, I removed WDS from the primary domain controller).

• Installed MDT 2012, created a deployment share. On this Deployment share I've added Applications, Operating System, Out-of-Box Drivers, and added a Task Sequence using this tutorial HERE

• Updated Deployment Share

I know I'm missing something. WDS is installed but I haven't done anything to the settings ( I thought the point was to use MDT ). I don't plan on capturing any images, just pushing this image out and using the task sequence to update, etc...

When I try to boot PXE from a workstation, DHCP seems to give it an IP, but I get two errors:

PXE-E55: ProxyDHCP service did not reply to request on port 4011
PXE-M0F: Exiting Broadcom PXE ROM

Are remnants of my first WDS server (the primary domain controller) preventing PXE boot?

We have a separate archiving appliance that archives messages as they come in using a journal account. Before this I would have to manually archive each mailbox to a PST file and then store the file on our storage server. Luckily I don't have to do that anymore.

My question is, using Powershell, is it possible to go in to each (or all at once) mailbox and remove email messages before a certain date? This would prevent me from still having to archive each mailbox to a PST file, even though I could delete the PST file later. I don't want to touch calendar items, only mail items (folders and subfolders).

About 6-7 months ago I did a Windows 7 deployment using Windows Deployment Services. I successfully deployed the clients but I honestly still don't understand how WDS works. It seems like a really convoluted process (boot images, capture images, answer files for OOBE and Unattended, etc.). For example I want to add another image for just my laptops and I don't even think I can use the same capture boot image.

So now I need to deploy Windows 7 to 10 laptops along with our company software and settings. I went back to my WDS server and realized I had lost what understanding I had on the WDS server. I can still push the image I created 6-7 months ago but that's about it.

So should I attempt to do this with MDT instead? I have it installed but never used it. Or should I stick with WDS and find a much better step-by-step for it? I'm overwhelmed at the thought of it at the moment.

Ideally, I'd like to build my image the way I want it, sysprep, then capture and deploy. Also it would be nice if it was easy to deploy the same image in the future, update it, and capture again. This seems so difficult in WDS to me (probably because I don't understand the way it works).

We have our own internal DNS server inside our network on our domain. I just changed the nameservers of a bunch of our domain names through our registrar. Now on my home PC (off the network) the changes were almost immediate. How ever inside our network the changes are not immediate. In fact I went into my DNS Manager and I have a few of these domains setup as zones (not all of them) and I notice the records still have the old IP address of the old namespace, and the timestamp is STATIC. Will I have to manually edit these or can they somehow be automatically updated like everything else once the DNS has propgated on the internet.

I'd like to connect my home network with my office network. At my office (host) I have a Cisco ASA 5510 ready to go. At my home network I'd like only work traffic to flow through the tunnel (meaning my home network relies on its own gateway and internet). What device would be best for my home network to connect it? I use to use Cisco 877 between remote offices but I remembered running into issues where domain workstations on the remote network could never hostnames of the servers on my host network (like my file or mail server).

I also have an IP Phone on the home network I'd like to be able to hit our phone systems IP address, but if it is on a different subnet would it?

Trying to wrap my head around this. Thank you!

I just setup a new FreeNAS .7.2 box with two 1TB drives mirrored. Configuration seems solid and I can even browse the SMB shares I created from any computer on the network. However when I try to add a folder or drop a file to be uploaded I get the message that I don't have proper permissions.

I don't want to authenticate users, I want it to be open. I have anonymous authentication setup in the config for the SMB service and the hosts allow and hosts deny field is blank. I even added the ip address of the computer I was trying to upload from to the HOSTS ALLOWED field and I still get the permissions error (I even confirmed the changes). I've changed this to be local user authentication and want to use a global user.

Is there something I'm missing? I can browse the shares fine, but I can't upload or create folders.

BIG EDIT:
I'm not sure if I should make a new post for this or not, but here goes:
I decided to give up on anonymous access. Everything I tried and you guys suggested just didn't work. Also I'm not fond of manually editing the smb.conf because if I do, and then change permissions or users in the webgui, it resets all my manually changed settings.

I went in and set authentication to Local User and created a user for all connecting clients. I put them in the wheel group which has full read, write and execute permissions for the mount point (see screenshot http://imgur.com/m4N5b). This works on existing shares in the mount. I can view, add folders, add files, etc to all existing shares. Now if I add a new share, I can browse it, but I cant add files or folders. The shares are exactly the same and should have the same permissions. It doesn't make sense to me. Here's the config, the [Backup] share works and I can read, edit, execute. The [Storage] share I can only read.

[global]
#max protocol = smb2
encrypt passwords = yes
netbios name = freenas
workgroup = WORKGROUP
server string = FreeNAS Server
security = user
dns proxy = no
# Settings to enhance performance:
use sendfile = yes
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
socket options = TCP_NODELAY SO_SNDBUF=64240 SO_RCVBUF=64240 
# End of performance section
unix charset = UTF-8
store dos attributes = yes
local master = yes
time server = yes
guest account = ftp
display charset = LOCALE
max log size = 10
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 1
dos charset = CP437
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
passdb backend = tdbsam

[Backups]
comment = Any Backup Files
path = /mnt/mnt1/Backup/
writeable = yes
printable = no
veto files = /.snap/
hide dot files = yes
guest ok = no
inherit permissions = yes

[Storage]
comment = Storage for Files
path = /mnt/mnt1/Storage/
writeable = yes
printable = no
veto files = /.snap/
hide dot files = yes
guest ok = no
inherit permissions = yes

If I create any new shares then I only have read access. Like I said it doesn't make sense to me. Any light shed on the subject will be appreciated.

Thanks for all your help by the way. Sorry for shifting gears so quick on this question.

I have a Printer Server running server 2008. I'm trying to setup some Samsung ML printers on it (ML-3050, 2150 and 2570 printers). The print server is server 2008 and all my clients are Windows 7 x86. I just never know which drivers to get for the server. On the site they have Universal, PCL5 and PCL6, PostScript, and SPL drivers. From what I've read PS is the best right?

I just have problems getting them installed on the server and having clients connect. Which driver type is the best?

I'm pushing out a new Win7 image to several machines using WDS, unattend.xml, and oobeunattend.xml.

Naturally you have to create the local user in the OOBE experience but it isn't something I want to keep there.

I added this to my OOBE.xml but it isn't working, its even after my domain joining component:

<settings pass="auditUser">
- <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 - <RunSynchronous>
   - <RunSynchronousCommand wcm:action="add">
      - <Credentials>
           <Domain>DOMAIN</Domain> 
           <Password>PASSWORD</Password> 
           <Username>administrator</Username> 
        </Credentials>
        <Order>1</Order> 
        <Description>Removes original test user</Description> 
        <Path>net user temp /del</Path> 
      </RunSynchronousCommand>
    </RunSynchronous>
  </component>
</settings>

Possible Duplicate:
Can you help me with my software licensing question?

I have an old Server 2003 domain controller I'm ready to decommission. I notice in Server 2003 there is a Licensing module under Administrative Tools that seems to manage and track user CAL's for the domain controller. I don't see this on my newly promoted Server 2008 domain controller, nor do I see any roles to add it. Does this need to be transferred to my new Server 2008 domain controller or will it all happen when the old server is decommissioned?

I've already transferred all my Terminal Server licenses to the new server.

Thank you!

I need to force a DHCP renewal on all my clients (to make them point to my new DNS server).

Some of them have about 4 days left in their leases. Can I just delete the leases from the server? Will this force them to check in to DHCP again and grab another lease or is this a bad idea?

Thanks

Usually I create a new user, then set the home folder, logon script, etc...

Is it possible in Active Directory when I create a new AD user object, that it goes out to my share drive and automatically creates a folder for them (naming it their username), and then assigns that folder as their home drive?

It would also be helpful if it would automatically assign them a specific logon script at user creation too. Thank you!

I can go down to my local graybar right now and purchase some AllenTel 48 Port Cat 6 Patch panels I need (part number AT66-PNL-48). They are $275 each. That seems a bit high considering I've seen other brands for far cheaper -- $165 for this brand.

Is there a considerable difference between the two? All I'm doing is running cable from my network rack to my server rack (which are about 10 ft away from each other in the same room) under an elevated floor using cat6.

Is this something i can 'cheap out' on and save a bit of money and still have the same performance? Thanks!

Currently on our domain, when a new user is created, they are automatically added to the Domain User group which is fine.

Also, when a new computer is added to the domain, the Domain Admin group is automatically added to the local Administrators group.

Where do I configure these settings? For example, when a new computer is added to the domain, I want to automatically add the Domain User group to the local computer's Network Configuration Operators group so that domain users can edit their IP address if they need to (when travelling on hotel networks).

Thanks