SamErde's questions

I'm building some new Exchange 2019 servers in my environment and do not want clients to immediately use their AutoDiscover service connection points (SCP) that get created in Active Directory during installation. We should be able to update the default InternalUrl/ExternalUrl values and test before these become active. What is the best way to hide, block, or disable the default SCP until I am ready to use them?

Our options appear to be:

• Update the URL values as quickly as possible after the installation completes.

Or run a looping script that looks for the creation of the SCP during installation, and performs an action immediately, such as:

• Remove "Domain Users" read permissions when it is found (or add a 'deny', but 'deny' ACEs...).
• Set the AutoDiscoverSiteScope attribute to a non-existent AD site as quickly as possible after the installation completes so the new one is not considered authoritative for an AD site.
• Set the IsOutOfService attribute to $true.

Or something else to make them start out in a 'disabled' or 'out of service' state?

I'm trying to solve a conundrum for my DBAs and developers. We have an application that is running under a gMSA (group managed service account) identity. This application needs to access a SQL database, and we prefer to grant access by using groups whenever possible. However, when adding the gMSA to a security group that has access to the DB, SQL Server is unable to resolve the account as a member of the group. Here's the kicker: when the gMSA is added directly to the DB permissions, it works flawlessly. Are there any restrictions around nesting gMSAs in security groups that I am not aware of?

I am building a report of certain mailbox attributes from Exchange Server 2010 using PowerShell. The following code worked perfectly from my management workstation using a remote session.

$Mailboxes = Get-mailbox -ResultSize Unlimited 
foreach ($Mailbox in $Mailboxes)
{
$Mailbox | Add-Member -MemberType "NoteProperty" -Name "MailboxSizeMB" -Value (Get-MailboxStatistics $Mailbox).TotalItemSize
}

However, when I added the .Value.ToMb() method to the TotalItemSize attribute, the script failed with the following error:

$Mailboxes = Get-mailbox -ResultSize Unlimited 
foreach ($Mailbox in $Mailboxes)
{
$Mailbox | Add-Member -MemberType "NoteProperty" -Name "MailboxSizeMB" -Value ((Get-MailboxStatistics $Mailbox).TotalItemSize.Value.ToMb())
}

You cannot call a method on a null-valued expression. At line:6 char:6 + $Mailbox | Add-Member -MemberType "NoteProperty" -Name "MailboxSizeMB" -Val ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull

Cannot process argument transformation on parameter 'Identity'. Cannot convert the "[Mailbox Name Redacted]" value of type "Deserialized.Microsoft.Exchange.Data.Directory.Management.Mailbox" to type "Microsoft.Exchange.Configuration.Tasks.GeneralMailboxOrMailUserIdParameter". + CategoryInfo : InvalidData: (:) [Get-MailboxStatistics], ParameterBindin...mationException + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-MailboxStatistics

And yet...the second block of code (converting the TotalItemSize value to MB) works perfectly when I run it locally on the Exchange server. Can anyone explain why this only fails remotely?

I recently downloaded and ran ExMon while trying to troubleshoot Outlook connectivity problems due to high CPU usage on Exchange Server 2010 SP2 UR8.

The tool provides a great set of data, but I have not yet figured out how to make great use of it.

My first question is why the Exchange Server itself shows up as a high-use MAPI client in the ExMon data.

• Among the users' client versions I see build numbers listed for Outlook 2013, 2010, and yes, even 2007 clients. I also see build number 14.2.387.0, which represents Exchange Server 2010 SP2 Update Rollup 8 (+/- some other patch that makes it not quite match the UR8 number).
• There are many user rows that list only "::1" and/or the short hostname of my Exchange server in the 'Client IP Addresses' column. Some other columns include the end-user's actual IP address and the Exchange server's IP address.
• ExMon shows that it is actually Exchange Server that is utilizing the highest percentage of CPU that is used for MAPI calls.

I had expected to see 1 IP address and version number for each user reported by ExMon. Instead, most records show multiple version #'s (Exchange ver and Outlook ver) and multiple IPs (Exchange IP and client IP).

Can anyone explain the reason for this to me, please?

My Google-fu is failing me today. I would like to blame the bad office coffee, the fact that it is a Monday, and the lack of information online...but maybe it is my fault. Either way, I hope that you can help:

Can the IPAM role on Windows Server 2012 R2 discover and manage WS2008R2 DHCP clusters, or can it only manage standalone DHCP servers?

If it can manage DHCP clusters, should I have the IPAM service discover the cluster service name, or the individual DHCP cluster nodes?

Any ideas why the group policy diagnostic utility GPOTool would report a GPO version mismatch between two domain controllers if the version numbers are a match?

Policy {GUID} 
Error: Version mismatch on dc1.domain.org, DS=65580, sysvol=65576
Friendly name: Default Domain Controllers Policy
Error: Version mismatch on dc2.domain.org, DS=65580, sysvol=65576
Details: 
------------------------------------------------------------
DC: dc1.domain.org
Friendly name: Default Domain Controllers Policy
Created: 7/7/2005 6:39:33 PM
Changed: 6/18/2012 12:33:04 PM
DS version:     1(user) 44(machine)
Sysvol version: 1(user) 40(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{GUID}]
Functionality version: 2
------------------------------------------------------------
DC: dc2.domain.org
Friendly name: Default Domain Controllers Policy
Created: 7/7/2005 6:39:33 PM
Changed: 6/18/2012 12:33:05 PM
DS version:     1(user) 44(machine)
Sysvol version: 1(user) 40(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{GUID}]
Functionality version: 2

I am building an Enterprise Wiki in SharePoint 2010 for an IT department with several teams. It looks like our scenario would benefit from using sub-sites for each team that is using the enterprise wiki. Common information would be in the parent wiki site, and each team's specific information would be in sub-sites.

The one problem that I am having is that there is a shared list with information in the parent wiki site, but the sub sites can no longer link to it.

When editing pages in the enterprise wiki's sub-sites, is there a way to create a link (using the [[ function) to a list item or page in the parent site?

In Windows Server 2008, Active Directory's automatically created connection objects for domain controllers have an attribute called options with a value of 0x1 = ( IS_GENERATED ). This value tells the KCC (Knowledge Consistency Checker) that the connection object was automatically generated and can be automatically modified or optimized by the KCC. If the connection object is modified by an admin, this attribute is then changed to 0x0 = ( ). Of course, if you can answer my question, you already know all of this...

I need to change the default schedule from "Once Per Hour" to "Four Times per Hour" but still want the KCC to otherwise manage the connections automatically.

Q: If one changes the schedule, and then switches the options attribute back to 1, will the KCC continue to automatically manage the connection?

I have inherited an Active Directory environment that is at the Windows Server 2003 forest and domain functional level.

The DNS domain name has no special characters--it looks like sampledomain.org. The NetBIOS domain name has an underscore in it and looks like sample_domain.

Some have told me that because of the underscore, this domain cannot be "upgraded" to Windows Server 2008 R2.

Documentation that I have seen on TechNet seems to simply state that a DNS domain name cannot have an underscore in it. I see nothing that states the NetBIOS domain name would prevent me from upgrading to 2008 R2 domain controllers and raising the forest/domain functional levels.

Which is correct?

I have a Windows Server 2003 member server that is running IIS 6 in our test environment. It is a VM and was reverted to a snapshot about 4 days old. After doing this, attempts to log into the domain fail with system event ID 3210:

This computer could not authenticate with %dcin.mydomain.com, a Windows DC for domain %MY_DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

All network and DNS issues have been ruled out.

After doing some research I have a hunch that the issue is the computer account password that by default changes every 30 days is out of sync. Issuing the "reset account" command from ADUC did not help the issue.

Attempts to reset the account also failed when using:

NetDom reset svrname /d:mydomain.com /uo:[email protected] /po:*

with a result of the Logon Failure: The target account name is incorrect.

If this were any other server that wasn't running IIS.... I would just remove it from the domain and rejoin it and move on with my life. But I don't know what effects doing that would have on IIS.

After I get through this I'm going got set HKLM/system/currentcontrolset/services/netlogon/paramerters/DisablePasswordChange to "1" But until then I'm not sure if the "NetDom reset" command is even the correct thing to do short of readding the server to the domain.

Thoughts?

I am trying to uninstall a DLL from the C:\Windows\Assembly "folder" on Windows Server 2008, but am getting a "permission denied" error. How do I go about removing a DLL without uninstalling the entire application?

An application vendor has sent me new DLL's, with no instructions on how to remove the old version or add these new ones. Google hasn't been as helpful as usual, either...

How can I find the GUID of an MSI package? I would like to script the removal of a program on a large number of desktops by using:

msiexec.exe /x ProductCode

Any reason why this would not work for any applications listed in "Add/Remove Programs?"