Author Archives: Geneva Sibanda

About Geneva Sibanda

I assist companies in the areas of network infrastructure design and implementation (Windows Active Directory, security, networking, etc.).

Verification of replica failed. The forest functional level is Windows 2000.

Symptom – The client was unable to promote the Windows Server 2012 server named “pta_t30” as an additional domain controller in their Windows 2003 domain t6.local.

Cause – The promotion failed with the error: “Verification of replica failed. The forest functional level is Windows 2000. To install a Windows Server 2012 domain or domain controller, the forest functional level must be Windows Server 2003 or higher.”

Resolution – We performed the following steps to resolve the issue:

– Ensured that the domain was healthy.

– Corrected the time settings in the registry on the secondary domain controller.

– The Windows Server 2012 server named “pta_t30” was obtaining its IP address from DHCP, so we assigned it a static IP address.

– Corrected the NIC binding order and provider order on “pta_t30”.

– Ensured that the domain and the DCs could be pinged from the 2012 server named “pta_t30”.

– Raised the forest functional level to Windows Server 2003 and forced Active Directory replication.

– Confirmed that the 2012 server could then be promoted to a domain controller.
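The checks in the resolution above can be scripted before the promotion is attempted. The following PowerShell is an added example and not part of the original post; it assumes it is run on the candidate server (“pta_t30”) as a domain admin, that the server is already domain-joined, and that the RSAT AD DS tools (dcdiag, repadmin) are installed. The domain name is the one from the post. The forest level is read over plain LDAP/ADSI rather than with Get-ADForest, because Windows 2003 DCs do not run the AD Web Services that the ActiveDirectory module needs.

```powershell
# Added example, not part of the original post: pre-flight checks before
# promoting a Windows Server 2012 member server into an existing forest.
# Assumptions: run on the candidate server as a domain admin; RSAT-AD-Tools
# (dcdiag, repadmin) installed; "t6.local" is the domain from the post.
$domain = "t6.local"

# 1. Forest functional level from the Partitions container (works against
#    Windows 2003 DCs). msDS-Behavior-Version: 0 = Windows 2000,
#    2 = Windows Server 2003, 3 = 2008, 4 = 2008 R2, 5 = 2012.
$rootDse   = [ADSI]"LDAP://$domain/RootDSE"
$cfgNc     = $rootDse.configurationNamingContext[0]
$partition = [ADSI]"LDAP://$domain/CN=Partitions,$cfgNc"
$raw       = $partition.'msDS-Behavior-Version'
$level     = if ($raw.Count -gt 0) { [int]$raw[0] } else { 0 }   # absent = Windows 2000
"Forest functional level: $level"
if ($level -lt 2) {
    Write-Warning "Forest level is below Windows Server 2003; promoting a 2012 server will fail with 'Verification of replica failed'. Raise the level first."
}

# 2. Static addressing: any IPv4 address handed out by DHCP is a finding.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' } |
    ForEach-Object { Write-Warning "$($_.InterfaceAlias) has a DHCP address ($($_.IPAddress)); assign a static one." }

# 3. DNS and reachability: resolve the DC SRV records, then ping each DC.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } |
       ForEach-Object { $_.NameTarget }
foreach ($dc in $dcs) {
    $ok = Test-Connection -ComputerName $dc -Count 1 -Quiet
    "{0,-30} reachable={1}" -f $dc, $ok
}

# 4. Time: the candidate and the DCs must agree, or Kerberos authentication fails.
w32tm /monitor /domain:$domain

# 5. Replication health before the functional level is raised.
repadmin /replsummary
dcdiag /test:replications /s:$($dcs[0])

# After raising the level (Active Directory Domains and Trusts, as in the
# resolution above), force replication and re-run step 1 before promoting:
# repadmin /syncall /AdeP
```

Each step maps to one bullet of the resolution; a warning from step 1 or 2 means the promotion should not be attempted yet.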

Reference Articles:

• How to Promote Windows Server 2012 as a Domain Controller: http://social.technet.microsoft.com/wiki/contents/articles/14505.how-to-promote-windows-server-2012-as-a-domain-controller.aspx

• Understanding Domain and Forest Functional Levels: http://technet.microsoft.com/en-us/library/cc771294.aspx

• Understanding Active Directory Domain Services (AD DS) Functional Levels: http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

• Configure an authoritative time server: http://support.microsoft.com/kb/816042

If you have any request regarding Magwinya Wired support, we would be glad to hear from you. If you would feel more comfortable speaking with someone else regarding our service, Themba Twala or Deon van der Walt would be very happy to hear your comments and suggestions.

How to view and transfer FSMO roles in Windows Server

Transfer the Schema Master Role

Use the Active Directory Schema snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

  1. Click Start, and then click Run.
  2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
  3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. Click Add.
  4. Click Active Directory Schema, click Add, click Close, and then click OK.
  5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
  6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
  7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  8. Click Change.
  9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

  1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
      -or-
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
  5. Click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
      -or-
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
  5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.
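The same view-and-transfer operation can be done from PowerShell with the ActiveDirectory module. The block below is an added example and not part of the original article; it assumes the module is available (RSAT on Windows Server 2008 R2 or later, with AD Web Services reachable on a DC), that you are a Domain Admin, and additionally a Schema Admin and Enterprise Admin for the schema and domain naming roles. The target DC name in the usage line is a placeholder.

```powershell
# Added example, not part of the original article: view the five FSMO role
# holders and transfer roles with the ActiveDirectory module.
# Assumptions: RSAT ActiveDirectory module present; sufficient group
# membership for the roles being moved; target DC name is a placeholder.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Returns a hashtable of role name -> current holder (FQDN).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory=$true)] [string]   $TargetDC,
        [Parameter(Mandatory=$true)] [string[]] $Roles    # e.g. 'PDCEmulator','RIDMaster'
    )
    # A transfer (unlike a seize) needs the current holder online, so confirm
    # the target and every current holder answer before moving anything.
    $before   = Get-FsmoRoleHolders
    $mustBeUp = @($TargetDC) + ($Roles | ForEach-Object { $before[$_] }) | Select-Object -Unique
    foreach ($dc in $mustBeUp) {
        if (-not (Test-Connection -ComputerName $dc -Count 1 -Quiet)) {
            throw "$dc is not reachable; refusing to transfer. A seize is only appropriate when the holder is permanently gone."
        }
    }
    # Deliberately no -Force: -Force seizes the role instead of transferring it.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles -Confirm:$false

    # Re-read the holders so the change is verified rather than assumed.
    $after = Get-FsmoRoleHolders
    foreach ($r in $Roles) {
        "{0,-22} {1} -> {2}" -f $r, $before[$r], $after[$r]
    }
}

# Usage: list the current holders, then (uncomment) move the three domain roles.
Get-FsmoRoleHolders
# Move-FsmoRoles -TargetDC 'NEWDC01.example.local' -Roles 'RIDMaster','PDCEmulator','InfrastructureMaster'
```

The reachability check before the move is the scripted equivalent of the Connect to Domain Controller step: a transfer must be agreed between the old and new holders, and the function refuses to fall back to a seize when a holder is merely offline.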

Only one PPTP session is allowed only by TMG

Problem:
========

Only one PPTP session was allowed through TMG: if a second user tried to initiate an outbound VPN connection, it failed.

Cause and Analysis:
========

– From the network capture taken on TMG, the client call ID was being changed by the external router device, and the connection was therefore dropped.
– Research found that the issue might be related to the following article: http://blogs.technet.com/b/isablog/archive/2009/01/07/a-pptp-client-might-fail-to-connect-to-a-vpn-server-on-the-internet-through-an-isa-server-2006.aspx
– As a test, we changed the external gateway device to a Cisco 857w, and everything then worked fine.

Solution:
========

To solve the issue, contact the router vendor to check whether a firmware update exists that fixes the issue, or replace the router with another model such as the Cisco 857w.

=========

Client Response:
=========

Please close this case because prior to deploying the Cisco 857W router, only one user is allowed to VPN to Southern Africa VPN server. After the Cisco 857w was deployed, TMG was able to service two simultaneous VPN sessions from the LAN to External.

Thanks again Magwinya Wired Support!

South African SMTP Servers

Here is a list of the most common outgoing (SMTP) servers:

For Telkom ADSL, the outgoing server is smtp.dsl.telkomsa.net or smtp.saix.net
For Telkom Analogue Dial Up, use smtp.saix.net or smtp.dsl.telkomsa.net
For 8TA (Eita), the outgoing server is smtp.saix.net
For MWEB ADSL, the outgoing server is smtp.mweb.co.za or smtp.mweb.net

For Vodacom 3G, the outgoing server is smtp.vodacom.co.za
For MTN 3G, the outgoing server is mail.mtn.co.za
For Cell C, the outgoing server is mail.cmobile.co.za

For iBurst, the outgoing server is smtp.iburst.co.za
For I.S. ADSL, the outgoing server is smtp.isdsl.net
For I.S. 3G, the outgoing server is smtp.isgsm.net or smtp.dial-up.net
For goggaconnect, the outgoing server is smtp.vodacom.co.za

For Neotel, the outgoing server is smtp.neomail.co.za
For ABSA, the outgoing server is smtp.absamail.co.za or mail.absa.co.za
For @lantic (ADSL, Dialup, ISDN): smtp.lantic.net

For NetActive (ADSL, Dialup, ISDN): smtp.netactive.co.za
For Polka (ADSL, Dialup, ISDN): smtp.polka.co.za
For Web Africa (ADSL, Dialup, ISDN): smtp.wa.co.za

For Cybersmart: smtpauth2.cybersmart.co.za or smtp.cybersmart.co.za

Installing the Windows Server 2008 R2 Hyper-V server role

Hyper-V requirements

To install and use the Hyper-V role, you must have the following:

  1. An x64 processor. Hyper-V is available in x64-based versions of Windows Server 2008—specifically, the x64-based versions of Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008 Datacenter.
  2. Hardware-assisted virtualization. This feature is available in processors that include a virtualization option, specifically, Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V).
  3. Hardware Data Execution Prevention (DEP). Hardware DEP must be available and enabled. Specifically, you must enable the Intel XD bit (execute disable bit) or the AMD NX bit (no execute bit).

To install the Windows Server 2008 R2 Hyper-V server role, complete the following steps:

1. Click Add Roles. If this is the first role being added to the server, you may see a page describing the process for adding roles. Click Next.

2. Check the box for Hyper-V and click Next. Review the Windows Server 2008 R2 Hyper-V overview and then click Next.

3. Choose the NICs to configure as virtual networks for use by guest OSs. Click Next.

4. Review the installation summary. Make a note of which NICs require configuration as virtual networks.

5. When prompted, choose to reboot the server to complete the installation. After the server reboots, log in as Administrator to finish the installation process.

After adding the Windows Server 2008 R2 Hyper-V role, you can create and configure virtual machines.
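The requirement checks and the role installation can also be done from PowerShell. The block below is an added example and not part of the original post; it assumes Windows Server 2008 R2 and an elevated PowerShell session. WMI on 2008 R2 exposes the processor width and hardware DEP availability but not whether Intel VT / AMD-V is enabled, so that one requirement is left to a firmware check, and the virtual network choice from step 3 is still made afterwards in Hyper-V Manager.

```powershell
# Added example, not part of the original post: check the Hyper-V hardware
# requirements that WMI can report, then add the role with the ServerManager
# module instead of the Add Roles wizard.
# Assumptions: Windows Server 2008 R2, elevated PowerShell session.
Import-Module ServerManager

function Test-HyperVPrerequisites {
    # Returns a hashtable of requirement -> $true/$false.
    $cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
    $os  = Get-WmiObject Win32_OperatingSystem
    @{
        'x64 processor'                 = ($cpu.AddressWidth -eq 64)
        'x64 operating system'          = ($os.OSArchitecture -eq '64-bit')
        'Hardware DEP (NX/XD) available' = [bool]$os.DataExecutionPrevention_Available
    }
    # Intel VT / AMD-V is not reported by WMI on 2008 R2 (the
    # Win32_Processor.VirtualizationFirmwareEnabled property only exists on
    # Windows 8 / Server 2012 and later). Confirm it in the BIOS/UEFI setup;
    # the role installation fails with a clear error if it is disabled.
}

$result = Test-HyperVPrerequisites
$result.GetEnumerator() | ForEach-Object { "{0,-35} {1}" -f $_.Key, $_.Value }

if ($result.Values -notcontains $false) {
    # -Restart performs the reboot that step 5 of the wizard prompts for.
    # Virtual networks (step 3) are configured in Hyper-V Manager after the reboot.
    Add-WindowsFeature Hyper-V -Restart
} else {
    Write-Warning "A hardware requirement is not met; Hyper-V was not installed."
}
```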

How To set up the BlackBerry’s email client with Google Apps email

Depending on your requirements and what you want to spend, there are two options available:

1) BIS (Blackberry Internet Service) – Local application built into the Blackberry (No costs involved)
2) BES (Blackberry Enterprise Service) – Special software for Blackberry (Costs involved)

Note: While setup instructions are provided below, Google Apps IMAP access is not officially supported for BlackBerry devices at this time.

First you need to ensure IMAP is enabled on your Google Apps account by performing the following steps:

To enable IMAP in Google Apps
1. Sign in to Gmail.
2. Click Settings at the top of any Gmail page.
3. Click Forwarding and POP/IMAP.
4. Select Enable IMAP.
5. Click Save Changes.

To set up the BlackBerry’s email client with Google Apps email (IMAP), just follow these steps:

1. On your BlackBerry device, navigate to your home screen
2. Select the icon that lets you set up email (this can be called Setup, Setup Wizard, Email Setup, BlackBerry Set-up, E-mail settings, or Personal Email Set-up)
3. Follow the setup instructions provided on your device to create a new e-mail account
4. Be sure to enter the following:
   • Mail Server: imap.gmail.com
   • Username: [your full Google Apps email address]
   • Password: [your Google Apps password]
   • IMAP Port: 993
5. Allow the system to add your account, but do not enter your Google Apps password into the utility boxes (this causes the system to default to POP3 instead of IMAP)
6. Select Next
7. Select Next again (bypassing the ‘Additional Information Required’ section)
8. Select your account type, then select Next

You may encounter a ‘We were unable to configure…’ error. Select I will provide the settings to continue

9. Select the option that mentions ‘IMAP/POP’
10. Select I will provide the settings…, then select Next
11. Select Set up existing email account…
12. Enter your Google Apps account information here, with ‘imap.gmail.com’ as your mail server
13. Select Next
14. Select Save

If setup is successful, you should receive a confirmation message and a new mailbox icon should appear on your device’s home screen, labelled with your Google Apps email address.

If you encounter a problem during setup, please make sure you have enabled IMAP in your main Google Apps Mail settings.

Let us know if this helps and if we can assist you further.

Google Public DNS IP addresses

The Google Public DNS IP addresses are as follows:

8.8.8.8
8.8.4.4

You can use either address as your primary or secondary DNS server. You can specify both addresses, but do not specify the same address as both primary and secondary.

sesecurityprivilege access is denied

http://support.microsoft.com/kb/314294

Z:\MSExchange2003Enterprise\SUPPORT\EXDEPLOY>POLICYTEST.EXE

This tool will check every domain controller in the local domain to see if the “Manage auditing and security logs” privilege granted to the “Exchange Enterprise Servers” group by DomainPrep has replicated to that DC.  If the policy change has not yet replicated to all DCs, then you should avoid making policy changes on any DC that has not received those changes yet.

You must have Domain Admin rights to run this tool successfully.  If you see an error that says:   !! LsaEnumerateAccountRights returned error 5 !! then you don’t have permission to open the LSA on the given DC.
===============================================
Local domain is “magwinya.lan” (magwinya)
Account is “magwinya\Exchange Enterprise Servers”
========================
  DC      = “ESG_CEN14”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_CEN16”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_CEN18”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_DC01”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_DC02”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!

To resolve this, I followed the steps below:

  1. Start the Active Directory Users and Computers snap-in.
  2. Right-click the Domain Controllers container, and then click Properties.
  3. Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
  4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment. In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group. In the Add user or group dialog box, click OK. Then, click OK.
  5. Quit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.

NB: Once the policy change had replicated, a second run of PolicyTest reported the right on every DC:

Z:\MSExchange2003Enterprise\SUPPORT\EXDEPLOY>POLICYTEST.EXE

This tool will check every domain controller in the local domain to see if the “Manage auditing and security logs” privilege granted to the “Exchange Enterprise Servers” group by DomainPrep has replicated to that DC.  If the policy change has not yet replicated to all DCs, then you should avoid making policy changes on any DC that has not received those changes yet.

You must have Domain Admin rights to run this tool successfully.  If you see an error that says:   !! LsaEnumerateAccountRights returned error 5 !! then you don’t have permission to open the LSA on the given DC.
===============================================
Local domain is “magwinya.lan” (magwinya)
Account is “magwinya\Exchange Enterprise Servers”
========================
  DC      = “ESG_CEN14”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_CEN16”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_CEN18”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_DC01”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_DC02”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
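The replication check that PolicyTest performs can be approximated in plain PowerShell, which is useful when the Exchange deployment tools are not at hand. The block below is an added example and not part of the original post. Instead of querying LSA on each DC it reads the Default Domain Controllers Policy security template from each DC's own SYSVOL replica and looks for the group under SeSecurityPrivilege, so a “found” result means the GPO change has replicated to that DC; the right itself only takes effect after that DC's next policy refresh. It assumes the domain and group names from the post, a domain account with read access to SYSVOL, and uses the well-known GUID of the Default Domain Controllers Policy.

```powershell
# Added example, not part of the original post: check on every DC whether
# the Default Domain Controllers Policy, as replicated to that DC's SYSVOL,
# grants SeSecurityPrivilege ("Manage auditing and security log") to the
# Exchange Enterprise Servers group.
# Assumptions: domain/group names from the post; read access to SYSVOL;
# $gpoGuid is the well-known GUID of the Default Domain Controllers Policy.
$domainDns = "magwinya.lan"
$groupName = "magwinya\Exchange Enterprise Servers"
$gpoGuid   = "{6AC1786C-016F-11D2-945F-00C04fB984F9}"

function Get-DomainControllerNames {
    # Enumerate DCs over LDAP: computer objects with SERVER_TRUST_ACCOUNT (0x2000) set.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDns"
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    [void]$searcher.PropertiesToLoad.Add("dNSHostName")
    $searcher.FindAll() | ForEach-Object { $_.Properties["dnshostname"][0] }
}

function Get-PrivilegeGrantees {
    param([string]$Dc, [string]$Privilege)
    # Parse the [Privilege Rights] line for the privilege in the GPO's security template.
    $path = "\\$Dc\SYSVOL\$domainDns\Policies\$gpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $line = Get-Content -Path $path -ErrorAction Stop | Where-Object { $_ -match "^\s*$Privilege\s*=" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are stored as *SID; translate to DOMAIN\Name where possible.
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

foreach ($dc in Get-DomainControllerNames) {
    try {
        $grantees = Get-PrivilegeGrantees -Dc $dc -Privilege 'SeSecurityPrivilege'
        $state = if ($grantees -contains $groupName) { 'Right found' } else { '!!! Right NOT found !!!' }
        "{0,-25} {1}" -f $dc, $state
    } catch {
        "{0,-25} could not read policy: {1}" -f $dc, $_.Exception.Message
    }
}
```

A DC that still reports “NOT found” after the others have changed is the one whose SYSVOL replication needs attention before any further policy edits are made on it, which is the same advice the PolicyTest banner gives.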

Enable PowerShell to Run locally

PS C:\Users\Sibanda\MyScripts> Set-ExecutionPolicy RemoteSigned

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is “Y”): Y
Set-ExecutionPolicy : Access to the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft
.PowerShell’ is denied.
At line:1 char:20
+ Set-ExecutionPolicy <<<<  RemoteSigned
    + CategoryInfo          : NotSpecified: (:) [Set-ExecutionPolicy], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetExecutionPolicyComma
   nd

PS C:\Users\Sibanda\MyScripts>

Solution to the above error message.

The LocalMachine execution policy lives under HKEY_LOCAL_MACHINE, so changing it needs an elevated session. Click Start, locate Windows PowerShell, right-click it, and select Run as Administrator.

Now Set-ExecutionPolicy RemoteSigned completes without errors:

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is “Y”): Y
PS C:\Windows\system32>

NB: With RemoteSigned, PowerShell scripts written locally run on your laptop, while scripts downloaded from the internet must be signed by a trusted publisher before they will run.
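The access-denied error above comes from the scope, not the policy value: Set-ExecutionPolicy defaults to the LocalMachine scope, which writes to HKLM. The block below is an added example and not part of the original post; it checks whether the session is elevated and picks the scope accordingly, using the CurrentUser scope (stored under HKCU, no elevation needed) when it is not. It assumes Windows PowerShell 2.0 or later, as on the page.

```powershell
# Added example, not part of the original post: set RemoteSigned in the
# scope the current session is allowed to write.
# Assumptions: Windows PowerShell 2.0 or later.

function Test-IsElevated {
    # $true when the process token carries the Administrators group as enabled.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Show every scope; the effective policy is the first non-Undefined entry
# from the top. If MachinePolicy or UserPolicy is set, Group Policy wins and
# Set-ExecutionPolicy cannot override it.
Get-ExecutionPolicy -List

if (Test-IsElevated) {
    # Machine-wide: what the post does after "Run as Administrator".
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
} else {
    # Non-admin alternative: affects only this user's profile (HKCU).
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

# RemoteSigned rather than Unrestricted: local scripts run, but files carrying
# the "downloaded from the internet" zone marker must be Authenticode-signed.
Get-ExecutionPolicy
```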

What’s in SBS 2011 Std?

  • Windows Server 2008 R2 Standard
  • Exchange Server 2010 Standard with SP1
  • Microsoft SharePoint Foundation 2010
  • Microsoft SQL Server 2008 R2 Express
  • WSUS 3.0 with SP2