Thursday, April 25, 2013

Active Directory users / computers migration checklist

I found the list below on a NASA website somewhere, but I have modified a lot of the contents and added more questions to help me in the migration. Once I finish the process I will update it with my experience and how I did it:




Active Directory Pre-Migration Checklist
 Domain Information Worksheet:
Prepared by: Ahmad Sabry El Gendi

  1. What is your domain type? (NT 4.0, Windows 2000, 2003, 2008?) __________
  2. How many domain controllers are in your main site and branch sites? ________
  3. What are the names of your domain controllers?
    Main site: _____________________
    Branch sites: _____________________
  4. Should user accounts, service accounts and computer accounts be migrated, or will they be recreated?
  5. Can you provide test machines (physical or virtual) of every critical operating system / service that you currently have in your domain for testing? __________________________
  6. Can you provide a virtualized lab environment to verify authentication for each application / service that you currently have in your branch domains? __________________________
  7. Does your backup system (which vendor?) cover the system state of all your branch site domain controllers and / or the applications? What is the restore time window?
  8. How much downtime is allowed for services outside working hours?
  9. Do you have a verification checklist to confirm all services are running after the migration?
  10. Do you mind installing ManageEngine ADAudit Plus on each branch site domain controller to collect as much information as possible about logged-on users and the source / destination servers and workstations they use?
  11. Do your domain controllers (main site & branches) run any enterprise applications? Do those applications authenticate against any of the Active Directory domains? _________
  12. What enterprise applications do you run in your domain? ___________________________
  13. Do any enterprise applications (or service accounts, configuration files, or services that log on with a domain account) authenticate through the branch domain controllers?
  14. Do you have any Microsoft cluster servers, NLB, Exchange DAGs or SQL Server in the branch site domain? _______
  15. Is there any non-Windows infrastructure integrating with or authenticating against any branch domain?
  16. Do you have any VPN, published services, or third-party supplier software authenticating against any of your branch Active Directory domains?
  17. Do you currently have a Microsoft Exchange installation dedicated to your branch site domain? _____________
  18. How are your branch site users' e-mail accounts configured in Exchange?
  19. Would you please give a short summary of how your mail system is configured across multiple sites?
  20. Does each branch site domain have its own Exchange, or do all users belong to the main site mail system?
  21. Do any users in the branch site domain have Outlook PST files or archives on their local PC?
  22. Is any user data (NOT settings) stored in local user profiles?
  23. Do you have any Group Policies in place in the branch site domain? _______ If so, please explain their function: ____________________________________________________
  24. How many login scripts do you have in the branch site domain? ______ If so, please explain their function: ____________________________________________________
  25. How many file or print servers do you have in the branch site domain? _______
  26. Is File and Printer Sharing for Microsoft Networks turned on, on all of your computers (workstations and servers) that will be migrated? ______________________
  27. Are there any file servers or mapped drives on workstations or member servers that authenticate against the branch site domain?
  28. Are there any cross-forest shares with cross-branch-site share permissions?
  29. Are any client workstations sharing production files with cross-forest permissions?
  30. Do you have any applications or licenses that rely on a user or computer account SID in the branch site domain? (SID history can carry the old SID across, but SID filtering on the trust must be relaxed for it to be honoured, which widens the attack surface; plan to clean up sIDHistory after cutover.)
  31. How many active users (user accounts) in each branch do you have in your domain that need to be migrated? __________
  32. Are any applications configured to use branch site domain groups for permissions?
  33. Are any branch site domain accounts added to local groups on member servers in any of the branches?
  34. Will users / computers that have been inactive or disabled be migrated?
  35. How many groups are in your domain? _______
                                   (Complete the table below)

  Group Name | Scope (Domain Local / Global / Universal) | Has cross-forest membership?
  -----------|-------------------------------------------|-----------------------------
             |                                           |
             |                                           |
             |                                           |
             |                                           |

  36. How many active computers are in your branch site domain? __________
  37. What operating systems are used within your branch site domain? Please list all:
    __________________________________________________________
  38. Do you have any firewalls in your environment that may prevent proper communication during the migration? _________________
  39. Will you be able to provide an additional (backup) domain controller while the migration is in progress? ______
  40. Are you currently running any Microsoft Certificate Authorities? _________
  41. Do you have any applications using LDAP and authenticating based on the OU structure?
  42. Do you have any backup software dedicated to the branch sites and authenticating via their domain controllers?
  43. Are there any service accounts used by proxy, antivirus, IIS or SharePoint that authenticate against branch site domain controllers?
General Comments or Concerns: ________________________________________________________________
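Several of the worksheet answers (domain controllers and FSMO holders, active / disabled / stale accounts, the group scope table with cross-forest membership, the operating system list, and accounts that already carry SID history) can be pulled straight out of the branch domain. The script below is an added example, not part of the worksheet. It assumes the RSAT ActiveDirectory module is installed where it runs (against Windows Server 2003 DCs at least one DC needs the Active Directory Management Gateway Service), and the domain name and 90-day threshold are placeholders to replace.

```powershell
# Added example: inventory a branch domain to answer the worksheet questions.
# Assumptions: RSAT ActiveDirectory module present; 'branch.example.com' and
# the 90-day staleness window are placeholders.
Import-Module ActiveDirectory

$Domain    = 'branch.example.com'   # assumption: branch domain to inventory
$StaleDays = 90                     # assumption: what counts as "inactive"
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# Q2/Q3: domain controllers, and which one holds the domain FSMO roles
$dcs = Get-ADDomainController -Filter * -Server $Domain |
       Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly
$dom  = Get-ADDomain -Server $Domain
$fsmo = New-Object PSObject -Property @{
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}

# Q31/Q34: user accounts split into disabled and stale. lastLogonTimestamp
# replicates but can lag a real logon by up to 14 days, so "stale" is a
# candidate list to confirm with the branch, not a final answer.
$users = Get-ADUser -Filter * -Server $Domain -Properties lastLogonTimestamp
$userSummary = New-Object PSObject -Property @{
    Total    = @($users).Count
    Disabled = @($users | Where-Object { -not $_.Enabled }).Count
    Stale    = @($users | Where-Object {
                   $_.Enabled -and $_.lastLogonTimestamp -and
                   [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $Cutoff }).Count
}

# Q35 table: scope per group plus cross-forest membership. Members from
# another forest appear as objects under CN=ForeignSecurityPrincipals.
$groupTable = Get-ADGroup -Filter * -Server $Domain -Properties member |
    ForEach-Object {
        $foreign = @($_.member | Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' })
        New-Object PSObject -Property @{
            GroupName   = $_.Name
            Scope       = $_.GroupScope          # DomainLocal / Global / Universal
            Members     = @($_.member).Count
            CrossForest = ($foreign.Count -gt 0)
        }
    }

# Q36/Q37: computers by operating system, and how many are stale
$computers = Get-ADComputer -Filter * -Server $Domain -Properties OperatingSystem, lastLogonTimestamp
$osTable = $computers | Group-Object OperatingSystem | Sort-Object Count -Descending |
           Select-Object @{n='OperatingSystem';e={$_.Name}}, Count
$staleComputers = @($computers | Where-Object {
    $_.lastLogonTimestamp -and [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $Cutoff }).Count

# Q30: anything that already has sIDHistory was migrated once before; those
# old SIDs are what applications and licenses may still be keyed on.
$sidHistory = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Server $Domain -Properties sIDHistory |
              Select-Object Name, ObjectClass, @{n='SidHistory';e={$_.sIDHistory -join ';'}}

$dcs | Format-Table -AutoSize
$fsmo | Format-List
$userSummary | Format-List
"Computers with no logon in $StaleDays days: $staleComputers"
$osTable | Format-Table -AutoSize
$groupTable | Sort-Object CrossForest -Descending | Format-Table GroupName, Scope, Members, CrossForest -AutoSize
$sidHistory | Format-Table -AutoSize
```

Run it once per branch domain with an account that can read the whole directory; groups with CrossForest set to True are the ones that need the cross-forest column filled in by hand, because the foreign SID alone does not tell you which forest or trust they came from.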


Wednesday, February 20, 2013

My Active Directory 2003 troubleshooting



Collect diagnostic information on DCs (netdiag and dcdiag come from the Windows Server 2003 Support Tools; /e runs the test against every DC in the enterprise, /v is verbose, /f writes the output to the named log file):

netdiag /v
dcdiag /v
repadmin /replsum
dcdiag /test:Connectivity /e /v /f:c:\DCDIAG\dnsConnectivity.log
dcdiag /test:Replications /e /v /f:c:\DCDIAG\dnsReplications.log
dcdiag /test:Topology /e /v /f:c:\DCDIAG\dnsTopology.log
dcdiag /test:CutoffServers /e /v /f:c:\DCDIAG\dnsCutoffServers.log
dcdiag /test:NCSecDesc /e /v /f:c:\DCDIAG\dnsNCSecDesc.log
dcdiag /test:NetLogons /e /v /f:c:\DCDIAG\dnsNetLogons.log
dcdiag /test:Advertising /e /v /f:c:\DCDIAG\dnsAdvertising.log
dcdiag /test:KnowsOfRoleHolders /e /v /f:c:\DCDIAG\dnsKnowsOfRoleHolders.log
dcdiag /test:Intersite /e /v /f:c:\DCDIAG\dnsIntersite.log
dcdiag /test:FsmoCheck /e /v /f:c:\DCDIAG\dnsFsmoCheck.log
dcdiag /test:RidManager /e /v /f:c:\DCDIAG\dnsRidManager.log
dcdiag /test:MachineAccount /e /v /f:c:\DCDIAG\dnsMachineAccount.log
dcdiag /test:Services /e /v /f:c:\DCDIAG\dnsServices.log
dcdiag /test:OutboundSecureChannels /e /v /f:c:\DCDIAG\dnsOutboundSecureChannels.log
dcdiag /test:ObjectsReplicated /e /v /f:c:\DCDIAG\dnsObjectsReplicated.log
dcdiag /test:frssysvol /e /v /f:c:\DCDIAG\dnsfrssysvol.log
dcdiag /test:frsevent /e /v /f:c:\DCDIAG\dnsfrsevent.log
dcdiag /test:kccevent /e /v /f:c:\DCDIAG\dnskccevent.log
dcdiag /test:systemlog /e /v /f:c:\DCDIAG\dnssystemlog.log
dcdiag /test:RegisterInDNS /DnsDomain:nrdc.net /e /v /f:c:\DCDIAG\dnsRegisterinDNS.log
dcdiag /test:CrossRefValidation /e /v /f:c:\DCDIAG\dnsCrossRefValidation.log
dcdiag /test:CheckDRefDom /e /v /f:c:\DCDIAG\dnsCheckDRefDom.log
dcdiag /test:VerifyReplicas /e /v /f:c:\DCDIAG\dnsVerifyReplicas.log
dcdiag /test:VerifyReferences /e /v /f:c:\DCDIAG\dnsVerifyReferences.log
dcdiag /test:VerifyEnterpriseReferences /e /v /f:c:\DCDIAG\dnsVerifyEnterpriseReferences.log
dcdiag /test:CheckSecurityError /e /v /f:c:\DCDIAG\dnsCheckSecurityError.log
dcdiag /test:DNS /e /v /f:c:\DCDIAG\dnsDNS.log


=======================================================

Force Domain Replication:
1- repadmin /syncall OR repadmin /syncall ABCdc /APed (/A all partitions, /P push from this DC, /e cross-site, /d show servers by DN)
2- then run dcdiag
3- In the DNS console, open the zone properties and make sure dynamic updates are allowed (Allow Dynamic Updates: Yes), otherwise the DC cannot register its SRV records.
4- Stop and then restart the Netlogon service on the domain controller so it re-registers its SRV records.

Check the services below, and start them if they are not running:
File Replication Service (NtFrs)
Windows Time (W32Time)
Net Logon (Netlogon)

=======================================================

Find the FSMO role holders (the PDC emulator is the domain's authoritative time source) and configure time on a Windows 2003 domain:
ntdsutil
roles
connections
connect to server ABCdc
q
select operation target
list roles for connected server
-----------------
OR
-----------------

netdom query /domain:ABC.bh.com fsmo
net time /querysntp

Only the PDC emulator should be pointed at an external or hardware NTP source and marked reliable; every other DC and member keeps the default domain hierarchy (/syncfromflags:DOMHIER):
w32tm /config /manualpeerlist:172.16.1.135 /syncfromflags:MANUAL /reliable:yes
w32tm /config /update
net stop w32time && net start w32time
w32tm /resync
net time /querysntp

-----------
Show replication:
repadmin.exe /showrepl shows the replication status for the domain controller the tool is run on.

repadmin.exe /showrepl servername shows the replication status for the domain controller with the given server name.

repadmin.exe /queue shows the replication queue for the domain controller the tool is run on.

repadmin.exe /queue servername shows the replication queue for the domain controller with the given server name.

repadmin.exe /replsummary shows a brief summary of the replication status across all DCs.
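The dcdiag and repadmin runs above produce a lot of text per DC. The script below is an added example (not from the original post) that runs the same tools from PowerShell and keeps only the failures: replication links with errors or with no recent success, and the dcdiag tests that failed. It assumes repadmin and dcdiag are on the PATH (Support Tools on 2003, built in from 2008) and that PowerShell 2.0 or later is installed on the DC; the one-day staleness threshold is an assumption.

```powershell
# Added example: reduce repadmin/dcdiag output to the failures.
# Assumptions: repadmin and dcdiag on PATH, PowerShell 2.0+, $staleDays is a placeholder.

# repadmin /showrepl * /csv emits one CSV row per inbound partner per naming
# context; ConvertFrom-Csv turns the header row into property names.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv

# Links that currently fail, with the last error and when it last worked
$broken = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Time', 'Last Failure Status', 'Last Success Time'

# Links with no successful sync for a while matter even when the failure
# count is zero (e.g. a partner that is offline); long enough and you are
# looking at lingering objects, not just lag.
$staleDays = 1   # assumption
$stale = $repl | Where-Object {
    $last = $_.'Last Success Time' -as [datetime]
    $last -and $last -lt (Get-Date).AddDays(-$staleDays)
}

# dcdiag /e /q prints only errors; a failed test is reported as a line like
#   "......................... DC01 failed test Replications"
# Pull out the DC and test name so you know which test to re-run with /v /f:<log>.
$failedTests = dcdiag /e /q | ForEach-Object {
    if ($_ -match '\.{3,}\s+(\S+)\s+failed test\s+(\S+)') {
        New-Object PSObject -Property @{ DC = $matches[1]; Test = $matches[2] }
    }
}

"Replication links with failures: {0}" -f @($broken).Count
$broken | Format-Table -AutoSize
"Links with no successful sync in {0} day(s): {1}" -f $staleDays, @($stale).Count
$stale | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time' -AutoSize
"dcdiag tests failed: {0}" -f @($failedTests).Count
$failedTests | Format-Table DC, Test -AutoSize
```

Run it on any DC before and after a forced sync (repadmin /syncall) so you can see whether the failure count actually dropped; an empty $broken and $failedTests is the state you want before starting a migration.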
------------

Reset the Group Policy cache on a client (forces every GPO to be reapplied on the next refresh; the path below is for XP / 2003, on Vista and later the history lives under %ProgramData%\Microsoft\Group Policy\History):


DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
gpupdate /force

Sunday, October 21, 2012

The mailbox database 'ABC_100MB' cannot be deleted


--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The mailbox database 'ABC_100MB' cannot be deleted.

Removing the database (Remove-MailboxDatabase ABC_100MB) fails with:

Error:
This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database <Database ID>.

To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Archive.

To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Arbitration.

To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID>.

To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -Archive. Arbitration mailboxes should be moved to another server; to do this, run the command New-MoveRequest <parameters>. If this is the last server in the organization, run the command Disable-Mailbox <Mailbox ID> -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox. Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan <MailboxPlan ID> -Database <Database ID>.

(Mailbox plans only exist in hosted deployments; in an on-premises organization the blockers are user, archive and arbitration mailboxes.)



=============
[PS] C:\Windows\system32>Get-Mailbox -Arbitration -Database "ABC-1GB"

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
SystemMailbox{1f05a927... SystemMailbox{1f0... ABC-mb-01        unlimited
SystemMailbox{e0dc1c29... SystemMailbox{e0d... ABC-mb-01        unlimited
FederatedEmail.4c1f4d8... FederatedEmail.4c... ABC-mb-01        3 MB (3,145,728 bytes)
================
Get-Mailbox -Arbitration -Database "ABC-1GB" | New-MoveRequest -TargetDatabase "ABC_100MB"
You may get an error on the FederatedEmail mailbox move like the one shown in the referenced article:
[image: Exchange 2010 - Error on FederatedEmail mailbox move, www.oostdam.info, picture 1]
Connect to ADSI Edit and change the values on the FederatedEmail mailbox object as described in the reference below.



Reference:
http://www.oostdam.info/index.php/sectie-blog/46-verschillendesoftwareproducten/329-federatedemail-mailbox-error-on-move
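The error text lists three kinds of mailbox that block a removal, and the fix is to move them rather than disable them (a disabled arbitration mailbox breaks moderated transport and federation, and disabling users loses their mail). The script below is an added example, not from the original post, that does the whole sequence for one database: inventory, move, wait for the batch, report failures, and only then remove the database. It is written for the Exchange 2010 SP1 Management Shell (-ArchiveOnly needs SP1); the two database names are the post's, and the direction of the move is an assumption.

```powershell
# Added example: retire a mailbox database once nothing is left on it.
# Assumptions: Exchange 2010 SP1 shell; $Source/$Target are the post's names
# and the move direction is a guess.
$Source = 'ABC-1GB'
$Target = 'ABC_100MB'
$Batch  = "Retire-$Source"

# 1. Inventory, in the three categories the error message lists
$users       = @(Get-Mailbox -Database $Source -ResultSize Unlimited)
$arbitration = @(Get-Mailbox -Database $Source -Arbitration -ResultSize Unlimited)
$archives    = @(Get-Mailbox -Database $Source -Archive -ResultSize Unlimited)
"{0}: {1} user, {2} arbitration, {3} archive mailboxes" -f $Source, $users.Count, $arbitration.Count, $archives.Count

# 2. Move everything. A plain move request takes a user's archive along if
#    there is one (use -PrimaryOnly if the archive should stay where it is).
$users       | New-MoveRequest -TargetDatabase $Target -BatchName $Batch | Out-Null
$arbitration | New-MoveRequest -TargetDatabase $Target -BatchName $Batch | Out-Null
# Archives whose primary mailbox lives on another database need an archive-only move
$userDNs = $users | ForEach-Object { $_.DistinguishedName }
$archives | Where-Object { $userDNs -notcontains $_.DistinguishedName } |
    New-MoveRequest -ArchiveOnly -ArchiveTargetDatabase $Target -BatchName $Batch | Out-Null

# 3. Wait for the batch, then show what failed (the FederatedEmail mailbox is
#    the usual suspect; see the ADSI Edit note above)
do {
    Start-Sleep -Seconds 30
    $pending = @(Get-MoveRequest -BatchName $Batch |
                 Where-Object { @('Completed', 'Failed') -notcontains $_.Status })
} while ($pending.Count -gt 0)
Get-MoveRequest -BatchName $Batch -MoveStatus Failed | Get-MoveRequestStatistics |
    Format-List DisplayName, StatusDetail, Message
Get-MoveRequest -BatchName $Batch -MoveStatus Completed | Remove-MoveRequest -Confirm:$false

# 4. Remove the database only when the inventory is empty; otherwise you get
#    the same error again.
$left = @(Get-Mailbox -Database $Source) +
        @(Get-Mailbox -Database $Source -Arbitration) +
        @(Get-Mailbox -Database $Source -Archive)
if ($left.Count -eq 0) {
    Dismount-Database $Source -Confirm:$false
    Remove-MailboxDatabase $Source -Confirm:$false
} else {
    Write-Warning ("{0} mailbox(es) still on {1}; not removing it" -f $left.Count, $Source)
}
```

Remove-MailboxDatabase only deletes the Active Directory object; the .edb and log files stay on disk until you delete them yourself, so keep the folder until you have confirmed the moved mailboxes open cleanly from the target database.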

Sunday, August 5, 2012

Configure BlackBerry mail with Exchange 2010

 

ON THE BLACKBERRY SERVER

TASK 1

1.      Click Start > Administrative Tools > Computer Management.

2.      In the left pane, expand System Tools and click Local Users and Groups.

3.      In the right pane, double-click Groups.

4.      Right-click Administrators and click Properties.

5.      Click Add, and in the Select Users, Contacts, Computers, or Groups window, select the BlackBerry Enterprise Server service account name.

6.      Click OK.


Task 2

To assign Local Security Policy permissions to the BlackBerry Enterprise Server service account, complete the following steps:

Note: This allows the BlackBerry Enterprise Server service account to access the local computer and to run the BlackBerry Enterprise Server software as a Windows® service.

  1. Click Start > Administrative Tools > Local Security Policy.

If the computer is a domain controller, click Start > Administrative Tools > Domain Controller Security Policy instead.

  2. In the Local Security Settings window, click Local Policies > User Rights Assignment.

  3. Do one of the following:

    • For Windows 2000 Server, double-click Log on Locally.

    • For Windows Server 2003, double-click Allow Log on Locally.

  4. Click Add User or Group.

  5. Select the BlackBerry Enterprise Server service account name and click Add.

  6. Click OK.

  7. In the Local Security Settings window, double-click Log On As a Service.

  8. Click Add User or Group and select the BlackBerry Enterprise Server service account.

  9. Click OK.

 

 

 

Microsoft Exchange 2010

Create a Windows account that has a Microsoft Exchange 2010 mailbox

You must create a Windows® account with a Microsoft® Exchange 2010 mailbox so that the Windows account can authenticate with the Microsoft® Exchange Server.

1.     On the computer that hosts Microsoft Exchange, log in using an administrator account that has the permission to create accounts.

2.     Open the Microsoft Exchange Management Console.

3.     Create an account and mailbox that you name BESAdmin.

4.     To permit the BlackBerry® Enterprise Server to check if a BlackBerry device user has permission to access a public folder, assign the Owner permission for all public folders to the administrator account.

  • To verify that you created the Windows account, log in to a computer using the Windows account.

  • Verify that the Windows account is not a member of the Domain Administrators group in Microsoft® Active Directory®.

  • Verify that BlackBerry device users have Read permissions and Visible permissions to public folders.

  • To permit BlackBerry device users to check the availability of meeting participants using BlackBerry® Device Software 4.5 or later, configure the Schedule+ Free/Busy information for the system public folder. For more information, visit http://technet.microsoft.com to read articles 629523 and 691129.

Configure Microsoft Exchange 2010 permissions for the Windows account

1.     On a computer that hosts the Microsoft® Exchange Management Shell, open the Microsoft Exchange Management Shell.

2.     Type Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin.

3.     Type Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin".

4.     Type Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>" where <domain_1>, <domain_2>, and <domain_3> form the name of the domain. For example, if the domain name is www.example.com, type www for <domain_1>, example for <domain_2>, and com for <domain_3>.

If you create a new mailbox database for Microsoft Exchange, repeat step 2.

Note that Receive-As on every mailbox database lets this account open any mailbox in the organization, and Send-As on every user object lets it send mail as any user, so treat BESAdmin as a privileged account: a long random password, no interactive logon rights beyond what Task 2 grants, no membership in Domain Admins, and auditing of where it logs on from.

Turn off client throttling in Microsoft Exchange 2010

By default, Microsoft® Exchange 2010 uses client throttling policies to track the resources (concurrent connections and processing time) that each Microsoft Exchange user consumes and to enforce limits as necessary. Because the BlackBerry® Enterprise Server opens many connections under one account, the default policy degrades its performance, so you should turn off client throttling for the Windows® account that has the Microsoft Exchange mailbox.

1.     On a computer that hosts the Microsoft Exchange Management Shell, open the Microsoft Exchange Management Shell.

2.     Type New-ThrottlingPolicy BESPolicy.

3.     Type Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy.

Increase the maximum number of connections to the Address Book service in Microsoft Exchange 2010

By default, Microsoft® Exchange 2010 limits the maximum number of connections from the BlackBerry® Enterprise Server to the Address Book service to 50. To permit the BlackBerry Enterprise Server to run, you must increase the number of permitted connections to a large value (for example, 100,000).

1.     On the computer that hosts the Microsoft Exchange CAS server, in <drive>:\Program Files\Microsoft\Exchange Server\V14\Bin, in a text editor, open the microsoft.exchange.addressbook.service.exe.config file.

2.     Change the value of the MaxSessionsPerUser key to 100000.

3.     Save and close the file.

4.     Restart the Address Book service.

 

In the Active Directory

1. On any computer within your domain, on the taskbar, click Start > Administrative Tools > Active Directory Users and Computers.
2. In the View menu, click Advanced Features.
3. Right-click the domain root.
4. Click Properties.
5. On the Security tab, click Advanced.
6. Click Add.
7. Type BESAdmin.
8. Click Check Name.
9. Click OK.
10. In the Apply Onto drop-down list, click Descendant User objects.
11. In the Allow column, select the Send As, Receive As and Allowed to Authenticate check boxes.
12. Click Apply.
13. Click Ok.
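The Exchange Management Shell steps above (permissions, role group, throttling policy, Address Book limit) and the Active Directory GUI steps are one procedure that is easy to apply inconsistently across several CAS servers. The script below is an added example, not from the original post or from RIM's documentation, that applies all of it in one pass and then verifies the result. It is meant for the Exchange 2010 Management Shell on a CAS server; the domain DN is a placeholder, the account name BESAdmin and the config file come from the post, and setting the RCA* throttling parameters to $null (unlimited) follows RIM's guidance for Exchange 2010 SP1.

```powershell
# Added example: grant and verify the BES service account permissions.
# Assumptions: Exchange 2010 Management Shell on a CAS; $DomainDN is a placeholder.
$Svc      = 'BESAdmin'
$DomainDN = 'DC=example,DC=com'   # assumption: your domain's distinguished name

# Step 2: Receive-As and store admin on every database (repeat when a DB is added)
Get-MailboxDatabase | Add-ADPermission -User $Svc -AccessRights ExtendedRight `
    -ExtendedRights Receive-As, ms-Exch-Store-Admin | Out-Null

# Step 3: view-only RBAC role
Add-RoleGroupMember 'View-Only Organization Management' -Member $Svc

# Step 4 / AD GUI steps: Send-As on all descendant user objects. Granting it
# at the domain root (as the GUI steps do) covers users outside CN=Users.
Add-ADPermission -Identity $DomainDN -User $Svc -InheritedObjectType User `
    -InheritanceType Descendents -ExtendedRights Send-As | Out-Null

# Client throttling: dedicated policy with the RPC Client Access caps removed
if (-not (Get-ThrottlingPolicy BESPolicy -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy BESPolicy | Out-Null
}
Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null `
    -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null
Set-Mailbox $Svc -ThrottlingPolicy BESPolicy

# Address Book service: raise MaxSessionsPerUser on this CAS (run on each CAS)
$cfg = Join-Path $env:ExchangeInstallPath 'Bin\microsoft.exchange.addressbook.service.exe.config'
[xml]$x = Get-Content $cfg
$node = $x.SelectSingleNode("//add[@key='MaxSessionsPerUser']")
if ($node -and [int]$node.GetAttribute('value') -lt 100000) {
    Copy-Item $cfg "$cfg.bak"
    $node.SetAttribute('value', '100000')
    $x.Save($cfg)
    Restart-Service -DisplayName 'Microsoft Exchange Address Book'
}

# Verify: explicit rights on each database, Send-As at the domain root, and
# that the account is not a Domain Admin
Get-MailboxDatabase | Get-ADPermission -User $Svc |
    Where-Object { -not $_.IsInherited } |
    Format-Table Identity, ExtendedRights -AutoSize
Get-ADPermission -Identity $DomainDN -User $Svc |
    Where-Object { $_.ExtendedRights -like 'Send-As' } |
    Format-Table Identity, InheritanceType, ExtendedRights -AutoSize
$dn = (Get-User $Svc).DistinguishedName
$admins = (Get-Group 'Domain Admins').Members | ForEach-Object { $_.DistinguishedName }
if ($admins -contains $dn) { Write-Warning "$Svc is a member of Domain Admins; remove it" }
```

The verification block is the part worth keeping as a scheduled check: any extra ExtendedRights on a database, or a Domain Admins hit, means someone has widened an account that can already read every mailbox and send as every user.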