Today’s edition of “Thanks a lot Microsoft…”

Trying to answer for my supervisor what seems like a simple enough question: “how many users do we have in Active Directory?”  Good old Active Directory Users and Computers (ADUC, aka dsa.msc) is kinda kludgy in this respect: I can search for all disabled user objects… I can search for all users and groups (do math and get all active users and groups)… but what about just user objects?

I go to play with this new-fangled Active Directory Administrative Center (ADAC, aka dsac.exe) which seems better-suited, but it bitches at the size of my domain:

[screenshot: ADAC error about the Management List limit]

…which raises the question – where are the Management List options?  Oh, of course – silly me – they are HIDDEN – you have to press the ALT key to see the additional menus.  Our friends at Microsoft’s Ask the Directory Services Team blog have the explanation at Fun with the AD Administrative Center – I quote: “

The error tells you what to do – just change the “Management List” options. Right! So… ehhh… where is the management list? You have to hit the ALT key to expose that menu. Argh…

[screenshot: Management List options menu]

Then you can set the returned object count as low as 2000 or as high as 100000. If you have to do this though, you need to work on organizing your objects better.”

Nice, except there is no reason to sort down our students into multiple groups.  An argument can be made that we don’t need to have/keep 20,000+ students – but that is a deprovisioning question left to people in a higher pay grade than I.
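Added example, not code from the original post: the “just user objects” count taken straight from the ActiveDirectory module (RSAT / Server 2008 R2 and later), which sidesteps both ADUC’s missing search and ADAC’s 20,000-object display limit. It assumes the module is installed and the caller can read the domain; the SearchBase parameter and the Get-DomainUserCounts name are my additions.

```powershell
# Added example, not code from the original post: count user objects directly with the
# ActiveDirectory module. Assumes the module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-DomainUserCounts {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Computer accounts are also objectClass=user, so objectCategory=person is what turns
    # "users and computers" into "just user objects".
    $person   = '(objectCategory=person)(objectClass=user)'
    # Bit 0x2 of userAccountControl is ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the
    # LDAP bitwise-AND matching rule, so this clause matches disabled accounts only.
    $disabled = '(userAccountControl:1.2.840.113556.1.4.803:=2)'

    # -ResultSetSize $null removes the cmdlet's result cap; results are paged, so a
    # 20,000+ object search completes without any ADAC-style "organize your objects" warning.
    $total = @(Get-ADUser -LDAPFilter "(&$person)"             -SearchBase $SearchBase -ResultSetSize $null).Count
    $off   = @(Get-ADUser -LDAPFilter "(&$person$disabled)"    -SearchBase $SearchBase -ResultSetSize $null).Count
    $on    = @(Get-ADUser -LDAPFilter "(&$person(!$disabled))" -SearchBase $SearchBase -ResultSetSize $null).Count

    [pscustomobject]@{
        SearchBase = $SearchBase
        Total      = $total
        Enabled    = $on
        Disabled   = $off
        # Enabled and disabled must partition the total; a mismatch means objects changed mid-run.
        Consistent = (($on + $off) -eq $total)
    }
}

Get-DomainUserCounts | Format-List
```

Pass -SearchBase with an OU distinguished name to count one OU (the students, say) instead of the whole domain.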

Posted in Uncategorized | Leave a comment

Microsoft DNS server recursion problems

Many of you at UNI know we’ve had a problem over the past couple of years – oh, since Windows Server 2008 R2 was installed on our domain controllers seems to be the timeline.  Various web pages, when loaded from a workstation using ad.uni.edu’s AD-integrated DNS resolvers, will load partially or not at all, even though they are live and can be resolved against UNI’s Unix DNS recursers (dns2.uni.edu and dns3.uni.edu).

Well, well – after finally getting three URLs that fail every time (previous examples of cisco.com, bn.com, priceline.com would fail, but once the AD DNS server’s cache was flushed they would work again for days or months) I opened a Microsoft service call for $259 and found the magic hotfix that the Googles and the Bing failed to find.

DNS Server service does not use root hints to resolve external names in Windows Server 2008 R2

This fixed our problem (it occurs when a foreign DNS server responds with NS and glue records for the same name) – BUT what really chafes me (or in Peter Griffin’s words “grinds my gears”) is that this hotfix was released a year ago and is still a request-only hotfix that hasn’t been tested and released as an AU patch.  Come on!  This cannot be that rare: a Windows AD server providing DNS recursion to AD clients via root hints (rather than DNS forwarding to another DNS server – which has its own set of problems).
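Added example, not code from the original post: the comparison that exposes this symptom, resolving the same names through the AD-integrated DNS server and through one of the Unix recursers named above, and flagging names that only the AD side fails on. Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 or later), which is an assumption on where this runs; the AD server name and the test names are constructed placeholders.

```powershell
# Added example, not code from the original post. Assumes the DnsClient module (Windows 8 /
# Server 2012+); dc1.ad.example.edu and the www.example.* names are constructed placeholders.
Import-Module DnsClient

function Resolve-ViaServer {
    param([string]$Name, [string]$Server)
    # Returns the A-record addresses as strings, or $null when that server fails or times out.
    try {
        $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        return @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        return $null
    }
}

function Compare-Resolvers {
    param(
        [string[]]$Names,
        [string]$AdDns,
        [string]$Reference = 'dns2.uni.edu'   # one of UNI's Unix recursers from the post
    )
    foreach ($n in $Names) {
        $viaAd  = Resolve-ViaServer -Name $n -Server $AdDns
        $viaRef = Resolve-ViaServer -Name $n -Server $Reference
        $adText  = if ($viaAd)  { $viaAd  -join ',' } else { 'FAIL' }
        $refText = if ($viaRef) { $viaRef -join ',' } else { 'FAIL' }
        [pscustomobject]@{
            Name        = $n
            ViaAdDns    = $adText
            ViaRefDns   = $refText
            # The signature described in the post: the reference recurser answers, the AD server does not.
            AdOnlyFails = ((-not $viaAd) -and [bool]$viaRef)
        }
    }
}

# The post's real examples recovered after a cache flush (dnscmd <server> /clearcache), so
# repeat the comparison after flushing to tell a poisoned/stale cache from the root-hints bug.
Compare-Resolvers -Names 'www.example.com', 'www.example.net' -AdDns 'dc1.ad.example.edu' |
    Format-Table -AutoSize
```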


Ctrl+Alt+End is your Remote Desktop friend

So you’re out of the office, but accessing your domain workstation via Remote Desktop.  Notification area says “your password expires in 1 day – change by hitting ctrl+alt+del” – but when you do this, you’re of course bringing up your portable Windows environment not the one back at your office.

Ctrl+Alt+End while in a Microsoft Windows Remote Desktop (6.1 or newer at least) session sends C+A+Del to the remote computer.  Voila!


Microsoft Key Management Service (KMS) 2012

The blessings of Windows Server 2012 and Windows 8 have descended to us mere mortals with Microsoft software assurance.  Alright, how are we going to activate these new installs?

You remember the game from 2008/Vista and then 2008R2/Win7… and again you don’t have to set up a new server; you can reuse your existing KMS.  However, it appears if you have played our KMS games for a long time and not upgraded the server to 2008R2 you are out of luck!

Hotfix for Windows Server 2008R2 to support Win8 and WS2012 (and if you don’t have server SA, you can install KMS on a Win7 workstation with this patch, allowing you to activate Win8/WS2012).

Sigh – fill out form and await email.  At least I received it in under 20 seconds.  (BTW – WTF Microsoft, I – a human – failed your first two CAPTCHAs??)

My last gripe: Microsoft provided the same KMS code for Windows Server 2012 Standard and Data Center… when installed, it says Windows Server Standard… but /dlv shows “KMS_2012_C Channel”, which if things are the same as 2008R2 implies Data Center is covered and will be activated.  Time will tell…


Windows 7 PEAP server ‘connect to’ wildcard

Contrary to what you’d expect – and to several help forums on the interwebz – on a Windows XP, Vista or 7 client machine using PEAP for wireless or wired 802.1x network access you cannot configure “connect to these servers” with a value of “*.foo.com” – it won’t work – users will get a splat on connection – and if they accept, the CN of the certificate will be added after a semicolon, such as “*.foo.com;radius1.foo.com”.

Correct configuration at UNI is shown here – this allows rad1.its-ns.uni.edu and rad2.its-ns.uni.edu etc.

[screenshot: UNI PEAP “Connect to these servers” setting]
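Added example, not code from the original post: an audit of exported Windows wireless profiles for the “connect to these servers” mistakes described above (a wildcard entry the client will not honour, an empty list, or the prompt that lets users accept an unlisted server, which is exactly how the “*.foo.com;radius1.foo.com” value ends up in the field). It assumes profiles were exported with `netsh wlan export profile folder=C:\temp\profiles`; the XML below is a constructed sample trimmed to the elements the check reads, and the function names are mine.

```powershell
# Added example, not code from the original post. Assumes profiles exported with
#   netsh wlan export profile folder=C:\temp\profiles
# The XML here is a constructed sample trimmed to the elements the check reads.

$sampleProfileXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Sample-PEAP</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
              <ServerNames>*.foo.com;radius1.foo.com</ServerNames>
            </ServerValidation>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
'@

function Test-PeapServerNames {
    param([xml]$ProfileXml)
    $name = ($ProfileXml.GetElementsByTagName('name') | Select-Object -First 1).InnerText
    $sv   = $ProfileXml.GetElementsByTagName('ServerValidation') | Select-Object -First 1
    $findings = @()
    if (-not $sv) {
        return [pscustomobject]@{ Profile = $name; ServerNames = ''; Findings = @('no PEAP ServerValidation element') }
    }
    $namesNode  = $sv.GetElementsByTagName('ServerNames') | Select-Object -First 1
    $promptNode = $sv.GetElementsByTagName('DisableUserPromptForServerValidation') | Select-Object -First 1
    $raw   = if ($namesNode) { $namesNode.InnerText } else { '' }
    # The field is a semicolon-separated list of exact server names (the rad1;rad2 form from the post).
    $names = @($raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($names.Count -eq 0) { $findings += 'ServerNames empty: any server with a trusted certificate is accepted' }
    foreach ($s in $names) {
        if ($s.Contains('*')) { $findings += "wildcard entry '$s' is not matched by the Windows client" }
    }
    if ($promptNode -and $promptNode.InnerText -eq 'false') {
        $findings += 'users are prompted and can accept an unlisted server (the "splat")'
    }
    [pscustomobject]@{ Profile = $name; ServerNames = $raw; Findings = $findings }
}

function Test-ExportedProfiles {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Filter *.xml |
        ForEach-Object { Test-PeapServerNames -ProfileXml ([xml](Get-Content $_.FullName -Raw)) }
}

# Offline run on the constructed sample; point Test-ExportedProfiles at the netsh export folder for real use.
Test-PeapServerNames -ProfileXml ([xml]$sampleProfileXml) | Format-List
```

On the sample the audit reports both the wildcard entry and the prompt, which is the combination that lets the semicolon-appended CN sneak into the list.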


Troubleshooting Remote Desktop Gateway (formerly known as tsgateway)

Rather than provide portable computers for staff, the culture at my day job is for people to use iPads and other data-consuming devices to remote back to their office desktop computer and do *all* their work.  Since leaving 3389 (the common Remote Desktop {RD} or Terminal Services {TS} TCP port) open to the Internet guarantees a bunch of door-knocking probes, we force everyone through the VPN or to use Microsoft’s RD Gateway.

With Windows Server 2008 Microsoft introduced TS Gateway (renamed RD Gateway with 2008R2).  You connect to the gateway over TCP port 443 (also gets around the common coffee-house WiFi limits on connecting to only web pages) and the gateway makes the 3389 connection to your workstation inside your campus/building/office network.

Clients are somewhat limited: Windows XP can use the gateway with version 6.1 of Remote Desktop Connection.  Windows 2008, Vista, 2008 R2 and Windows 7 all support RD Gateway natively.  There is no Macintosh client (to my knowledge… Microsoft’s client and CoRD, which I use, both lack this capability) nor is there a xNix RD client with gateway connectivity.  On the iPad there are PocketCloud and iTap.

Client error messages are less-than-specific, unfortunately.

You will get the following message under two scenarios:

  1. You’ve entered an incorrect DNS name or IP address
  2. Name or IP address is correct, but no device is responding to the RD Gateway’s TCP 3389 connection – which means either the machine is powered off or it is firewalled in a way that it doesn’t reply to the connection request from the gateway.

[screenshot: noDNS error message]

Another scenario, not unique to using a gateway, is attempting to connect to a machine with a user account that isn’t authorized (usually, isn’t in the Remote Desktop Users security group on that workstation).

[screenshot: noAuth error message]

The final scenario I have is if your RD Gateway is down, you have no route to it, or you simply fat-fingered the host name:

[screenshot: rdgUnavailable error message]
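Added example, not code from the original post: the non-specific client errors above turned into checks you can run yourself. Test-RdGatewayPath is run from the client for the gateway leg and from the gateway itself for the 3389 leg, since that is where the gateway-to-workstation connection originates. Host names are constructed placeholders and the function names are mine.

```powershell
# Added example, not code from the original post. Host names are constructed placeholders.

function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout: $true means something completed the handshake on that port.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-HostResolves {
    param([string]$TargetHost)
    try { $null = [System.Net.Dns]::GetHostAddresses($TargetHost); $true } catch { $false }
}

function Test-RdGatewayPath {
    param([string]$Gateway, [string]$Workstation)
    $gwResolves = Test-HostResolves $Gateway
    $wsResolves = Test-HostResolves $Workstation
    [pscustomobject]@{
        # "RD Gateway unavailable": gateway name wrong, no route to it, or it is down.
        GatewayResolves         = $gwResolves
        GatewayAnswers443       = ($gwResolves -and (Test-TcpPort -TargetHost $Gateway -Port 443))
        # "Incorrect DNS name or IP": the workstation name does not resolve at all.
        WorkstationResolves     = $wsResolves
        # "No device responding": resolves, but nothing completes a 3389 handshake from *this* host.
        # Only meaningful when run on the gateway; a firewall may answer differently from elsewhere.
        Workstation3389FromHere = ($wsResolves -and (Test-TcpPort -TargetHost $Workstation -Port 3389))
    }
}

# The remaining case (account not in the workstation's Remote Desktop Users group) is checked on
# the workstation itself:  net localgroup "Remote Desktop Users"
Test-RdGatewayPath -Gateway 'rdgateway.example.edu' -Workstation 'mydesktop.example.edu' | Format-List
```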


Use ADUC to find client machine OS versions

I’ve been asked “how many Winders XP machines ya got left” – off to Active Directory Users and Computers (aka ADUC, aka dsa.msc).

Find the domain/CN/OU you wish to search, right-click and choose Find – then in the Find drop-down list choose Custom Search.

[screenshot: Custom Search in the Find dialog]

Then the Field button –> Computer –> Operating System.

Enter the value for the OS you want to report on.  Some options are listed below (you can specify the full field with Pro, Ultimate, etc.; if you grok ADSIEdit or Attribute Editor, the attribute we are looking at is operatingSystem):

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2003
  • Windows Storage Server
  • Windows Server 2008
  • Windows Server 2008 R2

[screenshot: Operating System field set to Windows XP]

Click Add – then Find now.  Voila!
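Added example, not code from the original post: the same operatingSystem search run from the ActiveDirectory module, grouped by version and service pack, with a column that separates machines that still log on from stale computer accounts (which otherwise inflate any “how many XP left” number). It assumes the module is installed; the 90-day staleness threshold and the function name are my choices.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module;
# the 90-day staleness threshold is my choice.
Import-Module ActiveDirectory

function Get-ComputerOsInventory {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # operatingSystem carries the edition too ("Windows XP Professional"), hence the trailing *.
        [string]$Pattern    = 'Windows XP*',
        [int]$StaleDays     = 90
    )
    $found = Get-ADComputer -LDAPFilter "(operatingSystem=$Pattern)" -SearchBase $SearchBase `
                 -Properties operatingSystem, operatingSystemServicePack, lastLogonTimestamp -ResultSetSize $null
    $cutoff = (Get-Date).AddDays(-$StaleDays).ToFileTime()

    $found | Group-Object operatingSystem, operatingSystemServicePack | ForEach-Object {
        [pscustomobject]@{
            OperatingSystem = $_.Name
            Count           = $_.Count
            # lastLogonTimestamp is replicated (accurate to roughly 14 days), good enough here.
            ActiveRecently  = @($_.Group | Where-Object { $_.lastLogonTimestamp -gt $cutoff }).Count
        }
    }
}

Get-ComputerOsInventory | Format-Table -AutoSize
# Any value from the list above works the same way:
Get-ComputerOsInventory -Pattern 'Windows Server 2003*' | Format-Table -AutoSize
```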


Dell 3130 printer–odd driver/network behavior

Overall, I’m happy with this new Dell 3130cn color printer, but their drivers are *odd* – and you cannot set up a Windows server print queue to this printer by creating a TCP/IP port and feeding Windows the INF drivers.

I unboxed this printer, jacked it into a /24 network in my office, then proceeded to set up a new printer on a Windows 2008r2 core print server in another routed network.  New port – TCP/IP – hostname – autodetects as LPD… well fine, but I changed it to port 9100.  Drivers: download R308589 from Dell.com – point to the INF, get a choice of PCL5, PCL XL and PS… humm, let’s go PostScript.  Done.  Print test page – it queues, then the queue is empty (as if the job was sent to the printer and accepted) but nothing comes out of the printer.  Again, nothing.  Check the embedded web server on the printer – Printer Jobs – completed jobs – nothing but the test page from the unit.  Humm.

Got busy doing other stuff, came back later – and a port 9100 job was in the completed jobs list from a Mac user in my office who printed directly to the device.  Odd.  Can I do that too – yup, set up the printer on my Win7 workstation using the same driver.  “What the heck, a routing issue from the server’s network to the workstation network?”  No, because I can get to the EWS – and the routers treat 80/443/9100 all the same.

Answer: Dell’s Admin Guide to Open Print Driver.  You must install all 3 print drivers on your server – then the Configure tab in the printer properties shows the printer model rather than just showing Generic Laser Printer.

[screenshots: Configure tab showing Generic vs. model-specific printer]

I don’t know the voodoo behind the driver, model selection, and networking – when Active Model=Generic you can print over TCP port 9100 to the printer if you are in the same subnet.  If the printing device (server or your workstation) is in a different subnet – you better follow the Dell instructions to install all 3 drivers (even though you only “use” one of them).


Zotac ZBOX Nano PC

If I had it to do over, I might buy the Zotac ZBOX Nano XS AD11 Plus Mini PC rather than build my own … however now that I read – 19vdc instead of 12/13.8vdc means not suitable for car-puter or in a radio install with 12 volt emergency power.

Zotac US Web site – AD11 Plus product page

My earlier Blog entry on DC Powered Micro Computer


ADModify.NET Bulk AD object manipulation tool

Was looking for a way to remove an AD user attribute (profilePath) – which is way more complicated than just using your favorite Perl, VB or other scripting language to write an LDAP attribute.  In this case you really are removing an attribute.

I’ve seen this before, but don’t recall using it.  Freeware from Microsoft on their CodePlex site.

GUI-based, so somewhat the opposite of scripting – but it worked well in my situation, where I had an entire organizational unit in which I wanted to set every user object to the same NULL value for one (or more) attributes.

http://admodify.codeplex.com/
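Added example, not code from the original post or from ADModify.NET: the scripted equivalent of what the tool did here, removing profilePath from every user object under one OU. Set-ADUser -Clear deletes the attribute from the object, which is the “really removing” that writing an empty value does not do. It assumes the ActiveDirectory module; the OU distinguished name is a placeholder and the function name is mine.

```powershell
# Added example, not code from the original post or from ADModify.NET. Assumes the
# ActiveDirectory module; the OU distinguished name below is a placeholder.
Import-Module ActiveDirectory

function Clear-UserAttributeInOu {
    param(
        [Parameter(Mandatory=$true)][string]$OuDn,
        [string[]]$Attribute = @('profilePath'),
        [switch]$Commit   # without it this is a dry run that only reports what would change
    )
    # Only select objects that actually carry one of the attributes, so the report is exact.
    $filter = '(|' + (($Attribute | ForEach-Object { "($_=*)" }) -join '') + ')'
    $users  = Get-ADUser -LDAPFilter $filter -SearchBase $OuDn -Properties $Attribute -ResultSetSize $null
    foreach ($u in $users) {
        $before = ($Attribute | ForEach-Object { "$_=$($u.$_)" }) -join '; '
        # -Clear removes the attribute entirely, rather than setting it to an empty string.
        if ($Commit) { Set-ADUser -Identity $u -Clear $Attribute }
        [pscustomobject]@{ User = $u.SamAccountName; Before = $before; Cleared = [bool]$Commit }
    }
}

# Dry run first; re-run with -Commit once the list of affected users looks right.
Clear-UserAttributeInOu -OuDn 'OU=Students,DC=example,DC=edu' | Format-Table -AutoSize
# Clear-UserAttributeInOu -OuDn 'OU=Students,DC=example,DC=edu' -Commit
```

Keep the dry-run output: it is the before-state you will want if someone asks why their roaming profile stopped loading.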
