Archive for category Windows
TO log on to this remote computer, you must be granted the Allow log on through Terminal Services Right.
There are a few places that need to be configured properly for TS to work.
1) The “allow logon through terminal services” right must be assigned to the user or group in question. This can be done through group policy or local policy. By default, remote desktop users is granted this right locally, you can do the same with a domain policy for good group organization.
2) Permissions to the RDP protocol must be added in (admin tools->Terminal services config->connections->RDP-tcp properties->Permissions). Usually remote desktop users is already listed but you may have to add it.
3) The “HKLM\system\currentcontrolset\control\terminal server\fDenyTSConnections” dword must be set to “0″. This can also be accessed by right clicking “my computer” and choose properties, go to the “remote” tab, and check the box for “enable remote desktop on this computer.
Typically, I add “authenticated users” to the local remote desktop group, then grant remote desktop users permissions to the RDP-tcp protocol. I then grant the “allow logon through terminal services” right via group policy to the terminal server(locally or domain) to “authenticated users”. This method allows all users to logon, you would have to use a security group if you only want to grant specific users access.
You can define the permissions for the user’s/groups however you want. It is usually easiest to add the users you wish to allow to the domain group “remote desktop users”, add the domain group to the local “remote desktop users” on the server for good measure, then reference the domain group in RDP permissions and the “allow logon..” policy setting.
Let me know if this helps.
Perform Authoritative Restore of Entire Directory
This step restores the entire Active Directory, and marks it as authoritative for the enterprise.
Requirements
• Credentials: local Administrator
• Tool: Ntdsutil.exe
To perform authoritative restore of the entire directory
1. Open a command prompt and type ntdsutil and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore and then press ENTER.
3. At the ntdsutil authoritative restore: prompt, type restore database and press ENTER.
4. At the Authoritative Restore Confirmation dialog box, click OK.
5. Type quit and press ENTER until you have exited Ntdsutil.exe.
6. Restart the server. It is now authoritative for the domain, and changes will be replicated to the other domain controllers in the enterprise.
Command Line Hack for: “Terminal Server Has Exceeded the Maximum Number of Allowed Connections”
If you’ve worked on a network with Windows servers, you’ve encountered this error message at least 37,000 times:
“The terminal server has exceeded the maximum number of allowed connections. The system can not log you on. The system has reached its licensed logon limit. Please try again later.”
This problem happens because Windows only allows two remote terminal services connections when you are in administrative mode, and you’ve either got two people already on that server, or more likely, you’ve got a disconnected session that still thinks it is active.
The problem with this error is that you have to actually get on the server console to fix the problem if the server isn’t in a domain. (If you are in a domain, then just open Terminal Services Manager and log off or disconnect the sessions)
To use the command line hacks, you might need to run them from another server if your local operating system doesn’t include the commands. You will also need to make sure that you are logged onto that server with an administrative account. The easiest way to do that is just map a drive (you don’t have to use a drive letter unless you choose to)
net use /user:[username] \\servername\share
Here’s a command line hack that you can use to figure out what sessions are connected to the server. Note that you could substitute the IP address for the server name.
query session /server:servername
Sample output:
Now we know that the session ID of the offending session is 2. We can use that in the next step, which is using the reset command to log off that user.
reset session [ID] /server:servername
Sample:
This command won’t display any output, but when we run the query command again, we should see that the session has now been disconnected:
Note: Thanks to my friend Todd for this one.
Use Entourage with Exchange Server 2007
Recently, my company implemented a new Exchange 2007 server for our email. No special changes or accommodations were made to support OS X. After a bit of searching and trial and error, I figured out the settings for Entourage to work when connected to the corporate network: email, contacts, and calendar all work.
I started with version 11.3.6 (070618) of Entourage, and added a new Exchange email account. I then tried the automatic setup, but it failed so I went into manual mode. During the setup, i found two fields that require surprising entries:
Under the Account Settings tab, the Exchange Server field. Here is what works for me:
https://my.internal.owa.server.name/exchange/username@domain.com
Be sure to use /exchange/ rather than some other directory, and include your full email address afterwards. This was surprising because to connect with Safari, the URI is:
https://my.internal.owa.server.name/owa/
On the Advanced tab, for the Public folders server, I use this URI:
https://my.internal.owa.server.name/public/username@domain.com
Once again, use /public/ not some other directory.
Evidently /exchange/and /public/ are virtual folders that Exchange 2007 creates for backward compatibility. The data for the rest of the fields was as expected.
Terminal server patch windows XP
http://www.kood.org/terminal-server-patch/
- Download the termserv.zip file below and extract it somewhere. (You have to be registered to see the file)
- Reboot into Safe Mode. This is necessary to remove Windows File Protection.
- Copy the termserv.dll in the zip to %windir%\System32 and %windir%\ServicePackFiles\i386. If the second folder doesn’t exist, don’t copy it there. Delete termserv.dll from the dllcache folder: %windir%\system32\dllcache
- Merge the contents of Concurrent Sessions SP2.reg file into the registry.
- Make sure Fast User Switching is turned on. Go Control Panel -> User Accounts -> Change the way users log on or off and turn on Fast User Switching.
- Open up the Group Policy Editor: Start Menu > Run > ‘gpedit.msc’. Navigate to Computer Configuration > Administrative Templates > Windows Components > Terminal Services. Enable ‘Limit Number of Connections’ and set the number of connections to 3 (or more). This enables you to have more than one person remotely logged on.
- Now reboot back into normal Windows and try out whether Concurrent Sessions in Remote Desktop works. It should!
Configure Exchange 2007 to Receive E-Mail for other Domains
by Daniel Petri – January 7, 2009
Exchange 2007 will only accept e-mail traffic for the e-mail domain that is identical to the name of your Active Directory domain. However, in some cases, we would like to allow our Exchange server to also receive e-mail for domains other than our own, internal domain name. On my “Configure Exchange 2000/2003 to Receive E-Mail for other Domains” article. I have explained how to configure previous versions of Exchange to receive e-mail for domains other than the ones configures as their internal Active Directory domain. In Exchange 2007 things are a bit more complex since it does not natively accept ANY sort of incoming mail from the external world, therefore we need to go through some more steps to get things rolling.
There are several new features included within Exchange Server 2007, which some of my articles touch on briefly. However, if you are looking for training that takes you from installation to integration with Outlook and management of Exchange Server 2007 then you need Train Signal’s training videos. The Exchange Server 2007 training videos are taught by Microsoft MVP and MCSE, David Shackelford, who teaches with a “Hands-on” approach.
Daniel Petri
You can see the Exchange Server 2007 training with video instruction here.
For example, if you have an AD domain called PETRI.LOCAL and you’ve installed Exchange 2007 on it, each recipient you have will automatically have an e-mail address of ALIAS@PETRI.LOCAL, and the Exchange organization will treat the PETRI.LOCAL SMTP domain name as an internal domain. To follow on the example, let’s say that one day you’ve decided that you’d like to have an Internet presence, so you bought PETRI.CO.IL and you’d like to begin using it on your Exchange server. Luckily, you don’t need to rename your AD domain for that, but you DO need to configure Exchange to receive e-mail for the new domain, along with any traffic you might have had for the old domain name.
This example can also be extended to instances where a company has had its Internet domain name changed, or when one Exchange server is used to host mailboxes for more than one company.
In Exchange 2007, in order to allow your Exchange servers to treat any other SMTP domain as internal, you need to configure an Accepted Domain entry for that SMTP domain name.
What are Accepted Domains
An accepted domain is any SMTP domain name for which the Exchange organization sends or receives e-mail. Accepted domains include those domains for which the Exchange organization is authoritative. An Exchange organization is authoritative when it handles mail delivery for recipients in the accepted domain. BTW, accepted domains also include domains for which the Exchange organization receives mail and then relays to an e-mail server that is outside the Active Directory forest for delivery to the recipient.
You must configure an accepted domain before that SMTP namespace can be used in an e-mail address policy. The accepted domain is automatically populated to the e-mail address policy editor. Each domain or sub-domain that you want to use as part of an e-mail address policy must have an explicit accepted domain entry. To read more about E-mail address policies please look at my “Configure Specific E-Mail Addresses for Specific Exchange 2007 Recipients” article.
Types of Accepted Domains
There are three types of accepted domains: authoritative, internal relay, and external relay.
- Authoritative Domains – As noted in the example above, an organization might have more than one SMTP domain. These are the authoritative domains. In Exchange 2007, an accepted domain is considered authoritative when the Exchange organization hosts mailboxes for recipients in this SMTP domain. Meaning, Exchange 2007 will treat any incoming mail destined for a recipient on an authoritative domain as internal, and will “expect” to find a recipient with that SMTP address. If no such recipient exists, Exchange will return an NDR. By default, when the first Hub Transport server role is installed, one accepted domain is configured as authoritative for the Exchange organization. The default accepted domain is the fully qualified domain name (FQDN) for your forest root domain. The Edge Transport servers should always accept e-mail that is addressed to any of the organization’s authoritative domains, and by default, no accepted domains are configured on the Edge Transport server role.
When dealing with e-mail destined for external SMTP domain names, we must configure the Exchange servers to “know” that they should accept incoming e-mail for these external domains, and perform a relay action on them. Needless to say, if we allow relaying of ALL external SMTP domains, spammers will soon find this out and begin using our servers as open relays, spamming the world through our servers. We can prevent this open relay by rejecting all e-mail that is not addressed to a recipient in the organization’s authoritative domains. However, there are scenarios where an organization wants to let partners or subsidiaries relay e-mail through the Exchange servers. You can allow this by configuring accepted domains as relay domains. The Exchange organization receives the e-mail and then relays the messages to another e-mail server.
There are 2 options for configuring external domains: Either as an internal relay domain or as an external relay domain.
- Internal Relay Domain – When configuring an internal relay domain, the recipients in this domain do not have mailboxes in this Exchange organization but do have contacts in the global address list (GAL). Mail from the Internet is relayed for this domain through Hub Transport servers in this Exchange organization. In this scenario, the MX resource record for the external relay domain references a public IP address the Exchange 2007 organization that is relaying messages. The Edge Transport server receives the messages for recipients in the external relay domain and then looks for contacts in the GAL for those recipients. If it finds such a recipient, it will route the message to the e-mail system for the internal relay domain. The connector configuration of your organization determines how messages are routed. To read more about that please read my “Configure MX Records for Incoming SMTP E-Mail Traffic” article.
- External Relay Domain – When you configure an external relay domain, messages are relayed to an e-mail server that is outside the Exchange organization and outside the organization’s network perimeter. The messages are relayed by the Edge Transport server. In this scenario, the MX resource record for the external relay domain references a public IP address the Exchange 2007 organization that is relaying messages. The Edge Transport server receives the messages for recipients in the external relay domain and then routes the messages to the e-mail system for the external relay domain. A Send connector from the Edge Transport server to the external relay domain is required in this scenario.
Working with Sub-domains
When you create an accepted domain, you can use a wildcard character in the address space to indicate that all sub-domains of the SMTP address space are also accepted by the Exchange organization. For example, to configure PETRI.CO.IL and all its sub-domains as accepted domains, you will need to enter *.PETRI.CO.IL as the SMTP address space.
Where to configure Accepted Domains
Accepted domains are configured on the Organization level, on Exchange servers that have the Hub Transport server role installed, or on servers that have the Edge Transport server role installed on them. When working with Edge servers, the best approach towards Accepted Domains would be to configure them only on the Hub Transport server role, and then populate that data on the Edge Transport server by using the Edge Subscription process. When the Edge Subscription process runs, the accepted domain configuration information is replicated to the subscribed Edge Transport server.
Note: To configure Accepted Domains you use must be delegated the with an Exchange Organization Administrator role. To perform the task on servers that have the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
Creating Accepted Domains
As always, you can do this in one of two ways:
Using Exchange Management Console (EMC):
- 1. Open the Exchange Management Console. Perform one of the following steps:
- On an Edge Transport server: Select Edge Transport, and then in the work pane, click the Accepted Domains tab.
- On a Hub Transport server: Expand Organization Configuration, select Hub Transport, and then in the work pane, click the Accepted Domains tab.
- On an Edge Transport server: Select Edge Transport, and then in the work pane, click the Accepted Domains tab.
- In the action pane, click New Accepted Domain. The New Accepted Domain wizard appears.
- On the New Accepted Domain page, enter the name of the new accepted domain. Use this field to identify the accepted domain in the user interface. You can type any name that you want, but you should select a meaningful name that helps you easily identify the purpose of this accepted domain.
- Next, enter the Accepted Domain itself. Use this field to identify the SMTP domain name for which the Exchange organization will accept e-mail messages. You can use a wildcard character to accept messages for a domain and all its sub-domains.
- Next, select one of the following options to set the accepted domain type:
- Authoritative Domain, Internal Relay Domain, or External Relay Domain.
- Click New then on the Completion page, click Finish.
Using Exchange Management Shell (PowerShell prompt):
Open the Exchange Management Shell prompt, then type:
New-AcceptedDomain -Name "Petri.co.il" -DomainName petri.co.il -DomainType Authoritative
To create an internal relay domain type:
New-AcceptedDomain -Name "Dpetri.net" -DomainName dpetri.net -DomainType InternalRelay
To create an external relay domain type:
New-AcceptedDomain -Name "Message-Pro.com" -DomainName message-pro.com -DomainType ExternalRelay
Changing the Default Accepted Domain
You cannot modify the default accepted domain. To change which accepted domain is the default accepted domain, you must create a new accepted domain, and then set the new accepted domain as the default by using the Exchange Management Shell.
If you try to remove the default accepted domain from the list without configuring a different default accepted domain you will get an error:
In order to find out which of the accepted domains is the default one, you MUST use the Management Shell (PowerShell prompt) and run the following command:
Get-AcceptedDomain
For example, in case you would like to totally remove the PETRI.LOCAL domain from the list of accepted domains, you will first need to create the PETRI.CO.IL accepted domain (see above example), then run the following command in the PowerShell prompt:
Set-AcceptedDomain -Identity petri.co.il -MakeDefault:$true
Deleting an Accepted Domain
Next, if you want to, you need to delete the old accepted domain from the list of accepted domains:
Using Exchange Management Console (EMC):
- Open the Exchange Management Console. Perform one of the following steps:
- On an Edge Transport server: Select Edge Transport, and then in the work pane, click the Accepted Domains tab.
- On a Hub Transport server: Expand Organization Configuration, select Hub Transport, and then in the work pane, click the Accepted Domains tab.
- Click on the accepted domain you wish to remove. In the action pane, click Remove.
- Click Yes on the prompt.
Using Exchange Management Shell (PowerShell prompt):
Open the Exchange Management Shell prompt, then type:
Remove-AcceptedDomain –Identity petri.local
Summary
Accepted Domains are Exchange 2007’s implementation of Recipient Policies meaning they allow the Exchange organization to “know” which SMTP domains should be accepted by the Exchange servers (either the Edge Transport role holders, or the Hub role holders), and what they should do with them after receiving them. We need to create additional accepted domains in order to allow usage of additional SMTP domain names that we own and want to use in addition the the defauld accepted domain.
Related Articles
Exchange 2007 Install
Instalación básica de Exchange 2007.
Exchange 2007 es la nueva versión del servidor de correo de Microsoft, aunque en realidad Exchange es mucho mas que un servidor de correo.
* El servidor tiene que tener el IIS funcionando pero no el SMTP ni el NNTP.
Bien, ya tenemos Exchange instalado, el siguiente paso será crear el primer buzón de correo.
El paso siguiente sera indicarle a Exchange que acepte correo del domino publico que tengamos.
Por defecto Exchange 2007 aceptaría correo del dominio DNS del AD a través de un servidor de Exchange con el rol de Edge.
En esta instalación no tendremos un servidor Edge y nuestro domino interno no es igual que el externo, asi que hay que realizar algunos cambios.
Añadimos el dominio:
Nos conectamos por telnet y lo probamos:
Ops, no nos deja, el servidor que estamos usando no es un Edge, nos estamos conectando al SMTP del rol de Hub Transport, este rol esta preparado para que otros servidores de nuestra organización se conecten para enviar correo, por lo tanto exige que estos servidores se validen.
Tendremos que modificar el conector de recepción de correo para que acepte validación anonima.
Para hacer esto correremos otro script de powershell.
set-ReceiveConnector -identity "Default w2k3srv" -PermissionGroups AnonymousUsers
Y probamos de nuevo
Y con el domino externo también
add a default route
To add a default route with the default gateway address of 192.168.12.1, type:
route add 0.0.0.0 mask 0.0.0.0 192.168.12.1
Redirect New Users and Computers to an OU
When you create a new user or computer account in Active Directory the accounts are created in the CN=Users and CN=Computers containers by default. Although these accounts will inherit GPO’s linked to the domain, it is not possible to apply Group Policy directly to these containers.
There are two tools included with Windows Server 2003, Redirusr.exe and Redircmp.exe, with which you can change this behavior and cause new user and computer accounts to be created in a specific OU. Redircmp.exe and Redirusr.exe modify the wellKnown attribute on the PDC Emulator to accomplish this. These two tools are located in %windir%\system32. Before you try this you must ensure the following:
* Your domain must be running at the 2003 Domain Functional level (All DC’s must be 2003 Server)
* You need Domain or Enterprise admin privlidges
* Your PDC must be online and responding to requests
* The OUs must be created before you run these tools
To redirect any new user accounts to a specific OU run the following command:
c:\%windir%\system32\redirusr.exe containerDN
For example to redirect new user accounts to an OU called NewUserAccounts run the following command:
c:\%windir%\system32\redirusr.exe OU=NewUserAccounts,DN=thelazyadmin,DC=com
It is just as easy to redirect new computer accounts to a specific OU with this command:
c:\%windir%\system32\redircmp.exe containerDN
For example to redirect a new computer account to an OU called NewComputerAccounts run the follwing command:
c:\%windir%\system32\redircmp.exe OU=NewComputerAccounts,DC=thelazyadmin,DC=com
Automatically redirect new users and computers to a lockdown OU
Shijaz Abdulla, MVP
www.shijaz.com/windows
This article explains how to change the default container for newly created users and computer accounts in Active Directory. This is offers increased security. All machines that are joined to the domain will automatically have a computer account created in the Active Directory in the Computers OU by default. This article explains how this default container can be changed for both users and computers. You can then apply a highly restrictive policy on the lockdown OU. If the joined computer is legitimate, then you can move the computer account to the Computers OU or any other OU as per your organizational norms.
Prerequisites
* Domain functional level should be at least Windows Server 2003
* Logged on user must have domain admin privileges
Step 1. Create an OU Apply a highly restrictive GPO
1. Create an OU named Lockdown
2. Create a GPO and make it strongly, highly restrictive. (Paralyze the users & computers if you’d like!). Apply this GPO to the Lockdown OU.
(Discussing how to create and edit GPOs is out of the scope of this article)
Step 2. Redirecting new user accounts to an OU named “Lockdown”
1. Open Command Prompt.
2. Type the following command:
c:\windows\system32>
redircmp ou=mycomputers,DC=company,dc=com
Step 3. Redirecting new user accounts to an OU named “Lockdown”
1. Open Command Prompt.
2. Type the following command:
C:\windows\system32> redirusr ou=lockdown,DC=company,dc=com
Step 4. Test whether redirection works
1. Open Command Prompt.
2. Type the following commands:
net computer \\compname /add
net user username password /add
3. Open Active Directory Users & Computers. You will find that user account and the computer account you just created are redirected to the Lockdown OU.
mount nfs share windows 2008
mount -o 172.16.2.24:/nas X: