Tuesday 18 November 2008

Want to really remotely manage Windows 2008, Server Core?

Following my last post, I wanted to track down when the Administrator password for my domain was changed. Realising that Windows 2008, Server Core would not have a GUI for the Event Log, I assumed the easiest way to access the Security event logs of my Domain Controller would be to use another Windows 2008 server (Standard), open Event Viewer and remotely connect to my Windows 2008, Server Core Domain Controller. However, I was presented with the error message:

"Event Viewer cannot connect to computer DC01. The error reported is: The RPC server is unavailable"

My first thoughts were whether this was related to another Server Core feature or whether my POC network had issues due to being neglected for so long after being moved to a different ESX host. It turns out that the Windows Firewall in Windows 2008 Server Core is not configured to allow remote management. The following commands needed to be run on all my Windows 2008, Server Core Domain Controllers:

Netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes

Netsh advfirewall firewall set rule group="Remote Administration" new enable=yes


Some Links
Using the Netsh Advfirewall Command-Line Tool

Netsh Commands for Windows Firewall with Advanced Security

There are other Firewall Rule Groups available (taken from Technet)

Event Viewer = "Remote Event Log Management"
Services = "Remote Services Management"
Shared Folders = "File and Printer Sharing"
Task Scheduler = "Remote Scheduled Tasks Management"
Reliability and Performance = "Performance Logs and Alerts" and "File and Printer Sharing"
Disk Management = "Remote Volume Management"
Windows Firewall with Advanced Security = "Windows Firewall Remote Management"

To allow only specific MMC snap-ins to connect, at a command prompt, type:

Netsh advfirewall firewall set rule group="%Rule Group%" new enable=yes
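The same idea as a script, added here as an example and not part of the original post: it takes the snap-in to rule-group mapping from the list above, enables only the groups a chosen snap-in needs, scopes them to a management subnet rather than any address, and parses netsh's own output to confirm what is now open. It assumes a host with PowerShell (Server Core 2008 R2 or later; on the original 2008 Core the same netsh lines go in a .cmd file), an elevated prompt, and a placeholder subnet.

```powershell
# Added example (not from the original post): enable only the rule groups a chosen
# MMC snap-in needs, restrict them to a management subnet, then verify the result.
# Assumes Windows 2008-era netsh advfirewall syntax and an elevated prompt.
$MgmtSubnet = '10.0.0.0/24'   # placeholder: the subnet of your admin workstations

# Snap-in -> firewall rule group(s), exactly as listed in the post
$GroupsFor = @{
    'Event Viewer'                            = @('Remote Event Log Management')
    'Services'                                = @('Remote Services Management')
    'Shared Folders'                          = @('File and Printer Sharing')
    'Task Scheduler'                          = @('Remote Scheduled Tasks Management')
    'Reliability and Performance'             = @('Performance Logs and Alerts', 'File and Printer Sharing')
    'Disk Management'                         = @('Remote Volume Management')
    'Windows Firewall with Advanced Security' = @('Windows Firewall Remote Management')
}

function Enable-SnapInRuleGroups {
    param([string[]]$SnapIn, [string]$RemoteIp = 'any')
    foreach ($s in $SnapIn) {
        if (-not $GroupsFor.ContainsKey($s)) { Write-Warning "Unknown snap-in '$s'"; continue }
        foreach ($g in $GroupsFor[$s]) {
            # Inbound rules only; 'new' introduces the properties being changed.
            # remoteip limits who may reach the service instead of leaving it open to 'any'.
            & netsh advfirewall firewall set rule group="$g" dir=in new enable=yes remoteip=$RemoteIp | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for rule group '$g'" }
        }
    }
}

function Get-InboundRuleState {
    # Parse 'show rule name=all' into one object per rule (Name, Enabled, Direction, Grouping, RemoteIP)
    $rules = @(); $cur = $null
    foreach ($line in (& netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s+(.+)$') { $cur = @{ Name = $Matches[1].Trim() }; $rules += $cur; continue }
        if ($cur -and $line -match '^(\w+):\s+(.*)$') { $cur[$Matches[1]] = $Matches[2].Trim() }
    }
    $rules | Where-Object { $_.Direction -eq 'In' } | ForEach-Object { New-Object PSObject -Property $_ }
}

# Usage: open just Event Viewer access from the management subnet, then check what is enabled
Enable-SnapInRuleGroups -SnapIn 'Event Viewer' -RemoteIp $MgmtSubnet
Get-InboundRuleState | Where-Object { $_.Grouping -eq 'Remote Event Log Management' } |
    Format-Table Name, Enabled, RemoteIP -AutoSize
```

Rules left disabled, or scoped to the wrong subnet, show up directly in the final table, so the same script doubles as a quick audit of which management groups a DC currently exposes.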

Q: How secure is your Windows 2008 Active Directory?

A: Only as secure as the physical access to any one of your Domain Controllers. If I have physical access to any of your Domain Controllers I will have administrative access to your domain within 10 minutes.

After several weeks of being away from my Hosted Exchange project (it got extended again!) I was back to work on it this week. Whilst I was away I was asked if the Development team could move my Proof of Concept environment to a different ESX host. Of course I had no issue with this as it was not being used whilst I was away. When I attempted to log on today I found that the administrative password I had set was no longer working. I always set the same password for all my development passwords (there is no real requirement for them to be secure) so I know I had not just forgotten it. The team that moved my VMs had no knowledge of the change of password. With it being a POC environment, I had no reason to create other administrative users in the Domain either.

I now have a scenario where I have a dozen servers configured with HMC4.5 and Exchange 2007 that I cannot access. It would take a week or so to reproduce this environment again, so I set about trying to hack the Domain Administrator password. ERD Commander and LockSmith allow you to reset the password on most new Windows Operating Systems. I have in the past tried this on a Windows 2003 Domain Controller to see what would happen and it did allow me to change the Domain's Administrator Active Directory password! As my first port of call I tried this boot disk and tool to see if it would work with a Windows 2008, Server Core Domain Controller. And guess what? It does! This has saved me a lot of work.

I guess this is not really new news, but it is relevant that it also works with Windows 2008 Domain Controllers. So - better make sure that Server Room door is always locked - eh?

Wednesday 12 November 2008

Orphaned Exchange Store recovery

Guest blog entry by Rick Eveleigh (rick_eveleigh at hotmail dot com)

Got an intact Exchange Store but the Active Directory has gone? Save yourself thousands by following this procedure. No need for EDB recovery tools, Quest, OnTrack PowerControls, etc.

Note: this is not a mail migration method: there are better textbook ways of doing that.
Note: this process is not warranted but comments are welcome.


This is Exchange 2003 but may well work on 2000 or 2007. The instructions cover all steps but are not fully detailed as they assume you know the basics of Exchange administration.

Install Exchange 2003 into any domain but with:
1. same server name as the orphaned store
2. same Org name as the orphaned store
3. same Admin Group name as the orphaned store
(You might only find out what the last two should be if installed wrong: the correct ones are in the Application Event Log when the stores fail to mount. In this case you will have to uninstall Exchange and reinstall with the correct Org & Admin Group names)

Make empty Stores in the Exchange System Manager (ESM)
Move to desired location
Mark as 'can be overwritten by a restore'
Dismount

In Windows Explorer, rename the new store names as .bak
Copy the recovered stores into the newly created file location
Rename the recovered stores to match newly created stores
Cross fingers and mount in ESM.

If it doesn’t mount you might have the wrong names as above.

Once mounted:
Expand the store
Right click Mailboxes
Choose Run Cleanup Agent. All will be marked as disconnected.

In Tools, choose Mailbox Recovery Center
Right click Mailbox Recovery Center and click Add Store
Type the first word of the relevant Store (e.g. Staff) and click Check Names
Store should be resolved, click OK
If there are a lot of mailboxes the 'resolve with AD' will take a minute or two
All the mailboxes will be listed
Click Mailbox to sort by Mailbox name (very important!)
Hit CTRL+A to select all Mailboxes
Right click (might be a delay if there are a lot of mailboxes) and choose Export
In the wizard, click Next, Next
Click Browse and find an OU for the users to be made in e.g. 'Recovered Staff Mailbox accounts' (you might need to make this first in AD Users and Computers)
Click Next
Type a name for the exported file (e.g. d:\temp\staff.ldf), choose Replace existing content and click Next
When the export has been completed click Finish

Run a command prompt
Type ldifde -i -f followed by the name of the exported file (e.g. d:\temp\staff.ldf) and hit enter

It is very likely there will be an error, and all you get is a line number, e.g. 'Add error on line 1481: Already exists'. If this happens:
Open Active Directory Users and Computers
Browse to the new OU
Open your file (e.g. staff.ldf) in Notepad: for convenience arrange the notepad window alongside the ADUC window
See which account was the last to be created (this is why the list was alpha sorted before export).
Very likely the next account in the ldf file is the problem (might already exist e.g. Administrator, might be a duplicate to the last imported account, might just exist elsewhere in AD, or might be an 'invalid' account e.g. SMTP).
Delete all records from the ldf file up to and including the 'problem' account
Save (don’t close!) the ldf file.
Leave AD Users and Computers and Notepad open and run the ldifde command again.
Repeat until the result of the ldifde command is "The command has completed successfully"
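The trim-and-retry loop above, automated, as an added example that is not part of Rick's post: it runs ldifde, reads the line number out of the 'Add error on line N' message, deletes every record up to and including the one containing that line (the same thing the Notepad step does), logs each skipped dn for later review, and repeats until ldifde reports success. It assumes the error text quoted above, records in the .ldf separated by blank lines, and placeholder paths; ldifde's -k switch would skip 'already exists' errors wholesale, but this mirrors the manual method so each skipped account is recorded.

```powershell
# Added example (not part of the original post): automate the 'trim the .ldf and
# re-run ldifde' loop and keep a log of every dn that was skipped for later checking.
# Assumes ldifde prints 'Add error on line N: ...' and records are blank-line separated.
$Ldf     = 'd:\temp\staff.ldf'          # placeholder: the exported file
$SkipLog = 'd:\temp\staff-skipped.txt'  # placeholder: where skipped dns are written

function Remove-LdfRecordsThrough {
    # Drop everything from the top of the file through the record containing $Line (1-based)
    param([string]$Path, [int]$Line)
    $lines = @(Get-Content $Path)
    $end = [Math]::Min($Line, $lines.Count) - 1
    # If ldifde pointed at the blank separator, step back into the record itself
    while ($end -gt 0 -and $lines[$end].Trim() -eq '') { $end-- }
    # Then extend to the end of that record
    while ($end + 1 -lt $lines.Count -and $lines[$end + 1].Trim() -ne '') { $end++ }
    $skipped = @($lines[0..$end] | Where-Object { $_ -match '^dn:' })
    Add-Content -Path $SkipLog -Value $skipped
    $rest = if ($end + 1 -lt $lines.Count) { $lines[($end + 1)..($lines.Count - 1)] } else { @() }
    # -Encoding Default keeps the ANSI encoding of a plain ldifde export; use Unicode if exported with -u
    Set-Content -Path $Path -Value $rest -Encoding Default
    return $skipped
}

function Import-LdfWithRetry {
    param([string]$Path, [int]$MaxPasses = 500)
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        $out = (& ldifde -i -f $Path 2>&1 | Out-String)
        if ($out -match 'completed successfully') { return $true }
        if ($out -match 'error on line (\d+)') {
            $dns = Remove-LdfRecordsThrough -Path $Path -Line ([int]$Matches[1])
            Write-Host ("Pass {0}: skipped {1}" -f $pass, ($dns -join '; '))
            continue
        }
        Write-Warning "Unrecognised ldifde output:`n$out"
        return $false
    }
    return $false
}

if (Import-LdfWithRetry -Path $Ldf) { Write-Host "Import complete; review skipped entries in $SkipLog" }
```

Work on a copy of the .ldf file, since the script rewrites it in place on every pass.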

In ESM, Mailbox Recovery Center, ensure all the mailboxes are still selected, right click and choose Find Match.
In the wizard, click Next. The Task will progress and the User Name column in the Mailbox list will populate.
Click Finish when the wizard completes.
Click the User Name heading to bring unmatched mailboxes to the top of the list
Press CTRL+A to select all mailboxes, then, holding CTRL, click the unmatched mailboxes (now at the top of the list) to deselect them.
Right click on the selected mailboxes and choose Reconnect
In the Reconnect Wizard click Next, Next.
The mailboxes will be reconnected to the newly created AD accounts
When the wizard completes, click Finish

Right click Mailbox Recovery Center and choose Remove Store
Type the first word of the relevant Store (e.g. Staff) and click Check Names
Store should be resolved, click OK.

If you are doing this on a temporary or test server you can now run exmerge to extract the mail. Otherwise, your Exchange Stores are now recovered.

Repeat for any other stores.

You can contact Rick via rick_eveleigh at hotmail dot com