Guest Authors

Recovering Deleted AD Objects in Server 2008 R2

In a previous entry, guest blogger Sean Kearney shared a new feature in Windows Server 2008 R2 directory services called the Active Directory Recycle Bin.  Sean is back to show us how to recover those deleted objects.

-------------------------

So you’ve done it.  We all have.  You deleted a user, group, or OU by accident, but thankfully you have 2008 R2 in place and the AD Recycle Bin enabled.  Recovering it now is a breeze!  Start by launching PowerShell V2 on Server 2008 R2 and run the following command:

Get-ADObject -Filter {name -like "missingitem*"} -IncludeDeletedObjects | Restore-ADObject

That’s it.  Nothing harder than that. Was that so hard?  The great thing is that as long as it’s an object in Active Directory, it’s protected by this new feature for 180 days.  Also, this doesn’t just restore the object.  It restores the object, its security, its trusts!
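Because the one-liner pipes every deleted object whose name matches the wildcard straight into Restore-ADObject, it helps to see the matches before anything is restored. The following is an added example, not part of the original post; the function name Restore-DeletedADObjectSafely is hypothetical, and it relies only on Get-ADObject and Restore-ADObject from the ActiveDirectory module.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module
# (Windows Server 2008 R2) and the AD Recycle Bin already enabled.
Import-Module ActiveDirectory

# Hypothetical helper name; wraps the article's one-liner with a preview step.
function Restore-DeletedADObjectSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$NamePattern          # e.g. 'missingitem*', as in the article
    )

    # isDeleted keeps live objects that match the same pattern out of the
    # pipeline; $NamePattern is resolved by the AD filter parser itself.
    $deleted = @(Get-ADObject -Filter { isDeleted -eq $true -and name -like $NamePattern } `
        -IncludeDeletedObjects `
        -Properties lastKnownParent, whenChanged, 'msDS-LastKnownRDN')

    if ($deleted.Count -eq 0) {
        Write-Warning "No deleted objects match '$NamePattern'."
        return
    }

    # Restore shallower objects first so that a deleted OU comes back before
    # the objects that lived under it (comma count approximates DN depth).
    $ordered = $deleted | Sort-Object { ($_.lastKnownParent -split ',').Count }

    foreach ($obj in $ordered) {
        $what = '{0} ({1}), last changed {2}' -f `
            $obj.'msDS-LastKnownRDN', $obj.ObjectClass, $obj.whenChanged
        $action = "Restore under $($obj.lastKnownParent)"

        # With -WhatIf this only reports what would be restored.
        if ($PSCmdlet.ShouldProcess($what, $action)) {
            Restore-ADObject -Identity $obj.ObjectGUID -Confirm:$false
        }
    }
}

# Preview first, then repeat without -WhatIf once the list is what you expect.
Restore-DeletedADObjectSafely -NamePattern 'missingitem*' -WhatIf
```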

If you’d like to learn more about the Active Directory Recycle Bin, check out these great resources on Technet.com:

Active Directory Recycle Bin - Instructional Video on Technet Edge

Written by rodney.buike on February 24th, 2009 with no comments.
Read more articles on Directory Services and sean.kearney and otherSoftware and PowerShell and Guest Authors and windows server.

Guest Post By Chris Sanders: WSUS FAQ

Regular TLA reader Chris Sanders has contributed the following list of frequently asked questions about WSUS.

Windows Server Update Services Q&A

I have deployed several WSUS servers in networks of all sizes. This Microsoft technology is one that I believe is a necessity for any network that includes Microsoft servers or clients. Unfortunately, I still see a lot of network admins who don’t deploy it just because they have misconceptions about it. The purpose of this Q&A is to address some of the most common answers I get from those who are looking to deploy WSUS.

Q: What is WSUS?

A: Windows Server Update Services, known as WSUS, is a technology that runs on Windows Server 2003/2008 and allows network administrators to distribute and manage updates to Microsoft products.

Q: How much does it cost?

A: WSUS is provided FREE of charge. However, it does require a server operating system to run, so you must have a valid license for that operating system, as well as Client Access Licenses (CALs) for each computer being updated by the WSUS server.

Q: What products will it update?

A: WSUS will manage updates for virtually every Microsoft product. This includes the Windows Server 2000, 2003, 2008, and Small Business Server operating systems. Client operating systems that can be managed include Windows 2000, XP, and Vista. Also included are Exchange 2000, 2003, and 2007, Forefront Security, Internet Security and Acceleration Server (ISA), SQL Server 2000 and 2005, Systems Management Server (SMS), and Microsoft Office 2003 and 2007. For a complete listing, check the official WSUS website at http://technet.microsoft.com/en-us/wsus/default.aspx.

Q: What are the server prerequisites for WSUS?

A: WSUS must run on Windows Server 2003 SP1 or Windows Server 2008. The other components that are required include Internet Information Services (IIS) 6.0, .NET Framework 2.0, MMC 3.0, and Microsoft Report Viewer 2005.

Q: Do I have to have a dedicated server for WSUS?

A: Although isolation of services is always recommended, this isn’t a requirement. As a matter of fact, in smaller networks most people piggyback WSUS off of an existing file server or backup domain controller. WSUS is pretty flexible so you can typically place it where you see fit. It is also not uncommon to see WSUS running within a virtual machine.

Q: How much disk space does WSUS require?

A: If you are storing the downloaded updates locally on the server, then you will need at least 6 GB of free space. Depending on the products you will be updating you may need as much as 30 GB of space.

Q: My network spans multiple locations. How can I effectively use WSUS?

A: WSUS was designed with this in mind. It provides the ability to utilize upstream and downstream servers in order to fit most any network topology. Using this model, you can configure multiple downstream servers to synchronize with a locally housed upstream server. This removes administrative burden and conserves bandwidth.

Q: Can I use WSUS on a network that is disconnected from the Internet?

A: Yes. You can export the updates from a WSUS server that is connected to the Internet and import them into an offline WSUS installation. Doing this, you can manage update approvals just as you would with an online WSUS installation.

Q: Where can I get WSUS?

A: WSUS can be downloaded directly from Microsoft. The latest version, WSUS 3.0 SP1, can be downloaded here: http://www.microsoft.com/downloads/details.aspx?FamilyId=F87B4C5E-4161-48AF-9FF8-A96993C688DF&displaylang=en#Requirements.

Q: Where can I get support for WSUS troubleshooting issues?

A: Since WSUS is so widely used, the community support for it is quite large. One of the best WSUS support sites is http://www.wsus.info, which is run by a Microsoft MVP in software deployment. I also write about WSUS quite a bit on my personal blog at http://www.chrissanders.org. You can stay up to date on new release information at the official Microsoft WSUS team blog at http://blogs.technet.com/wsus/.

I’d say about 90% of the WSUS related questions I receive in my inbox can be answered by reading this FAQ. There really is no valid reason why your network shouldn’t be running some form of software update distribution, and unless you are running some type of managed services software or SMS, then WSUS is the best way to do that.

About Chris Sanders:

Chris Sanders is a Senior Support Engineer for KeeFORCE, a technology consulting firm in western Kentucky. Chris writes and speaks on various topics including packet analysis, network security, Microsoft technologies, and general network administration. His personal website at www.chrissanders.org contains a great deal of information, articles, and guides related to these topics.

Written by daniel.nerenberg on April 9th, 2008 with 3 comments.
Read more articles on otherSoftware and Guest Authors and WSUS.

Transitioning from Exchange 2000 to 2007 (Part 3)

Now, after checking all the pre-installation components, if we start the setup we will get some error messages such as this one:

Setup encountered a problem while validating the state of Active Directory: Domain Controller Operating System version is 5.0 (2195) Service Pack 4. The minimum version required is 5.2 (3790) Service Pack 1.

This is actually a common issue. Setup checks that all the DCs, as well as the GCs, are running Windows Server 2003 SP1, so we have to point Setup to a specific 2003 DC. This issue will be fixed in Exchange 2007 SP1.  So, I am going to run Setup in unattended mode, starting by preparing the forest with the switches mentioned previously, but specifying the /dc: parameter to point to the Windows 2003 DC.  The first thing we need to do when deploying Exchange 2007 into a legacy Exchange organization is to run:

Setup.com /PrepareLegacyExchangePermissions

After that we have to prepare the schema, which can be done by running the following command:

Setup.com /PrepareSchema /dc:NameofWindows2003DC

Prepare AD by typing the command:

Setup.com /PrepareAD /dc:NameofWindows2003DC

Note: you can run the Setup.com /PrepareAD command before running /PrepareLegacyExchangePermissions and /PrepareSchema; doing so runs the /PrepareLegacyExchangePermissions and /PrepareSchema commands automatically.
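To find which domain controllers Setup will accept as a /dc: target, the version check behind the error above can be reproduced against the operatingSystemVersion and operatingSystemServicePack attributes of each DC's computer object. This is an added example, not part of the original article; the function name Test-DcMeetsMinimum is hypothetical, and the search covers only the current domain.

```powershell
# Added example, not from the original article. Minimum taken from the Setup
# error message: 5.2 (3790) Service Pack 1.
$MinVersion     = New-Object System.Version -ArgumentList 5, 2, 3790
$MinServicePack = 1

# Hypothetical helper: compares the two attribute strings against the minimum.
function Test-DcMeetsMinimum {
    param([string]$OsVersion, [string]$ServicePack)

    # operatingSystemVersion is stored as "major.minor (build)", e.g. "5.2 (3790)"
    if ($OsVersion -match '^(\d+)\.(\d+)\s*\((\d+)\)') {
        $version = New-Object System.Version -ArgumentList `
            ([int]$Matches[1]), ([int]$Matches[2]), ([int]$Matches[3])
    } else {
        return $false            # missing or unparsable: treat as not qualified
    }

    # operatingSystemServicePack is "Service Pack N", or empty when none is installed
    $sp = 0
    if ($ServicePack -match '(\d+)') { $sp = [int]$Matches[1] }

    if ($version -gt $MinVersion) { return $true }
    if ($version -lt $MinVersion) { return $false }
    return ($sp -ge $MinServicePack)
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
# userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) marks domain controllers
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
foreach ($attr in 'dNSHostName', 'operatingSystemVersion', 'operatingSystemServicePack') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$searcher.FindAll() | ForEach-Object {
    $p   = $_.Properties
    $ver = "$($p['operatingsystemversion'])"
    $sp  = "$($p['operatingsystemservicepack'])"
    New-Object PSObject -Property @{
        DomainController = "$($p['dnshostname'])"
        OSVersion        = $ver
        ServicePack      = $sp
        UsableForSetup   = Test-DcMeetsMinimum -OsVersion $ver -ServicePack $sp
    }
} | Sort-Object DomainController |
    Format-Table DomainController, OSVersion, ServicePack, UsableForSetup -AutoSize
```

Any controller listed with UsableForSetup set to True is a candidate for the /dc: parameter.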

Now we can start the setup, but we have to start the setup in an unattended mode as we said, by combining a couple of switches with the setup command, depending on your needs:

setup /m:Install /roles:M,HT,C,MT /dc: /EnableLegacyOutlook /LegacyRoutingServer: /t:"d:\program files\Microsoft\Exchange Server"

This command will install the management tools, Hub Transport role, Client access role and the Mailbox role.

That is it: Exchange 2007 has been installed, and now we have to move the mailboxes to the new Exchange 2007 server and finally decommission the old 2000 server.  For more details, you can follow up with Henrik’s article on moving the mailboxes and decommissioning the old Exchange server.

For More Information:

Transitioning from Exchange 2000 to 2007 (Part 1)

Transitioning from Exchange 2000 to 2007 (Part 2)

Thelazyadmin.com Exchange Category

Written by rodney.buike on October 1st, 2007 with no comments.
Read more articles on Exchange Server and Guest Authors.

Transitioning from Exchange 2000 to 2007 (Part 2)

Before we get started with the installation of Exchange 2007, it is recommended to run the latest version of the Exchange Best Practice Analyzer tool and choose the Exchange 2007 readiness check. In my case, the tool gave me the following report:

So, my Exchange organization is in mixed mode, and it must be changed to native mode.  In general, there are three prerequisites that must be checked before installing Exchange 2007. They are:

  • Active Directory forest:
    • the domain functionality level must be Windows 2000 or Windows Server 2003
    • the domain controller that is the schema master is running Windows Server 2003 SP1 or higher
    • the Global Catalog server is running Windows Server 2003 SP1 or higher

There are some switches that you can run to prepare the environment: preparing the permissions required for Exchange 2007, preparing the schema, preparing Active Directory, and preparing the domain.  Those switches are:

Setup.com /PrepareLegacyExchangePermissions
Setup.com /PrepareSchema
Setup.com /PrepareAD
Setup.com /PrepareDomain or Setup.com /PrepareAllDomains

Note: you can run the 32-bit version of Exchange 2007 from the trial CD to prepare your environment.

  • Exchange organization
    • the Exchange organization must run in native mode
    • because of this, all Exchange servers running Exchange 5.5 or earlier must be removed

In my case I have to change the organization mode. This is done simply by opening Exchange System Manager, right-clicking the Exchange organization, choosing Properties, and then clicking the Change Mode button. You will get a warning message; click Yes. It is as simple as that.

Server requirements:

  • .Net framework 2.0
  • Update KB926776
  • MMC 3.0
  • Windows PowerShell 1.0
  • HotFix for Windows x64 (KB904639)

Also, there are some additional components that you have to install on the server, depending on the role you are planning to implement. Those are:

For the Mailbox server role, you need the following components:

  • Enable network COM+ access
  • Internet Information Services
  • World Wide Web Service

For the Client Access server role, you need the following components:

  • WWW
  • RPC over HTTP proxy
  • ASP.NET 2.0

For the Hub Transport server role, no more components are needed, but be sure that SMTP and NNTP are not installed.  Finally, if you are going to use the Edge Transport role you will need to install ADAM, and again make sure that SMTP and NNTP are not installed.  In the next article we are going to start the setup.

For More Information:

KB Article 904639 - An access violation may occur when you try to run a 64-bit program that uses the interface remoting component of MDAC 2.8 on a computer that is running Windows Server 2003

KB Article 926776 - Microsoft .NET Framework Upgrade

Transitioning from Exchange 2000 to 2007 (Part 1)

Transitioning from Exchange 2000 to 2007 (Part 3) Coming Soon

Written by rodney.buike on September 28th, 2007 with 1 comment.
Read more articles on Exchange Server and Guest Authors.

Using Certificates with Compaq/HP RILOE and ILO Hardware

Here is another great guest post from: Jason Boche, MCSE NT4/2000/2003, MCSA 2000/2003, MCP, VCPx2, CCA, A+

If you have used Compaq/HP brand server hardware, you are most likely familiar with RILOE boards (Remote Insight Lights Out Edition) and ILO boards (Integrated Lights Out). These are hardware devices that provide remote access to Compaq/HP server hardware. A key benefit is their “out of band” management attribute, meaning they operate independent of the server’s native host operating system, network, and CPU. They’ve got their own CPU, memory, and a built in web server which listens on ports 80 and 443 and serves as the configuration and management tool. Another benefit is the encrypted traffic that passes along the wire between RILOE/ILO and the client web browser which is accessing it. By default, this traffic is passed on TCP port 443. If you’ve used the RILOE/ILO before, you are probably used to seeing the following all too familiar screen:

The underlying reason for this is that your client knows nothing about the certificate authority from which the certificate for the RILOE/ILO was generated, other than it is not trusted. This is no cause for alarm as long as you trust the Hewlett Packard company from Houston, TX; however, failure to address this will cost you an extra mouse click each and every time you access this or any other RILOE/ILO on your network. Considerably more harmful is the numbing effect this screen will cause for each administrator who is presented with it. The danger here is that the administrator develops an acquired immunity to the warning, which the administrator has learned he or she can immediately bypass by clicking the middle link “Continue to this website (not recommended)”. At a later time, when a similar warning is presented for legitimate reasons, the administrator’s click-happy impulse may kick in, inviting internet treachery to the environment.

RILOE and ILO boards support certificate requests, which allow us to import trusted certificates into the RILOE/ILO’s built-in web server. If you own and/or operate a Microsoft Certificate Authority (CA), this is one solution that you can follow. An Enterprise CA is the most ideal since all clients who are members of the domain the CA resides in will automatically trust certificates issued by that CA.

In the following demonstration, I will show you step by step how to use the RILOE/ILO to request a certificate from an internal Microsoft Enterprise CA, retrieve the certificate, and then import the certificate into the RILOE/ILO. I will use a CA from my home lab for this demonstration. The domain is boche.mcse and the Microsoft Enterprise CA is named boche.mcseca. The screens are from a RILOE but I assure you the screens from an ILO are nearly identical.

The first step to this process would be to make sure you have the fundamental components in place to make it work.

Enterprise CA? Check.

My Enterprise CA is among those in the Trusted Root Certification Authorities list? Check.

http://<servername>/certsrv/ integrated web page? Check.

Of course we need a RILOE or ILO. Check. (Note that since I do not have a trusted certificate installed, or if the host name in the issued certificate is different than the encrypted URL being accessed, we see a Certificate Error in Internet Explorer 7 along with the red background. This is meant to raise red flags.)

With that, let’s dig in. Don’t worry, it’s not difficult. One thing I’d like to point out with certificates is that you should try to use fully qualified domain names (FQDN) as much as possible. It’s not absolutely required in all cases (think local intranets) but it should be followed as a best practice because anything done over the internet will need to use FQDNs.

Step 1: Access the Certificate Administration menu in the RILOE/ILO.

Step 2: Use the RILOE/ILO to generate a certificate request for its built-in web server. Note this will be a base64 encoded request.

Step 3: The base64 encoded certificate request is generated. Select all text in the window using CTRL + A, then copy using CTRL + C. The base64 encoded certificate request is now on your clipboard. It is important to leave this web browser window as is. Do not close it or surf to a different web page until this process is complete. If you do, you’ll have to start over at Step 2.

Step 4: Using a new browser window, surf to the certsrv URL of your Enterprise CA, http://<yourservername>/certsrv/, and choose Request a certificate.

Step 5: Choose advanced certificate request.

Step 6: Choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Step 7: In the Saved Request box, paste the contents of your clipboard which should be the base64 encoded certificate request which the RILOE/ILO made. For the Certificate Template, choose Web Server. Then choose Submit.

Step 8: Choose Base 64 encoded and click Download certificate.

Step 9: Choose Save

Saving to your desktop is fine:

Step 10: Go back to your RILOE/ILO certificate request window and click the Next Step button.

Step 11: You are presented with an empty box in which you need to paste the newly issued certificate:

Step 12: Find the saved certificate on your desktop and open it with notepad.exe.

Step 13: What you’re looking at is the base64 encoded certificate. Once again, select all by using CTRL + A and copy by using CTRL + C.

Step 14: Paste the contents of your clipboard (which should be the base64 encoded certificate) into the X.509 Certificate Data window, then click the Import Certificate button.

Step 15: If all went as planned, you should see a successful screen with the request to reboot the RILOE/ILO. Go ahead with the reboot. This will take about 15-30 seconds.

Note that if a step was missed or goofed along the way, you’ll need to start over from step 2. Note that you will also want to “REVOKE” the certificate you requested in your failed process. This can easily be done using the CA console.

Step 16: While RILOE/ILO is rebooting, let’s take a look at the Certificate Authority console on the Enterprise CA and identify the newly issued certificate along with some of its attributes:

Step 16: With the RILOE/ILO rebooted, we should now be able to access the device using a trusted certificate with no warnings or alarms. Notice that when I access the website, I have a padlock now instead of a warning with red background. This padlock ensures the SSL encryption along with a certificate which was issued by a trusted Certificate Authority (CA). Notice the additional information that is displayed when clicking on the padlock.

Going back to the Certificate Administration applet in the RILOE/ILO, I see some details on the imported certificate.

16 steps sounds like a lot but try to remember these are baby steps. With the proper infrastructure in place and basic familiarity, you could really summarize this whole process down to just four steps.

1. Generate a certificate request.

2. Send the certificate request to a CA and receive a certificate.

3. Import the certificate into Remote Insight Lights-Out Edition II.

4. Restart Remote Insight Lights-Out Edition II.
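After the restart, the result can be checked from the administrator's workstation without a browser by looking at the two conditions that produced the original warning: an untrusted issuer and a host name that does not match the certificate. This is an added example, not part of the original post; the function name Test-IloCertificate and the host name in the usage line are hypothetical placeholders.

```powershell
# Added example, not from the original post. Connects to the RILOE/ILO web
# server, records what Windows certificate validation reports, and returns
# the certificate details.
function Test-IloCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # use the FQDN you browse to
        [int]$Port = 443
    )

    $script:iloPolicyErrors = $null

    # The callback stores the validation result and returns $true so that the
    # handshake completes and the certificate can be inspected even when it
    # is not trusted. No data is sent over this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $sslPolicyErrors)
        $script:iloPolicyErrors = $sslPolicyErrors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList `
            $tcp.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        $tcp.Close()
    }

    $errors       = [int]$script:iloPolicyErrors
    $nameMismatch = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainErrors  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

    New-Object PSObject -Property @{
        Host         = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        # False when the name in the certificate differs from the name used to connect
        NameMatches  = (($errors -band $nameMismatch) -eq 0)
        # False when the issuing CA is not trusted by this workstation
        ChainTrusted = (($errors -band $chainErrors) -eq 0)
        PolicyErrors = $script:iloPolicyErrors
    }
}

# Hypothetical host name; replace it with the FQDN of your own RILOE/ILO.
Test-IloCertificate -HostName 'ilo-server01.example.local' |
    Format-List Host, Subject, Issuer, NotAfter, NameMatches, ChainTrusted, PolicyErrors
```

Run it once before the import and once after the reboot: the Issuer should change to your Enterprise CA, and both NameMatches and ChainTrusted should read True.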

Written by daniel.nerenberg on June 11th, 2007 with 1 comment.
Read more articles on Guest Authors.

Guest Post: Script to install and manage virtual CD / DVD drives

This great article comes from Michael Khanin (MCP, MCP+I, CNA, CNE, MCSE), who also blogs at http://TheSystemAdministrator.com

Recently I needed to install a virtual CD/DVD drive on many computers on the same network, and the virtual CD/DVD had to be assigned a specific drive letter. There are a lot of programs that emulate a CD/DVD drive and can mount CD/DVD images, but I wanted all the installation and configuration to run remotely (laziness on my part, not wanting to run from computer to computer), so the program had to install in silent mode. After a quick search I chose MagicDisc.

I’ve selected this program for several reasons:

1. The program is free of charge (not all options work in the free version, but what I need works).

2. There is an option to run setup in silent mode.

3. It is possible to operate all necessary functions from a command line.

For a more satisfying management experience from the command line, one more file, Miso.exe, is required.

The given file can be found on the MagicDisc site.

For the installation I have written a script, INSTALL-V-CD.bat.

INSTALL-V-CD.bat is very simple and contains just one line:

setup_magicdisc.exe /S

To start the script on a remote system I used psexec.exe which can be downloaded here.

After the installation of MagicDisc, it was necessary to copy miso.exe to the remote computer. It is important to note that miso.exe should be located in a directory which is registered in the system PATH.

Now the most interesting part. We create a virtual CD and assign to it the letter we want. For this purpose I have written one more script, MOUNT-ISO.bat. MOUNT-ISO.bat contains:

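@ECHO off
REM Set the number of virtual drives to 0, then to 1
miso NULL -sdrv 0
miso NULL -sdrv 1
REM Take the fourth token from the drive-list line for drive [1]; it is used below as the diskpart volume
For /F "tokens=4 delims=(,) " %%a in ('miso NULL -vlist^|find "[1]"') do Set VCD=%%a
REM Build a temporary diskpart script that assigns the letter S, run it, then delete it
@ECHO select volume %VCD% > "%TEMP%\ChangeCDDrive.txt"
@ECHO assign letter=S >> "%TEMP%\ChangeCDDrive.txt"
@ECHO exit >> "%TEMP%\ChangeCDDrive.txt"
Diskpart /S "%TEMP%\ChangeCDDrive.txt"
Del "%TEMP%\ChangeCDDrive.txt" /Q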

In my case, I assigned the virtual CD the letter “S”.

To mount an ISO file, execute the following command:

miso NULL -mnt S: "ISO-IMG.ISO"

The End! :)

Written by daniel.nerenberg on June 5th, 2007 with 1 comment.
Read more articles on Guest Authors.
