Author Archives: Geneva Sibanda

About Geneva Sibanda

I assist companies in the areas of network infrastructure design and implementation (from Windows Active Directory security, networking, etc.).

How to view and transfer FSMO roles in Windows Server

Transfer the Schema Master Role

Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

  1. Click Start, and then click Run.
  2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
  3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. Click Add.
  4. Click Active Directory Schema, click Add, click Close, and then click OK.
  5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
  6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
  7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  8. Click Change.
  9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

  1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
      -or-
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
  5. Click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
      -or-
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
  5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.
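
The same view-and-transfer procedure can be scripted, which also leaves a record of who held each role before and after the change. The following is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is available and uses DC02 as a placeholder name for the new role holder.

```powershell
# Added example. Requires the ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

# Assumption: placeholder short name of the DC that should hold the roles.
$TargetDC = 'DC02'

function Get-FsmoRoleHolder {
    # Forest-wide roles are properties of the forest, domain-wide roles of the domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $map = @(
        @('SchemaMaster',         $forest.SchemaMaster),
        @('DomainNamingMaster',   $forest.DomainNamingMaster),
        @('RIDMaster',            $domain.RIDMaster),
        @('PDCEmulator',          $domain.PDCEmulator),
        @('InfrastructureMaster', $domain.InfrastructureMaster)
    )
    foreach ($pair in $map) {
        New-Object PSObject -Property @{ Role = $pair[0]; Holder = $pair[1] }
    }
}

# 1. Record the current holders before changing anything.
$before = @(Get-FsmoRoleHolder)
$before | Format-Table Role, Holder -AutoSize

# 2. Work out which roles are not yet on the target (holders are reported as FQDNs).
$toMove = @($before |
    Where-Object { ($_.Holder -split '\.')[0] -ne $TargetDC } |
    ForEach-Object { $_.Role })

# 3. Transfer them. -WhatIf only reports the change; remove it to perform the transfer.
if ($toMove.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $toMove -WhatIf
} else {
    Write-Output "All five roles are already on $TargetDC."
}

# 4. Confirm the result once the transfer has been run for real.
Get-FsmoRoleHolder | Format-Table Role, Holder -AutoSize
```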

Only one PPTP session is allowed by TMG

Problem:
========

Only one PPTP session is allowed by TMG. If a second user tries to initiate an outbound VPN connection, it fails.

Cause and Analysis:
========

– From the network capture taken on TMG, the client caller ID was changed by the external router device, and thus the connection was discontinued.
– Research found that this issue might be related to the article below: http://blogs.technet.com/b/isablog/archive/2009/01/07/a-pptp-client-might-fail-to-connect-to-a-vpn-server-on-the-internet-through-an-isa-server-2006.aspx
– We changed the external gateway device to a Cisco 857w as a trial, and everything now works fine.

Solution:
========

To solve the issue, we need to contact the router vendor to check whether a firmware update exists that fixes the issue, or even change to a router from another vendor, such as the Cisco 857w.

Client Response:
========

Please close this case because prior to deploying the Cisco 857W router, only one user was allowed to VPN to the Southern Africa VPN server. After the Cisco 857w was deployed, TMG was able to service two simultaneous VPN sessions from the LAN to External.

Thanks again Magwinya Wired Support!

South African SMTP Servers

Here is a list of the most common outgoing servers:

For Telkom ADSL, outgoing server is smtp.dsl.telkomsa.net or smtp.saix.net
For Telkom Analogue Dial Up, use smtp.saix.net or smtp.dsl.telkomsa.net
For 8TA (Eita), the outgoing server is smtp.saix.net
For MWEB ADSL, outgoing server is smtp.mweb.co.za or smtp.mweb.net

For Vodacom 3G, outgoing server is smtp.vodacom.co.za
For MTN 3G, the outgoing server is mail.mtn.co.za
For Cell C the outgoing server is mail.cmobile.co.za

For Iburst, outgoing server is smtp.iburst.co.za
For I.S. ADSL the outgoing server is smtp.isdsl.net
For I.S. 3G the outgoing server is smtp.isgsm.net or smtp.dial-up.net
For goggaconnect outgoing server is smtp.vodacom.co.za

For Neotel, outgoing server is smtp.neomail.co.za
For ABSA, outgoing server is smtp.absamail.co.za or mail.absa.co.za
For @lantic (ADSL,Dialup, ISDN) : smtp.lantic.net

For NetActive (ADSL,Dialup, ISDN) : smtp.netactive.co.za
For Polka (ADSL,Dialup, ISDN) : smtp.polka.co.za
For Web Africa (ADSL,Dialup, ISDN) : smtp.wa.co.za

For Cybersmart : smtpauth2.cybersmart.co.za or smtp.cybersmart.co.za

Installing the Windows Server 2008 R2 Hyper-V server role

Hyper-V requirements

To install and use the Hyper-V role, you must have the following:

  1. An x64 processor. Hyper-V is available in x64-based versions of Windows Server 2008—specifically, the x64-based versions of Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008 Datacenter.
  2. Hardware-assisted virtualization. This feature is available in processors that include a virtualization option, specifically, Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V).
  3. Hardware Data Execution Protection (DEP). Hardware DEP must be available and enabled. Specifically, you must enable the Intel XD bit (execute disable bit) or the AMD NX bit (no execute bit).

To install the Windows Server 2008 R2 Hyper-V server role, complete the following steps:

1. Click Add Roles. If this is the first role being added to the server, you may see a page describing the process for adding roles. Click Next.

2. Check the box for Hyper-V and click Next. Review the Windows Server 2008 R2 Hyper-V overview and then click Next.

3. Choose the NICs to configure as virtual networks for use by guest OSs. Click Next.

4. Review the summary installation. Make a note of which NICs require configuration as virtual networks.

5. When prompted, choose to reboot the server to complete the installation. After the server reboots, log in as Administrator to finish the installation process.

After adding the Windows Server 2008 R2 Hyper-V role, you can create and configure virtual machines.

How To set up the BlackBerry’s email client with Google Apps email

Depending on your requirements and what you want to spend, there are two options available:

1) BIS (BlackBerry Internet Service) – Local application built into the BlackBerry (no costs involved)
2) BES (BlackBerry Enterprise Service) – Special software for BlackBerry (costs involved)

Note: While setup instructions are provided below, Google Apps IMAP access is not officially supported for BlackBerry devices at this time.

First you need to ensure IMAP is enabled on your Google Apps account by performing the following steps:

To enable IMAP in Google Apps
1. Sign in to Gmail.
2. Click Settings at the top of any Gmail page.
3. Click Forwarding and POP/IMAP.
4. Select Enable IMAP.
5. Click Save Changes

To set up the BlackBerry’s email client with Google Apps email (IMAP), just follow these steps:

1. On your BlackBerry device, navigate to your home screen
2. Select the icon that lets you set up email (this can be called Setup, Setup Wizard, Email Setup, BlackBerry Set-up, E-mail settings, or Personal Email Set-up)
3. Follow the setup instructions provided on your device to create a new e-mail account
4. Be sure to enter the following:
   • Mail Server: imap.gmail.com
   • Username: [your full Google Apps email address]
   • Password: [your Google Apps password]
   • IMAP Port: 993
5. Allow the system to add your account, but do not enter your Google Apps password into the utility boxes (this causes the system to default to POP3 instead of IMAP)
6. Select Next
7. Select Next again (bypassing the ‘Additional Information Required’ section)
8. Select your account type, then select Next

You may encounter a ‘We were unable to configure…’ error. Select I will provide the settings to continue

9. Select the option that mentions ‘IMAP/POP’
10. Select I will provide the settings…, then select Next
11. Select Set up existing email account…
12. Enter your Google Apps account information here, with ‘imap.gmail.com’ as your mail server
13. Select Next
14. Select Save

If setup is successful, you should receive a confirmation message and a new mailbox icon should appear on your device’s home screen, labelled with your Google Apps email address.

If you encounter a problem during setup, please make sure you have enabled IMAP in your main Google Apps Mail settings.

Let us know if this helps and if we can assist you further.

Google Public DNS IP addresses

The Google Public DNS IP addresses are as follows:

8.8.8.8
8.8.4.4

You can use either number as your primary or secondary DNS server. You can specify both numbers, but do not specify one number as both primary and secondary.

sesecurityprivilege access is denied


http://support.microsoft.com/kb/314294

Z:\MSExchange2003Enterprise\SUPPORT\EXDEPLOY>POLICYTEST.EXE

This tool will check every domain controller in the local domain to see if the “Manage auditing and security logs” privilege granted to the  Exchange Enterprise Servers” group by DomainPrep has replicated to that DC.  If the policy change has not yet replicated to all DCs, then you should avoid making policy changes on any DC that has not received those changes yet.

You must have Domain Admin rights to run this tool successfully.  If you see an error that says:   !! LsaEnumerateAccountRights returned error 5 !! then you don’t have permission to open the LSA on the given DC.
===============================================
Local domain is “magwinya.lan” (magwinya)
Account is “magwinya\Exchange Enterprise Servers”
========================
  DC      = “ESG_CEN14”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_CEN16”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_CEN18”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_DC01”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!
========================
  DC      = “ESG_DC02”
  In site = “Default-First-Site-Name”
  !!! Right NOT found !!!

To resolve this I followed the step-by-step below:

  1. Start the Active Directory Users and Computers snap-in.
  2. Right-click the Domain Controllers container, and then click Properties.
  3. Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
  4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment. In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group. In the Add user or group dialog box, click OK. Then, click OK.
  5. Quit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.

NB: Interestingly,

Z:\MSExchange2003Enterprise\SUPPORT\EXDEPLOY>POLICYTEST.EXE

This tool will check every domain controller in the local domain to see if the “Manage auditing and security logs” privilege granted to the  Exchange Enterprise Servers” group by DomainPrep has replicated to that DC.  If the policy change has not yet replicated to all DCs, then you should avoid making policy changes on any DC that has not received those changes yet.

You must have Domain Admin rights to run this tool successfully.  If you see an error that says:   !! LsaEnumerateAccountRights returned error 5 !! then you don’t have permission to open the LSA on the given DC.
===============================================
Local domain is “magwinya.lan” (magwinya)
Account is “magwinya\Exchange Enterprise Servers”
========================
  DC      = “ESG_CEN14”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_CEN16”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_CEN18”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_DC01”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
========================
  DC      = “ESG_DC02”
  In site = “Default-First-Site-Name”
  Right found:  “SeSecurityPrivilege”
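
With more than a handful of domain controllers it is easier to parse the POLICYTEST.EXE report than to read it, so that any DC still missing the right stands out while the policy change replicates. The following is an added example, not part of the original post or of the Exchange tools; the function name is hypothetical and the sample text is constructed in the format shown above, with placeholder DC names.

```powershell
# Constructed sample in the format of the POLICYTEST.EXE report (placeholder DC names).
$sample = @'
========================
  DC      = "DC-A"
  In site = "Default-First-Site-Name"
  !!! Right NOT found !!!
========================
  DC      = "DC-B"
  In site = "Default-First-Site-Name"
  Right found:  "SeSecurityPrivilege"
'@

# Hypothetical helper: turns the report text into one object per domain controller.
function ConvertFrom-PolicyTestOutput {
    param([Parameter(Mandatory = $true)][string]$Text)

    # Each DC block is introduced by a line consisting only of '=' characters.
    foreach ($block in ($Text -split '(?m)^=+\s*$')) {
        # Skip the banner and header blocks, which have no "DC = ..." line.
        if ($block -notmatch '(?m)^\s*DC\s*=\s*\W?([\w.-]+)') { continue }
        $dc = $Matches[1]

        $site = $null
        if ($block -match '(?m)^\s*In site\s*=\s*\W?([\w.-]+)') { $site = $Matches[1] }

        # \W? tolerates either straight or typographic quotes around the values.
        New-Object PSObject -Property @{
            DC       = $dc
            Site     = $site
            HasRight = ($block -match 'Right found:\s*\W?SeSecurityPrivilege')
        }
    }
}

$report  = @(ConvertFrom-PolicyTestOutput $sample)
$missing = @($report | Where-Object { -not $_.HasRight })

$report | Select-Object DC, Site, HasRight | Format-Table -AutoSize
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.DC }) -join ', '
    Write-Warning "SeSecurityPrivilege not yet present on: $names"
}
```

To run it against the real tool, pass `(& .\POLICYTEST.EXE | Out-String)` instead of `$sample`.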

Enable PowerShell to Run locally

PS C:\Users\Sibanda\MyScripts> Set-ExecutionPolicy RemoteSigned

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is “Y”): Y
Set-ExecutionPolicy : Access to the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft
.PowerShell’ is denied.
At line:1 char:20
+ Set-ExecutionPolicy <<<<  RemoteSigned
    + CategoryInfo          : NotSpecified: (:) [Set-ExecutionPolicy], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetExecutionPolicyComma
   nd

PS C:\Users\Sibanda\MyScripts>

Solution to the above error message.

Click Start, go to PowerShell, right-click it and select Run as administrator.

Now when you run "Set-ExecutionPolicy RemoteSigned", it completes without errors.

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is “Y”): Y
PS C:\Windows\system32>

NB: This action enables PowerShell scripts to run locally on your laptop.
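
The access-denied error above occurs because the default scope writes to HKEY_LOCAL_MACHINE, which a non-elevated session cannot modify. The following is an added example, not part of the original post; the function names are hypothetical. It checks whether the session is elevated and, if not, sets the policy for the current user only, which does not require administrator rights.

```powershell
# Hypothetical helper: is this PowerShell session running with an elevated admin token?
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Hypothetical helper: set RemoteSigned at the widest scope this session may write to.
function Set-LocalScriptPolicy {
    if (Test-IsElevated) {
        # Machine-wide setting, stored under HKEY_LOCAL_MACHINE (needs elevation).
        $scope = 'LocalMachine'
    } else {
        # Per-user setting, stored under HKEY_CURRENT_USER (no elevation needed).
        $scope = 'CurrentUser'
    }
    Write-Output "Setting RemoteSigned at scope $scope"
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope $scope
}

# Show every scope first. The effective policy is the first entry, top down,
# that is not Undefined, so a Group Policy scope overrides anything set here.
Get-ExecutionPolicy -List

Set-LocalScriptPolicy

# Confirm the effective policy for this session.
Get-ExecutionPolicy
```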

What’s in SBS 2011 Std?

  • Windows Server 2008 R2 Standard
  • Exchange Server 2010 Standard with SP1
  • Microsoft Sharepoint Foundation 2010
  • Microsoft SQL Server 2008 R2 Express
  • WSUS 3.0 with SP2

Windows Small Business Server 2011

Windows Small Business Server 2011 Standard helps protect your business’ information from loss by performing automatic daily backups and allows them to be more productive by providing features like e-mail, Internet connectivity, internal Web sites, remote access, and file and printer sharing.

Increase Data and Network Protection. Windows Small Business Server 2011 Standard helps you focus on your core business objectives and not worry about the status of your IT, by providing automatic local backup and restoration of all their business critical data on the server.

Take Advantage of a Scalable Platform that Grows with the Business. As your business needs change, Windows Small Business Server 2011 Standard grows with you and meets your changing demands with a highly scalable platform. Easily add users, servers and applications, or expand into other Microsoft technologies as business needs evolve.

Stay Connected. Enable your users to easily access e-mail, contacts, and calendar to connect with their clients, vendors and suppliers seamlessly from virtually anywhere.

Benefits of Windows Small Business Server 2011 Standard include:

  • Automatic backup of business data and simple recovery features
  • Affordable and easy to deploy, use and maintain
  • Enterprise quality functionality and productivity capabilities
  • Organize and access files from virtually anywhere

Windows Small Business Server 2011 Standard includes the following component technologies:

  • Windows Server 2008 R2 Standard technologies
  • Microsoft Exchange Server 2010 SP1
  • Windows SharePoint Foundation Services 2010
  • Windows Server Update Services 3.0 SP2

Ideal Environment
Designed and priced especially for small businesses with up to 75 users, Windows Small Business Server 2011 Standard continues to be an ideal first server solution that includes key workloads that small businesses need to be productive and competitive.

SBS 2011 Standard is designed to provide a range of solutions tailored to meet the needs of small business customers at various stages of growth.