Archive
Export All DNS Zones
I was in the process of enabling DNS scavenging following the steps in this blog post. I’m used to it already being on but going into an existing environment with it disabled & enabling it could be bad. I was at the “enable” phase mentioned in the blog when I thought that it would be nice to have an export of all the zones just in case. While I’m sure there are other solutions, this is mine.
- Browse to C:\Windows\System32\dns.
- Create a folder called export.
- Open a command prompt.
- Browse to C:\Temp.
- Run the following commands:
dnscmd /enumzones > AllZones.txt
for /f %a in (AllZones.txt) do dnscmd /ZoneExport %a export\%a.txt
- In the export folder you will now have a text file with an export for every zone (forward & reverse) in your DNS server.
- Now create a subfolder in the YYYYMMDD format under the export folder created earlier.
- Move all the text files to that folder.
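The same export as an added PowerShell example (not part of the original post), assuming the DnsServer module that ships with Windows Server 2012 and later and an elevated session on the DNS server itself; the `_summary.csv` file name is made up for illustration. It exports each zone straight into the dated subfolder and records which zones succeeded or failed, so a failed export is noticed before scavenging is enabled.

```powershell
# Added example, not from the original post.
# Assumes: DnsServer module, elevated PowerShell, run on the DNS server.
Import-Module DnsServer

# Export-DnsServerZone writes relative to %SystemRoot%\System32\dns,
# the same base folder dnscmd /ZoneExport uses.
$dnsDir    = Join-Path $env:SystemRoot 'System32\dns'
$relFolder = 'export\{0}' -f (Get-Date -Format 'yyyyMMdd')
$absFolder = Join-Path $dnsDir $relFolder
New-Item -ItemType Directory -Path $absFolder -Force | Out-Null

$results = foreach ($zone in Get-DnsServerZone) {
    $relFile = '{0}\{1}.txt' -f $relFolder, $zone.ZoneName
    $absFile = Join-Path $dnsDir $relFile
    $status  = 'Exported'

    if (Test-Path -LiteralPath $absFile) {
        # Keep an earlier export from the same day instead of replacing it.
        $status = 'Skipped (file already exists)'
    } else {
        try {
            Export-DnsServerZone -Name $zone.ZoneName -FileName $relFile -ErrorAction Stop
        } catch {
            # Record the failure and carry on with the remaining zones.
            $status = 'Failed: {0}' -f $_.Exception.Message
        }
    }

    [pscustomobject]@{
        Zone    = $zone.ZoneName
        Type    = $zone.ZoneType
        Reverse = $zone.IsReverseLookupZone
        Status  = $status
        Bytes   = if (Test-Path -LiteralPath $absFile) { (Get-Item -LiteralPath $absFile).Length } else { 0 }
    }
}

# Per-zone summary on screen and next to the exports (file name is hypothetical).
$results | Format-Table -AutoSize
$results | Export-Csv (Join-Path $absFolder '_summary.csv') -NoTypeInformation
```

Any row whose Status is not `Exported`, or whose Bytes is 0, is a zone without a usable backup.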
Quick Post: Exchange Server Errors
This is just a quick one for my reference. KB2025528 explains it in more detail.
Log Name: Application
Source: MSExchange ADAccess
Event ID: 2601
Level: Warning
Description: Process MSEXCHANGEADTOPOLOGY (PID=1276). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=ABCDEF1234567890ABCDEF1234567890,CN=Microsoft Exchange,CN=Services,CN=Configuration,…> – Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.
Log Name: Application
Source: MSExchange ADAccess
Event ID: 2604
Level: Error
Description: Process MSEXCHANGEADTOPOLOGY (PID=1276). When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object EX01 – Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.
Log Name: Application
Source: MSExchange ADAccess
Event ID: 2501
Level: Error
Description: Process MSEXCHANGEADTOPOLOGY (PID=1276). The site monitor API was unable to verify the site name for this Exchange computer – Call=DsctxGetContext Error code=8007077f. Make sure that Exchange server is correctly registered on the DNS server.
Solution – Run NLTest /DSGetSite to verify that the proper Active Directory Site is being returned by Windows. Once that has been verified, restart the MSExchange ADTopology service. Depending on the role of the server, it may cause a service disruption due to dependent services having to restart as well.
Small Text in Process Monitor
If you have to go back to using an older version of ProcMon the text may become small & difficult to read.
This was driving me crazy for a few minutes but was really easy to fix. Click Options>Font. The font size was set to 6.
Change font size to 8 & all is legible again.
Login Script Maintenance
Note – This post deals with making bulk changes to Active Directory. If you’re not careful you could really screw things up. Always test in a lab before making such changes in production.
In Active Directory all our users had a login script configured. We were needing to do some testing that required all those scripts to be removed. After testing was done we had to add all the scripts back. I sure don’t feel like typing all that manually so PowerShell to the rescue.
I’m using the Quest ActiveRoles Management Shell for Active Directory because they just rock. Modify the domain & OU structure to fit your environment.
First, export some data on every user that has a login script. If you want to be able to import the login scripts back then do not lose the CSV file!
Get-QADUser -SizeLimit 0 -SearchRoot 'abc.com/Company/Users' -ObjectAttributes @{scriptPath='*'} | select Name,sAMAccountName,scriptPath,DN | Export-Csv C:\Temp\LoginScript.csv
Next, remove the login script from everyone’s account.
Get-QADUser -SizeLimit 0 -SearchRoot 'abc.com/Company/Users' -ObjectAttributes @{scriptPath='*'} | %{Set-QADUser $_ -scriptPath ""}
Finally, add the login script back to each account based on the exported CSV file. This one is a two-liner.
$File = "C:\Temp\LoginScript.csv"
Import-Csv $File | %{Set-QADUser -Identity $_.SamAccountName -scriptPath $_.scriptPath}
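A more defensive restore, as an added example that is not from the original post: it uses Microsoft's ActiveDirectory module rather than the Quest cmdlets, matches accounts on the exported DN column, and compares each account against the CSV afterwards. The `$DryRun` switch is a hypothetical name; the CSV path and column names are the ones exported above.

```powershell
# Added example, not from the original post.
# Assumes: ActiveDirectory module (RSAT) and the CSV produced by the export step.
Import-Module ActiveDirectory

$File   = 'C:\Temp\LoginScript.csv'
$DryRun = $true                    # hypothetical switch: set to $false to write changes
$rows   = @(Import-Csv $File)

# Stop before touching AD if the backup is empty or has incomplete rows.
if ($rows.Count -eq 0) { throw "No rows found in $File." }
$bad = @($rows | Where-Object { -not $_.DN -or -not $_.scriptPath })
if ($bad.Count -gt 0) { throw "$($bad.Count) row(s) lack DN or scriptPath." }

$report = foreach ($row in $rows) {
    $status = 'OK'
    try {
        # The DN identifies the exact object that was exported.
        Set-ADUser -Identity $row.DN -ScriptPath $row.scriptPath `
                   -WhatIf:$DryRun -ErrorAction Stop

        # Read the attribute back and compare it with the backup.
        $now = (Get-ADUser -Identity $row.DN -Properties scriptPath).scriptPath
        if ($now -ne $row.scriptPath) { $status = "Mismatch (current: '$now')" }
    } catch {
        # For example, an account moved or deleted since the export.
        $status = 'Failed: {0}' -f $_.Exception.Message
    }

    [pscustomobject]@{
        sAMAccountName = $row.sAMAccountName
        Expected       = $row.scriptPath
        Status         = $status
    }
}

# In a dry run nothing is written, so cleared accounts show up as mismatches.
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
'{0} of {1} accounts match the CSV' -f @($report | Where-Object Status -eq 'OK').Count, $rows.Count
```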
Unknown Host
After installing KB2585542, if you browse to an SSL webpage when going through a proxy, you may receive an error that says, “Unknown Host. Description: Unable to locate the server named “localhost.localdomain” – the server does not have a DNS entry. Perhaps there is a misspelling in the server name, or the server no longer exists. Double-check the name and try again.”

According to security bulletin MS12-006, “This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.”
In my case the workaround was to uninstall the patch. Once the vendor of our proxy server came out with a patch for their system we were able to install the patch back on the computers.
iDRAC Not Working
I wasn’t able to connect to an iDRAC on a Dell PowerEdge R710. It was plugged into an active switchport but just would not get link. With OpenManage Server Administrator installed on the server I looked at the Configuration tab in the Remote Access section.
I noticed that NIC Selection was set to Shared. That seemed odd so I compared that setting to another R710. The other one was set to Dedicated. I switched the problem one from Shared to Dedicated & it started working.



