How to Delegate Rights to Modify SPNs in Active Directory

With Kerberos taking over as the preferred authentication protocol, system administrators need to be able to modify the SPN for their service accounts and computer objects in Active Directory. And you don't want to make all of your system administrators domain admins. To delegate this right, you can run the command below on your domain controller.

Before you run it, you need to change "OU=users,DC=domain,DC=suffix" to the distinguished name of the OU or object that you want to delegate the rights for. Then change "DOMAIN\GroupName" to your domain and the group or user that you want to grant the rights to.

dsacls "OU=users,DC=domain,DC=suffix" /I:S /G "DOMAIN\GroupName:RPWP;servicePrincipalName"

You can also limit this right to a specific class of object (e.g. user, computer, etc) by adding ";<InheritedObjectType>" immediately after "servicePrincipalName" in the command. Make sure to replace <InheritedObjectType> with the name of the class you want the right limited to, like this.

dsacls "OU=users,DC=domain,DC=suffix" /I:S /G "DOMAIN\GroupName:RPWP;servicePrincipalName;user"

Read More

You have not entered a valid product key or the key is incorrect

The following two errors show up for Microsoft Office 2007 and 2003 users for a couple of reasons.

Error #1
The key is incorrect. Verify that you have the correct key, and then retype it.

Error #2
You have not entered a valid Product Key. Please check the number located on the sticker on the back of the CD case or on your Certificate of Authenticity.


The first, and most obvious reason you might get this error is because you entered the product key incorrectly. Check the key you entered, and make sure it's correct. Some characters can look a lot alike. For example, zeros and the letter O look alike, eights and the letter B, and so on.

If you already have another version of Microsoft Office installed, you can get this error. You need to decide which version on Microsoft Office you want to use, and uninstall the version of Office that you aren't going to use.

Read More

Forceful Demotion of a Dead Domain Controller

If one of your domain controllers dies on you, then you cannot gracefully demote it. So, when this happens there are a few things that you need to do to remove it from the domain and cleanup the mess that this failure created.

The first step is to jump on one of your remaining domain controllers that's running Windows 2003 SP1 or newer.

Make sure that you are a member of the "enterprise admins" group. If you weren't a member already, add yourself to the group, then log off of the domain controller and back onto it.
Open up a command prompt, and enter ntdsutil.

At the ntdsutl: prompt type metadata cleanup and hit enter.

At the metadata cleanup: prompt, type remove selected server <distinguished name of DC you want to remove> and hit enter. The distinguished name of the domain controller object in the configuration partition of Active Directory, not the directory services partition.

If you get a message like this, your probably pointing to the wrong object in Active Directory.

Binding to localhost ...

Connected to localhost using credentials of locally logged on user.

LDAP error 0x20(32 (No Such Object).

Ldap extended error message is 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:

        'CN=DC-Name,OU=Domain Controllers,DC=domain,DC=local'

Win32 error returned is 0x208d(Directory object not found.)

)

Unable to determine the domain hosted by the DC (5). Please use the connection menu to specify it.

Disconnecting from localhost...
 

Look at the distinguished name and make sure it is something like this and try the command again:
CN=<DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<Domain>,DC=<suffix>

When you do this correctly, it should look like this:

Binding to localhost ...

Connected to localhost using credentials of locally logged on user.

Transferring / Seizing FSMO roles off the selected server.

Removing FRS metadata for the selected server.

Searching for FRS members under "CN=<DC Name>,OU=Domain Controllers,DC=<domain>,DC=<suffix>".

Removing FRS member "CN=<DC name>,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=<domain>,DC=<suffix>".

Deleting subtree under "CN=<DC Name>,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=<domain>,DC=<suffix>".

Deleting subtree under "CN=<DC Name>,OU=Domain Controllers,DC=<domain>,DC=<suffix>".

The attempt to remove the FRS settings on CN=<DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<suffix> failed because "Element not found.";

metadata cleanup is continuing.

"CN=<DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<suffix>" removed from server "localhost"

 Yes, there is a line in there that says:

The attempt to remove the FRS settings on CN=<DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<suffix> failed because "Element not found."

This can be ignored. Microsoft actually says "Even though there was an error reported, the operation was successful. The error reported is misleading as the object in question was deleted by NTDSUTIL."

Now, go into Active Directory Sites and Services and delete the server object for the DC you are decommissioning. If it is the last DC in a particular site, you may need to reassign the subnets from that site to another site, depending on whether you are replacing that DC or not.

The DC should already be gone from the Domain Controllers OU in AD Users and Computers, but it's a good idea to check it anyway.

You will probably need to do some DNS cleanup too. Remove the “(same as parent folder)” Host(A) record from DNS for the IP address of the DC you removed. If that DC was a DNS server, there will probably be an NS record that you need to get rid of as well. Then, remove the A record for the computer name of the DC you removed. And finally, you will probably need to remove the A record for (same as parent folder) ender _msdcs > gs.

 

Read More

How to Configure Windows Event Logs as SNMP Traps

There are a lot of different monitoring suites out there that monitor servers by using SNMP traps. If you want to be alerted when a specific error or warning occurs in any of your event logs, you need to configure those events to send an SNMP trap.

To do this, you need to launch %windir%\system32\evntwin.exe to start configuring them. That opens up a window like this.

 

Select the Custom radial button, then click Edit.

 

 

That opens this "Event to Trap Translator". First, you need to expand the event log that you want to look in from the "Event sources" window. That shows you all of the event sources that have registered events in that event log. Select one of the event sources, and the related events shows in the events window. In the example image I selected Kerberos. Then, in the "Events" window you select the event that you want to start sending SNMP traps for. Click Add to configure that event send SNMP traps.

 

You can click OK for it to generate a trap every time that event occurs. Or, you can modify some the settings in the "Generate trap" section to limit the amount of traps it sends out.

 

 

 

Click OK, and you are done.

Read More