Wednesday, July 27, 2011

W2K8 R2, AD Recycle bin and FIM


Turned on the Active Directory Recycle Bin only to find that FIM (Forefront Identity Manager) has not stopped synchronising some objects? Well, fear not: they are in sync, but with the trash folder!

The screenshot below shows an object that is in sync, but with the deleted item. There is a hotfix for this that is installed on the DC: KB979214 is the patch.


Here is the KB article:

Consider the following scenario:

1. You enable the Active Directory Recycle Bin feature in a Windows Server 2008 R2-based domain.
2. You delete an object from Active Directory Domain Services (AD DS). For example, assume that you delete a user account.
3. You modify an object that has a relationship to the recently deleted object.
4. You perform an Active Directory directory synchronization (DirSync) control search to poll for the Active Directory changes in this domain.

In this scenario, the DirSync control search does not return the deactivated linked attributes from the modified object. Therefore, you cannot replicate these changes back to another database if you try to synchronize Active Directory Domain Services (AD DS) and another database.

For example, assume that you delete a user account that has the "testuser" name, and assume that this user account is a member of a group that has the "testgroup" name. Then, assume that you verify that the "testgroup" group does not include the "testuser" user account in the Active Directory Users and Computers window. In this scenario, a DirSync control search that polls for the Active Directory changes and requests deactivated links cannot detect that the "testuser" account is joined to the "testgroup" group as an inactive member. Additionally, the "testgroup" group in another database does not include the user account "testuser" if you use the returned results from the DirSync control to synchronize Active Directory Domain Services (AD DS) and another database.

The Active Directory directory synchronization (DirSync) API functions do not identify the deactivated linked attributes correctly. This behavior causes the deactivated links not to be returned in the DirSync control search.

Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

For all supported x64-based versions of Windows Server 2008 R2
File name     File version      File size    Date          Time    Platform
Ntdsa.mof     Not applicable    227,765      10-Jun-2009   20:34   N/A
Ntdsai.dll    6.1.7600.20621    2,721,280    19-Jan-2010   10:29   x64
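Before chasing a FIM sync problem on a domain controller it helps to confirm the two preconditions of the scenario above: that the Recycle Bin feature is actually enabled, and whether the DC already carries the hotfix. The following PowerShell is an added example, written for this page rather than taken from the post or from Microsoft's KB. It assumes it runs on a Windows Server 2008 R2 DC with the ActiveDirectory module available, and that Ntdsai.dll lives in %SystemRoot%\System32; the hotfix version it compares against is the one in the file table above.

```powershell
# Added example (not from the post or the KB): check the two preconditions the
# KB scenario depends on, on a Windows Server 2008 R2 domain controller.
#  - Is the Active Directory Recycle Bin enabled in this forest?
#  - Is Ntdsai.dll at or above the hotfix file version listed in KB979214?
# Assumes the ActiveDirectory module (2008 R2 / RSAT) and that Ntdsai.dll
# lives in %SystemRoot%\System32 on the DC where this runs.

Import-Module ActiveDirectory

# File version from the KB979214 file table (x64, Windows Server 2008 R2)
$hotfixVersion = [version]'6.1.7600.20621'

function Get-RecycleBinState {
    # EnabledScopes stays empty until the optional feature has been enabled
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    return [bool]($feature.EnabledScopes.Count -gt 0)
}

function Get-NtdsaiVersion {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\ntdsai.dll'))
    $info = (Get-Item $Path).VersionInfo
    # Build a comparable [version] from the numeric parts rather than parsing
    # the FileVersion string, which may carry a build tag in parentheses.
    return New-Object System.Version($info.FileMajorPart, $info.FileMinorPart,
                                     $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-Kb979214Exposure {
    $recycleBinOn = Get-RecycleBinState
    $current      = Get-NtdsaiVersion
    $patched      = ($current -ge $hotfixVersion)

    # New-Object PSObject keeps this usable on the PowerShell 2.0 that ships with 2008 R2
    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        RecycleBinEnabled = $recycleBinOn
        NtdsaiVersion     = $current.ToString()
        HotfixVersion     = $hotfixVersion.ToString()
        HotfixApplied     = $patched
        # Exposed only when the feature is on AND the DirSync fix is missing
        DirSyncAtRisk     = ($recycleBinOn -and -not $patched)
    }
}

Test-Kb979214Exposure | Format-List
```

Run it on each DC that FIM polls; a DirSyncAtRisk of True on any of them means deactivated links from that DC will not reach the connector space until the hotfix is applied.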

Monday, July 25, 2011

What an Active Directory AS-Built Document should contain


Table of Contents

1. Executive Summary

1.1. Domain Controllers Summary

2. ServerNameHere01

2.1. System Information

2.2. System BIOS Information

2.3. Operating System Information

2.4. Network Information

2.5. Processor Information

2.6. Disk Information

2.7. Programs Installed

2.8. Patches Installed

2.9. Roles and Features Installed

2.10. Local Administrator Group

2.11. Network Shares

2.12. Windows Services

3. NextServerNameHere01


10. Directory Artefacts

10.1. SID History

10.2. Password Synchronisation

11. Scheduled tasks

11.1. Daily Tasks and Their Importance

11.2. Weekly Monitoring Tasks

11.3. Monthly Monitoring Tasks

12. Backup

12.1. What to back up

12.2. Backup process

13. SQL Databases

14. Interdependencies

14.1. Consumers of Active Directory

15. Maintenance

15.1. System maintenance window

15.2. AD-Hoc

15.3. Planned events

15.4. Periodic operational tasks (daily, monthly, weekly, etc.)

15.5. System start-up procedure

15.6. System shut-down procedure

15.7. System restart procedure

16. Known Support Issues

16.1. Manually running a SYNC from the FIM server

17. System diagnostics
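The per-server sections 2.1 to 2.12 of that outline are mostly inventory, and typing them up by hand is how as-built documents go stale. The following PowerShell is an added example written for this page (not part of the post) that gathers the raw material for those twelve sections from the local server into one text file per section. It assumes an elevated PowerShell 2.0 or later session on a Windows Server 2008 R2 host; the output folder and file names are choices made for this example, and the ServerManager module is only needed for section 2.9.

```powershell
# Added example, not from the post: collect the per-server material for
# sections 2.1 to 2.12 of the as-built document from the local server.
# Assumes it runs elevated on a Windows Server 2008 R2 host with PowerShell 2.0
# or later; the ServerManager module is only needed for 2.9 (Roles and Features).
# Output path and file names are this example's own choices.

param([string]$OutDir = (Join-Path $env:TEMP "asbuilt-$env:COMPUTERNAME"))

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-LocalAdministrators {
    # Enumerate the local Administrators group through ADSI (WinNT provider).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath gives WinNT://DOMAIN/name, which distinguishes domain from local principals
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Get-InstalledPrograms {
    # Read the Uninstall keys (64-bit and 32-bit views) instead of Win32_Product,
    # which triggers an MSI consistency check of every package it enumerates.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName
}

function Get-RolesAndFeatures {
    # The ServerManager module ships with Windows Server 2008 R2
    Import-Module ServerManager -ErrorAction SilentlyContinue
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName
    }
}

# One entry per document section; each value is a script block that returns the data.
$sections = @{
    '2.01-System'      = { Get-WmiObject Win32_ComputerSystem | Select-Object Name, Domain, Manufacturer, Model, TotalPhysicalMemory }
    '2.02-BIOS'        = { Get-WmiObject Win32_BIOS | Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate, SerialNumber }
    '2.03-OS'          = { Get-WmiObject Win32_OperatingSystem | Select-Object Caption, Version, ServicePackMajorVersion, InstallDate, LastBootUpTime }
    '2.04-Network'     = { Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | Select-Object Description, MACAddress, IPAddress, IPSubnet, DefaultIPGateway, DNSServerSearchOrder }
    '2.05-Processor'   = { Get-WmiObject Win32_Processor | Select-Object Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed }
    '2.06-Disk'        = { Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' | Select-Object DeviceID, FileSystem, Size, FreeSpace }
    '2.07-Programs'    = { Get-InstalledPrograms }
    '2.08-Patches'     = { Get-HotFix | Select-Object HotFixID, Description, InstalledOn }
    '2.09-Roles'       = { Get-RolesAndFeatures }
    '2.10-LocalAdmins' = { Get-LocalAdministrators }
    '2.11-Shares'      = { Get-WmiObject Win32_Share | Select-Object Name, Path, Description }
    # StartName (the logon account) is worth recording: it is what a reviewer checks for over-privileged services
    '2.12-Services'    = { Get-WmiObject Win32_Service | Select-Object Name, DisplayName, StartMode, State, StartName | Sort-Object Name }
}

foreach ($name in ($sections.Keys | Sort-Object)) {
    $file = Join-Path $OutDir "$name.txt"
    # Format-List keeps multi-valued properties (IP addresses, DNS servers) readable
    & $sections[$name] | Format-List | Out-String -Width 200 | Set-Content -Path $file
    Write-Host "wrote $file"
}
```

Run it once per domain controller and paste the files under the matching headings; re-running it later and diffing the output is also a cheap way to spot drift in the local Administrators group, shares and service accounts between document revisions.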

What an Active Directory design should contain


Table of Contents from my last AD Design, just over 50 pages.

1. Executive Summary

1.1. Key Objectives

1.2. Assumptions

1.3. Future Environment

1.4. Current Environment

1.5. Existing MetaDirectory Services

2. Active Directory Domain Services (AD DS)

2.1. Overview

2.2. Design Decisions

2.3. Hardware

2.4. Software

2.5. Forests

2.6. Schema

2.7. Domains

2.8. NetBIOS name

2.9. Trusts

2.10. Active Directory and DNS

2.10.1. Active Directory Integrated DNS

3. Active Directory Services

3.1. Domain Controllers

3.2. Read-Only Domain Controllers

3.3. Global Catalogue Servers

3.4. FSMO Roles

3.5. DNS Services

3.6. WINS Services Placement

3.7. DHCP Services Placement

3.8. Time Support

3.9. Forest and Domain Functional Levels

3.9.1. Domain Functional Levels

3.9.2. Forest Functional Levels

3.10. Legacy Clients

3.11. Non-Windows Clients

3.12. Federation services

4. Active Directory Organisational Unit Design

5. Active Directory Administration Design

6. Group Policy Design

7. Active Directory Site and Replication Design

7.1. Replication Overview

7.1.1. Intra-Site Replication

7.1.2. Inter-Site Replication

7.2. Site Link Bridges

7.3. SMTP Replication

7.4. SYSVOL Distributed File System Replication (DFS)

7.5. SYSVOL File Replication Service (FRS)

8. Active Directory User Account Policy

8.1. Service accounts

9. Certificate Services

10. Active Directory Auditing

11. Microsoft Key Management Services (KMS)

12. Naming Standards

13. WAN Diagram

13.1. Active Directory

13.2. SYSVOL


14. Test Success Criteria

Appendix A. Acceptance

Appendix B. Server Specifications

Appendix C. Anti-virus Exclusions

Appendix D. Sources

Appendix E. Definitions

Saturday, July 16, 2011

Convert MKV to AVI on linux


I recently wanted to convert some of my 720p and 1080p Matroska Video (MKV) files to the Xvid format so that I could play them on my PS3. The video quality and Dolby Digital 5.1 audio would remain intact, and I was pleased to get the job done with mencoder.

In the following example, I decided to use a single pass with a fixed quantizer value of 4. The audio will simply be copied.

mencoder movie.mkv -channels 6 -ovc xvid -xvidencopts fixed_quant=4 -vf harddup -oac copy -o movie.avi


Original article:

Friday, July 15, 2011

Fuppes on Natty 64bit (11.04)


sudo apt-get install ffmpeg build-essential \
libavutil-dev libavformat-dev libavcodec-dev \
subversion libtool libsqlite3-dev libpcre3-dev \
libxml2-dev libpcre3-dev pkg-config

Install fuppes from source

get the latest fuppes sources, unpack them and change into the fuppes directory
$ gunzip fuppes*
$ tar -xvf fuppes*
$ cd fuppes*

configure the source
$ ./configure
$ make

to install fuppes run (as root)
$ sudo make install

try and run it, you may get this error…

$ fuppes
fuppes: error while loading shared libraries: cannot open shared object file: No such file or directory

if so, run:
$ sudo ldconfig

Try again:
$ fuppes

Now go and configure the conf file.

Friday, July 01, 2011

"Not enough storage is available to complete this operation"


Clients not logging on correctly? Not mapping drives, not applying GPOs and GPPs, specifically after a domain migration or SID migration.

The following Warning message may be logged in the System log on the client computer:

Event Type: Warning
Event Source: Kerberos
Event Category: None
Event ID: 6

The kerberos SSPI package generated an output token of size 36E7 bytes, which was too large to fit in the 36D3 buffer provided by process id 0. If the condition persists, please contact your system administrator.

This problem occurs because the Kerberos token that is generated during authentication is more than the fixed maximum size. In the original release version of Microsoft Windows 2000, the default value of the MaxTokenSize registry entry was 8,000 bytes. In Windows 2000 with Service Pack 2 (SP2) and in later versions of Windows, the default value of the MaxTokenSize registry entry is 12,000 bytes.

For example, if a user is a member of a group either directly or by membership in another group, the security ID (SID) for that group is added to the user's token. For a SID to be added to the user's token, the SID information must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication is unsuccessful.
To resolve this problem, increase the Kerberos token size. To do this, follow these steps on the client computer that logs the Kerberos event.

    Click Start, click Run, type regedit, and then click OK.
    Locate and then click the following registry subkey:
    Note If the Parameters key is not present, create the key. To do this, follow these steps:
        Locate and then click the following registry subkey:
        On the Edit menu, point to New, and then click Key.
        Type Parameters, and then press ENTER.
    On the Edit menu, point to New, and then click DWORD Value.
    Type MaxTokenSize, and then press ENTER.
    On the Edit menu, click Modify.
    In the Base area, click Decimal, type 65535 in the Value data box, and then click OK.

Note The default value for the MaxTokenSize registry entry is a decimal value of 12,000. We recommend that you set this registry entry value to a decimal value of 65,535. If you incorrectly set this registry entry value to a hexadecimal value of 65,535, Kerberos authentication operations may fail. Additionally, programs may return errors.

For more information, click the following article number to view the article in the Microsoft Knowledge Base: 297869 SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
    Exit Registry Editor.
    Restart the computer.
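The regedit steps above are fine for one client, but the same diagnosis and fix are easier to repeat, and to get right, from PowerShell, and the hex-versus-decimal mistake the note warns about can be checked for explicitly. The following is an added example written for this page, not code from the post or from Microsoft. It assumes the MaxTokenSize value lives under the Kerberos\Parameters key the steps refer to, at its standard location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters (the post does not spell out the full path); the sample event text is constructed from the event 6 message quoted above.

```powershell
# Added example, not from the post or the KB: diagnose and fix the Kerberos
# MaxTokenSize condition described above.
# Assumptions: the MaxTokenSize value lives under the Kerberos\Parameters key
# the steps refer to, at its standard location
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters; the sample
# event text below is constructed from the message quoted in the post.

$KerberosParams       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$DefaultTokenSize     = 12000    # default since Windows 2000 SP2
$RecommendedTokenSize = 65535    # decimal, as the KB recommends
$HexMistake           = 0x65535  # what you get by typing 65535 with Hexadecimal selected (415029)

function ConvertFrom-KerberosEvent6Message {
    # Parse the two hex byte counts out of a Kerberos event 6 message and return them as decimal.
    param([Parameter(Mandatory=$true)][string]$Message)
    $m = [regex]::Match($Message,
        'output token of size (?<token>[0-9A-Fa-f]+) bytes, which was too large to fit in the (?<buffer>[0-9A-Fa-f]+) buffer')
    if (-not $m.Success) { return $null }
    New-Object PSObject -Property @{
        TokenBytes  = [convert]::ToInt32($m.Groups['token'].Value, 16)
        BufferBytes = [convert]::ToInt32($m.Groups['buffer'].Value, 16)
    }
}

function Get-KerberosEvent6 {
    # Pull recent Kerberos event 6 warnings from the System log and decode their sizes.
    param([int]$Newest = 20)
    Get-EventLog -LogName System -Source Kerberos -EntryType Warning -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 6 } |
        ForEach-Object {
            $sizes = ConvertFrom-KerberosEvent6Message -Message $_.Message
            if ($sizes) {
                New-Object PSObject -Property @{
                    Time        = $_.TimeGenerated
                    TokenBytes  = $sizes.TokenBytes
                    BufferBytes = $sizes.BufferBytes
                }
            }
        }
}

function Get-KerberosMaxTokenSize {
    # Returns the configured value, or the default when the value or key is absent.
    $item = Get-ItemProperty -Path $KerberosParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $DefaultTokenSize }
    return [int]$item.MaxTokenSize
}

function Set-KerberosMaxTokenSize {
    # Writes MaxTokenSize as a REG_DWORD holding the decimal value (65535 by default),
    # creating the Parameters key first if it is missing, as the manual steps do.
    param([int]$Value = $RecommendedTokenSize)
    if (-not (Test-Path $KerberosParams)) { New-Item -Path $KerberosParams -Force | Out-Null }
    Set-ItemProperty -Path $KerberosParams -Name MaxTokenSize -Value $Value -Type DWord
    return Get-KerberosMaxTokenSize
}

# --- Worked run -------------------------------------------------------------

# Constructed sample, built from the event text quoted in the post
$sample = 'The kerberos SSPI package generated an output token of size 36E7 bytes, which was too large to fit in the 36D3 buffer provided by process id 0.'
ConvertFrom-KerberosEvent6Message -Message $sample | Format-List   # TokenBytes 14055, BufferBytes 14035

Get-KerberosEvent6 | Format-Table -AutoSize

$current = Get-KerberosMaxTokenSize
if ($current -eq $HexMistake) {
    Write-Warning "MaxTokenSize is $current (0x65535): the hexadecimal mistake the KB warns about; rewriting as decimal"
    Set-KerberosMaxTokenSize
} elseif ($current -ge $RecommendedTokenSize) {
    Write-Host "MaxTokenSize is already $current"
} else {
    Write-Host "MaxTokenSize is $current; setting $RecommendedTokenSize"
    Set-KerberosMaxTokenSize
}
```

The decoded sizes from the quoted event (14,055-byte token, 14,035-byte buffer) are what you compare against the configured MaxTokenSize; a reboot is still required after the registry change, exactly as in the manual steps.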

For more information about how to use the Tokensz tool to compute the maximum token size, visit the following Microsoft Web site:
For more information about how to address problems that occur because of access token limitations, visit the following Microsoft Web site:
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
327825 New resolution for problems with Kerberos authentication when users belong to many groups
263693 Group Policy may not be applied to users belonging to many groups


Original article:
