ERROR: dcdiag warning on userAccountControl

On a newly built DC, I ran dcdiag and found this problem:

Starting test: MachineAccount
Warning:  Attribute userAccountControl of myDC is:
0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
Typical setting for a DC is
0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
This may be affecting replication?

In ADUC with “Advanced Features” enabled, you can change userAccountControl for your DC’s computer object on the “Attribute Editor” tab.

UserAccountControl values:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

Via: https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-properties
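
To see which bits separate a value from the typical one for its account type, the following PowerShell (an added example, not part of the original post) decodes userAccountControl and compares it with the three typical values listed above. The function names and the role labels are illustrative.

```powershell
# Added example, not from the original post. Flag values are the documented
# userAccountControl bits (see the Microsoft article linked above).
$UacFlags = [ordered]@{
    SCRIPT = 0x1; ACCOUNTDISABLE = 0x2; HOMEDIR_REQUIRED = 0x8; LOCKOUT = 0x10
    PASSWD_NOTREQD = 0x20; PASSWD_CANT_CHANGE = 0x40
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x80; TEMP_DUPLICATE_ACCOUNT = 0x100
    NORMAL_ACCOUNT = 0x200; INTERDOMAIN_TRUST_ACCOUNT = 0x800
    WORKSTATION_TRUST_ACCOUNT = 0x1000; SERVER_TRUST_ACCOUNT = 0x2000
    DONT_EXPIRE_PASSWORD = 0x10000; MNS_LOGON_ACCOUNT = 0x20000
    SMARTCARD_REQUIRED = 0x40000; TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000; USE_DES_KEY_ONLY = 0x200000
    DONT_REQ_PREAUTH = 0x400000; PASSWORD_EXPIRED = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Typical values as listed in the post; the role names are illustrative labels.
$UacBaseline = @{ User = 0x200; DomainController = 0x82000; Workstation = 0x1000 }

# Return the names of all flags set in $Value.
function ConvertFrom-Uac([int]$Value) {
    @($UacFlags.Keys | Where-Object { $Value -band $UacFlags[$_] })
}

# Report which flags are set beyond the typical value and which typical flags are absent.
function Compare-UacToBaseline {
    param(
        [Parameter(Mandatory)][int]$Value,
        [Parameter(Mandatory)][ValidateSet('User', 'DomainController', 'Workstation')]
        [string]$Role
    )
    $expected = $UacBaseline[$Role]
    [pscustomobject]@{
        Value      = '0x{0:X} ({0})' -f $Value
        Flags      = (ConvertFrom-Uac $Value) -join ' | '
        Unexpected = (ConvertFrom-Uac ($Value -band (-bnot $expected))) -join ' | '
        Missing    = (ConvertFrom-Uac ($expected -band (-bnot $Value))) -join ' | '
        Typical    = '0x{0:X} ({0})' -f $expected
    }
}

# The value from the dcdiag warning above, checked against the typical DC value.
Compare-UacToBaseline -Value 0x82020 -Role DomainController | Format-List
```

On a live domain the input value can be read with Get-ADComputer and -Properties userAccountControl.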

How to connect Remotely to SQL Express using SSMS

If the SQL Server Browser service is stopped (as it generally is with SQL Express), you must specify the port in the server/instance string to connect remotely with “Microsoft SQL Server Management Studio”.

First check whether SQL Server Browser is stopped, using “SQL Server Configuration Manager”.

Then check the TCP port of your SQL Express instance (in this case it is a dynamic port).

Then you can connect to your SQL Express instance specifying as “Server Name” this string (pay attention to the comma after SQL instance name):

SQLServer\Instance,TCPPort

How to Find which DC is pruning your printer queues

When you publish printer queues in Active Directory, by default the print spooler saves the shared printers' information as objects inside the print server's computer object.

On a DC (generally the site DC of the print server), a printer pruning job runs by default; this job checks whether the print server is reachable and whether the printer is still shared and, if not, deletes the printQueue object from AD.

  • The print server publishes the printers only at startup by default (if you want to force printer publishing, just restart the Print Spooler service).
    This setting is managed by “Computer Configuration / Administrative Templates / Printers / Check Published State”.
  • The DC tries to contact the print server/printer 3 times, every 8 hours. If the print server/printer is not reachable all 3 times, the printer is unpublished.
    This setting is managed by “Computer Configuration / Administrative Templates / Printers / Allow Pruning of Published Printers”, “Directory Pruning Interval”, “Directory Pruning Retry”.

“The Print Pruner is a thread that runs under the spooler context on all DCs. It
uses ADSI calls ( ADsGetObject, IID_IDirectorySearch->ExecuteSearch) to get the
list of all the printQueue servers in the AD.
To check whether the server is in same site it uses Winsock call (gethostbyname)
and other net APIs (DsAddressToSiteNames,DsGetDcSiteCoverage).
To check if the print queue\print server availability it uses OS APIs
(NetServerGetInfo, OpenPrinter,GetPrinter).
So all the work by pruner is done using ADSI, WinSock and OS functions.”

Because of a firewall or network misconfiguration, a DC may start pruning some or all published print queues on a regular basis. To find which DC is pruning too aggressively, first find the deleted printQueue object:

Find deleted Object

  1. Run ldp.exe as Domain Admin.
  2. On the “Connection” menu click “Connect”. You can leave the server name blank to connect to the DC in your site.
  3. On the “Connection” menu click “Bind”.
  4. On the “Browse” menu click “Search”. Select the “Base DN” of the domain where you want to retrieve tombstones. In the “Filter” box use the filter “(objectclass=printQueue)”. Under “Scope” select “Subtree”. Click “Options” and under “Search Call Type” select “Extended”. Then add “1.2.840.113556.1.4.417” to “Active Controls” using “Check in”.
  5. Close “Search Options” and, in the “Search” dialog box, click “Run”.
  6. In the results, find your deleted printer and copy the CN of the deleted printQueue.

Find origin of change

Then using repadmin you can find from where this object was updated:

repadmin /showobjmeta [myDC] [CN of object]

Via: https://blogs.technet.microsoft.com/askpfeplat/2012/03/05/how-to-track-the-who-what-when-and-where-of-active-directory-attribute-changes-part-i-the-case-of-the-mysteriously-modified-upn/
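
The same lookup (the ldp.exe search for deleted printQueue objects followed by repadmin /showobjmeta) can be done in one pass with PowerShell. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and rights to read deleted objects, and the function name, the -Days window and the myDC placeholder are illustrative.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-PrintQueueDeletionOrigin {
    param(
        # DC to query ("myDC" in the repadmin command above). Placeholder, supply your own.
        [Parameter(Mandatory)][string]$Server,
        # Only report printQueue objects deleted in the last N days (assumed default).
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)

    # Same search as the ldp.exe steps: printQueue class, tombstones included.
    # -IncludeDeletedObjects adds the 1.2.840.113556.1.4.417 control to the search.
    $deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter 'objectClass -eq "printQueue" -and isDeleted -eq $true' `
        -Properties whenChanged, lastKnownParent |
        Where-Object { $_.whenChanged -ge $since }

    foreach ($pq in $deleted) {
        # Same data as "repadmin /showobjmeta": per-attribute replication metadata.
        # The originating write of isDeleted names the DC where the deletion was made.
        Get-ADReplicationAttributeMetadata -Object $pq -Server $Server -IncludeDeletedObjects |
            Where-Object AttributeName -eq 'isDeleted' |
            ForEach-Object {
                [pscustomobject]@{
                    PrintServer   = $pq.lastKnownParent
                    # A tombstone name is "<cn><newline>DEL:<guid>"; keep the CN part.
                    PrintQueue    = ($pq.Name -split "`n")[0]
                    DeletedAt     = $_.LastOriginatingChangeTime
                    OriginatingDC = $_.LastOriginatingChangeDirectoryServerIdentity
                }
            }
    }
}

# Count deletions per originating DC; a DC far ahead of the others is the one to check.
Get-PrintQueueDeletionOrigin -Server 'myDC' |
    Group-Object OriginatingDC |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

OriginatingDC is the distinguished name of the NTDS Settings object of the DC where the deletion originated, so the server name is the CN of its parent.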


How to Delete/Rename files with Path Too Long

The maximum length of a path, according to the Windows API, is defined as 260 characters. A subset of Win32 APIs lets you work around the MAX_PATH restriction by adding the “\\?\” prefix. This supports paths up to 32K characters in length, but application support is also required (File Explorer does not support it :-)).

Windows 10 AU adds “Win32 long path support”, but it is not enabled by default, and PowerShell finally has built-in support for that.
https://blogs.msdn.microsoft.com/jeremykuhne/2016/07/30/net-4-6-2-and-long-paths-on-windows-10/

As a workaround you can try to use short filename notation:

cmd /c for %A in ("C:\Documents and Settings\User\NTUSER.DAT") do @echo %~sA

or use subst to map a drive letter to a folder:

subst x: "C:\Very long directory\that exceed\length limit"

To remove the temporary drive letter:

subst x: /d

How to create Print queue with Powershell

Due to a new print server rollout, I wrote a PowerShell script to easily install network printers on the new Windows 2012 R2 print server.

The script can be found here: https://github.com/lscarso/Powershell/blob/b6eb1a31790774a0433765551c9aeb455cedbd76/New-ProvisioningPrinter/New-ProvisioningPrinter.ps1

If the driver is not in the driver store of your print server, you need to install it first, via the GUI or using pnputil and Add-PrinterDriver:

pnputil -i -a "C:\Temp\Printers\Ricoh_UniDrv_plc6\x2DSPYP.inf"
Add-PrinterDriver -name "RICOH PCL6 UniversalDriver V4.12"

To create a new Printer Port and the Printer then just run this command:

.\New-ProvisioningPrinter.ps1 -ComputerName MYPRINTSRV -PrinterName PR01 -PrinterAddress 192.168.1.1 -PrinterLocation "Italy, Milano, Reception" -PrinterComment "Asset Number: 01987" -PrinterDriver "RICOH PCL6 UniversalDriver V4.12"

Change ComputerName to your print server, PrinterName to the name of the new print queue you want to create, PrinterAddress to the IP/host name of the network printer, and PrinterDriver to the label of the driver to use.

The script creates the print queue PR01, shared under the same name, and a printer port linked to that printer, named after the IP or host name you specified in the PrinterAddress parameter. SNMP is also enabled, with the “public” community.

You can also pipe a CSV file with PrinterName, PrinterAddress, PrinterLocation and PrinterComment columns to this script for bulk printer creation:

Import-Csv "C:\Data\Working\printers.csv" -delimiter ";" -Encoding UTF8 | .\New-ProvisioningPrinter.ps1 -ComputerName PRINTSRV

You now have all the printers installed on the new print server. Next, configure the default settings:

Set-PrintConfiguration -ComputerName MYPRINTSRV -PrinterName PR01 -PaperSize A4 -Color $False

This configures the PR01 printer with a default paper size of A4 and black & white output.

How to Change Skype for Business Spell Check Language

If you enable “Check Spelling as I type” (Options/IM) in Skype for Business (Lync), the spell check language is managed by Windows settings. You can quickly change it from the “Input Method” icon near the clock. In the example, I selected English spell checking (with an Italian keyboard). If you are missing languages, add them from “Control Panel (Settings)/Region & Language”.
