Publish Print server 2012R2 with CNAME record

As you probably know, there is no real high-availability scenario for the print server in a Windows Server 2012 R2 environment. Many times we need users to be able to keep working even when a single server fails.
In these cases, it is possible to reduce the downtime by deploying a second print server and using a DNS CNAME record to publish the print servers. However, this solution has its drawbacks:

  • DNS needs to be refreshed so that users point to the other server (consider a short TTL on the DNS record)
  • there is no supported way to publish these printers in AD. Publishing printers in AD is done through the computer name (A record) and the printer share name. As we need to publish the printers through the CNAME record, this is not possible. There is a workaround with ADSIEDIT and changing the published name, but this is not suggested. (I will cover this in a separate post)

Anyway, you can deploy printers with GPO preferences, and this is not such a difficult process. You just have to be careful that every user has the right printer mapped (this can be done with GPO preferences filtering).
To create the discussed setup, first you must have two print servers (in our case we will name them PS1.domain.com and PS2.domain.com). On the first server, you have to install and configure all the printers that you need; you can share them, but do not publish them in AD. Of course it will also work if you publish them in AD, but if a user chooses a printer from AD, failover will not work for him.
After doing this, you have to create a name and a CNAME record for our print server (I will name it PrintSvr) that points to the first print server. In our example:

CNAME PrintSvr PS1.domain.com TTL = 5 min

Keep the TTL small, because this time is critical when failover occurs! Changing the TTL is not necessary if you plan to use round robin.

With this, we can resolve our PS1 server with the name PrintSvr and you will be able to browse printers through the CNAME, but if you try to install them you will receive error 0x00000709.

This is because we need some additional registry changes on the print server (CNAME below stands for the alias, PrintSvr in our example):

Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: DisableStrictNameChecking (QWORD) = 1

Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: OptionalNames (MultiString) = CNAME

Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Value: BackConnectionHostNames (MultiString) = CNAME

Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print
Value: DnsOnWire (QWORD) = 1

The first and the last values have to be of DWORD type if your server is older than 2012 R2.
These are all the changes that you need to make. As we changed the registry, do not forget to reboot the server. When everything is completed, you can export the print server configuration from the Print Management console to a file. This will be useful on the second server.
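The registry changes above, applied with PowerShell, as an added example that is not part of the original post. It merges the alias into the two MultiString values instead of overwriting them (a host may already list other names there) and picks QWORD or DWORD from the OS version as the post describes. The alias name is a parameter; PrintSvr is the post's example.

```powershell
# Added example (not the post's own text): apply the four registry values the post lists so the
# print server answers to the DNS alias. Run in an elevated PowerShell on PS1 and PS2, then reboot.
param([string]$Alias = 'PrintSvr')   # the CNAME alias from the post; adjust to yours

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Msv1Key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$PrintKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'

# The post uses QWORD on 2012 R2 and DWORD on older servers; 2012 R2 reports version 6.3.
$osVersion   = [Version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
$numericType = if ($osVersion -ge [Version]'6.3') { 'QWord' } else { 'DWord' }

function Add-MultiStringEntry {
    # Append $Entry to a REG_MULTI_SZ value without dropping entries that are already there.
    param([string]$Path, [string]$Name, [string]$Entry)
    $existing = @()
    $current = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($current) { $existing = @($current.$Name) }
    if ($existing -notcontains $Entry) { $existing += $Entry }
    New-ItemProperty -Path $Path -Name $Name -PropertyType MultiString -Value $existing -Force | Out-Null
}

# SMB server: accept sessions addressed to a name other than the computer name, and advertise the alias.
New-ItemProperty -Path $LanmanParams -Name DisableStrictNameChecking -PropertyType $numericType -Value 1 -Force | Out-Null
Add-MultiStringEntry -Path $LanmanParams -Name OptionalNames -Entry $Alias

# Local authentication: allow loopback authentication to the alias. Listing only the alias here is
# narrower than switching the loopback check off entirely (DisableLoopbackCheck), so prefer this value.
Add-MultiStringEntry -Path $Msv1Key -Name BackConnectionHostNames -Entry $Alias

# Spooler: put the DNS name rather than the NetBIOS name on the wire for printer connections.
New-ItemProperty -Path $PrintKey -Name DnsOnWire -PropertyType $numericType -Value 1 -Force | Out-Null

# Show what was written and confirm the CNAME resolves before rebooting.
Get-ItemProperty -Path $LanmanParams -Name DisableStrictNameChecking, OptionalNames | Format-List
Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames | Format-List
Get-ItemProperty -Path $PrintKey -Name DnsOnWire | Format-List
Resolve-DnsName -Name $Alias -Type CNAME | Select-Object Name, NameHost
Write-Host "Registry updated for alias '$Alias'. Reboot the server to apply the change."
```

Run it once on each print server; the second server gets exactly the same values, which is what the post asks for before importing the printers.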

On the second server, you just have to install the print server role and add the same registry values. After doing this, you can import all the printers in the same way as you exported them on the first server. This will import all your printers with exactly the same names and the same share names, so there will not be any problem when you switch servers. Restart the server.
Now you are ready to test the environment. Change the DNS CNAME record so that it points to the second server and test whether the printers still work (of course you can wait for the TTL to expire, or you can flush the cache on the DNS servers and on the client where you are testing).
Good work!

Add Groups and Users to AD with PowerShell

When I have to manage a bigger environment, with many groups and users, I always think of PowerShell. Of course, the first step in working with PowerShell is to have all users or groups listed in a CSV (or similar) file. The first problem for many administrators is the structure of the CSV and the data needed by AD. I want to talk about this because CSV stands for comma-separated values, which means that all fields are separated by commas. Nothing strange or new, but as we know, the AD structure also uses commas to delimit OUs, domains etc. Because of this, please be careful when you create your CSV file. I prefer to create the CSV file with a semicolon as the delimiter, and then everything works fine.
The second step is to create at most three CSV files: one containing the new AD groups, the second containing group nesting (groups that are members of groups) and the last one containing users (users and groups that have to be members). If you receive that data from other sources, be careful: first just test whether all the data is correct (whether the users really exist, whether there are typing errors) and only after this step begin with the implementation. This can be done with the same script; just delete the lines that contain write actions and export the results to a test file for later review.
Creating the CSV files: for me, the best program to create CSV files is Microsoft Excel. Everyone knows the program well enough to type names and some data in (not all of it; you will have to type some attributes yourself). I always use the same structure of CSV, and for this reason I never have problems with the script. Fundamental is the first line, where you have to define the columns. These are my columns:

For Groups CSV (New groups to be created):

  • Name – The name of the group
  • DisplayName – Display name of the group
  • Description – Group description (non mandatory)
  • OU – OU where the group will be created (structure OU=MyOU,DC=Domain,DC=com)
  • GroupType – Security or Distribution
  • Mail – E-Mail address of the group, if it will exist

For GroupMember CSV (defines membership of groups in groups – nesting):

  • Group – Name of the group which will have a group inside
  • Member – Name of the group which will be added as a member

For Members CSV (defines the users who will be added to groups):

  • GroupName – Name of the group where users will be added
  • Member – Display Name of the user

This is all that you need. The next step is to test that the names of all users and groups are typed correctly. After you find that all the data is OK, just run the scripts. I always use this order: first I create the groups, then I add groups to groups and finally I add users to groups. This gives me the certainty that the objects I need have always been created beforehand.
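An added example of the whole procedure (this is my illustration, not the GroupsAD.zip script from the post): it reads the three semicolon-delimited CSVs with the columns described above, runs the validation pass first (every OU, group and user must exist, and a display name must match exactly one user) and only writes to AD when -Commit is given, in the post's order of groups, nesting, then users. The file paths and the Global group scope are assumptions.

```powershell
# Added example, not the post's downloadable script. Validate the three CSVs, then create
# groups, nest groups and add users. Without -Commit nothing is written to AD.
[CmdletBinding()]
param(
    [string]$GroupsCsv      = '.\Groups.csv',        # placeholder paths
    [string]$GroupMemberCsv = '.\GroupMember.csv',
    [string]$MembersCsv     = '.\Members.csv',
    [switch]$Commit
)
Import-Module ActiveDirectory

# Semicolon delimiter, as the post recommends, so commas in OU paths survive.
$groups   = @(Import-Csv -Path $GroupsCsv      -Delimiter ';')
$nesting  = @(Import-Csv -Path $GroupMemberCsv -Delimiter ';')
$members  = @(Import-Csv -Path $MembersCsv     -Delimiter ';')
$problems = New-Object System.Collections.Generic.List[string]

function ConvertTo-LdapLiteral([string]$s) {
    # Escape LDAP filter metacharacters so a name like "R&D (EU)" cannot break the query.
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}
function Test-GroupExists([string]$Name) {
    [bool](Get-ADGroup -LDAPFilter "(name=$(ConvertTo-LdapLiteral $Name))")
}
function Find-UserByDisplayName([string]$DisplayName) {
    @(Get-ADUser -LDAPFilter "(displayName=$(ConvertTo-LdapLiteral $DisplayName))")
}

# Pass 1: validation only. Groups listed in Groups.csv count as known because they are created first.
$plannedGroups = @($groups | ForEach-Object { $_.Name })
function Test-GroupKnown([string]$Name) { ($plannedGroups -contains $Name) -or (Test-GroupExists $Name) }

foreach ($g in $groups) {
    if ($g.GroupType -notin @('Security', 'Distribution')) { $problems.Add("Group '$($g.Name)': GroupType must be Security or Distribution") }
    try { Get-ADOrganizationalUnit -Identity $g.OU -ErrorAction Stop | Out-Null }
    catch { $problems.Add("Group '$($g.Name)': OU '$($g.OU)' not found") }
    if (Test-GroupExists $g.Name) { $problems.Add("Group '$($g.Name)' already exists") }
}
foreach ($n in $nesting) {
    foreach ($name in @($n.Group, $n.Member)) {
        if (-not (Test-GroupKnown $name)) { $problems.Add("Nesting: group '$name' does not exist") }
    }
}
foreach ($m in $members) {
    if (-not (Test-GroupKnown $m.GroupName)) { $problems.Add("Members: group '$($m.GroupName)' does not exist") }
    $hits = Find-UserByDisplayName $m.Member
    if ($hits.Count -eq 0)     { $problems.Add("Members: user '$($m.Member)' not found") }
    elseif ($hits.Count -gt 1) { $problems.Add("Members: display name '$($m.Member)' matches $($hits.Count) users; it must be unique") }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    $problems | Set-Content -Path '.\Validation-Errors.txt'   # the post's "test file for later control"
    throw "Validation failed with $($problems.Count) problem(s); nothing was written to AD."
}
if (-not $Commit) { Write-Host 'Validation passed. Re-run with -Commit to apply.'; return }

# Pass 2: writes, in the post's order.
foreach ($g in $groups) {
    $params = @{
        Name = $g.Name; SamAccountName = $g.Name; DisplayName = $g.DisplayName
        Path = $g.OU; GroupCategory = $g.GroupType; GroupScope = 'Global'   # scope is an assumption; the CSV has no column for it
    }
    if ($g.Description) { $params.Description = $g.Description }
    if ($g.Mail)        { $params.OtherAttributes = @{ mail = $g.Mail } }
    New-ADGroup @params
    Write-Host "Created group $($g.Name)"
}
foreach ($n in $nesting) {
    Add-ADGroupMember -Identity $n.Group -Members (Get-ADGroup -LDAPFilter "(name=$(ConvertTo-LdapLiteral $n.Member))")
    Write-Host "Added group $($n.Member) to $($n.Group)"
}
foreach ($m in $members) {
    Add-ADGroupMember -Identity $m.GroupName -Members (Find-UserByDisplayName $m.Member)[0]
    Write-Host "Added user $($m.Member) to $($m.GroupName)"
}
```

Run it first without -Commit; the warnings and Validation-Errors.txt are the check the post describes, and the ambiguous-display-name case is the one that silently adds the wrong person if you skip it.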

The script can be downloaded here:

GroupsAD.zip.

LepideAuditor for File Server

LepideAuditor for File Server is a nice and powerful tool for auditing file servers. It has many good characteristics and it is one of my preferred auditing tools.
When I installed it for the first time, it seemed to me that I had done something wrong; I could not believe that you can install and configure auditing software so easily. However, it was true. Installing and configuring this software is very easy, and Lepide did a great job here. The next thing that surprised me was that there are two completely separate modules: one for configuration and monitoring and the other for reporting. This approach gives me the opportunity to let someone from the non-administrative staff (a company manager) control who is accessing the files and what he / she is doing in the system, without the ability to change the audit parameters and with no need for any configuration knowledge.

After installing the software from the install package, it is time to configure it, and this step is easy. First, you have to add the file servers which you want to monitor. This is done with a wizard in a few steps: here you specify the servers (you can browse from AD), select the SQL server and database, install the agent and add the servers to an Audit server group. Here I saw an opportunity for small companies, where administrators often have budget problems and buying a SQL server is not an option: LepideAuditor for File Server can work with SQL Express! This is not a limitation if you have a bigger company, as you can choose a dedicated SQL server and in this way store more data.

There is also a very simple and effective way to create an audit policy, and this enables administrators with less experience to use the preconfigured policies or quickly create a new one. Another great feature is the object lists, which allow you to exclude some file types (like TMP) from logging or include just the file types that you need to monitor. Although this may not seem important, you will quickly find that it is very useful to have smaller log databases. You can also set up logging for some users only, or just for a group of users, but here I always prefer to log all users. You never know what will happen!
In addition, don't forget to set up alerts! Alerting is done very well: you can choose all types of alerts and how you want them delivered.
The reporting console is very nicely organized, with many ways to show and filter your data. It is well structured and logically done, so anyone can find what he needs. I like the concept of the console a lot: when you open it, you can immediately set some options and review the results. You simply choose the event you are searching for (read or write file, change permissions, create or delete folder...) and apply additional filters to it, such as success or failure. It is simple!
Of course, you always need some special filters to search for events, and those are present at the top. They are very accurate, and choosing the right combination will give you the expected result with only the data that you searched for. It is one of my favorite reporting consoles, because you are able to find any result you need quickly and logically. Don't forget that this console is often used by IT and non-IT people. It is also done very nicely for management or non-IT people; they will love it.
Conclusion:
Lepide did a great job with this product. It is very easy to manage and easy to install and configure. I can say that it is reliable, so the results you get are useful for all needs; printed reports are nicely done and it is simple to explain their content to anyone. Alerting is very well done and I like the SMS and mail options, but here you have to be careful, as with a mismatched configuration you can quickly receive a lot of alerts.
I can recommend this software to everyone. It is a good solution for small and bigger companies; you can also think about integrating other excellent Lepide products, and in this way you will have a very nice monitoring environment.

You can download the LepideAuditor for File Server trial version from http://www.lepide.com/file-server-audit/download.html.

PowerShell Script for Implementing a Mail Signature

At the beginning, we have to create a docx file. This is a normal file containing the signature design as you want it to appear and all the variables from the script that you want to replace (look at the end of the post for more information). This file also has to be saved on a share where all the affected users have read permission.
The script is written to create an Outlook signature and it works if you have MS Word 2013 and MS Outlook 2013 installed. It has been developed from a basic script on TechNet, but with additional checks and conditions as variables:

  • $SignatureVer – A version of signature – Change it when you have to deploy a new signature;
  • $UseSignOnNew – Use this signature when you send a new mail;
  • $UseSignOnReply – Use this signature when you send a mail as reply;
  • $ForceSignatureNew – Force this signature on a new mail. The user will not be able to change it (it will also force it on reply);
  • $ForceSignatureReply – Force signature on reply to mails.

Be careful, because forcing the signature will create registry values. Cancelling these settings means that you have to delete the registry values manually.

Two new registry values used by the script are introduced:

  • In the path HKCU:\Software\Microsoft\Office\15.0\Common\MailSettings, the value VersionSignature holds the current version of the installed signature.
  • In the path HKCU:\Software\Microsoft\Office\15.0\Common\MailSettings, the value ADChangeDate holds the date when the signature was applied.

We need both values to determine whether the company changed the version of the signature and the new one has to be deployed, and in addition whether something changed in the AD user object since the last deployment of the signature. If the AD user was changed, the user can choose whether to deploy the changes or not (reason / example: the AD user object also changes when the user changes the password, and in that case we do not deploy a new signature).
The script should be run as a logon script and it is divided into two blocks:

  1. The purpose of the first block is to determine whether the signature has to be deployed to the user. Here we can see whether the user already has a signature deployed and whether something has changed since the last deployment. This block queries the AD user object and compares the data from AD with the local data.
  2. The second block actually deploys the signature; to optimize speed and load, it runs only when the signature has to be deployed. It copies the docx template to the local machine, replaces the variables with real data and generates the signature in Outlook. To do this, Outlook will be closed if it is open. At the end, the script writes the two registry values and deletes the signature template from the local machine.
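The two blocks, as an added example written for this post (it is not the downloadable Mail_Sign script): block 1 decides from $SignatureVer, the two MailSettings values and the AD user's whenChanged whether to deploy, and asks the user only when the AD object changed; block 2 copies the docx template locally, replaces the six placeholders with Word, saves the signature where Outlook reads it and records the deployment. The template share path, the signature name, the use of ADSI instead of the AD module, and the treatment of whenChanged as local time are assumptions; the forcing options are left out.

```powershell
# Added example, not the post's script. Logon script: decide whether to (re)deploy the Outlook
# signature, and if so generate it from the docx template and record what was deployed.
$SignatureVer    = '1'                                    # bump when a new template is released
$TemplateShare   = '\\fileserver\signatures\Company.docx' # read-only share for all users (assumption)
$SignatureName   = 'Company'                              # name shown in Outlook (assumption)
$UseSignOnNew    = $true
$UseSignOnReply  = $true
$MailSettingsKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\MailSettings'

function Get-AdUserInfo {
    # Workstations usually have no AD module, so the user object is read through ADSI (assumption).
    $searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User $env:USERNAME not found in AD" }
    $p = $result.Properties
    function Get-First([string]$Name) { if ($p[$Name].Count -gt 0) { [string]$p[$Name][0] } else { '' } }
    [pscustomobject]@{
        DisplayName   = Get-First 'displayname'
        'E-Mail'      = Get-First 'mail'
        Title         = Get-First 'title'
        AllAddress    = (@((Get-First 'streetaddress'), (Get-First 'l'), (Get-First 'postalcode')) | Where-Object { $_ }) -join ', '
        MobileN       = Get-First 'mobile'
        WorkingOffice = Get-First 'physicaldeliveryofficename'
        WhenChanged   = [datetime]$p['whenchanged'][0]   # assumed to be returned in local time
    }
}

function Test-SignatureDeployment {
    # Block 1: returns whether to deploy, whether to ask the user first, and the reason.
    param([string]$Version, [datetime]$AdWhenChanged)
    $local = Get-ItemProperty -Path $MailSettingsKey -ErrorAction SilentlyContinue
    if (-not $local -or -not $local.VersionSignature) {
        return [pscustomobject]@{ Deploy = $true; Ask = $false; Reason = 'no signature deployed yet' }
    }
    if ([string]$local.VersionSignature -ne $Version) {
        return [pscustomobject]@{ Deploy = $true; Ask = $false; Reason = "signature version $($local.VersionSignature) -> $Version" }
    }
    # ADChangeDate is written in round-trip ('o') format, so it parses back unambiguously.
    $applied = [datetime]::Parse($local.ADChangeDate, [cultureinfo]::InvariantCulture, 'RoundtripKind')
    if ($AdWhenChanged.ToUniversalTime() -gt $applied.ToUniversalTime()) {
        return [pscustomobject]@{ Deploy = $true; Ask = $true; Reason = "AD object changed on $AdWhenChanged" }
    }
    [pscustomobject]@{ Deploy = $false; Ask = $false; Reason = 'signature is current' }
}

function New-OutlookSignature {
    # Block 2: copy the template locally, replace the placeholders, save in the formats Outlook reads.
    param([string]$TemplatePath, [hashtable]$Values, [string]$Name)
    $sigDir = Join-Path $env:APPDATA 'Microsoft\Signatures'
    New-Item -ItemType Directory -Path $sigDir -Force | Out-Null
    $localCopy = Join-Path $env:TEMP "$Name-template.docx"
    Copy-Item -Path $TemplatePath -Destination $localCopy -Force
    Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue | Stop-Process -Force   # the post closes Outlook first
    $word = New-Object -ComObject Word.Application
    $doc  = $word.Documents.Open($localCopy)
    foreach ($placeholder in $Values.Keys) {
        # Find.Execute(FindText, MatchCase, MatchWholeWord, MatchWildcards, MatchSoundsLike, MatchAllWordForms,
        #              Forward, Wrap=wdFindContinue, Format, ReplaceWith, Replace=wdReplaceAll)
        [void]$doc.Content.Find.Execute($placeholder, $true, $false, $false, $false, $false, $true, 1, $false, [string]$Values[$placeholder], 2)
    }
    foreach ($fmt in @(@{ Ext = 'htm'; Code = 10 }, @{ Ext = 'rtf'; Code = 6 }, @{ Ext = 'txt'; Code = 2 })) {
        $doc.SaveAs([ref](Join-Path $sigDir "$Name.$($fmt.Ext)"), [ref]($fmt.Code))   # filtered HTML, RTF, plain text
    }
    $doc.Close($false)
    $word.Quit()
    Remove-Item -Path $localCopy -Force   # the post deletes the local template at the end
}

$adUser   = Get-AdUserInfo
$decision = Test-SignatureDeployment -Version $SignatureVer -AdWhenChanged $adUser.WhenChanged
$deploy   = $decision.Deploy
if ($decision.Ask) {
    # The AD object changed (possibly only a password change), so let the user decide, as the post does.
    Add-Type -AssemblyName System.Windows.Forms
    $answer = [System.Windows.Forms.MessageBox]::Show("$($decision.Reason). Update your mail signature?", 'Mail signature', 'YesNo', 'Question')
    $deploy = ($answer -eq 'Yes')
}
if ($deploy) {
    $values = @{}
    foreach ($field in 'DisplayName', 'E-Mail', 'Title', 'AllAddress', 'MobileN', 'WorkingOffice') { $values[$field] = $adUser.$field }
    New-OutlookSignature -TemplatePath $TemplateShare -Values $values -Name $SignatureName
    # Make it the default for new and/or reply mail, then record version and deployment time for block 1.
    if (-not (Test-Path $MailSettingsKey)) { New-Item -Path $MailSettingsKey -Force | Out-Null }
    if ($UseSignOnNew)   { Set-ItemProperty -Path $MailSettingsKey -Name NewSignature   -Value $SignatureName }
    if ($UseSignOnReply) { Set-ItemProperty -Path $MailSettingsKey -Name ReplySignature -Value $SignatureName }
    Set-ItemProperty -Path $MailSettingsKey -Name VersionSignature -Value $SignatureVer
    Set-ItemProperty -Path $MailSettingsKey -Name ADChangeDate    -Value ([datetime]::Now.ToString('o'))
}
```

Block 1 runs on every logon and touches nothing but the registry read and one LDAP query, so the Word work in block 2 only happens when the version changed or the user agreed, which is the load optimization the post describes.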

The script does not delete or affect in any other way any of the signatures that are present in Outlook. The only effect is that, if you select it, it will change the default signature on new and / or reply mails. Of course, all data of the AD user object can be retrieved; you just need to find a field name in AD and associate it with a variable in the script. It is pretty easy.

In my script, there are some variables that have to be present in the docx template:

  • DisplayName – Will be replaced with the Display Name value from AD
  • E-Mail – Will be replaced with the E-Mail value from AD
  • Title – Will be replaced with the Title value from AD
  • AllAddress – Will be replaced with the complete address from AD (street, city, postal code)
  • MobileN – Will be replaced with the Mobile number value from AD
  • WorkingOffice – Will be replaced with the Office value from AD

Of course it is up to you to change these values to any other value you wish, but be careful that the values defined in the script are present in the Word template document. Only in this case will the script be able to replace them.

You can download the script here: Mail_Sign script.

Spectrum in Living Computer Museum

A month ago I was in the Seattle Living Computer Museum. It was my second visit there, because the first time I saw that they didn't have the good old Spectrum. I think that this is a part of computer history, especially in Europe (do you remember: Commodore 64 vs Sinclair Spectrum?), so I decided to find one and bring it to the museum. I found a working Spectrum: my friend, Boris Santelj, was one of the "Spectrum guys" in those times (I was a Commodore guy) and he gave me his computer to bring to the Living Computer Museum.
I want to give him special thanks for giving me his computer and giving me the opportunity to make it a part of history 😉

Living Computer Museum.
