Archive for the ‘Active Directory’ Category

Unable to close MMC – You must close all dialog boxes before you can close

June 24, 2011 4 comments

Long time no see y’all – been a bit quiet but am back with another bug from Microsoft;

When attempting to close MMC (Active Directory Users and Computers or the Exchange Management Console for example) on a Windows 2008 R2 server with Internet Explorer 9 installed you get the following error;

For the sake of our friend Google (as I’m not using my normal software to fill out the “blanks”) – that’s “You must close all dialog boxes before you can close Exchange Management Console”.


There is an interesting thread on the Technet forums that has been going some time;

It looks to affect Windows 7 also – so it must be the “7” suite of OS’s (i.e. Windows 6.1).


The “work-around” at this moment is to uninstall IE9 – which is fine on your server (and not so fine on your Desktop). Some users have reported that disabling Enhanced Security for IE is a temporary fix (along with adding http://localhost and https://localhost to the Trusted sites), though I don’t see how this would work with Windows 7.


Official line from MS at this moment is “Sorry, we are working on it”.


Funnily enough it only seems to happen when certain dialog boxes / panes are opened (see the Technet post above) – so if you do get it, just kill mmc.exe from Task Manager 🙂


Au Revoir!


Hosts “not responding” after joining Virtual Centre to Active Directory

March 2, 2011 Leave a comment

Had a bit of a scary moment today – joined the Virtual Centre server to an AD so I could install backup technologies onto it.


All went fine aside from when I opened the vSphere client – all my hosts were marked as “not responding”.


Re-connected the hosts (as can be seen above) – and the hosts popped back in and then back out again. Hmm, not good!

Checked DNS, all right as far as I can see. Checked time sync, all right again.


Rather bricked myself, so off I went uninstalling the Virtual Centre server and reinstalling (using the existing DB) and voila! all is good.


In short, if you do have to join your Virtual Centre to AD, do it before you put Virtual Centre on it or reinstall afterwards!

SYSVOL holder list wrong on multi-site AD config

September 10, 2010 Leave a comment

After authentication to a Windows 2003 Domain Controller, the DC will then list the possible SYSVOL servers for the client to use for GPO related files/folders. By default the order is as follows;

· List all Site-local holders to the client

· Randomly list the remaining SYSVOL holders, not based on Site Costing.

Consider a three-site AD structure, with a single DC at each site;

A user authenticated against the DC in SITEA would get the following SYSVOL servers presented to it;

1 entries…
Entry: \domainname\sysvol
ShortEntry: \domainname\sysvol
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\DC1.domainname\sysvol] State:0x21 ( ACTIVE )
1:[\DC2.domainname\sysvol] State:0x21 ( )
2:[\DC3.domainname\sysvol] State:0x21 ( )

N.B. entries 1 and 2 are randomly ordered, and could just as easily be reversed.

In this scenario, no further configuration or design thoughts are required and SYSVOL will always be presented from a local-to-site server.

However, consider a more complicated design that contains multiple sites without local Domain Controllers. This is fine for authentication, as site-based costing is used to decide the nearest DC to each site – this is stored within DNS so that clients can always find their nearest authentication server (GC).

As the default behaviour for SYSVOL location is Local Site, then Random (with no Site Costing calculations done), consider the following;

A user authenticates from SITEC. There are no local Domain Controllers (with the GC role) available; however it is able to locate DC2 as the nearest authentication point using DNS. DC2 is then asked for a list of available SYSVOL points, and builds it using the rules below;

· List all Site-local holders to the client

· Randomly list the remaining SYSVOL holders, not based on Site Costing.

As there are no site-local holders of the SYSVOL share, it skips the first point and lists the remaining SYSVOL holders randomly, giving a result similar to;

1 entries…
Entry: \domainname\sysvol
ShortEntry: \domainname\sysvol
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\DC1.domainname\sysvol] State:0x21 ( ACTIVE )
1:[\DC2.domainname\sysvol] State:0x21 ( )

N.B. Again this is random, and DC2 could just as likely be first priority.

This works fine if DC1 is over a fast WAN link, and therefore responsive enough for the end user not to notice. However, if DC1 is placed on the end of a 2Mbit site-to-site link and DC2 is on a 100Mbit LES/MPLS, the difference is astounding – especially in environments with multiple Group Policies.
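As an added illustration (my example, not part of the original post), the PowerShell below models the two referral rules described above against a constructed topology: DC1 in SITEA, DC2 in SITEB, and SITEC with no DC of its own. The site names and link costs are made up for the example. The second function shows, for comparison, what a site-costed ordering would produce; it assumes that “site costing” means sorting the holders by the site-link cost from the client’s site.

```powershell
# Constructed topology for the example: where each SYSVOL holder lives and the
# site-link cost from each client site to each holder site (own site = 0).
$holderSite = @{ DC1 = 'SITEA'; DC2 = 'SITEB' }
$linkCost   = @{
    'SITEA->SITEA' = 0;   'SITEA->SITEB' = 100
    'SITEB->SITEA' = 100; 'SITEB->SITEB' = 0
    'SITEC->SITEA' = 500  # the 2Mbit site-to-site link
    'SITEC->SITEB' = 10   # the 100Mbit LES/MPLS link
}

# Default Windows 2003 referral order as described in the post:
#   1. every holder in the client's own site (alphabetical here; the real order is undefined)
#   2. the remaining holders in random order, with no site costing applied
function Get-DefaultSysvolReferral {
    param([string]$ClientSite, [hashtable]$HolderSite)
    $local  = @($HolderSite.Keys | Where-Object { $HolderSite[$_] -eq $ClientSite } | Sort-Object)
    $remote = @($HolderSite.Keys | Where-Object { $HolderSite[$_] -ne $ClientSite })
    if ($remote.Count -gt 1) { $remote = @($remote | Get-Random -Count $remote.Count) }
    return $local + $remote
}

# What a site-costed referral would do instead: cheapest site link first, name as tie-break
function Get-SiteCostedSysvolReferral {
    param([string]$ClientSite, [hashtable]$HolderSite, [hashtable]$LinkCost)
    return @($HolderSite.Keys | Sort-Object { $LinkCost["${ClientSite}->$($HolderSite[$_])"] }, { $_ })
}

foreach ($site in 'SITEA', 'SITEB', 'SITEC') {
    $default = Get-DefaultSysvolReferral   -ClientSite $site -HolderSite $holderSite
    $costed  = Get-SiteCostedSysvolReferral -ClientSite $site -HolderSite $holderSite -LinkCost $linkCost
    '{0,-5} default: {1,-8} site-costed: {2}' -f $site, ($default -join ','), ($costed -join ',')
}
```

Run it a few times: SITEA and SITEB always get their local DC first, whereas SITEC’s default list flips between DC1-first and DC2-first from one run to the next, which is exactly the behaviour behind the slow GPO processing described above. The site-costed ordering puts DC2 first for SITEC every time.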


July 22, 2009 Leave a comment

Below is a script to find any users who have logon hours restricted (i.e. not set to “Allow Any Time”)


Don’t forget to generate an objects.txt by running “dsquery user -limit 0 > objects.txt” as per any of my other scripts.


' Find users whose logonHours attribute restricts logon (anything other than "Allow Any Time").
' Input: objects.txt from  dsquery user -limit 0 > objects.txt  (one quoted DN per line).
strTextFile = "objects.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strTextFile, 1, False, 0)

Do Until objTextFile.AtEndOfStream
    blnHasHours = False
    strObject = Trim(objTextFile.ReadLine)
    If Len(strObject) > 2 Then
        ' dsquery wraps each DN in double quotes - strip them
        strObject = Mid(strObject, 2, Len(strObject) - 2)

        On Error Resume Next
        Set objObject = GetObject("LDAP://" & strObject)
        If Err.Number <> 0 Then
            WScript.Echo "Could not bind to " & strObject
            Err.Clear
        Else
            strName = objObject.Get("cn")
            ' Get raises an error when logonHours is not set, which means "Allow Any Time"
            arrLogonHours = objObject.Get("logonHours")
            blnHasHours = (Err.Number = 0)
            Err.Clear
        End If
        On Error GoTo 0

        If blnHasHours Then
            ' logonHours is 21 bytes = 168 bits, one per hour of the week.
            ' A byte of 255 allows all eight of its hours; any other value is a restriction.
            blnRestricted = False
            For i = 1 To LenB(arrLogonHours)
                If AscB(MidB(arrLogonHours, i, 1)) <> 255 Then blnRestricted = True
            Next
            If blnRestricted Then
                WScript.Echo strName & " has Logon Hours defined - please investigate."
            End If
        End If
    End If
Loop

objTextFile.Close
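The same check in PowerShell, added here as an example of mine rather than code from the original post. Instead of only testing for “all bytes are 255”, it decodes the 21-byte logonHours value into the hours that are actually blocked. The bit layout it assumes (168 one-hour bits starting Sunday 00:00, stored in UTC, least significant bit of each byte first) is my understanding of the attribute and is worth checking against an account you have deliberately restricted in your own domain. The sample byte array is constructed; the commented Get-ADUser lines assume the ActiveDirectory module.

```powershell
function Get-LogonHoursReport {
    param(
        [byte[]]$LogonHours,      # raw logonHours attribute, or $null when not set
        [string]$Name = 'user'
    )
    # No attribute at all, or every bit set, is "Allow Any Time"
    if ($null -eq $LogonHours -or @($LogonHours | Where-Object { $_ -ne 255 }).Count -eq 0) {
        return [pscustomobject]@{ Name = $Name; Restricted = $false; BlockedHours = @() }
    }
    if ($LogonHours.Length -ne 21) {
        throw "logonHours for $Name is $($LogonHours.Length) bytes, expected 21"
    }
    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    # Assumed layout: bit n of the 168 = hour n of the week, Sunday 00:00 UTC first,
    # least significant bit of each byte first. A clear bit is a blocked hour.
    $blocked = foreach ($hour in 0..167) {
        $byte = [int][math]::Floor($hour / 8)
        $bit  = $hour % 8
        if ((($LogonHours[$byte] -shr $bit) -band 1) -eq 0) {
            '{0} {1:00}:00 UTC' -f $days[[int][math]::Floor($hour / 24)], ($hour % 24)
        }
    }
    return [pscustomobject]@{ Name = $Name; Restricted = $true; BlockedHours = @($blocked) }
}

# Constructed sample: Sunday blocked (first three bytes clear), everything else allowed.
$sample = [byte[]]((0, 0, 0) + (@(255) * 18))
$report = Get-LogonHoursReport -LogonHours $sample -Name 'jsmith'
'{0}: restricted={1}, blocked hours={2}' -f $report.Name, $report.Restricted, $report.BlockedHours.Count
$report.BlockedHours | Select-Object -First 3

# Against the domain (ActiveDirectory module), same idea as the objects.txt loop above:
# Get-ADUser -Filter * -Properties logonHours |
#     ForEach-Object { Get-LogonHoursReport -LogonHours $_.logonHours -Name $_.SamAccountName } |
#     Where-Object Restricted
```

The sample reports 24 blocked hours, all on Sunday. Because the bitmap is in UTC, an account restricted to “office hours” in ADUC on a non-GMT server will show its blocked hours shifted by the server’s offset; that is expected, not a fault in the decode.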

Updating AD Users from a CSV

April 28, 2009 Leave a comment

I recently came across a question on EE about updating GAL entries (i.e. AD user attributes) via CSV.

I wasn’t sure, so did a quick google.

There is a script ( that allows this. The instructions on the linked page are detailed enough, so take this as a reminder to me (and anyone who comes across this) of where to find it and how to do it 🙂

Categories: Active Directory

What to do when your SYSVOL stops replicating………

December 17, 2008 Leave a comment

Just a reminder for myself how to do it really.

Got a customer who was getting several error messages.

I’ll deal with the SYSVOL replication issues first, then move onto the DCOM issues.

They were getting;


I checked the usual, and both DC01 and DC02 could talk ok, so I figured “Let’s just Resync the bugger”.

The above MS KB will tell you in detail, however here is a summary for replacing DC02’s copy with DC01’s (making DC01 authoritative)

Stop the File Replication Service on both DC01 and DC02

Edit the registry on both;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

On DC01 I set it to D4 –> AKA Authoritative. On DC02 I set it to D2 –> AKA non-authoritative.

Start the FRS on DC01 and let it clear through the normal event log messages (right up to where it proclaims it is OK to be a DC again! Thank god!), then start it up on DC02. Monitor, and voila, it all synced!
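The same sequence as a PowerShell script, added here as my own example rather than the post’s procedure. BurFlags is the REG_DWORD value name under the key quoted above (D4 = authoritative, D2 = non-authoritative), and event 13516 in the File Replication Service log is the “OK to be a DC again” message the post waits for. DC01 and DC02 are placeholders, and the script assumes PowerShell remoting is enabled on both DCs. The key is opened through the .NET registry API rather than the HKLM: drive because the registry provider would read the “/” in “Backup/Restore” as a path separator.

```powershell
# Key from the post; the value name inside it is BurFlags (REG_DWORD).
$frsSubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-FrsBurFlags {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [ValidateSet('Authoritative', 'NonAuthoritative')] [string] $Mode
    )
    $flag = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }
    Invoke-Command -ComputerName $ComputerName -ArgumentList $frsSubKey, $flag -ScriptBlock {
        param($SubKey, $Flag)
        Stop-Service -Name NtFrs -Force
        # .NET API: the HKLM: provider would treat the "/" in Backup/Restore as a path separator
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { throw "FRS key not found on $env:COMPUTERNAME" }
        $key.SetValue('BurFlags', $Flag, [Microsoft.Win32.RegistryValueKind]::DWord)
        $result = $key.GetValue('BurFlags')
        $key.Close()
        '{0}: BurFlags set to 0x{1:X2}' -f $env:COMPUTERNAME, $result
    }
}

function Start-FrsAndWait {
    param([Parameter(Mandatory)] [string] $ComputerName, [int] $TimeoutMinutes = 30)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $TimeoutMinutes -ScriptBlock {
        param($Timeout)
        $since = Get-Date
        Start-Service -Name NtFrs
        # Event 13516 = FRS is no longer preventing this computer from becoming a DC
        do {
            Start-Sleep -Seconds 30
            $ok = Get-EventLog -LogName 'File Replication Service' -After $since -ErrorAction SilentlyContinue |
                  Where-Object { $_.EventID -eq 13516 }
        } until ($ok -or ((Get-Date) -gt $since.AddMinutes($Timeout)))
        if (-not $ok) { throw "$env:COMPUTERNAME did not log FRS event 13516 within $Timeout minutes" }
        '{0}: FRS reports it is OK to be a DC again' -f $env:COMPUTERNAME
    }
}

# Order matters: flag both DCs while FRS is stopped, start the authoritative one first and
# wait for it, and only then start the non-authoritative one. DC01/DC02 are placeholders.
Set-FrsBurFlags  -ComputerName 'DC01' -Mode Authoritative
Set-FrsBurFlags  -ComputerName 'DC02' -Mode NonAuthoritative
Start-FrsAndWait -ComputerName 'DC01'
Start-FrsAndWait -ComputerName 'DC02'
```

Starting DC02 before DC01 has logged 13516 is the mistake to avoid: the non-authoritative copy would have nothing good to sync from yet, which is why the two starts are separated by the wait.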

Jobs a goodun’ guvnor 😉