Server 2003 Active Directory replication problems

We just replaced one of our domain controllers with a brand spankin new rack mounted IBM eServer. We were like kids at Christmas time opening the huge box and gawlking at the beautifull insides. Installation went well, for the most part.

The server we replaced had Microsoft Exchange running on it, DNS and IIS hosting a website. The Exchange database had some corruption to it and had to be repaired but it went well. Once we got it up and running and made it a domain controller, installed Exchange, restored the Exchange database, got the website up and running and a couple of other applications it needed it purred away and was right at home. Then a couple of days later we added the first user to our domain since the upgrade and for some reason we couldn’t log on with it. After some looking and checking out the event viewer we noticed errors with the Active directory replication service. Apparently the two domain controllers were not on speaking terms with one another. Research was pointing to DNS as the cause and how Windows Server 2003 handles active directory replication following an unsuccessful DNS lookup.

From Microsoft’s support site it appears that Server 2003 with Service Pack 1 (which I thought was on both boxes) handles this much better. So after I figured out that one of the servers didn’t have Service Pack 1 I installed it rebooted and the two Servers decided they were on speaking terms after all. I think we need to do some diving into the workings of the DNS problem but for now it’s working!



This is one of those shots that you get every now and then that are totally unexpected. I took my camera to my son’s t-ball game and hadn’t really planned on taking any shots. I had taken pictures at several previous games and they all start looking the same. So, I was a bit bored and just wandering around the area by his field when I saw this girl and snapped a couple, not really thinking much about it. When I got back I dumped everything and saw this and loved it immediately.

Traffic trouble

Here’s a lesson we learned the hard way. We have a remote site that has a PIX 501 installed using VPN to connect back to our main site to a PIX 506. It worked great for about a month and then we began having problems.
For some reason random computers behind the PIX 501 would stop communicating to the internet. We beat our heads against the wall, went to the remote site and just couldn’t get it figured out. We would reboot the PIX and things seemed to start working only to randomly quit hours later. For some strange reason checking the log on the PIX had slipped my mind. When I did finally type ‘show log’. The light came on and the angels sang ‘Halleluiah’. Hidden between the ‘Built inbound TCP connection…’ and ‘Teardown TCP connection…’ lines was the magic info that we desperately needed. ‘host blocked…license limit exceeded.’ As soon as I saw that I realized what was going on. The PIX 501 has a 10 user limit. My thought on it was that the limit was on 10 VPN connections either outbound or inbound. The limit is actually 10 hosts communicating through the PIX. So, we called our favorite hardware and software vendor overnighted a license upgrade to increase the limit from 10 to 50. We’ve gone a full day with no phone calls so far! Kind of a wierd problem and something we should have picked up on on earlier but, that’s the way things go in the tech world sometimes!

The boob-tube

It all started when they took Tech-TV and run it into the ground by allowing the G4 network to take it over. The G4 network is a gaming network, don’t get me wrong, I like games. PS2 games, PC games, PSP is cool too. But no one would be able to call me a hard core gamer. Every now and then a game comes along and I get sucked into it and spend tons of time playing. Like Burnout 3 or Half Life 2 or Far Cry or Dungeon Seige. But my career and more of my time is tech related and I have to say that I shed a tear when G4 took Tech-TV and totally decimated it. Not long after that I called the Dish Network and had them change my package to only local channels. I don’t really miss having all of those channels either. It was mostly just a bunch of junk anyways.
So now I’ve been renting DVD’s like crazy. I signed up with Blockbuster’s movie pass thing which allows you to have 2 DVD’s out at a time for as long as you want for like $19.95 a month. It’s pretty cool because I’m far more inclined to experiment and get stuff I’m not sure about. We usually rented about 3 to 4 movies a month prior to getting rid of the extra channels anyways. At $3.75 a pop that ended up being about $15.00. Now I can get as many as I can watch in a month for $4.00 more. There are movie rental places that are cheaper than the $3.75 but my experience there has been that they don’t have what I want when I want it. Someone else I know has a problem with Blockbuster, but we won’t discuss that here! :) I tried the movie by mail thing, but the turn around is just too slow for me. Content on demand is where we are heading and the quicker we get there the better.

  • Camera: NIKON D70
  • Taken: 14 July, 2005
  • Aperture: ƒ/5.6
  • Focal length: 70mm
  • Shutter speed: 1/60s

Enable and disable domain user accounts with VBScript

How to enable and disable a Windows domain account using vb script. In our network there are only 2 people who are able to add or manipulate domain users. Every now and then I have wanted to give a non administrator user the ability to enable or disable a user account.


In our case we have a couple of domain user accounts used for external software support companies that VPN into our network to perform tasks. I didn’t want that account being open and accessible all of the time. I realize I could have used logon hours within the account properties to specify what hours the user could and couldn’t log on, but I wanted to the account to only be enabled when the support personel asked for access. I didn’t want to add the person I wanted to be able to enable and disable this account to the domain administrator’s group and I didn’t want to have to install the domain administration tools on their PC so they could do this locally.
After some research I found a really easy way to accomplish this using VB Script. The user that will be running the script will have to have security privileges on the user that they are going to be able to enable or disable. Create a text file and name it whatever you want with .vbs as the extension. Edit the following text in the appropriate places and copy this text into the .vbs file.

Set objUser = GetObject _
objUser.AccountDisabled = FALSE

Replace accountname with the user account name, replace organizationalunit with the appropriate organizational unit, domain and domain extension. Save the text file.
Just double click it to execute and viola! Now this is just the bare minimum coding to enable a disabled account it doesn’t come back and let you know it worked or didn’t work. You could get fancy and make it display a message box when it’s finished, but I didn’t feel like going that far.
The following code disables the specified account.
Set objUser = GetObject _
(“LDAP://cn= accountname,ou= organizationalunit,dc= domain,dc= domainextension “)
intUAC = objUser.Get(“userAccountControl”)
objUser.Put “userAccountControl”, intUAC OR ADS_UF_ACCOUNTDISABLE

For added security I took the disable account code and made a scheduled task on one of our servers to automatically run this script every day at 4:30pm. That way I know the account gets disabled and don’t have to worry about someone forgetting to disable it.

I love America

I love America

I went to the 4th of July celebrations put on by one of the churches in the area. I was impressed with how well they did the planning and activities. It was the first large scale fireworks I had been to in several years. I was also impressed because they gave a good gospel message and there was at least 100,000 people there that day. Many of those people are not regular church attenders.