Digital Locksmith: Resetting the Directory Services Restore Mode password on Windows Server 2003

Do you have a friend that you call when you have some totally off the wall question about IT related stuff? Well I am that friend for most of the people that I know for some odd reason, and some of the questions I get are doozies.

For instance I get this call yesterday afternoon:

Friend in need: “Hey man how’s it going?”

Me: “Not bad, working on getting our new accounting software set up, Go Live is next Monday, so I just want to make sure everything is right, you know.”

Friend in need: “Cool, hey do you know how to reset the Directory Services Restore Mode password on a WS2003 box?”

Me: “Wait, what?”


Not your everyday run of the mill question. This is an interesting type of problem, where you need thing A to get thing B, but cannot get thing A without already having thing B, or what I like to call “The Bill and Ted Conundrum” (excerpt from Bill and Ted’s Excellent Adventure):

Bill: Ted, while I agree that, in time, our band will be most triumphant, the truth is, Wyld Stallyns will never be a super band until we have Eddie Van Halen on guitar.
Ted: Yes, Bill, but, I do not believe we will get Eddie Van Halen until we have a triumphant video.
Bill: Ted, it’s pointless to have a triumphant video before we even have decent instruments.
Ted: Well, how can we have decent instruments when we don’t really even know how to play?
Bill: That is why we NEED Eddie Van Halen!
Ted: And THAT is why we need a triumphant video.

The Directory Services Restore Mode (DSRM) password is somewhat of a last ditch safeguard put in place by Microsoft to protect Active Directory. Without the DSRM password, you cannot restore Active Directory. This prevents attackers from creating a new Active Directory and then restoring it over your Active Directory, thereby completely pwning your network.

But what if you need to restore Active Directory, and do not have the DSRM password? Like if the SysAdmin who built AD originally did not document it and then left the company? Now we are in The Bill and Ted Conundrum: you need the DSRM password to restore AD, but you don’t have the DSRM password.

Luckily for us, Microsoft has their own version of Rufus with his time travelling Phone Booth for WS2003: the NT Directory Services Utility (Ntdsutil.exe).

To reset the DSRM password in Windows Server 2003 using Ntdsutil.exe:

  1. Log on to the domain controller using an account with administrative rights.
  2. Go to Start>Run and type: cmd {ENTER}.
  3. At the command prompt, type: cd %SystemRoot%\System32 {ENTER}.
  4. Type: ntdsutil.exe {ENTER}
  5. Type: set dsrm password {ENTER}
  6. Type: reset password on server null {ENTER}
  7. Enter the new password when prompted.
  8. Confirm the new password when prompted.
  9. At the DSRM command prompt, type: q (to exit) {ENTER}
  10. At the Ntdsutil command prompt, type: q (to exit the utility and return to the command prompt) {ENTER}

Now that the DSRM password is changed to something you know, write it down this time. In the immortal words of The Great Ones: Bill, Ted: EXCELLENT! (cue air guitar)
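The same Ntdsutil sequence driven from PowerShell, with the part the article asks for at the end (writing it down) built in. This is an added example, not code from the original post or from Microsoft. It assumes PowerShell is installed on the domain controller, that the change log path is a placeholder you replace, and that the Security event 4794 check only applies to Windows Server 2008 and later, where that event exists (Server 2003 does not log it). The new password itself is still typed at the ntdsutil prompt and never passes through the script or the log.

```powershell
# Added example: runs the Ntdsutil DSRM reset sequence from the article and
# records the change (who, when, which DC; never the password) in a change log.
# Assumptions (not from the article): PowerShell is installed on the DC, the
# log path below is a placeholder, and the 4794 event check only applies to
# Windows Server 2008 and later, where that Security event exists.

param(
    [string]$ChangeLog = 'C:\Admin\dsrm-changes.log'   # placeholder path
)

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdministrator)) {
    throw 'Run this from an elevated prompt with an account that has administrative rights on the DC.'
}

# Steps 4-6 and 9-10 of the article, passed to ntdsutil.exe as a command
# sequence. Steps 7-8 (typing and confirming the new password) remain
# interactive: ntdsutil prompts on the console, and the password never
# touches this script, the command line or the log.
$ntdsutil = Join-Path $env:SystemRoot 'System32\ntdsutil.exe'
& $ntdsutil 'set dsrm password' 'reset password on server null' 'q' 'q'
$rc = $LASTEXITCODE

# Document the reset so the next admin is not left with the Bill and Ted
# Conundrum. The password itself belongs in the password safe, not here.
$entry = '{0:u} DSRM password reset on {1} by {2}\{3} (ntdsutil exit code {4})' -f `
    (Get-Date), $env:COMPUTERNAME, $env:USERDOMAIN, $env:USERNAME, $rc
New-Item -ItemType Directory -Path (Split-Path $ChangeLog) -Force | Out-Null
Add-Content -Path $ChangeLog -Value $entry
Write-Host $entry

# Corroboration on Server 2008 and later: Security event 4794 ("An attempt was
# made to set the Directory Services Restore Mode administrator password") is
# logged when User Account Management auditing is enabled. Server 2003 has no
# such event and no Get-WinEvent, so the check is skipped there.
if (Get-Command Get-WinEvent -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794 } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message |
        Format-List
}
```

Run it from an elevated prompt on the domain controller; ntdsutil will still ask for the new password twice exactly as in steps 7 and 8, and the log line records everything about the change except the secret.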

end

Banish Windows Notepad: Replacing Notepad with Notepad++

It’s no secret around these parts that I hate Windows Notepad. It hasn’t been updated (in any useful way) since Windows 95, and is just plain inadequate for most tasks I need a text editor for. Up to this point I have been content to simply never use it, however as I am finding myself working with text files more and more these days, I would like to completely replace it.

Now obviously I am a big proponent of Notepad++, and it would be my ideal replacement for notepad.exe. Luckily for me, there is a launcher made specifically for this. Before we begin, we will need to download the following files:

  1. The current Notepad++ install package from here.
  2. The current Notepad++ launcher from here.

Once we have these files, we can begin the process:

  1. Install Notepad++.
  2. Unzip the Notepad++ launcher, and have it ready to be copied (we will need to put this in a couple different directories).
  3. Turn off hide invisible files in Tools->Folder Options->View.

Now at this point it is pertinent to mention that there are several methods that may work for replacing Notepad; you may need to try each one until you find the one that works for your OS version (Method 1 worked for me on one XP SP2 install, but I had to use Method 2 on another).

Method 1

  1. Go to %windir%\system32\Restore
  2. Select filelist.xml and right click->Properties and uncheck Read-only
  3. Edit the file, adding:

     <REC>%windir%\notepad.exe</REC>

     to:

     <Exclude>
     <REC>%windir%\system.ini</REC>
     <REC>%windir%\tasks\desktop.ini</REC>
     <REC>%windir%\win.ini</REC>
     <REC>*:\AUTOEXEC.BAT</REC>
     <REC>*:\CONFIG.MSI</REC>
     <REC>*:\CONFIG.SYS</REC>
     </Exclude>

  4. Copy the Notepad++ launcher to %windir%\system32, replacing notepad.exe there with the Notepad++ launcher.
  5. If this worked, you should now be able to open a Run dialog, and type: notepad {ENTER}, which will launch Notepad++.
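Method 1 as a script, added here as an example (not from the original post or from the Notepad++ project). It assumes PowerShell is available on the XP machine and that $LauncherPath points at the unzipped launcher executable; the XML element names are the ones shown in the filelist.xml excerpt above. Two things a practitioner wants that the manual steps do not give you: the script keeps a dated backup of both files it overwrites, and it edits filelist.xml as XML so the exclusion is added once and the existing entries are untouched.

```powershell
# Added example: Method 1 from the article as a script. It backs up the two
# files it touches, adds the <REC> exclusion to filelist.xml only if it is not
# already there, and copies the launcher over notepad.exe.
# Assumptions (not from the article): PowerShell is available on the XP box and
# $LauncherPath points at the unzipped Notepad++ launcher executable.

param(
    [Parameter(Mandatory = $true)]
    [string]$LauncherPath          # e.g. the notepad.exe unzipped from the launcher package
)

$restoreDir = Join-Path $env:windir 'system32\Restore'
$fileList   = Join-Path $restoreDir 'filelist.xml'
$system32   = Join-Path $env:windir 'system32'
$target     = Join-Path $system32 'notepad.exe'
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'

if (-not (Test-Path $LauncherPath)) { throw "Launcher not found: $LauncherPath" }
if (-not (Test-Path $fileList))     { throw "filelist.xml not found: $fileList" }

# Keep copies of the originals so the change can be undone.
Copy-Item $fileList "$fileList.$stamp.bak"
Copy-Item $target   "$target.$stamp.bak"

# Step 2: clear the Read-only attribute on filelist.xml.
Set-ItemProperty -Path $fileList -Name IsReadOnly -Value $false

# Step 3: add <REC>%windir%\notepad.exe</REC> to the <Exclude> element.
# The file is loaded as XML rather than edited by string replacement so the
# existing <REC> entries are left exactly as they are.
$xml = New-Object System.Xml.XmlDocument
$xml.Load($fileList)
$exclude = $xml.SelectSingleNode('//Exclude')
if ($null -eq $exclude) { throw 'No <Exclude> element found in filelist.xml' }

$entry   = '%windir%\notepad.exe'
$already = @($exclude.SelectNodes('REC') | Where-Object { $_.InnerText -eq $entry })
if ($already.Count -eq 0) {
    $rec = $xml.CreateElement('REC')
    $rec.InnerText = $entry
    [void]$exclude.AppendChild($rec)
    $xml.Save($fileList)
    Write-Host "Added <REC>$entry</REC> to $fileList"
} else {
    Write-Host "filelist.xml already excludes $entry; left unchanged"
}

# Step 4: replace notepad.exe in system32 with the launcher.
Copy-Item $LauncherPath $target -Force
Write-Host "Copied launcher to $target. Test with Start > Run > notepad."
```

If Method 1 does not take on your build, the .bak copies let you put filelist.xml and notepad.exe back before trying Method 2 or 3.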

Method 2

  1. Copy the Notepad++ launcher to %windir%\system32\dllcache
  2. Copy the Notepad++ launcher to %windir%\system32
  3. A dialog will pop up; hit Cancel.
  4. If this worked, you should now be able to open a Run dialog, and type: notepad {ENTER}, which will launch Notepad++.

Method 3

  1. Copy the Notepad++ launcher to %windir%\servicepackfiles\i386
  2. Copy the Notepad++ launcher to %windir%\system32\dllcache
  3. Copy the Notepad++ launcher to %windir%\system32
  4. Copy the Notepad++ launcher to %windir%
  5. When you replace notepad.exe in %windir% and %windir%\system32, a “Windows File Protection” message box appears; click Cancel. Then another message box appears; click OK.
  6. If this worked, you should now be able to open a Run dialog, and type: notepad {ENTER}, which will launch Notepad++.

Now, enjoy the goodness that comes from having a real text editor as your default text editor.

end

Bringing awareness to AITO Syndrome.

If you work in IT I can guarantee you have run into AITO Syndrome, as it seems to affect an alarming number of people. AITO (Assumed IT Omnipotence Syndrome) is a very serious (and in some extreme cases life threatening) affliction which causes those afflicted with it to assume that anyone that works in IT knows everything about every computer related thing ever made, often including anything with a power cord.

Together, I believe we can stop AITO Syndrome. There are many warning signs, including:

  • Conversations starting with “Do you know that one program that does…. I was wondering how I can change setting XYZ to make it do ABC better, you know, like on that one movie.”
  • Calls from employees that go something like “Hey I installed program XYZ, how do I configure it?”
  • Being asked to load up “that program we got a while back to do XYZ, on the new servers” which turns out to be stored on some 5″ floppy disks in the company fire safe.
  • Conversations that start out with or contain any of the following phrases occur regularly, and these terms are used incorrectly: hackers, virus, Trojan, the Internet is down, email is broken, the network is down, crack (as in “can’t you just crack this password”, or “well I forgot the license code, so just crack it”)
  • Or maybe (and this one is tricky, because you will have to hear it more than once to realize that it is an indicator of AITO Syndrome) “So I have this music DVD, and I want to transfer just the audio to my iPod because…”

If you know someone who suffers from AITO (or are a victim of this terrible affliction yourself), please have them read this carefully:

I am not God. I cannot make things happen that are physically impossible. I am not “The One”, I do not see the world in Matrix code. I cannot load a program written in 1985 on to a server with an OS made in 2000-anything, as the hardware interface for that program likely does not exist anymore.

Yes I can do some things with technology that may to the uninitiated appear to be magic, but they are not in fact magic. Please do not mistake this for Omnipotence. I have worked very hard to attain the technology skills I have, but I cannot know everything.

I do not use every kind of computer known to man (nor have I), so the chances of me being able to pull an answer to your obscure Apple IIe question off the top of my head are slim to none. I cannot possibly have used (or in most cases have even heard of) all of the available software packages that were released this month, let alone 5 years ago.

The software packages I do know enough about to answer those kinds of questions intelligently are all packages that relate to doing my job, so you will most likely have absolutely no use for them, let alone have heard of them.

My ability to understand computers, and servers, and the software that runs on them is the direct result of many years of hard work and diligent study on my part, which I cannot impart to you in a 5 minute conversation.

The truth of it is that “computers” and everything relating to them is a job for me. When I get home at night if I sit down in front of a computer, I am either working (IT professionals work quite a lot more hours than you would think, or is healthy quite frankly), or I may send a couple people email, or even play a game for a bit.

Most likely though (assuming I do not have work that must be done), I do not even want to look at a computer, as my brain is totally fried from all the mental gymnastics I’ve had to do at work all day (while sitting at a computer all day might seem like a kick back job, I can assure you that it is incredibly tough, and highly stressful).

AITO Syndrome is not incurable! If you keep the above in mind, the symptoms will begin to disappear, and you may eventually even be symptom free! Please, do your part to end the needless suffering caused by AITO Syndrome. If for nothing else, do it for the children.

Treatment options for AITO syndrome include:

  • Frequent and hearty use of Google.com (this is considered by many IT professionals the best course of treatment).
  • Possible use of books or help files for the program or OS you have questions about (usually abbreviated as “RTFM” when prescribed by an IT professional).
  • Understanding that software has a usable life of approximately 1-2 years before it must be upgraded to a current version.
  • Hardware has a useful life of between 3 and 5 years before it must be replaced.
  • Operating Systems should be upgraded to the latest version at every hardware replacement, or at the very least when the OS manufacturer stops providing free support for them.

If these methods are not effective, more aggressive treatment options include:

  • Revocation of network access.
  • Filtering of Internet access.
  • Liberal application of a L.A.R.T. by a qualified IT Professional.
  • Migration from a standard desktop OS to DOS.
  • Questions being answered with a link to http://www.letmegooglethatforyou.com/
  • Random stapling of written instructions to various parts of your anatomy by an IT professional.

Together we can beat this horrible affliction, do your part today!

end

How do I…: Hide the non printable formatting marks in Outlook 2007?

Here’s the situation; you’re working away, minding your own business, you go to send an email, and BAM! Pilcrow overload! Where did all these characters come from? How do I get rid of them?

What you are seeing are the “non printable formatting” characters that are used by Office programs to determine the layout of your document. I’m not quite sure how most people end up with these displayed (since the default setting is for them to be hidden), but I do know that unless you are trying to fix a really tricky formatting issue, they are totally useless!

Fortunately the fix is very easy, and works not only in Outlook, but also in Word, and in all of the 2000, XP, 2003, and 2007 versions of both programs.

There is a keyboard shortcut to show or hide these characters as needed: CTRL+SHIFT+8 (don’t use the 8 on the 10 key, use the one on top of the keyboard – technically these are totally different keys). Voila! no more formatting marks.

There are ways to do this through the individual program menus as well, but why try to memorize umpteen different ways when the keyboard shortcut works in all of them?

end

How do I…: Use EXMERGE to protect Individual users’ mailboxes?

For the third time this month I’ve gotten this email:

My email is gone, I need it back.
– Your boss

Now it wasn’t exactly like that, but it was pretty dang close. I have absolutely no idea how this keeps happening (though I am pretty sure it has something to do with him deleting it while “not doing anything”), and restoring from tape is getting old.

So I put a little thought into it, and I’ve got a “quick and (not so) dirty” solution.
ExMerge can be used to backup any mailbox on any server (it works remotely too) and you can schedule it to run as you please.

WARNING: Do not confuse this procedure for a proper method for protecting Exchange. This will only protect individual mailboxes, so if anything happens to the actual Mail Store in Exchange, you’re going to have trouble if you are not performing a proper “monolithic” Exchange backup.

First we need to get a current version of ExMerge for Exchange 2003 (what I am using at work, and what this article is based on, though the steps for prior versions of Exchange are pretty much the same). To get this we head over to Microsoft’s site and download it here.

Once we have the latest version of ExMerge, extract it from the download (use 7zip or similar compression software) and copy EXMERGE.EXE to the %Program Files%>Exchsrvr>bin folder of your Exchange server.

Now we need to configure the user account being used to do this to have access to the mailbox(es) that will be backed up (by default the Exchange Full Administrator permissions do not give you the right to open any other users’ mailbox).

Configuring EXMERGE

To perform Brick-Level backups of one or more mailboxes found on one Exchange server follow these steps:

  1. Navigate to the %Program Files%>Exchsrvr>bin folder of your Exchange server and double click ExMerge.exe.
  2. On the Welcome page click Next.
  3. On the “Procedure Selection” dialogue box, select “Export or Import (Two Step Procedure)”.
  4. On the “Two Step Procedure” dialogue box, select “Step 1: Extract data from an Exchange Server Mailbox”.
  5. In the “Source Server” dialogue box specify the name of your Exchange server. If you have a multiple domain environment you’ll need to specify the name and LDAP port number of your Domain Controller. Click Next.
  6. In the “Database Selection” dialogue box select the mailbox store you want to perform the action upon (Note: In a scenario where you only have one mailbox store you will not be presented with this page). Click Next.
  7. In the “Mailbox Selection” dialogue box select individual mailboxes or press the “Select All” button to select all mailboxes found in that store. In this example I will only select one mailbox. Note that you can also see the mailbox size next to the mailbox name. Click Next.
  8. On the “Locale Selection” dialogue box select the Locale that you would like to use to search the mailboxes. (Hebrew users take note: there are special steps that must be taken to use ExMerge with Hebrew language characters. Contact Microsoft for specific instructions). Click Next.
  9. Specify the path to the folder where you want to place the .PST files. This folder should reside on a different HD than the one where your mailbox stores are located, but this is only a recommendation for performance benefits, not a must. Also, make sure you have enough free space on that partition. Click Next.
  10. On the “Save Settings” dialogue box you can now save the settings you’ve configured so far, or you can just click Next. You can also change the name and location of the files used by ExMerge by clicking on the “File Names” button.
  11. After pressing Next the process will begin. This could take a considerable amount of time depending on how many mailboxes you’ve selected and the size of the mailboxes.

Now, next time this user “does nothing” and loses all their email, I can simply restore it from this PST file (assuming that I have a recent copy). To ensure that there is always a recent copy available, we’d need to automate this process of using ExMerge, which I will cover in another post.

WARNING: Be aware of the following issues:

  • Security – ExMerge does not password-protect the .PST files it creates.
  • Storage Space – You need to consider how much space is required to store the .PST files and with what frequency you will have to purge the archived .PST files.
  • Overwriting .PST files – If there is no corresponding .PST file for the mailbox in the export folder, EXMERGE will create a new .PST file for the mailbox. The .PST file naming convention is [ALIAS].PST. If a .PST file for the mailbox already exists in the export folder, ExMerge will export only new message data from the mailbox to the .PST file. Therefore, you may want to purge the .PST files or move them to another directory so that ExMerge will create new .PST files when it runs next time.
  • Single Instance Architecture – When ExMerge exports mailbox data to a .PST file, you lose the benefit of the Single Instance message storage capability, so expect a mailbox’s newly created .PST file to be 10% to 50% larger than the mailbox itself (depending on how many messages in that mailbox are also in other mailboxes on the Exchange Server).
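The “Security” and “Storage Space” warnings above are the two a defender has to act on: ExMerge writes unprotected PSTs, and an export folder left alone fills the disk. The script below is an added example (not from the post, and not part of ExMerge) that prepares the export folder from step 9: it locks the folder down to an explicit NTFS ACL, compares free space against the worst-case size implied by the post’s 10% to 50% overhead figure, and deletes PSTs older than a retention period so the next run creates fresh files. The folder path, the account list and the retention period are placeholders you set for your environment; add the account that actually runs ExMerge to the list.

```powershell
# Added example: hardens the folder the article's ExMerge export writes to and
# keeps its size in check, addressing the "Security" and "Storage Space"
# warnings. Not from the article or from ExMerge itself.
# Assumptions: the path, account names and retention period are placeholders;
# the size estimate uses the article's 10% to 50% PST overhead figure.

param(
    [string]$ExportPath   = 'E:\ExMergeExport',   # placeholder; ideally not the mail store disk
    [string[]]$AllowedIds = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'),  # add the ExMerge account
    [int]$RetainDays      = 14,
    [double]$MailboxMB    = 0                      # total of the sizes shown in the Mailbox Selection dialog
)

New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null

# ExMerge does not password-protect PST files, so the only protection they get
# is the NTFS ACL on this folder: stop inheriting, drop existing explicit rules,
# and grant access to the listed identities only.
$acl = Get-Acl $ExportPath
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited rules
foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($existing)
}
foreach ($id in $AllowedIds) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ExportPath -AclObject $acl
Write-Host "ACL on $ExportPath now limited to: $($AllowedIds -join ', ')"

# Storage: compare free space with the worst case from the article (PSTs run
# 10% to 50% larger than the mailboxes because single-instance storage is lost).
$drive  = New-Object -TypeName System.IO.DriveInfo -ArgumentList (Split-Path -Qualifier $ExportPath)
$freeMB = [math]::Round($drive.AvailableFreeSpace / 1MB)
$needMB = [math]::Round($MailboxMB * 1.5)
Write-Host ("Free: {0} MB, worst-case export: {1} MB" -f $freeMB, $needMB)
if ($MailboxMB -gt 0 -and $freeMB -lt $needMB) {
    Write-Warning 'Not enough free space for a worst-case export; purge or move old PSTs first.'
}

# Purge: ExMerge appends new data to an existing [ALIAS].PST, so files created
# more than RetainDays ago are removed to force a fresh export and cap disk use.
Get-ChildItem -Path $ExportPath -Filter '*.pst' |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$RetainDays) } |
    ForEach-Object {
        Write-Host "Purging $($_.FullName) (created $($_.CreationTime))"
        Remove-Item $_.FullName -Force
    }
```

The purge keys on creation time rather than last-write time on purpose: because ExMerge appends to an existing PST on every run, a last-write check would never fire and the file would grow indefinitely.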

end

Can you hear me now? Know when your email got to their BlackBerry.

I just love hearing “oh sorry, I didn’t get your email” as a response when I ask someone for a response for the third time. Especially when I know that person has a BlackBerry. When it’s from users on my BlackBerry Enterprise Server (BES) I usually just create a help desk ticket from their “oh I didn’t get your email” response, and then attach a screen shot of the BES log showing that it was in fact delivered to their BlackBerry.

Then they forget that I can do this, and in a few weeks I have to repeat the whole thing. But what do you do when the person you’re sending email to doesn’t have a BES, or is not on your network?

Apparently the good folks at RIM are one step ahead of me, as they have a solution to this nonsense built in. Keeping in mind that this will only work with actual BlackBerry devices (I’ve confirmed that it works with a BES server, and using the BlackBerry Redirector for peeps without a BES), send an email to the address that gets delivered to the BlackBerry with <confirm> as the subject, and in a few moments you should get a reply that looks something like this:

[Screenshot: the automatic <confirm> reply from the BlackBerry]

As you’ll see in the screen shot, you can use this functionality with an actual subject, or by sending just <confirm> as the subject (just make sure that <confirm> is the first thing on the subject line). The really awesome part of this is that unless the recipient knows what the <confirm> tag in the subject line does, they have no idea that you now know that the email was delivered to their device. Take note smarmy sales weasels: I see what you did there.

end

I, SysAdmin

(Evil SysAdmin laugh) Silly Users! You cannot escape my domain! I have been getting a whole lot of questions regarding… “Can I do this at work” or “Will I get caught if I am downloading…” and my all time favorite “If I look at a little pr0n will I get caught?”

Here’s a clue; most of the time, if we have the capabilities of remote monitoring, we’re not using them. Unless you do something to draw the Evil Eye of a SysAdmin, we just don’t care, we’ve got other things to worry about.

Now that being said, if you DO happen to do something to draw our attention, you’re dead in the water if you’re doing something wrong.

Here is a list of things that most SysAdmins don’t really care about:

  • Light Porn surfing (if it’s playboy type stuff) up to say 10-15 minutes a day, we just don’t care. We might be a bit entertained by your old woman or tranny fetish, but chances are, nothing to really worry about. Unless you owe us money. Just be aware, we know what you’re doing.
  • Reading news sites, or shopping online. Again, we just don’t care. Most of our days are spent in one of two modes; putting out fires, or preventing fires.
  • Circumventing the proxy to go watch that really funny YouTube video your brother sent you in your corporate email. If you’re smart enough to do it, more power to you. If you didn’t do it exactly right, the Evil Eye is turning your way right now. If it’s just a funny YouTube video, no big deal. If you’re logging into hardcore pr0n sites to download videos, and eating all the T1 bandwidth, your fapping is about to be seriously interrupted. It might even be something like total computer failure, which we will conveniently be able to pin to the pr0n you were downloading.

If you have thus far managed to evade the Evil Eye, good job! Here are some things that will draw down the Striking Hammer Of God:

  • Illegal pr0n. If she could be your daughter, or our kid sister, you are toast. We don’t just get you fired, we call the FBI and let them arrest you. At work. If you (sick bastards) are unlucky enough to get a SysAdmin like me, you first get the living shit beat out of you, then you get to deal with the Feds.
  • Illegal pr0n. If the “man” of the pr0n is named fido, we call the FBI and again, probably beat the crap out of you for good measure. We definitely make sure that EVERYONE in the company (and likely your spouse, and/or family) know what you were doing, and why the men in suits have come to take you away.
  • Downloading illegal music. Not cool man. Not at work. Yeah we have a T1, but it’s not your personal playground. Expect to have the music mysteriously disappear from your machine overnight, and forget being able to do anything like that in the future, we just demoted you to the Guest account.
  • Listening to streaming music. Ok, so yeah it’s not illegal. But you and your 10 brethren have just filled our T1, and effectively DoS’d the email server. If you want music, bring it from home on a portable hard drive, and don’t copy it to the machines. Just play it from the hard drive.
  • Installing or running any port scanners, or downloading anything that might be considered a “hack” tool. Congratulations, you just pissed IT off, and will likely be locked out of the network shortly. I’ve got enough to do without wrangling your script kiddie ass too.
  • Heavy pr0n surfing. Like 5-6 hours a day heavy. Dude, just stop. You are likely going to be visiting some websites that are, ummm, let’s just say less than legit, to get in that amount of pr0n every day. You are going to end up getting that machine infested with virii and spyware. You might even actually inadvertently compromise the corporate network. If that happens, do you really think that anyone is going to let that slide? Now I’ve actually had to explain to the boss why you need to be fired before your little problem destroys the network, and I don’t really care to discuss what you’ve been looking at (you mean there’s more than one person that looks at THAT?!?!?) with my boss.

Even if I’ve been cool enough not to filter out web content, the boss is going to want to know how you were able to view this stuff. Rather than blow it for everyone, I am going to do the right thing. I am going to lie my ass off. You must be a hacker, because you’ve been able to circumvent every filtering method I’ve set up, and I have logs to prove it (believe me, I have logs to prove ANYTHING).

The short answer is, if we’re watching you, there is no escape. Between hardware keyloggers, and specialty software that is designed to be undetectable (which is extremely hard to find even to buy), we will catch you.

If you are doing something that is in a grey area, take your SysAdmin out for lunch a couple times, or for a beer, and find out what the real policy is (the one that gets enforced, not the one in the manual). Hell if we like you, we’ll let you get away with a lot more than if you’re a dick to us in the hall.

end
