Delete sem5.log from SEPM 12.0

Symantec is aware and is investigating this issue. 

Alternatively, the following manual process can be performed as needed:

1) Stop the Symantec Endpoint Protection Manager and Symantec Embedded Database services.
2) Rename or delete the current sem5.log.
3) Click Start > Run, type CMD and click OK.
4) In the Command Prompt type:
    For 32-bit: CD C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\
    For 64-bit: CD C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32\
5) Press Enter. This changes to the folder containing dbsrv11.exe.
6) To force the recreation of sem5.log, type:
    For 32-bit: dbsrv11 -f "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\sem5.db"
    For 64-bit: dbsrv11 -f "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\db\sem5.db"
7) Press Enter.
8) Click Start > Run, type services.msc and click OK.
9) Start the Symantec Endpoint Protection Manager and Symantec Embedded Database services.
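The same nine steps as one PowerShell script, added here as an example and not part of the original post. It assumes the default SEPM 12.0 install paths given above (adjust $SepmRoot otherwise) and an elevated session; the old log is renamed rather than deleted so it can still be inspected.

```powershell
# Added example (not from the original post): automates the manual sem5.log
# recreation steps above for SEPM 12.0. Assumes the default install paths the
# post lists; change $SepmRoot if SEPM was installed elsewhere. Run elevated.
$ErrorActionPreference = 'Stop'

# Default path differs between 32-bit and 64-bit Windows (both from the post)
$SepmRoot = if (${env:ProgramFiles(x86)}) {
    'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
} else {
    'C:\Program Files\Symantec\Symantec Endpoint Protection Manager'
}
$DbSrv  = Join-Path $SepmRoot 'ASA\win32\dbsrv11.exe'
$SemDb  = Join-Path $SepmRoot 'db\sem5.db'
$SemLog = Join-Path $SepmRoot 'db\sem5.log'

foreach ($p in $DbSrv, $SemDb) {
    if (-not (Test-Path $p)) { throw "Expected file not found: $p" }
}

# Step 1: stop the manager first so it releases the database, then the database
$StopOrder  = 'Symantec Endpoint Protection Manager', 'Symantec Embedded Database'
$StartOrder = 'Symantec Embedded Database', 'Symantec Endpoint Protection Manager'
foreach ($name in $StopOrder) {
    Get-Service -DisplayName $name | Stop-Service -Force
}

# Step 2: rename rather than delete, so the old log can still be inspected
if (Test-Path $SemLog) {
    Rename-Item -Path $SemLog -NewName ('sem5.log.{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
}

# Steps 3 to 7: run dbsrv11 -f against sem5.db from its own folder to
# force a fresh transaction log to be written
Push-Location (Split-Path $DbSrv)
try {
    & $DbSrv -f $SemDb
    if ($LASTEXITCODE -ne 0) { throw "dbsrv11 returned exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# Steps 8 and 9: bring the services back, database first
foreach ($name in $StartOrder) {
    Get-Service -DisplayName $name | Start-Service
}

if (-not (Test-Path $SemLog)) {
    Write-Warning 'sem5.log was not recreated; check the db folder and the SEPM logs'
}
```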


Filed under Issues

Domain Join Error Messages

This article describes some of the common domain join error messages and the steps you may need to perform when you encounter them while joining a client machine (server or workstation) to a domain.

Below, each domain join error message is followed by its possible resolution(s).

Error: An attempt to resolve the DNS name of a DC in the domain being joined has failed. Please verify this client is configured to reach a DNS server that can resolve DNS names in the target domain.
Resolution: When you type the domain name, make sure you type the DNS domain name rather than the NetBIOS name. For example, if the DNS name of the domain is fabrikam.com, make sure you enter that name instead of just fabrikam.

Error: An attempt to resolve the DNS name of a domain controller in the domain being joined has failed. Please verify this client is configured to reach a DNS server that can resolve DNS names in the target domain.
Resolution:
  • Run nslookup, and verify that the machine can reach the DNS server. Ensure that the correct DNS server is specified and you have connectivity to that server.
  • Make sure the client's preferred DNS server is set to the domain controller's IP address.

Error: An operation was attempted on a nonexistent network connection.
Resolution: When you type the domain name, make sure you type the DNS domain name rather than the NetBIOS name. For example, if the DNS name of the domain is fabrikam.com, make sure you enter that name instead of just fabrikam.

Error: You have exceeded the maximum number of computer accounts you are allowed to create in this domain.
Resolution: Ensure that you have permissions to add computers to the domain, or that you have not exceeded the quota limit defined by your Domain Administrator.

Error: Logon failure: The target account name is incorrect.
Resolution: Run nslookup, and verify that the machine can reach the DNS server. Ensure that the correct DNS server is specified and you have connectivity to that server.

Error: Logon failure: the user has not been granted the requested logon type at this computer.
Resolution: Ensure that you have permissions to add computers to the domain.

Error: Logon failure: unknown user name or bad password.
Resolution: Ensure that you are using the correct user name\password combination when prompted for credentials to add the computer to the domain.

Error: Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
Resolution:
  • Reboot the machine you are trying to join to the domain to ensure there are no latent connections to any of the domain servers.
  • When you type the domain name, make sure you type the DNS domain name rather than the NetBIOS name. For example, if the DNS name of the domain is fabrikam.com, make sure you enter that name instead of just fabrikam.

Error: Network name cannot be found.
Resolution:
  • Run nslookup, and verify that the machine can reach the DNS server. Ensure that the correct DNS server is specified and you have connectivity to that server.
  • Update the network card driver.

Error: No mapping between account names and security IDs was done.
Resolution:
  • Ensure that you are using the correct user name\password combination when prompted for credentials to add the computer to the domain.
  • Ensure that you entered the correct DNS domain name for the domain you are trying to join.

Error: No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept.
Resolution: Before joining the computer to the domain, ensure that you have cleared all mapped connections to any drives. Net del

Error: Not enough storage is available to complete this operation.
Resolution: To resolve this issue, you need to increase the Kerberos token size of the computer you are joining to the domain.

Error: The account is not authorized to login from the station.
Resolution: You must edit the SMB value in the registry. For more information on this topic see:

Error: The account specified for this service is different from the account specified for other services running in the same process.
Resolution: Ensure that the domain controller through which you are trying to perform the domain join has the Windows Time service started.

Error: The directory service has exhausted the pool of relative identifiers.
Resolution: Ensure that the domain controller hosting the RID Master FSMO role is online and functional.

Error: The format of the specified network name is invalid.
Resolution:
  • Run nslookup, and verify that the machine can reach the DNS server. Ensure that the correct DNS server is specified and you have connectivity to that server.
  • When you type the domain name, make sure you type the DNS domain name rather than the NetBIOS name. For example, if the DNS name of the domain is fabrikam.com, make sure you enter that name instead of just fabrikam.

Error: The remote procedure call failed and did not execute.
Resolution: Ensure you have the most up-to-date drivers for the client machine's network adapter.

Error: Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "<DNS domain>.<top level domain>". The specified server cannot perform the operation.
Resolution: This error occurs when using the domain join user interface (UI) to join a Windows 7 or Windows Server 2008 R2 workgroup computer to an Active Directory domain by specifying the target DNS domain. To resolve this error, follow the actions outlined in KB 2018583.
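Most of the resolutions above come down to the same three checks: DNS name rather than NetBIOS name, a correct preferred DNS server, and an nslookup that actually finds a domain controller. This added script (not part of the original article) runs those checks on the client before the join is attempted; it assumes PowerShell 4 or later for the DNS and network cmdlets it uses.

```powershell
# Added example (not part of the original article): pre-join checks for the
# DNS-related rows in the list above, run on the client before joining.
# Assumes PowerShell 4 or later for Resolve-DnsName, Get-DnsClientServerAddress
# and Test-NetConnection; the domain name is the only input.
param(
    [Parameter(Mandatory)] [string]$DomainName   # e.g. fabrikam.com, not FABRIKAM
)
$problems = @()

# Check 1: several rows say to use the DNS domain name, not the NetBIOS name
if ($DomainName -notmatch '\.') {
    $problems += "'$DomainName' looks like a NetBIOS name; use the DNS name, e.g. fabrikam.com."
}

# Check 2: which DNS servers the client is configured with (the "preferred DNS IP")
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
if (-not $dnsServers) { $problems += 'No IPv4 DNS server is configured on any interface.' }

# Check 3: the equivalent of "run nslookup": can a DC for the domain be located?
# Domain controllers register _ldap._tcp.dc._msdcs.<domain> SRV records.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
$srv = @()
try {
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) { $problems += "No SRV records returned for $srvName." }
} catch {
    $problems += "Could not resolve ${srvName}: $($_.Exception.Message)"
}

# Check 4: each advertised DC must be reachable on the port it advertises (LDAP)
foreach ($record in $srv) {
    $reach = Test-NetConnection -ComputerName $record.NameTarget -Port $record.Port `
        -WarningAction SilentlyContinue
    if (-not $reach.TcpTestSucceeded) {
        $problems += "DC $($record.NameTarget) is advertised but port $($record.Port) is unreachable."
    }
}

[pscustomobject]@{
    Domain     = $DomainName
    DnsServers = ($dnsServers -join ', ')
    DCsFound   = $srv.Count
    Problems   = $problems
}
```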


Filed under Windows Administration

Hyper-V Role installation Issue

In this post, we're going to look at an issue that came up while I was teaching a Hyper-V R2 class a few weeks back.

Students were experimenting with Hyper-V role installation options using the Server Manager console, DISM.exe, ocsetup.exe and the ServerManager PowerShell module.

After a reboot, we noticed that one of the Windows Server 2008 R2 SP1 Full edition hosts (not Core) didn't have the Hyper-V Management Console listed under Administrative Tools. In addition, there was no Hyper-V role listed under Roles in the Server Manager console!


When we tried to select the Hyper-V Role in Server Manager Add Roles Wizard, the following error message surprised us!

Hyper-V cannot be installed

The processor on this computer is not compatible with Hyper-V. To install this role, the processor must have a supported version of hardware-assisted virtualization, and that feature must be turned on in the BIOS.


We verified that the hardware-assisted virtualization feature and hardware DEP were enabled in the server's BIOS.

Bcdedit.exe showed that hypervisorlaunchtype was set to Auto.

%windir%\logs\CBS.log showed the Hyper-V role as installed and didn't show any errors.

The dism.exe feature query (dism.exe /online /get-features) showed:

Feature Name : Microsoft-Hyper-V

State : Enabled

So, comparing with a working Hyper-V R2 (Full edition) host, we found that the following feature was not installed on this one:

Microsoft-Hyper-V-Management-Clients

It turned out that he had used the following command to install the Hyper-V role without installing the management console feature.

This feature is normally installed on a Full edition host when the Server Manager role installation wizard is used, but it needs to be installed separately when command-line tools such as dism.exe or ocsetup.exe are used.

The command that was used was

Dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V

Note: this command works fine on the Server Core edition of R2, as Core doesn't require the management console and has no Server Manager console either.

Instead, the following command should have been used on Windows Server 2008 R2 Full edition:

Dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V /featurename:Microsoft-Hyper-V-Management-Clients

Knowing this helps me avoid this mystery in the future…
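The diagnosis above (dism feature states plus the bcdedit launch type) as a script, added here as an example and not code from the original post. It parses the "Feature Name : ... / State : ..." pairs dism prints, as shown above, and assumes an elevated PowerShell session on Windows Server 2008 R2 Full edition.

```powershell
# Added example (not code from the original post): reproduces the diagnosis in
# the post by parsing "dism.exe /online /get-features" output and comparing the
# two features involved. Assumes an elevated PowerShell session on Windows
# Server 2008 R2 Full edition.
$Wanted = 'Microsoft-Hyper-V', 'Microsoft-Hyper-V-Management-Clients'

# dism prints "Feature Name : X" followed by "State : Y" for every feature
$raw = & dism.exe /online /get-features
if ($LASTEXITCODE -ne 0) { throw "dism.exe failed with exit code $LASTEXITCODE" }

$state = @{}
$current = $null
foreach ($line in $raw) {
    if ($line -match '^\s*Feature Name\s*:\s*(\S+)') { $current = $Matches[1] }
    elseif ($current -and $line -match '^\s*State\s*:\s*(.+?)\s*$') {
        $state[$current] = $Matches[1]
        $current = $null
    }
}

foreach ($f in $Wanted) {
    $s = if ($state.ContainsKey($f)) { $state[$f] } else { 'not present in DISM output' }
    Write-Output ('{0,-40} {1}' -f $f, $s)
}

# hypervisorlaunchtype, the other thing the post checked with bcdedit
$launch = (& bcdedit.exe /enum '{current}') -match 'hypervisorlaunchtype'
Write-Output ($launch -join ' ')

# The mystery in the post: role enabled, management console feature missing
if ($state['Microsoft-Hyper-V'] -eq 'Enabled' -and
    $state['Microsoft-Hyper-V-Management-Clients'] -ne 'Enabled') {
    Write-Warning ('Hyper-V is enabled but the management console feature is not; ' +
        'enable it with: Dism.exe /online /enable-feature ' +
        '/featurename:Microsoft-Hyper-V-Management-Clients')
}
```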


Filed under Windows Administration

Tombstone lifetime attribute

The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is held in the Directory Service object in the configuration NC (naming context).


Filed under Windows Administration

LDIFDE and CSVDE

CSVDE

CSVDE is a command that can be used to import and export objects to and from AD using a CSV-formatted file. A CSV (Comma Separated Value) file is easily readable in Excel. I will not go into this powerful command at length, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info.

LDIFDE

LDIFDE is a command that can be used to import and export objects to and from AD using an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is easily readable in any text editor, but it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is that LDIFDE can be used to modify and delete existing AD objects (not just users), while CSVDE can only import and export objects.
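An added example (not from the original post) that shows the difference just described: it writes a CSVDE import file for a batch of users, then an LDIFDE file that modifies one of those users afterwards, something the CSV format has no syntax for. The domain fabrikam.com, the OU named Staff and the user data are all constructed for the example.

```powershell
# Added example (not from the original post): builds a CSVDE import file for a
# batch of users and an LDIFDE file that modifies one of them afterwards,
# which CSVDE cannot do. Assumes a hypothetical domain fabrikam.com with an OU
# named Staff; the user data below is constructed.
$BaseDN = 'OU=Staff,DC=fabrikam,DC=com'
$Users = @(
    @{ Sam = 'jdoe';   Given = 'Jane'; Surname = 'Doe';   Mail = 'jdoe@fabrikam.com' },
    @{ Sam = 'bsmith'; Given = 'Bob';  Surname = 'Smith'; Mail = 'bsmith@fabrikam.com' }
)

# CSVDE import: first line is the attribute header, one object per row.
# userAccountControl 514 = normal account, disabled, so nobody can log on
# until a password is set and the account is enabled deliberately.
$rows = foreach ($u in $Users) {
    [pscustomobject]@{
        DN                 = "CN=$($u.Given) $($u.Surname),$BaseDN"
        objectClass        = 'user'
        sAMAccountName     = $u.Sam
        userPrincipalName  = "$($u.Sam)@fabrikam.com"
        givenName          = $u.Given
        sn                 = $u.Surname
        displayName        = "$($u.Given) $($u.Surname)"
        mail               = $u.Mail
        userAccountControl = 514
    }
}
$rows | Export-Csv -Path .\newusers.csv -NoTypeInformation -Encoding ASCII

# LDIFDE modify: change an attribute of an existing object. A CSV file can
# only add (csvde -i) or export; there is no "changetype" in the CSV format.
@"
dn: CN=Jane Doe,$BaseDN
changetype: modify
replace: mail
mail: jane.doe@fabrikam.com
-

"@ | Set-Content -Path .\fixmail.ldf -Encoding ASCII

# Commands to run on a domain member with the AD tools installed:
#   csvde  -i -f .\newusers.csv -k    (-k: continue past "already exists" errors)
#   ldifde -i -f .\fixmail.ldf -k
```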


Filed under Windows Administration

Trust in Active Directory

To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created.

The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

One-way trust – One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

Two-way trust – Two domains allow access to users on both domains.

Trusting domain – The domain that allows access to users from a trusted domain.

Trusted domain – The domain that is trusted; whose users have access to the trusting domain.

Transitive trust – A trust that can extend beyond two domains to other trusted domains in the forest.

Intransitive trust – A one-way trust that does not extend beyond two domains.

Explicit trust – A trust that an admin creates. It is not transitive and is one way only.

Cross-link trust – An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 Server – supports the following types of trusts:

  • Two-way transitive trusts.
  • One-way intransitive trusts.

Additional trusts can be created by administrators. These trusts can be:

Shortcut

Windows Server 2003 offers a new trust type – the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). A forest trust is transitive for all the domains in the two forests it joins; it is not, however, transitive between forests: if forest A trusts forest B and B trusts C, A does not thereby trust C.
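An added example (not from the original post) that inventories the current domain's trusts and labels each with the vocabulary above: kind (intra-forest, forest, realm or external), direction, and whether it is transitive. It uses Get-ADTrust from the ActiveDirectory module, so it needs RSAT on a domain member; the quarantine column is the SID-filtering flag a defender would expect to see set on external trusts.

```powershell
# Added example (not from the original post): lists the trusts of the current
# domain and labels each with the type and transitivity vocabulary used above.
# Uses Get-ADTrust from the ActiveDirectory module (RSAT), so it must run on a
# domain member with the module installed.
Import-Module ActiveDirectory

function Get-TrustKind($Trust) {
    # Map the trust object's flags onto the trust types described in the post
    if ($Trust.TrustType -eq 'MIT') { return 'realm' }      # non-Windows Kerberos realm
    if ($Trust.IntraForest)          { return 'intra-forest (parent-child, tree-root or shortcut)' }
    if ($Trust.ForestTransitive)     { return 'forest' }
    return 'external'
}

function Test-TrustTransitive($Trust) {
    # Intra-forest and forest trusts are transitive; external trusts are not.
    # A realm trust can be either, recorded by TrustAttributes bit 0x1 (non-transitive).
    switch (Get-TrustKind $Trust) {
        'forest'   { return $true }
        'external' { return $false }
        'realm'    { return -not ($Trust.TrustAttributes -band 0x1) }
        default    { return $true }
    }
}

Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Target      = $_.Target
        Kind        = Get-TrustKind $_
        Direction   = $_.Direction          # Inbound, Outbound or BiDirectional
        Transitive  = Test-TrustTransitive $_
        # SID filtering quarantine flag; expected on external trusts so that a
        # trusted domain cannot present SIDs from outside itself
        Quarantined = [bool]$_.SIDFilteringQuarantined
    }
} | Format-Table -AutoSize
```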


Filed under Windows Administration

Open SMTP, IMAP or POP3 traffic to an Email Server behind the SonicWALL

Article Applies To:

Affected SonicWALL Security Appliance Platforms:

Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W, TZ 200, TZ 200W, TZ 205, TZ 205W, TZ 210, TZ 210W, TZ 215, TZ 215W.
Gen4 PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260.
Gen4 TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless.
Firmware/Software Version: All SonicOS Enhanced Versions.
Services: Port forwarding (NAT policies, Address objects, firewall access rules).

Procedure: 

In this example we have chosen to demonstrate using SMTP service, however the following steps apply to any service you wish to use (like HTTPS, SMTP, FTP, Terminal Services, SSH, etc).

Step 1: Creating the necessary Address Objects 

TIP: For complete information on creating Address Objects refer: KBID 7486

1. Select Network > Address Objects.
2. Click the Add a new address object button and create two address objects, one for the server's IP on the LAN and another for the server's public IP:

Address Object for Server on LAN
Name: MailServer Private
Zone Assignment: LAN
Type: Host
IP Address: 192.168.1.100

Address Object for Server's Public IP
Name: MailServer Public
Zone Assignment: WAN
Type: Host
IP Address: 1.1.1.1

3. Click the OK button to complete creation of the new address objects.

Step 2: Create a Service Group

1. The Services page can be accessed either from Firewall > Services or Network > Services.
2. Click Add Group.
3. Select individual services from the list in the left column. Click -> to add the services to the group.
4. To remove services from the group, select individual services from the list in the right column. Click <- to remove the services.

5. When you are finished, click OK to add the group to Custom Services Groups.

Step 3: Defining the appropriate NAT Policies

1. Select Network > NAT Policies.
2. Click the Add a new NAT Policy button and choose the following settings from the drop-down menus:

Understanding how to use NAT policies starts with the construction of an IP packet. Every packet contains addressing information that allows the packet to get to its destination, and for the destination to respond to the original requester. The packet contains (among other things) the requester’s IP address, the protocol information of the requestor, and the destination’s IP address. The NAT Policies engine in SonicOS Enhanced can inspect the relevant portions of the packet and can dynamically rewrite the information in specified fields for incoming, as well as outgoing traffic.

Note: To Add custom port in SonicOS Enhanced refer KBID 7133

Adding appropriate NAT Policies
Original Source: Any
Translated Source: Original
Original Destination: MailServer Public
Translated Destination: MailServer Private
Original Service: MailServer Services
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Comment: Webserver behind SonicWALL.
Enable NAT Policy: Checked
Create a reflexive policy: Checked

Note: Create a reflexive policy: when you check this box, a mirror outbound or inbound NAT policy for the NAT policy you defined in the Add NAT Policy window is automatically created.

3. Click the Add button.

Loopback Policy:

If you wish to access this server from other internal zones using the Public IP address 1.1.1.1 consider creating a Loopback NAT Policy else go to next step:

  • Original Source: Firewalled Subnets 
  • Translated Source: MailServer Public
  • Original Destination: MailServer Public
  • Translated Destination: MailServer Private
  • Original Service: MailServer Services
  • Translated Service: Original
  • Inbound Interface: Any
  • Outbound Interface: Any
  • Comment: Loopback policy
  • Enable NAT Policy: Checked
  • Create a reflexive policy: unchecked

4. Upon completion, under the Network > NAT Policies tab the above inbound and outbound NAT policies will be created.

Step 4: Creating Firewall Access Rules

1. Click Firewall > Access Rules tab.
2. Select the type of view in the View Style section and go to WAN to LAN access rules.
3. Click Add a new entry and create the rule by entering the following into the fields:

Caution: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.

Action: Allow 
From Zone: WAN
To Zone: LAN
Service: MailServer Services
Source: Any
Destination: MailServer Public 
Users Allowed: All
Schedule: Always on
Enable Logging: checked
Allow Fragmented Packets:checked

4. Click OK.
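Why the loopback policy translates the source as well as the destination is the one non-obvious part of the procedure above. This added PowerShell model (not from the SonicWALL article) applies the inbound and loopback NAT policies to two sample packets, using the article's addresses; the LAN client 192.168.1.50 and the ports are constructed.

```powershell
# Added example (not from the SonicWALL article): a small model of how the
# inbound and loopback NAT policies above rewrite a packet, to show why the
# loopback policy must translate the source as well as the destination.
# Addresses are the article's; the LAN client 192.168.1.50 is constructed.
$MailServerPublic  = '1.1.1.1'
$MailServerPrivate = '192.168.1.100'
$MailServerPorts   = 25, 143, 110              # the "MailServer Services" group

function Test-FirewalledSubnet([string]$Ip) { $Ip -like '192.168.1.*' }

# Loopback is listed first: it is the more specific match (source restricted
# to firewalled subnets), so it must win over the catch-all inbound policy.
$Policies = @(
    @{ Name    = 'Loopback'
       Match   = { param($p) (Test-FirewalledSubnet $p.Src) -and ($p.Dst -eq $MailServerPublic) }
       Rewrite = { param($p) $p.Src = $MailServerPublic; $p.Dst = $MailServerPrivate } },
    @{ Name    = 'Inbound'
       Match   = { param($p) $p.Dst -eq $MailServerPublic }
       Rewrite = { param($p) $p.Dst = $MailServerPrivate } }
)

function Invoke-NatPolicies($Packet) {
    if ($MailServerPorts -notcontains $Packet.DstPort) { return $Packet }   # service mismatch
    foreach ($pol in $Policies) {
        if (& $pol.Match $Packet) {
            & $pol.Rewrite $Packet
            $Packet.Policy = $pol.Name
            break
        }
    }
    $Packet
}

# A client on the Internet and a client on the LAN both connect to 1.1.1.1:25
$fromInternet = [pscustomobject]@{ Src = '203.0.113.9';  Dst = $MailServerPublic; DstPort = 25; Policy = 'none' }
$fromLan      = [pscustomobject]@{ Src = '192.168.1.50'; Dst = $MailServerPublic; DstPort = 25; Policy = 'none' }

Invoke-NatPolicies $fromInternet   # Dst becomes 192.168.1.100, Src unchanged
Invoke-NatPolicies $fromLan        # Dst becomes 192.168.1.100, Src becomes 1.1.1.1

# Without the source rewrite the LAN client and the server would be on the same
# subnet: the server would answer 192.168.1.50 directly, the reply would never
# pass back through the firewall to be un-translated, and the client would drop
# a SYN/ACK from 192.168.1.100 when it was expecting one from 1.1.1.1.
```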

 


Filed under Networking

Change Microsoft Office 2007 Product License Key

  1. First of all, close all running Microsoft Office applications.
  2. Click the Start button, then click Run, or press Windows key + R to open the Run dialog.
  3. Type "regedit" (without quotes) in the Run text box, and click OK or press Enter.
  4. In Registry Editor, locate and click the following subkey: HKEY_LOCAL_MACHINE >> Software >> Microsoft >> Office >> 12.0 >> Registration. Inside, you will find another subkey that resembles the following: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Registration\{30120000-0011-0000-0000-0000000FF1CE}
  5. Recommendation: back up this registry branch by exporting the Registration subkey to a file, so that in case of any failure you can restore it again from that file. Right-click the Registration subkey, click Export, and follow the on-screen prompts to enter a file name and choose a location to store it.
  6. Under the Registration subkey, there may be several Globally Unique Identifier (GUID) subkeys that contain a combination of alphanumeric characters. Each GUID is specific to a program that is installed on your computer. If you find additional subkeys that reference Office 12.0 registration, click and open each GUID subkey to identify the Office product version by the ProductName registry entry in the right pane. For example: ProductName=Microsoft Office Professional Plus 2007
  7. After you find the GUID subkey for the Office product or program whose existing product license key or registration details you want to remove, delete the following registry entries by right-clicking each entry in the GUID subkey, clicking Delete, and then clicking Yes. Do the same for any other matching GUID subkeys:
    • DigitalProductID
    • ProductID
  8. Exit Registry Editor.
  9. Run an Office application such as Microsoft Word, Excel or Outlook. Office 2007 will prompt you to enter a new 25-character product key.
  10. Type in the valid and genuine product key, and then click Continue.
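Steps 4 to 8 as a script, added here as an example and not part of the original post. It lists every GUID subkey under the Office 12.0 Registration key with its ProductName, takes the backup from step 5 with reg.exe before anything else, and only removes DigitalProductID and ProductID when run with -Remove; the registry paths are the post's own, the backup location is an assumption.

```powershell
# Added example (not from the original post): scripts steps 4 to 8 above.
# Lists every GUID subkey under the Office 12.0 Registration key with its
# ProductName, backs the branch up with reg.exe export, and removes the two
# values only when -Remove is given. Run elevated; registry paths are the post's.
param(
    [string]$ProductNameLike = '*Office*',   # which ProductName(s) to act on
    [switch]$Remove                          # without this, only report
)
$RegKey    = 'HKLM:\SOFTWARE\Microsoft\Office\12.0\Registration'
$BackupDir = Join-Path $env:USERPROFILE 'Desktop'       # assumed backup location
$Values    = 'DigitalProductID', 'ProductID'            # the two entries step 7 deletes

if (-not (Test-Path $RegKey)) { throw "Office 2007 registration key not found: $RegKey" }

# Step 5: export the whole Registration branch before touching anything
$backup = Join-Path $BackupDir ('Office12-Registration-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Office\12.0\Registration' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; aborting' }
Write-Output "Backup written to $backup"

# Step 6: enumerate GUID subkeys and identify each product by ProductName
foreach ($sub in Get-ChildItem $RegKey) {
    $props   = Get-ItemProperty $sub.PSPath
    $name    = $props.ProductName
    $present = @($Values | Where-Object { $props.PSObject.Properties.Name -contains $_ })
    Write-Output ('{0}  {1}  [{2}]' -f $sub.PSChildName, $name, ($present -join ', '))

    # Step 7: delete DigitalProductID and ProductID for the matching product only
    if ($Remove -and $name -like $ProductNameLike) {
        foreach ($v in $present) {
            Remove-ItemProperty -Path $sub.PSPath -Name $v
            Write-Output "  removed $v"
        }
    }
}
# Step 9: the next start of Word, Excel or Outlook prompts for the new 25-character key
```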



Filed under Tweaks

Requirements for installing AD

  • An NTFS partition with enough free space.
  • An Administrator’s username and password.
  • The correct operating system version.
  • A NIC with properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway).
  • A network connection (to a hub or to another computer via a crossover cable). 
  • An operational DNS server (which can be installed on the DC itself). 
  • A Domain name that you want to use. 
  • The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).


Filed under Tech Updates, Windows Administration

DS commands

  • DSmod – modify Active Directory attributes.
  • DSrm – delete Active Directory objects.
  • DSmove – relocate objects.
  • DSadd – create new accounts.
  • DSquery – find objects that match your query attributes.
  • DSget – list the properties of an object.


Filed under Tech Updates, Windows Administration