OfficeScan Client IP Update with Batch File IPxfer Utility

If the OfficeScan host has a new IP address (192.168.1.16), it is better to run a batch file that updates the clients' IP address setting than to uninstall and reinstall. Create separate batch files for 32-bit and 64-bit computers. Copy the commands below into Notepad and save them as batch files, for example ipxfer_x64.bat or ipxfer_x86.bat.

To execute it, right-click the file and choose Run as administrator. The update process takes about 3 minutes:
– DOS window appears/disappears
– Services are stopping/running/started
– Updating in progress

ipxfer_x64.bat (for 64 bit)

\\192.168.1.16\ofcscan\admin\utility\ipxfer\ipxfer_x64.exe -s 192.168.1.16 -p 8080 -c 17226 -e \\192.168.1.16\ofcscan\PCCNT\Common\OfcNTCer.dat

ipxfer_x86.bat (for 32 bit)

\\192.168.1.16\ofcscan\admin\utility\ipxfer\ipxfer.exe -s 192.168.1.16 -p 8080 -c 17226 -e \\192.168.1.16\ofcscan\PCCNT\Common\OfcNTCer.dat
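
The two files above can be combined into one that picks the right executable itself. This is an added example, not part of the original notes: it reuses the server address, ports and share paths shown above, while the variable names and the numeric exit codes are this example's own choices.

```bat
@echo off
rem Added example: one batch file for both 32-bit and 64-bit clients.
rem Address, ports and share paths are the values used on this page.
setlocal
set "OSCE_SERVER=192.168.1.16"
set "OSCE_PORT=8080"
set "CLIENT_PORT=17226"
set "SHARE=\\%OSCE_SERVER%\ofcscan"
set "CERT=%SHARE%\PCCNT\Common\OfcNTCer.dat"

rem The page says to run as administrator, so refuse to continue otherwise.
rem "net session" fails with a non-zero errorlevel when the prompt is not elevated.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this file with "Run as administrator".
    exit /b 1
)

rem Default to the 32-bit build, then switch on 64-bit Windows.
rem A 32-bit cmd.exe on 64-bit Windows reports x86, so also check
rem PROCESSOR_ARCHITEW6432, which is only defined in that situation.
set "IPXFER=%SHARE%\admin\utility\ipxfer\ipxfer.exe"
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" set "IPXFER=%SHARE%\admin\utility\ipxfer\ipxfer_x64.exe"
if defined PROCESSOR_ARCHITEW6432 set "IPXFER=%SHARE%\admin\utility\ipxfer\ipxfer_x64.exe"

rem Fail early if the share on the new server address is not reachable,
rem instead of letting the DOS window flash and disappear silently.
if not exist "%IPXFER%" (
    echo Cannot find %IPXFER%
    exit /b 2
)
if not exist "%CERT%" (
    echo Cannot find %CERT%
    exit /b 3
)

echo Running %IPXFER% against %OSCE_SERVER%:%OSCE_PORT%
"%IPXFER%" -s %OSCE_SERVER% -p %OSCE_PORT% -c %CLIENT_PORT% -e "%CERT%"
set "RC=%errorlevel%"
echo ipxfer finished with exit code %RC%
exit /b %RC%
```

Because the executable runs elevated straight from a network share, it is worth confirming that only OfficeScan administrators can write to the `ofcscan` share before distributing the file.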

Update Group Policies Settings

>gpupdate /help
Description: Updates Group Policies settings.

Syntax: GPUpdate [/Target:{Computer | User}] [/Force] [/Wait:<value>]
[/Logoff] [/Boot] [/Sync]

Parameters:

Value
/Target:{Computer | User}

Description: Specifies that only User or only Computer
policy settings are updated. By default,
both User and Computer policy settings are
updated.

/Force

Description: Reapplies all policy settings. By default,
only policy settings that have changed are
applied.

/Wait:{value}

Description: Sets the number of seconds to wait for policy
processing to finish. The default is 600
seconds. The value ‘0’ means not to wait.
The value ‘-1’ means to wait indefinitely.
When the time limit is exceeded, the command
prompt returns, but policy processing
continues.

/Logoff

Description: Causes a logoff after the Group Policy settings
have been updated. This is required for
those Group Policy client-side extensions
that do not process policy on a background
update cycle but do process policy when a
user logs on. Examples include user-targeted
Software Installation and Folder Redirection.
This option has no effect if there are no
extensions called that require a logoff.

/Boot

Description: Causes a computer restart after the Group Policy settings
are applied. This is required for those
Group Policy client-side extensions that do
not process policy on a background update cycle
but do process policy at computer startup.
Examples include computer-targeted Software
Installation. This option has no effect if
there are no extensions called that require
a restart.

/Sync

Description: Causes the next foreground policy application to
be done synchronously. Foreground policy
applications occur at computer boot and user
logon. You can specify this for the user,
computer or both using the /Target parameter.
The /Force and /Wait parameters will be ignored
if specified.

Directory Server Diagnosis -> dcdiag.exe /h

>dcdiag /h

Directory Server Diagnosis

dcdiag.exe /s:<Directory Server>[:<LDAP Port>] [/u:<Domain>\<Username> /p:*|<Password>|""]
[/hqv] [/n:<Naming Context>] [/f:<Log>] [/x:XMLLog.xml]
[/skip:<Test>] [/test:<Test>]
/h: Display this help screen

/s: Use <Directory Server> as Home Server. Ignored for DcPromo and
RegisterInDns tests which can only be run locally.
/n: Use <Naming Context> as the Naming Context to test
Domains may be specified in Netbios, DNS or DN form.
/u: Use domain\username credentials for binding.
Must also use the /p option

/p:  Use <Password> as the password. Must also use the /u option
/a:  Test all the servers in this site
/e:  Test all the servers in the entire enterprise. Overrides /a
/q:  Quiet – Only print error messages
/v:  Verbose – Print extended information
/i:  ignore – ignores superfluous error messages.
/c:  Comprehensive, runs all tests, including non-default tests but excluding
DcPromo and RegisterInDNS. Can use with /skip
/fix: fix – Make safe repairs.
/f:  Redirect all output to a file <Log> seperately
/x:<XMLLog.xml> Redirect xml output to <XMLLog.xml>. Currently works with /test:dns option only
/xsl:<xslfile.xsl or xsltfile.xslt> Adds the processing instructions that references specified stylesheet.
Works with /test:dns /x:<XMLLog.xml> option only

/test:<TestName> – Test only this test. Required tests will still
be run. Do not mix with /skip.

/skip:<TestName> – Skip the named test. Required tests will still
be run. Do not mix with /test.

The list of known tests:

Advertising
Checks whether each DSA is advertising itself, and whether it is advertising itself as having the
capabilities of a DSA.

CheckSDRefDom
This test checks that all application directory partitions have appropriate security descriptor
reference domains.

CheckSecurityError
Locates security errors (or those possibly security related) and performs the initial diagnosis of the
problem. Optional Arguments: /ReplSource:<Source DC> to target a specific source, regardless of it’s
error status. Need not be a current partner.
* Test is not run by default, i.e. it must be requested explicitly

Connectivity
Tests whether DSAs are DNS registered, pingeable, and have LDAP/RPC connectivity.
* Test cannot be skipped
* Test is applicable to AD/LDS

CrossRefValidation
This test looks for cross-refs that are in some way invalid.
* Test is applicable to AD/LDS

CutoffServers
Check for servers that won’t receive replications because its partners are down
* Test is not run by default, i.e. it must be requested explicitly
* Test is applicable to AD/LDS

DcPromo
Tests the existing DNS infrastructure for promotion to domain controller. If the infrastructure is
sufficient, the computer can be promoted to domain controller in a domain specified in
<Active_Directory_Domain_DNS_Name>. Reports whether any modifications to the existing DNS
infrastructure are required. Required argument: /DnsDomain:<Active_Directory_Domain_DNS_Name> One of
the following arguments is required: /NewForest /NewTree /ChildDomain /ReplicaDC If NewTree is
specified, then the ForestRoot argument is required: /ForestRoot:<Forest_Root_Domain_DNS_Name>

DNS
This test checks the health of DNS settings for the whole enterprise. Sub tests can be run
individually using the switches below. By default, all tests except external name resolution are run)
/DnsBasic (basic tests, can’t be skipped) /DnsForwarders
(forwarders and root hints tests) /DnsDelegation (delegations tests)
/DnsDynamicUpdate (dynamic update tests) /DnsRecordRegistration (records
registration tests) /DnsResolveExtName (external name resolution test)
/DnsAll (includes all tests above) /DnsInternetName: <internet name> (for
test /DnsResolveExtName) (default is http://www.microsoft.com)
* Test is not run by default, i.e. it must be requested explicitly

FrsEvent
This test checks to see if there are any operation errors in the file replication system (FRS).
Failing replication of the SYSVOL share, can cause Policy problems.

DFSREvent
This test checks to see if there are any operation errors in the DFS.

SysVolCheck
This test checks that the SYSVOL is ready.

LocatorCheck
Checks that global role-holders are known, can be located, and are responding.

Intersite
Checks for failures that would prevent or temporarily hold up intersite replication.

KccEvent
This test checks that the Knowledge Consistency Checker is completing without errors.
* Test is applicable to AD/LDS

KnowsOfRoleHolders
Check whether the DSA thinks it knows the role holders, and prints these roles out in verbose mode.

MachineAccount
Check to see if the Machine Account has the proper information. Use /RecreateMachineAccount to attempt
a repair if the local machine account is missing. Use /FixMachineAccount if the machine account flags
are incorrect.

NCSecDesc
Checks that the security descriptosrs on the naming context heads have appropriate permissions for
replication.

NetLogons
Checks that the appropriate logon priviledges allow replication to proceed.

ObjectsReplicated
Check that Machine Account (AD only) and DSA objects have replicated. Use /objectdn:<dn> with /n:<nc>
to specify an additional object to check.
* Test is applicable to AD/LDS

OutboundSecureChannels
See if we have secure channels from all of the DC’s in the domain the domains specified by
/testdomain:. /nositerestriction will prevent the test from being limited to the DC’s in the site.
* Test is not run by default, i.e. it must be requested explicitly

RegisterInDNS
Tests whether this directory server can register the directory Server Locator DNS records. These
records must be present in DNS in order for other computers to locate this directory server for the
<Active_Directory_Domain_DNS_Name> domain. Reports whether any modifications to the existing DNS
infrastructure are required. Required argument: /DnsDomain:<Active_Directory_Domain_DNS_Name>

Replications
Checks for timely replication between directory servers.
* Test is applicable to AD/LDS

RidManager
Check to see if RID master is accessable and to see if it contains the proper information.

Services
Check to see if appropriate supporting services are running.
* Test is applicable to AD/LDS

SystemLog
This test checks that the system is running without errors.
* Test is applicable to AD/LDS

Topology
Checks that the generated topology is fully connected for all DSAs.
* Test is not run by default, i.e. it must be requested explicitly
* Test is applicable to AD/LDS

VerifyEnterpriseReferences
This test verifys that certain system references are intact for the FRS and Replication infrastructure
across all objects in the enterprise on each DSA.
* Test is not run by default, i.e. it must be requested explicitly

VerifyReferences
This test verifys that certain system references are intact for the FRS and Replication
infrastructure.

VerifyReplicas
This test verifys that all application directory partitions are fully instantiated on all replica
servers.
* Test is not run by default, i.e. it must be requested explicitly
* Test is applicable to AD/LDS

All tests except DcPromo and RegisterInDNS must be run on computers
after they have been promoted to directory server.

Note: Text (Naming Context names, server names, etc) with International or
Unicode characters will only display correctly if appropriate fonts and
language support are loaded

Replication Admin

>repadmin /viewlist gc:

>repadmin /showrepl

>repadmin /replsummary

repadmin syntax

>repadmin help
Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]
[/retry[:<retries>][:<delay>]]
[/csv]

Use these commands to see the help:

/?  Displays a list of commands available for use in repadmin and their
description.
/help  Same as /?
/?:<cmd>  Displays the list of possible arguments <args>, appropriate
syntaxes and examples for the specified command <cmd>.
/help:<cmd>  Same as /?:<cmd>
/experthelp  Displays a list of commands for use by advanced users only.
/listhelp  Displays the variations of syntax available for the DSA_NAME,
DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp  Displays a list of deprecated commands that still work but
are no longer supported by Microsoft.

Supported <cmd> commands (use /?<cmd> for detailed help):
/kcc Forces the KCC on targeted domain controller(s) to immediately
recalculate its inbound replication topology.

/prp This command allows an admin to view or modify the
password replication policy for RODCs.

/queue Displays inbound replication requests that the DC needs to issue
to become consistent with its source replication partners.

/replicate Triggers the immediate replication of the specified directory
partition to the destination domain controller from the source DC.

/replsingleobj Replicates a single object between any two domain
controllers that have common directory partitions.

/replsummary The replsummary operation quickly and concisely summarizes
the replication state and relative health of a forest.

/rodcpwdrepl Triggers replication of passwords for the specified user(s)
from the source (Hub DC) to one or more Read Only DC’s.

/showattr Displays the attributes of an object.

/showobjmeta Displays the replication metadata for a specified object
stored in Active Directory, such as attribute ID, version
number, originating and local Update Sequence Number (USN), and
originating server’s GUID and Date and Time stamp.

/showrepl Displays the replication status when specified domain controller
last attempted to inbound replicate Active Directory partitions.

/showutdvec displays the highest committed Update Sequence Number (USN)
that the targeted DC’s copy of Active Directory shows as
committed for itself and its transitive partners.

/syncall Synchronizes a specified domain controller with all replication
partners.

Supported additional parameters:

/u:  Specifies the domain and user name separated by a backslash
{domain\user} that has permissions to perform operations in
Active Directory. UPN logons not supported.

/pw:  Specifies the password for the user name entered with the /u
parameter.

/retry  This parameter will cause repadmin to repeat its attempt to bind
to the target dc should the first attempt fail with one of the
following error status:

1722 / 0x6ba : “The RPC Server is unavailable”
1753 / 0x6d9 : “There are no more endpoints available from the
endpoint mapper”

/csv  Used with /showrepl to output results in comma separated
value format. See /csvhelp

Note: Most commands take their parameters in the order of “Destination or
Target DSA_LIST”, then a “Source DSA_NAME” if required, and finally the
NC or Object DN if required.

<DSA_NAME> (or <DSA_LIST>) is a Directory Service Agent binding
string. For Active Directory Domain Services, this is simply a network
label (such as a DNS, NetBios, or IP address) of a Domain Controller.
For Active Directory Lightweight Directory Services, this must be a
network label of the AD LDS server followed by a colon and the LDAP
port of the AD LDS instance
Examples (AD DS): dc-01
dc-01.microsoft.com
Examples (AD LDS): ad-am-01:2000
ad-am-01.microsoft.com:2000

<Naming Context> is the Distinguished Name of the root of the NC
Example: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with International or
Unicode characters will only display correctly if appropriate fonts and
language support are loaded.