Category Archives: Microsoft

Creating AD Trust Relationship

Leave a Reply

Ports required for trust relationship:

  • 389 (TCP and UDP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP
  • 636 (TCP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP SSL
  • 3268 (TCP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP GC
  • 3269 (TCP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP GC SSL
  • 88 (TCP and UDP) – User and Computer Authentication, Forest Level Trusts – Kerberos
  • 53 (TCP and UDP) – User and Computer Authentication, Name Resolution, Trusts – DNS
  • 445 (TCP and UDP) – Replication, User and Computer Authentication, Group Policy, Trusts – SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc

Reference:

  • https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
    https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

Windows 7 | Delete Offline File Cache CSC Folder

Leave a Reply

After carrying out a domain migration on a PC the “offline files cache” still retains a local cache for the previous domain.

Within “Offline Files” (Control Panel) there is an option to “Delete temporary files” but this does not remove the “All offline files” cache located in the “C:\Windows\CSC” folder

The workaround to fully remove these files (and start a new offline sync) is to add the “FormatDatabase” registry entry which forces deletion.

This command will add the registry entry. After which reboot the system and all offline files will be removed:

reg add HKLM\SYSTEM\CurrentControlSet\services\CSC\Parameters /v FormatDatabase /t REG_DWORD /d 1

DFS | Site Links, Server Target Prioritization & Reference Info

Leave a Reply

DFS Setup and Configuration Notes

I like DFS, the main issue I found is setting it up, tailoring it to your needs, debugging and configuring which can be a bit troublesome. I’ve spent a while trying to implement and tweak it for a large scale network (17 x Sites using DFS-N & DFS-R) I’ve list a number of articles/URLs which have proven useful on my DFS internet travels…

Continue reading

Remove Sharepoint Login Prompt in IE

Leave a Reply

We have a company SharePoint site which requires authentication information before logging on. This is a pain as the information displayed on the initial screen of SharePoint does not need to be restricted (Company Intranet).

Login “Annoying” Prompt:

HTTPAuth

In order to remove this you can modify the option in I.E. to use local logon credential (domain PCs):

  1. Tools/Internet Options/Security/Local Intranet/Sites
  2. Add the site in the list, click OK.
  3. Still in Local Intranet, click on “Custom Level”, scroll all the way to the bottom to User Authentication/Logon
  4. Click on “Automatic Logon with current user name and password”
  5. When the user logs to the site, make sure to select the checkmark “remember username/password” when the site asks for credentials

VMWare | “Unable to locate the required Sysprep files”

Leave a Reply

Yes the year is 2016! and Yes we are still converting Server 2003 onto VMware! (I know Server 2003 is dead and 13 years behind the times, but there are still some instances in our organisation that still require it for old bespoke software that can’t be easily moved to Server 2013/2016)

When converting a physical “Server 2003” machine to a virtual machine using VMware Converter this error displays:

“Warning: Unable to locate the required Sysprep files. Upload them under ‘C:\ProgramData\VMware vCentre Converter Standalone\sysprep\svr2003’ on the Converter server machine. See ‘Help’ for more details”

VMware_Server2003_Conversion1

Continue reading

Change Windows 7 “Logon” Background

Leave a Reply

There’s two types of background images.

  1. Windows Desktop Backgrounds
  2. Windows Logon Backgrounds

This script will add the required flags and permissions to the registry and create the “dummy” jpg files which are used to display the “Logon” background. This is the screen which displays the user logon details (At “Logon”).

echo OFF
set bgfolder=%windir%\system32\oobe\Info\backgrounds\

REM Creates the backgrounds folder
md %bgfolder%

REM Creates the dummy background files
FOR %%f IN (backgroundDefault.jpg background1280x960.jpg background1024x768.jpg background1600x1200.jpg background1440x900.jpg background1920x1200.jpg background1280x768.jpg background1360x768.jpg background1024x1280.jpg background960x1280.jpg background900x1440.jpg background768x1280.jpg background768x1360.jpg) DO echo 2> %bgfolder%%%f 1> NUL

REM Gives all authenticated users the right to write these files
FOR %%f IN (backgroundDefault.jpg background1280x960.jpg background1024x768.jpg background1600x1200.jpg background1440x900.jpg background1920x1200.jpg background1280x768.jpg background1360x768.jpg background1024x1280.jpg background960x1280.jpg background900x1440.jpg background768x1280.jpg background768x1360.jpg) DO icacls %bgfolder%%%f /grant *S-1-5-11:(R,W,M)

REM Forces the use of the custom background permanently
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background /v OEMBackground /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\System /v UseOEMBackground /t REG_DWORD /d 1 /f

All you then need to do is add the background image you want to this folder directory: %windir%\system32\oobe\Info\backgrounds\

Windows Time Commands | Cheatsheet

Leave a Reply

Check time service is running (Local & Remote):

sc query w32time
sc \\HOSTNAME query w32time

Displays all local time information (Local & Remote):

w32tm /query /configuration
w32tm /query /configuration /computer:HOSTNAME

Display Windows Time service status (Local & Remote):

w32tm /query /status
w32tm /query /status /computer:HOSTNAME

Display Windows Time service source (Will return one line: local CMOS vs Server) (Local & Remote):

w32tm /query /source
w32tm /query /source /computer:HOSTNAME

Display a list of peers and their status:

w32tm /query /peers

Displays current time (local source)

Time /T

Resync local computer time against time server: (run on all servers, except time server)

w32tm /resync /rediscover

Force local computer time to update against domain server (Local & Remote):

w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover w32tm /resync
w32tm /config /syncfromflags:domhier /update /computer:HOSTNAME
w32tm /resync /rediscover w32tm /resync

Start time server via CLI (Local & Remote)

net start w32time
SC \\HOSTNAME net start w32time

Restore Windows Time Service (if it has been broken)

net stop W32Time
w32tm /unregister
w32tm /register
net start W32Time
sc query W32Time

Set Time Update NTP source

@echo off
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist: 0.uk.pool.ntp.org
w32tm /config /reliable:yes
net start w32time
w32tm /query /peers
PAUSE

Event Viewer Error Message:

Event Type: Error 

Event Source: W32Time 

Event Category: None 
Event ID: 12

Description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

To resolve the eventID 12:

  • w32tm /register

Reference: 

DNS | Modify DNS entry CMD

Leave a Reply

Add/Remove a DNS record without the GUI

Add

dnscmd [ServerName] /recordadd [ZoneName] [NodeName] RRType> <RRData]
dnscmd UK-WDC01 /RecordAdd edwardsd.local UK-ESX01 A 192.168.1.5

Delete

dnscmd <ServerName> /recorddelete <ZoneName> <NodeName> <RRType> <RRData>[/f]
dnscmd UK-WDC01 /recorddelete edwardsd.local UK-ESX01 A 192.168.1.5

Reference: DNSCMD Examples

Windows Commands | Powershell

Leave a Reply

A few random PowerShell commands in Windows to help complete tasks:

Create New AD User:

New-ADUser -SamAccountName U1 -Name "User 1" -AccountPassword (ConvertToSecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true -Path 'OU=Test,DC=FABRIKAM,DC=COM'

Displays if “Desktop Experience” is installed:

Get-WindowsFeature *Desktop*

Installs “Desktop Experience” Feature:

Add-WindowsFeature Desktop-Experience

Remove Windows Patches

wusa /uninstall /kb:2952664

Clear all log entries
Although previous logs in event viewer can be helpful for diagnostics, I find old errors sometime cloud the current issues. In order to quickly clear all evertvwr logs entries you can use the following powershell command

wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}

Bypass code Execution

Usually if you get this error “PowerShell says “execution of scripts is disabled on this system.” the quick option is to bypass the execution policy:

Set-ExecutionPolicy Unrestricted

HP Proliant Microserver (Gen8) | Windows Server 2012 R2 Storage Drivers

Leave a Reply

My configuration of the HP Microserver G1810T uses all 4 x HDD disk bays (2 x RAID1) with 1 x HDD (2.5″) attached to the secondary SATA connector on the motherboard.
This 5th disk for the OS was configured under the controller options to use RAID0.

When installing Windows Server 2012 R2 for the first time you will need to specify the B120i controller drivers for Windows to be able to see the disk.
The driver can be downloaded from the HP Microserver webpage and is listed under the “Driver – Storage” section.

The ILO made it easy for me to install Windows remotely from my desktop and attaching virtual media (ISO) and folders. Continue reading

Enable ICMP (Ping) & WMI | CMD Line

1 Reply

Without enabling ICMP ping requests will not get a reply from the server.

Enable ICMP using “netsh firewall” (Old Method):

netsh firewall set icmpsetting 8

Enable ICMP using “netsh advfirewall” (New Method):

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Enable WMI using “netsh advfirewall” (New Method):

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Unable to Access DFS Share | Windows 7 Mapped Drives

Leave a Reply

Mapped network drive to DFS share is not allowing access.

“This operation is supported only when you are connected to the server”

If you try to remap the drive with different credentials the following error appears:

The network folder specified is currently mapped using a different username and password.

To connect using a different user name and password, first disconnect any existing mappings to this network share.

Looking in the EventVWR the following is logged:

EventID1004: Path \Server\DFS transitioned to slow link with latency = 115 and bandwidth = 13265936

  • Rebooting doesn’t fix the issue
  • Remapping doesn’t fix the issue.
  • Entering the direct server UNC path allows full access (as it should)
  • Applied regedit to force Auto Reconnect to the server but still didn’t fix the issue.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache]
"SilentForcedAutoReconnect"=dword:00000001

Fix:

In the end the really simple workaround was to “Disable Offline File Sync” and reboot the system. All working again!

“Control Panel -> Sync Centre ->  Manage offline files -> Disable Offline Files”

Reference:

http://blogs.technet.com/b/askds/archive/2011/12/14/slow-link-with-windows-7-and-dfs-namespaces.aspx
https://www.conetrix.com/Blog/post/Fixing-Problem-With-Windows-7-Shared-Files-and-Mapped-Drives-Unavailable-Over-VPN.aspx

Windows Backup | Adding Multiple External HDDs

Leave a Reply

Windows Backup can be configured to use multiple external hard drives as the target. This way you can setup a hard drive rotation system i.e. Mon: USB_HDD1, Tue: USB_HDD2, Wed: USB_HDD1

Ideally both HDDS (or more) need to be connected at the same time when you configure the backup from the GUI. If you do not have both HDDS connected this can be accomplished using the WBADMIN command line tool.

Locate the HDD identifier using “get disk” and add it to the job using “-addtarget”.

wbadmin get disks
WBADMIN ENABLE BACKUP -addtarget:{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

Reference:

PSEXEC | Remove File Share Remotely

Leave a Reply

Sometime it takes time to go and speak to a user, then stop what they are doing so you can make a change or tweak on their PC/Laptop so I like to do this in the background remotely without their knowledge (Hey! I’m an Admin that’s what I do)

PSEXEC has become a good friend for doing this!
I usually dump the “psexec” exe in the c:\Windows\System32 folder so I don’t have to change CMD paths. (Remember you need to run CMD as the user with access to the remote system for this to work)

Remove Share Remotely:

psexec \\PCNAME net share <SHARENAME> /delete

Map Drive Remotely:

psexec \\PCNAME net use S: \\SERVER\SHARE

RSAT Across Domains | Security database on the server does not have a computer account for this workstation trust relationship

Leave a Reply

Problem when trying to use RSAT to remotely administer a different domain.

“Security database on the server does not have a computer account for this workstation trust relationship”

SecurityDBTrustRelationship

There are numerous blog/forum posts regarding the cause of this error, however most are related to workstations on the local domain not being able to authenticate to the local DC. (The quick fix being to remove the network cable, login with the cached credentials and remove/readd the PC to the domain.

On this occasion I was trying to use RSAT to manage DHCP on an alternative domain. The connectivity is in place with a Non-Transitive Trust between Domain A and Domain B but I was trying to administer Domain C!

The really simple fix was to use the command line “runas /netonly” which allows MMC to run as an alternative user (in the destination domain) seamlessly “/netonly” allows you to run applications as a local user but authenticating over the network as another user.

runas /netonly /user:domain\username "mmc dhcpmgmt.msc /server=DC"

Note: On Windows Server 2008 holding the “shift” key and right clicking on MMC will not display the “runas” function as in Windows Server 2008 R2 or Windows 7. A quick workaround is to use the “ShellRunAs” Sysinternals tools. Simply drag and drop the exe/msc onto the tool and it will prompt to run with alternative credentials.

References: http://ss64.com/nt/runas.html

SubACL & iCALCS

Leave a Reply

SUBINACL (SubInACL.exe)

SubInACL is an alternative command line tool to iCACLS that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

iCACLS

iCACLS example of modifying file permissions:

@echo off
REM ** /T = Performs the operation on all specified files in the current directory and its subdirectories.
REM ** /F = Full Access
REM ** /M = Modify Access
if exist "C:\Program Files (x86)" goto 64
icacls "%ProgramFiles%\Folder" /inheritance:e /grant "MyDomain\Domain Users":M /T
goto next
:64
icacls "%ProgramFiles(x86)%\Folder" /inheritance:e /grant "MyDomain\Domain Users":M /T
next
pause