Category Archives: Windows Server 2003

VMWare | “Unable to locate the required Sysprep files”

Yes, the year is 2016, and yes, we are still converting Server 2003 onto VMware! (I know Server 2003 is dead and 13 years behind the times, but there are still some instances in our organisation that require it for old bespoke software that can’t easily be moved to Server 2013/2016.)

When converting a physical “Server 2003” machine to a virtual machine using VMware Converter this error displays:

“Warning: Unable to locate the required Sysprep files. Upload them under ‘C:\ProgramData\VMware vCentre Converter Standalone\sysprep\svr2003’ on the Converter server machine. See ‘Help’ for more details”


Windows Time Commands | Cheatsheet

Check time service is running (Local & Remote):

sc query w32time
sc \\HOSTNAME query w32time

Displays all local time information (Local & Remote):

w32tm /query /configuration
w32tm /query /configuration /computer:HOSTNAME

Display Windows Time service status (Local & Remote):

w32tm /query /status
w32tm /query /status /computer:HOSTNAME

Display Windows Time service source (Will return one line: local CMOS vs Server) (Local & Remote):

w32tm /query /source
w32tm /query /source /computer:HOSTNAME

Display a list of peers and their status:

w32tm /query /peers

Displays current time (local source)

Time /T

Resync local computer time against time server: (run on all servers, except time server)

w32tm /resync /rediscover 

Force local computer time to update against domain server (Local & Remote):

w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
w32tm /resync
w32tm /config /syncfromflags:domhier /update /computer:HOSTNAME
w32tm /resync /rediscover /computer:HOSTNAME
w32tm /resync /computer:HOSTNAME

Start the Windows Time service via CLI (Local & Remote):

net start w32time
sc \\HOSTNAME start w32time

Restore Windows Time Service (if it has been broken)

net stop W32Time
w32tm /unregister
w32tm /register
net start W32Time
sc query W32Time

Set Time Update NTP source

@echo off
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:0.uk.pool.ntp.org
w32tm /config /reliable:yes
net start w32time
w32tm /query /peers
PAUSE
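The “/query /status” and “/query /source” commands above are what you run by hand on one box; when you have a dozen servers to check, the same commands can be scripted. The function below is an added example (not from the original post): it runs w32tm /query /status against each host, pulls out the “Source:” and “Last Successful Sync Time:” lines, and flags any machine that is free-running, syncing from its local CMOS clock, or has not synced within an assumed 24-hour window. The host names in the usage line are placeholders.

```powershell
# Added example, not from the original post: audit Windows Time on several
# hosts with "w32tm /query /status" and flag machines that are not really
# synchronising. The 24-hour threshold and host names are assumptions.
function Get-W32TimeAudit {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$MaxAgeHours = 24
    )
    foreach ($computer in $ComputerName) {
        # Capture stdout and stderr together; an unreachable host only yields an error line
        $lines = & w32tm.exe /query /status /computer:$computer 2>&1
        $source = $null
        $lastSync = $null
        foreach ($line in $lines) {
            if ($line -match '^\s*Source:\s*(.+?)\s*$') {
                $source = $Matches[1]
            }
            elseif ($line -match '^\s*Last Successful Sync Time:\s*(.+?)\s*$') {
                # "unspecified" (never synced) fails to parse and stays $null
                $parsed = [datetime]::MinValue
                if ([datetime]::TryParse($Matches[1], [ref]$parsed)) { $lastSync = $parsed }
            }
        }
        # These two sources mean the host is its own clock, not an NTP/domain client
        $badSource = ($null -eq $source) -or ($source -match 'Local CMOS Clock|Free-running System Clock')
        $stale     = ($null -eq $lastSync) -or ($lastSync -lt (Get-Date).AddHours(-$MaxAgeHours))
        $sourceText = if ($source) { $source } else { '<no status returned>' }
        [pscustomobject]@{
            Computer = $computer
            Source   = $sourceText
            LastSync = $lastSync
            Healthy  = -not ($badSource -or $stale)
        }
    }
}

# Usage (placeholder host names):
# Get-W32TimeAudit -ComputerName 'DC01', 'APP01', 'RDS01' | Format-Table -AutoSize
```

The line labels (“Source:”, “Last Successful Sync Time:”) are the English w32tm strings; on a non-English Windows install the regular expressions need the localised text. A host that reports Healthy = False is the one to run the “/resync /rediscover” commands above against, since Kerberos and log correlation both depend on the clocks agreeing.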

Event Viewer Error Message:

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 12
Description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

To resolve Event ID 12:

  • w32tm /register


Enable ICMP (Ping) & WMI | CMD Line

Without enabling ICMP, ping requests will not get a reply from the server.

Enable ICMP using “netsh firewall” (Old Method):

netsh firewall set icmpsetting 8

Enable ICMP using “netsh advfirewall” (New Method):

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Enable WMI using “netsh advfirewall” (New Method):

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
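The two “netsh advfirewall” rules above allow echo requests and WMI from any address. The function below is an added example (not from the original post) that creates the same inbound ICMPv4 echo exception and enables the same built-in WMI rule group, but restricts both to a management subnet with the rule’s remote-address scope, so that only admin hosts get a reply. It uses the NetSecurity cmdlets, which exist on Windows 8 / Server 2012 and later; the subnet 10.0.0.0/24 and the rule name are assumed values.

```powershell
# Added example, not from the original post: the inbound ICMPv4 echo and WMI
# exceptions from the netsh commands above, scoped to a management subnet.
# Needs the NetSecurity module (Windows 8 / Server 2012+). The subnet is an
# assumed value; pass your own.
function Enable-ScopedManagementAccess {
    param(
        [Parameter(Mandatory)][string[]]$ManagementSubnet,
        [string]$IcmpRuleName = 'ICMP Allow incoming V4 echo request (management only)'
    )
    # Inbound ICMPv4 type 8 (echo request), allowed only from the management subnet
    $icmp = Get-NetFirewallRule -DisplayName $IcmpRuleName -ErrorAction SilentlyContinue
    if (-not $icmp) {
        $icmp = New-NetFirewallRule -DisplayName $IcmpRuleName -Direction Inbound -Action Allow `
                    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $ManagementSubnet
    } else {
        # Rule already exists: just re-apply the scope
        $icmp | Set-NetFirewallRule -RemoteAddress $ManagementSubnet
    }

    # The built-in WMI rule group: enable only the inbound rules, then narrow their scope
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Set-NetFirewallRule -Enabled True -RemoteAddress $ManagementSubnet

    # Report what is now reachable, and from where
    $rules = @($icmp) + @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound)
    foreach ($rule in $rules) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Enabled       = $rule.Enabled
            RemoteAddress = (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
}

# Usage (assumed subnet):
# Enable-ScopedManagementAccess -ManagementSubnet '10.0.0.0/24' | Format-Table -AutoSize
```

Allow rules in Windows Firewall are additive, so if the unscoped “ICMP Allow incoming V4 echo request” rule from the netsh command above already exists, remove it first; otherwise the broader allow still answers pings from everywhere.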

RSAT Across Domains | Security database on the server does not have a computer account for this workstation trust relationship

Problem when trying to use RSAT to remotely administer a different domain.

“Security database on the server does not have a computer account for this workstation trust relationship”

There are numerous blog/forum posts regarding the cause of this error; however, most relate to workstations on the local domain not being able to authenticate to the local DC. (The quick fix is to remove the network cable, log in with cached credentials and remove/re-add the PC to the domain.)

On this occasion I was trying to use RSAT to manage DHCP on an alternative domain. The connectivity is in place with a Non-Transitive Trust between Domain A and Domain B but I was trying to administer Domain C!

The really simple fix was to use the command line “runas /netonly”, which lets MMC run seamlessly as an alternative user in the destination domain: “/netonly” runs the application as the local user but authenticates over the network as another user.

runas /netonly /user:domain\username "mmc dhcpmgmt.msc /server=DC"

Note: On Windows Server 2008, holding the “Shift” key and right-clicking on MMC does not display the “Run as” option as it does on Windows Server 2008 R2 or Windows 7. A quick workaround is the Sysinternals “ShellRunAs” tool: simply drag and drop the exe/msc onto the tool and it will prompt to run with alternative credentials.

References: http://ss64.com/nt/runas.html

AD LDAP Attributes | Common Entries

List of common LDAP AD fields which can be used with the “DSQuery” or other tools which lookup AD objects.

csvde -m -f c:\DSQueryUsers.csv -d "OU=Users,OU=UK,DC=domain,DC=local" -r "(&(objectClass=*)(mail=*))" -l displayName,userPrincipalName

In order to simplify the process of creating LDAP queries you can use the SysInternals “Active Directory Explorer” tool to help with this process.

See below for the table:
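The csvde filter above is typed by hand, but the same query is often built from a value a user supplies (a name or mail prefix from a helpdesk form, say). The code below is an added example, not from the original post: it escapes the characters RFC 4515 gives special meaning in a filter and then runs the same kind of search with the .NET DirectorySearcher, returning the same attributes as the csvde line. The OU path matches the csvde example; the search value and output path are placeholders.

```powershell
# Added example, not from the original post: escape user-supplied text before
# embedding it in an LDAP filter (RFC 4515), then run a csvde-style search.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        $token = switch ([string]$ch) {
            '*'     { '\2a' }
            '('     { '\28' }
            ')'     { '\29' }
            '\'     { '\5c' }
            "`0"    { '\00' }
            default { $ch }
        }
        [void]$sb.Append($token)
    }
    return $sb.ToString()
}

function Find-AdMailUser {
    param(
        [Parameter(Mandatory)][string]$MailPrefix,
        # Same search base as the csvde example above
        [string]$SearchBase = 'LDAP://OU=Users,OU=UK,DC=domain,DC=local',
        [string[]]$Attributes = @('displayName', 'userPrincipalName', 'mail')
    )
    # Same shape as the csvde filter, with the caller's text escaped first
    $filter = '(&(objectClass=user)(mail={0}*))' -f (ConvertTo-LdapFilterValue $MailPrefix)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchBase
    $searcher.Filter     = $filter
    $searcher.PageSize   = 1000          # paged results, so large OUs are not truncated
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }

    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($a in $Attributes) {
            # DirectorySearcher keys its property bag with lower-case names
            $row[$a] = ($result.Properties[$a.ToLower()] | Select-Object -First 1)
        }
        [pscustomobject]$row
    }
}

# Usage (placeholder values). The second call shows why escaping matters: unescaped,
# a value such as '*)(objectClass=*' would rewrite the filter and match every object.
# Find-AdMailUser -MailPrefix 'j.smith' | Export-Csv C:\DSQueryUsers.csv -NoTypeInformation
# ConvertTo-LdapFilterValue '*)(objectClass=*'
```

Active Directory Explorer, mentioned above, is a good way to test the escaped filter interactively before scripting it.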


Saving Windows Disk Space | Removing “Installer\$PatchCache$”

Running out of disk space on C:\, I found C:\WINDOWS\Installer\$PatchCache$ to be massive! I used JAM Software’s TreeSize to see what was taking up the space.

From research, this folder can be safely deleted; however, you MUST NOT delete the top-level “Installer” folder “C:\WINDOWS\Installer” (only the sub-folders inside it).

A quick method for deleting this directory is:

Stop “Windows Installer Service”

net stop msiserver

Run the “Remove Directory” command (/q: quiet mode, no confirmation prompt; /s: remove all sub-directories and files)

rmdir /q /s %WINDIR%\Installer\$PatchCache$

Start “Windows Installer Service”

net start msiserver

Reference: http://goo.gl/SW5M9
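The three steps above (stop the installer service, remove the folder, start the service) are easy to get wrong under pressure, and the warning about the “Installer” folder itself is the one that matters. The function below is an added example, not from the original post: it reports the folder size first, refuses to act on any path that is not exactly an “Installer\$PatchCache$” folder, supports -WhatIf / -Confirm, and always restarts msiserver even if the removal fails part-way.

```powershell
# Added example, not from the original post: the stop / rmdir / start sequence
# from the post with a size report, a path guard and -WhatIf / -Confirm support.
function Remove-PatchCache {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$Target = (Join-Path $env:WINDIR 'Installer\$PatchCache$'))

    if (-not (Test-Path -LiteralPath $Target)) {
        Write-Verbose "$Target does not exist; nothing to do"
        return
    }
    # Resolve the path and insist it is exactly ...\Installer\$PatchCache$ so the
    # Installer folder itself (which the post says must never be deleted) is never touched
    $resolved = (Resolve-Path -LiteralPath $Target).ProviderPath
    if ($resolved -notmatch '\\Installer\\\$PatchCache\$$') {
        throw ('Refusing to remove {0}: not an Installer\$PatchCache$ folder' -f $resolved)
    }

    # Same information TreeSize gave: how much will actually be reclaimed
    $bytes = (Get-ChildItem -LiteralPath $resolved -Recurse -File -Force -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    Write-Host ('{0} holds {1:N1} MB' -f $resolved, ($bytes / 1MB))

    if ($PSCmdlet.ShouldProcess($resolved, 'Stop msiserver, remove folder, restart msiserver')) {
        Stop-Service -Name msiserver -Force                    # net stop msiserver
        try {
            Remove-Item -LiteralPath $resolved -Recurse -Force # rmdir /q /s
        } finally {
            Start-Service -Name msiserver                      # net start msiserver
        }
    }
}

# Usage: rehearse first, then run for real
# Remove-PatchCache -WhatIf
# Remove-PatchCache
```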

“Migrating GPOs Across Domains with GPMC”

I’ve recently updated my Windows Server 2008 R2 system to Windows Server 2012. Windows Server 2012 was a fresh install using a different domain name on a new system. My intention was to manually migrate all data from the existing 2008 R2 server into the new domain; this included Hyper-V VMs, DHCP and GPOs. There is the option of using ADMT, however I required a clean install.

These are the steps I took in order to migrate GPOs from the source server to the destination server with a different domain name.

(Although this was completed from a 2008 R2 to a 2012 server, the first set of screenshots were created on the new 2012 server for this guide.)

Source WS2008R2: Back up the existing GPOs from the GPMC; you need to ensure that the “Group Policy Objects” container is selected for the “Back Up All” option to be available.


Event ID1202 | Security policies were propagated with warning. 0x534

I don’t want to get into the habit of logging every single error and snag I find in the event viewer, but part of my work is closely tied to Group Policy and deployment, so I thought this would be useful in the future.

I was getting this error listed in the event viewer:

Error: Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Category: None
Type: Warning
Event ID: 1202


Show Host Name via VBS (ShowHost.vbs)

A simple script to show the host name of the local machine in a popup window; add the code below to “ShowHost.vbs”:

' Read the computer name from the environment and show it in a message box
Dim Shell
Dim CompName
Set Shell = WScript.CreateObject("WScript.Shell")
CompName = Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
MsgBox "Your computer name is " & CompName

“You have been logged on with a temporary profile”

I see this error quite often when users log on to the Windows Server 2008 R2 RDS/TS server. The fix is pretty simple.

Use “regedit” and navigate to this entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Find the entry with .bak listed and delete it. When the user logs back in the profile will be recreated.

Source: KB947242
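Finding the “.bak” entry by eye in regedit is fine for one server; on a busy RDS host it is easier to list them with the SID resolved to an account name before deleting anything. The functions below are an added example, not from the original post: the first lists every ProfileList key ending in “.bak” with its SID, account and profile path, and the second removes them, honouring -WhatIf and prompting by default.

```powershell
# Added example, not from the original post: find and remove the ".bak"
# ProfileList entries described in the post, with the SID resolved first.
function Get-StaleProfileListEntry {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $base | Where-Object { $_.PSChildName -like '*.bak' } | ForEach-Object {
        $sid = $_.PSChildName -replace '\.bak$', ''
        # Resolve the SID so the output shows which user is affected
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'   # deleted account, or no domain contact
        }
        [pscustomobject]@{
            KeyName     = $_.PSChildName
            Sid         = $sid
            Account     = $account
            ProfilePath = (Get-ItemProperty -LiteralPath $_.PSPath).ProfileImagePath
            Key         = $_.PSPath
        }
    }
}

function Remove-StaleProfileListEntry {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    foreach ($entry in Get-StaleProfileListEntry) {
        if ($PSCmdlet.ShouldProcess($entry.KeyName, "Remove ProfileList key for $($entry.Account)")) {
            Remove-Item -LiteralPath $entry.Key -Recurse
        }
    }
}

# Usage: review, then remove (prompts per key; add -WhatIf to rehearse)
# Get-StaleProfileListEntry | Format-Table -AutoSize
# Remove-StaleProfileListEntry
```

Run it from an elevated prompt, since ProfileList is under HKEY_LOCAL_MACHINE.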

Rename Windows Workstation/PC remotely

In order to rename a Windows system remotely you need to use the NETDOM command.

The command has been around for a while now and is standard in Windows 2008. In Windows 2003 you can find it in the Windows Resource Kit.

Example:

netdom renamecomputer old_name /newname:new_name /userd:domain_admin_login /passwordd:domain_admin_pwd
netdom renamecomputer domold-W7 /newname:domnew-W7 /userd:administrator /passwordd:Passw0rd

WinRM for Event Forwarding

Windows Remote Management (WinRM) is required by the Windows Remote Shell command-line tool (Winrs), event forwarding, and Windows PowerShell 2.0.

The WinRM service starts automatically on Windows Server 2008, but must be started manually on Windows Vista.

  • Show WinRM Status: “winrm get winrm/config”
  • Show WinRM Help: “winrm help config”
  • Setup WinRM: “winrm qc” (Quick Config)

“winrm qc” performs the following operations:

  • Starts the WinRM service, and sets the service startup type to auto-start.
  • Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.
  • Defines ICF exceptions for the WinRM service, and opens the ports for HTTP and HTTPS. (Only for the current user profile)

Reference: http://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx


Delegate Distribution List Modification to Users in Outlook.

I always wondered what the “Managed By” tab was when displaying the properties of a Distribution or Security Group in Active Directory. By adding a user to the “Managed By” tab they can then be delegated to modify distribution lists using Outlook; obviously this helps with admin tasks and with people complaining at you when someone is not in the list!!

  1. My Computer -> Administrative Tools -> Users and Computers
  2. Select the OU – I create a separate “Distribution_Groups_OU”
  3. Select “Distribution Group” right click “Properties”

Checking what users are part of the Distribution group in Outlook

  1. Add Distribution in email using “to…”
  2. Simply click “+” to expand it.
  3. Note: This “+” does not apply to all distribution groups, such as dynamic groups, so you may not see it. You will need to check AD to confirm what type of list it is.

Modifying Distribution group in Outlook (For the delegated user selected in the previous step “Managed By” tab)

  1. Open Outlook -> Tools -> Address Book
  2. Locate Distribution Group -> Right Click -> Properties
  3. Click “Modify Members”
  4. Click “Add”
  5. Select Member Click “OK”


HP Proliant Server (Safemode / DSRM)

After a bad day with a Windows Server 2003 AD failure I had to do a system state restore using Directory Services Restore Mode (DSRM).

How hard could it be?? F8 in the BIOS before Windows starts, right? Wrong!

This was on an HP ProLiant ML310 G5 with multiple RAID & iLO devices using F8 for their configuration options, therefore every time I pressed F8 (trying not to miss my window) I’d simply keep going into these config screens.

The Fix:

Wait until the initial RAID & ILO has loaded and processed to the next item then keep pressing “F5”

Yes F5 not F8!

Groups in AD | Domain Local, Global, Universal

Domain Local: groups can contain users, global groups and universal groups from anywhere in the AD forest, but can only be used to secure resources within the same domain.

Global: groups can contain only users and groups from within the same domain, but can be used to secure resources anywhere in the forest.

Universal: groups can contain objects from anywhere in the forest, and can be used to secure resources anywhere in the forest.


Group scope: Domain Local
  Can contain:
  • User accounts from any domain in the forest
  • Global or universal groups from any domain in the forest
  • User accounts, global or universal groups from a trusted forest domain
  • Other domain local groups from the same domain
  Usage:
  • Resources in the local domain

Group scope: Global
  Can contain:
  • User accounts in the same domain
  • Other global groups from the same domain
  Usage:
  • Any domain in the forest or trusted forests

Group scope: Universal
  Can contain:
  • Users, global groups or universal groups from any domain in the forest
  Usage:
  • Any domain in the forest or trusted forests

You can only convert between scopes as follows, and the conversion will only succeed if the group’s existing memberships (“member of”) are allowed under the new scope:

  • Domain Local to Universal
  • Global to Universal
  • Universal to Domain Local & Global

BACKUP!

DO A STANDALONE BACKUP NOW!

This is something we all overlook and it makes life so much easier if you have a copy just dumped to a network share!

GPO Backup:

GPO Restore:

DHCP Backup:
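The three headings above cover exactly what a scheduled job should do. The functions below are an added example, not from the original post: the first backs up every GPO and exports the DHCP server configuration (leases included) to a dated folder on a network share and writes a manifest so the backup GUIDs can be matched back to GPO names; the second restores one GPO from that backup, creating it if the target domain does not have it, which is the cross-domain case the GPMC post above deals with. It assumes the GroupPolicy module (Server 2008 R2+ or RSAT) and the DhcpServer module (Server 2012+); the share path is a placeholder.

```powershell
# Added example, not from the original post: GPO + DHCP backup to a share and
# a single-GPO restore. Module availability and the share path are assumptions.
function Backup-GpoAndDhcp {
    param(
        [Parameter(Mandatory)][string]$ShareRoot,        # e.g. '\\fileserver\backups' (placeholder)
        [string]$DhcpServer = $env:COMPUTERNAME
    )
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
    $gpoDir   = Join-Path $ShareRoot "gpo\$stamp"
    $dhcpFile = Join-Path $ShareRoot "dhcp\$stamp-$DhcpServer.xml"
    New-Item -ItemType Directory -Path $gpoDir, (Split-Path $dhcpFile) -Force | Out-Null

    # GPO backup: equivalent of GPMC "Back Up All" on the Group Policy Objects container
    Import-Module GroupPolicy -ErrorAction Stop
    $gpos = Backup-GPO -All -Path $gpoDir -Comment "Scheduled backup $stamp"
    # Backup folders are named by backup GUID only, so keep a name-to-GUID map beside them
    $gpos | Select-Object DisplayName, GpoId, Id, Timestamp |
        Export-Csv -Path (Join-Path $gpoDir 'manifest.csv') -NoTypeInformation

    # DHCP backup: full server configuration plus current leases
    Import-Module DhcpServer -ErrorAction Stop
    Export-DhcpServer -ComputerName $DhcpServer -File $dhcpFile -Leases -Force

    [pscustomobject]@{
        GpoCount   = @($gpos).Count
        GpoPath    = $gpoDir
        DhcpExport = $dhcpFile
    }
}

# Restore one GPO from that backup, into the same or a different domain
function Restore-GpoFromBackup {
    param(
        [Parameter(Mandatory)][string]$BackupPath,       # the dated gpo\<stamp> folder
        [Parameter(Mandatory)][string]$BackupGpoName,    # DisplayName as listed in manifest.csv
        [string]$TargetName = $BackupGpoName
    )
    Import-Module GroupPolicy -ErrorAction Stop
    Import-GPO -BackupGpoName $BackupGpoName -Path $BackupPath -TargetName $TargetName -CreateIfNeeded
}

# Usage (placeholder paths):
# Backup-GpoAndDhcp -ShareRoot '\\fileserver\backups'
# Restore-GpoFromBackup -BackupPath '\\fileserver\backups\gpo\20160101-0200' -BackupGpoName 'Default Domain Policy'
```

Import-GPO copies the settings only; links to OUs and any security filtering that references source-domain SIDs are not carried across, which is the part the GPMC migration post above has to handle by hand. On a Server 2003/2008 DHCP server without the DhcpServer module, “netsh dhcp server export” produces the equivalent dump.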


Bridgehead Servers, Intersite Links and RepAdmin

Bridgehead Servers

A bridgehead server is a domain controller in each site that is used as the contact point to receive and replicate data between sites. For inter-site replication, the KCC designates one of the domain controllers as the bridgehead server; if that server is down, the KCC designates another domain controller. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.

Repadmin Sync: (Synchronizes DC with replication partners)

repadmin /syncall

Bridgehead Servers: (Displays bridgehead servers)

repadmin /bridgeheads

Troubleshooting:

Seeing a number of KCC replication errors in the event log; no doubt something is not configured correctly in “Sites and Services”. This Microsoft document should give you a few tips: Troubleshoot with Repadmin
