Category Archives: Windows Server 2008

Removing “Help Protect and Improve Microsoft Office” prompt from RDS/TS

  1. Users without administrative access are unable to select the desired options on the “Help Protect and Improve Microsoft Office” prompt, which is displayed when first loading Microsoft Office 2010, as they require elevated permissions.

This issue can be resolved via a GPO. Unfortunately, Office 2010 GPOs are not integrated into the standard GPOs within Windows Server, so they require an additional download.


TS/RDS Renaming “Remote Desktop Services Default Connection”

Updating “Remote Desktop Services Default Connection” text

Server 2008 R2
Edit the entry in the RDWebAccess.Config file.
C:\Windows\Web\RDWeb\App_Data\RDWebAccess.Config (Default location)

Server 2012 (PowerShell):

Syntax: Set-RDWorkspace [-Name] <String> [-ConnectionBroker <String>]

Example:

set-RDWorkspace -Name "My Remote Desktop Name here BLAH BLAH"

Adding “Remote Desktop” icon to the Remote Apps list: 

Click on Parameters and select the Always use the following command-line parameters. Type the following in the text box: /v: <FQDN of the RDSH server>.


Terminal Service Manager – Logoff, Reset, Disconnect?

Just a quick note to clarify what each option actually does…

Disconnect: Disconnects a user from a session. The session remains attached to the terminal server in the disconnected state and currently running applications continue to run. When you attempt to reconnect to the server, you are reconnected to the same session from which you disconnected, even if you are reconnecting from a different computer. Applications that were left open when you disconnected remain running when you reconnect to the session, with no loss of data.

Reset: Enables you to delete a session instantly. Be aware that resetting a user’s session without warning can result in loss of data at that session. Reset a session only when it malfunctions or appears to have stopped responding.

Logoff: Enables you to log off a user from a session on the server. Be aware that logging off a user without warning can result in loss of data at the user’s session. When you log off a user, all processes end and the session is deleted from the server.

Source: technet.microsoft.com

 

Delegate Distribution List Modification to Users in Outlook.

I always wondered what the “Managed By” tab was when displaying the properties of a Distribution or Security Group in Active Directory. By adding a user to the “Managed By” tab, they can then be delegated to modify distribution lists using Outlook. Obviously this helps with admin tasks and people complaining at you when someone is not in the list!!

  1. My Computer -> Administrative Tools -> Users and Computers
  2. Select OU – I create a separate “Distribution_Groups_OU”
  3. Select “Distribution Group” right click “Properties”

Checking what users are part of the Distribution group in Outlook

  1. Add Distribution in email using “to…”
  2. Simply click “+” to expand it:
  3. Note: This “+” does not apply to all distribution groups, such as Dynamic groups, so you may not see it. You will need to check AD to confirm what type of list it is.

Modifying Distribution group in Outlook (For the delegated user selected in the previous step “Managed By” tab)

  1. Open Outlook -> Tools -> Address Book
  2. Locate Distribution Group -> Right Click -> Properties
  3. Click “Modify Members”
  4. Click “Add”
  5. Select Member Click “OK”

 

HP Proliant Server (Safemode / DSRM)

After a bad day with a Windows Server 2003 AD failure I had to do a system state restore using Directory Services Restore Mode (DSRM)

How hard could it be?? F8 in the BIOS before Windows starts, right? Wrong!

This was on an HP Proliant ML310 G5 with multiple RAID & ILO devices using F8 as their configuration options, therefore every time I pressed F8 (trying not to miss my window) I’d simply keep going into these config screens.

The Fix:

Wait until the initial RAID & ILO has loaded and processed to the next item then keep pressing “F5”

Yes F5 not F8!

Enable Network Discovery Server 2008 R2

Need to enable network discovery in Windows Server 2008 R2?

The problem is that after you have enabled this it simply turns off again, so you need to enable the following services. I changed the startup type to automatic.

Start the following services:

net start "DNS Client"
net start "Function Discovery Resource Publication"
net start "SSDP Discovery"
net start "UPnP Device Host"

You still may not see the contents of “network places” populate with all the computers across the network so you will need to “enable NetBIOS over TCP/IP” from the network card adapter properties.

Control Panel -> Network Connections -> Right click Properties on network card -> Select TCP/IP Settings -> Click Properties -> Advanced -> WINS tab -> enable NetBIOS over TCP/IP

This is usually configured within DHCP for clients, however in my situation I was enabling this feature on a server, therefore a fixed IP address not pulled from DHCP.


Source: http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/e1cc2310-b4f7-4de5-818a-352d8f792de5

Groups in AD | Domain Local, Global, Universal

Domain Local: groups can contain users, global groups and universal groups from anywhere in the AD forest, but can only be used to secure resources within the same domain.

Global: groups can contain only users and groups from within the same domain, but can be used to secure resources anywhere in the forest.

Universal: groups can contain objects from anywhere in the forest, and can be used to secure resources anywhere in the forest.


Group Scope: Domain Local
Can contain:
  • User accounts from any domain in the forest
  • Global or universal groups from any domain in the forest
  • User accounts, global or universal groups from a trusted forest domain
  • Other domain local groups from the same domain
Usage:
  • Resources in local domain

Group Scope: Global
Can contain:
  • User accounts in the same domain
  • Other global groups from the same domain
Usage:
  • Any domain in the forest or trusted forests

Group Scope: Universal
Can contain:
  • Users, global groups or universal groups from any domain in the forest
Usage:
  • Any domain in the forest or trusted forests

You can only convert from the following and this will only take place if the correct “member of” groups are related:

  • Domain Local to Universal
  • Global to Universal
  • Universal to Domain Local & Global

BACKUP!

DO A STANDALONE BACKUP NOW!

This is something we all overlook and it makes life so much easier if you have a copy just dumped to a network share!

GPO Backup:

GPO Restore:

DHCP Backup:

 

Bridgehead Servers, Intersite Links and RepAdmin

Bridgehead Servers

A bridgehead server is a domain controller in each site, which is used as a contact point to receive and replicate data between sites. For inter-site replication, the KCC designates one of the domain controllers as a bridgehead server. If that server is down, the KCC designates another of the domain controllers. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.

Repadmin Sync: (Synchronizes DC with replication partners)

repadmin /syncall

Bridgehead Servers: (Displays bridgehead servers)

repadmin /bridgeheads

Troubleshooting:

Seeing a number of KCC replication errors in the event log? No doubt something is not configured correctly in “Site-&-Services”. This Microsoft document should give you a few tips: Troubleshoot with Repadmin

Adobe Reader X (Rollout)

With the release of Adobe Reader X I needed to roll this out to a number of systems. There seems to be a mass of complex information regarding something as simple as a silent install at login on the client PCs.

Below is a list of reference material to help make this process easier! There are a number of methods, so no right and wrong way of doing it! I’m in the process of deployment so building up a list of information to get it right (will update here later)

Silent Install switch (could be added to login script) then via GP:

\\server\Software-Distribution\AdbeRdr1000_en_US.exe /msi EULA_ACCEPT=YES /qn

Installation via software deployment in GP (old guide but the same principle)

http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/gpo_ad_8.pdf

TS/RDS Disconnect Sessions GP

  • Start -> Run -> gpedit.msc
  • Open Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services -> Session.

Set time limit for disconnected sessions

  • You can use this setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session.

Sets a time limit for active Terminal Services session

  • You can use this setting to specify the maximum amount of time a Terminal Services session can be active before it is automatically disconnected.

Sets a time limit for active but idle Terminal Services session

  • You can use this setting to specify the maximum amount of time that an active session can be idle (that is, no user input) before it is automatically disconnected.

Allow reconnection from original client only

  • Specifies whether to allow users to reconnect to a disconnected Terminal Services session using a computer other than the original client computer.

Terminate session when time limits are reached

  • Specifies whether to terminate a timed-out Terminal Services session instead of disconnecting it.
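
To check which of the settings above are actually applied on a server, the following added example (not part of the original post) reads the policy values from the registry and reports them. The registry value names are assumed to be the ones the Terminal Services administrative template writes, with times stored in milliseconds; confirm them against your own template before relying on the output.

```powershell
# Added example: report the session limit policy applied to this TS/RDS host.
# Assumption: the policy writes these value names (times in milliseconds).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$timeLimits = @(
    @('Time limit for disconnected sessions',    'MaxDisconnectionTime'),
    @('Time limit for active sessions',          'MaxConnectionTime'),
    @('Time limit for active but idle sessions', 'MaxIdleTime')
)
$switches = @(
    @('Allow reconnection from original client only',   'fReconnectSame'),
    @('Terminate session when time limits are reached', 'fResetBroken')
)

function Get-PolicyValue {
    # Returns the value, or $null when the policy is not configured.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

function Format-Row {
    param([string]$Setting, [string]$State)
    New-Object PSObject -Property @{ Setting = $Setting; State = $State } |
        Select-Object Setting, State
}

$report = @()
foreach ($pair in $timeLimits) {
    $ms = Get-PolicyValue -Path $key -Name $pair[1]
    if ($null -eq $ms)  { $state = 'Not configured' }
    elseif ($ms -eq 0)  { $state = 'Never' }
    else                { $state = '{0:N0} minutes' -f ($ms / 60000) }
    $report += Format-Row -Setting $pair[0] -State $state
}
foreach ($pair in $switches) {
    $flag = Get-PolicyValue -Path $key -Name $pair[1]
    if ($null -eq $flag) { $state = 'Not configured' }
    elseif ($flag -eq 1) { $state = 'Enabled' }
    else                 { $state = 'Disabled' }
    $report += Format-Row -Setting $pair[0] -State $state
}
$report | Format-Table -AutoSize
```

A disconnected-session limit that shows as "Not configured" or "Never" means disconnected sessions stay on the server until someone logs them off or resets them.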

WSUS (wuauclt.exe) | Updates CLI

Detectnow Option

Because waiting for detection to start can be a time-consuming process, an option has been added to allow you to initiate detection right away. On one of the computers with the new Automatic Update client installed, run this at command prompt:

wuauclt.exe /detectnow

Resetauthorization Option

WSUS uses a cookie on client computers to store various types of information, including computer group membership when client-side targeting is used. By default this cookie expires an hour after WSUS creates it. If you are using client-side targeting and change group membership, use this option in combination with detectnow to expire the cookie, initiate detection, and have WSUS update computer group membership.

Note that when combining parameters, you can use them only in the order specified as follows:

wuauclt.exe /resetauthorization /detectnow

Windows Server Update Services (WSUS) Support Tools:

CLI for WUAUCLT:

Source: http://technet.microsoft.com/en-us/library/cc708617(WS.10).aspx

Check Action Sessions & disconnect on TS via CMD

Run the following on any Server in the domain from CMD.

  • query session /server:servername

You can then close the sessions by running the following:

  • reset session [ID] /server:servername


DNS Zone export to TXT & Clear DNS

Exports the contents of the specific DNS zone to a .txt file. Just makes the process easier for debugging etc, when dealing with larger DNS zones:

dnscmd /zoneexport domain.com c:\zones-export.txt

Clears the local computer cache.

ipconfig /flushdns

Clears the DNS server cache.

dnscmd /clearcache

Terminal Services Licensing service cannot start Server 2008

Event Viewer displays:

  1. The Terminal Services Licensing service cannot start. The following error occurred: Can’t initialize Cryptographic – error code 8009000f.
  2. An error occurred during the Terminal Services license server initialization phase.
  3. To resolve this issue, ensure that required groups are granted the correct permissions to the TermServLicensing registry key and that the value of the DBPath registry key matches the location of the LServer directory. If the problem persists, shut down and then restart the Terminal Services license server

Fix:

  • Change permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
  • Manually restarted the service (services.msc)

In my case, Local administrator already had full access. Added Domain Admin (Full Access) and Network Services (Full Access)

Check this article which pointed me in the right direction: http://msdn.microsoft.com/en-us/library/bb909654(VS.90).aspx

Next…

Now with the above problem solved… we then move onto our next problem:

http://blogs.msdn.com/b/rds/archive/2010/03/30/event-17-certificate-corruption-on-terminal-services-remote-desktop-license-servers.aspx#CertDeletion

Another useful link:

http://www.windowsitpro.com/article/licensing/jsi-tip-9040-you-cannot-activate-a-terminal-services-license-server-in-a-windows-server-.aspx

Add Network Printer via VBS

Use the script below to add a network printer. You can simply dump this into a txt file, rename it to .VBS and change the printer addresses (these need to be shared of course!)
The last bit of code should stop the “Error: 8007007B – the filename, directory name, or volume label syntax is incorrect” as it will keep retrying the connection to the printer share if the network is slow and timing out etc.

Last bit is to drop the script into the DC netlogon and add to group policy! BAMM!


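Option Explicit

' UNC path of the shared printer (change to suit)
Const PRINTER_PATH = "\\server\printer"

Dim net
Set net = CreateObject("WScript.Network")

' Map the printer with retries first, then make it the default
' only if the mapping succeeded
If MapPrinter(PRINTER_PATH) Then
    net.SetDefaultPrinter PRINTER_PATH
End If

' Tries to connect up to 5 times, pausing 2 seconds between attempts,
' so a slow network at logon does not abort the script with error 8007007B.
' Returns True once the printer is connected.
Function MapPrinter(strPrinter)
    Dim objNetwork, boolConnected, intAttempts
    On Error Resume Next
    Set objNetwork = CreateObject("WScript.Network")
    boolConnected = False
    intAttempts = 1
    While boolConnected = False And intAttempts <= 5
        Err.Clear
        objNetwork.AddWindowsPrinterConnection strPrinter
        If Err.Number <> 0 Then
            intAttempts = intAttempts + 1
            WScript.Sleep 2000
        Else
            boolConnected = True
        End If
    Wend
    MapPrinter = boolConnected
End Function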

RDP via TS Web “error occurred… Desktop Gateway server.”

Problem connecting to server via RDP when using the TS web interface.

  1. Login OK to the TS Web Interface.
  2. Click “Connect” to server
  3. RDP Loads…
  4. Error displays: “An error occurred while sending data to the Remote Desktop Gateway server. The server is temporarily unavailable or a network connection is down. Try again later, or contact your network administrator for assistance.”

Note: This problem is related to newer features in RDP v7 which are not installed by default on Windows XP Service Pack 3 (SP3), Windows Vista Service Pack 1 (SP1), and Windows Vista Service Pack 2 (SP2)

Fix:

Turn on CredSSP.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click -> Security Packages -> Modify -> type “tspkg”. (Leave other info) -> click OK.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

Right-click -> SecurityProviders -> Modify -> type “credssp.dll” (Leave other info) -> click OK.

Exit -> Restart computer
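
The same two registry edits as an added example, not part of the original post: a script that appends the entries only if they are missing and leaves the existing ones in place. It assumes PowerShell is installed on the client and is run from an elevated prompt; the helper name Add-UniqueItem is made up for this example.

```powershell
# Added example: enable CredSSP by appending to the two registry values above.
# Existing entries are preserved; running it twice changes nothing.

function Add-UniqueItem {
    # Hypothetical helper: returns $Existing with $Item appended unless already present.
    param([string[]]$Existing, [string]$Item)
    $clean = @($Existing | Where-Object { $_ -and $_.Trim() } | ForEach-Object { $_.Trim() })
    if ($clean -contains $Item) { return ,$clean }   # -contains is case-insensitive
    return ,($clean + $Item)
}

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$provKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

# "Security Packages" is a multi-string value: one package name per entry.
$packages    = (Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages'
$newPackages = Add-UniqueItem -Existing $packages -Item 'tspkg'
Write-Output ("Security Packages before: " + ($packages -join ', '))
Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Value ([string[]]$newPackages)
Write-Output ("Security Packages after:  " + ($newPackages -join ', '))

# "SecurityProviders" is a single string holding a comma-separated list of DLLs.
$providers    = (Get-ItemProperty -Path $provKey -Name 'SecurityProviders').SecurityProviders
$newProviders = Add-UniqueItem -Existing ($providers -split ',') -Item 'credssp.dll'
Write-Output ("SecurityProviders before: " + $providers)
Set-ItemProperty -Path $provKey -Name 'SecurityProviders' -Value ($newProviders -join ', ')
Write-Output ("SecurityProviders after:  " + ($newProviders -join ', '))

Write-Output 'Restart the computer for the change to take effect.'
```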

FSEXTEND.EXE (Diskpart)

After performing the “diskpart extend” command to merge two partitions the new partition will display in disk management however will not show the full capacity. This is a known problem if the command was run without sufficient system resources.
“The partition size is extended, but the file system remains the original size when you extend an NTFS volume” – Unfortunately Microsoft have pulled the original “KB832316” (As of 2021) so there is limited information available. There are some references for diskpart here: KB325590

The following method of fixing this with the diskpart tool may work for some (but not others)

diskpart
list volume
select volume X
extend filesystem

If, like me, you received the following error “Diskpart failed to extend the volume. Please make sure the volume is valid for extending”, then there is a 99% chance this method will not work. In this case you can use the FSEXTEND.EXE tool. After burning around the net and looking at the following EE article, it seems that getting hold of the tool is another problem. I resolved this by 45 minutes of talking to Microsoft and getting a case open… but to avoid this I’ve uploaded the tool…

Trying to get FSEXTEND.EXE ?

How to Use:

The FSExtend tool really is a “one trick pony”. If you try to get the switches required by the program it will simply return “usage: fsextend.exe driveLetter”, so you just need to perform the following:

DISKPART> select volume 1
DISKPART> extend filesystem
DiskPart successfully extended the file system on the volume.
DISKPART> exit
Leaving DiskPart...