Category Archives: Windows Server 2012

Adding DNS Alias | Replacing File Server

When replacing a file server with new server and new name you probably want to keep the old name and add a redirect. Originally, I thought this was a simple “change the DNS IP” and job done but there’s a little bit more to it than just that!

1) Locate OLDSERVER entry in DNS and delete it.

2) If the OLDSERVER server AD object still exists, you need to delete it. Failing to remove the old computer object will result in this error:

Unable to add NEWSERVER.
as an alternate name for the computer.
The error is: Cannot create a file when that file already exists.
The command failed to complete successfully.

3) Run this command to add the server alias:

netdom computername NEWSERVER /add:OLDSERVER

Note: if you have subdomains in use (sub.domain.com) then you need to specifically define this overwise the object will add “oldserver.domain.com” rather than “oldserver.sub.domain.com”

4) Register the machine in DNS

IPConfig /RegisterDNS

5) Run this command to check the aliases are shown on the machine

netdom computername NEWSERVER /enum

6) Final check to show what SPF entries have been created:

setspn -l NEWSERVER

Ref: https://support.microsoft.com/en-gb/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias

Netdom: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc835082(v=ws.10)

Original Post: https://blogs.technet.microsoft.com/askpfeplat/2017/06/19/using-computer-name-aliases-in-place-of-dns-cname-records/

Windows | DHCP PowerShell Options (Cheatsheet)

Managing DHCP on DHCP server:

Add-WindowsFeature -Name DHCP –IncludeManagementTools

Managing DHCP on remote host:

Add-WindowsFeature RSAT-DHCP

Powershell DHCP Module:

Import-Module DhcpServer

Get all DHCP servers in AD

Get-DhcpServerInDC

Get DHCP scope configuration

Get-DhcpServerv4Scope –ComputerName <DHCPServerName>

Get DHCP reservations on scope:

Get-DhcpServerv4Reservation -ComputerName <DHCPServerName> -ScopeId <ScopeID>

Import/Export DHCP Scopes

netsh dhcp server export C:\temp\DHCP.txt all
netsh dhcp server import C:\temp\DHCP.txt all

Note: The temp folder needs to be created

Check DHCP Replication Failover Status

Get-DhcpServerv4Failover -ComputerName <DHCPServerName>

Reference:
https://technet.microsoft.com/en-us/library/jj590708(v=wps.630).aspx

Windows | Remote Management “Could not start Virtual Disk Service (VDS)”

To avoid this error when you remotely managing another servers virtual disks (From “Server Management” you need to follow some steps

Disk Management could not start Virtual Disk Service (VDS) on SERVER-NAME. This can happen if the remote computer does not support VDS, or if a connection cannot be established because it was blocked by Windows Firewall.

For additional information about diagnosing and correcting this problem, see Troubleshooting Disk Management in Disk Management Help.

Step1: 

Check Virtual Disk Service is started on BOTH the local and remote system

Powershell:

Start-Service -Name "vds"

CMD:

net start vds

Step2: 

Add firewall exceptions on BOTH the local and remote system. VOILA! WORKING WITHOUT ANY ERRORS 🙂

netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes

Step3: 

Use “Server Manager” to connect remotely and access the disk management properties on the remote machine.

no images were found

Migrate Folder Shares | PowerShell

Basic objective, we’ve got a ton of shares which we need to move to a new server. The data has already been replicated but we need to re-share.
There are methods of doing this by exporting the registry but being a little scared of messing up the current shares and requiring a reboot I decided to do this manually…

Export list of shares on source server:

get-WmiObject -class Win32_Share -computer servername.fqdn.com | Export-Csv -Path "C:\Shares.csv"

Create shares on destination server:

Powershell:

Need the powershell command here

CMD Net Share

net share "ShareName"="D:\Path\FolderName" /grant:everyone,FULL

Reference:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-6
https://gallery.technet.microsoft.com/scriptcenter/Creates-New-Share-with-fb22d905
http://www.tomsitpro.com/articles/use-fileshare-powershell-cmdlets-server-2016,2-1053.html

SQL Firewall Rules | PowerShell

Add Windows Firewall exclusions for Microsoft SQL using PowerShell

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
#Enabling SQL Server Ports
New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow
New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow
New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow
New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow
New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
#Enabling SQL Analysis Ports
New-NetFirewallRule -DisplayName “SQL Analysis Services” -Direction Inbound –Protocol TCP –LocalPort 2383 -Action allow
New-NetFirewallRule -DisplayName “SQL Browser” -Direction Inbound –Protocol TCP –LocalPort 2382 -Action allow
#Enabling Misc. Applications
New-NetFirewallRule -DisplayName “HTTP” -Direction Inbound –Protocol TCP –LocalPort 80 -Action allow
New-NetFirewallRule -DisplayName “SSL” -Direction Inbound –Protocol TCP –LocalPort 443 -Action allow
New-NetFirewallRule -DisplayName “SQL Server Browse Button Service” -Direction Inbound –Protocol UDP –LocalPort 1433 -Action allow
#Enable Windows Firewall
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True

DFS | DFSR Removal of Staging Directory

After removing DFS shares on a server there may be some leftover files in the “DFSR” cache, this is a hidden location within the “System Volume Information”. This can be tricky one to delete but can be completed using some CLI.

Take Ownership of folder

icacls "e:\system volume information" /grant Administrator:F

Remove Directory (Silent & whole directory tree)

rd "e:\system volume information\dfsr" /s /q

Windows 7/10 | Remotely logoff user (Instantly)

Useful in the event of having to log someone off remotely. (i.e. if a users AD account has been disabled and you want to prevent them from using the system urgently)

You must have local administrator access to complete this. This process will logoff the user instantly.

Run CMD (As Administrator)
Obtain the session ID:

quser /server:COMPUTERNAMEHERE

Logoff session ID:

logoff ID /server:COMPUTERNAMEHERE

Example

Creating AD Trust Relationship

Ports required for trust relationship:

  • 389 (TCP and UDP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP
  • 636 (TCP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP SSL
  • 3268 (TCP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP GC
  • 3269 (TCP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP GC SSL
  • 88 (TCP and UDP) – User and Computer Authentication, Forest Level Trusts – Kerberos
  • 53 (TCP and UDP) – User and Computer Authentication, Name Resolution, Trusts – DNS
  • 445 (TCP and UDP) – Replication, User and Computer Authentication, Group Policy, Trusts – SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc

Reference:

  • https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
    https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

DFS | Site Links, Server Target Prioritization & Reference Info

DFS Setup and Configuration Notes

I like DFS, the main issue I found is setting it up, tailoring it to your needs, debugging and configuring which can be a bit troublesome. I’ve spent a while trying to implement and tweak it for a large scale network (17 x Sites using DFS-N & DFS-R) I’ve list a number of articles/URLs which have proven useful on my DFS internet travels…


Continue reading

Windows Time Commands | Cheatsheet

Check time service is running (Local & Remote):

sc query w32time
sc \\HOSTNAME query w32time

Displays all local time information (Local & Remote):

w32tm /query /configuration
w32tm /query /configuration /computer:HOSTNAME

Display Windows Time service status (Local & Remote):

w32tm /query /status
w32tm /query /status /computer:HOSTNAME

Display Windows Time service source (Will return one line: local CMOS vs Server) (Local & Remote):

w32tm /query /source
w32tm /query /source /computer:HOSTNAME

Display a list of peers and their status:

w32tm /query /peers

Displays current time (local source)

Time /T

Resync local computer time against time server: (run on all servers, except time server)

w32tm /resync /rediscover 

Force local computer time to update against domain server (Local & Remote):

w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover w32tm /resync
w32tm /config /syncfromflags:domhier /update /computer:HOSTNAME
w32tm /resync /rediscover w32tm /resync

Start time server via CLI (Local & Remote)

net start w32time
SC \\HOSTNAME net start w32time

Restore Windows Time Service (if it has been broken)

net stop W32Time
w32tm /unregister
w32tm /register
net start W32Time
sc query W32Time

Set Time Update NTP source

@echo off
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist: 0.uk.pool.ntp.org
w32tm /config /reliable:yes
net start w32time
w32tm /query /peers
PAUSE

Event Viewer Error Message:

Event Type: Error 

Event Source: W32Time 

Event Category: None 
Event ID: 12

Description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

To resolve the eventID 12:

  • w32tm /register

Reference: 

DNS | Modify DNS entry CMD

Add/Remove a DNS record without the GUI

Add

dnscmd [ServerName] /recordadd [ZoneName] [NodeName] RRType&gt; &lt;RRData]
dnscmd UK-WDC01 /RecordAdd edwardsd.local UK-ESX01 A 192.168.1.5

Delete

dnscmd &lt;ServerName&gt; /recorddelete &lt;ZoneName&gt; &lt;NodeName&gt; &lt;RRType&gt; &lt;RRData&gt;[/f]
dnscmd UK-WDC01 /recorddelete edwardsd.local UK-ESX01 A 192.168.1.5

Reference: DNSCMD Examples

Windows Commands | Powershell

A few random PowerShell commands in Windows to help complete tasks:

Create New AD User:

New-ADUser -SamAccountName U1 -Name "User 1" -AccountPassword (ConvertToSecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true -Path 'OU=Test,DC=FABRIKAM,DC=COM'

Displays if “Desktop Experience” is installed:

Get-WindowsFeature *Desktop*

Installs “Desktop Experience” Feature:

Add-WindowsFeature Desktop-Experience

Remove Windows Patches

wusa /uninstall /kb:2952664

Clear all log entries
Although previous logs in event viewer can be helpful for diagnostics, I find old errors sometime cloud the current issues. In order to quickly clear all evertvwr logs entries you can use the following powershell command

wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}

Bypass code Execution

Usually if you get this error “PowerShell says “execution of scripts is disabled on this system.” the quick option is to bypass the execution policy:

Set-ExecutionPolicy Unrestricted

HP Microserver G1810T (Gen8) | Windows Server 2012 R2 Storage Drivers

My configuration of the HP Microserver G1810T uses all 4 x HDD disk bays (2 x RAID1) with 1 x HDD (2.5″) attached to the secondary SATA connector on the motherboard.
This 5th disk for the OS was configured under the controller options to use RAID0.

When installing Windows Server 2012 R2 for the first time you will need to specify the B120i controller drivers for Windows to be able to see the disk.
The driver can be downloaded from the HP Microserver webpage and is listed under the “Driver – Storage” section.

The ILO made it easy for me to install Windows remotely from my desktop and attaching virtual media (ISO) and folders. Continue reading

Enable ICMP (Ping) & WMI | CMD Line

Without enabling ICMP ping requests will not get a reply from the server.

Enable ICMP using “netsh firewall” (Old Method):

netsh firewall set icmpsetting 8

Enable ICMP using “netsh advfirewall” (New Method):

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Enable WMI using “netsh advfirewall” (New Method):

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Unable to Access DFS Share | Windows 7 Mapped Drives

Mapped network drive to DFS share is not allowing access.

“This operation is supported only when you are connected to the server”

If you try to remap the drive with different credentials the following error appears:

The network folder specified is currently mapped using a different username and password.

To connect using a different user name and password, first disconnect any existing mappings to this network share.

Looking in the EventVWR the following is logged:

EventID1004: Path \\Server\DFS transitioned to slow link with latency = 115 and bandwidth = 13265936

  • Rebooting doesn’t fix the issue
  • Remapping doesn’t fix the issue.
  • Entering the direct server UNC path allows full access (as it should)
  • Applied regedit to force Auto Reconnect to the server but still didn’t fix the issue.
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache]
"SilentForcedAutoReconnect"=dword:00000001

Fix:

In the end the really simple workaround was to “Disable Offline File Sync” and reboot the system. All working again!

“Control Panel -> Sync Centre ->  Manage offline files -> Disable Offline Files”

Reference:

http://blogs.technet.com/b/askds/archive/2011/12/14/slow-link-with-windows-7-and-dfs-namespaces.aspx
https://www.conetrix.com/Blog/post/Fixing-Problem-With-Windows-7-Shared-Files-and-Mapped-Drives-Unavailable-Over-VPN.aspx

Windows Backup | Adding Multiple External HDDs

Windows Backup can be configured to use multiple external hard drives as the target. This way you can setup a hard drive rotation system i.e. Mon: USB_HDD1, Tue: USB_HDD2, Wed: USB_HDD1

Ideally both HDDS (or more) need to be connected at the same time when you configure the backup from the GUI. If you do not have both HDDS connected this can be accomplished using the WBADMIN command line tool.

Locate the HDD identifier using “get disk” and add it to the job using “-addtarget”.

wbadmin get disks
WBADMIN ENABLE BACKUP -addtarget:{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

Reference:

PSEXEC | Remove File Share Remotely

Sometime it takes time to go and speak to a user, then stop what they are doing so you can make a change or tweak on their PC/Laptop so I like to do this in the background remotely without their knowledge (Hey! I’m an Admin that’s what I do)

PSEXEC has become a good friend for doing this!
I usually dump the “psexec” exe in the c:\Windows\System32 folder so I don’t have to change CMD paths. (Remember you need to run CMD as the user with access to the remote system for this to work)

Remove Share Remotely:

psexec \\PCNAME net share &lt;SHARENAME&gt; /delete

Map Drive Remotely:

psexec \\PCNAME net use S: \\SERVER\SHARE

RSAT Across Domains | Security database on the server does not have a computer account for this workstation trust relationship

Problem when trying to use RSAT to remotely administer a different domain.

“Security database on the server does not have a computer account for this workstation trust relationship”

There are numerous blog/forum posts regarding the cause of this error, however most are related to workstations on the local domain not being able to authenticate to the local DC. (The quick fix being to remove the network cable, login with the cached credentials and remove/readd the PC to the domain.

On this occasion I was trying to use RSAT to manage DHCP on an alternative domain. The connectivity is in place with a Non-Transitive Trust between Domain A and Domain B but I was trying to administer Domain C!

The really simple fix was to use the command line “runas /netonly” which allows MMC to run as an alternative user (in the destination domain) seamlessly “/netonly” allows you to run applications as a local user but authenticating over the network as another user.

runas /netonly /user:domain\username "mmc dhcpmgmt.msc /server=DC"

Note: On Windows Server 2008 holding the “shift” key and right clicking on MMC will not display the “runas” function as in Windows Server 2008 R2 or Windows 7. A quick workaround is to use the “ShellRunAs” Sysinternals tools. Simply drag and drop the exe/msc onto the tool and it will prompt to run with alternative credentials.

References: http://ss64.com/nt/runas.html