Category Archives: Windows Server 2012

RSAT Across Domains | Security database on the server does not have a computer account for this workstation trust relationship

Problem when trying to use RSAT to remotely administer a different domain.

“Security database on the server does not have a computer account for this workstation trust relationship”

There are numerous blog/forum posts regarding the cause of this error; however, most relate to workstations on the local domain being unable to authenticate to the local DC. (The quick fix there is to remove the network cable, log in with cached credentials, and remove/re-add the PC to the domain.)

On this occasion I was trying to use RSAT to manage DHCP on an alternative domain. The connectivity is in place with a Non-Transitive Trust between Domain A and Domain B but I was trying to administer Domain C!

The really simple fix was to use the command line “runas /netonly”, which allows MMC to run as an alternative user (in the destination domain) seamlessly. “/netonly” runs the application as the local user but authenticates over the network as another user, so no trust with the destination domain is required for the credentials to be presented.

runas /netonly /user:domain\username "mmc dhcpmgmt.msc /server=DC"

Note: On Windows Server 2008, holding the “shift” key and right-clicking on MMC will not display the “Run as” option as it does in Windows Server 2008 R2 or Windows 7. A quick workaround is to use the “ShellRunAs” Sysinternals tool: simply drag and drop the exe/msc onto the tool and it will prompt to run with alternative credentials.

References: http://ss64.com/nt/runas.html

SubInACL & iCACLS

SUBINACL (SubInACL.exe)

SubInACL is an alternative command line tool to iCACLS that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

iCACLS

iCACLS example of modifying file permissions:

@echo off
REM ** /T = performs the operation on all matching files in the specified directory and its subdirectories.
REM ** /inheritance:e = enables inheritance of permissions from the parent folder.
REM ** :F = Full access, :M = Modify access (permission letter appended to the account name in /grant).
if exist "C:\Program Files (x86)" goto 64
icacls "%ProgramFiles%\Folder" /inheritance:e /grant "MyDomain\Domain Users":M /T
goto next
:64
icacls "%ProgramFiles(x86)%\Folder" /inheritance:e /grant "MyDomain\Domain Users":M /T
:next
pause
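The same grant as the batch file above, followed by the check a practitioner would want afterwards: an audit that the group ended up with Modify and not Full Control. This is an added PowerShell example, not code from the original post; the folder name "Folder" and the group "MyDomain\Domain Users" are placeholders taken from the batch file.

```powershell
# Added example (not from the original post): grant Modify to a group on the
# architecture-appropriate Program Files folder, then audit the resulting ACL.
# Assumptions: "Folder" and "MyDomain\Domain Users" are placeholders, as in the batch file.
$Group  = "MyDomain\Domain Users"
$Folder = "Folder"

# Same branch as the batch file: on 64-bit Windows use the (x86) Program Files path.
$Base = if (Test-Path "C:\Program Files (x86)") { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$Path = Join-Path $Base $Folder

# Grant Modify recursively (/T) with inheritance enabled (/inheritance:e);
# icacls is still the tool doing the work, exactly as in the batch file.
& icacls.exe $Path /inheritance:e /grant "${Group}:M" /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Audit: return every Allow ACE that gives the group Full Control. Modify already
# covers read/write/delete; Full Control additionally allows changing permissions
# and taking ownership, which is the over-grant worth catching.
function Get-FullControlAce {
    param([string]$Path, [string]$Identity)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
}

$over = Get-FullControlAce -Path $Path -Identity $Group
if ($over) {
    Write-Warning "$Group holds Full Control on $Path; expected Modify only."
} else {
    Write-Output "$Group has no Full Control ACE on $Path."
}
```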

AD LDAP Attributes | Common Entries

List of common LDAP AD fields which can be used with “DSQuery” or other tools which look up AD objects.

csvde -m -f c:\DSQueryUsers.csv -d "OU=Users,OU=UK,DC=domain,DC=local" -r "(&(objectClass=*)(mail=*))" -l displayName,userPrincipalName

In order to simplify the process of creating LDAP queries you can use the SysInternals “Active Directory Explorer” tool to help with this process.

See below for the table:


Adding “Trusted Sites” to IE10 | Regedit | BAT | GPO

I’ve been looking for a simple method to add trusted sites into Internet Explorer 10 since they removed the “Internet Explorer Maintenance” (“The Internet Explorer Maintenance (IEM) snap-in is replaced by the Internet Explorer 10 preference extension”) options from the Server 2012 GPO.

Unfortunately a number of the methods for “adding trusted sites” prevent the local user from being able to customise the list with any additional sites. The method below is the quickest I have found to add a site to the “trusted sites” whilst still allowing user customisation. The following will add “work.edwardsd.co.uk” to the trusted sites list:

*.BAT File Method:

REM See http://technet.microsoft.com/en-us/library/cc732643.aspx for Reg Commands/Switches
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\edwardsd.co.uk\work" /v "http" /t REG_DWORD /d 00000002 /f

*.REG Method:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\edwardsd.co.uk\work]
"https"=dword:00000002

Note: The dword number represents the zone the site is placed in:

  • 1: Intranet sites ("https"=dword:00000001)
  • 2: Trusted Sites ("https"=dword:00000002)
  • 3: Internet ("https"=dword:00000003)
  • 4: Restricted Sites ("https"=dword:00000004)

GPO Method:
The alternative option would be to use a GPO, usually my preference; however, I found this a little more complex so opted for the *.BAT option. This is a top site for GPO guides: GPO to configure IE zones sites (remember that if you use this method the users can’t make changes themselves, but it is great for a controlled environment).
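The per-user ZoneMap mechanism described above, as an added PowerShell example that is not code from the original post. It goes beyond the single site in the post: any domain/host, scheme and zone number can be written and read back by zone name, and it reports whether the “Site to Zone Assignment List” policy is in force (that policy stores its list under the ZoneMapKey policy path assumed below and, as the post notes, takes the choice away from the user).

```powershell
# Added example (not from the original post): write the same per-user ZoneMap entry the
# .BAT/.REG methods use and read it back by zone name.
# Assumptions: the Domain/SubDomain split (edwardsd.co.uk + work) is supplied by the caller,
# matching the key layout in the post; the policy path is only inspected, never written.
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PolicyMap = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Set-IEZoneMapping {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,          # e.g. edwardsd.co.uk
        [string]$SubDomain = '',                               # e.g. work (empty = whole domain)
        [ValidateSet('http','https','*')][string]$Scheme = 'https',
        [ValidateRange(1,4)][int]$Zone = 2
    )
    $key = Join-Path $ZoneMap $Domain
    if ($SubDomain) { $key = Join-Path $key $SubDomain }
    # Per-user key: users keep the ability to add their own sites alongside this one.
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
}

function Get-IEZoneMapping {
    param([string]$Domain, [string]$SubDomain = '', [string]$Scheme = 'https')
    $key = Join-Path $ZoneMap $Domain
    if ($SubDomain) { $key = Join-Path $key $SubDomain }
    $value = (Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
    if ($null -eq $value) { return 'not mapped' }
    $ZoneNames[[int]$value]
}

# Same entry the post adds: https://work.edwardsd.co.uk -> Trusted Sites (2).
Set-IEZoneMapping -Domain 'edwardsd.co.uk' -SubDomain 'work' -Scheme 'https' -Zone 2
Get-IEZoneMapping -Domain 'edwardsd.co.uk' -SubDomain 'work' -Scheme 'https'

# Caveat from the post: when the GPO "Site to Zone Assignment List" is in force the policy
# list wins and users cannot edit zones; this only reports whether that list is present.
if (Test-Path $PolicyMap) {
    Write-Warning "Site to Zone Assignment policy is active; per-user ZoneMap entries are overridden."
}
```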

Enabling the “Contact Linking Field” in Outlook 2007/2010/2013

The “Contact linking field” isn’t always displayed by default in Outlook:

To display the “contacts” selection box for an “event” in Outlook 2007

Tools > Options > Contact Options > "Show Contact Activity Information on All Forms"


HP Proliant Microserver | AMD RAIDXpert RAID Rebuild

I recently developed a few faults with a Windows Server 2008 R2 install running on my HP Proliant Microserver.
A number of posts and articles suggested the fault may be the result of a faulty HDD, therefore I ran a series of disk checks and applications to verify. Unable to locate any faults, I opted to remove both 2TB HDDs (configured in RAID1) so that I could dock them in another workstation and run through some more thorough checks.
Strangely, as a result of removing the HDDs the Windows “BSOD” and crashing did stop; however, I was still unable to locate any errors on the HDDs.

Rather than installing both HDDs back in the system, I thought it best to only reinstall one HDD in order to fault find, therefore breaking the RAID. Once happy that the fault was corrected (never found out the issue), I started the RAID1 rebuild process using the following steps.


List “Dynamic Distribution Group” members | EMC PowerShell

If you need to get a list of AD users in “Dynamic Distribution Groups” then you can use this PowerShell script… here. The only problem is that the script does not export details of Dynamic Distribution Groups.

You can list DDG users by running this script using the Exchange Management Shell (EMC):

$Group = Get-DynamicDistributionGroup -Identity "Staff-UK"
Get-Recipient -Filter $Group.RecipientFilter -OrganizationalUnit "domain.com/UK_Users_OU/Branch_Users" | Out-File c:\Staff-UK.txt

“Migrating GPOs Across Domains with GPMC”

I’ve recently updated my Windows Server 2008R2 system to Windows Server 2012. Windows Server 2012 was a fresh install using a different domain name on a new system. My intention was to manually migrate all data from the existing 2008R2 server into the new domain; this included Hyper-V VMs, DHCP and GPOs. There is the option of using ADMT, however I required a clean install.

These are the steps I took in order to migrate GPOs from the source server to the destination server with a different domain name.

(Although this was completed from a 2008R2 to 2012 server, the first set of screenshots were created on the new 2012 server for this guide.)


Source WS2008R2: Back up the existing GPOs from the GPMC; you need to ensure that the “Group Policy Objects” container is selected for the “Back Up All” option to be available.


WBAdmin | Daily Backup and Restore via Schedule

I’ve been working with Windows Backup. One downside of this in Windows 2008 is that you can’t schedule a routine backup job to a network device. A workaround is to use a scheduled task and the WBAdmin tool.

Scheduled Task: (Create a scheduled task and use the following switches)

wbadmin start backup -backuptarget:\\server\backup$\ -vssFull -allCritical -quiet

This command will backup the entire drive including a system image. I don’t think the “allcritical” will work if you then specify items to exclude.

Show Backups Running:

Wbadmin get status

Full list of switches: cc742083


TS/RDS Renaming “Remote Desktop Services Default Connection”

Updating “Remote Desktop Services Default Connection” text

Server 2008 R2
Edit the entry in the RDWebAccess.Config file.
C:\Windows\Web\RDWeb\App_Data\RDWebAccess.Config (Default location)

Server 2012 (Powershell):

Syntax: Set-RDWorkspace [-Name] <String> [-ConnectionBroker <String>]

Example:

set-RDWorkspace -Name "My Remote Desktop Name here BLAH BLAH"

Adding “Remote Desktop” icon to the Remote Apps list: 

Click on Parameters and select “Always use the following command-line parameters”. Type the following in the text box: /v:<FQDN of the RDSH server>

References: