showing posts tagged with 'windows'
by lunarg on August 31st 2015, at 11:45
PowerShell can also handle queries through WMI, allowing you to retrieve all kinds of system information from local and remote systems running Windows. This includes information about volumes, logical drives and shares.

For this to work on remote systems, you need to have Remote Management enabled. Starting from Server 2012, this is already enabled by default.

The commands use the Get-WmiObject cmdlet to retrieve the information. If no computer name is specified, the information will be retrieved from the system running the cmdlet. In order to connect to a remote system, run the cmdlet while specifying the computer name of the remote host with the -ComputerName parameter.

For example, t  ...
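As an added example (not code from the original post), the following function puts the three WMI classes the post is about behind one cmdlet-style wrapper: it queries Win32_LogicalDisk, Win32_Volume and Win32_Share with Get-WmiObject, locally by default or on remote hosts via -ComputerName, and flags which shares are the built-in administrative ones so that anything else stands out in an inventory. It assumes the caller has administrative rights on the targets and that Remote Management is reachable, as the post requires; the host names in the usage line are placeholders.

```powershell
# Added example: storage and share inventory over WMI for one or more Windows hosts.
# Assumes admin rights on each target and that WMI/DCOM (Remote Management) is reachable.

function Get-StorageInventory {
    [CmdletBinding()]
    param(
        # Hosts to query; defaults to the local machine, exactly like Get-WmiObject itself.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        try {
            # Win32_LogicalDisk: drive letters, drive type, size and free space
            $disks   = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $computer -ErrorAction Stop
            # Win32_Volume: also covers mount points and volumes without a drive letter
            $volumes = Get-WmiObject -Class Win32_Volume -ComputerName $computer -ErrorAction Stop
            # Win32_Share: every share, including the hidden administrative ones (C$, ADMIN$, IPC$)
            $shares  = Get-WmiObject -Class Win32_Share -ComputerName $computer -ErrorAction Stop
        }
        catch {
            # A host that is offline or refuses the connection should not abort the whole run
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        foreach ($d in $disks) {
            [pscustomobject]@{
                Computer = $computer
                Kind     = 'LogicalDisk'
                Name     = $d.DeviceID
                Detail   = switch ($d.DriveType) {
                               3 { 'Local disk' } 4 { 'Network drive' } 5 { 'CD-ROM' }
                               default { "DriveType $($d.DriveType)" }
                           }
                SizeGB   = if ($d.Size)      { [math]::Round($d.Size / 1GB, 1) }      else { $null }
                FreeGB   = if ($d.FreeSpace) { [math]::Round($d.FreeSpace / 1GB, 1) } else { $null }
            }
        }

        foreach ($v in $volumes) {
            [pscustomobject]@{
                Computer = $computer
                Kind     = 'Volume'
                # Volumes without a letter only have a \\?\Volume{GUID}\ name; show the label if there is one
                Name     = if ($v.DriveLetter) { $v.DriveLetter } else { $v.Name }
                Detail   = "$($v.FileSystem) $($v.Label)".Trim()
                SizeGB   = if ($v.Capacity)  { [math]::Round($v.Capacity / 1GB, 1) }  else { $null }
                FreeGB   = if ($v.FreeSpace) { [math]::Round($v.FreeSpace / 1GB, 1) } else { $null }
            }
        }

        foreach ($s in $shares) {
            # Win32_Share.Type has bit 0x80000000 set for the administrative shares;
            # shares without that bit were created by someone and deserve a second look.
            $isAdminShare = ($s.Type -band 0x80000000) -ne 0
            [pscustomobject]@{
                Computer = $computer
                Kind     = if ($isAdminShare) { 'AdminShare' } else { 'Share' }
                Name     = $s.Name
                Detail   = $s.Path
                SizeGB   = $null
                FreeGB   = $null
            }
        }
    }
}

# Usage (placeholder host names):
# Get-StorageInventory -ComputerName 'server01', 'server02' | Format-Table -AutoSize
# Get-StorageInventory | Where-Object Kind -eq 'Share'     # only non-administrative shares
```

Because every row is a PSCustomObject with the same properties, the output can be piped straight into Where-Object, Sort-Object or Export-Csv, which is the usual way to turn a one-off query like this into a recurring share inventory.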
by lunarg on August 24th 2015, at 16:20
Occasionally (usually once a year), you may have to renew your SSL certificate of your Active Directory Federation Services server, used for your Office 365 Single Sign-On setup. In past versions, this was done quite easily through IIS. However, since 2012 R2 (a.k.a. ADFS 3.0), ADFS no longer uses IIS and it gets a little bit more complicated.

Outlined in this short article are the steps you need to do in order to renew or replace your SSL certificate on a Windows 2012 R2 server, running ADFS 3.0.

First, renew or request a new SSL certificate through your Certificate Authority (such as GoDaddy, Enom, etc.). How to do this depends greatly on the CA. As ADFS on 2012 R2 no longer uses IIS, yo  ...
by lunarg on August 24th 2015, at 16:09
Certain Certificate Authority providers, such as GoDaddy, allow you to renew an SSL certificate using the same CSR and private key. This greatly simplifies the procedure to renew a certificate, but it can also complicate things if you don't have your private key readily available.

On a server running ADFS 3.0 for instance, you do not have IIS available to allow an easy SSL certificate renewal (or even a request). Or perhaps, you lost the current private key, or it is located somewhere where it's not easily accessible.

Luckily, there's a fairly easy way to extract the private key from the previous SSL certificate on your Windows server. By using the Windows Certificate store functionality   ...
by lunarg on July 17th 2015, at 14:01
When you create a Windows Server 2012 failover cluster, the following event may be logged in the System log:

Event ID 1222 (Microsoft-Windows-FailoverClustering)
The computer object associated with cluster network name resource could not be updated. Unable to protect the Virtual Computer Object (VCO) from accidental deletion.

When a failover cluster or a cluster role is created, a computer account (a so-called Cluster Name Object (CNO)) is created in Active Directory. Since Server 2012, these objects are flagged to prevent accidental deletion. If the main cluster resource (also a computer account) does not have the required permissions on the OU containing the CNOs (by default, this is the   ...
by lunarg on July 9th 2015, at 09:31

Based on recommendations and best practices from Microsoft, and information I found here, I compiled a FSMO placement scenario for 2 domain controllers:

Roles, divided between DC1 and DC2:

  • PDC Emulator
  • RID Master
  • Infrastructure Master
  • Schema Master
  • Domain Naming Master
  • Global Catalog

Also, if your domain is top-level in the AD forest, configure DC1 to sync with external time sources.

by lunarg on July 8th 2015, at 16:55

To safely remove a node from a Windows 2003 Fail-Over Cluster, follow these steps:

  1. First, using Cluster Administrator, move all roles to the other nodes in the cluster.
    There should be no more roles, including the quorum, running on the node.
  2. In Cluster Administrator, right-click the node and click Stop Cluster Service. (Skip this step if it is the last node of the cluster.)
  3. Still in Cluster Administrator, right-click the node and click Evict node. This will remove the node from the cluster.
  4. Optionally, you can now remove the Fail-Over cluster components from the server.
by lunarg on July 3rd 2015, at 15:46
Active Directory uses Kerberos for authentication, which relies strongly on the date and time of day being synchronised across the entire network and all devices in it. By default, each server and client joined to the AD, including domain controllers, follows the domain hierarchy to sync its time. Domain controllers automatically determine whether they can be used as a (reliable) time source. Once a DC considers itself a time source, it accepts requests from clients and provides them with its own current time.

Domain controllers at the top of the forest (top-level DCs) don't have another server above them to sync against, so they can either opt to sync   ...
by lunarg on July 2nd 2015, at 13:29
Contacting a domain controller in Active Directory is done through DNS lookup. Several DNS SRV records are used to find domain controllers in a site. If multiple domain controllers are present in the same site, the client will arbitrarily select one, based on the contents of those records.

By default, the selection is random, and all DCs have an equal chance of being picked. The inherent properties of SRV records allow this behaviour to be influenced by changing the weight and priority of those records. This enables fine-tuning and configuration of which DC to favour or even exclude. By default, all SRV records (thus, all DCs) have their weight and priority set to 0.

The weight defines  ...
by lunarg on June 29th 2015, at 13:00
Microsoft's recommendations for customizing the default start screen for new users are known to be somewhat over-complicated and perhaps difficult to implement. They involve editing the reference image, using unattend.xml, or some other elaborate procedure. There's also the possibility of using a group policy to provide users with a customized start screen, but while this is relatively easy to implement, it does not allow the user to change the layout afterwards.

Fortunately, there's a far easier method, involving two Powershell cmdlets that provide us with a very easy way to provide new users with a default customized start screen, but still allow the users to make changes to it. This metho  ...
by lunarg on June 26th 2015, at 12:01
When attempting to trigger an AD replication from one DC to another using Active Directory Sites and Services or repadmin.exe, you may get the following error:

AD Replication error 8452:
"The naming context is in the process of being removed or is not replicated from the specified server."

The most common cause for this error is that you tried to replicate between DCs for which no DS replication connection exists. The replication attempt will therefore fail. As a workaround, try replicating to the target DC from another source DC, or create a new replication connection between the target and source DCs.

Open Active Directory Sites and Services.

In the tree to the left, locate t  ...
by lunarg on June 26th 2015, at 11:25

Active Directory (AD) integrated DNS zones are not replicated by the DNS server itself, but through the Active Directory replication mechanism, using the same settings as AD replication.

You can trigger replication through Active Directory Sites and Services, or with repadmin.exe on command prompt:

repadmin.exe /replicate target_dc source_dc DC=DomainDnsZones,DC=domain,DC=com

Replace parameters accordingly:

  • target_dc is the DC to replicate to
  • source_dc is the DC to replicate from
  • Edit the naming context so it matches your domain's FQDN, e.g. contoso.co.uk becomes DC=contoso,DC=co,DC=uk
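As an added example (not code from the original post), the following PowerShell wrapper performs the last substitution for you: it turns a domain FQDN into the DC=...,DC=... naming context, prepends the DomainDnsZones partition (and optionally ForestDnsZones), and runs repadmin.exe exactly as shown above, checking the exit code of each run. The DC names and the domain in the usage line are placeholders.

```powershell
# Added example: trigger replication of the AD-integrated DNS partitions with repadmin.exe.
# Assumes repadmin.exe (RSAT / AD DS tools) is on the PATH and the caller may replicate.

function ConvertTo-DomainDN {
    param([Parameter(Mandatory)][string]$Fqdn)
    # contoso.co.uk -> DC=contoso,DC=co,DC=uk
    ($Fqdn.Trim('.').Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

function Invoke-DnsZoneReplication {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TargetDC,     # DC to replicate to
        [Parameter(Mandatory)][string]$SourceDC,     # DC to replicate from
        [Parameter(Mandatory)][string]$DomainFqdn,   # e.g. contoso.co.uk (placeholder)
        [switch]$IncludeForestZones
    )

    $domainDN   = ConvertTo-DomainDN -Fqdn $DomainFqdn
    $partitions = @("DC=DomainDnsZones,$domainDN")
    if ($IncludeForestZones) {
        # ForestDnsZones hangs off the forest root domain, so this only makes sense
        # when $DomainFqdn is the forest root.
        $partitions += "DC=ForestDnsZones,$domainDN"
    }

    foreach ($nc in $partitions) {
        Write-Verbose "repadmin.exe /replicate $TargetDC $SourceDC $nc"
        & repadmin.exe /replicate $TargetDC $SourceDC $nc
        if ($LASTEXITCODE -ne 0) {
            # repadmin returns non-zero on failure (e.g. error 8452 when no connection object exists)
            Write-Warning "Replication of $nc from $SourceDC to $TargetDC failed (exit code $LASTEXITCODE)"
        }
    }
}

# Usage (placeholder names):
# Invoke-DnsZoneReplication -TargetDC dc2 -SourceDC dc1 -DomainFqdn contoso.co.uk -Verbose
```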
by lunarg on June 25th 2015, at 09:07

During start up or log on, once in a while, you'll see a message just saying Please wait. To turn this message into a more useful message, you can enable verbose messages through a policy setting (local or GP):

Either through gpedit.msc, or, if you're in a domain, through a GPO, navigate to Computer Configuration > Administrative Templates > System. Look for the setting Display highly detailed status messages and set it to Enabled. Reboot to apply the change.

by lunarg on June 24th 2015, at 13:07
With dcpromo.exe now being deprecated on 2012 and 2012 R2, it is no longer obvious which method to use to demote a domain controller. Although you could resort to PowerShell to get it done, there's also a way to demote using Server Manager, albeit not a very clear one.

The trick is to attempt to remove the Active Directory Domain Services role from the server, using Server Manager. When you do remove this, you will be prompted to demote the domain controller before the role can be removed, along with a link to actually perform this task.

Start Server Manager. In the upper right corner, click Manage, then click Remove Roles and Features.

Continue in the wizard that appears, making sure th  ...
by lunarg on June 22nd 2015, at 10:29
The HP Network Config Utility provides advanced network configuration tasks for HP servers. It allows you to set up NIC teaming, VLANs and more.

Uninstalling this software (e.g. after a P2V) is not possible through Control Panel (Add/Remove Programs) because it's not in the list like other HP software components. The only way to uninstall HP Network Config Utility is through a NIC's properties:

Open the network properties for any Ethernet NIC (doesn't matter which one).

In the This connection uses the following items: box (where you also set up IPv4/v6 settings), you'll see the HP Network Configuration Utility.

Select (click) it, then click the Uninstall button. At the following prompt, click  ...
by lunarg on June 19th 2015, at 09:40
This article contains a list of download links for the offline/standalone installers for .NET Framework. Each major version is listed, along with the OSes supported by that version.

To install, open the main download for the desired version, select your language, download the main file and run the installer.

For releases that have separate language packs: first download and install the main file. After the installation, click the download link for the language pack, select the preferred language, then download and install that file. You can install more than one language pack on a MUI system.

Version Download links OS requirements .NET Framework 4.6 RC   ...
by lunarg on June 17th 2015, at 14:33
Angry IP Scanner is a very fast, lightweight IP scanner. It has been around for a long time already, and is used by many IT professionals to help accomplish tasks. Although version 3 of the program has been available for some time now, I still like to use the old version (version 2), simply because it works on every system without the need for Java (version 3 requires Java, unfortunately).

Version 3 comes with an installer available as a download. Version 2 does not, and although it has the built-in ability to create shortcuts if the user chooses to, I rather prefer a proper installer, with proper uninstallation support, in short: the Windows-way. As no such installer exists, I decided to create my   ...
by lunarg on June 15th 2015, at 11:54
When running multiple scripts in a session, which use and add the same snap-in using Add-PSSnapin, only the first one succeeds. Subsequent attempts to add the same snap-in will result in an error:

Error
Cannot add Windows PowerShell snap-in My.SnapIn because it is already added. Verify the name of the snap-in and try again.

You can resolve this issue by enclosing it in the following if-statement:

if ( (Get-PSSnapin -Name My.SnapIn -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSSnapin My.SnapIn
}

It (silently) checks for the presence of the requested snap-in. If it is not loaded (i.e. the check returns $null), it loads the snap-in.

Note: replace My.SnapIn with whatever snap-in you   ...
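As an added example (not code from the original post), the following function generalises the if-statement above to a list of snap-ins: each one is loaded only if it is not already in the session, and a snap-in that is not even registered on the machine is reported instead of producing the raw Add-PSSnapin error. The snap-in names in the usage line are placeholders.

```powershell
# Added example: load snap-ins idempotently, so scripts sharing a session can each call it.
# Snap-ins only exist in Windows PowerShell (5.1 and earlier); PowerShell 7 uses modules.

function Add-PSSnapinIfMissing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Name
    )

    process {
        foreach ($snapin in $Name) {
            # Same check as the post: a loaded snap-in returns an object, otherwise $null
            if (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue) {
                Write-Verbose "$snapin is already loaded; skipping"
                continue
            }

            # -Registered lists snap-ins installed on this machine but not yet added to the session
            if (-not (Get-PSSnapin -Name $snapin -Registered -ErrorAction SilentlyContinue)) {
                Write-Warning "$snapin is not registered on this machine; install it before use"
                continue
            }

            try {
                Add-PSSnapin -Name $snapin -ErrorAction Stop
                Write-Verbose "$snapin loaded"
            }
            catch {
                Write-Warning "Failed to load $snapin : $($_.Exception.Message)"
            }
        }
    }
}

# Usage (placeholder snap-in names):
# Add-PSSnapinIfMissing -Name 'My.SnapIn', 'My.OtherSnapIn' -Verbose
# 'My.SnapIn' | Add-PSSnapinIfMissing
```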
by lunarg on June 12th 2015, at 13:14
Attached to this article are scripts to configure proxy settings for Internet Explorer (all versions). As Google Chrome uses the IE proxy settings, they can be used for that browser as well. I know there are other, far better methods for configuring proxy settings for clients, but read on to see why they were not usable in this particular case.

I ran into a customer where they were still using Internet Explorer Maintenance in their group policies to configure proxy settings for their clients. As a result, all users who got more recent computers did not get the proxy settings, as they were running Internet Explorer 10 or newer. Starting from IE10, configuration of  ...
by lunarg on June 10th 2015, at 16:04

When demoting a 2003 domain controller using dcpromo, you may run into the following error:

Error
The operation failed because:

Failed to configure the service NETLOGON as requested

"The wait operation timed out"

The error message is quite misleading, as the real cause has nothing to do with NETLOGON but is in fact a DNS issue. You will most likely have the server's primary DNS pointing to itself, using the loopback address (127.0.0.1) or its own IP address.

You can correct the issue by pointing the server's DNS at the remaining domain controllers, and removing any DNS entry pointing to itself (i.e. the loopback address or any other IP owned by the server being demoted).

by lunarg on June 10th 2015, at 14:29

There are two ways to see which Certificate Authority servers exist in your AD domain.

1. Check the Cert Publishers group

The AD group Cert Publishers contains the servers that are permitted to publish certificates to AD. As a consequence, this group will contain all servers that are CAs.

2. Use certutil

You can use the certutil command to view (and select from) a list of CAs in the current AD domain:

certutil -config - -ping

Note: type the command as-is, including all spaces and hyphens.

A window will appear, listing the CA name and the server it runs on.
