Getting a FSMO DC to start without replication

So you have just restored your domain controller so that you can do a recovery test or a real recovery, and you notice that the domain controller isn’t working. First off, you might even need to log on using Directory Services Restore Mode because, well, you just can’t get in. Then you notice all of those Event ID 2092 entries in the Active Directory log.



This is a security measure implemented by Microsoft to make sure that a domain controller that hosts a FSMO role won’t start that role without first checking whether another domain controller has seized it while the server was down. Consider the following:

  • We lose the current RID master (dc01)
  • We promote (seize) dc02 to RID master
  • We fix the server dc01

If the check wasn’t done, we could have two RID masters until the first replication with dc01 was completed. Since having more than one holder of a FSMO role online at the same time is BAD, this check is good, and it works most of the time.

So now you are thinking: well, my domain only has one domain controller, and it starts just fine, so? Well, Microsoft checks whether there are any replication partners; if there aren’t any, there is no need to check for replication.

RID pool depleted?

Whoa, what happened? I was about to install new software in my home domain that required a service account, so I tried to run New-ADServiceAccount. But I got:

So why does my domain leak like a sieve?

Let’s run dcdiag on it

Push a solid colored background to Windows Server 2012 or later

So I had a customer who requested that I change the background color for all users of an RDS solution. Well, that seems easy; let’s start by right-clicking the desktop and selecting Personalize. Whoa, it isn’t there: by default Windows Server does not include Desktop Experience. So let’s install it, just for fun. It’s not really needed.

I tried to create a reverse zone and all I got was this error message

So you read my earlier blog entry about creating reverse zones, and tried to create the 0, 127 or 255 zone. If you tried to create one of those zones on a Windows DNS server you should get the following error message: “The zone cannot be created. The zone already exists.”

Moving a fileshare on the same server

So I saw a question on Social Technet and decided to answer it. So how do I move a server share from one drive to another in the same computer?

First we need to have the data on the new location. I prefer to use robocopy with a minimum of /E /COPYALL.

To make sure nobody changes the data during the final copy, I suggest stopping the Server service. So now the data is migrated; what about the share? Since we know how to migrate shares between servers by dumping the registry, just changing the path is simple.

Dumping shares from the registry

Most people know that you can dump all shares on a server to a .reg file to be able to add them to another server.

Where does Windows store all the shares?

Windows stores the share information in the registry.

Registry LanmanServer Shares

So how can I easily export the shares to a file?

I’m a powersheller, isn’t there a cmdlet?

If you are fortunate enough to run Windows 2012 or later you have Get-SMBShare and Get-SmbShareAccess.

Get the shares back now then

If you have exported the share to a registry file, well, just reimport the .reg file and restart the Server service.

Well, if you are running 2012 or later on both the origin and destination server, you could build a simple script with New-CIMSession, Get-SMBShare, Get-SMBShareAccess and New-SMBShare.

What to remove in DNS to stop Client Access to Domain Controllers

So you want to get rid of a domain controller, but don’t want incidents with systems configured directly to that controller?

First off, start by disabling the dynamic registration of the domain controller in DNS. The easy way of doing that is by setting the registry value UseDynamicDns to 0.

Different methods of removing user profiles

Sometimes I see people removing user profiles by just going into Explorer, going to the SystemDrive\Users folder, and using Delete. Well, this worked perfectly on Windows 2003. But with the upgrades to the profiling system in Windows 2008 and later, this is a really bad idea.

There are 2 basic ways to remove user profiles in Windows today, and one for the special people.

Different ways of specifying Internet Explorer Zones

There are a few different ways of doing IE zones. I don’t like all of them, though. I have listed the most common ones and the way I like.

DFS Server registry configuration values

With a DFS server there are several configuration settings which need to be done in the registry. This blog entry is planned to be updated when I discover the use or values.

