Convenience rollup KB3125574 with bonus powershell [W7 & W2K8R2]

So Microsoft has released a convenience rollup that contains loads of updates.

There are a few issues, especially one connected to vNICs. So they also released a small VBScript to help remove the offending parts from the registry.
But I hate VBScript and love PowerShell so I rewrote it. It went from 30 lines to 8. I know I can squeeze it into 2 without losing too much readability, but I like it like that.

You can find information about the update at KB3125574. The download is available through the Microsoft Update Catalog (requires IE).

Getting a FSMO DC to start without replication

So you have just restored your domain controller, either for a recovery test or a real recovery, and you notice that the domain controller isn't working. First off, you might even need to log on using Directory Services Restore Mode, because you just don't get in. Then you notice all of those Event ID 2092 entries in the Active Directory log.

[Screenshot: Event ID 2092 in the Active Directory log on Windows 2012 R2]

[Screenshot: Event ID 2092 in the Active Directory log on Windows 2008 R2]

This is a security measure implemented by Microsoft: a domain controller that hosts a FSMO role will not start that role without first checking whether another domain controller seized the role while the server was down. Consider the following:

  • We lose the current RID master (dc01)
  • We promote (seize) dc02 to RID master
  • We fix the server dc01

If this check wasn't done we could have two RID masters until the first replication with dc01 completed. Having more than one holder of a FSMO role online at the same time is BAD, so this check is good and works most of the time.

So now you are thinking: well, my domain only has one domain controller, and it starts just fine, so?? Well, Microsoft checks whether there are any replication partners; if there aren't, there is no need to check for replication.


RID pool depleted?

Whoa.. What happened.. I was about to install new software in my home domain that required a service account, so I tried to run New-ADServiceAccount.. But I got:

So why does my domain leak like a sieve?

Let's run dcdiag on it.


Don't forget to create a GPO Central Store

It doesn't matter if your domain is new or old. If the servers are Windows 2008 or later you could and should use the Central Store. I have seen both new and upgraded domains that don't use the concept of the Central Store.

What is the Central Store

In older versions of Windows you copied the administrative templates into each GPO. With Windows 2008 and later you don't need to, nor should you. The Central Store is a directory in SYSVOL that all servers can read, so multiple policies share the same set of files in the new .admx format.

I checked, I don't have the Central Store and it works anyway

Well yes, all Windows machines of the same level have a copy of the same policies in the C:\Windows\PolicyDefinitions directory. But that gives different information depending on which client you used to edit the policy. By creating the central GPO store we make sure that all clients use the same .admx files.

How do I create a Central Store then?

Just copy the C:\Windows\PolicyDefinitions directory, with its subfolders, to \\domain.fqdn\sysvol\domain.fqdn\policies\. It's as simple as that.
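The copy step above as a script, with the two checks worth doing afterwards: that a newer set of templates already in the store is not downgraded, and that every .admx has its .adml in each language folder. This is an added example, not the post's own code; the domain name corp.example is an assumption, and it must run as a Domain Admin.

```powershell
# Added example (not from the original post): create the Group Policy
# Central Store from the local PolicyDefinitions directory and verify it.
# Assumes: domain corp.example (placeholder), run as a Domain Admin.
$domain = 'corp.example'
$source = 'C:\Windows\PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (Test-Path $store) {
    Write-Warning "Central store already exists; only newer files will be copied."
}

# Mirror the .admx files plus every language subfolder (.adml).
# /XO skips files that are already newer in the store, so templates copied
# from a newer OS are not overwritten by an older client's copy.
robocopy $source $store /E /XO /R:2 /W:5 /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Verify: each .admx in the store should have a matching .adml per language folder,
# otherwise the Group Policy editor cannot display that template in that language.
$admx  = Get-ChildItem $store -Filter *.admx
$langs = Get-ChildItem $store -Directory
foreach ($lang in $langs) {
    $missing = $admx | Where-Object {
        -not (Test-Path (Join-Path $lang.FullName ($_.BaseName + '.adml')))
    }
    if ($missing) {
        Write-Warning "$($lang.Name): missing .adml for $($missing.BaseName -join ', ')"
    }
}

# Classic .adm files left inside individual GPOs are what the Central Store
# replaces; list them so they can be reviewed (nothing is deleted here).
Get-ChildItem "\\$domain\SYSVOL\$domain\Policies" -Recurse -Filter *.adm |
    Select-Object FullName

"{0} .admx files and {1} language folders in the central store" -f $admx.Count, $langs.Count
```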

For more information see How to Implement the Central Store for Group Policy Admin Templates, Completely (Hint: Remove Those .ADM files!)

Setting up alternative names for a computer

So a friend of mine had a problem: they were not able to access a Windows server using a CNAME they had created for the computer.

So what is wrong with this picture? Well, using a CNAME is as bad as using an IP: AD does not know about this name. There are so many more things that you need to fix.

There are a few solutions, some simpler than others.

Using netdom

Reboot the computer to make it all work.

OptionalNames for Server service [SMB]

By altering OptionalNames (you might need to create it) under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, you can make the Server service accept other names for the machine. Remember that the type of OptionalNames needs to be Multi-String Value (REG_MULTI_SZ).

SPNs (Service Principal Name)

You can also manually edit the SPNs for the server, so that Kerberos authentication to IIS and other services works under the alternative name.
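The OptionalNames and SPN steps from the two sections above as one script, added here as an example rather than taken from the post. It assumes the alias fileshare in the domain corp.example (both placeholders), an elevated PowerShell on the server itself, and the ActiveDirectory module from RSAT; the value-type check and the duplicate-SPN check are the two things that usually go wrong.

```powershell
# Added example (not from the original post): register an alternative computer
# name for the Server service (OptionalNames) and for Kerberos (SPNs).
# Assumes: alias "fileshare" in domain corp.example (placeholders), elevated
# PowerShell on the server, RSAT ActiveDirectory module installed.
$alias   = 'fileshare'
$fqdn    = "$alias.corp.example"
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

# 1. Server service: OptionalNames must be REG_MULTI_SZ. Merge with any
#    existing entries instead of overwriting someone else's aliases.
$existing = (Get-ItemProperty -Path $regPath -Name OptionalNames -ErrorAction SilentlyContinue).OptionalNames
$names = @($existing) + @($alias, $fqdn) | Where-Object { $_ } | Select-Object -Unique
if ($null -eq $existing) {
    New-ItemProperty -Path $regPath -Name OptionalNames -PropertyType MultiString -Value $names | Out-Null
} else {
    Set-ItemProperty -Path $regPath -Name OptionalNames -Type MultiString -Value $names
}
# A REG_SZ named OptionalNames is ignored, so verify the value kind explicitly.
$kind = (Get-Item $regPath).GetValueKind('OptionalNames')
if ($kind -ne 'MultiString') { throw "OptionalNames is $kind, expected MultiString" }

# 2. Kerberos: add HOST SPNs for the alias to this computer's account so a
#    client connecting to \\fileshare gets a ticket instead of NTLM fallback.
Import-Module ActiveDirectory
$computer = $env:COMPUTERNAME
foreach ($spn in "HOST/$alias", "HOST/$fqdn") {
    # A duplicate SPN on another account breaks Kerberos for both, so refuse it.
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($owner -and $owner.Name -ne $computer) {
        throw "$spn is already registered on $($owner.DistinguishedName)"
    }
    if (-not $owner) {
        Set-ADComputer -Identity $computer -ServicePrincipalNames @{Add = $spn}
    }
}

# The post recommends a reboot; restarting the Server service also makes it
# re-read OptionalNames. Kerberos clients pick up the new SPNs on next logon.
Restart-Service LanmanServer -Force
```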

Keys for Windows and Office

I was trying to find the Office 2013 keys and all I found was the Windows ones. So here are the links to the key pages at Microsoft.

The keys I use the most at the moment

Software                          KMS Client Setup Key
2012 R2 Datacenter                W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9
2012 R2 Standard                  D2N9P-3P6X9-2R39C-7RTCD-MDVJX
2012 R2 Standard AVMA             DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
Windows 10 Professional           W269N-WFGWX-YVC9B-4J6C9-T83GX
Windows 10 Enterprise             NPPR9-FWDCX-D2C8J-H872K-2YT43
Windows 10 Enterprise 2015 LTSB   WNMTR-4C88C-JK8YV-HQ7T2-76DF9
Windows 8.1 Enterprise            MHF9N-XY6XB-WVXMC-BTDCT-MKKG7

Links


Acronyms

Acronym   Full name
AVMA      Automatic Virtual Machine Activation
VLK       Volume License Key
GVLK      Generic Volume License Key
MAK       Multiple Activation Key
KMS       Key Management Services

Remote Desktop IP Virtualization networking adapter

So I was setting up Remote Desktop IP Virtualization for a customer. Since Microsoft removed the TS configuration console (TSConfig.msc) with Windows 2012, how do I do the configuration now? Well, one way that you could have used before too is a GPO; this also has the benefit that all servers will be configured the same.

So when I was configuring the GPO setting I noticed this small gotcha:

This policy setting specifies the IP address and network mask that corresponds to the network adapter used for virtual IP addresses. The IP address and network mask should be entered in Classless Inter-Domain Routing notation; for example, 192.0.2.96/24.

So what is strange with this? Well, not really strange, but could I really be forced to enter the IP of the server? No, as long as the network ID / subnet matches it will work. So for the example that Microsoft provided I would have used 192.0.2.0/24 instead.

Select the network adapter to be used for Remote Desktop IP Virtualization

UAC modified groups

So I was searching for which groups User Account Control (UAC) removes from the default Kerberos ticket. After a lot of googling, and even reading the old UAC blog, I still hadn't found it, so I decided to build the list myself.

But first what is UAC?

UAC helps secure a system by removing some groups from the Kerberos ticket used by Explorer.exe. When you run a program as Administrator it will run with the full Kerberos ticket.

Which Windows groups are removed from the default Kerberos ticket?

Getting an error while removing an DFS namespace server

I have seen a few people get the following error while trying to remove obsolete DFS namespace servers. Usually the server has been removed permanently before it was removed from the DFS namespace. More than once I have seen people being a bit too smart for their own good, removing the namespace server using ADSIedit.

How to get this error:

  • Permanently remove a namespace server
  • Use ADSIedit to cover up the mistake by removing the namespace server from the DFS configuration
  • Get baffled by it still being in the DFS Management console
  • Try to remove the server the correct way

Result:

What to do:

Re-add the namespace server to the DFS configuration using ADSIedit.

Then remove the obsolete DFS root server the correct way, using the correct command for your server version:

Remove an obsolete namespace server on a Windows 2000 Server
Remove an obsolete namespace server on a Windows 2003 Server
Remove an obsolete namespace server on a Windows 2008 and newer Server

Remove an obsolete DFS nameserver Windows 2008 and newer

A simple explanation of how to remove an obsolete DFS namespace server from a Windows 2008/2008 R2 server. Since Microsoft removed the Support Tools with Windows 2008 and replaced them with RSAT, there is no need to install any tools anymore. Just a command and happiness.

Getting an error about:

See my blog entry about errors removing DFS namespace server