Getting an FSMO DC to start without replication

So you have just restored your domain controller for a recovery test or a real recovery, and you notice that the domain controller isn't working. First off, you might even need to log on in Directory Services Restore Mode, because you simply can't get in otherwise. Then you notice all of those Event ID 2092 entries in the Directory Service log.

[Image: Event 2092 in the Directory Service log on Windows Server 2012 R2]

[Image: Event 2092 in the Directory Service log on Windows Server 2008 R2]

This is a security measure implemented by Microsoft: a domain controller that hosts an FSMO role will not bring that role online until it has checked, through replication, whether another domain controller seized the role while the server was down. Consider the following:

  • We lose the current RID master (dc01)
  • We seize the RID master role onto dc02
  • We fix the server dc01 and bring it back online

Without the check we would have two RID masters until the first replication with dc01 completed, and both could hand out overlapping RID pools, which means duplicate SIDs. Having more than one holder of an FSMO role online at the same time is BAD, so this check is good and works most of the time.

So now you are thinking: my domain only has one domain controller, and it starts just fine, so? Well, Microsoft checks whether there are any replication partners; if there aren't any, there is nothing to verify against and the check is skipped.
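The following script is an added example and not the post's own code. It shows, on a freshly restored DC, the three things the explanation above turns on: which FSMO roles the DC claims, whether Event 2092 has been logged since boot (and for which role), and which replication partners the initial-sync check would have to reach. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) and an elevated session; save it as a .ps1 and run it on, or pointed at, the restored DC.

```powershell
# Added example (not from the original post): diagnose why a restored DC is
# withholding its FSMO roles. Assumes the ActiveDirectory module and that
# $DomainController (default: this host) is reachable over WinRM/RPC.
param([string]$DomainController = $env:COMPUTERNAME)
Import-Module ActiveDirectory

$dc    = Get-ADDomainController -Identity $DomainController
$roles = @($dc.OperationMasterRoles)
if ($roles.Count) { "{0} claims: {1}" -f $dc.HostName, ($roles -join ', ') }
else              { "{0} holds no FSMO roles" -f $dc.HostName }

# Event 2092 is written to the 'Directory Service' log; only events since the
# last boot matter, because the check runs at startup.
$lastBoot = (Get-CimInstance Win32_OperatingSystem -ComputerName $dc.HostName).LastBootUpTime
$events = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2092; StartTime = $lastBoot })

if ($events.Count -eq 0) {
    "No Event 2092 since boot at $lastBoot - the roles held here were validated."
} else {
    foreach ($e in $events) {
        # The message carries an 'FSMO Role: <DN>' line naming the role being withheld.
        $roleLine = $e.Message -split "`r?`n" | Where-Object { $_ -match '^FSMO Role:' } | Select-Object -First 1
        $role = if ($roleLine) { ($roleLine -replace '^FSMO Role:\s*', '').Trim() } else { '(role not parsed)' }
        "{0}  Event 2092  withheld role: {1}" -f $e.TimeCreated, $role
    }
}

# The check only fires when the DC has partners it has not replicated with since
# boot; a lone DC has none and starts its roles without asking anyone.
$partners = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue)
if ($partners.Count -eq 0) {
    "No replication partners recorded - the initial sync is skipped."
} else {
    $partners |
        Select-Object Partner, Partition, LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult |
        Format-Table -AutoSize
}
```

A partner list where every LastReplicationSuccess is older than the boot time, together with a 2092 for the role you care about, is the situation the post is about: the DC is not broken, it is refusing to trust a role it cannot confirm nobody else seized.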

[Read more…]

Hyper-V: Firmware – Load Failed

I was reinstalling one of my virtual clients, a lot, and from time to time I ran into problems. I want the machine to boot from the network, which is an easy change: just open the properties of the virtual machine and move 'Network' up the boot order on the Firmware tab. Well.. where is my Firmware tab?
[Image: Hyper-V settings showing 'Firmware – Load Failed']

I need my firmware tab. [Read more…]

Enable scavenging on all dns zones using Powershell

So I needed to enable scavenging on all reverse zones for a customer. All forward and most reverse zones were done, but not all. Since this was a Windows Server 2012 R2 server, I knew that every cmdlet I might need was available.

But what if I have already enabled scavenging and only want to update which servers will scavenge?

And now all my zones have scavenging enabled and the correct scavenging DNS servers specified.
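The script below is an added example, not the post's own code, covering both cases the post describes: turning aging on for every zone that does not have it yet, and correcting the scavenge-server list on zones that already age. It assumes the DnsServer module from the Windows Server 2012 R2 DNS role (or RSAT), a hypothetical DNS server dc01.domain.fqdn, and that 10.0.0.10 and 10.0.0.11 are the servers you want doing the scavenging.

```powershell
# Added example (not from the original post). Assumptions: DnsServer module
# available, $dnsServer is the server to configure, $scavengeServers are the
# DNS servers allowed to scavenge the zones.
Import-Module DnsServer

$dnsServer       = 'dc01.domain.fqdn'            # assumption
$scavengeServers = @('10.0.0.10', '10.0.0.11')   # assumption
$noRefresh       = [TimeSpan]::FromDays(7)
$refresh         = [TimeSpan]::FromDays(7)
$reverseOnly     = $true   # the post's task was reverse zones; set $false for all zones

# Only primary zones that are not auto-created (0.in-addr.arpa etc.) can age records.
$zones = Get-DnsServerZone -ComputerName $dnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                   (-not $reverseOnly -or $_.IsReverseLookupZone) }

foreach ($zone in $zones) {
    $aging   = Get-DnsServerZoneAging -Name $zone.ZoneName -ComputerName $dnsServer
    $current = @($aging.ScavengeServers | ForEach-Object { $_.IPAddressToString } | Sort-Object) -join ','
    $wanted  = @($scavengeServers | Sort-Object) -join ','

    if (-not $aging.AgingEnabled) {
        # Case 1: no aging yet - enable it with intervals and scavengers in one go.
        Set-DnsServerZoneAging -Name $zone.ZoneName -ComputerName $dnsServer -Aging $true `
            -NoRefreshInterval $noRefresh -RefreshInterval $refresh -ScavengeServers $scavengeServers
        "Enabled aging on {0}" -f $zone.ZoneName
    }
    elseif ($current -ne $wanted) {
        # Case 2: already aging, but the wrong servers would scavenge - fix only that.
        Set-DnsServerZoneAging -Name $zone.ZoneName -ComputerName $dnsServer -ScavengeServers $scavengeServers
        "Updated scavenge servers on {0} ({1} -> {2})" -f $zone.ZoneName, $current, $wanted
    }
}

# Zone aging alone does nothing: scavenging must also be switched on at the
# server level on the scavenge servers themselves.
Get-DnsServerScavenging -ComputerName $dnsServer | Select-Object ScavengingState, ScavengingInterval
```

The final line is the check that is easy to forget: a zone can be set to age records for years while no server ever actually scavenges, because the server-level ScavengingState is still off.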

Powershell function to discover netboot GUID on Hyper-V

Earlier I needed to find the netboot GUID of machines in Hyper-V, so I wrote a small PowerShell snippet for that. Since I kept needing it and didn't want to run all those lines every time, I went through the code and wrote a small function that does what I need. I have published it on Script Center Galleries.

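The function below is an added example written for this page; it is not the author's published Script Center function. It reads the SMBIOS GUID that a Hyper-V VM presents to PXE, which is the value WDS expects as the netboot GUID, and returns it both as the dashed string and as the 16-byte form stored in the AD netbootGUID attribute. It assumes the Hyper-V role with its root\virtualization\v2 WMI namespace and admin rights on the host.

```powershell
# Added example (not the author's code): get a Hyper-V VM's netboot GUID.
# Assumes the Hyper-V WMI v2 namespace on $ComputerName (default: this host).
function Get-VMNetbootGuid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('Name')]
        [string]$VMName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    process {
        # 'Realized' settings are the live VM; checkpoints carry their own settings objects.
        $escaped  = $VMName -replace "'", "''"
        $settings = Get-CimInstance -ComputerName $ComputerName `
            -Namespace 'root\virtualization\v2' -ClassName Msvm_VirtualSystemSettingData `
            -Filter "ElementName = '$escaped' AND VirtualSystemType = 'Microsoft:Hyper-V:System:Realized'"
        if (-not $settings) { throw "VM '$VMName' not found on $ComputerName" }

        # BIOSGUID is stored as '{xxxxxxxx-xxxx-...}'; [guid] accepts the braces.
        $guid = [guid]$settings.BIOSGUID
        [pscustomobject]@{
            VMName           = $VMName
            NetbootGuid      = $guid.ToString().ToUpper()
            # AD's netbootGUID attribute holds the GUID as 16 raw bytes in Windows
            # (mixed-endian) layout, which is what Guid.ToByteArray() produces.
            NetbootGuidBytes = $guid.ToByteArray()
            NetbootGuidHex   = ($guid.ToByteArray() | ForEach-Object { $_.ToString('X2') }) -join ''
        }
    }
}

# Usage: a single VM, or every VM on the host (the pipeline form needs the Hyper-V module).
# Get-VMNetbootGuid -VMName 'client01'
# Get-VM | Get-VMNetbootGuid
```

The byte form matters when you prestage the computer object yourself (Set-ADComputer -Replace @{netbootGUID = $bytes}); the dashed form is what wdsutil and the WDS console ask for.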

[Read more…]

Don't forget to create a GPO Central Store

It doesn't matter if your domain is new or old. If the servers are Windows Server 2008 or later you can and should use the Central Store. I have seen both new and upgraded domains that don't use it.

What is the Central Store

In older versions of Windows the administrative templates (.adm files) were copied into each GPO. With Windows Server 2008 and later you don't need to, nor should you. The Central Store is a directory in SYSVOL that every Group Policy editor reads from, so all policies share the same set of the newer ADMX-format files.

I checked, I don't have the Central Store and it works anyway

Well, yes: every Windows machine of the same level has a copy of the same templates in its local C:\Windows\PolicyDefinitions directory. But the settings you see then depend on which client you used to edit the policy. By creating the Central Store we make sure that every client uses the same ADMX files.

How do I create a Central Store then?

Just copy the C:\Windows\PolicyDefinitions directory, with its subfolders, to \\domain.fqdn\sysvol\domain.fqdn\policies\. It's as simple as that. Copy it from the machine with the newest set of templates you want to manage, since newer Windows versions ship ADMX files that older ones don't have.
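As an added example (not from the post), the copy above done from PowerShell, with a refresh path for an existing store and the two checks worth doing before the whole domain starts reading from it. It assumes the ActiveDirectory module for the domain name (or replace $domain with the FQDN) and that it is run as a domain admin on the machine whose local ADMX set you want to become the domain's.

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory
# module present; this machine's PolicyDefinitions is the set to publish.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot            # or hard-code 'domain.fqdn'
$source = "$env:SystemRoot\PolicyDefinitions"
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) {
    # First-time creation: ADMX files plus the language subfolders (en-US, ...) with the ADML text.
    Copy-Item -Path $source -Destination $store -Recurse
    "Central Store created at $store"
} else {
    # Store exists: only bring in files newer than what is already there (/XO),
    # so a machine with an older template set cannot silently downgrade it.
    robocopy $source $store /E /XO /NP /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    "Central Store at $store refreshed (robocopy exit code $LASTEXITCODE)"
}

# Check 1: every ADMX needs an ADML in the language your editors run in,
# otherwise GPMC shows raw resource names for that template.
$admx = @(Get-ChildItem $store -Filter *.admx)
$adml = @(Get-ChildItem (Join-Path $store 'en-US') -Filter *.adml -ErrorAction SilentlyContinue)
"{0} ADMX files, {1} en-US ADML files" -f $admx.Count, $adml.Count
$missing = $admx.BaseName | Where-Object { $_ -notin $adml.BaseName }
if ($missing) { Write-Warning ("ADMX without en-US ADML: " + ($missing -join ', ')) }

# Check 2: SYSVOL replication carries the store to every DC; confirm it arrived.
foreach ($dc in Get-ADDomainController -Filter *) {
    $path = "\\$($dc.HostName)\SYSVOL\$domain\Policies\PolicyDefinitions"
    "{0}: {1} ADMX" -f $dc.HostName, @(Get-ChildItem $path -Filter *.admx -ErrorAction SilentlyContinue).Count
}
```

Once the store exists, the Administrative Templates node in GPMC reports "Policy definitions (ADMX files) retrieved from the central store"; if it still says "from the local computer", the editor is not seeing the SYSVOL path.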

For more information see How to Implement the Central Store for Group Policy Admin Templates, Completely (Hint: Remove Those .ADM files!)

Push a solid colored background to a Windows Server 2012 or later

So I had a customer who asked me to change the background colour for all users of an RDS solution. Well, that seems easy: let's start by right-clicking the desktop and selecting Personalize. Woho, it isn't there; by default Windows Server does not include Desktop Experience. So let's install it, just for fun. It's not really needed.

This wants to reboot so lets do that and take a coffee [Read more…]

Setting up alternative names for a computer

So a friend of mine had a problem: they were not able to access a Windows server using a CNAME they had created for the computer.

So what is wrong with this picture? Well, using a CNAME is as bad as using an IP address: AD does not know about this name. A Kerberos client asks for a ticket for the name it typed, so no SPN exists for the alias, and the Server service rejects SMB connections for names it does not consider its own. There are a few more things you need to fix.

There are a few simple, and simpler, solutions.

Using netdom

Reboot the computer to make it all work.

OptionalNames for the Server service (SMB)

By altering OptionalNames (you might need to create it) under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, you can make the Server service accept other names for the machine. Remember that OptionalNames needs to be of type Multi-String Value (REG_MULTI_SZ), and the Server service must be restarted to pick it up.

SPNs (Service Principal Names)

You can also manually edit the SPNs of the computer account so that Kerberos authentication works for IIS and other services when they are reached through the alias.
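The three approaches above, as one added example that is not the post's own code. Assumptions: the server is srv01 in domain.fqdn, the alias files.domain.fqdn already exists as a CNAME, and the script runs elevated on srv01 by a user allowed to write SPNs on the computer account.

```powershell
# Added example (not from the original post). Assumptions: $server/$domain/$alias
# are yours; run elevated on the server itself.
$server    = 'srv01'
$domain    = 'domain.fqdn'
$alias     = 'files'
$aliasFqdn = "$alias.$domain"

# 1. netdom: records the name on the computer account (msDS-AdditionalDnsHostName)
#    and adds the matching HOST SPNs. Reboot afterwards, as the post says.
netdom computername "$server.$domain" "/add:$aliasFqdn"

# 2. OptionalNames: lets the Server (SMB) service answer to the extra names.
#    Preserve whatever is already in the multi-string and add both short and FQDN forms.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$existing = (Get-ItemProperty -Path $key -Name OptionalNames -ErrorAction SilentlyContinue).OptionalNames
$names    = @($existing) + @($alias, $aliasFqdn) | Where-Object { $_ } | Select-Object -Unique
Set-ItemProperty -Path $key -Name OptionalNames -Value ([string[]]$names) -Type MultiString
Restart-Service LanmanServer -Force

# 3. SPNs by hand (if netdom was not used): HOST/ covers SMB and most Windows
#    services, HTTP/ covers IIS when it runs under the machine account.
#    setspn -S refuses to add an SPN that already exists in the forest; a duplicate
#    SPN breaks Kerberos for both hosts, so do not force it with -A.
foreach ($svc in 'HOST', 'HTTP') {
    setspn -S "$svc/$aliasFqdn" "$server$"
    setspn -S "$svc/$alias"     "$server$"
}

# Verify what the computer account now advertises.
setspn -L "$server$"
```

If the web site on the alias runs under a domain service account rather than the machine account, the HTTP/ SPNs belong on that account instead; registering them on the computer account as well would create exactly the duplicate that setspn -S guards against.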

Keys for Windows and Office

I was trying to find the Office 2013 keys and all I found were the Windows ones. So here are the links to the key pages at Microsoft.

The keys I use the most at the moment

Software                               Client setup key (GVLK; AVMA key where marked)
Windows Server 2012 R2 Datacenter      W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9
Windows Server 2012 R2 Standard        D2N9P-3P6X9-2R39C-7RTCD-MDVJX
Windows Server 2012 R2 Standard (AVMA) DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
Windows 10 Professional                W269N-WFGWX-YVC9B-4J6C9-T83GX
Windows 10 Enterprise                  NPPR9-FWDCX-D2C8J-H872K-2YT43
Windows 10 Enterprise 2015 LTSB        WNMTR-4C88C-JK8YV-HQ7T2-76DF9
Windows 8.1 Enterprise                 MHF9N-XY6XB-WVXMC-BTDCT-MKKG7
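An added example of putting one of these keys to use, not from the post: install the GVLK, point the client at a KMS host and confirm through WMI that the installed key is the one you meant and that the machine actually activated. The KMS host kms.domain.fqdn is an assumption; leave -KmsHost empty to rely on the _vlmcs SRV record in DNS instead. The AVMA key is installed the same way but activates through the Hyper-V host, so no KMS host is involved for it.

```powershell
# Added example (not from the original post). Assumptions: elevated session,
# $KmsHost is your KMS host (or '' to use DNS auto-discovery).
function Install-KmsClientKey {
    param(
        [Parameter(Mandatory)][string]$Key,          # a GVLK from the table above
        [string]$KmsHost = 'kms.domain.fqdn',        # assumption
        [int]$KmsPort = 1688
    )
    $slmgr = "$env:SystemRoot\System32\slmgr.vbs"
    cscript //nologo $slmgr /ipk $Key                # install the client key
    if ($KmsHost) {
        cscript //nologo $slmgr /skms "${KmsHost}:$KmsPort"   # pin the KMS host
    } else {
        cscript //nologo $slmgr /ckms                # clear any pinned host, use DNS SRV
    }
    cscript //nologo $slmgr /ato                     # activate now

    # Read the result from WMI instead of parsing slmgr's text.
    # LicenseStatus 1 = Licensed; PartialProductKey is the last 5 characters of the key in use.
    # The ApplicationId below is the one all Windows editions report.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    Get-CimInstance SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND ApplicationId = '$windowsAppId'" |
        Select-Object Name, PartialProductKey, LicenseStatus,
            @{ n = 'Activated';  e = { $_.LicenseStatus -eq 1 } },
            @{ n = 'KeyMatches'; e = { $Key.EndsWith($_.PartialProductKey) } }
}

# Usage: a Windows Server 2012 R2 Standard host against the KMS host above.
# Install-KmsClientKey -Key 'D2N9P-3P6X9-2R39C-7RTCD-MDVJX'
```

KeyMatches being $false after the run means slmgr /ipk did not replace the previous key (usually an edition mismatch); Activated being $false with the right key usually means the KMS host is unreachable on 1688 or has not yet reached its activation threshold.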


Acronyms

Acronym Full name
AVMA Automatic Virtual Machine Activation
VLK Volume License Key
GVLK Generic Volume License Key
MAK Multiple Activation Key
KMS Key Management Service

Remote Desktop IP Virtualization networking adapter

So I was setting up Remote Desktop IP Virtualization for a customer. Since Microsoft removed the RD Session Host Configuration console (tsconfig.msc) in Windows Server 2012, how do I do the configuration now? Well, one way you could have used before as well is a GPO, which also has the benefit that all servers get configured the same.

So when I was configuring the GPO setting I noticed this small gotcha in the setting's explanation text:

This policy setting specifies the IP address and network mask that corresponds to the network adapter used for virtual IP addresses. The IP address and network mask should be entered in Classless Inter-Domain Routing notation; for example, 192.0.2.96/24.

So what is strange with this? Well, not really strange, but could I really be forced to enter the IP address of the server? No: as long as the network ID and subnet mask match, it will work. So for the example that Microsoft provided I would have used 192.0.2.0/24 instead.
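The point above, as an added example (not from the post): normalise whatever you type into the GPO to its network ID, then compare it with the adapters on the RD Session Host, so you can see that the policy matches on network ID rather than on the exact host address. The second function assumes the NetTCPIP module (Get-NetIPAddress), present on Windows Server 2012 and later.

```powershell
# Added example (not from the original post): CIDR -> network ID, and which
# adapter the IP Virtualization policy value would match.
function ConvertTo-NetworkId {
    param([Parameter(Mandatory)][string]$Cidr)      # e.g. '192.0.2.96/24'
    $addrText, $prefixText = $Cidr -split '/', 2
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }
    $addr = [System.Net.IPAddress]::Parse($addrText).GetAddressBytes()

    # Mask each octet with however many of the prefix bits fall into it.
    $netBytes = New-Object byte[] 4
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $prefix - 8 * $i))
        $mask = ((0xFF -shl (8 - $bits)) -band 0xFF)
        $netBytes[$i] = [byte]($addr[$i] -band $mask)
    }
    $network = New-Object System.Net.IPAddress (,$netBytes)
    "{0}/{1}" -f $network.IPAddressToString, $prefix
}

function Test-VirtualIPAdapter {
    param([Parameter(Mandatory)][string]$GpoValue)   # the CIDR string placed in the policy
    $wanted = ConvertTo-NetworkId $GpoValue
    Get-NetIPAddress -AddressFamily IPv4 |
        Select-Object InterfaceAlias, IPAddress, PrefixLength,
            @{ n = 'NetworkId';  e = { ConvertTo-NetworkId "$($_.IPAddress)/$($_.PrefixLength)" } },
            @{ n = 'MatchesGpo'; e = { (ConvertTo-NetworkId "$($_.IPAddress)/$($_.PrefixLength)") -eq $wanted } }
}

# Usage:
# ConvertTo-NetworkId '192.0.2.96/24'     # Microsoft's example, normalised
# Test-VirtualIPAdapter '192.0.2.0/24'    # which adapter on this host the policy binds to
```

Microsoft's 192.0.2.96/24 and the 192.0.2.0/24 used in the post both normalise to the same network ID, which is why either works in the policy; a value that matches none of the adapters, or more than one, is the case to look for before pushing the GPO to every session host.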

[Image: GPO setting 'Select the network adapter to be used for Remote Desktop IP Virtualization']

UAC modified groups

So I was searching for which groups User Account Control (UAC) removes from the default access token. After a lot of googling, and even reading the old UAC blog, I still hadn't found it, so I decided to build the list myself.

But first what is UAC?

UAC helps secure a system by giving the interactive session a filtered access token: the powerful groups (Administrators among them) are marked as used for deny only, and certain privileges are stripped. The Kerberos ticket itself is untouched; the filtering happens in the token Windows builds at logon. Explorer.exe, and everything you start from it, runs with that filtered token. When you run a program as Administrator it runs with the full token.

Which Windows groups are removed from the default access token? [Read more…]
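An added example, not from the post, that shows the filtering directly on your own machine: it lists the groups in the current process token that UAC has marked as used for deny only, and whether the process is elevated. Run it once from a normal PowerShell prompt and once from one started with Run as administrator; the deny-only list is non-empty only in the first case. It assumes only the built-in whoami.exe.

```powershell
# Added example (not from the original post): inspect the current token for
# UAC's deny-only groups. Assumes whoami.exe (built into Windows).
function Get-UacFilteredGroups {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # IsInRole(Administrator) is $false under the filtered token even for an admin,
    # because the Administrators group is deny-only there.
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups /fo csv: "Group Name","Type","SID","Attributes" for every group in the token.
    $groups   = @(whoami /groups /fo csv | ConvertFrom-Csv)
    $denyOnly = @($groups | Where-Object { $_.Attributes -match 'deny only' })

    [pscustomobject]@{
        User           = $id.Name
        Elevated       = $elevated
        TotalGroups    = $groups.Count
        DenyOnlyGroups = @($denyOnly | ForEach-Object { "{0} ({1})" -f $_.'Group Name', $_.SID })
    }
}

Get-UacFilteredGroups | Format-List
```

A deny-only group still counts for access-denied ACEs but never grants anything, which is why a member of Administrators cannot write to Program Files from a normal prompt even though the group is still listed in the token. Comparing the two runs gives you the list the post is after, for the groups the current user is actually in.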