Using Powershell to manipulate File Server Resource Manager

This article shares how to use PowerShell to manage the File Server Resource Manager (FSRM), which handles quota management on a file server.

Setting the FSRM Quota for a shared path

Set-FsrmQuota -Path 'U:\PathOfShare' -Description 'Soft limit set to 10 GB' -Size 10GB [-SoftLimit] [-Threshold (New-FsrmQuotaThreshold -Percentage 85)] [-Disabled]


View the File Server Resource Manager (FSRM) information for a shared path

Get-FsrmQuota -Path 'U:\UserPathName'

Creating a new FSRM Quota Template

New-FsrmQuotaTemplate -Name 'Test' -Threshold (New-FsrmQuotaThreshold -Percentage 85) -Description 'Test' -Size 10GB

New-FsrmFileScreen -Path 'U:\PathToShare' [-Active] -Description 'Screen files for videos and music' -IncludeGroup 'Audio and Video Files'
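The commands above as one script, added here as an example and not part of the original post: it creates a quota template with a warning threshold that writes an event (so monitoring can alert on it), applies a quota to a share from that template, adds a file screen, and reports quotas already above the threshold. It assumes the FSRM role and its FileServerResourceManager module are installed; the share path U:\Shares\Users and the template name are placeholders. Note that Set-FsrmQuota modifies an existing quota, so the script uses New-FsrmQuota to create one.

```powershell
# Added example (not from the original post). Assumes the FSRM role is installed
# and that U:\Shares\Users exists; share path and template name are placeholders.
Import-Module FileServerResourceManager

$SharePath    = 'U:\Shares\Users'
$TemplateName = 'Users-10GB'

# Action attached to the 85% threshold: log a warning event so monitoring can pick it up.
$warnAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] reached [Quota Threshold]% of the [Quota Limit MB] MB quota on [Quota Path]'
$threshold  = New-FsrmQuotaThreshold -Percentage 85 -Action $warnAction

# Template first, so every quota derived from it changes together.
if (-not (Get-FsrmQuotaTemplate -Name $TemplateName -ErrorAction SilentlyContinue)) {
    New-FsrmQuotaTemplate -Name $TemplateName -Size 10GB -Threshold $threshold `
        -Description 'Hard 10 GB limit, warn at 85%' | Out-Null
}

# New-FsrmQuota creates the quota; Set-FsrmQuota only modifies an existing one.
if (-not (Get-FsrmQuota -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmQuota -Path $SharePath -Template $TemplateName | Out-Null
}

# Block executables and media in the user share; both group names are FSRM built-ins.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -Active `
        -IncludeGroup 'Executable Files', 'Audio and Video Files' `
        -Description 'Block executables and media in user shares' | Out-Null
}

# Report: quotas already at or above the warning threshold (Usage and Size are in bytes).
Get-FsrmQuota |
    Select-Object Path,
        @{ n = 'UsedGB';  e = { [math]::Round($_.Usage / 1GB, 2) } },
        @{ n = 'LimitGB'; e = { [math]::Round($_.Size / 1GB, 2) } },
        @{ n = 'PctUsed'; e = { [math]::Round(100 * $_.Usage / $_.Size, 1) } } |
    Where-Object PctUsed -ge 85 |
    Format-Table -AutoSize
```

Using a template rather than per-path quotas means a later Set-FsrmQuotaTemplate with -UpdateDerived changes every share at once; the file screen is set to Active so the matching file types are blocked rather than only logged.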

Performing an Offline Domain Join – AD DS

Provisioning an offline domain join file for a computer:

  1. Logon to a writeable Domain Controller
  2. Open the command prompt (cmd)
  3. Use command:

Djoin /provision /domain <mydomain.com> /machine <computername> /savefile <filename.txt> /machineou <Computers> /dcname <DC1> /reuse

Joining a computer to the Domain offline:

Djoin /requestodj /loadfile <filename.txt> /windowspath <%windir%> /localos

The computer will restart and when it is up, the computer is on the domain.
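The provisioning step wrapped in PowerShell, added here as an example and not part of the original post: it runs djoin for a list of computers, checks the exit code, and restricts the ACL on each provisioning file. The file contains the new computer account's password, so it is handled as a secret and deleted after use. The domain, OU, output folder and computer names are constructed placeholders.

```powershell
# Added example (not from the original post). Run on a writeable DC as a user
# allowed to create computer objects in the target OU. All names are placeholders.
$Domain    = 'mydomain.com'
$MachineOU = 'OU=Workstations,DC=mydomain,DC=com'
$OutDir    = 'C:\ODJ'
$Computers = @('WKS001', 'WKS002')   # constructed sample list

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($name in $Computers) {
    $blob = Join-Path $OutDir "$name.txt"
    # /reuse lets an existing (pre-created or stale) computer object be re-provisioned.
    $out = & djoin.exe /provision /domain $Domain /machine $name /machineou $MachineOU /savefile $blob /reuse 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "djoin failed for $name (exit $LASTEXITCODE): $out"
        continue
    }
    # Drop inherited ACEs and leave only SYSTEM and the provisioning admin on the file.
    $acl = Get-Acl -Path $blob
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($id in 'NT AUTHORITY\SYSTEM', $me) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $blob -AclObject $acl
    Write-Host "Provisioned $name -> $blob"
}

# On the target machine (still offline) the file is consumed with:
#   djoin.exe /requestodj /loadfile C:\ODJ\WKS001.txt /windowspath $env:windir /localos
# Delete the file once the join has completed; it is as sensitive as the
# computer account password it carries.
```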

Reference: https://technet.microsoft.com/en-us/library/offlinedomain-join-djoin-step-by-step(v=ws.10).aspx

Setting up a Read-only Domain Controller (RODC) using the Staging method

This article covers the steps required to set up a Read-only Domain Controller (RODC) so that a remote office can authenticate its users locally.

This configuration can be done through the Active Directory Users and Computers (ADUC) console or by performing the same task with PowerShell.

The first set of instructions is using Powershell to install the RODC:

Step 1 – Create a normal AD user account

Log on to a writeable Domain Controller and open the PowerShell command line to execute the following commands.

This command adds a new user account that will perform this task; if a suitable user already exists, this step can be skipped.

New-ADUser -Name Sam -SamAccountName Sam -UserPrincipalName Sam -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)

The command adds the user Sam with the given password, setting both the user principal name and the SAM account name to Sam.

Step 2 – Pre-create the Read-only Domain Controller computer account

To pre-create the RODC computer account, run the command below, which adds the account to AD. The user account Sam, which has no administrative privileges, is delegated the right to join the RODC server to the domain.

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName DC-RO -SkipPreChecks -DelegatedAdministratorAccountName Sam -DomainName 'mydomain.com' -SiteName Default-First-Site-Name

The delegated user then runs the following PowerShell commands on the prospective RODC server, which should not yet be joined to the domain.

Step 3 – Install the Active Directory Domain Services on the prospective RODC

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Step 4 – Promote the server to the role of a RODC

Install-ADDSDomainController -DomainName 'mydomain.com' -Credential (Get-Credential) -UseExistingAccount

The command prompts for the credentials of the delegated account created earlier (or whichever account was delegated) and for the Directory Services Restore Mode password (SafeModeAdministratorPassword). Once the process completes, the server restarts and the RODC is ready for use.
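The four steps as one script, added here as an example and not part of the original article: the staging command also sets an explicit Password Replication Policy (PRP), the promotion supplies the DSRM password non-interactively, and a final check confirms the server is read-only and shows which accounts may cache passwords on it. The site name BranchOffice and the group BranchOffice-Users are assumed placeholders; Sam is the delegated user from the article.

```powershell
# Added example (not from the original article). Names, site and groups are placeholders.
# --- Part 1: on a writeable DC, as a Domain Admin ---
Import-Module ActiveDirectory, ADDSDeployment

Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'DC-RO' `
    -DomainName 'mydomain.com' `
    -SiteName 'BranchOffice' `
    -DelegatedAdministratorAccountName 'Sam' `
    -AllowPasswordReplicationAccountName 'BranchOffice-Users' `
    -DenyPasswordReplicationAccountName 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
# Only the branch users' secrets are ever cached on the RODC; privileged
# accounts are denied explicitly so a stolen branch server yields none of them.

# --- Part 2: on the prospective RODC, run by the delegated user Sam ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$dsrm = Read-Host -AsSecureString 'DSRM (SafeMode) password for this RODC'
Install-ADDSDomainController `
    -DomainName 'mydomain.com' `
    -Credential (Get-Credential -Message 'Delegated RODC admin (mydomain\Sam)') `
    -UseExistingAccount `
    -SafeModeAdministratorPassword $dsrm `
    -Force   # skips the confirmation prompt; the server reboots when promotion finishes

# --- Part 3: after the reboot, from any domain member, verify the result ---
Get-ADDomainController -Identity 'DC-RO' | Select-Object Name, IsReadOnly, Site, IsGlobalCatalog
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'DC-RO' -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'DC-RO' -Denied  | Select-Object Name, ObjectClass
```

Part 1 needs Domain Admin rights and Part 2 needs only Sam's credentials plus local administrator rights on the new server, which is the point of the staged method.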

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller–rodc—level-200-

Configuring Domain Controller Cloning

Note: Microsoft Hands-on Lab WS00148 can be used to conduct this exercise. That environment may need additional configuration to execute some of these steps, since cloning is not its main aim; the lab's own steps can be ignored in favour of your own configuration.

Before cloning a virtual Domain Controller (DC), a few requirements need to exist in the environment.

The requirements are listed below:

  1. There must be a DC holding the PDC Emulator FSMO role, running at least Windows Server 2012 and accessible on the network.
  2. The virtual DC to be cloned must run on a hypervisor that supports the VM-GenerationID feature.
  3. The source virtual DC must run at least Windows Server 2012 and be a member of the AD group Cloneable Domain Controllers.
  4. There must be a DC clone configuration XML file (DCCloneConfig.xml) holding the settings the cloned DC will use to configure itself.

To start the cloning process, the DC needs to be added to the Cloneable Domain Controllers group:

  1. Open Server Manager.
  2. Then go to Active Directory Users and Computers (ADUC).
  3. Go to the Organizational Unit (OU) Users.
  4. Select the security group "Cloneable Domain Controllers".
  5. Right-click and select Properties.
  6. Go to the Members tab and add the DC here.
  7. Save and close the settings.

Alternatively, PowerShell can be used to perform the previous step:

Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer SRV1)

The next step is to check for excluded applications and generate the allow-list file using PowerShell:

Open a PowerShell console and use this command, which lists the installed applications and services that are not yet on the cloning allow list and, with -GenerateXml, writes them to an allow-list XML file in C:\Windows\NTDS\:

Get-ADDCCloningExcludedApplicationList -GenerateXml

The next command creates the DC cloning configuration XML file that configures the virtual DC clone you will import into the hypervisor.

New-ADDCCloningConfigFile -CloneComputerName 'DCCloneName' -IPv4Address 10.10.10.10 -IPv4DefaultGateway 10.10.10.1 -IPv4SubnetMask 255.255.255.0 -IPv4DNSResolver 10.10.10.100,10.10.10.102 -Static

Now shut down the source DC VM, export a copy of it and import that copy so that it receives a new VM ID. When the copied VM boots, the cloning process should start during boot. When it completes, the VM reboots and the new cloned DC is ready for use.
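The four requirements and the preparation commands as one pre-flight script, added here as an example and not part of the original article. It is run on the source virtual DC as a Domain Admin, checks the PDC emulator's version and reachability, looks for the VM Generation ID device, adds the source DC to Cloneable Domain Controllers if needed, reviews the excluded-application list, and writes DCCloneConfig.xml with static addressing. The device name match and the IP values are assumptions.

```powershell
# Added example (not from the original article). Run on the source virtual DC.
Import-Module ActiveDirectory

$SourceDc  = $env:COMPUTERNAME
$CloneName = 'DCCloneName'   # placeholder

# 1. PDC emulator on Windows Server 2012 (NT 6.2) or later, and reachable.
$pdc   = (Get-ADDomain).PDCEmulator
$pdcOs = (Get-ADComputer -Identity $pdc.Split('.')[0] -Properties OperatingSystemVersion).OperatingSystemVersion
if ([version]($pdcOs.Split(' ')[0]) -lt [version]'6.2') {
    throw "PDC emulator $pdc runs version $pdcOs; Windows Server 2012 or later is required"
}
if (-not (Test-Connection -ComputerName $pdc -Count 1 -Quiet)) { throw "PDC emulator $pdc is not reachable" }

# 2. The hypervisor exposes VM-GenerationID to the guest as a PnP device
#    (assumption: its friendly name contains "Generation Counter").
if (-not (Get-PnpDevice | Where-Object FriendlyName -like '*Generation Counter*')) {
    Write-Warning 'No VM Generation ID device found; the cloning safeguards will not work on this hypervisor'
}

# 3. Membership in Cloneable Domain Controllers (added here if missing).
$members = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' | Select-Object -ExpandProperty Name
if ($SourceDc -notin $members) {
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $SourceDc)
}

# 4. Applications not on the allow list are reported for review before they
#    are written to the allow-list XML; a service that must not be duplicated
#    (for example an agent with a unique identity) should be removed instead.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning "Review before cloning: $($excluded.Name -join ', ')"
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# Clone configuration with static addressing, so the clone never comes up with the source's IP.
New-ADDCCloningConfigFile -CloneComputerName $CloneName -Static `
    -IPv4Address 10.10.10.10 -IPv4SubnetMask 255.255.255.0 -IPv4DefaultGateway 10.10.10.1 `
    -IPv4DNSResolver 10.10.10.100, 10.10.10.102 -SiteName 'Default-First-Site-Name'
```

The VM Generation ID check matters because that identifier is what lets the booting copy recognise it is a clone and reset its invocation ID rather than replicating as the original DC.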

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100

Useful Windows commands

This article was written to share commands that can be run on a Windows system to open its various management tools. The list will be updated over time.

Open Local Users and Groups

lusrmgr.msc

Local Security Policy

secpol.msc

Local Group Policy Editor

gpedit.msc

Computer Management Tools

compmgmt.msc

Registry Editor

regedit

Disk Management tool

diskmgmt.msc

Execute a Group Policy Result Report

gpresult /H GPReport.html


Flush the local DNS cache

ipconfig /flushdns

To change the default OU for new domain computers, use the redirect command

redircmp "OU=MyComputer,DC=domain,DC=com"

View the ARP list of MAC address linked to IP address

arp -a

Veeam Replication Error – Unable to discover replica VM

There was a Veeam Backup & Replication job notification with the following error:

Discovering replica VM Error: Unable to find mapping target VmRef [vm-40195]
Error: Unable to find mapping target VmRef [vm-40195]

The phrase "unable to find mapping target" in the error means that the replica VM is missing or is not mapped to this source VM. To resolve this, change the replication job settings for this source VM.

Open the Veeam Backup & Replication console.


Select Replication, right-click the job and select Edit to modify its properties.


Under Describe your DR site, tick Low connection bandwidth (enable replica seeding). Note: this exposes the additional options needed to check the mapping of original VMs to replica VMs.


Select Seeding on the left side to go directly to the Replica mapping settings.


Under Replica Mapping, tick Map replicas to existing VMs if not already ticked.

It shows all the original VMs and their respective replica VMs. If the source VM that reported the error has no replica VM listed beside it, the replica VM is missing.

Click Detect to let Veeam discover the replica VMs associated with the original VMs in its database. If a replica VM shows No mapping, the replica VM is missing or could not be detected.


The replica VM can also be selected manually: highlight the original VM, select Edit, browse vCenter for the replica and select it (this applies only when the replica exists but was not mapped automatically by Detect).

Select Finish and retry the failed replica job. Note that when the Retry option is used, only the replication for the VM that failed is executed.

Cert Exam Prep: Exam 70-742: Identity with Windows Server 2016 – Study notes

  1. Install and configure Active Directory Domain Services (AD DS) (20–25%)

Install Active Directory

Know the PowerShell commands:

– Add the binaries

Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart

– Add a new forest

Install-ADDSForest -DomainName 'corp.contoso.com'

– Add a new domain in an existing forest

Install-ADDSDomain -NewDomainName amer -ParentDomainName 'corp.contoso.com'

– Add a new domain controller in an existing domain

Install-ADDSDomainController -DomainName 'amer.corp.contoso.com'

– Perform a staged read-only domain controller (RODC) installation

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName 'amer.corp.contoso.com' -SiteName Boston

* Then on RODC1: add the AD-Domain-Services feature and promote it to the domain controller role

Transferring and seizing FSMO roles

Exam Topic – What you should know!

Transfer FSMO Roles

  • Perform this on a domain controller which will be down for maintenance for a period of time, to ensure there is no loss of the FSMO service
  • Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

Seize FSMO Roles

  • Perform this if a domain controller is down and cannot be recovered, to ensure there is no loss of the FSMO service
  • Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force

FSMO roles can be represented by numbers

  • Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole 0,1,2,3,4 -Force

– 0: PDC Emulator

– 1: RID Master

– 2: Infrastructure Master

– 3: Schema Master

– 4: Domain Naming Master
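The transfer-versus-seize distinction as a script, added here as an example and not part of the original notes: it records the current holder of each role, transfers a role when its holder still answers and seizes it only when the holder is down, then shows the before and after state. Target-DC is the placeholder from the notes; the reachability test is a simple ping and is an assumption about how "down" is decided.

```powershell
# Added example (not from the original notes). Target-DC is a placeholder.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$TargetDc)
    $before   = Get-FsmoHolders
    $targetFq = (Get-ADDomainController -Identity $TargetDc).HostName
    $roles    = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

    foreach ($role in $roles) {
        $holder = $before.$role
        if ($holder -eq $targetFq) { continue }   # already on the target

        # Seizing leaves the old holder believing it still owns the role; if it ever
        # comes back online there are two owners. Seize only an unrecoverable DC.
        if (Test-Connection -ComputerName $holder -Count 1 -Quiet) {
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $role -Confirm:$false
        } else {
            Write-Warning "$holder is offline; seizing $role"
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $role -Force -Confirm:$false
        }
    }
    [pscustomobject]@{ Before = $before; After = Get-FsmoHolders }
}

# Usage:
Move-AllFsmoRoles -TargetDc 'Target-DC' | Format-List
```

A DC whose roles were seized must never be brought back onto the network; it should be rebuilt, which is why the script warns on every seize rather than doing it silently.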

Additional common active directory install functions

Install from media

  • Useful when the database is on a domain controller across a slow WAN link
  • Install-ADDSDomainController -DomainName 'amer.corp.contoso.com' -InstallationMediaPath C:\ADMedia

Configure a domain controller to not be global catalog server

  • Install-ADDSDomainController -DomainName 'amer.corp.contoso.com' -NoGlobalCatalog

Move the Infrastructure Master FSMO role

  • Needed if the domain controller will be a global catalog server
  • Install-ADDSDomainController -DomainName 'amer.corp.contoso.com' -MoveInfrastructureMasterRoleIfNecessary

Uninstall active directory and demote to a server

  • Uninstall-ADDSDomainController

Time-limited Group Memberships

Users can be added to a security group with a time-to-live (TTL)

  • When the TTL expires, the user’s membership in that group disappears

Kerberos ticket lifetime is determined by the TTL of the user's memberships

  • TGT (Ticket Granting Ticket) lifetime is based on the shortest remaining group membership TTL
  • ST (Service Ticket) lifetime is based on the TGT and on the resource domain's local group membership TTLs

Requires the new forest functional level (FFL)

  • A scavenger thread takes care of cleaning up expired group memberships
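The feature in use, added here as an example and not part of the original notes: it enables the optional feature once per forest, grants a user two hours in a privileged group, and reads the membership back with its remaining TTL. The user name sam and the group Domain Admins are placeholders; the TTL prefix format parsed by the helper is the `<TTL=seconds>,DN` form that Get-ADGroup returns with -ShowMemberTimeToLive.

```powershell
# Added example (not from the original notes). Requires the Windows Server 2016
# forest functional level; user and group names are placeholders.
Import-Module ActiveDirectory

# One-time and irreversible: turn on the Privileged Access Management optional feature.
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Temporary membership: the directory itself removes it when the TTL expires,
# so there is no standing privileged membership left behind to forget about.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'sam' -MemberTimeToLive (New-TimeSpan -Hours 2)

# Read back temporary members with the seconds remaining on each.
function Get-TemporaryMembers {
    param([Parameter(Mandatory)][string]$Group)
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' } |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{ RemainingSeconds = [int]$Matches[1]; Member = $Matches[2] }
            }
        }
}

Get-TemporaryMembers -Group 'Domain Admins'
# The user's next TGT is issued with a lifetime no longer than the shortest remaining
# TTL among their temporary groups, so the elevated token expires together with the membership.
```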

Way to join a computer to the domain

System Control Panel

  • System added to the default container unless pre-staged

Windows PowerShell

  • Add-Computer -ComputerName 'Server1' -DomainName 'amer.corp.contoso.com' -Credential (Get-Credential) -Restart

  • System added to default container unless pre-staged

Desired State Configuration (DSC)

  • Joins a computer to the domain, and re-joins it if it 'falls out' of the domain
  • Uses Start-DscConfiguration cmdlet, and can be set to check compliance every x minutes

Offline domain join

  • Run djoin.exe on a domain controller to pre-stage the object and create provisioning file
  • Run djoin.exe on target computer and point to the provisioning file
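The DSC approach from the list above as a runnable configuration, added here as an example and not part of the original notes. It joins the node into a chosen OU and sets the Local Configuration Manager to re-apply the configuration every 30 minutes, which is what re-joins a machine that has fallen out of the domain. It assumes the ComputerManagementDsc module (its Computer resource) and a DSC encryption certificate on the node; the server name, OU, certificate path and thumbprint are placeholders.

```powershell
# Added example (not from the original notes). Assumes the ComputerManagementDsc
# module is installed where the MOF is compiled; names and paths are placeholders.
Configuration JoinDomain {
    param([Parameter(Mandatory)][pscredential]$JoinCredential)
    Import-DscResource -ModuleName ComputerManagementDsc

    Node 'Server1' {
        Computer DomainMembership {
            Name       = 'Server1'
            DomainName = 'amer.corp.contoso.com'
            JoinOU     = 'OU=Servers,DC=amer,DC=corp,DC=contoso,DC=com'   # pre-staged location
            Credential = $JoinCredential
        }
    }
}

# Credentials inside a MOF must be encrypted. Pointing at the node's certificate
# avoids PSDscAllowPlainTextPassword, which would leave the join password in clear text on disk.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'Server1'
            CertificateFile = 'C:\DscPublicKeys\Server1.cer'            # placeholder path
            Thumbprint      = '<thumbprint of the Server1 DSC certificate>'  # placeholder
        }
    )
}

[DSCLocalConfigurationManager()]
Configuration JoinDomainLcm {
    Node 'Server1' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'   # drift is corrected, not just reported
            ConfigurationModeFrequencyMins = 30                      # "check compliance every x minutes"
            RebootNodeIfNeeded             = $true                   # a domain join needs a reboot
            CertificateID                  = '<thumbprint of the Server1 DSC certificate>'  # placeholder
        }
    }
}

$cred = Get-Credential -Message 'Account allowed to join computers into the Servers OU'
JoinDomain    -ConfigurationData $configData -JoinCredential $cred -OutputPath C:\Dsc\JoinDomain
JoinDomainLcm -OutputPath C:\Dsc\Lcm

Set-DscLocalConfigurationManager -Path C:\Dsc\Lcm -Verbose
Start-DscConfiguration -Path C:\Dsc\JoinDomain -Wait -Verbose
```

The join account should be a dedicated, low-privilege account delegated only "Create Computer objects" on the target OU, since its password sits (encrypted) in the MOF on every node that uses it.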

Tips

  1. Know the PowerShell commands for installing and managing Active Directory
  2. Active Directory, FSMO roles, DNS, group types and scopes haven't really changed, but if you haven't managed them lately, brush up
  3. Desired State Configuration (DSC) can be used to join a server to the domain and rejoin it if necessary

  2. Manage and Maintain AD DS (15-20%)

Configure service authentication

Service Accounts

  • Used to enhance security, but the pain points are password management and SPN management
  • Two types: Managed Service Accounts and Group Managed Service Accounts

Create/configure Managed Service Accounts

  • Used for a single computer or server
  • New-ADServiceAccount with the -RestrictToSingleComputer parameter
  • Not supported for scheduled tasks, Exchange, SQL

Create/configure Group Managed Service Accounts

  • Used for multiple servers
  • Minimum of one DC that runs at least Windows Server 2012
  • Before you begin, you must create the KDS root key: Add-KdsRootKey -EffectiveImmediately
  • New-ADServiceAccount and Set-ADServiceAccount

Configure Kerberos delegation

  • IIS may require the Trust this computer for delegation to any service (Kerberos only) option

Manage Service Principal Names (SPNs)

  • Use setspn -S <service type>/<instance name>:<port number>/<service name> <account name>
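The gMSA, delegation and SPN points above as one script, added here as an example and not part of the original notes: it creates the KDS root key if absent, creates a gMSA for a web tier whose password only a named host group can retrieve, registers its SPNs, restricts delegation to one back-end SPN instead of "any service", checks for duplicate SPNs, and installs and tests the account on a host. The account, host and DNS names are placeholders.

```powershell
# Added example (not from the original notes). All names are placeholders.
Import-Module ActiveDirectory

# Once per forest: the root key from which DCs derive gMSA passwords.
if (-not (Get-KdsRootKey)) {
    # In production the key is usable only after replication, about 10 hours later.
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Hosts allowed to fetch the password, expressed as a group so membership can change later.
$hostGroup = 'gMSA-WebServers'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security -Path 'OU=Groups,DC=corp,DC=contoso,DC=com'
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# The gMSA itself. SPNs are set here, which is the PowerShell equivalent of setspn -S.
New-ADServiceAccount -Name 'gmsa-web' `
    -DNSHostName 'gmsa-web.corp.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ServicePrincipalNames 'HTTP/intranet.corp.contoso.com', 'HTTP/intranet' `
    -KerberosEncryptionType AES128, AES256

# Constrained delegation to one back-end SPN rather than "any service (Kerberos only)".
Set-ADServiceAccount -Identity 'gmsa-web' -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.contoso.com:1433' }

# Duplicate SPNs break Kerberos for both accounts involved; check the whole forest.
setspn -X -F

# --- On WEB01, after a reboot (or klist -li 0x3e7 purge) so the host sees its new group ---
Install-ADServiceAccount -Identity 'gmsa-web'
Test-ADServiceAccount -Identity 'gmsa-web'   # True when this host can retrieve the managed password
```

The host group is the control point: nothing outside it can ever read the password, and removing a decommissioned server from the group revokes its access without touching the account.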

Veeam Replication Job Trouble Ticket # 1

There was an email notification received from the Veeam B&R server stating that one of the VM replication jobs had failed with the following error:

Error: Failed to open VDDK disk [[Datastore_Name] VM_replica/VM2-000001.vmdk] ( is read-only mode – [false] ) Logon attempt with parameters [VC/ESX: [vCSA_Name];Port: 443;Login: [domain\account_name];VMX Spec: [moref=vm-40195];Snapshot mor: [snapshot-112166];Transports: [nbd];Read Only: [false]] failed because of the following errors: Failed to open disk for write. Failed to download disk. Reconnectable protocol device was closed. Failed to upload disk. Age

The first thing done was to log into the Veeam backup server and open the Veeam Backup & Replication console.

Under Home, navigate to Replicas and search for the VM. Highlight it, right-click and open its properties. This shows all the replica restore points, which are snapshots on the replica VM in vSphere.

The last two restore points show as incomplete. This usually indicates a problem with the snapshot that was created. Log on to the vSphere web client and check the snapshot manager for the replica VM (the default naming convention is "VMName_replica"). Open Snapshots -> Manage Snapshots and expand the snapshots until you reach the last two before "You are here".

In the snapshot manager, snapshots named "Veeam Replica Working Snapshot" indicate that the snapshot was not completed. To stop the job from failing, delete all snapshots titled "Veeam Replica Working Snapshot" and rerun the job from Veeam so it can recreate the snapshot. If these snapshots are left in place, the Veeam replica job will continue to fail.

I hope this helps to resolve some of the Veeam replication job failures.

Active Directory Domain Services Offline and Defragmentation

The traditional method of taking Microsoft Active Directory Domain Services (AD DS) offline to perform maintenance on the database is to use Directory Services Restore Mode (DSRM). The steps are listed below:

  1. Log into your Domain Controller (DC)
  2. Open the command prompt
  3. Run the command:

    bcdedit /set safeboot dsrepair

  4. Reboot the DC so that it enters safe mode (DSRM)

To exit the safe mode, run the command

bcdedit /deletevalue safeboot

and then reboot for the DC to return to normal mode.

Another method of taking the AD DS offline is by stopping the AD DS service using the services applet (services.msc).

To defragment the AD DS database, use the NTDS utility (ntdsutil).

Execute the following command at the prompt:

ntdsutil

activate instance ntds

files

compact to c:\

integrity

quit

quit

copy c:\ntds.dit c:\windows\ntds\ntds.dit

del c:\windows\ntds\*.log

Restart the AD DS services.

Restart-Service NTDS

Please note that you don't have to restart the server after the maintenance of the database.
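The service-stop variant of the procedure as one script, added here as an example and not part of the original article: it stops NTDS and its dependent services, drives ntdsutil non-interactively, keeps a backup of the original ntds.dit and logs, and copies the compacted database into place only if the integrity check passed. The work and backup folders are placeholders, and the "Integrity check successful" string the script looks for is an assumption about ntdsutil's output.

```powershell
# Added example (not from the original article). Run elevated on the DC; paths are placeholders.
$NtdsDir   = 'C:\Windows\NTDS'
$WorkDir   = 'C:\NTDS-Compact'
$BackupDir = 'C:\NTDS-Backup-' + (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $WorkDir, $BackupDir -Force | Out-Null

# Remember which dependents (KDC, DNS, Netlogon, ...) were running so they can be restarted.
$deps = (Get-Service -Name NTDS).DependentServices | Where-Object Status -eq 'Running'
Stop-Service -Name NTDS -Force

try {
    # ntdsutil accepts its menu commands as arguments, so no interactive session is needed.
    $out = & ntdsutil.exe 'activate instance ntds' 'files' "compact to $WorkDir" 'integrity' 'quit' 'quit' 2>&1
    $out | Out-File -FilePath (Join-Path $BackupDir 'ntdsutil.log')

    # Assumption: a passing check prints "Integrity check successful".
    if ($LASTEXITCODE -ne 0 -or -not ($out -match 'Integrity check successful')) {
        throw "Compaction or integrity check failed; live database left untouched. See $BackupDir\ntdsutil.log"
    }

    # Keep the original database and transaction logs so the change can be rolled back.
    Copy-Item -Path (Join-Path $NtdsDir 'ntds.dit') -Destination $BackupDir
    Copy-Item -Path (Join-Path $NtdsDir '*.log')    -Destination $BackupDir

    # Swap in the compacted copy and clear the old logs, as in the manual steps.
    Copy-Item   -Path (Join-Path $WorkDir 'ntds.dit') -Destination (Join-Path $NtdsDir 'ntds.dit') -Force
    Remove-Item -Path (Join-Path $NtdsDir '*.log') -Force
}
finally {
    # Always bring the directory back, even when the compaction was abandoned.
    Start-Service -Name NTDS
    $deps | Start-Service
}

Get-Service -Name NTDS, KDC, DNS | Format-Table Name, Status -AutoSize
```

Stopping NTDS instead of rebooting into DSRM means the DC answers no authentication requests during the window, so the job should run when another DC in the site can take the load.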

Useful Windows PowerShell (PS) command

This blog is an opportunity to record all the PS commands I use in my day-to-day management of my environment.

Get-Help [*command*]

Get-Help shows the details of a command; Get-Command lists the commands matching a name.

Get-Command [*command*]

List the A record of a server

Get-DnsServerResourceRecord -ZoneName [domain-name] -Name [Hostname] -RRType A

Add a host (A) record for a server name with its IP address on the DNS server. This command should be run on the DNS server, locally or through a remote session.

Add-DnsServerResourceRecordA -Name [HostName] -IPv4Address [IP] -ZoneName [domain-name] -AllowUpdateAny

Shutdown the server

Stop-Computer -ComputerName [Servername] -Force

Restart the server

Restart-Computer -ComputerName [Servername] -Force

Start a remote PowerShell session on server

Enter-PSSession [Servername]

Exit the existing PowerShell remote session

Exit-PSSession

A similar command to ping and traceroute in PowerShell

Test-NetConnection -ComputerName [destination-name or address] [-TraceRoute]

A command to execute PS commands on a remote host

Invoke-Command -ComputerName [Servername] -ScriptBlock { [PowerShell command goes here] }

List all the services on a computer

Get-Service

List all the Windows share (SMB) session on a computer

Get-SmbSession

Get the AD user information by login (Identity) or filtered by name (the two parameters cannot be combined in one call)

Get-ADUser -Identity [CID]

Get-ADUser -Filter 'Name -like "Firstname*"'

Set the AD User information

Set-ADUser -Identity [CID] -[Property] "Value"

Unlock User Account

Unlock-ADAccount -Identity [CID]

Disable User Account

Disable-ADAccount -Identity [CID]

Enable User Account

Enable-ADAccount -Identity [CID]

Reset User Account Password

Set-ADAccountPassword -Identity [CID] -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "MyPassword" -Force)

Set the user account password settings

Set-ADUser -Identity [CID] -ChangePasswordAtLogon $true -CannotChangePassword $true -AccountExpirationDate "mm/dd/yyyy" -PasswordNeverExpires $true

Search AD for User Account that has expired password

Search-ADAccount -UsersOnly -PasswordExpired | FT SamAccountName, Name, LastLogonDate

Search AD for Locked Out Accounts

Search-ADAccount -UsersOnly -LockedOut | FT SamAccountName, Name, LastLogonDate

Search AD for Expiring Accounts within 60 days

Search-ADAccount -UsersOnly -AccountExpiring -TimeSpan 60.00:00 | FT SamAccountName, Name, AccountExpirationDate

Search AD for Inactive Accounts

Search-ADAccount -UsersOnly -AccountInactive | FT SamAccountName, Name, LastLogonDate

Search AD for Disabled Accounts

Search-ADAccount -UsersOnly -AccountDisabled | FT SamAccountName, Name

Search AD for Expired Accounts

Search-ADAccount -UsersOnly -AccountExpired | FT SamAccountName, Name, AccountExpirationDate

Search AD for Accounts password set to never expire

Search-ADAccount -UsersOnly -PasswordNeverExpires | FT SamAccountName, Name, AccountExpirationDate,LastLogonDate
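The Search-ADAccount queries above combined into a single report, added here as an example and not part of the original post: each finding carries its category, the result is exported to CSV, and accounts that are members of the built-in privileged groups are flagged so that an enabled admin account with a never-expiring password or no recent logon surfaces first. The inactivity and expiry windows and the output path are placeholders.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AccountHygieneReport {
    param(
        [int]$InactiveDays = 90,   # placeholder threshold
        [int]$ExpiringDays = 60
    )
    # Nested membership resolved so a user in a group inside Domain Admins is still flagged.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Select-Object -ExpandProperty SamAccountName -Unique

    # One entry per Search-ADAccount query; the hashtable is splatted onto the cmdlet.
    $checks = @(
        @{ Finding = 'PasswordExpired';      Args = @{ PasswordExpired = $true } }
        @{ Finding = 'LockedOut';            Args = @{ LockedOut = $true } }
        @{ Finding = 'AccountExpiring';      Args = @{ AccountExpiring = $true; TimeSpan = (New-TimeSpan -Days $ExpiringDays) } }
        @{ Finding = 'AccountInactive';      Args = @{ AccountInactive = $true; TimeSpan = (New-TimeSpan -Days $InactiveDays) } }
        @{ Finding = 'AccountDisabled';      Args = @{ AccountDisabled = $true } }
        @{ Finding = 'AccountExpired';       Args = @{ AccountExpired = $true } }
        @{ Finding = 'PasswordNeverExpires'; Args = @{ PasswordNeverExpires = $true } }
    )

    foreach ($c in $checks) {
        $params = $c.Args
        Search-ADAccount -UsersOnly @params | ForEach-Object {
            [pscustomobject]@{
                Finding        = $c.Finding
                SamAccountName = $_.SamAccountName
                Name           = $_.Name
                Enabled        = $_.Enabled
                LastLogonDate  = $_.LastLogonDate
                Privileged     = $_.SamAccountName -in $privileged
            }
        }
    }
}

$report = Get-AccountHygieneReport
$report | Export-Csv -Path 'C:\Reports\ad-account-hygiene.csv' -NoTypeInformation   # placeholder path

# Highest priority first: enabled privileged accounts that never rotate or are stale.
$report |
    Where-Object { $_.Privileged -and $_.Enabled -and $_.Finding -in 'PasswordNeverExpires', 'AccountInactive' } |
    Format-Table -AutoSize
```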

Retrieve AD Group Information based on Filter

Get-ADGroup -Filter 'Name -like "[string]*"' -Properties canonicalName | FT canonicalName

Retrieve members for a specific AD Group

Get-ADGroupMember -Identity '[groupname]' | FT SamAccountName, Name

Retrieve the properties of an object

Get-AD<Object> -Identity [name] -Properties *   (for example Get-ADUser, Get-ADComputer or Get-ADGroup)

Add Members to an AD Group

Add-ADGroupMember -Identity 'GroupName' -Members [UserName]

Create a new OU

New-ADOrganizationalUnit -Name [OU-Name] -Path "DC=domain,DC=com"

Create a user in the New OU

New-ADUser -Name "Firstname Lastname" -SamAccountName [CID] -Path "OU=[OU-Name],DC=domain,DC=com"

Create a New AD Group

New-ADGroup -Name "GroupName" -SamAccountName [GroupName] -GroupCategory [Security/Distribution] -GroupScope [DomainLocal/Global/Universal] -Path "OU=,DC=domain,DC=com"

Create a managed service account

New-ADServiceAccount -Name [AccountName] -RestrictToSingleComputer

Add-ADComputerServiceAccount -Identity [COMPNAME] -ServiceAccount [AccName]

Test-ADServiceAccount -Identity [AccName]

Get the Windows Security events for locked-out accounts (event 4740) from the PDC emulator

Get-ADDomainController -Filter "OperationMasterRoles -like '*PDCEmulator*'" | FT Hostname, OperationMasterRoles, Site, OperatingSystem

Get-WinEvent -ComputerName [PDCEmulator] -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop
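The two commands above joined into a lockout investigation, added here as an example and not part of the original post: it finds the PDC emulator, pulls the last day's 4740 events, extracts the locked account and the computer the bad passwords came from, and groups the results so the noisiest source (usually a machine with a stale saved credential or service logon) is at the top. The property index order is the 4740 event template as understood here and is an assumption.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module
# and read access to the Security log on the PDC emulator.
Import-Module ActiveDirectory

function Get-LockoutSummary {
    param([int]$Hours = 24)
    # Every lockout in the domain is forwarded to the PDC emulator, so one query covers all DCs.
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Assumed 4740 property order: [0] TargetUserName, [1] TargetDomainName (the
        # caller computer name), [2] TargetSid, [3] SubjectUserSid, [4] SubjectUserName ...
        $p = $e.Properties
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $p[0].Value
            CallerComputer = $p[1].Value
            ReportingDC    = $p[4].Value
        }
    }
}

$lockouts = Get-LockoutSummary -Hours 24
$lockouts |
    Group-Object Account, CallerComputer |
    Select-Object Count,
        @{ n = 'Account';        e = { $_.Group[0].Account } },
        @{ n = 'CallerComputer'; e = { $_.Group[0].CallerComputer } },
        @{ n = 'LastSeen';       e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

A single account locked repeatedly from one caller computer points at a cached credential on that host; the same account locked from many computers in a short window is the pattern to escalate as a possible password-guessing attempt.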

Show the Default Domain Password Policy

Get-ADDefaultDomainPasswordPolicy

Change the Default Domain Password Policy

Get-ADDefaultDomainPasswordPolicy | Set-ADDefaultDomainPasswordPolicy -LockoutDuration [d.hh:mm:ss] -LockoutThreshold [n] -MaxPasswordAge [d.hh:mm:ss] -MinPasswordAge [d.hh:mm:ss] -MinPasswordLength [n] -ComplexityEnabled [$true/$false] -PasswordHistoryCount [n] -LockoutObservationWindow [d.hh:mm:ss]