The Life of Brian

Active Directory, Group Policies, Server Core and the Life of Brian
How to Remove a Failed or Offline DC

I’ve seen this issue come up time and time again.  An administrator decommissions an old DC but forgets to remove it from Active Directory, or the DC fails in a way that cannot be recovered.  In a perfect world DCPROMO is all you need to remove a DC from the environment.  If the DC is already gone, or DCPROMO is giving you problems, you have to remove it the manual way with NTDSUTIL, a command-line tool for the more advanced Active Directory maintenance tasks.  Don't leave the stale metadata in place: the other DCs will keep trying to replicate with a partner that no longer exists, and DNS will keep handing that server out as a name server.

Below are the steps needed to remove a failed or offline Domain Controller from your environment.
TIP: NTDSUTIL does not require the full command to be entered; you only have to type enough of each word to be unique.  For example, instead of metadata cleanup you could type met cle, or even m c.

  1. Open the Command Prompt
  2. Type ntdsutil (all the commands will be entered via this command prompt)
  3. Type metadata cleanup
  4. Type connections
  5. Type connect to server <ServerName>, replacing <ServerName> with the name of a functional DC in your environment, even if you are logged on locally.  (This step is not needed on Windows Server 2003 SP1 or later, where metadata cleanup runs against the local DC without an explicit connection.)
  6. Type quit
  7. Type select operations target
  8. Type list sites
  9. Type select site <#> where <#> is the site where the failed or offline DC resided
  10. Type list servers in site
  11. Type select server <#>  where <#> is the DC that is failed or offline
  12. Type list domains
  13. Type select domain <#>  where <#> is the domain where the failed or offline DC resided (at this point you should verify that the site, server and domain are all selected)
  14. Type quit (this should set you back to the metadata cleanup menu)
  15. Type remove selected server ( a warning message will pop up…verify that this is the correct DC…in fact get a peer to verify it for you too)
  16. Click Yes
  17. Open Active Directory Sites and Services
  18. Expand out the site that the failed or offline DC resided in
  19. Verify the DC cannot be expanded (no NTDS Settings or connection objects remain beneath it)
  20. Right-click the DC's server object and select Delete
  21. Close Active Directory Sites and Services
  22. Open Active Directory Users and Computers
  23. Expand the Domain Controllers OU
  24. Delete the failed or offline DC from the OU (if it even exists)
  25. Close Active Directory Users and Computers
  26. Open DNS Manager
  27. Expand the zones where this DC was also a DNS server and perform the following steps
  28. Right click the zone and select Properties
  29. Click the Name Servers tab
  30. Remove the failed or offline DC from the Name Servers tab
  31. Click OK to also remove the HOST (A) or Pointer (PTR) record if asked
  32. Verify the zone no longer has a DNS record for the failed or offline DC

Microsoft's documentation covers the same procedure, along with the related task of removing orphaned domains, and is worth keeping to hand.
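The steps above touch five places (Sites and Services, the Domain Controllers OU, FRS/DFSR membership, the forward zone's NS and A records, and the SRV records in _msdcs), and missing one is how dead DCs linger for years.  The following PowerShell script, an added example rather than anything from the original post, lists whatever still references the removed DC once you are done.  It is read-only.  It assumes the RSAT ActiveDirectory and DnsServer modules (a Server 2012 or later management box), that you run it as a Domain Admin against a healthy DC, and that $DeadDc and $Site are the dead DC's short name and its AD site; those names are placeholders.

```powershell
# Added example, not part of the original post. Lists every place a removed DC can leave a trace
# so you can confirm the metadata cleanup actually took. Read-only: it deletes nothing.
# Assumes RSAT ActiveDirectory + DnsServer modules and Domain Admin rights. Names are placeholders.
param(
    [Parameter(Mandatory = $true)] [string] $DeadDc,   # short name of the dead DC, e.g. DC02
    [string] $Site    = 'Default-First-Site-Name',     # AD site the dead DC lived in
    [string] $DnsHost = $env:COMPUTERNAME              # a healthy DC/DNS server to query
)
Import-Module ActiveDirectory
Import-Module DnsServer

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$zone     = $domain.DNSRoot
$fqdn     = "$DeadDc.$zone"

function Test-AdObject([string] $Dn) {
    # $true if the object still exists (Get-ADObject throws on a missing identity)
    try { Get-ADObject -Identity $Dn -ErrorAction Stop | Out-Null; $true } catch { $false }
}

$leftovers = @()

# 1. Sites and Services: the server object and its NTDS Settings child (what ntdsutil removes)
$serverDN = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$configNC"
if (Test-AdObject $serverDN)                    { $leftovers += "Server object: $serverDN" }
if (Test-AdObject "CN=NTDS Settings,$serverDN") { $leftovers += "NTDS Settings: CN=NTDS Settings,$serverDN" }

# 2. Domain Controllers OU: the computer account
$computer = Get-ADComputer -Filter "Name -eq '$DeadDc'" -ErrorAction SilentlyContinue
if ($computer) { $leftovers += "Computer account: $($computer.DistinguishedName)" }

# 3. SYSVOL replication membership (FRS on 2003/2008, DFSR once SYSVOL has been migrated)
$frsDN  = "CN=$DeadDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN"
$dfsrDN = "CN=$DeadDc,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDN"
foreach ($dn in $frsDN, $dfsrDN) { if (Test-AdObject $dn) { $leftovers += "Replication member: $dn" } }

# 4. DNS: NS records naming the dead DC, its A record, and _msdcs SRV records pointing at it
foreach ($z in $zone, "_msdcs.$zone") {
    $records = try { Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $z -ErrorAction Stop } catch { @() }
    foreach ($r in $records) {
        $target = switch ($r.RecordType) {
            'NS'    { $r.RecordData.NameServer }
            'SRV'   { $r.RecordData.DomainName }
            'A'     { if ($r.HostName -eq $DeadDc) { $fqdn } }
            default { $null }
        }
        if ($target -and $target.TrimEnd('.') -ieq $fqdn) {
            $leftovers += "DNS $($r.RecordType) in $z : $($r.HostName) -> $target"
        }
    }
}

if ($leftovers) { "Still referenced:"; $leftovers | ForEach-Object { "  $_" } }
else            { "No remaining references to $DeadDc found." }
```

Run it on a healthy DC after the last step; anything it prints is something the GUI steps above missed.  It only checks the default _msdcs zone name, so if your forest uses a delegated _msdcs zone elsewhere, point $DnsHost at the server that hosts it.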

Microsoft Clustering Resources

This has to be the mother of all resource collections on Microsoft clustering and high availability.  I’ve copied the links over from the MS Cluster blog so that I have quick access to them in the future.  The collection is organized into the following categories:

General Resources, Core, Exchange Server, File Server, Hyper-V, Multi-Site Clustering, Network Load Balancing, SQL Server

Script That Displays Group Membership and Active Directory Location

The following script lists the members of an Active Directory group along with each member’s location in the directory (the LDAP path of its parent container).  The output goes to a text file named after the group, one line per member: sAMAccountName, common name and parent container.  Just copy it into a text file, rename it to .vbs and run it with cscript.  Enjoy!

Const ForWriting = 2
' Bind to the group to audit; replace the DN with your group's
Set objGroup = GetObject("LDAP://cn=GroupName,ou=OUName,DC=DomainName,DC=local")
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile(objGroup.Get("name") & " - Members.txt", ForWriting, True)
' Members returns direct members only: nested groups appear as a single line and are not
' expanded, and accounts whose primaryGroupID points at this group are not listed at all
For Each objMember In objGroup.Members
  On Error Resume Next                ' contacts and foreign security principals have no sAMAccountName
  strSam = objMember.Get("sAMAccountName")
  If Err.Number <> 0 Then strSam = "(none)"
  Err.Clear
  On Error GoTo 0
  ' Parent is the ADsPath of the container the member lives in, i.e. its location in AD
  objFile.WriteLine strSam & vbTab & objMember.Get("cn") & vbTab & objMember.Parent
Next
objFile.Close
Set objFile = Nothing
Set objFileSystem =  Nothing
Set objGroup = Nothing

How to Search for an Email Address in Active Directory

From time to time I’ve had to figure out which user account has a specific email address.  Actually it’s more like finding who has “reallycoolemailaccount@company.com” so that another “more senior” person can have it.  If you work in a smaller company this can be fairly easy, but if your directory has thousands of accounts it becomes difficult and time consuming.

Open Active Directory Users and Computers, right-click the domain and select Find.  Open the Find drop-down and choose Custom Search.  If you have multiple domains, set the In field to Entire Directory so the query runs against the global catalog.  On the Advanced tab, enter the following LDAP query, substituting the address you are looking for: proxyaddresses=smtp:<email address>.  Click Find Now and, if the address is in use, the object that holds it is listed.  Matching on proxyAddresses is case-insensitive, so smtp: finds both the primary (SMTP:) and secondary (smtp:) addresses; the match is exact, though, so also check the mail attribute if an account never received a proxyAddresses entry.

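Here is the same lookup from PowerShell, run against a global catalog so it covers every domain in the forest in one query.  This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and that the address you pass is the one you are hunting for.  Escaping the filter value matters because an address containing ( ) * or \ would otherwise change the meaning of the query.

```powershell
# Added example, not part of the original post: forest-wide search for whoever holds an SMTP address.
# Assumes the RSAT ActiveDirectory module; run it with the address you are looking for.
param([Parameter(Mandatory = $true)] [string] $Address)   # e.g. reallycoolemailaccount@company.com
Import-Module ActiveDirectory

function Escape-LdapFilterValue([string] $Value) {
    # RFC 4515 escaping, so a stray ( ) * or \ in the address cannot change the filter's meaning
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$gc       = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$forestDN = (Get-ADRootDSE).rootDomainNamingContext
$value    = Escape-LdapFilterValue $Address

# proxyAddresses matching is case-insensitive, so smtp: finds the primary (SMTP:) and secondary
# (smtp:) addresses alike; mail catches objects that never received a proxyAddresses entry
$filter = "(|(proxyAddresses=smtp:$value)(mail=$value))"

# Port 3268 is the global catalog, so one query covers every domain in the forest
$hits = Get-ADObject -LDAPFilter $filter -SearchBase $forestDN -SearchScope Subtree `
            -Server "${gc}:3268" -Properties sAMAccountName, mail, proxyAddresses, objectClass

if (-not $hits) { "Nothing in the forest claims $Address"; return }

foreach ($h in $hits) {
    $proxies = @($h.proxyAddresses)
    # The primary address is the one with an upper-case SMTP: prefix (prefix case is significant)
    $primary = $proxies | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if     ($primary -and $primary -ieq "SMTP:$Address")                 { $how = 'primary SMTP address' }
    elseif ($proxies | Where-Object { $_ -ilike "smtp:$Address" })       { $how = 'secondary smtp address' }
    else                                                                  { $how = 'mail attribute only' }
    New-Object PSObject -Property @{
        Account   = $h.sAMAccountName
        Class     = $h.objectClass
        MatchedAs = $how
        Primary   = $primary
        DN        = $h.DistinguishedName
    }
}
```

Contacts and distribution groups can hold proxy addresses too, which is why the script searches objects rather than users and reports the object class.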

Must Have Group Policy Setting!

I recently blogged about time and how critical it is in a domain environment.  Just this morning I read a post from the Directory Services Team that shows how to put a WMI filter on a Group Policy object so that the policy applies only to whichever DC currently holds the PDC Emulator role, which keeps the PDCe correctly configured even after the role moves.  You need to read that post and seriously consider implementing a similar policy in your environment.

The one thing missing from that post is the location of the W32Time settings in Group Policy.  They live under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers.  Enable Windows NTP Client must be set to Enabled, and the values you are after (Type and NtpServer) are in Configure Windows NTP Client.

After you enable it you will want to change Type from the default NT5DS (find and sync with the domain hierarchy) to NTP.  This is because we are configuring this for our PDCe, which should be pointing at a reliable time source (internal or external) rather than at itself.  Put that source in the NtpServer field as a space-separated list of DNS names, each normally followed by ,0x8 so the PDCe polls it in client mode.

I haven’t seen a great tip like this in some time.  This is one of those great little finds and I hope you enjoy it.
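As an added example, not from the original post or the Directory Services Team article, this PowerShell script builds the GPO described above with the GroupPolicy module, writing the same registry values the two ADMX settings write and linking it to the Domain Controllers OU.  The GPO name, OU and NTP peers are placeholders.  There is no cmdlet for WMI filters, so the filter query is printed for you to create in GPMC; that filter is what scopes the policy to whichever DC currently holds the PDCe role.

```powershell
# Added example, not part of the original post: build and link the PDCe time-source GPO.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules (Server 2008 R2 or later).
param(
    [string] $GpoName  = 'PDCe - Authoritative Time Source',          # placeholder name
    [string] $NtpPeers = 'ntp1.example.net,0x8 ntp2.example.net,0x8'  # placeholder peers; 0x8 = client mode
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Registry locations behind the two ADMX settings named above:
#   Configure Windows NTP Client -> ...\W32Time\Parameters (Type, NtpServer) and ...\TimeProviders\NtpClient
#   Enable Windows NTP Client    -> ...\TimeProviders\NtpClient\Enabled
$params = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$client = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'

Set-GPRegistryValue -Name $GpoName -Key $params -ValueName Type      -Type String -Value 'NTP'     | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $params -ValueName NtpServer -Type String -Value $NtpPeers | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $client -ValueName Enabled   -Type DWord  -Value 1        | Out-Null
# Poll the manual peers every 15 minutes instead of the much longer default for manual sources
Set-GPRegistryValue -Name $GpoName -Key $client -ValueName SpecialPollInterval -Type DWord -Value 900 | Out-Null

# Link to the Domain Controllers OU; the WMI filter then narrows it to the PDCe
$dcOu   = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
$linked = (Get-GPInheritance -Target $dcOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $dcOu | Out-Null }

# DomainRole 5 = primary domain controller, i.e. the DC holding the PDCe role.
# GPMC: WMI Filters > New..., paste this query, then select it on the GPO's Scope tab.
$wmiQuery = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5'
"GPO '$GpoName' linked to $dcOu"
"Create the WMI filter in GPMC with: $wmiQuery"
"Filter currently attached (empty until you do): $((Get-GPO -Name $GpoName).WmiFilter.Name)"
```

After gpupdate /force on the PDCe, w32tm /query /source should report one of your peers rather than Local CMOS Clock, and w32tm /query /configuration shows the policy-supplied values tagged (Policy).  Without the WMI filter the GPO would turn every DC in the OU into a manual NTP client, which is exactly what the domain hierarchy is supposed to avoid.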

KDC 11 Error in the System Event Log

I ran into this error a while back after building a new forest root Domain Controller (DC).  My initial health checks came back clean, but after about an hour the following showed up in my System event log:
Event Type:    Error
Event Source:    KDC
Event Category:    None
Event ID:    11
User:        N/A
Computer:    DCShortName
Description:
There are multiple accounts with name cifs/DCShortName of type DS_SERVICE_PRINCIPAL_NAME.

My forest root domain has a fairly small number of accounts, most of them DCs, so I knew the new name was not in conflict with anything in the root.  Because the name in the event is the DC's short name, I knew I had to check the child domains as well.  A quick search of the global catalog from Active Directory Users and Computers turned up another computer with the same name in a child domain.  The KDC cannot issue a ticket for a service principal name that two accounts claim, so one of the computers had to go bye-bye, and it sure wasn’t going to be my DC.  After the other computer was removed from Active Directory the errors stopped.  On Server 2008 and later, setspn -X lists duplicate SPNs across the forest and setspn -Q cifs/DCShortName shows which accounts hold a particular one, which is faster than eyeballing the GC.
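Duplicate SPNs are painful to find by hand because the duplicate can sit in another domain, and because the KDC maps cifs/ onto the HOST/ SPN, so the duplicate behind an event that names cifs/DCShortName is usually two computer accounts both holding HOST/DCShortName.  This added PowerShell script (not from the original post) flattens every servicePrincipalName in the forest via a global catalog and reports the ones registered on more than one account.  It assumes the RSAT ActiveDirectory module; pass -Spn to check a single name instead of the whole forest.

```powershell
# Added example, not part of the original post: find SPNs registered on more than one account,
# forest-wide, by querying a global catalog. Assumes the RSAT ActiveDirectory module.
param([string] $Spn)   # optional, e.g. HOST/DCShortName or cifs/DCShortName; omit to scan everything
Import-Module ActiveDirectory

$gc       = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$forestDN = (Get-ADRootDSE).rootDomainNamingContext
$filter   = if ($Spn) { "(servicePrincipalName=$Spn)" } else { "(servicePrincipalName=*)" }

# servicePrincipalName is in the GC partial attribute set, so one query on port 3268 covers all domains
$holders = Get-ADObject -LDAPFilter $filter -SearchBase $forestDN -Server "${gc}:3268" `
               -Properties servicePrincipalName, sAMAccountName

# Flatten to (SPN, account) pairs; SPNs compare case-insensitively, as the KDC compares them
$pairs = foreach ($h in $holders) {
    foreach ($s in $h.servicePrincipalName) {
        New-Object PSObject -Property @{ Spn = $s.ToLowerInvariant(); Account = $h.DistinguishedName }
    }
}

$dupes = $pairs | Group-Object Spn | Where-Object { $_.Count -gt 1 }
if (-not $dupes) { "No duplicate SPNs found."; return }

foreach ($d in $dupes) {
    "$($d.Name) is registered on $($d.Count) accounts:"
    $d.Group | ForEach-Object { "    $($_.Account)" }
}
```

Running it periodically is a cheap way to catch the same-name collision before the KDC starts logging event 11 and clients quietly fall back to NTLM for that host.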

Windows Server 2008 Server Core Default Services

Quite a few people have asked recently about services in Server Core.  They want to know what’s running and what’s not.  Below is a listing intended to help those who need to know the status of services on Server Core, sorted by service name.

Another useful thing to note on Server Core (or at the command prompt on a full server) is that you can still use the SC command.  In particular you should run sc query, which lists the services that are running.  To see the ones that are not running use sc query state= inactive, and sc query state= all shows everything (the space after the equals sign is required).  sc qc <ServiceName> shows the start mode and logon account for a single service, which is where the Startup Mode and Account columns below come from.  There is a lot more you can do with SC, and you should really check out its help.

A great tip for long command output is to append | more to the end of the command so it displays one page at a time.
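Knowing the default list is only useful if you can tell when a box has drifted from it.  The following PowerShell script is an added example, not part of the original post: it snapshots a Server Core machine's service configuration over WMI (the same data sc qc returns), saves it as a baseline, and on later runs prints every service that is new, gone, or whose start mode or logon account has changed.  It runs from a management station (Server Core 2008 has no PowerShell) and assumes the Windows Management Instrumentation (WMI) firewall rule group is open on the target; the computer name is a placeholder.

```powershell
# Added example, not part of the original post: baseline a Server Core box's service configuration
# over WMI and report drift. Run from a management station; $Computer is a placeholder.
param(
    [string] $Computer     = 'CORE01',
    [string] $BaselinePath = "$env:ProgramData\svc-baseline-$Computer.csv",
    [switch] $Update       # re-write the baseline from the current state
)

function Get-ServiceSnapshot([string] $Target) {
    # Win32_Service carries the start mode and logon account, which Get-Service does not expose
    Get-WmiObject -Class Win32_Service -ComputerName $Target |
        Select-Object Name, DisplayName, StartMode, StartName, State |
        Sort-Object Name
}

$now = Get-ServiceSnapshot $Computer
if ($Update -or -not (Test-Path $BaselinePath)) {
    $now | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline for $Computer written: $($now.Count) services -> $BaselinePath"
    return
}

$baseline = Import-Csv $BaselinePath
# Compare configuration, not runtime state: a Manual service that happens to be running is noise;
# a service that is new, or now starts automatically under a different account, is not.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $now `
            -Property Name, StartMode, StartName -PassThru

if (-not $diff) { "$Computer matches baseline."; return }
foreach ($d in $diff | Sort-Object Name) {
    $side = if ($d.SideIndicator -eq '=>') { 'NOW     ' } else { 'BASELINE' }
    "{0} {1,-24} {2,-10} {3}" -f $side, $d.Name, $d.StartMode, $d.StartName
}
```

A changed service shows up twice, once as BASELINE with the old values and once as NOW with the new ones; a service that only appears as NOW was added since the baseline, and one that only appears as BASELINE has been removed.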

Service Name | Display Name | Startup Mode | Account
AeLookupSvc | Application Experience | Auto | LocalSystem
AppMgmt | Application Management | Manual | LocalSystem
BFE | Base Filtering Engine | Auto | LocalService
BITS | Background Intelligent Transfer Service | Auto | LocalSystem
Browser | Computer Browser | Manual | LocalSystem
CertPropSvc | Certificate Propagation | Manual | LocalSystem
COMSysApp | COM+ System Application | Manual | LocalSystem
CryptSvc | Cryptographic Services | Auto | NetworkService
DcomLaunch | DCOM Server Process Launcher | Auto | LocalSystem
Dhcp | DHCP Client | Auto | LocalService
Dnscache | DNS Client | Auto | NetworkService
DPS | Diagnostic Policy Service | Auto | LocalService
Eventlog | Windows Event Log | Auto | LocalService
EventSystem | COM+ Event System | Auto | LocalService
FCRegSvc | Microsoft Fibre Channel Platform Registration Service | Manual | LocalService
gpsvc | Group Policy Client | Auto | LocalSystem
hidserv | Human Interface Device Access | Manual | LocalSystem
hkmsvc | Health Key and Certificate Management | Manual | LocalSystem
IKEEXT | IKE and AuthIP IPsec Keying Modules | Auto | LocalSystem
iphlpsvc | IP Helper | Auto | LocalSystem
KeyIso | CNG Key Isolation | Manual | LocalSystem
KtmRm | KtmRm for Distributed Transaction Coordinator | Auto | NetworkService
LanmanServer | Server | Auto | LocalSystem
LanmanWorkstation | Workstation | Auto | LocalService
lltdsvc | Link-Layer Topology Discovery Mapper | Manual | LocalService
lmhosts | TCP/IP NetBIOS Helper | Auto | LocalService
MpsSvc | Windows Firewall | Auto | LocalService
MSDTC | Distributed Transaction Coordinator | Auto | NetworkService
MSiSCSI | Microsoft iSCSI Initiator Service | Manual | LocalSystem
msiserver | Windows Installer | Manual | LocalSystem
napagent | Network Access Protection Agent | Manual | NetworkService
Netlogon | Netlogon | Manual | LocalSystem
netprofm | Network List Service | Auto | LocalService
NlaSvc | Network Location Awareness | Auto | NetworkService
nsi | Network Store Interface Service | Auto | LocalService
pla | Performance Logs & Alerts | Manual | LocalService
PlugPlay | Plug and Play | Auto | LocalSystem
PolicyAgent | IPsec Policy Agent | Auto | NetworkService
ProfSvc | User Profile Service | Auto | LocalSystem
ProtectedStorage | Protected Storage | Manual | LocalSystem
RemoteRegistry | Remote Registry | Auto | LocalService
RpcSs | Remote Procedure Call (RPC) | Auto | NetworkService
RSoPProv | Resultant Set of Policy Provider | Manual | LocalSystem
sacsvr | Special Administration Console Helper | Manual | LocalSystem
SamSs | Security Accounts Manager | Auto | LocalSystem
SCardSvr | Smart Card | Manual | LocalService
Schedule | Task Scheduler | Auto | LocalSystem
SCPolicySvc | Smart Card Removal Policy | Manual | LocalSystem
seclogon | Secondary Logon | Auto | LocalSystem
SENS | System Event Notification Service | Auto | LocalSystem
SessionEnv | Terminal Services Configuration | Manual | LocalSystem
slsvc | Software Licensing | Auto | NetworkService
SNMPTRAP | SNMP Trap | Manual | LocalService
swprv | Microsoft Software Shadow Copy Provider | Manual | LocalSystem
TBS | TPM Base Services | Manual | LocalService
TermService | Terminal Services | Auto | NetworkService
TrustedInstaller | Windows Modules Installer | Auto | LocalSystem
UmRdpService | Terminal Services UserMode Port Redirector | Manual | LocalSystem
vds | Virtual Disk | Manual | LocalSystem
VSS | Volume Shadow Copy | Manual | LocalSystem
W32Time | Windows Time | Auto | LocalService
WcsPlugInService | Windows Color System | Manual | LocalService
WdiServiceHost | Diagnostic Service Host | Manual | LocalService
WdiSystemHost | Diagnostic System Host | Manual | LocalSystem
Wecsvc | Windows Event Collector | Manual | NetworkService
WinHttpAutoProxySvc | WinHTTP Web Proxy Auto-Discovery Service | Auto | LocalService
Winmgmt | Windows Management Instrumentation | Auto | LocalSystem
WinRM | Windows Remote Management (WS-Management) | Auto | NetworkService
wmiApSrv | WMI Performance Adapter | Manual | LocalSystem
wuauserv | Windows Update | Auto | LocalSystem

Hyper-V Delegation

I was playing around with Microsoft’s Hyper-V today and ran into some problems managing the service remotely.  I set my server up and wanted to connect via RSAT from my Vista box, but was not able to connect to the server because of permissions.  No biggie there; I didn’t expect to simply connect to the server and manage Hyper-V.  I did think that installing Hyper-V would create some groups to help manage it... needless to say I was wrong.

Thankfully I found a great series of posts on delegating access to VM and Hyper-V and thought it would be great to share them here with you.

Delegation Model in Hyper-V – Part 1
Delegation Model in Hyper-V – Part 2
Delegation Model in Hyper-V – Part 3
Delegation Model in Hyper-V – Part 4
Delegation Model in Hyper-V – Part 5
Delegation Model in Hyper-V – Part 6

Basically Hyper-V uses Authorization Manager (AzMan) to delegate what you can do within it.  If you haven’t used AzMan don’t be scared; the posts walk you through several scenarios.

And for those of you that are interested in the HW aspect of my project…This is simply a development server that I'm using to test some things.  It is an HP DL360 G5 with a single quad core XEON (only 2 Ghz) with 16 GB of RAM.  All my VMs will be hosted locally (not sure on the number yet).  I’m trying to set up an environment that people can use to practice Server 2008.  I don’t think the CPU is going to be that much of a limiter since there won’t be a ton of people on at the same time doing processor intensive operations. 

Restartable AD DS and DSRM Logon Behaviors

Ever since Windows 2000's implementation of Active Directory (AD) we have had a method to restore AD objects that were removed.  Although it hasn’t been as easy as hitting CTRL-Z to undo a mistakenly deleted object or restoring from a Recycle Bin, we have had a method.  That method is to restart the Domain Controller (DC) in Directory Services Restore Mode (DSRM) and log on with the DSRM account and the password that was set during DCPROMO.  (If nobody remembers that password, ntdsutil "set dsrm password" resets it.)

Having to restart a DC to restore objects has always been a sore subject with me.  Thankfully in Windows Server 2008, Active Directory Domain Services (AD DS) now runs as a service.  This service may look the same from the outside, but if you dig a little deeper you will see that it is a bit different.  For example, you cannot pause it and its startup type is hard coded to Automatic, so the only way to start a DC with AD DS off is still DSRM; what you can now do is stop it while the server is up in a normal state.

The advantage of this is that you no longer have to bring down a DC to do an offline defrag of your ntds.dit.  One thing you cannot do by default is stop AD DS and then log on as the DSRM administrator to perform tasks such as an authoritative restore, because by default that account is only allowed to log on when the DC has been booted into DSRM.  Server 2008 lets you change that: by setting the following registry value you select when the DSRM administrator may log on:
HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior (DWORD)

There are three values that can be set:

Value  Meaning
0      (default) the DSRM Administrator can log on only when the DC is booted into DSRM
1      the DSRM Administrator can log on while AD DS is stopped
2      the DSRM Administrator can log on at all times

I'm personally a fan of value 1.  Value 0 has too big an impact on restores and maintenance, and value 2 is a little too liberal for my liking: it turns the DSRM account into a standing local administrator on a domain controller.

Finally, some commands for the Server Core admins:

  • net start ntds (starts the AD DS service)
  • net stop ntds (stops the AD DS service)
  • sc \\<DCName> query ntds (queries the AD DS service on a remote DC; drop the \\<DCName> for the local one)

Important Notes:
When you stop AD DS you are also stopping the services that depend on it on that DC:

  • File Replication (FRS)
  • Kerberos Key Distribution Center
  • Intersite Messaging
  • DNS Server (hopefully your clients have more than one DNS server configured)
  • DFS Replication

Be aware that whatever you set DsrmAdminLogonBehavior to, the DSRM Administrator account is not subject to any domain password policy, so pick a strong password, record where it is kept, and treat a change of this value on a DC as something worth alerting on.
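Because this value decides whether a non-domain account can log on to a domain controller, it is worth checking on every DC rather than assuming the default.  The PowerShell script below is an added example, not from the original post: it reads DsrmAdminLogonBehavior from each DC in the domain over the Remote Registry service (which the Server Core default service list above shows as Automatic), reports the value, and with -Set changes it.  It assumes the RSAT ActiveDirectory module and administrative rights on the DCs.

```powershell
# Added example, not part of the original post: audit (and optionally set) DsrmAdminLogonBehavior
# on every DC in the domain via Remote Registry. Assumes the RSAT ActiveDirectory module.
param([int] $Set = -1)   # omit to audit only; -Set 0|1|2 writes that value on every DC
if ($Set -gt 2) { throw 'Set must be 0, 1 or 2' }
Import-Module ActiveDirectory

$meaning = @{ 0 = 'only when booted into DSRM (default)'
              1 = 'while AD DS is stopped'
              2 = 'at all times (a standing local admin on the DC)' }

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # The value lives under the Lsa key and is absent (which means 0) on a default install
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa', ($Set -ge 0))
        $current = [int] $lsa.GetValue('DsrmAdminLogonBehavior', 0)
        $note = ''
        if ($Set -ge 0 -and $Set -ne $current) {
            $lsa.SetValue('DsrmAdminLogonBehavior', $Set, [Microsoft.Win32.RegistryValueKind]::DWord)
            $note = "(changed from $current)"
            $current = $Set
        }
        "{0,-30} {1}  DSRM admin may log on {2} {3}" -f $dc.HostName, $current, $meaning[$current], $note
        $lsa.Close(); $hklm.Close()
    } catch {
        "{0,-30} unreachable: {1}" -f $dc.HostName, $_.Exception.Message
    }
}
```

A DC that unexpectedly reports 2 deserves a closer look: nothing in a normal build sets it, and the line is the registry value the post's table describes, not anything derived.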

What W32tm is it anyway?

My daughter Alyssa and I play a game... well, she might not consider it a game, but she is constantly asking me “What time is it without looking?”  I’ve actually gotten pretty good at it and can usually get within a few minutes.  Not sure why she likes to play; perhaps time is something they recently talked about at school, but she seems obsessed with it.  I keep telling her that at 6 she really shouldn’t worry too much about time.

Although time may not be important for my daughter, it is immensely important for Active Directory.  Most AD admins know that domain controllers and clients need to be within 5 minutes of each other (the default Kerberos maximum clock skew).  If a client's clock is off by more than that, Kerberos authentication fails.  What many AD admins might not know is that time doesn’t just affect AD; it also affects time-sensitive applications.  I don’t know of any out-of-the-box Microsoft ones, but organizations have plenty of custom-built apps that depend on synchronized clocks, and I’ve seen custom applications that need to be accurate to well under a second.

Let’s take a look at how time synchronization works in an Active Directory forest.  The magic all starts in the root domain (I always wanted to use that in my blog).  The PDC Emulator (PDCe) of the forest root is the authoritative time source for the forest and uses the Network Time Protocol (NTP) on UDP port 123.  You will want to sync the PDCe with a reliable source, either internal (perhaps a router or a GPS-disciplined appliance) or external.  The problem with going external is the weaker security: the domain hierarchy signs its time traffic, but a manually configured NTP peer on the internet is unauthenticated, so you are trusting both the server and the path to it.

Clients and servers in your forest root domain sync their time with a DC in the forest root.  This is all configured in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.  Domain members have the Type value set to NT5DS, which tells them to use the domain hierarchy for time.  Some people change this to NTP, which means the machine goes to a specific time source instead of the domain, but I prefer to keep the default here because it works!  If you’re crazy enough you could set it to NoSync and rely on the CMOS clock... I just don’t have enough faith in the batteries for that.

If you have child domains or other tree roots in your forest, realize that the forest root PDCe is STILL the authority for forest-wide time synchronization.  The PDCe of each child domain syncs its time with the forest root PDCe or any DC in the root (and those root DCs get their time from the PDCe).  Clients and servers in the child domain always go to a DC in their own domain, so they should never go up to the forest root.  Windows 2000 clients polled every 45 minutes until three successful synchronizations and then every 8 hours; later versions poll between the MinPollInterval and MaxPollInterval values under W32Time\Config, backing off as the clock proves stable.  Below is a great illustration of how time flows in a multi-domain forest.

[Illustration: time synchronization hierarchy in a multi-domain forest]

To configure your forest root PDCe with a valid time source you should use the w32tm command:
w32tm /config /manualpeerlist:"<peer1>,0x8 <peer2>,0x8" /syncfromflags:manual /reliable:yes /update
You can, and I recommend you do, add multiple peers by separating them with a space (quote the list so the shell keeps it together; ,0x8 tells w32tm to poll that peer in client mode).  Please don’t forget to run this command on the DC you have designated to take over the PDCe role during downtime (for example, patching); otherwise that DC has no time source of its own while it holds the role.

To test how closely your time is synced you can use w32tm again, except this time we get a really cool command-prompt chart... hey, it’s the simple things in life that get me.
w32tm /stripchart /computer:<target> /samples:<n>
Replace <target> with the name of the forest root PDCe.  I prefer 10 samples but you can go for whatever number you like.  This shows the difference between the two clocks (add /dataonly if you just want the numbers).  More info on w32tm can be found here.

The Microsoft Directory Services team has a great blog that talks about high accuracy in w32tm and why they don’t support it.  This is a must read for all AD admins.  Don’t forget to set up an RSS feed to the Windows Time Service blog as well.

I would recommend baselining the time difference in your environment so that if an issue does occur you know what the normal state of your time differential is.  You may also want to set up monitoring that alerts you to time drift using the baseline numbers you’ve collected.  I would also recommend talking to your developers and making sure they understand how time works in the environment.

Hopefully this sheds some light on how time works in an Active Directory forest but also how you can control and tweak it.  Oh and if you’re bored try playing the time game…its a great exercise for your mind and internal clock! :)
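The baselining and drift monitoring recommended above can be automated with the same w32tm /stripchart command.  This PowerShell script is an added example, not from the original post: it samples every DC in the forest against the forest-root PDCe, writes the first run out as the baseline, and on later runs flags any DC whose offset from the PDCe exceeds a threshold or has moved away from its own baseline.  It assumes the RSAT ActiveDirectory module, that w32tm is on the PATH, and that UDP 123 is reachable from the host you run it on; the threshold and file path are placeholders.

```powershell
# Added example, not part of the original post: baseline and monitor DC clock offsets against
# the forest-root PDCe using w32tm /stripchart. Assumes the RSAT ActiveDirectory module.
param(
    [int]    $Samples      = 10,
    [double] $WarnSeconds  = 1.0,                                # placeholder threshold
    [string] $BaselinePath = "$env:ProgramData\time-baseline.csv" # placeholder path
)
Import-Module ActiveDirectory

function Get-OffsetFromLocal([string] $Target, [int] $Count) {
    # Parses the "hh:mm:ss, +00.0012345s" lines of w32tm /stripchart /dataonly; error lines are skipped
    $offsets = foreach ($line in (& w32tm /stripchart /computer:$Target /samples:$Count /dataonly 2>&1)) {
        if ("$line" -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') { [double] $matches[1] }
    }
    if (-not $offsets) { return $null }
    ($offsets | Measure-Object -Average).Average
}

$pdce       = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
$pdceOffset = Get-OffsetFromLocal $pdce $Samples
if ($null -eq $pdceOffset) { throw "Could not sample $pdce; is UDP 123 open from here?" }

$results = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $local = Get-OffsetFromLocal $dc.HostName $Samples
        # Both offsets are relative to this host's clock, so their difference is DC versus PDCe
        $rel = if ($null -ne $local) { [math]::Round($local - $pdceOffset, 4) } else { $null }
        New-Object PSObject -Property @{ DC = $dc.HostName; OffsetFromPdce = $rel; Sampled = (Get-Date).ToString('s') }
    }
}

if (-not (Test-Path $BaselinePath)) {
    $results | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath"; $results | Format-Table -AutoSize; return
}

$baseline = @{}
Import-Csv $BaselinePath | ForEach-Object { $baseline[$_.DC] = $_.OffsetFromPdce }
foreach ($r in $results) {
    if ($null -eq $r.OffsetFromPdce) { "WARN  $($r.DC): no NTP response"; continue }
    $drift = 0
    if ($baseline.ContainsKey($r.DC) -and $baseline[$r.DC] -ne '') {
        $drift = [math]::Abs($r.OffsetFromPdce - [double] $baseline[$r.DC])
    }
    $flag = if ([math]::Abs($r.OffsetFromPdce) -gt $WarnSeconds -or $drift -gt $WarnSeconds) { 'WARN ' } else { 'ok   ' }
    "{0} {1,-30} offset {2,8:+0.0000;-0.0000}s  drift from baseline {3,6:0.0000}s" -f $flag, $r.DC, $r.OffsetFromPdce, $drift
}
```

Schedule it from a host whose own clock you trust; because every DC is measured from the same place, that host's clock error cancels out of the DC-versus-PDCe figures, and a DC that drifts away from its baseline stands out even when it is still inside the five-minute Kerberos window.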

Admin's Guide to Server Core Commands

Repost from AdminPrep.com…I will be moving several of the articles over to this blog.

Before all this starts, credit must go where credit is due.  I did not come up with all of the info within this article.  A lot of people have felt my pain and have contributed in their own ways.  One place you should know about is the Official Server Core Blog, as it is where I learned my all-time favorite command, which embeds the time into the Command Prompt (read on to see that one!).  As I've collected my own list internally and blogged on it for about a year now, I see a lot of the same commands there.  The Windows Server 2008 Administrator's Companion has a nice chapter on Server Core, but by far the best resource is the set of scripts that accompany the book.  They allow you to very easily configure common settings.  One last area you should look into is of course Guy Teverovsky's Server Core Configurator... if you haven't seen it, check it out now!

Server Core is a version of Windows Server 2008 that has a minimal Graphical User Interface (GUI).  I say minimal when most say command-line only because there are GUI tools available such as Notepad and Task Manager.  One thing that definitely doesn't run on Server Core is the Explorer process.  If you're unaware of what that process does, just end the explorer.exe process in Task Manager from your client and look what happens...don't freak out, all you need to do is then go back to Task Manager and select File -> New Task (Run...) and then type explorer.exe.

The purpose of this article is not to give you every last detail of Server Core but to provide you with what you need to know to get it up and running in your environment.

Server Core has a limited amount of roles that can be installed on it, which include:

  • Active Directory Domain Services (AD DS) and AD Lightweight Directory Services (AD LDS)
  • DNS Server
  • Internet Information Services (IIS) (No ASP.NET support)
  • DHCP Server
  • File Services
  • Print Services
  • Streaming Media Services
  • Hyper-V

Now that doesn't mean that Server Core can't do other things.  In fact it can, but Microsoft calls those other items Features and not Roles.

  • Microsoft Failover Cluster (not available in Standard Edition)
  • Network Load Balancing
  • Subsystem for UNIX-based applications
  • Backup
  • Multipath IO
  • Removable Storage Management
  • Bitlocker Drive Encryption
  • Simple Network Management Protocol (SNMP)
  • WINS
  • Telnet

Later on in the article I will explain how to install these services.  But first it's time to go over what I believe to be the most commonly requested commands for administering a Server Core environment.

Server Core Common Networking and Firewall Commands

Here is the start of your Networking and Firewall related commands for Server Core:

Server Core Common Networking Commands

To configure the IP address we will have to remember (or learn) Netsh.

Configure a Static IP Address on Server Core:
Netsh int ipv4 set address "Local Area Connection" static 10.1.1.10 255.255.255.0 10.1.1.1
Netsh int ipv4 set dnsserver "Local Area Connection" static 10.1.1.5 primary
Netsh int ipv4 set winsserver "Local Area Connection" static 10.1.1.6 primary

Configure a Dynamic (DHCP) IP Address on Server Core:
Netsh int ipv4 set address "Local Area Connection" source=dhcp

Change the name of the network interface on Server Core:
Netsh int set interface name="Local Area Connection" newname="Primary Network"

Server Core Common Windows Firewall Commands:

The Windows Firewall is a blessing to some and a curse to others.  Either way it is on by default, and you have to understand the commands needed to configure the basics and, in some cases, the more advanced settings.

Disable the firewall (not recommended; open the specific rule groups below instead, so the box only listens for what you actually manage it with.  This netsh firewall context is deprecated on Server 2008 in favour of netsh advfirewall, but still works):
netsh firewall set opmode disable

Server Core can be managed with MMC snap-ins from a remote server.  However, with the firewall on by default, you will have to allow those tools through.  The first thing to note is how each MMC snap-in translates to a Windows Firewall rule group:

Event Viewer - Remote Event Log Management
Services - Remote Service Management
Shared Folders - File and Printer Sharing
Task Scheduler - Remote Scheduled Tasks Management
Reliability and Performance - Performance Logs and Alerts, plus File and Printer Sharing
Disk Management - Remote Volume Management (the Virtual Disk service must also be started on the Core box)
Windows Firewall with Advanced Security - Windows Firewall Remote Management

To enable all of these rules use this command:
Netsh advfirewall firewall set rule group="remote administration" new enable=yes

To enable a specific group use this format, with the rule group name from the list above:
Netsh advfirewall firewall set rule group="<Rule Group Name>" new enable=yes

Server Core Common Domain Management Commands

Join a domain:
netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordd:*
Yes, /passwordd:* needs that second d at the end of it.

Remove from a domain:
netdom remove <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordd:*

Rename a Domain Member:
netdom renamecomputer %computername% /NewName:<NewName> /userd:<Domain>\<UserName> /passwordd:*

Rename Administrator:
wmic UserAccount where Name="Administrator" call Rename Name="<NewName>"

Add a User to a Local Group:
net localgroup <GroupName> <Domain>\<UserName> /add

Remove a User from a Local Group:
net localgroup <GroupName> <Domain>\<UserName> /delete

Confirm the Domain and/or New Computer Name (shows the USERDOMAIN and COMPUTERNAME environment variables):
Set

Update a User's Password:
Net user <UserName> * [/domain]

Server Core Common Server Management Commands

Enable Remote Desktop (0 enables, 1 disables):
Cscript \windows\system32\scregedit.wsf /ar 0

Allow pre-Vista RDP clients that cannot do Network Level Authentication (this weakens RDP security; only use it if you must):
Cscript \windows\system32\scregedit.wsf /cs 0

Activate Server Core:
Local method - slmgr.vbs -ato
Remote method - cscript windows\system32\slmgr.vbs <ServerName> <UserName> <Password> -ato

Rename a Stand-Alone Server:
netdom renamecomputer <ComputerName> /NewName:<NewName>

List installed patches:
wmic qfe list

Install an update:
wusa <update>.msu /quiet

Configure Automatic Updates (4 = download and install automatically):
cscript scregedit.wsf /AU 4

Disable Automatic Updates:
cscript scregedit.wsf /AU 1

View the Automatic Updates setting:
cscript scregedit.wsf /AU /v

Configure the Page File:
wmic pagefileset where name="<path to pagefile.sys>" set InitialSize=<MB>,MaximumSize=<MB>

Configure a Proxy Server (Server Core cannot use a proxy that requires authentication):
netsh winhttp set proxy <ProxyServer>:<Port>

All your favorite TCP/IP commands work including the following:
IPConfig
ARP
Ping
PathPing
TraceRT
Route
NSLookup
NetStat
NBTStat

List Running Services:
sc query

Start and/or Stop a Service:
sc start <ServiceName>
sc stop <ServiceName>

Task Manager: (Ctrl+Shift+Esc)
taskmgr

Manage Disk Volumes:
Diskpart /?

Defrag a Volume:
defrag /?

Change Time and Time Zone:
control timedate.cpl

Change the Desktop Resolution: (requires you to log off and back on)
Regedit - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video
\0000\DefaultSettings.XResolution
\0000\DefaultSettings.YResolution

Display the Time in the Command Prompt:
prompt [$t]$s$p$g

Log off:
shutdown /l

Restart Now:
shutdown /r /t 0
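Typed one at a time these commands are error-prone, and a mistyped netsh line on a headless box is not fun to debug.  The following PowerShell script, an added example rather than anything from the original article, strings the networking, firewall, RDP and rename steps together and aborts on the first native command that fails.  It assumes Windows Server 2008 R2 Server Core or later (the first Core release that ships PowerShell); on 2008 RTM the same native commands go into a .cmd file instead.  The interface name, addresses, computer name and domain are placeholders.

```powershell
# Added example, not part of the original article: first-boot configuration of a Server Core box
# built from the netsh / netdom / scregedit commands above. Requires 2008 R2 Server Core or later.
param(
    [string] $Interface = 'Local Area Connection',   # all of these are placeholders
    [string] $IPAddress = '10.1.1.10',
    [string] $Mask      = '255.255.255.0',
    [string] $Gateway   = '10.1.1.1',
    [string] $DnsServer = '10.1.1.5',
    [string] $NewName   = 'CORE01',
    [string] $Domain    = 'corp.local',
    [string[]] $FirewallGroups = @('Remote Administration', 'Remote Event Log Management',
                                   'Remote Service Management', 'Windows Firewall Remote Management'),
    [switch] $EnableRdp,
    [switch] $Reboot
)

function Invoke-Native([string] $Step, [string] $Exe, [string] $Arguments) {
    # Start-Process hands the argument string to the tool verbatim, which sidesteps PowerShell's
    # re-quoting of tokens such as group="Remote Administration" that netsh trips over.
    # A non-zero exit code aborts the run, so a failed step is never silently skipped.
    Write-Host "==> $Step"
    $p = Start-Process -FilePath $Exe -ArgumentList $Arguments -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { throw "$Step failed: $Exe exited with $($p.ExitCode)" }
}

# Networking (the same netsh commands as above, positional form)
Invoke-Native 'Set static IPv4 address' 'netsh' "interface ipv4 set address `"$Interface`" static $IPAddress $Mask $Gateway"
Invoke-Native 'Set primary DNS server'  'netsh' "interface ipv4 set dnsserver `"$Interface`" static $DnsServer primary"

# Firewall: open only the rule groups the remote MMCs need instead of disabling the firewall
foreach ($group in $FirewallGroups) {
    Invoke-Native "Enable firewall rule group '$group'" 'netsh' "advfirewall firewall set rule group=`"$group`" new enable=yes"
}

if ($EnableRdp) {
    Invoke-Native 'Enable Remote Desktop'           'cscript' "//nologo $env:windir\System32\scregedit.wsf /ar 0"
    Invoke-Native 'Open firewall for Remote Desktop' 'netsh'   'advfirewall firewall set rule group="Remote Desktop" new enable=yes'
}

# The rename only takes effect after a reboot, so the domain join has to wait until then
if ($NewName -and $NewName -ne $env:COMPUTERNAME) {
    Invoke-Native "Rename computer to $NewName" 'netdom' "renamecomputer $env:COMPUTERNAME /newname:$NewName /force"
}

Write-Host "After the reboot, join the domain with:"
Write-Host "  netdom join $NewName /domain:$Domain /userd:<DomainUser> /passwordd:*"
if ($Reboot) { Invoke-Native 'Reboot' 'shutdown' '/r /t 0' }
```

The join is left as a printed command on purpose: netdom join targets the machine by name, and the new name does not exist until the box has rebooted.  Keeping the firewall on and enabling named rule groups is the point of the $FirewallGroups list; add "Windows Management Instrumentation (WMI)" to it if you manage the server over WMI.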

 

To get Roles and Features installed you are going to need the ocsetup.exe command.  OC is short for Optional Components.  The most important thing to remember about this command is that COMPONENT NAMES ARE CASE SENSITIVE!  As a best practice you should always launch it with start /w, which holds the command prompt (so you cannot type again) until the setup completes; without it ocsetup returns immediately and you cannot tell when it has finished.  Below you will find the commands required to install Roles and Features on Server Core.

DNS
start /w ocsetup DNS-Server-Core-Role

DHCP
start /w ocsetup DHCPServerCore

File Services (the Server service is installed by default, but there are other role services):

File Replication Service
start /w ocsetup FRS-Infrastructure

Distributed File System
start /w ocsetup DFSN-Server

Distributed File System Replication
start /w ocsetup DFSR-Infrastructure-ServerEdition

Services for Network File System (NFS)
start /w ocsetup ServerForNFS-Base
start /w ocsetup ClientForNFS-Base

Hyper-V
start /w ocsetup Microsoft-Hyper-V

Print Server feature
start /w ocsetup Printing-ServerCore-Role

Line Printer Daemon (LPD) service
start /w ocsetup Printing-LPDPrintService

Active Directory Lightweight Directory Services
start /w ocsetup DirectoryServices-ADAM-ServerCore

Active Directory Domain Services
dcpromo /unattend:<AnswerFile>

Streaming Media Services
Follow directions found in Article ID 934518

IIS
start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel
To uninstall IIS use the following command
start /w pkgmgr /uu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel

NOTE: If you need to uninstall a Role that you installed with ocsetup, all you need to do is append /uninstall to the commands above.

Now let's take a look at how we install Features on Server Core:

Microsoft Failover Clustering
start /w ocsetup FailoverCluster-Core

Network Load Balancing
start /w ocsetup NetworkLoadBalancingHeadlessServer

Subsystem for UNIX-based applications
start /w ocsetup SUACore

Multipath IO
start /w ocsetup MultipathIo

Removable Storage
start /w ocsetup Microsoft-Windows-RemovableStorageManagementCore

Bitlocker Drive Encryption
start /w ocsetup BitLocker

Backup
start /w ocsetup WindowsServerBackup

Simple Network Management Protocol (SNMP)
start /w ocsetup SNMP-SC

Windows Internet Name Service (WINS)
start /w ocsetup WINS-SC

Telnet client
start /w ocsetup TelnetClient

NOTE: If you need to uninstall a Feature that you installed with ocsetup, all you need to do is append /uninstall to the commands above.
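Installing components one by one also leaves you guessing what is already present.  As an added example, not from the original article, this PowerShell script reads the current state from oclist, installs (or with -Uninstall removes) only the components that need it, and reports when ocsetup asks for a reboot.  It assumes Windows Server 2008 R2 Server Core or later for PowerShell and uses the case-sensitive component names from the lists above; the default component list is a placeholder.  IIS, which uses pkgmgr rather than ocsetup, is not covered.

```powershell
# Added example, not part of the original article: idempotent ocsetup wrapper driven by oclist.
# Requires 2008 R2 Server Core or later; component names are the case-sensitive ones listed above.
param(
    [string[]] $Components = @('DNS-Server-Core-Role', 'SNMP-SC', 'WindowsServerBackup'),  # placeholder list
    [switch]   $Uninstall
)

function Get-ComponentState {
    # oclist prints one line per optional component, e.g. "Installed:DNS-Server-Core-Role" or
    # "Not Installed:SNMP-SC", with tree characters in front of nested entries. Returns a
    # case-sensitive hashtable of name -> $true (installed) / $false, since ocsetup is case-sensitive.
    $state = New-Object System.Collections.Hashtable
    foreach ($line in (& oclist)) {
        if ("$line" -match '(Not Installed|Installed):(\S+)') {
            $state[$matches[2]] = ($matches[1] -eq 'Installed')
        }
    }
    $state
}

$state = Get-ComponentState
$rebootNeeded = $false

foreach ($name in $Components) {
    if (-not $state.ContainsKey($name)) {
        Write-Warning "Unknown component '$name' (check spelling and case against oclist)"
        continue
    }
    if ($Uninstall -and -not $state[$name]) { "$name is not installed, nothing to remove"; continue }
    if (-not $Uninstall -and $state[$name]) { "$name is already installed"; continue }

    $argList = if ($Uninstall) { "$name /uninstall" } else { $name }
    # -Wait is the PowerShell equivalent of 'start /w', so we know when ocsetup is really done
    $p = Start-Process -FilePath 'ocsetup' -ArgumentList $argList -Wait -PassThru
    switch ($p.ExitCode) {
        0       { "$name done" }
        3010    { "$name done (reboot required)"; $rebootNeeded = $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "ocsetup $argList exited with $($p.ExitCode)" }
    }
}

if ($rebootNeeded) { 'One or more components need a reboot: shutdown /r /t 0 when ready.' }
```

Because the state comes from oclist rather than from memory, the same script can be re-run after a reboot or on a rebuilt box and will only touch what differs.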

Having the Role or Feature installed doesn't do much without going in and configuring the service.  The quick and easy way to manage these Roles and Features is to have either a dedicated Terminal Server with the AdminPak or Remote Server Administration Tools (RSAT) installed, or to install those same tools on XP or Vista.

Take a look here for more info on how to manage DNS with DNSCMD and then head over here for installing Active Directory via an answer file on Server Core.

I know this isn't a complete listing of the commands, but I really believe it should help you get started in the right direction.  One of the best resources out there is the Windows Server 2008 Step-by-Step Guides; for this topic you will want to download the Server_Core_Installation_Option_of_Windows_Server_2008_Step-By-Step_Guide.doc guide.

Frustration with Server 2008

Please don’t just read this post…participate by answering the questions I ask using the comments.  Don’t worry you don’t have to register.  :)

One of the things that I’ve been waiting awhile for, was a Windows operating system that is smart enough to not have to reboot as much as previous versions.  I thought that wait would end with Windows Server 2008 but unless someone can prove me wrong I think there is actually potential for more reboots.

The first and obvious one that we still have to deal with is patching.  Didn’t Microsoft mention that reboots after patching would be much fewer?  I can’t seem to find anything from the early hype days but the excellent ASKPERF blog does go into some detail as to why there should be fewer reboots.  The problem is system DLLs such as NTDLL.DLL and Kernel32.DLL still require a reboot when they are updated.  Have you seen fewer reboots because of patching?

My next big complaint about Server 2008 reboots has to do with Features and Roles.  I first experienced this after installing the limp Windows Server Backup.  I know many people don’t like the old built-in tool but if you manage an AD environment it was perfect for doing AD backups while not allowing domain Backup Operators the ability to restore your AD to their desktop.  I know other ways to do this in Server 2008 but that is not the point of this post.

I installed the Windows Server Backup and quickly decided to uninstall it.  What do you know…I have to reboot my server to uninstall backup software.  I couldn’t believe that.  During some testing I had to uninstall AD and DNS on a DC.  I go and run DCPROMO on the DC and of course afterwards I have to reboot.  So I do.  Next I go to uninstall DNS from Server Manager (also removed the AD Binaries) and sure enough not 5 mins after rebooting for DCPROMO I had to reboot again.  This was not an issue with Server 2003.

COME ON MICROSOFT!!!  The last time I had to reboot this frequently was with Windows NT.  Heck I was surprised after a right-click it didn’t ask me to reboot…Okay, so maybe it isn’t that bad but it definitely seems to be more now than it was in Server 2003, especially with Services.  Have you experienced reboots doing tasks that didn’t require them in Server 2003?  Are you happy with that?

The problem with this is when I want to install an additional Feature or Role it won’t let me because it is pending an uninstall.  I’d love to hear what others think of this.

How to Configure Conditional Forwarders in Windows Server 2008

Conditional Forwarders were a new feature of the Microsoft DNS server in Windows Server 2003.  They were a great addition that lets you tell the DNS server to send queries for a specific domain name to a specific DNS server (or list of servers) instead of using its normal forwarders or root hints.

One of the things that you will find different in Windows Server 2008’s DNS is how it displays Conditional Forwarders.  Previously you needed to view the Forwarders tab in the DNS server’s properties.  Here is a shot of the old way.


The new way is in plain sight, as its own Conditional Forwarders node under the server…but it still seems like people miss it.


Now here is a look at what type of options you have for it:


You just place the DNS domain name in the top section and, below it, the IP address of the DNS server that should answer for that domain (normally one of its authoritative servers, but any server that can resolve the domain will do).  Notice you also can store this Conditional Forwarder in Active Directory if you want, so it replicates to the other DNS servers in the domain or forest instead of living only on this server.  It is NOT the default.  Behind that drop down is the number of seconds the DNS server waits for the forwarder to answer before it times out…which is 5 seconds by default.
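The same forwarder can be created from the command line with dnscmd, which is what you will want on Server Core or when the forwarder has to exist on several DNS servers.  This is an added example of mine, not something from the original post; the zone name partner.example and the 192.0.2.x addresses are placeholders.

```batch
@echo off
rem Added example, not from the original post: the conditional forwarder the dialog
rem creates, built with dnscmd so it can be scripted or repeated on every DNS server.
rem Domain name and target addresses below are placeholders.
setlocal
set "DNSSERVER=."
set "ZONE=partner.example"
set "FWD=192.0.2.53 192.0.2.54"

rem A conditional forwarder is a zone of type Forwarder. /Forwarder takes one or more
rem target servers, tried in order. /Timeout is the per-query wait in seconds, the same
rem "5" the dialog shows. Without /DP the zone is stored on this server only, which is
rem the dialog's default of not storing it in Active Directory.
dnscmd %DNSSERVER% /ZoneAdd %ZONE% /Forwarder %FWD% /Timeout 5
if errorlevel 1 (echo ZoneAdd for %ZONE% failed & exit /b 1)

rem To get the "store in Active Directory" behaviour instead, name a directory partition:
rem   /DP /domain   replicate to every DNS server in this domain
rem   /DP /forest   replicate to every DNS server in the forest
rem e.g.  dnscmd . /ZoneAdd %ZONE% /Forwarder %FWD% /Timeout 5 /DP /forest

rem Verify: the zone list shows the new zone with type "Forwarder", and /ZoneInfo
rem shows its forwarder targets and timeout.
dnscmd %DNSSERVER% /EnumZones | findstr /i /c:"%ZONE%"
dnscmd %DNSSERVER% /ZoneInfo %ZONE%
endlocal
```

To undo it, dnscmd . /ZoneDelete partner.example /f removes the zone (add /DsDel if it was stored in Active Directory).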

Hopefully that helps you figure out how DNS Conditional Forwarders are set up in Windows Server 2008

Display Your Computer Name on Server Core

In my Administrator’s Guide to Server Core Commands article on AdminPrep I showed you how to display the time on the command prompt of your Server Core command window.  I just read that Daniel Petri has some other cool shortcuts on what you can display on the command window of Server Core.  The one that I really like is the computer name.  If you manage multiple Server Core servers then you already know how difficult it can be to keep track of different sessions…especially since they all look the same.

To display the computer name (among other things listed on Daniel’s article) you need to modify the registry.  As always, modify the registry carefully.

1. Navigate to the HKLM\System\CurrentControlSet\Control\Session Manager\Environment key.

2. Create or edit a value called Prompt (it should be an Expandable String Value, REG_EXPAND_SZ, so that the variable inside it is expanded each time the prompt is drawn).

3. Set the value data to the following - $_Server:%computername%_$p$g  ($_ is a line break in a prompt string and $p$g is the usual current path followed by >)


You will have to log off and log back on to see the change but once you do it is a pleasant addition to the command window.  Daniel’s example shows how you can add the date, time and user…very cool so make sure you check it out.
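If you have more than a couple of Server Core boxes you will not want to do this in regedit on each one.  Here is an added example (mine, not from the original post or Daniel’s article) that sets the same value with reg add and reads it back.  The one thing to get right is the percent signs, as explained in the comments.

```batch
@echo off
rem Added example, not from the original post: set the Prompt value from a script
rem and read it back to confirm what actually landed in the registry.
setlocal
set "KEY=HKLM\System\CurrentControlSet\Control\Session Manager\Environment"

rem The value must be REG_EXPAND_SZ so %computername% is expanded when the prompt is
rem drawn, not now. Inside a batch file a single %computername% expands on this line,
rem baking today's name into the registry, so %% is used to store a literal % sign.
reg add "%KEY%" /v Prompt /t REG_EXPAND_SZ /d "$_Server:%%computername%%_$p$g" /f
if errorlevel 1 (echo reg add failed & exit /b 1)

rem Read it back: the stored data should show %computername%, not the machine name.
reg query "%KEY%" /v Prompt

rem The change only applies to sessions started after this point (log off and on, or
rem a new cmd.exe started from a fresh logon); the current window keeps its prompt.
endlocal
```

Save it as a .cmd and run it as a script rather than pasting the reg add line at an interactive prompt, where cmd expands %computername% immediately and you would store the current name as a fixed string.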

Posted: Sep 03 2008, 05:58 AM by BrianM | with no comments
Microsoft Certified Master


How many of you have heard of this?  This is the new “Premier Technical Credential” from Microsoft.  Completing the Master program will be a prerequisite for the Microsoft Certified Architect program.  Kind of weird having the “Premier Technical Credential” be a prerequisite for another cert…but all the same it looks pretty nice.  In fact the only thing it is missing compared to the MCA is the review board portion.  The Master program is a three week long hands-on training that only takes place in Redmond WA, after which you must pass three written exams and a lab-based exam.

There are currently three specialty areas, Exchange, SQL, and Directory, with OCS and SharePoint to be added in the future.  The cost is pretty high.  A $125 non-refundable application fee and then an $18,500 program fee (which includes the exams).  Retakes are $250 for the written exams and $1,500 for the lab.

If you take the first run (beta) of any of the specialties you can get a 50% discount.  Each specialty has its own prerequisites that can be found on the links below.

Here are the running times:

Exchange
October 6–October 25, 2008 (50% off)
January 5–January 24, 2009
March 16–April 4, 2009

SQL
October 20–November 8, 2008 (50% off)
January 12–January 31, 2009
March 16–April 4, 2009

Directory
November 3–November 22, 2008 (50% off)
February 16–March 6, 2009
May 4–May 23, 2009

More info can be found on this blog too.

Good luck to anyone that attends, I wish I could but that cost and time commitment is tough.

What I Love About Server Core

Sometimes a picture is worth a thousand words…

(image: PreparingYourDesktop_ServerCore)

Posted: Aug 26 2008, 02:07 PM by BrianM | with no comments
Export Email Addresses from a Distribution Group

One thing that really bugs me is there is no easy way to grab some email addresses from a distribution group.  Usually I end up expanding the group to list all the users and then I have to go to the Outlook properties of each user to view the email address.  Heck, I can’t even copy the email address from there…instead I have to write it down.  This can be a pain for companies that have long complex email addresses.

I’ve finally figured out a way to export this info into a text file…no one said I was quick.  :)  To do this you just need to use either CSVDE or LDIFDE.  I use mail as the attribute I pull from these commands but you could really use any AD attribute that you want to pull.

csvde -f c:\temp\report.txt -r "(memberOf=CN=group name,OU=ou name,DC=domain,DC=name)" -l mail

ldifde -f c:\temp\report.txt -r "(memberOf=CN=group name,OU=ou name,DC=domain,DC=name)" -l mail

This may not be the cleanest way to pull this data but at least now I can copy and paste the email addresses.
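Two things bite when you use this on a real group: a plain memberOf= filter only returns direct members, so anyone who is in a group nested inside the distribution group is missed, and the csvde output quotes the DN column (it contains commas), so you cannot just split it on commas to get the addresses out.  Here is an added example of mine (not from the original post) that handles both; the group DN and the output path are placeholders.

```batch
@echo off
rem Added example, not from the original post: export the mail attribute of every
rem member of a distribution group, including members of nested groups, as a plain
rem list of addresses that can be pasted straight into an Outlook To: line.
rem The group DN below is a placeholder; replace it with your own.
setlocal
set "GROUP=CN=All Staff,OU=Groups,DC=contoso,DC=com"
set "OUT=C:\temp\report.ldf"
if not exist C:\temp mkdir C:\temp

rem 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (needs a Windows Server 2003
rem SP2 or later DC): memberOf is followed transitively, so users in groups nested
rem inside %GROUP% are returned too. objectCategory=person keeps the nested groups
rem themselves out of the result; mail-enabled groups have a mail attribute as well.
ldifde -f "%OUT%" -r "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=%GROUP%))" -l mail
if errorlevel 1 (echo ldifde failed & exit /b 1)

rem ldifde writes one "mail: address" line per user (plus a dn: and changetype: line),
rem so keep only the address part. Addresses containing non-ASCII characters are
rem written base64-encoded as "mail:: ..." and are not matched by this line.
for /f "tokens=2" %%a in ('findstr /b /c:"mail: " "%OUT%"') do echo %%a
endlocal
```

ldifde is the better choice here over csvde precisely because each attribute lands on its own line; with csvde you would need a quote-aware CSV parser to get past the DN column.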

Posted: Aug 26 2008, 08:11 AM by BrianM | with 1 comment(s)
Windows Server 2008 User Right Assignments - Defined

If you haven’t noticed yet, Windows Server 2008 has several more User Rights Assignments in the Local Policy settings than Server 2003 did.  If you’re looking for a definition of one or all of them take a look below.  The wording follows Microsoft’s Windows Server 2008 Security Guide, which is why the entries refer to its two baseline environments: EC (Enterprise Client) and SSLF (Specialized Security – Limited Functionality).  These are the same settings that are found in Group Policy located at this path – Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
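Before reading the definitions it helps to see what a server actually has assigned, and to know how the values are written when you set them outside the GUI.  The following is an added example of mine, not from the original post or the Security Guide: it exports the current User Rights Assignment with secedit (the same engine Group Policy uses), builds a small template that enforces a few of the entries defined below using the internal constant names and well-known SIDs, and applies it.  File paths are placeholders.

```batch
@echo off
rem Added example, not from the original post: audit the user rights on a server and
rem enforce a few of the settings defined below with secedit. Paths are placeholders.
setlocal
set "CUR=%TEMP%\rights-current.inf"
set "NEW=%TEMP%\rights-hardened.inf"
set "DB=%TEMP%\rights-hardened.sdb"

rem 1. Export what is currently assigned. The export is UTF-16, which findstr cannot
rem    search directly, hence the TYPE in front of it.
secedit /export /cfg "%CUR%" /areas USER_RIGHTS /quiet
type "%CUR%" | findstr /b /c:"SeTcbPrivilege" /c:"SeDebugPrivilege" /c:"SeIncreaseQuotaPrivilege" /c:"SeTrustedCredManAccessPrivilege"

rem 2. Build a template. Lines under [Privilege Rights] use the internal right names and
rem    list accounts as *SID. An empty right means "No One"; a right that is not listed
rem    is left untouched. S-1-5-32-544 = Administrators, S-1-5-19 = Local Service,
rem    S-1-5-20 = Network Service.
(
    echo [Version]
    echo signature="$CHICAGO$"
    echo Revision=1
    echo [Privilege Rights]
    echo SeTrustedCredManAccessPrivilege =
    echo SeTcbPrivilege =
    echo SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
    echo SeDebugPrivilege = *S-1-5-32-544
) > "%NEW%"

rem 3. Apply only the USER_RIGHTS area and log what changed. On a domain member the GPO
rem    at the path above re-applies on the next refresh and wins, so permanent changes
rem    belong there; this is for stand-alone servers or for testing a setting.
secedit /configure /db "%DB%" /cfg "%NEW%" /areas USER_RIGHTS /log "%TEMP%\rights.log" /quiet
if errorlevel 1 (echo secedit failed, see %TEMP%\rights.log & exit /b 1)

rem 4. Show the privileges of the current token. A right removed above disappears from
rem    new logons only; tokens that already exist keep what they were issued with.
whoami /priv
endlocal
```

The four rights in the template correspond to Access Credential Manager as a trusted caller, Act as part of the operating system, Adjust memory quotas for a process and Debug programs; the exported file from step 1 gives you the constant name for every other entry below.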


Access Credential Manager as a trusted caller

This policy setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities.

By default, no accounts are assigned this right. However, to enforce the default setting, the Access Credential Manager as a trusted caller setting is restricted to No One for the SSLF environment discussed in the security guide.

Act as part of the operating system

This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. For this reason, the Act as part of the operating system setting is restricted to No one for both of the environments that are discussed in this guide.

Add workstations to domain

This policy setting determines which users or groups can join computers (workstations) to the domain.  It only takes effect when applied to domain controllers.  By default Authenticated Users hold it on domain controllers, and each such user can join up to 10 computers (the ms-DS-MachineAccountQuota attribute on the domain); a user who has been granted Create Computer Objects permission on an OU does not need this right and is not limited by that quota.

Adjust memory quotas for a process

This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, this setting could be used to launch a denial of service (DoS) attack.

For this reason, the Adjust memory quotas for a process setting is restricted to Administrators, Local Service, and Network Service groups for the SSLF environment. The setting is configured to Not Defined for the EC environment.

Allow log on locally

This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the computer keyboard require this user right.

Microsoft recommends that you enable this setting through Group Policy and restrict this right to members of the Administrators group. Assign this user right to the other Operator level administrative security groups, such as Backup Operators or Server Operators, if your organization requires that they have this capability.

Allow log on through Terminal Services

This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. Microsoft recommends that you restrict this user right to the Administrators group to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature. Dedicated Terminal Servers will require additional configuration.

Back up files and directories

This policy setting allows users to circumvent file and directory permissions to back up the system.  This user right is applied only when an application (such as Windows Server Backup) opens a file or directory through the NTFS file system backup application programming interface (API).  Otherwise, the assigned file and directory permissions apply.

Bypass traverse checking

This policy setting allows users who do not have the special "Traverse Folder" access permission to "pass through" folders when they browse an object path in the NTFS file system or in the registry. This user right does not allow users to list the contents of a folder, but only allows them to traverse directories.

Change the system time

This policy setting determines which users and groups can change the time and date of the internal clock of the computers in your environment.  Users who are assigned this user right can affect the appearance of event logs.  When a computer’s time setting is changed, logged events reflect the new time, which may not be the actual time that the events occurred.  Because Kerberos tolerates only a small clock skew (5 minutes by default), a clock pushed out of sync also breaks domain authentication for that computer.

Change the time zone

This setting determines which users can change the time zone of the computer.  This capability poses no great risk for the computer.  However, modifications to this setting affect all users and applications on the computer, which could cause confusion in shared terminal server environments.

Create a pagefile

This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.

Create a token object

This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. In environments in which security is a high priority, this user right should not be assigned to any users. Any processes that require this capability should use the Local System account, which is assigned this user right by default.

Create global objects

This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right.

Users who can create global objects could affect processes that run under other users' sessions. This capability could lead to a variety of problems, such as application failure or data corruption.

Create permanent shared objects

This policy setting allows users to create directory objects in the object manager. This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right.

Create symbolic links

This policy setting determines which users can create symbolic links. In Windows Server 2008, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk file) to another file system object, which can be a file, folder, shortcut or another symbolic link. The difference between a shortcut and a symbolic link is that a shortcut only works from within the Windows shell. To other programs and applications, shortcuts are just another file, whereas with symbolic links, the concept of a shortcut is implemented as a feature of the NTFS file system.

Symbolic links can potentially expose security vulnerabilities in applications that are not designed to use them. For this reason, the privilege for creating symbolic links should only be assigned to trusted users. By default, only members of the Administrators group can create symbolic links.

Debug programs

This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components.  Developers who are debugging their own applications do not need to be assigned this user right.  However, developers who are debugging new system components need it.  Because the right lets its holder open any process, LSASS included, and read from or inject into it, anyone who holds it is effectively a local administrator; keep it at its default of Administrators only.

Deny access to this computer from the network

This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

Deny log on as a batch job

This policy setting prohibits users from logging on to a computer through a batch-queue facility, which is a feature in Windows Server 2008 that you can use to schedule jobs to run automatically one or more times in the future.

Deny log on as a service

This policy setting prohibits the listed accounts from logging on as a service, and takes precedence over the Log on as a service right for any account that is in both.  Accounts that can log on as a service could be used to configure and launch new unauthorized services, such as a keylogger or other malware.

Deny log on locally

This policy setting prohibits users from logging on locally to the computer console. If unauthorized users can log on locally to a computer, they can download malicious code or elevate their privileges on the computer. In addition, if attackers have physical access to the console, there are other risks to consider. This user right should not be assigned to those users who need physical access to the computer console.

Deny log on through Terminal Services

This policy setting prohibits users from logging on to computers in your environment through Remote Desktop connections. If you assign this user right to the Everyone group, you also prevent members of the default Administrators group from using Terminal Services to log on to computers in your environment.

Enable computer and user accounts to be trusted for delegation

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory®. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

Force shutdown from a remote system

This policy setting allows users to shut down Windows–based computers from remote locations on the network.  An unauthorized shut down of a server is a type of denial of service (DoS) condition that makes the computer unavailable to service user requests.  Microsoft recommends that you assign this user right only to highly trusted administrators.

Generate security audits

This policy setting determines which users or processes can generate audit records in the Security log.  An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity.  Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.