Office 365 Distribution List Question

Hey Mitch! Do you know if we can add a couple hundred users to a distribution list instead of adding them one by one?

One of my help desk techs was asked to create several distribution lists with several hundred users, and they do not want to have to scroll through the user list to click each user one by one.  Of course there is a solution… PowerShell!  It is pretty easy to do…

Firstly, you need to create a .csv file.  Let’s call it DGroups.csv.  Create the following headers: Alias,DistributionGroup.  It should look like this:

Alias,DistributionGroup
Mitch.Garvis,O365-Admins
Fred.Kippels,O365-Admins
Fred.Kippels,HelpDesk-Managers
John.Frinks,HelpDesk-Managers
John.Frinks,Softball-Players
Mitch.Garvis,Softball-Players

Once you have that, open a PowerShell console, and connect to your Office 365 instance.  Make sure you have the credentials to add users to the groups listed in the file.  Now, run the following cmdlet:

Import-Csv "C:\DGroups.csv" | ForEach-Object { Add-DistributionGroupMember -Identity $_.DistributionGroup -Member $_.Alias -BypassSecurityGroupManagerCheck }

That should be it… You should have your users added to the group.  Have fun!
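Because -BypassSecurityGroupManagerCheck skips the group-owner check, it is worth validating the file before anything is changed. The following is an added example, not part of the original post: the function name Get-ValidDGroupRow and the sample rows are constructed for illustration. It checks the headers, drops blank and duplicate rows, and then previews the change with -WhatIf.

```powershell
# Added example: pre-flight check for the DGroups.csv format described above.
# Get-ValidDGroupRow is a hypothetical helper name, not an Exchange cmdlet.
function Get-ValidDGroupRow {
    param([Parameter(Mandatory)] [string] $CsvPath)

    $rows = @(Import-Csv -LiteralPath $CsvPath)
    if ($rows.Count -eq 0) { throw "No data rows in $CsvPath" }

    # Both headers from the post must be present, spelled exactly.
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($h in 'Alias', 'DistributionGroup') {
        if ($headers -notcontains $h) { throw "Missing column '$h' in $CsvPath" }
    }

    $seen = @{}
    $n = 1                                   # line 1 of the file is the header
    foreach ($r in $rows) {
        $n++
        $alias = "$($r.Alias)".Trim()
        $group = "$($r.DistributionGroup)".Trim()
        if (-not $alias -or -not $group) {
            Write-Warning "Line ${n}: blank field, skipped"
            continue
        }
        $key = "$group|$alias".ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            Write-Warning "Line ${n}: duplicate of line $($seen[$key]), skipped"
            continue
        }
        $seen[$key] = $n
        [pscustomobject]@{ Alias = $alias; DistributionGroup = $group }
    }
}

# Constructed sample file: one duplicate row and one row with a blank group.
$csv = Join-Path ([IO.Path]::GetTempPath()) 'DGroups.csv'
@'
Alias,DistributionGroup
Mitch.Garvis,O365-Admins
Fred.Kippels,O365-Admins
Fred.Kippels,O365-Admins
John.Frinks,
John.Frinks,Softball-Players
'@ | Set-Content -LiteralPath $csv

$valid = @(Get-ValidDGroupRow -CsvPath $csv)

# Review how many members each group is about to receive.
$valid | Group-Object DistributionGroup | Select-Object Name, Count

# Only runs where an Exchange Online session has loaded the cmdlet.
# -WhatIf previews each addition; remove it to make the change.
if (Get-Command Add-DistributionGroupMember -ErrorAction SilentlyContinue) {
    $valid | ForEach-Object {
        Add-DistributionGroupMember -Identity $_.DistributionGroup -Member $_.Alias -BypassSecurityGroupManagerCheck -WhatIf
    }
}
```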

Change the Way You Change Text

I remember when I first discovered the mail merge feature… it amazed the twelve-year-old me that I could write a letter once, and then AppleWorks would address that letter to the several hundred people in my database.  I was thrilled with it.

Last week, I was working with a client who moved a server.  No big deal, right?  Well unfortunately, this was a server that collected information from every other server in the environment… several hundred of them, to be precise.  If the collection application were programmed differently, there would have been an option to send out to all of the servers the changed IP address.  This application did not work that way.  Even though we have an agent deployed to every server, there was no automated way to make the change on the agent side… at least, not out of the box.

It turns out that the information we needed to change was in a file I will call ‘c:\Program Files\Collector\agent.conf.’ The file consisted of three lines:

[Collector Agent Settings]
Collector Hostname: servername.domain.com
Collector IP Address: 10.201.15.72

While the collector hostname was not changing, the IP address had to, because it had been relocated to a different datacenter.  The new address was going to be 10.205.119.70.  (Obviously none of these addresses are the actual addresses from my client… don’t go looking for them!)  I had to change the IP address in this file… but I had to do it across about 600 servers.  Fortunately I have my deployment tool that allows me to send the script to every server… and I have PowerShell, which let me build the following script:

# Variables

$s1 = '10.201.15.72'

$s2 = '10.205.119.70'

$file = "c:\Program Files\Collector\agent.conf"

# Stop the service

net stop Collector

# Make my change (read the file, swap the address, write it back)

(Get-Content -Path $file) -replace [regex]::Escape($s1), $s2 | Set-Content -Path $file

# Restart the service

net start Collector

So:

First I set my variables, which are the original IP address, the new IP address, and the file name.

Next I stop the service, because while the service is actually running, the configuration file is protected.  In some cases, you may also have a Process protecting it, so you would then have to add a Kill command.

The Set-Content line does the following:

  • Reads the file (from the variable)
  • Replaces the first variable with the second variable
  • Writes the result back to the same file.

And lastly, I restart the service.

Now, I used this script for a configuration file, but there is no reason it cannot be used for any other purpose.  Changing text in ASCII files is something you might need to do on a regular basis.  Scripting it will save you a lot of time and effort.
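When a change like this goes out to several hundred servers, it helps if the script only touches the line it is meant to touch, keeps a rollback copy, and is safe to run twice. The following is an added example, not the original script: the function name Update-CollectorAddress, its parameters and the temp-file sample are assumptions made for illustration.

```powershell
# Added example. Update-CollectorAddress and its parameter names are hypothetical.
function Update-CollectorAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [ipaddress] $OldAddress,  # rejects input that is not an IP address
        [Parameter(Mandatory)] [ipaddress] $NewAddress,
        [string] $ServiceName                             # optional: service that locks the file
    )

    # -replace takes a regular expression, so the dots in the address are escaped
    # and the match is anchored to the one setting we intend to change.
    $key        = '^(Collector IP Address:\s*)'
    $oldPattern = $key + [regex]::Escape($OldAddress.ToString()) + '\s*$'
    $newPattern = $key + [regex]::Escape($NewAddress.ToString()) + '\s*$'

    $stopped = $false
    try {
        if ($ServiceName) {
            Stop-Service -Name $ServiceName -ErrorAction Stop
            $stopped = $true
        }

        $lines = @(Get-Content -LiteralPath $Path -ErrorAction Stop)

        if (@($lines -match $oldPattern).Count -eq 0) {
            # Nothing to replace: either the change was already made or the file is unexpected.
            if (@($lines -match $newPattern).Count -gt 0) { return 'AlreadyCurrent' }
            return 'NoMatch'
        }

        if ($PSCmdlet.ShouldProcess($Path, "replace $OldAddress with $NewAddress")) {
            # Keep a rollback copy next to the original before writing.
            Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
            # '${1}' keeps the captured key text; braces stop it merging with the digits that follow.
            $lines -replace $oldPattern, ('${1}' + $NewAddress.ToString()) |
                Set-Content -LiteralPath $Path
            return 'Updated'
        }
        return 'Skipped'
    }
    finally {
        # The service comes back even if the edit failed part-way.
        if ($stopped) { Start-Service -Name $ServiceName }
    }
}

# Constructed sample file with the three lines shown in the post.
$conf = Join-Path ([IO.Path]::GetTempPath()) 'agent.conf'
@'
[Collector Agent Settings]
Collector Hostname: servername.domain.com
Collector IP Address: 10.201.15.72
'@ | Set-Content -LiteralPath $conf

Update-CollectorAddress -Path $conf -OldAddress '10.201.15.72' -NewAddress '10.205.119.70'
Update-CollectorAddress -Path $conf -OldAddress '10.201.15.72' -NewAddress '10.205.119.70'
Get-Content -LiteralPath $conf
```

The status string each call returns can be collected by the deployment tool, so servers that report something other than an update or an already-current file stand out. Add -ServiceName Collector on a real agent so the service is stopped for the edit and restarted afterwards.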

Which Patches?

It came up in conversation with a friend recently that he believed that a Windows Update (hotfix, patch, whatever you want to call it) broke something on his computer.  What can I say? It happens… sometimes.  No problem Fred, all you have to do is roll back the updates that were applied last week and if that was really the problem then it should resolve the issue.

“Well, it wasn’t quite last week…”

It turns out that Fred (his real name is withheld to protect the usually intelligent friend) has had this problem for a couple of months, but didn’t say anything to me, because he didn’t want to bother me.  He figured he would just ask me about it the next time he came over.

For a decent analogy of why this is a bad idea, I want you to imagine getting a splinter on the side of your foot.  If you sit down, remove the splinter, clean the wound, and put a bandage on it then sometime in the next few days your foot will heal.  The alternative is to wait… keep up business as usual, walk through the pain, keep sweating and getting it dirty.  In the same few days as before you will likely have something with the adjectives festering and infected applied to it.

Okay, here we are.  Fred’s computer has a festering infected wound, and it’s my job to clean it up.  He goes home and asks me what to do first.

“Please send me a list of the updates that have been installed since you realized there was a problem.”  He sent me a screenshot of Windows Update.

Okay, that is one way to go… but a screen shot is a lot less useful than a text file. So here’s what you would do:

  1. Open a Windows PowerShell console.
  2. Navigate to a directory where you can save files (hint: NOT the root of your profile… try c:\Users\YourName\Documents).
  3. Enter the following cmdlet:

Get-WmiObject -Class Win32_QuickFixEngineering -Property Description,HotFixID | Export-Csv Updates.csv

This will create a CSV file of all of your patches, which if you were to open it in a text editor would look like this:

[screenshot]

Not very nice, huh?  But if we were to open it with a spreadsheet that recognizes comma-separated value files, this is what you would get:

[screenshot]

This is a much more useful file for an IT Professional to work with, as you have data, and not simply an image file of data.

I hope this helps!

PowerShell: A Colourful Experience

One of the topics I inject into every one of my classes (and frankly, most of my customer conversations) is how to do whatever we are doing in PowerShell.  Scripting is one of the ways I make my life easier, and I recommend my students and customers use the knowledge I share to make their lives easier.

One of the differences between a Command Shell window and a PowerShell window is the colours.  Command Shell is white type on a black background.  PowerShell is a blue background, with the type colours varying depending on the context… Yellow for cmdlets, red for errors, and so on.

One of my students recently told me that because of the issues he has with his eyes, he has trouble reading the red writing on the blue background, and asked if there was a way to change it.  I honestly had never thought of it… so I decided to do some research.

It turns out, according to what I discovered, it is possible to change a lot of the colours in PowerShell.  Let’s start by changing the colour of the error messages:

$host.PrivateData.ErrorForegroundColor = "Green"

So let’s see what that does:

[screenshot]

Okay, that is much better.  We can also change the background colour of the error text (black by default), by using this:

$host.PrivateData.ErrorBackgroundColor = "DarkCyan"

Granted, I hate the colour, but once you know the command, you can play with the colours that you want.

As well, if you want to change the colour scheme of the entire console, you can use the following:

[console]::ForegroundColor = "Yellow"

[console]::BackgroundColor = "Black"

Now we have the entire console in black, and the default text in yellow.

If you want to use these colours persistently, you can insert them into your profile… or just create a .ps1 file that you run every time you open PowerShell.

Jeff Hicks wrote a number of great scripts a few years ago that will let you manage your colour schemes, and they can be found here.  Unfortunately it is an older article and the images are gone, but the scripts are intact, and that is the important part.

Have fun!

IPv6: Be gone!

Let me start this piece by stating that I am not advocating that we all ignore IPv6.  There are many reasons to use it, and there is nothing wrong with it.  Sure, it is more complicated than we may like… but then again, so was IPv4 when we were first introduced to it.

But alas, if you and your organization are not using IPv6, then there is no reason to have it bound to your workstations, let alone to your servers.  Let’s get rid of it… for now, knowing we can come back and re-enable it with a simple cmdlet.

First, we need to see which network cards have IPv6 bound to them, with the following:

Get-NetAdapterBinding | where {$_.ComponentId -eq 'ms_tcpip6'}

That will return a list of NICs that have IPv6 enabled, like so:

[Screenshot: Get-IPv6]

We can remove the binding from each adapter individually, like so:

Disable-NetAdapterBinding -Name "Wi-Fi 2" -ComponentID ms_tcpip6

Of course, then we would have to do it for each of our NICs.  Rather than doing that, it would be simpler to just use a wildcard, thus disabling it for all of our NICs simultaneously:

Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

Of course, in order to do this, you must open PowerShell with elevated credentials, so make sure you Run As Administrator.

Once you have done that, you can then go back and get the same list.  Notice that the listings under Enabled all read False now.

[Screenshot: Disable-IPv6]

Now, as you may have heard me say before, PowerShell is very easy to understand… it is almost as if it were post-troglodyte grammar.  Get-Thing! Disable-NetAdapterBinding!  So it stands to reason that the reverse of the Disable-NetAdapterBinding cmdlet would be… yes, you guessed it! Enable-NetAdapterBinding!  But this time, rather than using the wildcard, let’s just do it for the NIC that I am currently using:

Enable-NetAdapterBinding -Name "Wi-Fi 2" -ComponentID ms_tcpip6

From this, we will now get the following results:

[Screenshot: Enable-IPv6]

…and just like that, we can now enable and disable a protocol on demand.

By the way, if you are not fond of ComponentIDs, you can also use the actual display names:

[Screenshot: Get-Bindings]

Of course, that is too much typing for a lot of people, so you could shorten it with wildcards… or you can just cut and paste the ComponentID cmdlets.

Have fun guys, and script on!

A PowerShell Gotcha

I was bulk-creating users for a test environment today, and in doing so, I borrowed a script from an article online, which set the password for all users to ‘Pa$$word’.  I usually use a variation on the same for test environments, but I opted to leave this one as it was.  The script worked.

A few minutes later, I went to log on as one of the newly created users, and the computer returned ‘The password is incorrect.  Try again.’

I spent a few minutes troubleshooting, until I realized… PowerShell uses the dollar sign ($) for variables.  I deleted the users, then changed the script to use a password like ‘P@ssw0rd’.  Sure enough, it worked.

The moral of the story… When using PowerShell, remember that the $ means something, and might break things if you use it for other things.
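The behaviour behind this gotcha: inside double quotes PowerShell expands anything that starts with $ (and $$ is itself an automatic variable), while single quotes keep the text literal. The following is an added example, not part of the original post, that uses PowerShell's own parser to list every double-quoted string in a script that will be expanded at run time. The function name Find-ExpandedStringLiteral and the sample script text are constructed for illustration.

```powershell
# Added example. Find-ExpandedStringLiteral is a hypothetical helper name.
# It parses script text without running it and reports each double-quoted
# string that contains something PowerShell will expand.
function Find-ExpandedStringLiteral {
    param([Parameter(Mandatory)] [string] $ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # A double-quoted string only becomes an ExpandableStringExpressionAst
    # when it holds at least one variable or subexpression.
    $found = $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.ExpandableStringExpressionAst]
        }, $true)

    foreach ($s in $found) {
        [pscustomobject]@{
            Line    = $s.Extent.StartLineNumber
            Literal = $s.Extent.Text
            Expands = ($s.NestedExpressions | ForEach-Object { $_.Extent.Text }) -join ', '
        }
    }
}

# Constructed sample, modelled on the bulk user-creation case above.
# The single-quoted here-string keeps the sample itself from being expanded.
$sample = @'
$pw1 = ConvertTo-SecureString "Pa$$word" -AsPlainText -Force
$pw2 = ConvertTo-SecureString 'Pa$$word' -AsPlainText -Force
$pw3 = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
'@

Find-ExpandedStringLiteral -ScriptText $sample | Format-Table -AutoSize
```

Run over a borrowed script before using it, this flags the lines where the password that gets set may not be the one you can read on the screen; putting the literal in single quotes removes the line from the report.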

Have fun!

Deleting User Profiles

“How do I delete old users from a Windows 10 computer? I log in as an administrator, navigate to c:\Users\, and delete their tree.”

NO!  In fact, HELL NO!

There are several reasons why you might want to delete a user profile from a computer, ranging from termination of employment to reallocation of systems to… well, you get the picture.  There are a few ways you can do it, but there are only a couple of ways of doing it right.

Recently I was working with a client who encountered a situation where a few of his domain users’ local profiles were corrupted on a corporate system.  I told him that the simplest way of fixing the issue was to delete the user profile, so that when the user next logged on, it would re-create the profile for them.  They called me back a few minutes later reporting that they were now receiving the following message when the affected users logged in:

We can’t sign in to your account.  This problem can often be fixed by signing out of your account then signing back in.  If you don’t sign out now, any files you create or changes you make will be lost.

Okay, that led me to believe they had simply deleted the c:\Users\%username% directory, and we had to clean up that mess in the registry (under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList”, delete any entries that have the .BAK extension).

Okay… now that we have learned how NOT to do it, here’s how you should do it:

1) Open Control Panel > System and Security > System in the affected machine.  The simplest way to do this in the more recent releases of Windows 10 is to click Run – sysdm.cpl.

3) In the Advanced tab of the System Properties window, in the User Profiles section, click Settings…

4) In the User Profiles window, click on the user you want to delete, and click Delete.

**NOTE: You will not be able to delete the account you are logged in as, nor the default Administrator account.

Of course, you will be asked if you are really really sure that you want to delete the account, and you can click Yes or No as you wish.

There are ways to do it in PowerShell… but they don’t seem to be very clear or very easy.  For this one time, I strongly suggest the GUI.

What is in a Name?

Recently a client asked me to build a series of virtual machines for them for a project we were working on.  No problem… I asked what they should be named, and the client told me to call them whatever sounded right.

That did not sound right… or at least, it turned out to not be right.  Indeed, the client had an approved server naming convention, and when the manager saw my virtual machines named VM1, VM2, VM3, and so on… he asked me to change them.

If we were talking about a single server, I would have logged in and done it through Server Manager.  But there were fifteen machines in play, so I opted to use Windows PowerShell from my desktop.

Rename-Computer -ComputerName "VM1.domain.com" -NewName "ClientName.domain.com" -DomainCredential domain\Mitch -Restart

The cmdlet is pretty simple, and allowed me to knock off all fifteen servers in three minutes.  All I needed was the real names… and of course my domain credentials.

The cmdlet works just as well with the –LocalCredential switch… in case you aren’t domain joined.


That’s it… have fun!

Default Gateway Corrections

The default gateway setting in Windows (and every other networked operating system) is a simple setting that tells your network interface card (NIC) where to send traffic when sending it outside of your domain segment.  More often than not, it will be the .1 address of a network segment (e.g.: 10.0.0.1), but that is not always the case.

It is one of those settings that you set once and forget it… It almost never needs to be changed… until it does.  Network reconfigurations do happen, and changing the default gateway is simple to do in the graphical user interface via the Properties window of your network interface, simply by modifying the appropriate field in the  Internet Protocol Version 4 (TCP/IPv4) properties.

But what if you need to do it for several machines?  Of course, PowerShell to the rescue!

First, you need to check what your NIC Interface Index is:

Get-NetIPConfiguration

This will give you an output that looks like this:

[Screenshot: Get-NetIPConfiguration output]

As we see in this example, the server was moved from one network segment (10.128.43.x/24) to a new one (10.128.11.x/24).  Because of that, we need to assign a new Gateway in the proper network segment.

The Interface Index here lists as 3.  Remember that.

Before we add the new Gateway, we have to remove the old one.  Otherwise the NIC will have two gateways, and that can cause issues.

Remove-NetRoute -ifindex 3 -NextHop "10.128.43.1"

Notice that we put in 3 for the ifindex (the Interface Index), and the old gateway in quotes.

Now that we have a clean slate, all we have to do is configure the new default gateway, with this:

New-NetRoute -interfaceindex 3 -NextHop "10.128.11.1" -destinationprefix "0.0.0.0/0"

Again, we change our interfaceindex to 3, and our NextHop to the proper gateway.  When you run these two commands, you should get the following output:

[Screenshot: Done]

That’s all there is to it!  Of course, you may want to execute this script against a group of computers, but that’s for another time…

SCOM Prerequisites: A Web of Confusion

Microsoft’s System Center Operations Manager (SCOM) has several prerequisites that must be installed for each component, and frankly, some of those can be cumbersome to get around.  Of course, it is nice for the SCOM installation console to let us know that Report Viewer (a free download from Microsoft, link provided in the notifications window) is a prerequisite… but they do not tell you that System CLR Types for SQL Server 2014 are a prerequisite to Report Viewer, no link given (spoiler alert: it is a component of the SQL Server 2014 Feature Pack).

Of all the components, it is the SCOM Web Console that has the most prerequisites, and frankly some of them are easier to install than others.

[Screenshot: WebConsole Prerequisites]

We have our work cut out for us, it would seem… unless we use PowerShell!

Yes, we could muck our way through the Add Roles & Features wizard in Server Manager… and if you are only installing it the once, then that is probably fine.  If you are a consultant and expect to be installing SCOM more than once in your client environments, I strongly suggest you grab these PowerShell scripts.

Of course, the Report Viewer Controls Check is still going to fail, but those prerequisites are really easy – the link for the Report Viewer is here, and I hope you took the opportunity to install the SQL Server 2014 Feature Pack before you do that.

Script:

Import-Module ServerManager

Add-WindowsFeature NET-Framework-Core,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Request-Monitor,Web-Filtering,Web-Stat-Compression,Web-Metabase,Web-Asp-Net,Web-Asp-Net45,Web-Windows-Auth,NET-HTTP-Activation,NET-WCF-HTTP-Activation45 -restart

This should do it… you will need to reboot the server in order for a few things to register properly (ISAPI and CGI and all sorts of stuff), but when you restart the installer and check your prerequisites…

[Screenshot: Prerequisites Passed]

That’s what we want to see… so in a few minutes time (the web console really does not take a long time to install) you should be able to navigate to https://servername/OperationsManager and you will see…

[Screenshot: WebConsole]

Now go forth and script, my good man!

I am heading out of town for a week of R&R… See you next Friday!

SCOM Management Packs: Removing Foreign Languages

When you go to add Management Packs (MPs) to System Center Operations Manager, there is that temptation to be lazy and just add everything.  This will clog your environment with a lot of things you do not need… including MPs in languages that you likely do not speak, read, or care about (within the context of your SCOM environment).

Once you realize this is a lousy idea, it is usually too late… you’ve already done it.  You will want to clear out a lot of things… starting with those foreign languages.

You can delete them one by one of course… right-click on the MP, click Remove (or Delete).  This will be reasonably time consuming… so when this happened to me some time ago, I went looking online for a better solution.

John Savill, an IT writer and Microsoft MVP whom I have known and respected for many years, created a great script that I found.  I found it again recently in an article he wrote for IT Pro Today.  Essentially, it removes every MP that has a geo-tag (.KOR for Korean, .ITA for Italian, and so forth).

From the Operations Manager Shell, enter (or cut and paste) the following:

Get-SCOMManagementPack | where{($_.Name.Substring($_.Name.Length -4,4) -eq “.CHS”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.KOR”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.CHT”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.ITA”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.JPN”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.RUS”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.FRA”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.PTB”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.DEU”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.ESN”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.HUN”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.NLD”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.PLK”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.PTG”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.SVE”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.TRK”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.CSY”)} | Remove-SCOMManagementPack

(Note: John’s original script excluded a number of languages; I have modified the script to include Hungarian, Dutch,  Polish, Portuguese, Swedish, Turkish, and Czech. I do not know if these are languages that were added to Management Packs recently, but I found several with these and wanted to remove them as well.)

Depending on how many foreign language MPs you have, it might take some time… After all, it is going through and removing them individually the same way that you would… but without having to right-click, click, confirm, repeat.  So be patient… it is working!

(Note: While it is working, you will not be able to access the Operations Console… at least, not from the same system you are running the script on.)

[Screenshot: RemoveSCOMMPs]

The article I found it in is here, and while it was originally written for SCOM 2012, it works just as well for SCOM 2016.

Thanks John!

Operations Manager: How to List What Management Packs Are Installed?

A client asked me recently how to determine what Management Packs he had installed in his System Center Operations Manager (SCOM) infrastructure.  I told him to open his Management Console and navigate to Administration – Installed Management Packs.  It was a short conversation.

[Screenshot: SCOM Installed MPs]

Easy peasy, right?  Here’s a list, go with G-d.  Twenty minutes later, my phone rings again.

“Mitch, how can I export that list so that I can include it in our Infrastructure Documentation?”

Aha… That is a different kettle of fish.  For this, we will go into the Operations Manager Shell, essentially the PowerShell console for SCOM.  The command most people seem to recommend, to stick to pure PowerShell scripting, would be:

Get-SCOMManagementPack |ConvertTo-Csv | Out-File c:\MPs\InstalledMPs.csv

This will give you a .CSV (comma separated values) file with the following information:

  • Name
  • TimeCreated
  • LastModified
  • KeyToken
  • Version
  • ID
  • Identifier
  • VersionID
  • References
  • Sealed
  • ContentReadable
  • FriendlyName
  • DisplayName
  • Description
  • DefaultLanguageCode
  • ActiveLanguageCode
  • LockObject
  • Store
  • SchemaVersion
  • OriginalSchemaVersion
  • Registry
  • Extensions
  • LifetimeManagers
  • Features
  • ImageReferences
  • EntityTypes
  • ManagementPacks
  • Presentation
  • Monitoring
  • DerivedTypes

…in other words, way more information than we need.  I generally cheat and use the following (from my Batch File days):

Get-SCOMManagementPack > "c:\MPs\InstalledMPs.txt"

This creates a text file with exactly what would be displayed if I ran this cmdlet on the screen…

[Screenshot: SCOM Installed MPs, text output]

Ok, that is a lot more useful than the whole CSV list, but I might want to select only the columns I want, and not the ones that PowerShell thinks I want.  Let’s try this:

Get-SCOMManagementPack | Select-Object Name,FriendlyName,Description | ConvertTo-Csv | Out-File c:\MPs\InstalledMPs.csv

Now I have a usable file (.csv imported into Excel is a lot more useful than a text file that I can only manipulate in Notepad), that has exactly the information I want… in this case, I have the Name, the Friendly Name, and the Description.  My output might now be formatted to look like this:

[Screenshot: SCOM Installed MPs, formatted]

Much better, don’t you think?  If we are doing this for the sake of documentation, we should be able to make it as legible as possible.

Of course, you can choose your objects (columns) as you choose… just replace the names in my Select-Object entry with the ones you want (from the list above, separated by commas).  Then you can import your list into Excel.  Do not try to open the file in Excel by double-clicking… that will not do anything with your CSV formatting, and it gets ugly.

Have fun!

SCOM License – Upgrade?

The installation of System Center Operations Manager (SCOM) 2016 does not ask you anywhere to enter a license key.  Then when you run the Operations Console, you are shown a required task to Upgrade to full version.  When you click on the link, it opens a website that is less than helpful.

[Screenshot: SCOM Upgrade to Full]

In fact, when you open the Help – About, you get a nice screen that says the product is not licensed to anyone, and you are using an Eval copy.

[Screenshot: SCOM Unlicensed]

All this is saying is that we have not yet entered a product key for SCOM.  For reasons I have never quite understood, there is no way to enter the license key in the GUI; you have to enter it in the Operations Manager Shell (essentially the PowerShell for SCOM), and you have to do it directly from the Management Server.

The command is: Set-SCOMLicense -ProductID "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX".

[Screenshot: SCOM ProductID]

Once you do this, the Upgrade Required notice will disappear (when you restart the Management Console), and your product version in the About section will now appear as Retail.

[Screenshot: SCOM Licensed]

Note: If you have any problems getting this to work with the Shell, try running the Operations Manager Shell as Administrator.

Active Directory Recycle Bin

A few years ago, Microsoft introduced the Active Directory Recycle Bin to Windows Server.  Wonderful!  It is not enabled out of the box, but it is reasonably simple to enable… except, it is not.

Firstly, you can do it in the GUI… Open the Active Directory Administrative Center, navigate to local (local), and then in the Actions Pane click Enable Recycle Bin…  You will get a warning about how serious this is – that is, it is irreversible.  Thanks, let’s go ahead.  We’re done.

The other way to do it, and obviously my preferred method, is with PowerShell.  Use the following cmdlet:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=local,DC=domain,DC=name' -Scope ForestOrConfigurationSet -Target 'local.domain.name'

Once again, you will get a warning that “Enabling ‘Recycle Bin Feature’ is an irreversible action! You will not be able to disable ‘Recycle Bin Feature’ on ‘CN=Partitions,CN=Configuration,DC=local,DC=domain,DC=name’ if you proceed.”

(Yes, the warning is in orange… not my choice)

You press YES, you go ahead, and it’s done…

…or IS IT?

“A referral was returned from the server”

This error can come equally and identically from the GUI as from PowerShell… It simply means, THIS DID NOT WORK.

I have read all sorts of articles and forums on this, people telling people that they had the syntax wrong.  “Change single quotes to double quotes, or remove the quotes, that’s what will work.”  Some of these may be accurate.  In my experience, it is not a syntax error.

There are five (5) Flexible Single Master Operations (FSMO) roles on our domain.  Two of these, namely the Schema Master and the Domain Naming Master have to be on the same domain controller in order for this to work.  Otherwise… no.

I should also take a moment to mention that anytime you are doing anything with the Schema Master role, you have to be a member of the Schema Administrators security group.  I hear from people all the time ‘…but I am a member of the Enterprise Admins group!’ Nothing doing… except that, if you are a member of the EA group, you can add yourself pretty easily to the SA group.

So… transfer the Schema master role and you will be fine.  Good luck!

Oh yeah… here’s how.

  1. Use ntdsutil.exe.  I will not bore you with the details… somewhere under roles – connections – servers – bla bla bla.
  2. Use PowerShell.  Here’s your cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster

Let me know if you run into any further issues, but this should solve it for you!

DCPromo No More… PowerShell!

I needed to build a new domain controller for a friend’s company recently.  It is something that I have done so many times over the past two decades that some things are just instinctive… like typing dcpromo to create a domain controller.

dcpromo

Right… I had forgotten about that.  dcpromo has been deprecated.

You could go through the process of doing it through the Server Manager, but it really is more work than is needed.  Instead, try the following PowerShell script:

#################
#
# Script to create Active Directory Domain Controller.
# Written by Mitch Garvis for Cistel Technologies Inc.
#
# Enjoy!
#
#################

# Install Active Directory

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Create Domain Controller

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "domain.com" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

That should do it… just change where it says ‘domain.com’ to whatever domain you want to use.  Run it.  In a couple of minutes, you will be asked to enter a Safe mode Admin password.  A few minutes after that, you should have a brand new domain controller.

Remember, depending on the size of your Active Directory, it may take several hours to replicate to the new DC… so give it time 🙂