Change the Way You Change Text

I remember when I first discovered the mail merge feature… it amazed the twelve-year-old me that I could write a letter once, and then AppleWorks would address that letter to the several hundred people in my database.  I was thrilled with it.

Last week, I was working with a client who moved a server.  No big deal, right?  Well unfortunately, this was a server that collected information from every other server in the environment… several hundred of them, to be precise.  If the collection application were programmed differently, there would have been an option to send out to all of the servers the changed IP address.  This application did not work that way.  Even though we have an agent deployed to every server, there was no automated way to make the change on the agent side… at least, not out of the box.

It turns out that the information we needed to change was in a file I will call ‘c:\Program Files\Collector\agent.conf.’ The file consisted of three lines:

[Collector Agent Settings]
Collector Hostname: servername.domain.com
Collector IP Address: 10.201.15.72

While the collector hostname was not changing, the IP address had to, because it had been relocated to a different datacenter.  The new address was going to be 10.205.119.70.  (Obviously none of these addresses are the actual addresses from my client… don’t go looking for them!)  I had to change the IP address in this file… but I had to do it across about 600 servers.  Fortunately I have my deployment tool that allows me to send the script to every server… and I have PowerShell, which let me build the following script:

# Variables

$s1 = "10.201.15.72"
$s2 = "10.205.119.70"
$file = "c:\Program Files\Collector\agent.conf"

# Stop the service

net stop Collector

# Make my change: read the file, replace the old address with the new one, write it back

(Get-Content -Path $file) -replace $s1, $s2 | Set-Content -Path $file

# Restart the service

net start Collector

So:

First I set my variables, which are the original IP address, the new IP address, and the file name.

Next I stop the service, because while the service is actually running, the configuration file is protected.  In some cases, you may also have a Process protecting it, so you would then have to add a Kill command.

The Get-Content / Set-Content line does the following:

  • Reads the file (from the variable)
  • Replaces the first variable with the second variable, and writes the result back to the same file.

And lastly, I restart the service.

Now, I used this script for a configuration file, but there is no reason it cannot be used for any other purpose.  Changing text in ASCII files is something you might need to do on a regular basis.  Scripting it will save you a lot of time and effort.
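As an added example (not the post's own script), here is a version of the same change that refuses to touch the file unless the old address is actually in it, keeps a backup, verifies the result before the service comes back up, and treats the dots in the address as literal characters rather than regex wildcards. The file path and the service name Collector are the placeholders used above.

```powershell
# Added example, not the post's own script. Assumptions: the file path and the
# service name 'Collector' from the post; both are placeholders for your own.
$old     = '10.201.15.72'
$new     = '10.205.119.70'
$file    = 'C:\Program Files\Collector\agent.conf'
$service = 'Collector'

if (-not (Test-Path -LiteralPath $file)) {
    throw "Config file not found: $file"
}

# -replace takes a regular expression; escape the old value so '.' means a literal dot.
$pattern = [regex]::Escape($old)
$content = Get-Content -LiteralPath $file -Raw

if ($content -notmatch $pattern) {
    Write-Warning "Old address $old not present in $file; nothing to do."
    return
}

# Timestamped copy so the change can be rolled back.
$backup = "$file.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $file -Destination $backup

# The service holds the file while it runs, so stop it before editing.
Stop-Service -Name $service -ErrorAction Stop
try {
    $updated = $content -replace $pattern, $new
    # -NoNewline avoids appending a trailing newline the original file did not have.
    Set-Content -LiteralPath $file -Value $updated -NoNewline -Encoding ASCII

    # Verify the new value really is on disk before bringing the service back.
    if ((Get-Content -LiteralPath $file -Raw) -notmatch [regex]::Escape($new)) {
        throw "Replacement not found after write; restoring $backup"
    }
}
catch {
    # Put the original file back so the agent never starts with a half-edited config.
    Copy-Item -LiteralPath $backup -Destination $file -Force
    throw
}
finally {
    Start-Service -Name $service
}
```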

Domain Controller Ports

Recently I was asked by a client to produce a list of firewall ports that are used by Active Directory Domain Services (AD DS), specifically those for domain controllers.  This is what I came up with:

Protocol and port | AD and AD DS usage | Type of traffic
------------------|--------------------|----------------
TCP and UDP 389   | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636           | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268          | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269          | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88    | User and Computer Authentication, Forest-Level Trusts | Kerberos
TCP and UDP 53    | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445   | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25            | Replication | SMTP
TCP 135           | Replication | RPC, EPM
TCP Dynamic       | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722          | File Replication | RPC, DFSR (SYSVOL)
UDP 123           | Windows Time, Trusts | Windows Time
TCP and UDP 464   | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP Dynamic       | Group Policy | DCOM, RPC, EPM
UDP 138           | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389          | AD DS Web Services | SOAP
UDP 137           | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
TCP 139           | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon

One of the sites I polled for this information also listed the ports for DHCP (which is not an AD component, but is often installed on domain controllers).  Another listed that there are more ports for Azure AD and Office 365.  I am not including all of these.  I just set out to list the ports required for on-premises Active Directory in Windows Server 2016.
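As an added example (not part of the original post), the script below checks from a domain-joined machine that every domain controller answers on the fixed TCP ports from the table. It assumes the ActiveDirectory module is installed; UDP-only ports (123, 137, 138) and the dynamic RPC range cannot be probed with a TCP connect and are left out, as is TCP 25, which only matters if you configured SMTP-based replication.

```powershell
# Added example, not from the original post. Fixed TCP ports taken from the table above.
Import-Module ActiveDirectory

# Plain hashtable (not [ordered]) on purpose: an OrderedDictionary indexed with an
# integer uses it as a position, not a key.
$tcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session service'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos change/set password'
    636  = 'LDAP SSL'
    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL'
    5722 = 'DFSR (SYSVOL)'
    9389 = 'AD DS Web Services'
}

function Test-DcPorts {
    # Defaults to every DC in the current domain; pass -DomainControllers to narrow it.
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName)

    foreach ($dc in $DomainControllers) {
        foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
            # -InformationLevel Quiet makes Test-NetConnection return a plain boolean.
            $reachable = Test-NetConnection -ComputerName $dc -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $port
                Service          = $tcpPorts[$port]
                Reachable        = $reachable
            }
        }
    }
}

$results = Test-DcPorts
$results | Format-Table -AutoSize

# Anything a firewall blocks between this host and a DC shows up here.
$results | Where-Object { -not $_.Reachable }
```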

Server 2016 Versions & Builds

When Microsoft introduced the Operating System as a Service with Windows 10, a lot of people started getting confused by the different version numbers and build numbers, all the while Microsoft was telling us it was really the same operating system.  Okay, I think we have it clear now… three years later.

So just to make things fun, Windows Server 2016 is offered as an OS as a Service as well… although mercifully we do not have to update our servers nearly as often to stay current.

It is one thing to mess around with our desktops.  Messing around with our servers could be disastrous on an entirely different level.  So, unlike Windows 10, monthly updates (or Cumulative Updates, if you are just catching up) will not change the version of the OS.  If you installed a Windows Server from the original release (Version 1607), it will remain Version 1607.  The only thing that will change is the OS Build.

Notice the different build… the original reads OS Build 14393.1884, and after applying Cumulative Update for Windows Server 2016 for x64-based Systems (KB4093119) it kicks up to OS Build 14393.2189.

Some of us in the know feel that calling every release of Windows 10 the same operating system is like saying that a 2013 Ford Mustang is the same as a 2018 Ford Mustang; just because they have the same name does not make them the same car.  Similarly, Windows 10 Version 1607 is hardly the same as Windows 10 Version 1803.  They look the same for day-to-day operations, but under the hood there are real differences (for example, try to find your Control Panel in the Windows Menu in 1803).

The team at Microsoft understood that you cannot just upgrade versions with servers.  There are too many things that could go wrong.  As such, Windows Server 2019 is currently in pre-release testing (we used to call it beta testing… I can’t keep up with the current names).  When the time is right, you can upgrade.

In the meantime, should you be upgrading all of your servers that are Version 1607 to Version 1803?  In general I wouldn’t, but there may be use cases where you would want to.

I hope this clears some things up for you!

Delegating Control in Active Directory

I have been saying for years that a good IT department in a secure, well-managed infrastructure will give their end users the tools they need to do their job… and nothing more.

If that is true for end users, shouldn’t it also be true for the IT department themselves?  It is frustrating to see the number of shops I go into where there are fifteen or twenty members of the Domain Admins group, and for the silliest reasons.

By using the Delegation of Control Wizard, you can assign very granular permissions to regular user accounts to perform several common tasks.  In Windows Server 2016 these include:

  • Create, delete, and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
  • Modify the membership of a group
  • Join a computer to the domain
  • Manage Group Policy links
  • Generate Resultant Set of Policy (Planning)
  • Generate Resultant Set of Policy (Logging)
  • Create, delete, and manage inetOrgPerson accounts
  • Reset inetOrgPerson passwords and force password change at next logon
  • Read all inetOrgPerson information

These permissions can be set either at the domain level, or at the Organizational Unit (OU) level (except Join a computer to the domain, which must be set at the domain level).  In order to do it:

  1. Open Active Directory Users and Computers (ADUC)
  2. Right-click on the domain (or OU) where you want to assign the permission
  3. Click Delegate Control…
  4. On the Welcome to… window click Next
  5. On the Users or Groups window click Add… and select the security group (or individual) that you want to affect.  Click Add, then click Next
  6. On the Tasks to Delegate window select the tasks from the list, and then click Next
  7. On the Completing the Delegation of Control Wizard window click Finish.

Remember, if you have multiple sites across slow links this might take a while to propagate, but you are done.  That’s it!

I hope this helps.  Really, it has not changed much in fifteen years, but sometimes it is important to refresh knowledge, especially for the newer generations of IT Admins!
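As an added example (not from the original post), here is how to see what the wizard actually wrote and whether the Domain Admins group is as small as it should be: it lists Domain Admins members (nested groups expanded) and every principal holding the Reset Password right on an OU. It assumes the ActiveDirectory module and an OU distinguished name of your own in place of the placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module;
# the OU distinguished name below is a placeholder for one of yours.
Import-Module ActiveDirectory

# 1. Domain Admins membership, with nested groups expanded.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
"Domain Admins ($($domainAdmins.Count)): $($domainAdmins -join ', ')"

# 2. Who holds the 'Reset Password' extended right on a given OU.
#    The rightsGuid is looked up from the Extended-Rights container in the
#    configuration partition instead of being hard-coded.
$ouDN = 'OU=Helpdesk Users,DC=domain,DC=com'   # placeholder
$configNC = (Get-ADRootDSE).ConfigurationNamingContext
$resetPw = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$resetPwGuid = [guid]$resetPw.rightsGuid

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # Full control implies every extended right, so list those holders too.
            (($_.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll) -or
            # ExtendedRight with an empty ObjectType means "all extended rights".
            (($_.ActiveDirectoryRights -band $rights::ExtendedRight) -and
             ($_.ObjectType -eq $resetPwGuid -or $_.ObjectType -eq [guid]::Empty))
        )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize
```

Entries with IsInherited set to True came from a parent container, so the delegation was not made on this OU; the rest is what the wizard (or someone) granted here.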

What is in a Name?

Recently a client asked me to build a series of virtual machines for them for a project we were working on.  No problem… I asked what they should be named, and the client told me to call them whatever sounded right.

That did not sound right… or at least, it turned out to not be right.  Indeed, the client had an approved server naming convention, and when the manager saw my virtual machines named VM1, VM2, VM3, and so on… he asked me to change them.

If we were talking about a single server, I would have logged in and done it through Server Manager.  But there were fifteen machines in play, so I opted to use Windows PowerShell from my desktop.

Rename-Computer -ComputerName "VM1.domain.com" -NewName "ClientName" -DomainCredential domain\Mitch -Restart

The cmdlet is pretty simple, and allowed me to knock off all fifteen servers in three minutes.  All I needed was the real names… and of course my domain credentials.

The cmdlet works just as well with the -LocalCredential parameter… in case you aren’t domain joined.

That’s it… have fun!

Offline Files: Groan!

You’ve configured Folder Redirection in Group Policy, and it works as expected… as long as you are connected to the network.  As soon as you disconnect, things stop working.  That may be a real inconvenience if you are redirecting your Photos, but if you have redirected your Desktop folder to a network share, there is a good chance that your computer will be rendered unusable… that is, until you reconnect to your local network.

We came across this issue recently at a client’s site, and we spent a few aggravating hours trying to get things working, to no avail.  Remember, this is something that I have been doing since the days of Windows 2000, and the procedures have not changed significantly in that time.  I was baffled… until I realized that we were working with a File Server Failover Cluster, and that our servers were Windows Server 2016.

There is an option in clustered Server 2016 shares that is called Enable continuous availability.  If this option is checked (as it is by default), then even if you have done everything right… even if your Offline Files are properly configured, you are going to click on a file in that properly configured folder, and in the Details tab it will be listed as Available: Online-Only.

How do we fix that?  Simple… uncheck the box.

  1. In Server Manager, expand File and Storage Services, and then click on Shares.
  2. In your list of shares, right-click on the one where you are redirecting your files and click Properties.
  3. In the Settings tab, clear the checkbox next to Enable continuous availability.
  4. Click Okay.

Incidentally, the file share will only be listed under the cluster node that is the current owner.  Don’t worry about doing it at the Cluster Level, although if you prefer to do it in Failover Cluster Manager, you can perform the following steps to achieve the same results:

  1. Connect to the relevant failover cluster.
  2. Navigate to Roles
  3. Click on your File Server Role in the main screen.
  4. In the Details pane below, select the Shares tab.
  5. Right-click the relevant share, and click Properties.
  6. In the Settings tab, clear the checkbox next to Enable continuous availability.
  7. Click Okay.

The Properties window will be identical to the one that you saw under Server Manager.

You shouldn’t have to refresh your group policy on the client, but you may want to log off and log on to force the initial synchronization.

That’s it… Good luck!
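As an added example (not from the original post), the same change from PowerShell on the cluster node that currently owns the file server role, with a check before and after. The share name Redirected and the role name FS01 are placeholders.

```powershell
# Added example, not from the original post. Placeholders: the clustered file
# server role 'FS01' and the share 'Redirected'. Run on the owning cluster node.
$scope = 'FS01'
$share = 'Redirected'

# Every share still marked continuously available will leave Offline Files at Online-Only.
Get-SmbShare -ScopeName $scope |
    Where-Object { $_.ContinuouslyAvailable } |
    Select-Object Name, ScopeName, Path, ContinuouslyAvailable

# Same effect as clearing "Enable continuous availability" in Server Manager.
Set-SmbShare -Name $share -ScopeName $scope -ContinuouslyAvailable $false -Force

# Confirm the setting took.
(Get-SmbShare -Name $share -ScopeName $scope).ContinuouslyAvailable
```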

KB4103723: DO NOT APPLY!

Hey folks, if you know what is good for you, do not apply this patch yet.  KB4103723 protects against a CredSSP vulnerability that has not yet been exploited.  However, it will break lots of things in your system, including RDP and Hyper-V connections.  Errors will include CredSSP errors when trying to connect via RDP (or Hyper-V Manager, or Failover Cluster Manager, or SCVMM):

Remote Computer: This could be due to CredSSP encryption oracle remediation.

Good luck!

Automated Virtual Machine Activation

Let’s face it… Microsoft wants you to use Microsoft, so when it can, it creates technologies that make it easier for you to do so.  Automatic Virtual Machine Activation (AVMA) is one of those tools.

I remember when Microsoft got into the server virtualization game, it really had very little to compete with VMware, other than price.  That has certainly changed, and while Hyper-V is not completely where ESXi is, it is damned close… and there are some benefits, such as AVMA.

What is it?  Simple.  If your virtualization host is running Hyper-V, then your guest VMs do not need to activate to Microsoft… or even to a KMS Server for that matter.  They activate directly to the host.  That means that rather than having to keep track of (or worse, share) your Product Keys, you can simply share the AVMA keys.  The rest is done through the Data Exchange Integration Service in the Hyper-V stack.

The downside?  You have to have an (activated) Windows Server Datacenter Edition as your host.  In other words, it will not work with Hyper-V Server.  That is not a huge downside, but it is significant.

The keys are available for free on-line, and the activation is done against your host.  So use the following keys:

Windows Server 2016

Edition    | AVMA key
-----------|------------------------------
Datacenter | TMJ3Y-NTRTM-FJYXT-T22BY-CWG3J
Standard   | C3RCX-M6NRP-6CXC9-TW2F2-4RHYD
Essentials | B4YNW-62DX9-W8V6M-82649-MHBKQ

Windows Server 2012 R2

Edition    | AVMA key
-----------|------------------------------
Datacenter | Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW
Standard   | DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
Essentials | K2XGM-NMBT3-2R6Q8-WF2FK-P36R2

(Notice that this works only for Server 2012 R2 and later.  The feature was only introduced in that version.)

One thing you need to make sure of in the guest VM settings… You need to have Data Exchange enabled in the Integration Services context, as seen here:

…So now, you can include the AVMA key in your VM templates, and you will be all set.  But if you didn’t do that, try the following command:

slmgr.vbs /ipk C3RCX-M6NRP-6CXC9-TW2F2-4RHYD

That will add the product key to your VM, and all that is left to do is activate it using the following:

slmgr.vbs /ato

That’s it… Have fun!
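As an added example (not from the original post), this script run on the Hyper-V host checks the two prerequisites the post names before you start handing out AVMA keys: the host is an activated Datacenter edition, and every VM has Data Exchange (the integration service Hyper-V calls Key-Value Pair Exchange) switched on. The function names are mine.

```powershell
# Added example, not from the original post. Run on the Hyper-V host; requires the
# Hyper-V PowerShell module. Function names are assumptions, not Hyper-V cmdlets.
Import-Module Hyper-V

function Test-AvmaHost {
    # AVMA needs an activated Datacenter host; LicenseStatus 1 means licensed.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" |
        Select-Object -First 1
    [pscustomobject]@{
        Edition       = $os.Caption
        IsDatacenter  = ($os.Caption -match 'Datacenter')
        LicenseStatus = $lic.LicenseStatus
        AvmaCapable   = ($os.Caption -match 'Datacenter') -and ($lic.LicenseStatus -eq 1)
    }
}

function Get-VmDataExchangeState {
    # Reports each VM's Data Exchange state; with -Enable, turns it on where it is off.
    param([switch]$Enable)
    $kvpName = 'Key-Value Pair Exchange'   # shown as "Data Exchange" in the VM settings
    foreach ($vm in Get-VM) {
        $kvp = Get-VMIntegrationService -VM $vm -Name $kvpName
        if ($Enable -and -not $kvp.Enabled) {
            Enable-VMIntegrationService -VM $vm -Name $kvpName
            $kvp = Get-VMIntegrationService -VM $vm -Name $kvpName
        }
        [pscustomobject]@{ VM = $vm.Name; DataExchangeEnabled = $kvp.Enabled }
    }
}

Test-AvmaHost
Get-VmDataExchangeState | Format-Table -AutoSize
# To fix instead of just report:  Get-VmDataExchangeState -Enable
```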

 

Domain Controller Health Service Lockdown Issue with SCOM 2016

I came to this realization last year, but I don’t think I wrote about it.

Domain controllers, specifically those running Windows Server 2016 and monitored with System Center Operations Manager 2016 (and later, I assume), have a bit of an issue when you deploy the SCOM Agent to the server.  It deploys, it installs… but when you look at the list, your domain controllers do not have that friendly GREEN check mark… you get the same icon, but it is grey.

(Screenshot: SCOM Greyed)

Reason? The Health Service is denying NT AUTHORITY\SYSTEM.

(Screenshot: HSLockdown)

This is an easy fix.  If you are running Server with Desktop Experience (what we until recently called the GUI), then make sure you open the Command Prompt with elevated privileges.  Navigate to c:\Program Files\Microsoft Monitoring Agent\Agent, and then type the following:

  1. HSLockdown.exe /A "NT AUTHORITY\SYSTEM"
  2. net stop healthservice
  3. net start healthservice

Once you do that, it should only take a minute for SCOM to reflect the change.  If you are too impatient to wait, you can click REFRESH.

I hope this helps!

DCPromo No More… PowerShell!

I needed to build a new domain controller for a friend’s company recently.  It is something that I have done so many times over the past two decades that some things are just instinctive… like typing dcpromo to create a domain controller.

(Screenshot: dcpromo)

Right… I had forgotten about that.  dcpromo has been deprecated.

You could go through the process of doing it through the Server Manager, but it really is more work than is needed.  Instead, try the following PowerShell script:

#################
#
# Script to create Active Directory Domain Controller.
# Written by Mitch Garvis for Cistel Technologies Inc.
#
# Enjoy!
#
#################

# Install Active Directory

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Create Domain Controller

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "domain.com" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

That should do it… just change where it says ‘domain.com’ to whatever domain you want to use.  Run it.  In a couple of minutes, you will be asked to enter a Safe Mode Administrator password.  A few minutes after that, you should have a brand new domain controller.

Remember, depending on the size of your Active Directory, it may take several hours to replicate to the new DC… so give it time 🙂

Hyper-V Server Clustering Network Issue: Validation Failed?

If I’ve told you once I’ve told you a thousand times… When you build a Failover Cluster on Windows Server make sure you run the Validation Tests… and make sure those tests succeed (or at the very least nothing FAILS… Warnings are acceptable).

So as I sit at a client trying to cluster two Hyper-V Server 2016 hosts, I am frustrated by the big red FAILED on my Cluster Report.

(Screenshot: Failure)

Should you ever encounter this error, it is important to note that the network vEthernet (Data) is not the same network as Data.  So the solution, which stymied me for about an hour, was simple:

(Screenshot: Solution)

In other words, I have to disable TCP/IPv6 on the problematic binding, which I do with a simple PowerShell cmdlet:

PS c:\> Disable-NetAdapterBinding -Name "vEthernet (Data)" -ComponentId ms_tcpip6

(Remember that I have to put the “quotation marks” around the name because there is a space in it… otherwise I could leave them out.)

Also remember that because these hosts are Hyper-V Servers and not actual Windows Servers, I couldn’t use the GUI to do this.  (There actually is a netsh command to accomplish this as well… but PowerShell rocks!)

Once I ran this cmdlet on both hosts, I re-ran my Validation Tests, and bingo!

(Screenshot: Validated)

Everything comes up roses, and I can continue my day happily.

I hope this helps you!

Windows Server 2016: A pet peeve

Over the next few weeks, as I do my first production infrastructure implementation based on Windows Server 2016 and System Center 2016, I am sure this list will grow longer.  In the meantime, I have uncovered my first pet peeve in the new version.

Don’t get me wrong, overall I like Server 2016… but to find out that it is no longer possible to install Windows Server with a GUI (Graphical User Interface) and then later to uninstall the GUI (see article for Windows Server 2012) is fairly annoying.

Throughout the launch of Windows Server 2012 I was with the Evangelism Team at Microsoft Canada and I traveled the country – first for the launch events, and then evangelizing and teaching that platform.  I spent a lot of time talking about Server Core because of the benefits for security, as well as for the reduced resource requirements (which, in a virtualized infrastructure, can be staggering).

Of course, Server Core looks a lot like where we started out… if you were a server administrator back in the 1980s and most of the 1990s, you were using command line tools to do your job.  However it had been too long ago, and the vast majority of admins today were not admins back then.  So I was able to discuss a compromise… Install Windows Server with the GUI, and when you were done doing whatever it was you needed the GUI for (or thought you did), you could uninstall it… or at the very least, switch to MinShell.

I showed up at my client site this week and was handed a series of brand new servers on which to work.  They all had the GUI installed.  So I went to work, and typed in that familiar PowerShell cmdlet to remove the GUI.  I was greeted by that too-familiar red text which meant I had done something wrong.  I will spare you the boring details, and after several minutes of research I discovered that Microsoft had removed the ability to remove the GUI in Windows Server 2016.

I understand that the product team has to make difficult decisions when developing the server, but this was one that I wish they had not made.  However confirmation comes directly from the product group in this article, in which they write:

Unlike some previous releases of Windows Server, you cannot convert between Server Core and Server with Desktop Experience after installation. If you install Server Core and later decide to use Server with Desktop Experience, you should do a fresh installation.

I wish it weren’t so, but it is.  Once you install the GUI you are now stuck with it… likewise, if you opted for Server Core when you first installed, you are committed as well.

Sigh.