Category Archives: Windows 2012

Step-by-Step Guide to publish proxy settings via GPO for IE10 and IE11 in a Windows Server 2008 R2 AD environment

Before IE10, Internet Explorer settings could be managed using Internet Explorer Maintenance (IEM) in Group Policy. If your organization has IE settings published using IEM, they no longer apply to IE10 and IE11.

In a Windows Server 2012 or later AD environment this is not a problem: you can simply publish these settings using the new IE settings publishing method in GPO. But with Windows Server 2008 and Windows Server 2008 R2 you need to follow a different method. In this post I will explain how to do it in a Windows Server 2008 R2 AD environment.

Before IE10 you could publish settings via GPO using User Configuration > Policies > Windows Settings > Internet Explorer Maintenance. But if your server is running IE10 or IE11 you can't see it any more in GPO.

The new method is to publish IE settings via User Configuration > Preferences > Control Panel Settings > Internet Settings. There you can create settings based on the IE version. In my demo I am using a DC running Windows Server 2008 R2 with IE 11 installed. But here I can't see an option to publish IE10 or IE11 settings.

ie2

So how can we do it?

In order to publish IE10+ settings you need one of the following in the same domain:
1)    Windows Server 2012 or newer with the Group Policy Management feature installed
2)    Windows 8.0 machine with the latest RSAT tools https://www.microsoft.com/en-gb/download/details.aspx?id=28972
3)    Windows 8.1 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=39296
4)    Windows 10 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=45520

Also make sure the system is running the latest updates.

Remote Server Administration Tools (RSAT) enable IT administrators to remotely manage roles and features in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 from a computer that is running Windows 8.1, Windows 8 or newer.

In my demo I am using a Windows 8.1 machine with RSAT installed.

1)    To start, log in to the PC with Domain Administrator privileges.
2)    Then go to Programs and click on Group Policy Management.


3)    Once it loads, expand the console, go to the domain, right-click and select Create a GPO in this domain, and Link it here.
In my demo I am going to create a new GPO to publish the IE settings.

4)    Type the new policy name and click OK.

5)    Then right-click on the newly added policy and click Edit.

6)    Expand the policy settings and go to User Configuration > Preferences > Control Panel Settings > Internet Settings. Then right-click and select New. Here we can now see IE 10. There is no IE11 entry; the IE10 settings are valid for IE11 too. Click on "Internet Explorer 10" to publish the settings.

7)    A window opens which looks similar to the typical IE settings interface.

8)    Enter the changes you would like to publish.

9)    One thing you need to make sure of: once you have entered the changes, press F6 to apply them. If it works, the red dotted underline changes to a green dotted underline. Whatever changes you enter, if you do not activate them by pressing F6 they will not be published.

10)    Click OK to submit the settings; here you can see it saved the IE10 browser settings.

11)    It's time for testing. Let's see if the new settings published for IE11 are applied.

12)    Yes, it worked fine. One thing to keep in mind: if you need to make changes to the GPO, you need to use one of the above-mentioned options. You can't edit the new values with Windows 2008 R2.
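The testing step above is done by opening IE on a client. As an added example that is not part of the original post, here is a PowerShell check that does the same verification without the GUI: it refreshes user policy and then reads the per-user WinINET proxy values that the IE10 preference item writes. The expected proxy address is an assumption (placeholder), so replace it with the value you published.

```powershell
# Added example (not from the original post): verify on a client that the
# proxy settings published through the IE10 Group Policy Preference item
# reached the logged-on user's profile.
# Assumption: the GPP item publishes proxy "proxy.example.local:8080" (placeholder).

$ExpectedProxy  = 'proxy.example.local:8080'   # placeholder, replace with your value
$ExpectedEnable = 1                            # 1 = "Use a proxy server" ticked

function Get-UserProxySetting {
    # IE and other WinINET clients read the per-user proxy from this key; the
    # GPP Internet Settings item writes here when the user policy applies.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable
        ProxyServer   = [string]$p.ProxyServer
        ProxyOverride = [string]$p.ProxyOverride
    }
}

function Test-PublishedProxy {
    param([string]$Proxy, [int]$Enable)
    $actual = Get-UserProxySetting
    $ok = ($actual.ProxyEnable -eq $Enable) -and ($actual.ProxyServer -eq $Proxy)
    if (-not $ok) {
        Write-Warning ("Expected ProxyEnable=$Enable ProxyServer=$Proxy, got " +
                       "ProxyEnable=$($actual.ProxyEnable) ProxyServer='$($actual.ProxyServer)'")
        # The most common cause: the setting was typed but never activated with F6
        # (still underlined red in the editor), so the item publishes nothing.
        Write-Warning 'Re-open the GPP item, press F6 until the setting is underlined green, then run gpupdate /force.'
    }
    $ok
}

# Usage: run as the user the policy targets, refresh policy, then check.
gpupdate /target:user /force | Out-Null
Test-PublishedProxy -Proxy $ExpectedProxy -Enable $ExpectedEnable
```

The check returns $true when both the enable flag and the proxy address match; a mismatch prints what was actually found so you can tell a wrong value apart from a setting that never applied.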

If you have any questions feel free to contact me on rebeladm@live.com

The Active Directory Replication Status Tool (ADREPLSTATUS)

Healthy Active Directory replication is important for an Active Directory infrastructure. REPADMIN is a command-line utility which can be used to check the AD replication status. I wrote an article before about common replication errors and how to use these command-line utilities for troubleshooting. If you have not read it yet you can find it here.

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool published by Microsoft which can be used to analyze the replication status of an Active Directory environment. The output is similar to the output of the command REPADMIN /SHOWREPL * /CSV but with a few enhancements.

Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

System Requirements

Domain membership requirements:

    • Must be joined to the Active Directory domain or forest you intend to monitor

.NET Framework requirements:

    • .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

Required user credentials:

    • Target forest/domain user account

Other requirements:

ADREPLSTATUS will not work when the following security setting is enabled on the operating system:

    • System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

The tool can be downloaded from https://www.microsoft.com/en-gb/download/details.aspx?id=30005

Installation

It is very straightforward. All you need to do is double-click the file.

Once installed, double-click the icon to run the application.

Once the tool is loaded, you can check replication for the entire forest or for specific domains.

After you specify the replication boundaries, click the Refresh Replication Status button. It will discover the current configuration and replication status.

If required, you can export the data to XPS or CSV format.
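As an added example that is not part of the tool or the original post, the following PowerShell script covers the two things a practitioner wants around ADREPLSTATUS: a check of the FIPS security setting that stops the tool from running, and a forest-wide replication report in the same spirit as the tool's CSV export (built on the ActiveDirectory module's replication cmdlets, not on the tool itself). The 24-hour "stale" threshold and the output path are assumptions.

```powershell
# Added example, not part of the ADREPLSTATUS tool or the original post.
#  1. Is "System cryptography: Use FIPS 140 compliant algorithms" enabled here?
#     ADREPLSTATUS will not run while it is.
#  2. A forest-wide replication status report, similar in shape to
#     repadmin /showrepl * /csv, with failing or stale partners flagged and
#     the rows exported to CSV for offline analysis.
# Assumes a domain-joined host, the ActiveDirectory module (RSAT) and a forest user account.

Import-Module ActiveDirectory

function Test-FipsPolicyEnabled {
    # The security option is stored as this registry value; 1 = enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [bool]($v -eq 1)
}

function Get-ForestReplicationReport {
    param([int]$StaleHours = 24)   # assumed threshold; tune to your replication schedule
    $forest = (Get-ADForest).Name
    $cutoff = (Get-Date).AddHours(-$StaleHours)
    # One row per (server, partner, naming context): last attempt, last success,
    # result code and how many attempts in a row have failed.
    Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest | ForEach-Object {
        [pscustomobject]@{
            Server              = $_.Server
            Partner             = $_.PartnerAddress
            Partition           = $_.Partition
            LastAttempt         = $_.LastReplicationAttempt
            LastSuccess         = $_.LastReplicationSuccess
            ResultCode          = $_.LastReplicationResult      # 0 = success
            ConsecutiveFailures = $_.ConsecutiveReplicationFailures
            # Failing or stale links are the ones to fix first: a partner that
            # cannot replicate for long enough is how lingering objects arise.
            NeedsAttention      = ($_.ConsecutiveReplicationFailures -gt 0) -or
                                  ($_.LastReplicationSuccess -lt $cutoff)
        }
    }
}

function Export-ForestReplicationReport {
    param([string]$Path = (Join-Path $env:TEMP 'ad-replication-status.csv'))   # assumed path
    $rows = Get-ForestReplicationReport
    $rows | Export-Csv -Path $Path -NoTypeInformation
    $rows | Where-Object NeedsAttention |
        Format-Table Server, Partner, Partition, ResultCode, ConsecutiveFailures, LastSuccess -AutoSize
    $Path
}

if (Test-FipsPolicyEnabled) {
    Write-Warning 'FIPS policy is enabled on this host; ADREPLSTATUS will not run here. Use the report below or run the tool from another machine.'
}
Export-ForestReplicationReport
```

The console output lists only the links that need attention; the CSV holds every link so it can be handed to the destination domain's administrators for offline analysis, which is the same workflow the tool's export supports.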

Hope this info helps. If you have any questions feel free to contact me on rebeladm@live.com

Step by Step Guide to downgrade domain and forest functional level

Until Windows Server 2008 R2, it was not possible to downgrade the forest and domain functional levels once they had been raised. That is not a problem if you plan your Active Directory upgrades properly, but sometimes it is a lifesaver given the difficulties admins face with AD upgrades. Starting with Windows Server 2008 R2 you can downgrade forest and domain functional levels. The minimum level it can be downgraded to is Windows Server 2008.

In my demo I am using a domain controller with the forest and domain functional levels set to Windows Server 2012 R2.

There is no GUI to perform this downgrade. We have to use PowerShell commands to do it.

First, log in to the domain controller as Domain Admin / Enterprise Admin.

Then load PowerShell with admin rights.

Then we need to import the AD module.

To do that type Import-Module -Name ActiveDirectory

Before proceeding, as confirmation, here my domain and forest functional levels are set to Windows Server 2012 R2.

First I am going to set the forest functional level to Windows Server 2008.
To do that,

Set-ADForestMode -Identity "CANITPRO.com" -ForestMode Windows2008Forest

Here my FQDN is CANITPRO.com; replace it with your domain name.
After you run the command it asks for confirmation; type Y or A to confirm the change.

The next step is to downgrade the domain functional level to Windows Server 2008.
To do that,

Set-ADDomainMode -Identity "CANITPRO.com" -DomainMode Windows2008Domain

After the commands complete successfully, the next step is to confirm the new forest and domain functional levels. This time I am using PowerShell.
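The two commands above are the whole procedure. As an added example that is not part of the original post, the script below wraps them in a function that prints the levels before and after, supports -WhatIf so the change can be rehearsed, and refuses to go below Windows Server 2008 R2 when the AD Recycle Bin optional feature is enabled, since an enabled Recycle Bin pins the forest functional level at 2008 R2 or higher. The domain name is the demo value from the post; the function and parameter names are my own.

```powershell
# Added example (not from the original post): the forest and domain downgrade
# from the post as one function with a before/after readout, -WhatIf/-Confirm
# support and a Recycle Bin precheck. Assumes the ActiveDirectory module and
# Enterprise Admin rights; "CANITPRO.com" is the demo domain from the post.

Import-Module ActiveDirectory

function Get-FunctionalLevels {
    param([Parameter(Mandatory)][string]$Domain)
    [pscustomobject]@{
        ForestMode = (Get-ADForest).ForestMode
        DomainMode = (Get-ADDomain -Identity $Domain).DomainMode
    }
}

function Test-RecycleBinEnabled {
    # Once the Recycle Bin feature is enabled it cannot be disabled, and the
    # forest functional level cannot be lowered below Windows Server 2008 R2.
    $f = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    [bool](@($f.EnabledScopes).Count -gt 0)
}

function Invoke-FunctionalLevelDowngrade {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$ForestMode = 'Windows2008Forest',
        [string]$DomainMode = 'Windows2008Domain'
    )
    $before = Get-FunctionalLevels -Domain $Domain
    Write-Host "Before: forest=$($before.ForestMode) domain=$($before.DomainMode)"

    if ($ForestMode -eq 'Windows2008Forest' -and (Test-RecycleBinEnabled)) {
        throw 'AD Recycle Bin is enabled; the forest level cannot be lowered below Windows2008R2Forest.'
    }
    # Forest level first, then domain level: the same order as the post, because
    # a domain level can never be lower than the forest level.
    if ($PSCmdlet.ShouldProcess("forest of $Domain", "Set forest mode to $ForestMode")) {
        Set-ADForestMode -Identity $Domain -ForestMode $ForestMode -Confirm:$false
    }
    if ($PSCmdlet.ShouldProcess("domain $Domain", "Set domain mode to $DomainMode")) {
        Set-ADDomainMode -Identity $Domain -DomainMode $DomainMode -Confirm:$false
    }
    $after = Get-FunctionalLevels -Domain $Domain
    Write-Host "After:  forest=$($after.ForestMode) domain=$($after.DomainMode)"
    $after
}

# Usage: rehearse with -WhatIf first, then run for real (prompts once per change).
Invoke-FunctionalLevelDowngrade -Domain 'CANITPRO.com' -WhatIf
# Invoke-FunctionalLevelDowngrade -Domain 'CANITPRO.com'
```

Because ConfirmImpact is High, the real run prompts for each of the two changes exactly as the bare cmdlets do in the post; -Confirm:$false on the inner calls only avoids a second prompt for the same change.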

If you have any questions feel free to contact me on rebeladm@live.com

Restricted Groups using group policies

In a previous post I explained the different groups we can create in a domain environment. In an organization you may sometimes need to grant different users permissions to manage these groups and their memberships. But sometimes it is better to lock some of these memberships for security reasons. For example, let's assume you have a group which has access to the organization's financial records and which should only be accessible to upper management. So the membership of that group is important.

Restricted Groups policy is the answer for that. Using Group Policy you can specify the membership and enforce it, so no one can add or remove members.

Let's see how we can do it in a domain environment.

For the demo I created a group called "Remote Clients" and made usera and userb members of it.
But for the demo I need to restrict the group membership so that only user testa is a member.


To do it, go to Server Manager > Tools > Group Policy Management.

Then go to the OU you wish to apply the Restricted Groups policy to. If it is going to apply to the whole organization you can make it a global policy as well. Then right-click on the OU name and select "Create a GPO in this domain, and Link it here".

Then provide a name for the new policy and click OK.

Then go to the OU again, right-click on the new GPO and click Edit.

Then go to the Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups folder.
Right-click on it and click "Add Group".

Then select the group you need to add; in my demo it is Remote Clients. Then click OK.

Then it gives the option to add members to the group, and also to specify whether this group should be added as a member of another group.

Here I added user testa, and I need to force the membership to only this user.

Now it's all done. The next time the policy is applied it will overwrite the current membership.


If you have any question feel free to contact me on rebeladm@live.com

Compacting DHCP database using Jetpack.exe

Like any other database, the DHCP server database also needs periodic maintenance to keep up performance and availability. In large infrastructures the DHCP database can grow fast. As we do for other databases, the DHCP server DB can also be compacted. Microsoft recommends doing this for any database larger than 30 MB.

Back in the Windows NT days Microsoft introduced a utility called "Jetpack" which can be used to compact WINS and DHCP databases. This tool is still available even in Windows Server 2012 R2.

In this demo I will show how we can compact the database. The compaction happens in 3 steps:

1)    Copy the running DHCP database into a temporary database.
2)    Delete the original DHCP DB.
3)    Rename the temporary database to the original database file name.

Please note that to do this we first need to stop the DHCP server, so make sure to plan for the downtime.

In this demo I am using Windows Server 2012 R2 joined to a domain. It holds the DHCP server role for the network.

1)    Log in to the server as Domain Admin or Enterprise Admin.
2)    Open a command prompt as admin.

3)    Then type cd %systemroot%\system32\dhcp

4)    Then type net stop dhcpserver. It will stop the DHCP server.

5)    Then type jetpack.exe dhcp.mdb tmp.mdb

This is the interesting part: if you do not have the "WINS Server" role installed on the server, you will get an error like 'jetpack' is not recognized as an internal or external command, operable program or batch file.
Unfortunately, jetpack only comes with the WINS Server package, so you need to add this role if you do not have it.

6)    Finally type net start dhcpserver to start the DHCP server.
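The six steps above, as an added example that is not part of the original post, in one PowerShell script with the checks a practitioner would want around them: it confirms jetpack.exe is present before stopping anything (it ships with the WINS feature), skips databases below the 30 MB guideline the post mentions, keeps a copy of the original dhcp.mdb, and restarts the DHCP service even if the compaction fails. The feature name WINS for Install-WindowsFeature and the backup file naming are assumptions.

```powershell
# Added example (not from the original post): compact the DHCP database with
# jetpack.exe, with prechecks and a guaranteed service restart.
# Run in an elevated PowerShell session on the DHCP server.

$DhcpDir = Join-Path $env:SystemRoot 'System32\dhcp'
$Jetpack = Join-Path $env:SystemRoot 'System32\jetpack.exe'

function Test-JetpackAvailable {
    # jetpack.exe is only installed with the WINS Server feature.
    Test-Path $Jetpack
}

function Invoke-DhcpDatabaseCompaction {
    param(
        [string]$DatabasePath = (Join-Path $DhcpDir 'dhcp.mdb'),
        [int]$MinimumSizeMB   = 30    # Microsoft's guideline quoted in the post
    )
    if (-not (Test-JetpackAvailable)) {
        throw 'jetpack.exe not found; add the WINS Server feature first (Install-WindowsFeature WINS), then rerun.'
    }
    $sizeMB = [math]::Round((Get-Item $DatabasePath).Length / 1MB, 1)
    if ($sizeMB -lt $MinimumSizeMB) {
        Write-Host "dhcp.mdb is $sizeMB MB, below the $MinimumSizeMB MB guideline; nothing to do."
        return $false
    }
    $backup = "$DatabasePath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"   # assumed naming

    Stop-Service DHCPServer          # step 4: the database must be closed
    try {
        Copy-Item $DatabasePath $backup   # safety copy before jetpack deletes the original
        Push-Location $DhcpDir            # step 3: jetpack works on names relative to this folder
        # Step 5: jetpack copies dhcp.mdb into tmp.mdb, deletes the original and
        # renames tmp.mdb back. A non-zero exit code means it did not finish.
        & $Jetpack 'dhcp.mdb' 'tmp.mdb'
        if ($LASTEXITCODE -ne 0) { throw "jetpack exited with code $LASTEXITCODE; original kept at $backup" }
        $after = [math]::Round((Get-Item $DatabasePath).Length / 1MB, 1)
        Write-Host "Compacted dhcp.mdb: $sizeMB MB -> $after MB (copy of original: $backup)"
        return $true
    }
    finally {
        Pop-Location
        Start-Service DHCPServer     # step 6: bring leases back online whatever happened above
    }
}

Invoke-DhcpDatabaseCompaction
```

The try/finally is the important part: the manual procedure leaves the DHCP service stopped if jetpack errors out, whereas the script always restarts it, and the timestamped copy lets you roll back if the compacted file is unusable.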

If you have any question feel free to contact me on rebeladm@live.com

Automatic DHCP server Backup

A Dynamic Host Configuration Protocol (DHCP) server in an organization may require backup and restore of the DHCP database in the event of hardware failure, software failure, migration or a faulty configuration change. How many of you know that Microsoft's DHCP server automatically backs up your DHCP database? Sounds strange, right? But yes, the system automatically backs up the DHCP server configuration. In this post let's see how we can adjust the default parameters of this automatic backup process.

In my demo I am using a Windows Server 2012 R2 server in a domain. It has the DHCP server role installed and configured.

To start the process, log in to the server as Domain Admin or Enterprise Admin.
Then go to Server Manager > DHCP.


Once the MMC loads, right-click on the server node and click Properties.

In the new window you can see the backup path shown as C:\Windows\system32\dhcp\backup. This is the default path, but we can change it to a local folder or a network share. Click Browse to select the new path. In my demo it is set to C:\DHCPBackup. Once the path is set click OK.

The system automatically backs up the config every 60 minutes. But we can also change this schedule as per our requirements.
To do that we need to edit a registry value. To open the Registry Editor, go to Run > regedit.

Then go to the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
There you will see a value called BackupInterval.

To edit it, double-click on it and, once it opens, select the Decimal option.

As you can see the default value is 60. To change it, type the value you need (the value represents the number of minutes) and press OK. In my demo I am going to set it to 10 minutes.

Once done, we can check the folder path we set to confirm the backup has been made.
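As an added example that is not part of the original post, the same two changes (backup path and backup interval) done from PowerShell with the DhcpServer module that ships with the role on Windows Server 2012 R2, followed by a read-back of the registry values the post edits by hand and a check that a backup actually appears in the new folder. The path and the 10-minute interval are the demo values from the post; the function names are my own.

```powershell
# Added example (not from the original post): set the DHCP backup path and
# interval with Set-DhcpServerDatabase, then verify via the registry and the
# backup folder. Run elevated on the DHCP server.

$BackupPath      = 'C:\DHCPBackup'   # demo path from the post
$IntervalMinutes = 10                # demo interval from the post (default is 60)
$ParamsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

function Set-DhcpBackupSettings {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][int]$Minutes)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # Writes the same values the MMC and regedit edit: BackupDatabasePath and
    # BackupInterval under the DHCPServer\Parameters key.
    Set-DhcpServerDatabase -BackupPath $Path -BackupInterval $Minutes
    # The service reads its Parameters key at start; restarting makes the new
    # values effective immediately rather than waiting for the next cycle.
    Restart-Service DHCPServer
}

function Get-DhcpBackupSettings {
    $reg = Get-ItemProperty -Path $ParamsKey
    [pscustomobject]@{
        RegistryPath     = $reg.BackupDatabasePath
        RegistryInterval = [int]$reg.BackupInterval
        CmdletView       = Get-DhcpServerDatabase | Select-Object BackupPath, BackupInterval
    }
}

function Test-DhcpBackupRecent {
    # True if something under the backup folder was written within one interval.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][int]$Minutes)
    $newest = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($null -eq $newest) { return $false }
    $newest.LastWriteTime -gt (Get-Date).AddMinutes(-$Minutes)
}

Set-DhcpBackupSettings -Path $BackupPath -Minutes $IntervalMinutes
Get-DhcpBackupSettings
# Check again after at least one interval has passed:
Test-DhcpBackupRecent -Path $BackupPath -Minutes $IntervalMinutes
```

If the backup path is a network share, remember that the DHCP Server service account needs write access to it; a path that the GUI accepts but the service cannot write to shows up here as Test-DhcpBackupRecent staying False.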


If you have any questions feel free to contact me on rebeladm@live.com

Bye Bye!! Windows server 2003


Microsoft Windows Server 2003 extended support ends on July 14th, 2015. Microsoft ended its mainstream support in July 2010. It has been 5 years since then, but there are a lot of organizations which still use Windows Server 2003 in their operations. If it's the same for your organization, it is not too late to build a migration plan. This post will help you determine why you need to upgrade and how to plan the migration properly.

Why *%4#@*!?

If your organization still runs smooth operations on a Windows Server 2003 infrastructure, "Why should we migrate?" is the question everyone will ask when you submit your migration plan, because migration still costs your organization $$$. This is one of the major reasons we still see Windows Server 2003 in operation. Especially in non-IT businesses it is very difficult to justify the benefits over the cost, as IT operations get a lower budget allocation. Apart from that, one common question I get in presentations is "Is Windows Server 2003 bad?" The answer to that question is straightforward: NO!!!! Windows Server 2003 was a perfect product, but in its era: in 2003 people were not talking about "Cloud Computing" and were not using "Virtualization" much in operations. "SaaS (Software as a Service)" and "IaaS (Infrastructure as a Service)" were still new terms to the industry. "Security" concerns were relatively low compared with modern computing. So it was the perfect product for "that" time, but not for "this" time.

What will happen if we don't upgrade?

No Updates – Back in the early 2000s we got operating system updates rarely, but nowadays it's almost daily. That is because new threats are found every day, and these patches fix those security holes in your infrastructure; they also include new enhancements and bug fixes for existing services and applications. So updates are crucial these days. No updates for Windows Server 2003 means Microsoft will not test or monitor Windows 2003 against new threats, and will not invest in enhancing Windows Server 2003 services or applications.

No Support – You will no longer be able to call Microsoft Support about Windows Server 2003 issues. Even during critical operational downtime you will need to fix issues on your own or hire consultants or engineers to help, which increases IT operations cost either way.

No Compliance – Businesses which handle regulated data, such as PCI (payment card industry) data, may become non-compliant, which can result in being cut off from trading partners, because to keep their systems protected they need to maintain the compliance standards.

No Application Support – Many software companies have already released applications which are no longer supported on Windows Server 2003. So soon you will not get the benefits of those new versions due to compatibility issues. Most software providers also end support for older versions of their applications to reduce lengthy support cycles, so running an unsupported application for operations adds risk.

No compatibility with modern-day computing – Microsoft Azure is one of the best examples of this. You can't re-host 32-bit Windows Server 2003 images in the Azure environment, but the majority of Windows Server 2003 installations are 32-bit. Also, in a hybrid-cloud infrastructure it will be very difficult to integrate with modern applications and services compared with infrastructures running Windows Server 2008 or 2012. The upcoming Windows Server 2016 also will not support Windows 2003 functional levels.

Why Windows server 2012 R2?

Well, if you are migrating, unless you have a critical reason you should not migrate to Windows Server 2008 or 2008 R2. Windows Server 2016 is already at Technical Preview 2, and if you plan for the long term you should definitely go to Windows Server 2012 R2.

Windows Server 2012 R2 delivers significant value around the following seven key capabilities:

1.    Server virtualization. Windows Server 2012 R2 is a virtualization platform that has helped organizations of all sizes realize considerable cost savings and operational efficiencies. With industry leading size and scale, Hyper-V is the platform of choice for you to run your mission critical workloads. Hyper-V in Windows Server 2012 R2 greatly expands support for host processors and memory. Using Windows Server 2012 R2, you can take advantage of new hardware technology, while still utilizing the servers you already have. This way you can virtualize today, and be ready for the future.

2.    Storage. Windows Server 2012 R2 was designed with a strong focus on storage, from the foundation of the storage stack up, with improvements ranging from provisioning storage to how data is clustered, transferred across the network, and ultimately accessed and managed. Windows Server 2012 R2 offers a wide variety of high-performance, highly available storage features and capabilities, while taking advantage of industry-standard hardware for dramatically lower cost.

3.    Networking. Windows Server 2012 R2 makes it as straightforward to manage an entire network as a single server, giving you the reliability and scalability of multiple servers at a lower cost. Automatic rerouting around storage, server, and network failures enables file services to remain online with minimal noticeable downtime. What’s more, Windows Server 2012 R2 – together with System Center 2012 R2 – provides an end-to-end Software Defined Networking solution across public, private, and hybrid cloud implementations.

4.    Server management and automation. Windows Server 2012 R2 enables IT professionals to meet the need for fast, continuous and reliable service within their datacenters by offering an integrated platform to automate and manage the increasing datacenter ecosystem. Windows Server 2012 R2 delivers capabilities to manage and automate many servers and the devices connecting them, whether they are physical or virtual, on-premises or off, and using standards-based technologies.

5.    Web and application platform. Windows Server 2012 R2 builds on the tradition of the Windows Server family as a proven application platform, with thousands of applications already built and deployed and a community of millions of knowledgeable and skilled developers already in place. Windows Server 2012 R2 can offer your organization even greater application flexibility. You can build and deploy applications either on-premises or in the cloud—or both at once, with hybrid solutions that work in both environments.

6.    Access and information protection. With the new capabilities in Windows Server 2012 R2, you will be able to better manage and protect data access, simplify deployment and management of your identity infrastructure on-premises and across clouds, and provide your users with more secure remote access to applications data from virtually anywhere and any device.

7.    Virtual desktop infrastructure. With Windows Server 2012 R2, Microsoft is making it even easier to deploy and deliver virtual resources across workers’ devices. VDI technologies in Windows Server 2012 R2 offer easy access to a rich, full-fidelity Windows environment running in the datacenter, from virtually any device. Through Hyper-V and Remote Desktop Services, Microsoft offers three flexible VDI deployment options in a single solution: Pooled Desktops, Personal Desktops, and Remote Desktop Sessions (formerly Terminal Services).

On your mark, get set, go!!!!

Microsoft recommends a 4-step plan for migration.

Discover – Before migration it is important to evaluate and properly inventory the currently running systems. You need to identify the server roles you need to migrate. It is also important to check how you can migrate the currently running applications and services, for example CMS, billing system, websites, etc. Some of these applications, especially custom-made ones, may require upgrades or vendor support to migrate to the new system. Also at this stage it is important to evaluate the hardware upgrades or new implementations which will be required.
You can use the Microsoft Assessment and Planning Toolkit to inventory and assess the current infrastructure setup.

Assess – In this stage we need to categorize the applications, roles and workloads based on type, importance and complexity. We need to evaluate the risks and concerns involved with the migration, for example operational downtime, impact on sales, license costs, software upgrade costs, manpower, etc.

Target – In this step we need to decide the migration destination for each application or service. It can be the same network, a datacenter facility, Azure or a hybrid-cloud setup. For example, if the company uses Exchange email services we can migrate that role to Office 365. The following links will help you decide the target.

Office365 Trial

Windows server 2012 R2 Trial

Microsoft Azure one-month Trial

Migrate – This is where the action begins. Based on the outcome of the previous steps it is time to start the actual migration. Below you can find some of the articles I wrote about role migration. You can also get further training on Windows Server 2012 here.

Step-By-Step: Migrating Windows Server 2003 FSMO Roles To Windows Server 2012 R2

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2

Step-By-Step: Migrating DHCP From Windows Server 2003 to 2012 R2

Tools to help with group policy design

Designing group policies for an organization can sometimes get complex. It can cause chaos, as it is sometimes very hard to revert changes pushed to workstations by group policies, especially those which involve registry value changes. So proper design is very important.

There are some tools/features in GPO management which can help with designing, testing or troubleshooting group policies. Please note that none of these is recommended as a permanent solution to fix group policy design issues.

Block Inheritance

Any GPO set up at a higher level in the GPO structure automatically applies to the lower levels. For example, the "Default Domain Policy" is by default at the highest level in the structure, so any change made to it (which is not recommended) also applies to the lower levels in the hierarchy.

In the following screenshot you can see the Default Domain Policy is automatically inherited by the "Test OU" I created.

We can disable this inheritance. To do that, right-click the OU on which we need to block inheritance and click "Block Inheritance".

Once it's done, we no longer see the Default Domain Policy which was inherited.

Enforced Policies

Using the Enforced option we can force policies to apply at lower levels of the hierarchy. For example, let's assume we have two policies called Policy A and Policy B at the highest level of the hierarchy. At a lower level some OUs have blocked policy inheritance, so by default these two policies will not apply to them. But we still need to push Policy A to everyone in the organization no matter what. By enforcing the policy we can push it even to the OUs that use block inheritance.

To enforce a policy, right-click the policy you need to enforce and click "Enforced".

Then we can see that in Test OU it is inherited even though the OU uses the block inheritance option.

Loopback Processing

As we know, we can apply group policies based on the user object or the computer object in Active Directory. But on some special occasions we need to consider only the policies based on the computer object. For example, in a library or public lab, many users may use the same computer. In that case the computer should stay the same for every user; it should not change based on the user policies. It should only use the computer policies applied to it.

In Group Policy Management, start editing the policy you would like to configure with loopback processing. Under Computer Configuration\Policies\Administrative Templates\System\Group Policies\ double-click the option "Configure user Group Policy loopback processing mode".

There are 2 modes we can use with it.

Replace – This will not consider the user policies at all; it will only apply the computer GPO.
Merge – In this mode it considers both user and computer policies, but if there is any conflict it always uses the computer policies.
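The three techniques in this post (Block Inheritance, Enforced, loopback processing) can also be set and, more usefully, read back from PowerShell with the GroupPolicy module that RSAT/GPMC installs. The following is an added example, not part of the original post: the domain DN, the "Test OU", "Policy A" and "Lab Computers" GPO names are placeholders standing in for the demo objects, and the Set-LoopbackMode and Get-OuEffectiveLinks functions are my own. The loopback setting is written through the registry-backed policy value the administrative template uses (UserPolicyMode: 1 = Merge, 2 = Replace).

```powershell
# Added example (not from the original post): block inheritance, enforce a
# link and set loopback mode with the GroupPolicy module, then read back
# which GPOs still reach the OU. Assumes RSAT/GPMC and rights to edit GPOs.

Import-Module GroupPolicy

$Domain = 'DC=example,DC=local'        # placeholder for your domain DN
$TestOu = "OU=Test OU,$Domain"         # placeholder for the demo OU

# 1. Block inheritance on the OU (same as "Block Inheritance" in the GUI).
Set-GPInheritance -Target $TestOu -IsBlocked Yes | Out-Null

# 2. Enforce the domain-level link of Policy A so it reaches the OU anyway
#    (same as ticking "Enforced" on the link).
Set-GPLink -Name 'Policy A' -Target $Domain -Enforced Yes | Out-Null

# 3. Loopback processing: the template "Configure user Group Policy loopback
#    processing mode" stores its choice as UserPolicyMode under the System
#    policy key; 1 = Merge, 2 = Replace.
function Set-LoopbackMode {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('Merge', 'Replace')][string]$Mode
    )
    $value = if ($Mode -eq 'Replace') { 2 } else { 1 }
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null
}
Set-LoopbackMode -GpoName 'Lab Computers' -Mode Replace   # placeholder GPO for the lab machines

# Read-back: with inheritance blocked, only enforced links above the OU and
# links on the OU itself should appear; this is the check to run before
# relying on any of the three settings.
function Get-OuEffectiveLinks {
    param([Parameter(Mandatory)][string]$OuDn)
    $inh = Get-GPInheritance -Target $OuDn
    [pscustomobject]@{
        OU                 = $OuDn
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        LinkedHere         = @($inh.GpoLinks | ForEach-Object { $_.DisplayName })
        StillInherited     = @($inh.InheritedGpoLinks |
                               ForEach-Object { "$($_.DisplayName) (Enforced=$($_.Enforced))" })
    }
}
Get-OuEffectiveLinks -OuDn $TestOu
```

In the post's scenario the read-back shows InheritanceBlocked = True and Policy A in StillInherited with Enforced=True, while Policy B and the Default Domain Policy are absent, which is exactly what the screenshots of Test OU show. Because enforced links and blocked inheritance interact in ways that are easy to lose track of, this read-back is worth running on every OU touched by a design change, in line with the post's advice not to treat these features as permanent fixes.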

If you have any question about post feel free to contact me on rebeladm@live.com