Category Archives: Windows Server 2008

Step-by-Step Guide to publishing proxy settings via GPO for IE10 and IE11 in a Windows Server 2008 R2 AD environment

Before IE10, Internet Explorer settings could be managed using Internet Explorer Maintenance (IEM) in Group Policy. If your organization has IE settings published using IEM, they will no longer apply to IE10 and IE11.

In a Windows Server 2012 or later AD environment this is not a problem: you can simply publish these settings using the new IE settings publishing method in GPO. In Windows Server 2008 and Windows Server 2008 R2 a different method is needed. In this post I will explain how to do it in a Windows 2008 R2 AD environment.

Before IE10 you could publish settings via GPO using User Configuration > Policies > Windows Settings > Internet Explorer Maintenance. But if your server is running IE10 or IE11, you can no longer see it in GPO.

The new method is to publish IE settings via User Configuration > Control Panel Settings > Internet Settings. There you can create settings based on IE version. In my demo I am using a DC running Windows 2008 R2 with IE 11 installed, but here I can't see an option to publish IE10 or IE11 settings.

So how can we do it?

In order to publish IE10+ settings you need one of the following in the same domain:
1)    Windows 2012 or newer server with the Group Policy Management feature installed
2)    Windows 8.0 machine with the latest RSAT tools https://www.microsoft.com/en-gb/download/details.aspx?id=28972
3)    Windows 8.1 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=39296
4)    Windows 10 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=45520

Also make sure the system is running the latest updates.

Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 from a computer that is running Windows 8.1, Windows 8 or newer.

In my demo I am using a Windows 8.1 machine with RSAT installed.

1)    To start, log in to the PC with Domain Administrator privileges.
2)    Then go to Programs and click on Group Policy Management.

3)    Once it loads, expand the console, go to the domain, right click and select Create a GPO in this domain, and Link it here.
In my demo I am going to create a new GPO to publish the IE settings.

4)    Type the new policy name and click OK.

5)    Then right click on the newly added policy and click Edit.

6)    Expand the policy settings and go to User Configuration > Preferences > Control Panel Settings > Internet Settings. Then right click and select New. Here we can now see Internet Explorer 10. There is no IE11 entry; the IE10 settings are valid for IE11 too. Click on “Internet Explorer 10” to publish the settings.

7)    This opens a window that looks similar to the typical IE settings interface.

8)    Enter the changes you would like to publish.

9)    One thing you need to make sure of: once you have entered the changes, press “F6” to apply them. If it works, the red dotted underline changes to a green dotted underline. Whatever changes you enter, if you do not activate them by pressing F6 they will not be published.

10)    Click OK to submit the settings; here you can see it saved the IE10 browser settings.

11)    It’s time for testing; let’s see if the new settings published for IE11 have been applied.

12)    Yes, it worked fine. One thing to keep in mind: if you need to make changes to the GPO, you need to use one of the options mentioned above. You can’t edit these values from Windows 2008 R2.
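
The test in step 11 can be scripted on the client. This is an added example, not code from the original post: it refreshes user policy and checks that the proxy the preference item publishes has actually landed in the registry location IE reads; the proxy address is a constructed placeholder.

```powershell
# Added example (not from the original post): verify on a client that the
# proxy settings published through the IE10 preference item have applied.
# Group Policy Preferences write the user's proxy configuration to the same
# registry key IE itself uses (assumption: default GPP behaviour).
$expectedProxy = "proxy.example.local:8080"   # constructed placeholder, use your own value

function Get-IEProxyConfig {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride      # bypass list, e.g. "<local>"
        AutoConfigURL = $p.AutoConfigURL      # set only when a PAC file is published
    }
}

function Test-IEProxyApplied {
    param([Parameter(Mandatory)][string]$Expected)
    # Refresh user policy first so the preference item has a chance to apply;
    # /force re-applies even if the GPO version has not changed.
    gpupdate /target:user /force | Out-Null
    $cfg = Get-IEProxyConfig
    $ok = $cfg.ProxyEnable -and ($cfg.ProxyServer -eq $Expected)
    if (-not $ok) {
        Write-Warning "Proxy not applied. Enabled=$($cfg.ProxyEnable) Server='$($cfg.ProxyServer)'"
        Write-Warning "Check the item shows green (F6) underlines and the GPO is linked to the user's OU."
    }
    return $ok
}

Get-IEProxyConfig
Test-IEProxyApplied -Expected $expectedProxy
```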

If you have any questions feel free to contact me on rebeladm@live.com

The Active Directory Replication Status Tool (ADREPLSTATUS)

Healthy Active Directory replication is important for an Active Directory infrastructure. REPADMIN is a command line utility which can be used to check AD replication status. I wrote an article before about common replication errors and how to use these command line utilities for troubleshooting. If you have not read it yet you can find it here.

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool published by Microsoft which can be used to analyze the replication status of an Active Directory environment. The output is similar to the output of the command REPADMIN /SHOWREPL * /CSV but with a few enhancements.

Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis
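
The REPADMIN /SHOWREPL * /CSV output the tool builds on can be filtered the same way from PowerShell, which is useful on a 2008 R2 DC where nothing extra can be installed. This is an added example, not code from the post or from ADREPLSTATUS; it assumes the CSV column names repadmin emits on 2008 R2 / 2012.

```powershell
# Added example, not part of the original post or of the ADREPLSTATUS tool:
# build a "who is failing to replicate from whom" view from repadmin's CSV.
# Assumption: column names are those emitted by repadmin on 2008 R2 / 2012.

function Get-ReplicationFailures {
    param(
        # Minutes since last success after which a link with no errors is still flagged
        [int]$StaleAfterMinutes = 180
    )
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = 0
        [void][int]::TryParse($r.'Number of Failures', [ref]$failures)

        # "Last Success Time" can be "(never)"; TryParse keeps that from throwing
        $lastOk = [datetime]::MinValue
        $hasTime = [datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)
        $stale = $hasTime -and (((Get-Date) - $lastOk).TotalMinutes -gt $StaleAfterMinutes)

        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = $failures
                LastSuccess   = if ($hasTime) { $lastOk } else { $null }
                LastStatus    = $r.'Last Failure Status'
                Reason        = if ($failures -gt 0) { 'failing' } else { 'stale' }
            }
        }
    }
}

# Most failures first; empty output means every partner is healthy and current
Get-ReplicationFailures | Sort-Object Failures -Descending | Format-Table -AutoSize
```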

System Requirements

Domain membership requirements:
    • Must be joined to the Active Directory domain or forest you intend to monitor

.NET Framework requirements:
    • .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

Required user credentials:
    • Target forest/domain user account

Other requirements:
ADREPLSTATUS will not work when the following security setting is enabled on the operating system:
    • System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

The tool can be downloaded from https://www.microsoft.com/en-gb/download/details.aspx?id=30005

Installation

It is very straightforward. All you need to do is double click on the file.

Once installed, double click on the icon to run the application.

Once the tool is loaded, you can check replication for the entire forest or for specific domains.

After you specify the replication boundaries, click on the Refresh Replication Status button. It will discover the current configuration and replication status.

If required you can export the data to XPS or CSV format.

Hope this info helps. If you have any questions feel free to contact me on rebeladm@live.com

Step by Step Guide to downgrading domain and forest functional level

Until Windows Server 2008 R2, forest and domain functional levels could not be downgraded once upgraded. That is not a problem if you properly plan your Active Directory upgrades, but sometimes it saves lives given the difficulties admins face with AD upgrades. Starting with Windows Server 2008 R2 you can downgrade forest and domain functional levels. The minimum level it can be downgraded to is Windows Server 2008.

In my demo I am using a domain controller with forest and domain functional levels set to Windows 2012 R2.

There is no GUI to perform this downgrade; we have to use PowerShell commands to do it.

First, log in to the domain controller as a domain admin / enterprise admin.

Then open PowerShell with admin rights.

Then we need to import the AD module. To do that, type:

Import-Module -Name ActiveDirectory

Before proceeding, as confirmation, here my domain and forest functional levels are set to Windows Server 2012 R2.

First I am going to set the forest functional level to Windows Server 2008. To do that, run (note the straight quotes and plain hyphens; curly quotes and dashes pasted from a web page will not be accepted by PowerShell):

Set-ADForestMode -Identity "CANITPRO.com" -ForestMode Windows2008Forest

Here my FQDN is CANITPRO.com; replace it with your domain name.
After running the command it asks for confirmation; type Y or A to confirm the change.

The next step is to downgrade the domain functional level to Windows Server 2008. To do that, run:

Set-ADDomainMode -Identity "CANITPRO.com" -DomainMode Windows2008Domain

After the commands succeed, the next step is to confirm the new forest and domain functional levels. This time I am using PowerShell.
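
The confirmation, plus the one pre-check worth doing before lowering the levels, as an added example that is not code from the original post: an enabled AD Recycle Bin pins the forest at Windows Server 2008 R2 or higher, so the script reports it before attempting the same two commands with -WhatIf. The function name is my own; the cmdlets are the standard ActiveDirectory module ones.

```powershell
# Added example (not from the original post): show the current forest and
# domain modes and check the condition that blocks a downgrade to
# Windows Server 2008: an enabled AD Recycle Bin keeps the forest at
# 2008 R2 or higher. Assumes the ActiveDirectory module (2008 R2+ / RSAT).
Import-Module -Name ActiveDirectory

function Get-FunctionalLevelStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # EnabledScopes is empty unless the optional feature has been switched on
    $recycleBin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $recycleBinEnabled = ($recycleBin -ne $null) -and ($recycleBin.EnabledScopes.Count -gt 0)
    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        Domain            = $domain.DNSRoot
        DomainMode        = $domain.DomainMode
        RecycleBinEnabled = $recycleBinEnabled
        CanLowerTo2008    = -not $recycleBinEnabled
    }
}

$status = Get-FunctionalLevelStatus
$status | Format-List

if ($status.CanLowerTo2008) {
    # Same commands as in the post; -WhatIf only shows what would change.
    # Remove -WhatIf (and answer Y at the prompt) to actually lower the levels.
    Set-ADForestMode -Identity $status.Forest -ForestMode Windows2008Forest -WhatIf
    Set-ADDomainMode -Identity $status.Domain -DomainMode Windows2008Domain -WhatIf
} else {
    Write-Warning "Recycle Bin is enabled; the forest cannot be lowered below Windows2008R2Forest."
}
```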

If you have any questions feel free to contact me on rebeladm@live.com

Compacting DHCP database using Jetpack.exe

Like any other database, the DHCP server database also needs periodic maintenance to keep up performance and availability. In large infrastructures the DHCP database can grow fast. As we do for other databases, the DHCP server DB can also be compacted. Microsoft recommends doing this for any database larger than 30 MB.

Back in the Windows NT days Microsoft introduced a utility called “Jetpack” which can be used to compact WINS and DHCP databases. This tool is still available even on Windows Server 2012 R2.

In this demo I will show how we can compact the database. The compact process happens in 3 steps:

1)    Copy the running DHCP database into a temporary database.
2)    Delete the original DHCP DB.
3)    Rename the temporary database to the original database file name.

Please note that to do this we first need to stop the DHCP server, so make sure to plan for the downtime.

In this demo I am using a Windows Server 2012 R2 server which is joined to the domain. It holds the DHCP server role for the network.

1)    Log in to the server as Domain Admin or Enterprise Admin.
2)    Open a command prompt as admin.

3)    Then type cd %systemroot%\system32\dhcp

4)    Then type net stop dhcpserver. This stops the DHCP server.

5)    Then type jetpack.exe dhcp.mdb tmp.mdb

This is the interesting part: if you do not have the “WINS Server” role installed on the server, you will get an error like 'jetpack' is not recognized as an internal or external command, operable program or batch file.
Unfortunately jetpack only comes with the WINS server package, so you need to add this role if you do not have it.

6)    Finally type net start dhcpserver to start the DHCP server.
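
The six steps as one script, added here as an example and not code from the original post: it refuses to run when jetpack.exe is missing (the WINS role problem described above), keeps a dated backup of dhcp.mdb, skips databases under the 30 MB threshold, and restarts the service even if compaction fails. The function name and the backup naming are my own.

```powershell
# Added example, not from the original post: the same six steps as a script.
# Run from an elevated PowerShell on the DHCP server.
$dhcpDir = Join-Path $env:SystemRoot 'System32\dhcp'
$jetpack = Join-Path $env:SystemRoot 'System32\jetpack.exe'

function Invoke-DhcpDatabaseCompaction {
    param([string]$Path = $dhcpDir, [int]$MinSizeMB = 30)
    if (-not (Test-Path $jetpack)) {
        throw "jetpack.exe not found; install the WINS Server feature first."
    }
    $db = Join-Path $Path 'dhcp.mdb'
    $sizeMB = [math]::Round((Get-Item $db).Length / 1MB, 1)
    if ($sizeMB -lt $MinSizeMB) {
        Write-Host "dhcp.mdb is $sizeMB MB, below the $MinSizeMB MB threshold; nothing to do."
        return $false
    }
    $backup = Join-Path $Path ("dhcp.mdb.{0:yyyyMMdd-HHmmss}.bak" -f (Get-Date))

    Stop-Service DHCPServer -Force          # step 4: DB must be closed before compaction
    Push-Location $Path                     # step 3: jetpack takes file names relative to cwd
    try {
        Copy-Item $db $backup               # safety copy; jetpack rewrites the original
        & $jetpack 'dhcp.mdb' 'tmp.mdb'     # step 5: copy -> delete original -> rename tmp
        if ($LASTEXITCODE -ne 0) {
            throw "jetpack exited with code $LASTEXITCODE; backup kept at $backup"
        }
        $newMB = [math]::Round((Get-Item $db).Length / 1MB, 1)
        Write-Host "Compacted dhcp.mdb from $sizeMB MB to $newMB MB"
        return $true
    } finally {
        Pop-Location
        Start-Service DHCPServer            # step 6: never leave clients without DHCP
    }
}

Invoke-DhcpDatabaseCompaction
```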

If you have any question feel free to contact me on rebeladm@live.com

Tools to help with group policy design

Designing group policies for an organization can get complex. It can cause chaos, as sometimes it is very hard to revert changes pushed from group policies to workstations, especially changes that involve registry values. So proper design is very important.

There are some tools/features in GPO management which can help with designing, testing or troubleshooting group policies. Please note that none of these are recommended as permanent solutions to fix group policy design issues.

Block Inheritance

Any GPO set up at a higher level in the GPO structure automatically applies to the lower levels in the model. For example, the “Default Domain Policy” is by default at the highest level in the structure, so any changes made to it (which is not recommended) also apply to lower levels in the hierarchy.

In the following screenshot, you can see the Default Domain Policy is automatically inherited by the “Test OU” I have created.

We can disable this inheritance. To do that, right click on the OU where we need to block inheritance and click “Block Inheritance”.

Once it’s done, we can no longer see the Default Domain Policy which was inherited.

Enforced Policies

Using the Enforced option we can force policies to apply at lower levels in the hierarchy. For example, let’s assume we have two policies called Policy A and Policy B at a high level in the hierarchy. At a lower level some OUs have blocked policy inheritance, so by default these two policies will not apply to them. But we still need to push Policy A to everyone in the organization no matter what. By enforcing the policy we can push it even to OUs that use Block Inheritance.

To enforce a policy, right click on the policy you need to enforce and click on “Enforced”.

Then we can see in Test OU that it is inherited even though the OU uses the Block Inheritance option.

Loopback Processing

As we know, we can apply group policies based on the user object or the computer object in Active Directory. But on some special occasions we need to consider only the policies based on the computer object. For example, in a library or public lab many users may use the same computer. In that case the computer should stay the same for every user; it should not change based on the user policies. It should only use the computer policies applied to it.

In Group Policy Management, start editing the policy you would like to configure with loopback processing. Under Computer Configuration\Policies\Administrative Templates\System\Group Policy, double click on the option “Configure user Group Policy loopback processing mode”.

There are 2 modes we can use with it.

Replace – This will not consider user policies at all; it will only apply the computer GPO.
Merge – In this mode it considers both user and computer policies, but if there is any conflict it always uses the computer policies.
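
Because all three features are easy to forget about once set, the useful companion is an audit of where they are in use. The following is an added example, not code from the original post: it lists every container with Block Inheritance or an Enforced link, and every GPO that turns on loopback processing. It assumes the GroupPolicy and ActiveDirectory RSAT modules, and that the loopback setting is stored as the ADMX template writes it (UserPolicyMode: 1 = Merge, 2 = Replace).

```powershell
# Added example (not from the original post): audit Block Inheritance,
# Enforced links and loopback processing across the domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkAudit {
    $domainDn = (Get-ADDomain).DistinguishedName
    $targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                                 Select-Object -ExpandProperty DistinguishedName)
    foreach ($t in $targets) {
        $inh = Get-GPInheritance -Target $t
        if ($inh.GpoLinks.Count -eq 0) {
            # An OU with no links of its own can still block inheritance; report it
            [pscustomobject]@{ Container = $inh.Path; BlocksInheritance = $inh.GpoInheritanceBlocked
                               Gpo = $null; Enforced = $false; LinkEnabled = $null }
        }
        foreach ($link in $inh.GpoLinks) {
            [pscustomobject]@{
                Container         = $inh.Path
                BlocksInheritance = $inh.GpoInheritanceBlocked
                Gpo               = $link.DisplayName
                Enforced          = $link.Enforced
                LinkEnabled       = $link.Enabled
            }
        }
    }
}

function Get-LoopbackGpos {
    $modes = @{ 1 = 'Merge'; 2 = 'Replace' }   # assumption: ADMX value mapping
    foreach ($gpo in Get-GPO -All) {
        # Get-GPRegistryValue throws when the value is absent, hence the error action
        $v = Get-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
        if ($v) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; LoopbackMode = $modes[[int]$v.Value] }
        }
    }
}

Write-Host "== Containers using Block Inheritance or Enforced links =="
Get-GpoLinkAudit | Where-Object { $_.BlocksInheritance -or $_.Enforced } | Format-Table -AutoSize
Write-Host "== GPOs that enable loopback processing =="
Get-LoopbackGpos | Format-Table -AutoSize
```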

If you have any question about post feel free to contact me on rebeladm@live.com

Group Policy Slow Link Detection

In an Active Directory infrastructure, we use group policies to push security settings and other computer configuration from a central location. They can be applied at computer level or user level. In an organization it’s important to maintain a proper design for group policies and their hierarchy, as complexity and application order can cause issues on the network.

This is very important when you deal with a multi-site environment, because group policies can become a bottleneck for bandwidth usage between remote sites and the main site. This is something most administrators do not pay attention to. I agree it depends on the group policies and their use, but for example let’s assume we have 10 group policies to apply to users in a remote site. The link between locations is 512kb; just imagine 100 workstations logging on in the morning and initiating these group policies. How much bandwidth will that use? Also, what about a user logging in from a remote location? Can we expect they always get good speed?

Well, Microsoft has an answer for this. Before applying group policies to a workstation it checks the connection speed from the distributing server to the workstation; by default Microsoft treats any link speed below 500kbps as a slow link. Once a slow link is detected, it will automatically skip some of the group policy components. So if you are having issues getting all the group policies onto a workstation in a remote location (it can even be in the local network if the NIC is maxed out due to its activities or a virus) this is one place to check.

Here is a list of components that will and will not be processed when a slow link is detected.

Component                          Pushed
Administrative Templates           Yes
Group Policy Preferences           Yes
Security                           Yes
802.3 Group Policy                 Yes
EFS                                Yes
IE maintenance                     Yes
Internet Explorer Zone Mapping     Yes
IP Security                        Yes
QoS Packet Scheduler               Yes
Microsoft Offline Files            Yes
Software Restriction Policies      Yes
Windows Search                     Yes
Wireless                           Yes
Deployed Printer Connections       No
Disk Quotas                        No
Folder Redirection                 No
Scripts                            No
Software Installation              No

How to change this default limit?

We can change the default limit as per our infrastructure needs. To do this:

Log in to the DC server as the domain admin or enterprise admin.

Then go to Server Manager > Tools > Group Policy Management

Then go to the relevant policy, right click on it and select Edit.

This setting can be changed at computer configuration level or user configuration level. Both are located in the same path: Policies\Administrative Templates\System\Group Policy

Here there is an option called Configure Group Policy slow link detection.

Double click on it to change it. By default it is in Not Configured status. Even if you disable it or leave it not configured, the system still detects any link below 500kbps as a slow link.

Once it is enabled, you can set speeds in kbps (kilobyte per second).

If you set the speed to 0 it disables this feature. We can also force the system to treat all WWAN connections as slow links.
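
When a remote site is missing scripts or software installs, the first question is which GPO, if any, has changed the threshold, on which side, and what the workstation actually sees. The script below is an added example, not code from the original post; it assumes the setting is stored as the DWORD GroupPolicyMinTransferRate (in kbps) under the policy System key on both the computer (HKLM) and user (HKCU) side, which is where the ADMX template for this setting writes it.

```powershell
# Added example (not from the original post): find GPOs that change the
# slow-link threshold, and read the effective value on the local machine.
Import-Module GroupPolicy

$defaultKbps = 500   # built-in threshold when the setting is Not Configured or Disabled
$valueName   = 'GroupPolicyMinTransferRate'   # assumption: ADMX registry value name
$hives = @{
    Computer = 'HKLM\Software\Policies\Microsoft\Windows\System'
    User     = 'HKCU\Software\Policies\Microsoft\Windows\System'
}

function Describe-Threshold([int]$Kbps) {
    if ($Kbps -eq 0) { 'slow-link detection disabled' } else { "links under $Kbps kbps are slow" }
}

# Which GPOs set the threshold, for the computer and/or user side
function Get-SlowLinkGpoSettings {
    foreach ($gpo in Get-GPO -All) {
        foreach ($side in $hives.Keys) {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $hives[$side] -ValueName $valueName -ErrorAction SilentlyContinue
            if ($v) {
                [pscustomobject]@{
                    Gpo       = $gpo.DisplayName
                    Side      = $side
                    Threshold = [int]$v.Value
                    Effect    = Describe-Threshold ([int]$v.Value)
                }
            }
        }
    }
}

# What this machine / this user has actually received after policy processing
function Get-LocalSlowLinkThreshold {
    foreach ($side in $hives.Keys) {
        $path = $hives[$side] -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
        $val  = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $kbps = if ($val -ne $null) { [int]$val } else { $defaultKbps }
        [pscustomobject]@{ Side = $side; Threshold = $kbps; Source = if ($val -ne $null) { 'policy' } else { 'default' }
                           Effect = Describe-Threshold $kbps }
    }
}

$hits = @(Get-SlowLinkGpoSettings)
if ($hits.Count -eq 0) { Write-Host "No GPO sets a threshold; the default of $defaultKbps kbps applies." }
else { $hits | Format-Table -AutoSize }
Get-LocalSlowLinkThreshold | Format-Table -AutoSize
```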

If you have any question about the post feel free to contact me on rebeladm@live.com

How to change the UPN (User Principal Name) suffix for an entire domain?

In an organization, a company may need to use multiple UPN suffixes for its operations. I wrote an article before explaining how to add multiple UPN suffixes to the domain. You can read it at http://www.rebeladmin.com/2015/01/how-to-configure-multiple-user-principal-name-upn-suffixes/

There are situations where you will need to do a mass UPN suffix change. One of the recent challenges I faced was changing a domain name suffix ending with .local to a public domain name ending with .com, because I was working on Azure AD integration with the local AD, which only supports public domain names. In my case it was only a few users since it was a demo, but what happens if you need to change it for hundreds of users? The manual method would take ages to complete.

In the following demo I am going to show how it can be done using a PowerShell script.

In AD I have 3 users under “Test OU” called user1 to user3. All 3 are using canitpro.local as the UPN suffix.

I need to change all users to the UPN suffix “rebeladmin.com”.

To do that, open PowerShell ISE with appropriate admin permissions.

Then type the following and press Enter:

Import-Module ActiveDirectory
$oldSuffix = "canitpro.local"
$newSuffix = "rebeladmin.com"
$ou = "DC=canitpro,DC=local"
$server = "DCM1"
# Select only users whose UPN actually ends with the old suffix, so accounts
# with no UPN or a different suffix are left untouched (and no empty UPN is hit)
Get-ADUser -SearchBase $ou -Server $server -Filter "UserPrincipalName -like '*@$oldSuffix'" | ForEach-Object {
    # Swap only the part after the @ sign, keeping the user name intact
    $prefix = $_.UserPrincipalName.Substring(0, $_.UserPrincipalName.LastIndexOf('@') + 1)
    $newUpn = $prefix + $newSuffix
    $_ | Set-ADUser -Server $server -UserPrincipalName $newUpn
}

In the above, $oldSuffix represents the old domain UPN suffix, $newSuffix represents the new UPN suffix it should change to, $ou represents the search path (you can use a specific OU or the entire domain; I used the entire domain for the demo), and $server represents the DC server name.

Now let’s go and check if it has changed. As we can see, it has changed to the new suffix.

If you have any question about the post feel free to contact me on rebeladm@live.com

How to allow/prevent domain users from joining workstations to the domain?

In an Active Directory domain environment, by default any authenticated domain user can add workstations to the domain up to 10 times. But there are situations where you may need to increase this limit or disable it completely.

For example, let’s assume an employee brings his laptop into the office and plugs it into the company network. Unless it is controlled via NPS (Network Policy Server) or network level port protection, the user can simply add it to the company domain using his/her user credentials. It’s definitely a threat to the organization’s network and data.

In another example, let’s assume we restructured the company domain hierarchy and need to move to a different domain. If the company has 500+ workstations it will take days to move them to the new domain. But if we adjust this limit we can get help from department leads and managers with the process without delegating permissions.

So based on the requirement, let’s see how we can edit this limit. In the demo I am using a domain controller running Windows Server 2012 R2, but the same steps can be used for a Server 2008 environment as well.

Note – This limit does not apply to any user account which is a member of the Domain Admins or Enterprise Admins groups.

1)    Log in to the DC server as domain admin or enterprise admin.
2)    Go to Server Manager > Tools > ADSI Edit.

3)    In the console expand the default naming context and select the correct domain (in a forest there can be different domains based on the config).

4)    Then right click on it and select “Properties”.

5)    Once the list is open find the attribute called ms-DS-MachineAccountQuota. This is the attribute responsible for the above limit. By default it is set to 10. If you set it to 0 it disables this limit; otherwise the value can be adjusted based on the requirements.

6)    Once done click OK until you exit from the popup window.
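
The same change from PowerShell, with the check I would run before lowering the quota, as an added example that is not code from the original post: AD stamps the joining user's SID into mS-DS-CreatorSID on computer objects created through this quota, so listing those objects shows which machines were added by ordinary users (admins with Create Computer Objects rights leave no such marker). It assumes the ActiveDirectory RSAT module; the function names are my own.

```powershell
# Added example (not from the original post): read/set ms-DS-MachineAccountQuota
# and list computer accounts that were joined under the quota by non-admins.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([Parameter(Mandatory)][ValidateRange(0, 2147483647)][int]$Quota)
    # 0 = disable self-service joins, as in step 5 of the post
    Set-ADDomain -Identity (Get-ADDomain).DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
    Get-MachineAccountQuota
}

function Get-UserJoinedComputers {
    # Presence filter: only objects that carry mS-DS-CreatorSID were created via the quota
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            # Translate to DOMAIN\user; fall back to the raw SID if the account no longer exists
            $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; Created = $_.whenCreated }
        }
}

"Current quota: $(Get-MachineAccountQuota)"
Get-UserJoinedComputers | Sort-Object Created -Descending | Format-Table -AutoSize

# Uncomment to disable the limit once the list above has been reviewed
# Set-MachineAccountQuota -Quota 0
```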

This is the end of the post and if you have any questions feel free to contact me on rebeladm@live.com

Domain In-Place Upgrade Method

It is important to keep domain environments running on the latest versions. It allows organizations to use the new features and enhancements available in new directory services. Typically when we upgrade from an old DC to a new version, we add a new server or servers to the same network, add them to the existing forest/domain, promote them as DCs and move the roles to the new system. Later we demote the old DC and then go ahead with the forest and domain functional level upgrades (once all legacy domain controllers are demoted). This is the seamless and preferred method. We call this the swing-server upgrade method.

But due to limitations on budget and resources, not all organizations or companies can go with the swing-server upgrade method. This issue can be addressed using the in-place upgrade method, in which we upgrade the operating system of the running domain controller.

The currently available in-place upgrade path is Windows Server 2008 or Windows 2008 R2 to Windows Server 2012 or Windows Server 2012 R2. In the following table you can find the versions it can be upgraded to. Please be aware that you can’t use an in-place upgrade to upgrade from Windows 2003 or from 32 bit versions of Windows Server 2008 to the latest Windows Server 2012. If you need to upgrade from those versions you must use the swing-server method. Also Windows Server Core 2008 R2 to Windows Server Core 2012 is not supported for in-place upgrade.

Current Version                                                                          Version that can upgrade into
Windows Server Standard 2008 with SP2, Windows Server Enterprise 2008 with SP2           Windows Server 2012 Standard or Datacenter
Windows Server Datacenter 2008 with SP2                                                  Windows Server 2012 Datacenter
Windows Web Server 2008                                                                  Windows Server 2012 Standard
Windows Server Standard R2 2008 with SP1, Windows Server Enterprise R2 2008 with SP1     Windows Server 2012 Standard or Datacenter
Windows Server Datacenter R2 2008 with SP1                                               Windows Server 2012 Datacenter
Windows Web Server 2008 R2                                                               Windows Server 2012 Standard

Once the upgrade is completed you need to manually change the forest and domain functional levels.

Before an in-place upgrade it is important to consider the following points:

1)    Hardware Requirements – Before the upgrade make sure the current hardware setup supports the new operating system. Verify the free disk space on the server. It is recommended to have at least 20% free space on the partition / disk which holds the Active Directory database.
2)    Application Compatibility – Sometimes the DC server also runs other applications for the company (even though it is not recommended). So before the upgrade you must make sure those are compatible with the new operating system and DC.
3)    Downtime – During the upgrade process the domain services will be down, so you need to prepare for the downtime.
4)    Permissions – You must have domain admin or enterprise admin rights to proceed with the upgrade.
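
Points 1 and 4, together with the two unsupported-path caveats above (32 bit and Server Core), can be checked on the DC before touching it. The script below is an added example, not code from the original post: it reads the NTDS database path from the registry value "DSA Database file" under the NTDS Parameters key, measures free space on that volume against the 20% guideline, and checks the caller's group SIDs for the Domain Admins (-512) and Enterprise Admins (-519) RIDs. The function name is my own.

```powershell
# Added example (not from the original post): pre-flight checks for an
# in-place upgrade of a domain controller. Run elevated on the DC itself.
function Test-InPlaceUpgradeReadiness {
    param([int]$MinFreePercent = 20)

    $os = Get-WmiObject Win32_OperatingSystem
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

    # Where the AD database lives; this volume must keep >= 20% free
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbPath  = (Get-ItemProperty $ntdsKey).'DSA Database file'
    $drive   = [System.IO.Path]::GetPathRoot($dbPath).TrimEnd('\')
    $disk    = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)

    # Domain Admins / Enterprise Admins by well-known RID, independent of localized group names
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = $id.Groups | ForEach-Object { $_.Value }
    $isAdmin = [bool]($sids -match '-(512|519)$')

    $result = [pscustomobject]@{
        OS                = $os.Caption
        Is64Bit           = ($os.OSArchitecture -like '64*')
        IsServerCore      = ($installType -eq 'Server Core')
        NtdsDatabase      = $dbPath
        NtdsVolumeFreePct = $freePct
        EnoughFreeSpace   = ($freePct -ge $MinFreePercent)
        RunAsDomainOrEnterpriseAdmin = $isAdmin
    }

    $blockers = @()
    if (-not $result.Is64Bit)         { $blockers += '32-bit OS: in-place upgrade not supported' }
    if ($result.IsServerCore)         { $blockers += 'Server Core 2008 R2 -> Core 2012 not supported in place' }
    if (-not $result.EnoughFreeSpace) { $blockers += "Only $freePct% free on $drive (need $MinFreePercent%)" }
    if (-not $isAdmin)                { $blockers += 'Not running as Domain Admin / Enterprise Admin' }

    $result | Add-Member -NotePropertyName Blockers -NotePropertyValue $blockers -PassThru
}

$check = Test-InPlaceUpgradeReadiness
$check | Format-List
if ($check.Blockers.Count -eq 0) { Write-Host 'No blockers found; review application compatibility and plan the downtime.' }
```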

Known issues – please refer to https://technet.microsoft.com/en-us/library/hh994618 for the known issues with the in-place upgrade method.

This is the end of the post and if you have any questions feel free to contact me on rebeladm@live.com

Image source: http://blogs.microsoft.com/wp-content/uploads/2012/08/8867.Microsoft_5F00_Logo_2D00_for_2D00_screen.jpg