Yearly Archives: 2013

Warning: Enable Receive Side Scaling (RSS) on a network adapter

Warning: All OUs in this domain should be protected from accidental deletion

Symptom: When running the Microsoft Best Practices Analyzer on Server 2008 - Server 2012 R2, you receive the following warning:

Severity: Warning
All OUs in this domain should be protected from accidental deletion

What is accidental deletion?

By protecting all OUs in the domain from accidental deletion, you will prevent yourself from being able to simply right click and delete an organizational unit in Active Directory Users and Groups. By enabling accidental deletion on all OUs, you will have to take an extra step to delete the OU (which can be nice, as you don't want to accidentally delete an OU with important users or groups in it).

Solution:

Complete the steps below to enable protect all OUs in the domain from accidental deletion.

Open up Server Manager
Click Tools and select Active Directory Module for Windows PowerShell
Optional Step: Execute the following command to see which OUs are not currently protected from accidental deletion
1. Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft DistinguishedName
Execute the following command to protect all OUs in the domain from accidental deletion
1. Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

Notes: An official KB article from Microsoft on this subject can be found here: http://technet.microsoft.com/en-us/library/dd723677(v=ws.10).aspx

Warning: DNS: The DNS server should have scavenging enabled

1 Reply

Symptom: When running the Microsoft Best Practice Analyzer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, you receive the following recommendation/warning:

Severity: Warning
DNS: The DNS server should have scavenging enabled.

What is DNS scavenging?

Per Microsoft: Scavenging automates the deletion of old records. When scavenging is disabled, these records must be deleted manually or the size of the DNS database can become large and have an adverse effect on performance.

Solution: Complete the following steps below to enable scavenging of DNS records.

Click Start (right click Start if in Server 2012), and select Run
Type dnsmgmt.msc and click OK
Right click on your server and select Properties
Click on the Advanced tab and check Enable automatic scavenging of stale records
Click OK

Notes: The official KB article from Microsoft can be found here: http://technet.microsoft.com/en-us/library/ff807390(v=ws.10).aspx

Enabling SSL on Windows Server Update Services (WSUS)

28 Replies

Here are the steps to configure SSL on your servers running the Windows Server Update Services. This guide was written using Server 2012 R2, however it should be the same steps for Windows Server 2008 R2 as well. This guide also assumes you have a working instance of WSUS installed and configured, using default ports.

Login to your WSUS server
Open up Server Manager
Select Tools -> Internet Information Services (IIS) Manager
Generate a SSL certificate
1. Click on your Server and select Server Certificates
2. If you have your own PKI environment, follow these steps, if not, jump to step three
  1. Click Create Domain Certificate on the right side
  2. Fill in the requested information on the Distinguished Name Properties page and click Next
  3. Select your certificate authority and enter a friendly name (this can be anything), and then click Finish
3. If you need to submit a certificate request to an external certificate authority like Goaddy, Verisgn, Comodo; follow these steps
  1. Click Create Certificate Request on the right side
  2. Fill out the Distinguished Name Properties and click Next
  3. Change the Bit length to 2048 and click Next
  4. Select a location on where to place the CSR file that will be generated by the wizard and click Finish
  5. At this point, send the request to your certificate authority (like GoDaddy, Verisign, or your own internal certificate authority). You should receive back a .cer file once the claim has been fulfilled.
  6. Click on Complete Certificate Request on the right side
  7. Select the .cer file that your public certificate authority provided you, type in a friendly name (this can be anything), select Web Hosting for the certificate store, and click OK
Next, we need to bind the SSL certificate to your network adapter.
1. Expand your server, expand Sites, and select WSUS Administration
2. Select Bindings... on the right side
3. Select the https site and hit the Edit... button
4. Select https for the type, select the SSL certificate you created above, and click OK
5. Click Close on the Site Bindings window
Next, we need to enforce SSL encryption on the following virtual roots
• ApiRemoting30
• ClientWebService
• DSSAuthWebService
• ServerSyncWebService
• SimpleAuthWebService
1. Expand WSUS Administration and foreach of the directories above, complete the following steps
  1. Select the virtual site
  2. Double click on SSL Settings
  3. Check Require SSL and leave client certificates to ignore
  4. Click Apply in the top right corner
Next, we need to execute a command to tell WSUS to use ssl
1. Open up an elevated command prompt
2. Navigate to your WSUS installation folder
  1. cd "c:\Program Files\Update Services\Tools"
3. Execute the following command (replace your server with the correct FQDN)
  1. WSUSUtil.exe configuressl myserver.mydomain.local
Restart the WSUS server to make sure all changes take effect. You should be able to bring up the WSUS management console if all went well.
Configure your clients to connect via SSL to the WSUS server via Group Policy
1. Login to your domain controller
2. Open up Server Manager
3. Open up Group Policy Management
4. Right click on the policy you want to edit and select Edit
5. Expand Computer Configuration -> Polices -> Administrative Templates -> Windows Components -> Windows Update
6. Double click on Specify intranet Microsoft update service location
7. Change the intranet update service url to https and specify port 8531 and then click Apply.

That should do it! Try doing a gpupdate /force on your local machine and the check for windows updates. If windows successfully completes checking for updates, you should be good to go! 🙂

Notes: Official documentation from Microsoft in regards to using SSL and WSUS can be found here: http://technet.microsoft.com/en-us/library/hh852346.aspx#consswsus

Configuring external time source on your Primary Domain Controller

23 Replies

Here we will configure your primary domain controller (PDC) to connect to an external source to keep your time synchronized up with the rest of the world. By changing the primary DC's time source to an external source, the changes will be replicated from the PDC to other clients in your domain; limiting the amount of bandwidth needed to synchronize with an external source. First, I am going to reference much of the information provided by Marc Weisel. I would highly recommend you check out his blog post as it contains a ton of valuable information on the subject as well as more information/best practicies in regards to keeping time in your organization's infrastrucutre: http://binarynature.blogspot.co.uk/2012/04/configure-active-directory.html

Find out what your primary domain controller (PDC) is for your domain by executing the following powershell commands from any machine in the domain
1. [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
Login to your primary domain controller
Open up a command prompt/powershell window with administrative privileges
Execute the following command to configure the domain controller to look at an external time source
1. w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
  1. Notes: You can find the closest time server near you by browsing the following page and clicking on the nearest zone: http://www.pool.ntp.org/zone/@
Execute the following command to actually perform a time synchronization with the external source
1. w32tm.exe /config /update
Execute the following command for the changes to take effect
1. Restart-Service w32time

That's all that is to it!

Configuring DHCP Failover for Server 2012 R2

3 Replies

In this tutorial, we will implement one of Server 2012's newest features, DHCP Failover. Before Server 2012, DHCP failover was achieved through Windows Failover Cluster. Now, Server 2012 has native tools built into the DHCP role to support failover without the need to setup clustering services. It is nice to note that DHCP failover is fully supported in all server editions of Windows Server 2012 (Foundation, Standard, Data Center), allowing everyone to provide this role in high availability.

Before beginning, this tutorial assumes the following prerequisites to this tutorial:

Two Server 2012 servers have been installed and joined to your domain as member servers
Both servers have installed the DHCP role
One of the servers has been configured with your desired DHCP scopes

Login to your primary DHCP server that has been configured with the DHCP scopes
Open up the DHCP program
1. Launch Server Manager
2. Click Tools->DHCP
3. Expand your DHCP server and right click on IPv4 and select Configure Failover...
4. On the Introduction to DHCP Failover page, click Next to allow failover of all DHCP scopes.
  Optionally, uncheck Select all and select the specific scopes you would like to allow to failover and then click Next.
5. Click on the Add Server button
6. Check This authorized DHCP server, select the server you would like to use to allow failover, and then click OK
7. Click Next
8. Enter in the settings you wish to use and then click Next. I would recommend entering a Shared Secret and checking the State Switchover Interval to failover in the event a server fails unexpectedly.
  Notes:
  If you are failing over to another DHCP server on the same subnet, it is recommended to setup loadbalancing. If you are failing over your DHCP server to another network, set the mode to Hot standby. Additionally, here is a list with more indepth details on what each option does.
  - Relationship Name: Descriptive name to describe this DHCP Failover relationship. This can be named anything to help you understand the server relationship.
  - Maximum Client Lead Time: Specifies the amount of time for which a DHCP lease may be renewed by either failover peer without contacting the other. It also specifies the amount of time that either DHCP server will wait in a “partner down” state before assuming control of the entire IP address range within the scope. ( default = 1 hour ).
  - Mode: Select Load Balance ( default – Active / Active ) or Hot Standby ( Active / Passive )
  - Load Balance Percentage: Specifies the percentage of the IP Address range to reserve for each server in the failover relationship. Each server will use their assigned range of addresses prior to assuming control over the entire IP Address range of a scope when the other server transitions into a “partner down” state and the Maximum Client Lead Time ( specified above ) passes.
  - Auto State Switchover Interval: When selected, specifies the amount of time that elapses before a DHCP Server is automatically transitioned to a “partner down” state when network communication is interrupted to a DHCP Server. If this option is unchecked, an administrator must manually transition the status of a DHCP Server into a “partner down” state using the DHCP Management console or PowerShell. ( when checked, the default = 60 minutes )
  - Enable Message Authentication: check this checkbox option to enable authentication of failover replication traffic between servers
  - Shared Secret: Type a “Shared Secret” ( ie., a Password ) to be used to authenticate the failover connection between servers
9. Click Finish
10. Click Close on the results dialog, confirming the failover configuration was properly setup.
11. Optionally, you can login to your secondary DHCP server to confirm failover has successfully been setup.
  1. On the secondary DHCP server, right click on one of your DHCP scopes and select Properties
  2. Select the Failover tab and you should see your failover settings in effect.

That's all that's to it! Hurray for high availability! 🙂

Notes:

Descriptions of each of the failover options were found on the following technet article: http://blogs.technet.com/b/keithmayer/archive/2012/10/28/step-by-step-scoping-out-the-new-dhcp-failover-in-windows-server-2012-31-days-of-favorite-features-part-28-of-31.aspx

An offial Microsoft KB article on configuring DHCP failover can be found here: http://technet.microsoft.com/en-us/library/hh831385.aspx

Migrate DHCP Role from Server 2008 R2 to Server 2012 R2

13 Replies

After doing a quick google search, it appears you can easily migrate your DHCP server as long as you have both your current DHCP server (running Server 2008 R2) and a new Windows Server 2012 server you are going to designate as a DHCP server.

Login to your new Server 2012 R2 machine with the DHCP role installed
Open up a Powershell shell
Execute the following command to export the configuration from the Server 2008 R2 DHCP Server
1. Export-DhcpServer –ComputerName win2k8r2-dhcp.corp.contoso.com -Leases -File c:\users\yourusername\Desktop\dhcpexp.xml -verbose
Execute the following command to import the configuration into your new Server 2012 R2 DHCP Server; must be an Administrator running this PowerShell command.
1. Import-DhcpServer –ComputerName win2k12r2.corp.contoso.com -Leases –File C:\users\yourusername\Desktop\dhcpexp.xml -BackupPath C:\users\yourusername\Desktop\backup\ -Verbose

Notes: Credit goes to the following technet article for the powershell commands and a more in-depth explanation: http://blogs.technet.com/b/teamdhcp/archive/2012/09/11/migrating-existing-dhcp-server-deployment-to-windows-server-2012-dhcp-failover.aspx

Migrating Domain Controllers From Server 2008 R2 to Server 2012 R2

94 Replies

In this article, I have documented the steps I took to update our two domain controllers to Server 2012 R2 from Server 2008 R2. While this can be considered a tutorial, it is more a reflection of what I did during my migration process. This guide assumes you have already made backups of your environment, all Windows Active Directory Domain Controllers in the forest are running Server 2003 or later, and we will be recycling (reusing) the same two servers you deployed. Last, Microsoft strongly recommends we do a clean install and not directly upgrade each server, so we will decommission a DC, reinstall windows, and then redeploy the DC until the entire environment has been upgraded.

Prepare the AD Schema for Server 2012 R2
1. Mount the Server 2012 R2 installation disk on one of your Domain Controllers
2. Open up a command prompt with Administrative Privileges and navigate to the /support/adprep folder on the installation media.
  1. Click Start, type cmd, right click select Run as administrator
  2. Execute the command: d:
  3. Execute the command: cd d:\support\adprep
3. Execute the following command (don't close out of this until after we verify the schema version in an upcoming step):
  1. adprep /forestprep
  2. Type the letter C and press the enter key to begin the process
4. Execute the following command:
  1. adprep /domainprep
5. Verify the schema version has been updated
  1. Click Start and search for regedit
6. Open up regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters
7. Verify the Schema Version value matches the last entry shown in your upgrade results. In my case, the Schema Version should be 69.
Demote and decommission secondary domain controller
1. Click Start, Run...
2. Type dcpromo and click OK
3. Click Next > on the Welcome page
4. If the domain controller has the global catalog service, make sure your primary DC also has the service enabled and click OK. This can be done by opening up Active Directory Sites and Services and viewing the services for each domain controller.
5. Make sure the Delete this domain because this server is the last domain controller in the domain is UNCHECKED, and click Next >
6. Type in a new password to be used for the Local Administrator account the machine will contain after it is demoted.
7. Click Next > on the Summary page
8. Check the Reboot on completion box to restart the server after the service has been removed
9. Log back into the DC upon reboot and open up Server Manager
10. In Roles Summary, click Remove Roles
11. Click Next > on the Before You Begin page
12. Uncheck Active Directory Domain Services and DNS Server (if the role is installed) and click Next >
13. Click Remove
14. Click Close
15. Select Yes on the Do you want to restart now? dialog box
16. Log back into the DC upon reboot and you should greeted by a Removal Results window. Let the process finish and select Close upon removal success.
17. Disjoin the machine from the domain
  1. Click Start, right click Computer, select Properties
  2. Click Change settings
  3. Click Change... on the System Properties page
  4. Check Workgroup, type in a workgroup name, and click OK
  5. Click OK on the warning dialog
  6. Click OK on the Welcome to the workgroup dialog
  7. Click OK on the restart dialog
  8. Click Close on the System Properties window
    (oops, forgot to make a screenshot!)
  9. Click Restart Later on the Microsoft Windows dialog box
  10. Shutdown the machine
18. Format the decommissioned machine, reinstall a clean copy of Server 2012 R2, and join the machine to the domain.
Add first Server 2012 R2 Domain Controller
1. At this point, you should have one Server 2008 R2 Domain Controller and a blank Server 2012 R2 machine joined to the domain ready for the Active Directory services. If you are at this point, continue on, if not, you might want to read back a couple steps and see where things ventured off course.
2. Start Server Manager on your new Server 2012 R2 machine.
3. Select Manage in the top right and select Add Roles and Features
4. Click Next > on the Before you begin screen
5. Click Next > on the Select installation type screen
6. Ensure your new server is selected and click Next >
7. Check the box next to Active Directory Domain Services
8. On the Add features that are required for Active Directory Domain Services? dialog, click the Add Features button
9. Click Next >
10. Click Next >
11. Check the box that says Restart the destination server automatically if required
  (Click Yes on the restart dialog if it pops up)
12. Click the Install button
13. Once the install is done, click the Close button
14. Next, head back to the Server Manager screen and select the warning icon with the flag; then select Promote this server to a domain controller.
15. On the Deployment Configuration page, make sure Add a domain controller to an existing domain is checked and hit Next >
16. Check Domain Name System (DNS) server, Check Global Catalog (GC), and uncheck Read only domain controller (RODC). Enter a strong password to be used to access Directory Services Restore Mode and click Next >
17. Click Next > on the DNS Options page
18. Click Next > on the Additional Options page, or if you would like, you can manually select a domain controller to replicate data from and then hit Next >.
19. Click Next > on the Paths page
20. Click Next > on the Review Options page
21. Click Install on the Prerequisites Check page
22. Once the domain controller reboots after installation, open up Server Manager and select Tools, Active Directory Users and Computers
23. Expand your Domain and select Domain Controllers; ensure your new machine shows up here.
24. Next, verify DNS works properly
  1. Go back to Server Manager, select Tools, DNS
  2. Expand your server, Forward Lookup Zones, and right click on your domain name and select Properties
  3. Select the Name Servers tab and ensure all DCs are listed
Next, we need to verify the FSMO (Flexible Single Master Operations) roles are stored on our other server 2008 DC
1. On the new Server 2012 R2 DC we joined, open up a command prompt with administrative privileges.
2. Execute the following command to verify FSMO roles are on our 2008 DC:
  netdom query fsmo
Next, we need to transfer the FSMO roles from our primary DC to our new one
1. Execute the following command using the same command prompt in the previous steps: ntdsutil
2. Type roles when prompted and hit enter
3. Type connections when prompted and hit enter
4. Type connect to server server2012DC.mydomain.com, where server2012DC is the new DC we just deployed, when prompted and hit enter
5. Type quit and hit enter
6. Type transfer schema master and hit enter
7. Click Yes on the Role Transfer Dialog for the Schema Master role
8. Type transfer naming master and hit enter
9. Click Yes on the Role Transfer Confirmation Dialog for the Naming Master role
10. Type transfer PDC and hit enter
11. Click Yes on the Role Transfer Configuration Dialog for the Primary Domain Controller role
12. Type transfer RID master and hit enter
13. Click Yes on the Role Transfer Configuration Dialog for the RID master role
14. Type transfer infrastructure master and hit enter
15. Click Yes on the Role Transfer Configuration Dialog for the Infrastructure Master role
16. Type quit and hit enter
17. Type quit and hit enter
18. Execute the following command to ensure the FSMO services are on the new Server 2012 R2 machine: netdom query fsmo
At this point, you should have a Server 2012 R2 DC with the FSMO roles and a secondary 2008 R2 Domain Controller. If not, please go back and complete the steps to get to this point.
Optional Step: After upgrading the first DC, you may want to reconfigure the machine to keep its time in sync with an external source. To do this, please follow my guide here: http://jackstromberg.com/2013/10/configuring-external-time-source-on-your-primary-domain-controller/
Next, decommission the last Server 2008 R2 domain controller that used to function as the primary DC.
1. Follow the same instructions in Step 2 above called Demote and decommission secondary domain controller
Next, add the machine back to the domain
1. Follow the same instructions in Step 3 above called Add first Server 2012 R2 Domain Controller
At this point, your environment should be up and running with Windows Server 2012 R2! You can optionally transfer the FSMO roles back to your "primary" DC that you had before, or continue on with the roles left on the current DC.

Notes

Official information on removing a domain controller from the domain can be found on Microsoft's website here: http://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx

Lync call - error ID 52063 (source ID 242)

Export a list of numbers used in Lync Server 2013

13 Replies

Today I was curious how many numbers we have used up on our DID block and wanted to pull a report specifying which numbers were allocated to which user, conference room, etc. After a quick Google search, I came accross a powershell script by Lasse Nordvik Wedø. Attached below is a copy of his powershell script with a few modifications by me to pull a couple of extra attributes about the user from Active Directory. Please make sure to drop him a comment on his blog, located here: http://tech.rundtomrundt.com/2012/04/listing-all-deployed-numbers-in-lync.html

The following list of numbers will be generated to a .htm web report:

Users enabled in Lync without a number assigned
Users with a number assigned to them
Users with a private line
Analog devices
Common Area Phone Numbers
Response Group Numbers
Meeting (dialin) numbers
Meeting Room Objects
Exchange Objects
Application endpoints with a LineURI

The script can be downloaded here (make sure to remove the .txt extension once you have downloaded it): Assigned_numbers.ps1

Here is an image of executing the powershell script:

Here is an image of the result (webpage):

Here is an image of what the htm file looks like when you open it up:

Additionally, if you are looking for a complete resource of different attributes you can pull from the Get-ADUser command, see the following technet article: http://social.technet.microsoft.com/wiki/contents/articles/12037.active-directory-get-aduser-default-and-extended-properties.aspx

Jack Stromberg

A site about stuff