Archive for Windows Server 2008

Have you ever had one of those jobs where you just weren’t sure what Schema update had been applied in an environment?  The following command will let you know which of the Windows Server Schema updates have been applied. 

dsquery.exe * “CN=Schema,CN=Configuration,DC=domain,DC=com” -scope base -attr objectversion

Here is what the versions will mean:

44 = Windows Server 2008
31 = Windows Server 2003 R2
30 = Windows Server 2003
13 = Windows 2000

If anyone knows the Exchange Schema update numbers please post and share.

I’m always of fan of shortcuts and the Windows Server 2008 Administrator”s Companion from Microsoft Press has a complete list of the command line shortcuts for starting Administrative Consoles for Server 2008.  There are plenty of other goodies in this book so make sure you take a look at getting this one. 

Command Line

Console Name

AdRmsAdmin.msc    Active Directory Rights Management Services
Adsiedit.msc    ADSI Edit
Azman.msc Authorization Manager
Certmgr.msc Certmgr (Certificates)
Certtmpl.msc Certificates Template Console
CluAdmin.msc Failover Cluster Management
Comexp.msc Component Services
Compmgmt.msc Computer Management
Devmgmt.msc Device Manager
Dfsmgmt.msc DFS Management
Dhcpmgmt.msc DHCP Manager
Diskmgmt.msc Disk Management
Dnsmgmt.msc DNS Manager
Domain.msc Active Directory Domains And Trusts
Dsa.msc Active Directory Users And Computers
Dssite.msc Active Directory Sites And Services
Eventvwr.msc Event Viewer
Fsmgmt.msc Shared Folders
Fsrm.msc File Server Resource Manager
Fxsadmin.msc Microsoft Fax Service Manager
Gpedit.msc Local Group Policy Editor
Lusrmgr.msc Local Users And Groups
Napclcfg.msc NAP Client Configuration
Nfsmgmt.msc Services For Network File System
Nps.msc Network Policy Server
Ocsp.msc Online Responder
Perfmon.msc Reliability And Performance Monitor
Pkiview.msc Enterprise PKI
Printmanagement.msc Print Management
Remoteprograms.msc TS RemoteApp Management
Rsop.msc Resultant Set of Policy
Secpol.msc Local Security Policy
ServerManager.msc Server Manager
StorageMgmt.msc Share And Storage Management
Services.msc Services
StorExpl.msc Storage Explorer
Tapimgmt.msc Telephony
Taskschd.msc Task Scheduler
Tmp.msc Trusted Platform Module (TPM) Management
Tsadmin.msc Terminal Services Management
Tsconfig.msc Terminal Services Configuration
Tsgateway.msc TS Gateway Manager
Tsmmc.msc Remote Desktops
Uddi.msc UDDI Services Console
Wbadmin.msc Windows Server Backup
Wdsmgmt.msc Windows Deployment Services
Winsmgmt.msc WINS Manager
WmiMgmt.msc WMI Control

I just read over at Jane Lewis”s blog that if you plan on deploying Server 2008 Read Only Domain Controllers (RODC) and have down-level clients (XP and 2003 clients) then you will want to check out the RODC Compatibility Pack.

I know a lot of people are planning on deploying this so this should be something that you should pay attention to.  The KB article (and patch) addresses 10 potential issues.

The patch itself can be downloaded from Microsoft here.

I”ve just written a small article on the common steps that I perform when doing health checks on domain controllers.  AdminPrep is not up right now so I”ll post the health check stuff here.  I would love for you to come back here and let me know what else you do when you do health checks on domain controllers.

I get asked over and over about what I do when I”m performing a health check on a domain controller.  Below you will see some of the commands that I use when I need to ensure my domain controllers are still healthy after some sort of change…like patching.

The Event Viewer is always a must.  I look at all the logs before and after the update to the domain controller looking for abnormal events.  With the pre-check I usually go back a month of logs to get more historical data. I then run through a couple command line utilities.  One thing I always do is pipe my commands out to a text document.  This just makes it easier for me to read and also search for failed events.

Dcdiag.exe /v >> c:temppre_dcdiag.txt
This is a must and will always tell you if there is trouble with your DCs and/or services associated with it

Netdiag.exe /v >> c:temppre_Netdiag.txt
This will let me know if there are issues with the networking components on the DC.  This along with the post test also is a quick easy way to ensure the patch I just installed is really installed (just check the top of the log)

Netsh dhcp show server >> c:temppre_dhcp.txt
Some may not do this but I”ve felt the pain of a DHCP server somehow not being authorized after a patch.  This allows me verify the server count and names.

Repadmin /showreps >> c:temppre_rep_partners.txt
This shows all my replication and if it was successful or not.  Just be aware that Global Catalogs will have more info here than a normal domain controller.

repadmin /replsum /errorsonly >> c:temppre_repadmin_err.txt
This is the one that always takes forever but will let you know who you are having issues replicating with.

After I run and check the pre_ scripts I update my server.  When it is done I run post_ scripts which are the same thing but this allows me to verify them against the scripts earlier.

Hopefully this helps you when you troubleshoot your domain controllers but by no way is this an all encompassing list of things to do.  These are the standard steps I take but I would love to hear what you all do as well. 

Last week I spent some time at my former employer taking a Server 2008 upgrade course.  Shame on you if you haven”t checked them out for training because their Hard Hat courses are hands down the best out there.

I spent a lot of time in that course working with Server Core (which needs a dedicated home page on ms.com) I”ve posted in the past about using CoreConfigurator to configure common options on Server Core.  In fact Active Directory can be installed with this tool too…however there are some companys that will not be able to use this tool for a number of reasons (although they really all should 🙂 ,,).

What I would like to help with today is providing a sample Answer file to use to install Active Directory on Server Core.  I”m posting this partially (like all my posts) for my own selfish reasons of being able to get to it at a later date. 

Active Directory still gets installed by using DCPromo on Server Core, however you will have to use the /unattend:<path> switch. In my case I copied the following sample answer file to the C:temp directory and then ran the following command to install Active Directory using an answer file – dcpromo /unattend:c:tempanswer.txt  Here is a look at the answer file (don”t worry I just made that password up for this demo).

This is the Replica Domain Controller Answer File:
[DCINSTALL]
UserName=administrator
UserDomain=AdminPrep.local
Password=$up3rT0p$3cr3t
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=replica
DatabasePath=”%systemroot%NTDS” 
LogPath=”%systemroot%NTDS”
SYSVOLPath=”%systemroot%SYSVOL”
InstallDNS=yes
ReplicaDomainDNSName=AdminPrep.local
ConfirmGC=yes
SafeModeAdminPassword=$up3rT0p$3cr3t
RebootOnCompletion=yes
 

As I”ve written this blog I noticed on Microsoft”s site that they have a KB that can be of further assistance with doing unattended installs or removals of Active Directory.  take a look at KB947034.

Below is the output from the DCPromo on Server Core.

C:Usersadministrator>dcpromo /unattend:c:tempanswer.txt
Checking if Active Directory Domain Services binaries are installed…
Active Directory Domain Services Setup

Validating environment and parameters…

A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. To enable reliable DNS name resolution from outside the domain AdminPrep.local, you should create a delegation to this DNS server manually in the parent zone.

—————————————-
The following actions will be performed:
Configure this server as an additional Active Directory domain controller for the domain AdminPrep.local.

Site: Default-First-Site-Name

Additional Options:
  Read-only domain controller: No
  Global catalog: Yes
  DNS Server: Yes

Update DNS Delegation: No

Source domain controller: any writable domain controller

Database folder: C:WindowsNTDS
Log file folder: C:WindowsNTDS
SYSVOL folder: C:WindowsSYSVOL

The DNS Server service will be installed on this computer.
The DNS Server service will be configured on this computer.
This computer will be configured to use this DNS server as its preferred DNS server.
—————————————-

Starting…

Performing DNS installation…

Press CTRL-C to: Cancel

Waiting for DNS installation to finish
…………………..
Waiting for DNS Server service to be recognized… 0

Waiting for DNS Server service to start… 0

Checking if Group Policy Management Console needs to be installed…

Changing domain membership of this computer…

Stopping service NETLOGON

…..
Installing the Directory Service

..
Examining an existing forest…
.
Configuring the local computer to host Active Directory Domain Services
………………
Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DC01.AdminPrep.local…

Replicating the schema directory partition
..
Replicating CN=Schema,CN=Configuration,DC=AdminPrep,DC=local: received 536 out of approximately 1558 objects
.
Replicating CN=Schema,CN=Configuration,DC=AdminPrep,DC=local: received 1071 out of approximately 1558 objects
.
Replicated the schema container.
.
Replicating the configuration directory partition
.
Replicating CN=Configuration,DC=AdminPrep,DC=local: received 535 out of approximately 4114 objects

Replicating CN=Configuration,DC=AdminPrep,DC=local: received 1071 out of approximately 4114 objects
.
Replicating critical domain information…
.
Replicating data DC=AdminPrep,DC=local: Received 101 out of approximately 101 objects and 23 out of approximately 27 distinguished name (DN) values…

Replicating critical domain information…
….
Creating new domain users, groups, and computer objects

Setting the LSA policy information from policy DC01.AdminPrep.local

.
Configuring service IsmServ

Configuring service kdc

.
Configuring service NETLOGON

.
Setting the computer”s DNS computer name root to AdminPrep
.local

…..
Setting security on the domain controller and Directory Service files and registry keys

..
Securing S-1-5-32-551

Securing S-1-5-32-554
.
Securing S-1-5-9

Securing machinesoftwaremicrosoftwindows
……
Securing machinesystemcurrentcontrolsetcontrol

Securing c:windowssystem32logfiles
.
Securing SamSs
..
Securing dmserver
.
Securing Kerberos Policy

Replicating the domain directory partition…

Press CTRL-C to: Finish Replication Later

Replicating DC=ForestDnsZones,DC=AdminPrep,DC=local: received 18 out of approximately 18 objects
.
Replicating DC=DomainDnsZones,DC=AdminPrep,DC=local: received 42 out of approximately 42 objects
..
Configuring service NtFrs

The attempted domain controller operation has completed

Configuring the DNS Server service on this computer…
………..

I know i”m late on this but I”ve got to blog about it.  Fellow Directory Services MVP Guy Teverovsky has created the coolest tool yet for Server 2008 Server Core.  It is the Server Core CoreConfigurator

After you copy the four files to your Server Core server you have a great tool to help with the most common tasks within Server Core.  Included features are:
Features:

  • Product Activation
  • Configuration of display resolution
  • Clock and time zone configuration
  • Remote Desktop configuration
  • Management of local user accounts (creation, deletion, group membership, passwords)
  • Firewall configuration
  • WinRM configuration
  • IP configuration
  • Computer name and domain/workgroup membership
  • Installation of Server Core features/roles

The latest build added support for 3 scenarios for DCPromo:

  • Additional DC in existing domain new forest
  • Few Forest
  • New Child Domain

I highly recommend you go to his blog to view some of the screen shots.  To bad he didn”t get to make it to the last MVP summit because it would have been nice to catch up with him again.

Some of you may have noticed there were some missing tabs in Active Directory Users and Computers after you installed RSAT on Windows Vista.  Specifically the Terminal Services Profile, Remote Control, Environment, and Sessions tabs are not there.  The reason behind this is because Windows Vista is missing the TSUSEREX.DLL…basically it can”t be a Terminal Server.

Ned from the Directory Services team has posted an unsupported fix for this on the Directory Services blog.  I snagged the fix here for you to see.

  1. You can use your Windows Server 2008 AD Users and Computers snap-in by terminal serving into the remote administration sessions.
  2. You can make your RSAT DSA.MSC work the way you’d expect by taking the following unsupported steps:

A. Locate a Win2008 Server which has DSA.MSC installed via Server Manager features/roles. The installed OS platform architecture must match your client (so use 32-bit OS server if using 32-bit OS client, and the same for 64-bit).

B. Locate the following two files:

%systemroot%system32tsuserex.dll
%systemroot%system32en-ustsuserex.dll.mui

(NOTE: If not running US English, the path would not be EN-US; it would be the language(s) running on the server)

C. Copy these two files to the Vista machine running RSAT tools and place them in the same paths.

D. Run as an administrator:

regsvr32.exe tsuserex.dll

E. Start DSA.MSC on the Vista machine and look at a user”s properties – the tabs will now be there.

Mar
28

Fellow Directory Services MVP Mark Minasi has a great table that shows a ton DNS commands using dnscmd. For those of you getting ready to use Server Core here is yet another list of commands that will come in handy. All I can say is WOW!!!

Function

DNSCMD option

Example

Comments

Do any dnscmd command on a remote system

dnscmd servername command

dnscmd main.bigfirm.com /zoneprint bigfirm.com

   

Create a primary zone

dnscmd /zoneadd zonename /primary

dnscmd /zoneadd bigfirm.com /primary

   

Create a secondary zone

dnscmd /zoneadd zonename /secondary master IP address

dnscmd /zoneadd bigfirm.com /secondary 192.168.1.1

   

Host a zone on a server based on an existing (perhaps restored) zone file

dnscmd /zoneadd zonename /primary /file filename /load

dnscmd /zoneadd bigfirm.com /primary /file bigfirm.com.dns /load

   

Delete a zone from a server

dnscmd /zonedelete zonename [/f]

dnscmd /zonedelete bigfirm.com /f

(without the /f, dnscmd asks you if you really want to delete the zone)

Show all of the zones on a DNS server

dnscmd /enumzones

dnscmd /enumzones

   

Dump (almost) all of the records in a zone

dnscmd /zoneprint zonename

dnscmd /zoneprint bigfirm.com

Doesn”t show glue records.

Add an A record to a zone

dnscmd /recordadd zonename hostname A ipaddress

dnscmd /recordadd bigfirm.com mypc A 192.168.1.33

   

Add an NS record to a zone

dnscmd /recordadd zonename @ NS servername

dnscmd /recordadd bigfirm.com @ dns3.bigfirm.com

   

Delegate a new child domain, naming its first DNS server

dnscmd /recordadd zonename childname NS dnsservername

dnscmd /recordadd bigfirm.com test NS main.bigfirm.com

This would create the “test.bigfirm.com” DNS child domain unter the bigfirm.com DNS domain

Add an MX record to a zone

dnscmd /recordadd zonename @ MX priority servername

dnscmd /recordadd bigfirm.com @ MX 10 mail.bigfirm.com

   

Add a PTR record to a reverse lookup zone

dnscmd /recordadd zonename lowIP PTR FQDN

dnscmd /recordadd 1.168.192.in-addr.arpa 3 PTR pc1.bigfirm.com

This is the PTR record for a system with IP address 192.168.1.3

Modify a zone”s SOA record

dnscmd /recordadd zonename @ SOA primaryDNSservername responsibleemailipaddress serialnumber refreshinterval retryinterval expireinterval defaultTTL

dnscmd /recordadd bigfirm.com @ SOA winserver.bigfirm.com mark.bigfirm.com 41 1800 60 2592000 7200

Ignores the serial number if it”s not greater than the current serial number

Delete a resource record

dnscmd /recorddelete zonename recordinfo [/f]

dnscmd /recorddelete bigfirm.com @ NS main.bigfirm.com /f

Again, “/f” means “don”t annoy me with a confirmation request, just do it.”

Create a resource record and incorporate a nonstandard TTL

dnscmd /recordadd zonename leftmostpartofrecord TTL restofrecord

dnscmd /recordadd bigfirm.com pc34 3200 A 192.168.1.4

   

Reload a zone from its zone file in windowssystem32dns

dnscmd /zonereload zonename

dnscmd /zonereload bigfirm.com

Really only useful on primary DNS servers

Force DNS server to flush DNS data to zone file

dnscmd /zonewriteback zonename

dnscmd /zonewriteback bigfirm.com

   

Tell a primary whom to allow zone transfers to

dnscmd /zoneresetsecondaries zonename /nonsecure|securens

dnscmd /zoneresetsecondaries bigfirm.com /nonsecure

That example says to allow anyone who asks to get a zone transfer

Enable/disable DNS NOTIFY

dnscmd /zoneresetsecondaries zonename /notify|/nonotify

dnscmd /zoneresetsecondaries bigfirm.com /nonotify

Example disables DNS notification, which is contrary to the default settings.

Tell a secondary DNS server to request any updates from the primary

dnscmd /zonerefresh zonename

dnscmd /zonerefresh bigfirm.com

   

Enable or disable dynamic DNS on a zone

dnscmd /config zonename /allowupdate 1|0

1 enables, 0 disables, 0 is default

   

Stop the DNS service

Either net stop dns or sc stop dns

   

(No dnscmd command for this)

Start the DNS service

Either net start dns or sc start dns

   

(No dnscmd command for this)

Install the DNS service on a 2008 full install system

servermanagercmd -install dns

   

   

Install the DNS service on a 2008 Server Core system

ocsetup DNS-Server-Core-Role

   

Case matters — ocsetup dns-server-core-role would fail

Uninstall the DNS service on a 2008 Server full install system

servermanagercmd -remove dns

   

   

Uninstall the DNS service on a 2008 Server Core system

ocsetup /uninstall DNS-Server-Core-Role

   

   

Mar
27

It”s been quite awhile since my last Server Core blog so I feel obligated to share some of the other findings that I have.  I”ve been asked several times how to configure TCP/IP settings on a Server Core server.

To configure the IP address we will have to remember (or learn) Netsh.

Configure a Static IP Address on Server Core:

Netsh int ipv4 set address “Local Area Connection” static 10.1.1.10 255.255.255.0 10.1.1.1

Netsh int ipv4 set dnsserver “Local Area Connection” static 10.1.1.5 primary

Netsh int ipv4 set winsserver “Local Area Connection” static 10.1.1.6 primary

Configure a Dynamic (DHCP) IP Address on Server Core:

Netsh int ipv4 set address “Local Area Connection” source=dhcp

Change the name of the network interface on Server Core:

Netsh int set interface name = “Local Area Connection” newname = “Primary Network”

 

And another little handy command that I thought you might like.

List of installed patches:

wmic qfe list

 

Hope that helps those that are in need.

I”m confused…really confused.  One of Windows Server 2008”s new touted upgrades is IIS7.  Maybe it”s just me but I”ve always thought FTP was part IIS…and it is in Windows Server 2008.  So why am I so confused.  Well apparently Microsoft and the IIS team (which I”m a big fan of!) released another version of FTP as a separate download.  Oh and get this, it”s name is FTP7. 


Yes you heard correct.  FTP7 is not the same FTP service that is included with IIS7.  I saw this over at IIS.net which is the home of the IIS team.  Take a look for yourself but I snatched the main bullets below:



  • Integration with IIS 7.0: IIS 7.0 has a brand-new administration interface and configuration store, and the new FTP service is tightly integrated with this new design. The old IIS 6.0 metabase is gone, and a new configuration store that is based on the .NET XML-based *.config format has taken its place. In addition, IIS 7.0 has a new administration tool, and the new FTP server plugs seamlessly into that paradigm.
  • Support for new Internet standards: One of the most significant features in the new FTP server is support for FTP over SSL. The new FTP server also supports other Internet improvements such as UTF8 and IPv6.
  • Shared hosting improvements: By fully integrating into IIS 7.0, the new FTP server makes it possible to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. In addition, the FTP server now has virtual host name support, making it possible to host multiple FTP sites on the same IP address. The new FTP server also has improved user isolation, now making it possible to isolate users through per-user virtual directories.
  • Extensibility and custom authentication: The new FTP server supports developer extensibility, making it possible for software vendors to write custom providers for FTP authentication. Microsoft is using this extensibility feature to implement two new methods for using non-Windows accounts for FTP authentication for IIS Managers and .NET Membership.
  • Improved logging support: FTP logging has been enhanced to include all FTP-related traffic, unique tracking for FTP sessions,FTP sub-statuses,additional detail fields in FTP logs, and much more.
  • New supportability features: IIS 7.0 has a new option to display detailed error messages for local users, and the FTP server supports this by providing detailed error responses when logging on locally to an FTP server. The FTP server also logs detailed information using Event Tracing for Windows (ETW), which provides additional detailed information for troubleshooting.

My first thought was one of confusion but then I started to think a little further.  Now that it is a separate download perhaps I could install it on Server 2003 or Vista or DOS…ok so maybe not DOS.  Well here is what you get when you try to install it on anything but Server 2008. 🙁


FTP


You will have to have IIS7 installed for this to work but you will have to ensure that the FTP portion is uninstalled before you install this one.  Head on over to IIS.net to download the latest revision of FTP7.