Find Domain Schema Version

Find Domain Schema Version KB ID 0000025 

Problem

You want to upgrade or find out your current Schema version, or check that an” adprep / forestprep” command has worked correctly.

Solution

Find Domain Schema Version: PowerShell

Use the following sytax
[box]

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectversion

[/box]

Post Server 2016 Find Domain Schema Version

The value is populated with Server 2016 again.

If you check the value above on a domain that has Windows 2012 domain controllers, you will see the value is ‘not set’.

If the entry is blank;

Instead navigate to this registry key;

[box][HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNTDSParameters[/box]

Locate the ‘Schema Version’ Note: the figure in brackets is the decimal value!

Find Domain Scheman Version For Windows Servers Before 2012 RTM

1. For Windows Server 2003 you will need to Install the Support Tools on your server. (2008, 2008 R2, and 2012 have the tools built in).

2. Press (Windows Key+R) > adsiedit.msc > {enter}

3. Right Click > CN=Schema,CN=Configuration,DC=domain,DC=com > Properties

<pNote: If you cannot see this you need to select “Connect To” then pick “Schema”.

4. On the Attribute Editor tab > Locate objectVersion.

 

What Are The Windows Server Schema Versions?

20: Windows 2000

30: Windows 2003 RTM, Windows 2003 SP1, and Windows 2003 SP2

31: Windows 2003 R2

44: Windows Server 2008 RTM

47: Windows Server 2008 R2 (and SBS 2011)

56: Windows Server 2012 RTM

69: Windows Server 2012 R2

87: Windows Server 2016 RTM

88: Windows Server 2019 RTM

88: Windows Server 2022

91: Windows Server 2025

Related Articles, References, Credits, or External Links

NA

Windows Server 2025 Domain Join

Server 2025 Domain Join KB ID 0001883

Problem

To perform a  Windows Server 2025 Domain Join (Local Domain). The end process is the same as it’s always been, they’ve just made the job of getting to there a little more convoluted, (this is the same with Windows 11).

 

Solution: Windows Server 2025 Domain Join

Before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related). Whilst logged in as a (local) administrative user, click the Windows button > Windows PowerShell.

Ensure you can ‘ping’ the domain name (see below), Also here I verify that the IP address that responds in my domain controller (Note: this will only work if your DNS zone has a correctly setup reverse DNS zone!)

Click the Windows button > System.

System > About.

Advanced System Settings.

   

Computer Name.

Change.

Select ‘Domain’ and enter the domain name > OK > enter credentials that have the rights to join a machine to the domain* > OK

*Note: All domain users have the right to join x10 machines to the domain.

OK > OK.

OK > Restart Now > The server will reboot.

Ensure you don’t mistakenly log on as the local administrator > Other User > Then remember if you are logging on as domain administrator use DOMAIN/Administrator, or administrator@domain-name.domain extension.

Solution: PowerShell Windows Server 2025 Domain Join

Windows button > Open an administrative PowerShell window.

As above, before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related).

Use the following syntax.
[box]

Add-Computer -DomainName {your-domain-name}

[/box]

When prompted, provide credentials that have rights to add computer object to the domain.

When successfully joined, you will be asked to reboot.

[box]

Restart-Computer

[/box]

Ensure you don’t mistakenly log on as the local administrator > Other User > Then remember if you are logging on as domain administrator use DOMAIN/Administrator, or administrator@domain-name.domain extension.

Leave a Windows Domain Using PowerShell

Firstly I’m making sure I am correctly domain joined by using the following command.

[box]

Get-WmiObject win32_computerSystem | Select-Object -ExpandProperty domain

[/box]

Then to ‘leave’ the domain use the following command.

[box]

Remove-Computer

[/box]

When prompted reply to Y for yes then to complete the process reboot the server with the following command.

[box]

Restart-Computer

[/box]

Leave a Windows Domain Using GUI

To do the same graphically, it’s just the reverse of a domain join, use the instructions above you get you to the following dialog then select workgroup, and enter the workgroup name.

OK > OK.

Close > Restart Now.

Related Articles, References, Credits, or External Links

How to Join a Windows Domain

Windows: Join Azure AD (AAD)

Windows Server 2022 Domain Join

How to Join Windows 11 to a Domain

Microsoft Blue Screen of Death (BSOD)

BSOD KB ID 0001882

Problem

Recovering from a Microsoft Blue Screen of Death (BSOD) involves several steps to diagnose and resolve the issue. Here is a systematic approach to help you recover from a BSOD.

Solution : BSOD Resolution.

 

Note: If using Crowdstrike (18th Jul 2024) or you’re Stuck at the recovery screen. The problem is being worked on Ref:

TEMPORARY WORK AROUND

 

  1. Boot Windows into Safe Mode or WRE.
  2. Go to C:\Windows\System32\drivers\CrowdStrike
  3. Locate and delete file matching “C-00000291*.sys”
  4. Boot normally.

Alternative Crowdstrike Fix (from the recovery screen)

If you’re stuck at the recovery screen, try these steps:

  1. Click on ‘See advanced repair options’ on the Recovery screen.
  2. In the Advanced Repair Options menu, select ‘Troubleshoot’.
  3. Next, choose ‘Advanced options’.
  4. Select ‘Startup Settings’.
  5. Click on ‘Restart’.
  6. After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
  7. Open Command Prompt in Safe Mode.
  8. In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
  9. To rename the CrowdStrike folder, use ren CrowdStrike CrowdStrike_old

Alternative Crowdstrike Fix (For Virtual Machines)

  1. Attach an the system disk of the affected machine asunmanaged disk to another VM for offline repair (Note:Disks that are encrypted may need these additional instructions: Unlocking an encrypted disk for offline repair
  2. Once the disk is attached, customers can attempt to delete the following file. “Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys
  3. The disk can then be detached and re-attached to the original VM.

 

1. Note the BSOD Error Code

When a BSOD occurs, an error code is displayed on the screen. This code can be crucial in diagnosing the problem. Write down the error code and any associated information.

2. Restart Your Computer

Sometimes, a simple restart can resolve the issue. However, if the BSOD persists, proceed to the next steps.

3. Boot into Safe Mode

Safe Mode loads a minimal set of drivers and services. Booting into Safe Mode can help you determine if a default setting or basic device driver is causing the issue.

  • Windows 10/11:
    1. Restart your computer.
    2. As soon as your computer starts, press the F8 key repeatedly until the Advanced Boot Options menu appears.
    3. Select “Safe Mode” or “Safe Mode with Networking.”

4. Check for Hardware Issues causing BSOD

  • Disconnect External Devices: Unplug all external devices (USB drives, printers, etc.) and restart your computer to see if the BSOD persists.
  • Run a Memory Check: Use Windows Memory Diagnostic tool to check for memory issues.
    • Press Windows + R, type mdsched.exe, and press Enter.
    • Choose “Restart now and check for problems.”

5. Update or Roll Back Drivers

  • Update Drivers:
    • Open Device Manager (Windows + X > Device Manager).
    • Expand categories and update any drivers with a yellow exclamation mark.
  • Roll Back Drivers:
    • In Device Manager, right-click the driver causing the issue, select “Properties,” go to the “Driver” tab, and select “Roll Back Driver.”

6. Check for Software Issues

  • Uninstall Recent Software: Uninstall any software or updates installed recently.
    • Go to Settings > Apps > Apps & features and uninstall the problematic software.
  • Run System File Checker (SFC):
    • Open Command Prompt as Administrator.
    • Type sfc /scannow and press Enter.

7. Perform a System Restore

If the BSOD started after a recent change, performing a System Restore can revert your computer to a previous state.

  • Go to Control Panel > System and Security > System > System Protection > System Restore.
  • Follow the prompts to choose a restore point.

8. Check Disk for Errors

  • Open Command Prompt as Administrator.
  • Type chkdsk /f /r and press Enter.
  • Restart your computer to allow the check to run.

9. Update Windows

Ensure your Windows operating system is up to date.

  • Go to Settings > Update & Security > Windows Update and check for updates.

10. Perform a Clean Boot

A clean boot helps eliminate software conflicts.

  • Press Windows + R, type msconfig, and press Enter.
  • Go to the “Services” tab, check “Hide all Microsoft services,” and click “Disable all.”
  • Go to the “Startup” tab, open Task Manager, and disable all startup items.
  • Restart your computer.

11. Reset or Reinstall Windows

If none of the above steps work, you may need to reset or reinstall Windows.

  • Reset This PC:
    • Go to Settings > Update & Security > Recovery > Reset this PC.
    • Choose whether to keep your files or remove everything.
  • Reinstall Windows: Backup your data and perform a clean installation using a bootable USB drive with the Windows installation media.

Additional Tools and Resources

  • BlueScreenView: A utility to view minidump files created during BSODs.
  • WhoCrashed: Analyzes crash dumps to determine the cause of the crash.

Related Articles, References, Credits, or External Links

NA

PowerCLI: Get Snapshot Information

Get Snapshot Information KB ID 0001829

Problem

The question was asked on Experts Exchange today.

Are there any scripts or reports that would give me information on VMware VM’s with snapshots?

was pretty sure this was a straight forward one, so I jumped on the test network.

Solution: Get Snapshot Information

Connect to your vCenter and use the following commands.

[box]

Connect-viserver vCenter-Name 
THEN AUTHENTICATE
Get-VM | Get-Snapshot | Select-Object VM, Name, SizeGB, Created

[/box]

That was easy!

Get Snapshot Information : With RV Tools

You can also get the same information from RVTools, which if you don’t already use, do so!

Solution: PowerShell Delete Snapshots

You can delete all snapshots by simply piping the command above to Remove-Snapshot, But you will porbably want to do that on a VM by VM basis. Use the cfollowing command.

[box]

 Get-VM VM-Name| Get-Snapshot | Remove-Snapshot

[/box]

Related Articles, References, Credits, or External Links

NA

Disable NTLM

Disable NTLM KB ID 0001880

Problem

NTLM (NT LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users in a network. It is an older protocol that has been largely replaced by Kerberos, (since Server 2008 and windows Vista!) In modern Windows environments due to its enhanced security features. NTLM is a challenge-response authentication protocol used to authenticate a client to a resource on a network. It operates in three versions: NTLMv1, NTLMv2, and NTLMv2 Session Security.

Key Components

Authentication Process:

    • Challenge-Response Mechanism: NTLM uses a challenge-response mechanism where the server challenges the client, and the client responds with a value that proves its knowledge of the user’s password.
    • Session Security: Provides confidentiality (encryption) and integrity (signing) for data sent over the network.

NTLM Versions:

    • NTLMv1:
      • Uses DES (Data Encryption Standard) for encryption.
      • The client sends a hashed password, and the server compares it to the stored hash.
      • Known for its vulnerabilities, including susceptibility to replay attacks and weak password hashes (LM hashes).
    • NTLMv2:
      • Introduced to address the security shortcomings of NTLMv1.
      • Uses HMAC-MD5 for cryptographic operations.
      • Provides stronger encryption and better resistance to replay attacks.
      • Supports mutual authentication where both client and server authenticate each other.
    • NTLMv2 Session Security:
      • Provides additional security by creating a session key based on both client and server challenge-response pairs.
      • Ensures integrity and confidentiality for the session.

Components of NTLM:

    • User Authentication: Verifies the identity of a user or system requesting access.
    • Message Integrity: Ensures that messages are not tampered with during transmission.
    • Message Confidentiality: Encrypts messages to protect sensitive information.

Security Weaknesses

  1. NTLMv1:
    • Weak Hashing (LM Hash): The LM hash is derived from passwords in a way that is susceptible to brute-force attacks.
    • Replay Attacks: Can be exploited to reuse valid authentication tokens.
    • Lack of Mutual Authentication: Only the client is authenticated, not the server.
  2. NTLMv2:
    • Improved but Still Vulnerable: While it significantly improves upon NTLMv1, it is still not as secure as Kerberos and can be vulnerable to certain types of attacks, especially in environments where NTLMv1 is still supported for backward compatibility.

Deprecation and Modern Alternatives

  • Kerberos: Introduced in Windows 2000, Kerberos provides stronger security features, including mutual authentication, and is now the default authentication protocol in Active Directory environments.
  • Recommendations: Organizations are encouraged to disable NTLM where possible, particularly NTLMv1, and to use Kerberos or other modern authentication protocols.

In Summary

NTLM played a crucial role in early Windows network security, providing a means of authenticating users and securing communications. However, due to its security vulnerabilities, especially in NTLMv1, it has been largely replaced by more secure protocols like Kerberos. NTLMv2 offers improvements but is still not as robust as modern alternatives, making it advisable for organizations to phase out NTLM in favour of stronger authentication methods.

As of Jun 2024 Microsoft has declared that NTLM (all versions) are depreciated.

Solution : Disable NTLM

Developers are being encouraged to STOP using NTLM, and the advice is to set your systems to ONLY use NTLM if Kerberos is not available. You first challenge is to find out what (if anything) is still using NTLM.

On your server(s) look in the (Security) Event logs for Event ID 4624 That mentions NTLM.

But there’s thousands of Event ID 4624 events, so let’s narrow the search with some PowerShell.

[box]

$query= @"
    <QueryList> 
           <Query Id="0"> 
              <Select Path="Security"> 
                *[System[(EventID='4624')]] 
                 and 
                *[EventData[Data[@Name='AuthenticationPackageName'] and (Data='NTLM')]]
               </Select> 
           </Query> 
    </QueryList>
"@
Get-WinEvent -FilterXml $query

[/box]

Now I can review each of those events (by their time stamp!) and I’ve only got two offenders to investigate.

You can also have a reconnoitre with WireShark, and scan for ntlmssp.

Disable NTLM v1

It’s considered best practice to disable NTLM version 1 first, then wait for a while (a period of a few weeks,) then you can attempt to disable NTLM version 2 also.

Edit the Default Domain Controller Policy and Navigate to.

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: LAN Manager Authentication Level

[/box]

Settings;

  • Send LM and NTLM responses
  • Send LM and NTLM (use NTLMv2 session security if negotiated)
  • Send NTLM response only
  • Send NTLMv2 response only
  • Send NTLMv2 response only, Refuse LM: Domain controllers offer only NTLMv2 but still accept NTLMv1 authentication.
  • Send NTLMv2 response only, Refuse LM and NTLM: Domain controllers refuse LM and NTLMv1, accepting only NTLMv2.

To keep NTLM v2 and disable NTLM v1 choose the last option.

WARNING: This will effectively tattoo this setting into registry of the domain controller(s), even if you have a problem and revert the setting back to not defined, it will remain. If that happens to you, you can manually change the setting in the registry at.

[box]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

[/box]

 

There’s six settings (0 to 5) that correspond to the ones in the group policy for further information see this article.

Disable NTLM Completely

Before proceeding its a good idea to enable the “Restrict NTLM: Audit NTLM authentication in this domain” policy then waiting a while longer and reviewing the logs, if something does appear you can simply add it to the “Restrict NTLM: Add server exceptions in this domain” policy

This time in the default domain controller’s policy navigate to.

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: Restrict NTLM: NTLM authentication in this domain

[/box]

  • Disable: the policy is disabled (NTLM authentication is allowed in the domain).
  • Deny for domain accounts to domain servers: the domain controllers reject NTLM authentication attempts for all servers under the domain accounts, and the “NTLM is blocked” error message is displayed.
  • Deny for domain accounts: the domain controllers are preventing NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears.
  • Deny for domain servers: NTLM authentication requests are denied for all servers unless the servername is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy.
  • Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.

To stop client computers attempting to connect with NTLM you can edit the Default Domain Policy.

  • Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all

Related Articles, References, Credits, or External Links

NA

Windows Server Evaluation Extending & Converting

Server Evaluation Extending & Converting KB ID 0001879

Problem

If you download and install Windows Server evaluation, you get 180 days grace to upgrade it to a full licensed version. Now the internet is awash with articles telling you how you can extend that – In fact you can extend it by 180 days a further SIX TIMES. But what they fail to tell you, is this only works if you DONT LET IT EXPIRE. Once you’ve breached the 180 days you cannot extend it by 180 days (If you try you only get 10 days grace!)

Day 1

After 180 Days

Solution: Server Evaluation Extending

When the server is first deployed you will have 180 days and SIX REARMS available, which you can see with the following command.

[box]

slmgr -dlv

[/box]

Assuming you are within the 180 day period you can simply extend by 180 days with the following command.

[box]

slmgr -rearm

[/box]

Once rebooted you can check status with the same command we used above (slmgr -dlv).

Solution: Server Evaluation Extending (If Expired)

If you have been on the server it would have warned you with prompts like this.

What Happens If The Windows Server Evaluation License Expires?

The server will shut itself down, 1 hour after it has been powered on, (after logging Event ID 1074).

Event ID 1074
The License period for this installation of Windows has expired. the operating system is shutting down.

As mentioned above you can give yourself some breathing room (assuming you have a rearm count of 1 or more) by using the same command to extend (slmgr – rearm). But you will only get 10 days grace to enter a valid key/activation code.

Converting Windows Server Evaluation To Full Version

The other option, and of course what Microsoft want you to do, is convert the evaluation version to a full version. You can see what versions are available by running the following command.

[box]

DISM /Online /Get-TargetEditions

[/box]

My only option is ServerDatacenter – so I can convert to that version and enter a valid Windows Key to licence the server at the same time.

[box]

DISM /Online /Set-Edition:ServerDatacenter /ProductKey XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

[/box]

Then (when asked) reboot the server to complete the procedure.

Note: Before you email me to point out there’s a Windows licence key in that screenshot (above) that’s the Windows Server 2022 KMS Key.

Related Articles, References, Credits, or External Links

NA