After a recent lab on the test bench, I ended up with a 2008 x32 standard server. It took me a while to get this setup and running, so I wanted to keep it (or turn it into a VMware template should I ever need another). But first I needed to ‘remove it’ from the domain it was in. However, when attempting to do so this happened;
Computer Name /Domain Changes
The following error occurred validating the name “Host-Name”
A general network error occurred
That stinks of DNS? But the machine could resolve DNS, ping the domain name, was authenticated to the domain, and could ping itself by netbios name and FQDN?
Leave Domain (via Command Line)
With modern servers and clients we can simply ‘force’ a machine out of the domain with some PowerShell. In an old machine like this (2008 ran PowerShell version 1 natively) those commands are not open to us. So to solve the problem I had to go a little more ‘old school’.
Remember – You will need to either know the local administrator password, or a local account with administrative access before you drop it out of the domain, (or post reboot you won’t be able to log in!)
When attempting a File Server Migration why isn’t this better publicised? Did you know Microsoft have a set of Migration tools, and one of them is for file servers? Now traditionally I’d use RoboCopy or XCopy to migrate files and folders, and for ‘User Profiles’ I would normally back them up, and restore them to the new server. This is because the file permissions on ‘correctly deployed’ user profiles mean you can’t open them.
How about a tool, that migrates all the files, folders and profiles while maintaining all the NTFS permissions, AND Share permissions!
Windows File Server Migration Tools
Source Server Pre-requisites
Server 2003: .Net 2.0 (With SP1), and PowerShell 2.0, and 25MB free drive space.
Server 2008: PowerShell and 25Mb free drive space.
Server 2008 R2 and Newer: 25Mb free drive space.
All: UDP port 7000 needs to be open, from source to the destination server.
File Server Migration Server 2008 to Server 2019
File Server Migration from Server 2003!
Source Server: Windows Server 2003 Standard x64 (x86 supported as well)
Destination Server: Windows 2012 R2 Data Center 2012
Source Server: Here you can see my user profiles, I’ll do the migration with them, as usually they are the most ‘challenging’.
You need to create a shared folder on the Source Server, I’ve just granted everyone full control, (this is just for the migration tools).
Destination Server: Open a PowerShell window and install the tools with the following command;
Open an administrative command window > Now you need to deploy the migration tools to the share on the destination server, to do that use the following command;
Note: For x86 (32 bit) source servers use x86 instead of amd64. WS03 (Windows Server 2003), WS08 (Windows Server 2008), WS08R2 (Windows Server 2008 R2), and WS12 (Windows Server 2012).
Source Server: Open the folder you created earlier and within it you will find another folder that has the tools in. Open an administrative command window and change to this directory > then execute the following command;
[box]
.\smigdeploy
[/box]
Another PowerShell window will open, leave it open, and return to the destination server.
Destination Server: Here I’ve created a folder that I’m going to migrate into.
Destination Server: Open a PowerShell window and issue the following two commands;
If you are here, you have probably already found out that Dropbox is not supported on Windows Server platforms. You can install it and set it up happily but it stops working and needs to be relaunched all the time (manually).
I love Dropbox! So much I actually pay for it! I run it on my management server and it’s handy for copying files up into my test network, so I can appreciate how annoying it is having to restart it all the time. So to fix the problem we have to use a piece of software that’s over 15 years old!
Running Dropbox as a Service on Windows Server
First you have to stop Dropbox running.
Then download srvany and extract the executable to the Dropbox install directory (C:\Program Files (x86)\Dropbox). Note: This file is from the old Server 2003 resource kit.
There are lots of reasons you might want to know your PC’s/Server’s uptime, to make sure a client has rebooted a server (like you asked them to), or to see if a server has had a BSOD and rebooted overnight, etc.
Check Uptime with Task Manager
You can get your uptime from the Task Manager’s “Performance” tab.
To launch Task Manager
Start > Run > Taskmgr.exe {enter}, or press CTRL+SHIFT+ESC, or right click the Task bar > Select Task Manager. > Options
From command line execute the Systeminfo | find /I "boot" command;
Option 3 – Use Net Statistics to find Uptime
You can get uptime information by querying either the workstation service or the server service. Issue the following command;
[box]
net statistics workstation
[/box]
Or the following command;
[box]
net statistics server
[/box]
Option 4 – Use Uptime.exe to find Uptime
Download uptime and put a copy in your “System32” Directory, you can then use the uptime command.
Option 5 – Use WMI (Windows Management Instrumentation) to find Uptime
Issue the following command;
[box]
wmic os get lastbootuptime
[/box]
As you can see the result is not pretty, it is presented in UTC format.
20120109081112.925800+000 = Year 2012, Month 01, Day 09, Time 08:11:12
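The value wmic prints is a CIM_DATETIME string: date and time, microseconds, then a sign and the offset from UTC in minutes. The following Python is an added example (not part of the original article) that parses it and works out the uptime; the function names and the sample output wrapper are my own, built around the timestamp quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME layout: yyyymmddHHMMSS.mmmmmm, then a sign and the
# offset from UTC in minutes (three digits).
_CIM = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")

def parse_cim_datetime(value):
    """Convert one CIM_DATETIME string to a timezone-aware datetime."""
    m = _CIM.match(value.strip())
    if m is None:
        raise ValueError("not a CIM_DATETIME timestamp: %r" % value)
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes))
    if sign == "-":
        offset = -offset
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    return local.replace(microsecond=int(micros), tzinfo=timezone(offset))

def last_boot_from_wmic(output):
    """Pick the timestamp out of 'wmic os get lastbootuptime' output,
    skipping the column header and the blank lines around it."""
    for line in output.splitlines():
        if _CIM.match(line.strip()):
            return parse_cim_datetime(line)
    raise ValueError("no LastBootUpTime value found")

def uptime(boot, now=None):
    """Time elapsed since boot; 'now' can be passed in for repeatable results."""
    now = now or datetime.now(timezone.utc)
    return now - boot

# Constructed sample output, using the timestamp quoted in the article.
SAMPLE = "LastBootUpTime\r\n20120109081112.925800+000\r\n\r\n"

if __name__ == "__main__":
    boot = last_boot_from_wmic(SAMPLE)
    print("Booted:", boot.isoformat())
    print("Uptime:", uptime(boot))
```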
Option 6 – Check the Event Log to find Uptime
Launch the Event Viewer (eventvwr.msc) > Windows Logs > System Log > Find > Search for Event ID 6005, (Note: This event gets logged each time the server boots, as the event log service starts). Event ID 6006 will be labeled as “The event log service was stopped.” This is synonymous with system shutdown.
Note: Event 6013 is logged periodically, and shows the machine’s uptime at that point.
Note: In the event of an abnormal shutdown, look for Event ID 6008, which will let you know that the system started after it was not shut down properly. Event ID 6009 indicates the processor information detected during boot time.
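If you are checking for reboots nobody told you about, the same event IDs can be paired up into boot sessions. This Python is an added example, not from the original article; the (timestamp, event ID) record layout and the sample events are constructed for illustration.

```python
from datetime import datetime

BOOT, CLEAN_STOP, DIRTY_STOP = 6005, 6006, 6008

# Constructed System-log records (timestamp, event ID), oldest first.
EVENTS = [
    ("2012-01-09 08:11:12", 6009),
    ("2012-01-09 08:11:12", 6005),
    ("2012-01-09 20:00:00", 6013),
    ("2012-01-12 18:30:05", 6006),
    ("2012-01-12 18:32:40", 6005),
    ("2012-01-14 03:17:51", 6008),
    ("2012-01-14 03:17:51", 6005),
]

def boot_sessions(events):
    """Group events into boot sessions and record how each one ended.

    6005 opens a session and 6006 closes it cleanly. A 6008, or a new
    6005 with no 6006 before it, marks the earlier session as unclean.
    The session still running at the end of the log has clean=None.
    """
    sessions = []
    for stamp, event_id in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event_id == BOOT:
            if sessions and sessions[-1]["end"] is None:
                sessions[-1]["clean"] = False  # booted again without a 6006
            sessions.append({"start": when, "end": None, "clean": None})
        elif event_id == CLEAN_STOP and sessions:
            sessions[-1].update(end=when, clean=True)
        elif event_id == DIRTY_STOP:
            # 6008 is written during the next boot, so it refers to the
            # latest session that started before this timestamp.
            for session in reversed(sessions):
                if session["start"] < when:
                    session["clean"] = False
                    break
    return sessions

def unclean_shutdowns(sessions):
    """Sessions that ended without a clean event log shutdown."""
    return [s for s in sessions if s["clean"] is False]

if __name__ == "__main__":
    for s in unclean_shutdowns(boot_sessions(EVENTS)):
        print("Unclean shutdown after boot at", s["start"])
```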
Option 1 – Use Uptime.exe to get a Remote Machines Uptime
As already mentioned above, download uptime and extract it to your system32 directory. Then to get a remote machine’s uptime, use the following command;
If you are retiring a CA Server, or there’s a problem with the server and you want to move Microsoft Certificate Services to another server, the procedure is pretty straight forward.
BE AWARE: We are moving the CA Server Name, NOT the Server Name (FQDN), the two things are NOT the same, (you might have called them the same thing!) But a Certificate Authority has a name of its own, and that’s what we are going to move.
So the new server doesn’t have to have the same name? No, it can do if you really want, but that’s an added layer of complication I can’t see the point of?
In the video below, I’m migrating from Server 2008 R2 to Server 2019, and I’m also moving CRLs and OCSP responders. In the screenshots below I’m moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.
Can I migrate from Server 2008 (NON R2) to 2016 (or newer): Yes, but not directly, you need to upgrade to Server 2012 R2 first. If you don’t, the database won’t mount and you will get this error.
Solution
On the ‘Source‘ server, open the Certificate Services management console > Right click the CA NAME > All Tasks > Back up CA.
The backup wizard will open, Next > Tick BOTH options > Select a Backup Location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish.
Now we need to take a backup of the Registry key that holds the information for this CA server. Run ‘regedit’ > Navigate to;
Export a copy of this key, (save it in the same folder that you backed up to earlier).
Now we need to uninstall CA Services from this server. Server Manager > Manage > Remove Roles and Services > Next.
REMOVE all the CA role services > Complete the Wizard, then launch the wizard again and select ‘Active Directory Certificate Services’ > At the pop-up select ‘Remove Features’ > Next.
Next > Next > Next > Close.
Setup Certificate Services on the Target/New Server
Server Manager > Add Roles and Features > Next.
Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.
For now let’s just stick with the Certification Authority > Add the other role services later* > Next.
*Note: I’ve written about all these role services before, just use the search function, (above), if you are unsure what they all do.
Next > Close.
Warning > Configure Active Directory Certificate Services > Next.
Next > Enterprise CA (Unless it’s an offline non domain joined CA) > Root CA (unless it’s a subordinate CA!) > Next.
> Select ‘Use existing private key‘ > Select ‘Select a Certificate and use its associated private key‘ > Next > Import > Browse > In your backup folder locate the certificate (it will have a .p7b extension.) > Enter the password > OK > Select the Cert > Next.
Next > Next > Configure > Close.
Stop Certificate Services;
[box]net stop certsvc[/box]
If your new server has a different hostname/FQDN open the registry file you exported above with Notepad, locate and change the CAServerName entry to the name of the NEW server.
Right click the registry backup > Merge > Yes > OK.
Launch the Certificate Services management console > Right Click the CA NAME > All Tasks > Restore CA.
The restore wizard will start > Next > Browse to the folder with your backup in > Next > Enter the password you used (above) > Next > Finish.
You will be prompted to start the Certificate Services service > Yes.
What About Certificate Templates? Do I need to Move Them?
No! Certificate templates are actually stored in Active Directory, NOT in/on the actual Certificate Services server, (that’s why sometimes they take a while to appear after you create them!) You can see them here;
Related Articles, References, Credits, or External Links
I don’t think I’ve ever run the VMware Standalone Converter without at least one error message or popup complaining about something! Today I was trying to convert a client’s old Windows Server 2003 document management server, when trying to deploy the agent this happened;
Unable to connect to the network share ‘{Sever-name-or-IP} \ADMIN$’.
Solution
It’s a pretty descriptive error, can you map a drive to this machine and open a network share manually? Is the ‘server service’ running? In my case the problem was easily diagnosed;
I wasn’t about to start enabling SMBv1 on the client’s Windows 2019 server! So I simply installed the VMware Standalone Converter on one of their existing 2008 member servers instead, and ran it from there.
If your OS is 2008R2 or newer then you won’t need to do this as the drivers are already included. But what if you have a machine that you want to put the drivers in before you virtualise or migrate it? Well if you mount the ISO and run it this happens;
Unsupported Guest Environment
The Hyper-V integration services can only be installed inside of a virtual machine running Hyper-V
Bah! You are not the boss of me! I want the drivers in here because I’m about to virtualise it!
Solution
Mount the Integration Services ISO on the machine (or open it with 7Zip and treat it like a zip file)
If you have Hyper-V 2016 or newer and can’t find the ISO, Microsoft handily don’t include it any more, because it’s a massive 29Mb in size? (Yeah I don’t understand either?) Here’s a copy. Go to the x86 or amd64 directory depending on whether you are x32 or x64 bit. Locate the Windows{Version}-HyperVIntegrationServices-{processor-version}.cab that matches your machine and copy it to your desktop. Then open it, select all the files.
Open an administrative command prompt, then change directory to the folder you extracted all the files into. Run the following command;
[box]for /f "tokens=*" %i in ('dir /b /s *.inf') do pnputil.exe -i -a "%i"[/box]
It will run through and install all the drivers, you may get some warnings that some of the drivers are unsafe or unsigned. Just say install them anyway.
Note: If you are on Server 2003, then there are a bunch of KB updates on the CD that you will also need to install.
There are many reasons why you might want to do this, someone has managed to change a user password and that person is not available, you might simply have forgotten it. Or you might have been given a machine, or bought one from eBay that has come without a password. Also there have been a few times when a user has looked me in the eye and said “I’m typing my password in, but it’s not working”, I have never seen a password change on its own, so I will just put that down to the evil password gremlins.
The procedure will also work on the Windows local administrator’s password, just bear in mind that this account is disabled by default, (after Windows 8). This procedure will not work if the machine in question has had its hard drive encrypted using BitLocker.
You can use this procedure to blank, (or reset) a Domain Controller’s DSRM (Directory Services Restore Mode) password.
You can avoid this procedure if you have access to another account on this machine that has administrative access. If you can log on as an administrator, then you can change the password of other local accounts on the affected machine without the need to do this.
2. Download ImgBurn and install, Launch the program, if it does not look like this you need to select View >EX-Mode-Picker. Select the ‘Write image file to disc’ option.
2. The file you downloaded is a zip file that contains the disk image, you will need to extract the image from the zip file (i.e. drag it to your desktop). From within ImgBurn launch the browse option and navigate to the disk image you have just extracted > Open.
3. Select the burn to disc icon (Note: This will be greyed out, until there is a blank CD in the drive). The image is very small, it will not take long to burn.
Carry Out a Windows 8 Password Reset.
This procedure uses the boot CD you have just created, for it to work you need to make sure the machine will attempt to boot to its CD/DVD Drive before it boots to its hard drive. (Or it will simply boot into Windows again). This change in ‘Boot Order’ is carried out in the machine’s BIOS, how you enter this varies depending on machine vendor, when you first turn on the machine watch for a message that looks like Press {key} to enter Setup. Typically Esc, Del, F1, F2, or F9. When in the BIOS locate the boot order and move the CD/DVD Drive to the top of the list.
1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.
2. Depending on how many disks/partitions you have it will discover them and assign a number to each one, here I only have 1 so I will type ‘1 {Enter}’.
Note: You may see a small 300Mb partition, ignore that. You may also see your machines recovery partition if it has one, if that’s the case you may have to carry out some trial and error to get the right one.
3. The system is set to look for the default registry location C:\Windows\System32\Config so simply press {Enter}. If it fails at this point you selected the wrong drive/partition.
4. We want password reset so select option 1.
5. We will be editing user data and passwords, so again select option 1.
6. You will be presented with a list of the user objects that it can locate, here I want to reset the password for the ‘PeteLong’ user object so simply type in the username you want to edit.
Note: As mentioned you can see here the administrator account is disabled, if you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.
7. You can choose option 2 and type in a new password, but I’m going to blank the password, then change it when I get back into the machine by selecting option 1.
8. To step back you need to enter an exclamation mark.
9. Enter a ‘q’ to quit.
10. To write the changes you have made enter a ‘y’.
11. As long as you are happy, and have no other accounts that need changing, enter ‘n’.
12. Now remove the boot CD, and press Ctrl+Alt+Delete to reboot the machine.
13. As the user object we are dealing with was the last one that has logged on, it will select that account as soon as the computer boots, and now it has a blank password it will automatically log on.
14. To change the password, press Ctrl+I > Change PC settings.
15. Users > Create a password.
16. Type and confirm your new password, and enter a password hint > Next.
17. Log off the account and test the new password.
I was trying to demote a domain controller yesterday morning, it was a 2008 R2 Domain controller, (in fact it was SBS 2011). I’d already added a nice new Server 2016 Domain Controller to the domain, and transferred all the FSMO roles, so I was surprised when I tried to gracefully demote the old DC and got this;
You did not indicate that this Active Directory domain controller is the last domain controller for the domain {domain-name}. However, no other Active Directory domain controllers for that domain can be contacted.
Do you want to proceed anyway?
If you click Yes, any Active Directory Domain Services changes that have been made on this domain controller will be lost.
Well, that’s a scary error, and pretty much made me cancel the demotion right away.
Solution
Well I could ping the other domain controller, by name and by IP address, and it was listed in ‘Sites and Services’, and I could replicate Active Directory? (Very Strange). It was not until I ran dcdiag that I saw some warnings about ‘sysvol replication’, that steered me in the right direction.
On the ‘outgoing’ Domain Controller, run regedit, then navigate to the following location;
[box]HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > services > Netlogon > Parameters[/box]
Locate the SysvolReady value, (it’s probably set to 0 (Zero)).
Change it to 1 (one) then click OK, (this sort of ‘kicks windows up the backside’, and re-shares Sysvol with the correct permissions). Then after you have changed it, change it back to ZERO. You don’t need to restart any services, just change it, then change it back. Repeat the process on your other domain controllers. Have a coffee, then attempt to demote your Domain Controller again.