Take Ownership and Grant ‘Full Control’ Recursively

Take Ownership KB ID 0001200 

Problem

I had a bunch of old user profile folders I needed to delete today. When set up properly, even the domain administrator can’t get in there and delete them;

You need permission to perform this action.

You don’t currently have permission to access this folder

If it’s just one folder then simply take ownership, grant yourself rights and delete it! But I had a lot of folders, so I needed a more robust (read: less work) solution.

Solution: Take Ownership

Take Ownership of all Folders/Sub-Folders, and Files

Open an administrative command window, and execute the following command;

[box]

takeown /a /r /d Y /f "C:\Path-To-Folder"

[/box]

Grant ‘Full Control’ Rights to all Folders/Sub-Folders, and Files

Just because you are the owner does not mean you have any rights to the folders and files. To grant Full Control to the Administrators group;

[box]

icacls "C:\Path-To-Folder" /grant administrators:F /t

[/box]

You can then delete the folder and its contents recursively with the following PowerShell command.

[box]

Remove-Item -Path "C:\Path-To-Folder" -Force -Recurse

[/box]
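The three steps above as one script for the “lot of folders” case, an added example that is not from the original article: it walks every sub-folder of a profile root, takes ownership, grants Administrators Full Control and deletes. The -ProfileRoot path and the -ReportOnly switch are my own assumptions.

```powershell
# Added example (not from the original article): the takeown / icacls / Remove-Item steps
# applied to every sub-folder of a profile root. The -ProfileRoot path and the -ReportOnly
# switch are my own additions.
param(
    [Parameter(Mandatory)][string]$ProfileRoot,   # e.g. D:\Profiles (constructed path)
    [switch]$ReportOnly                           # only show current owners, change nothing
)
$ErrorActionPreference = 'Stop'

# Only the top-level folders are enumerated here; takeown /r and icacls /t walk their contents.
foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    $path = $dir.FullName
    Write-Host "Processing $path"

    if ($ReportOnly) {
        # Seeing the current owner first makes a wrong -ProfileRoot obvious before anything changes.
        Write-Host "  owner: $((Get-Acl -LiteralPath $path).Owner) (no changes made)"
        continue
    }

    # 1. Ownership to the Administrators group (/a), recursively (/r); /d Y answers the
    #    "list folder?" prompt for directories we cannot yet read. The letter for /d is
    #    locale specific, so it differs on non-English installs.
    & takeown.exe /a /r /d Y /f $path | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "  takeown exit code $LASTEXITCODE, skipping"; continue }

    # 2. Ownership alone grants no access: give Administrators Full control (F) down the tree (/t),
    #    continuing past individual errors (/c) and without per-file output (/q).
    & icacls.exe $path /grant 'Administrators:F' /t /c /q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "  icacls exit code $LASTEXITCODE, skipping"; continue }

    # 3. The recursive delete now succeeds.
    Remove-Item -LiteralPath $path -Recurse -Force
    Write-Host "  removed"
}
```

Run it once with -ReportOnly to confirm the folder list is the one you expect, then again without it.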

Related Articles, References, Credits, or External Links

Can’t Delete a File or Folder or Take Ownership

Windows Create NFS Share

Windows Create NFS Share KB ID 0001869

Problem

It has been a while since I mentioned this, but if you have a Windows server and you would like to present an NFS share, the process is pretty straightforward. The following procedure was carried out on Windows Server 2022, but the process is pretty much the same going all the way back to Server 2012.

Solution : Windows Create NFS Share

Install Server for NFS (GUI)

You need to add the “Server for NFS” server role. Server Manager > Manage > Add Roles and Features > Next > Next > Next > Next > Expand “File and Storage Services” > Expand “File and iSCSI Services” > Server for NFS > Next > Next > Next > Install.


Install Server for NFS (PowerShell)

I much prefer this method. From an Administrative PowerShell prompt, use the following command.

[box]

Install-WindowsFeature FS-NFS-Service -IncludeManagementTools

[/box]

Note: In some instances you may be asked to reboot (post role installation).

Windows Create NFS Share

Assuming you have a folder to share: Right click > Properties > NFS Sharing > Manage NFS Sharing > Tick ‘Share this folder’ > Permissions > Change access to ‘Read and Write’ and tick ‘Allow root access’ > OK > Apply > OK > Apply > OK.
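The same share created from PowerShell, as an added example that is not part of the original article. It differs from the GUI steps in one respect: Read/Write (with root access) is granted to named client hosts rather than to the default “All Machines” entry. The share name, path and client addresses are constructed values.

```powershell
# Added example (not from the original article): the PowerShell equivalent of the GUI steps,
# but granting Read/Write only to named clients instead of the default "All Machines" entry.
# Share name, path and the client addresses are constructed values.
Import-Module NFS

$shareName  = 'Data'
$sharePath  = 'D:\NFS\Data'
$nfsClients = @('192.0.2.10', '192.0.2.11')   # constructed (RFC 5737 documentation range)

if (-not (Test-Path -LiteralPath $sharePath)) {
    New-Item -ItemType Directory -Path $sharePath | Out-Null
}

# AUTH_SYS is what the article's GUI path ends up with. -Permission here applies to the
# "All Machines" default entry, so start it at no-access; identity-mapping settings are
# left at their defaults.
New-NfsShare -Name $shareName -Path $sharePath -Authentication sys `
    -Permission no-access -AllowRootAccess $false | Out-Null

# Read/Write with root access (as in the article) for the listed hosts only.
foreach ($client in $nfsClients) {
    Grant-NfsSharePermission -Name $shareName -ClientName $client -ClientType host `
        -Permission readwrite -AllowRootAccess $true
}

# Review: "All Machines" should read no-access, each listed host readwrite.
Get-NfsSharePermission -Name $shareName |
    Format-Table ClientName, ClientType, Permission, AllowRootAccess -AutoSize
```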

Related Articles, References, Credits, or External Links

Windows NFS Overview

Migrate NPS Server

Migrate NPS Server KB ID 0001841

Problem

If you have deployed an NPS server on your network, there may be a time when you want to replace that server. If all it’s doing is NPS and it’s 2012 or newer I’d be tempted to simply in-place upgrade it, but some people are rigid in their belief that that is not a good idea. In that case you need to migrate to a new server.

Solution : Migrate NPS Server

Locate NPS Server

Just in case you know you have an NPS server but don’t know which server it’s on (or how many you have!), the simplest way to find out is to look in the RAS and IAS Servers group in AD.

You can use the following procedure on Server 2012 (and newer). If your source server is Server 2008 then you need to use the netsh method I’ll outline below.

Migrate NPS Server : Export NPS Settings PowerShell

On the OLD (source) server;


[box]

Export-NpsConfiguration -Path C:\NPS-PS-Exported.xml

[/box]

Then simply copy that exported XML file to the new NPS server.

Migrate NPS Server : Import NPS Settings PowerShell

At this point I’ll assume that your target server is built, updated and domain joined. So we have three tasks: install NPS, authorise the NPS server in AD, then import the settings from the file you exported above. Note: There is no direct PowerShell command to authorise the new server in AD (at time of writing), so we need to use the netsh command to do that.

[box]

Install-WindowsFeature NPAS -IncludeManagementTools

netsh ras add registeredserver

Import-NpsConfiguration -Path C:\NPS-PS-Exported.xml

[/box]

Then at this point I’d stop and disable the NPS service on the old server and give everything a test. REMEMBER if you have RADIUS clients you may need to change the IP address that THEY are set to, to the new NPS server.

WARNING: If you are using authentication protocols that need certificates, like PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS, AND your clients are set to validate the server’s identity (this is usually optional), then check the new server has the correct certificates.
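The import steps above as one script, followed by the two checks the text calls out (the RADIUS clients that must be repointed, and a server certificate for PEAP/EAP-TLS). This is an added example, not from the original article; it assumes the export file sits at the path the article uses.

```powershell
# Added example (not from the original article): the import side of the migration as one
# script, followed by the two checks the article calls out (RADIUS clients to repoint, and
# a server certificate for PEAP/EAP-TLS). The export path is the one the article uses.
$exportFile = 'C:\NPS-PS-Exported.xml'
if (-not (Test-Path -LiteralPath $exportFile)) { throw "Export file $exportFile not found" }

# 1. Install NPS if it is not already present.
if ((Get-WindowsFeature -Name NPAS).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}

# 2. Register (authorise) this server in AD; there is no cmdlet for this, hence netsh.
& netsh.exe ras add registeredserver

# 3. Import the configuration exported from the old server.
Import-NpsConfiguration -Path $exportFile

# 4. List the imported RADIUS clients: these are the devices whose RADIUS server address
#    must be changed to point at this server.
Get-NpsRadiusClient | Format-Table Name, Address, Enabled -AutoSize

# 5. PEAP / EAP-TLS need a Server Authentication certificate (EKU 1.3.6.1.5.5.7.3.1) with a
#    private key in the computer store; warn if there is none that is still valid.
$serverCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
}
if ($serverCerts) {
    $serverCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize
} else {
    Write-Warning 'No valid Server Authentication certificate found; clients that validate the server will fail.'
}

# 6. The export holds the RADIUS shared secrets in clear text; remove it once NPS is confirmed working.
Write-Host "Delete $exportFile after testing: it contains shared secrets in clear text."
```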

Migrate NPS Server (Server 2008)

On older OSs you don’t have the Export-NpsConfiguration and Import-NpsConfiguration PowerShell cmdlets, so you have to use the netsh command instead.

Export NPS with Netsh

[box]

netsh

nps

export filename="C:\NPS-Exported-NETSH.xml" exportPSK=YES

[/box]

Import NPS with Netsh

[box]

netsh

nps

import filename="C:\NPS-Exported-NETSH.xml"

[/box]

Remove NPS

Once you’ve waited long enough to be sure you no longer need the old NPS server you can remove it with the following commands.

[box]

netsh ras delete registeredserver

Uninstall-WindowsFeature NPAS

Restart-Computer

[/box]

Note: If you are removing from Server 2008 you may need to use Remove-WindowsFeature NPAS instead!

Related Articles, References, Credits, or External Links

NA

Disabling IPv6

Disabling IPv6 KB ID 0001832

Problem

Stop! Why do you want to disable IPv6? I see this regularly in forums, along with other unusual statements like “If you’re not using it, disable it” or “It’s just another attack vector, disable it.”

Well, unless you’re running Windows XP or Server 2012, you’re using IPv6. If something does not work and disabling IPv6 fixes it, then it’s usually because your network is not configured correctly (usually your routers are doing something called IPv6 address allocation*).

“From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system, and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6”

Reference.

Microsoft said that in 2016, and still there are people routinely disabling IPv6?

*Note: You can disable SLAAC (Stateless Address Autoconfiguration) on a Cisco router with the interface command “no ipv6 address autoconfig”.

Disabling IPv6 Alternative Solution

Before people accuse me of ‘not living in the real world’: if you have legacy equipment or ages-old applications you may need to consider ‘doing something about IPv6’, but your first action should be to prefer IPv4 over IPv6.

Prefer IPv4 over IPv6

Navigate to the following registry key.

[box]

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip6 > Parameters

[/box]

Create (or edit) a REG_DWORD (32-bit) value called DisabledComponents and, to prefer IPv4 over IPv6, set it to hexadecimal 20.

Or simply execute the following command from an administrative command window.

[box]

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 32 /f

[/box]

Disabling IPv6

I MUST STRESS: Only do this for troubleshooting, having IPv6 enabled is the preferred state.

From the same registry key above, set the DisabledComponents value to hexadecimal FF.

Or simply execute the following command from an administrative command window.

[box]

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 255 /f

[/box]
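A small PowerShell wrapper around the DisabledComponents value described above, as an added example that is not from the original article: it reports whether the ‘prefer IPv4’ bit (0x20) or the ‘disable’ value (0xFF) is in place, and can set either or put the key back to the Windows default. The function names are my assumptions; as with the REG ADD commands, a reboot is needed before a change applies.

```powershell
# Added example (not from the original article): read, set and revert the DisabledComponents
# value the article describes. Function names are mine; the only values interpreted are the
# article's 0x20 (prefer IPv4) and 0xFF (disable). Changes take effect after a reboot.
$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-Ipv6ComponentState {
    $raw = (Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents `
            -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $raw) { $raw = 0 }   # value absent = Windows default (IPv6 enabled and preferred)
    [pscustomobject]@{
        RawHex     = ('0x{0:X2}' -f $raw)
        PreferIPv4 = [bool]($raw -band 0x20)          # the article's "prefer IPv4 over IPv6" bit
        Disabled   = (($raw -band 0xFF) -eq 0xFF)     # the article's troubleshooting-only setting
    }
}

function Set-Ipv6ComponentState {
    param([Parameter(Mandatory)][ValidateSet('Default', 'PreferIPv4', 'Disable')][string]$Mode)
    switch ($Mode) {
        # Removing the value returns Windows to its default behaviour.
        'Default'    { Remove-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue }
        'PreferIPv4' { Set-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -Value 0x20 -Type DWord }
        'Disable'    { Set-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -Value 0xFF -Type DWord }
    }
    Write-Host "DisabledComponents set for '$Mode'; reboot for the change to take effect."
}

# Current registry state, then the live prefix policy table so the two can be compared
# (after a reboot with 0x20 set, the ::ffff:0:0/96 IPv4 entry has the highest precedence).
Get-Ipv6ComponentState
& netsh.exe interface ipv6 show prefixpolicies
```

Call Set-Ipv6ComponentState -Mode PreferIPv4 for the alternative solution above, and -Mode Default to undo it.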

Related Articles, References, Credits, or External Links

NA

Windows Remote VPN no DNS

VPN no DNS KB ID 0001402

Problem

I’ve been setting up a VPN solution on the test bench as I’m looking at Always On VPN, when I noticed that I had a problem with my remote VPN connections on Windows. They would connect fine but I could not resolve any FQDNs for my domain?

VPN no DNS Solution

By default, all (Windows) VPN connections are ‘Force Tunnel’ (this means they have the option ‘Use default gateway on remote network’ selected). This also means that (unless your RAS server is the default gateway for your network) you usually don’t have internet access when connected to the VPN.

Now I connected fine, and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain name; in fact Windows was trying to resolve my domain name to a public IP?

Google this problem and you’re simply told to ‘Disable IPv6 on your network card’, and this works (if you want to keep your remote users force-tunnelled). But disabling IPv6 is hardly a fix, is it?

Also, if you want internet access for your remote clients (commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled the problem comes back!

Why is this happening? Well, even with Force Tunnel enabled, you can still use your local LAN (connect to your VPN and ping your home gateway, printer or wireless access point if you don’t believe me!). This connection takes precedence over your remote VPN connection; to prove it, run a netstat -rn command.

From the above you can see my Ethernet adapter has a metric of 6, and my VPN connector (in this case called Connection Template) has a metric of 23. AND THE LOWEST ONE WINS, so your DNS queries are going out of your local internet connection, NOT down the VPN tunnel!

How Do I Fix this VPN no DNS?

Well, until Microsoft fixes this in Windows 10 (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so;

VPN no DNS On Your Physical Adapter;

Start > ncpa.cpl {enter} > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK > OK.

On Your VPN Connector;

Start > ncpa.cpl {enter} > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK > OK.

Now your DNS look-ups should behave!
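The same metric comparison and fix from PowerShell, as an added example that is not part of the original article: it shows the effective metric of each default route (what netstat -rn is read for above), applies the 20/10 values with Set-NetIPInterface, and shows which interface now owns the VPN’s DNS servers. The interface aliases are assumptions, and the VPN must be connected for its interface to exist.

```powershell
# Added example (not from the original article): shows the metric comparison the article
# makes with netstat -rn, then applies the same 20/10 values with Set-NetIPInterface.
# Assumptions: the adapter aliases below are mine; the VPN must be connected.
param(
    [string]$LanAlias = 'Ethernet',              # the physical NIC (see Get-NetAdapter)
    [string]$VpnAlias = 'Connection Template'    # the VPN connector name used in the article
)

function Show-DefaultRouteMetrics {
    # Lowest (RouteMetric + InterfaceMetric) wins, and that decides where DNS queries leave the box.
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric,
            @{ n = 'Effective'; e = { $_.RouteMetric + $_.InterfaceMetric } } |
        Sort-Object Effective | Format-Table -AutoSize
}

Write-Host 'Before:'; Show-DefaultRouteMetrics

foreach ($alias in @($LanAlias, $VpnAlias)) {
    if (-not (Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue)) {
        throw "Interface '$alias' not found (is the VPN connected?)"
    }
}

# Same as unticking 'Automatic Metric' in the GUI and typing the value in.
Set-NetIPInterface -InterfaceAlias $LanAlias -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 20
Set-NetIPInterface -InterfaceAlias $VpnAlias -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 10

Write-Host 'After:'; Show-DefaultRouteMetrics

# The DNS servers handed out over the VPN should now sit on the interface with the lower metric.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in @($LanAlias, $VpnAlias) } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
```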

Related Articles, References, Credits, or External Links

NA

NameSpace ‘Microsoft.Policies.WindowsStore’ Error

Microsoft.Policies.WindowsStore KB ID 0001817

Problem

While working in the Group Policy Management tool, upon expanding Administrative Templates I got this error.

Namespace ‘Microsoft.Policies.WindowsStore’ is already defined as the target namespace for another file in the store.

Solution: Microsoft.Policies.WindowsStore Error

This is because in your policy definitions there are two (four actually) files that are pointing to the same thing, and it’s not sure what to do. For the central store each ‘set of settings’ needs a settings file (ADMX) and a language file (ADML). There used to be one called WinStoreUI, and it was superseded (with an update) by WindowsStore.

The problem is the old WinStoreUI file is still in the definitions folder and both old and new are being read. You can safely ignore the error popup, but it will bug you every time you open Administrative Templates.

To demonstrate, two ADMX files.


And two ADML files.

Note: ADML files live in the language sub-folder in the policy definitions folder (in my case en-US); if you are elsewhere in the world your locale folder will have a different name.

All you need to do to fix the problem is delete the WinStoreUI files, firstly the WinStoreUI.adml file.


Then the WinStoreUI.admx file. Restart the Group Policy Management console, and the error should have ceased.
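The general version of the problem above, as an added example that is not from the original article: any two ADMX files in a PolicyDefinitions folder that declare the same target namespace will trigger this error, so the script parses each ADMX, groups them by namespace and lists the clashing pairs together with their ADML files in every language folder. The default path (the domain central store) and the function name are my assumptions.

```powershell
# Added example (not from the original article): reports ADMX files that declare the same
# target namespace, which is exactly what produces the "already defined as the target
# namespace for another file" error. Default path and function name are my assumptions.
param(
    [string]$PolicyDefinitions = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
)

function Get-AdmxNamespaceConflict {
    param([Parameter(Mandatory)][string]$Path)

    $languageDirs = Get-ChildItem -LiteralPath $Path -Directory          # en-US, de-DE, ...
    $entries = foreach ($file in Get-ChildItem -LiteralPath $Path -Filter *.admx -File) {
        try {
            [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
            # Every ADMX declares one target namespace under policyDefinitions/policyNamespaces/target.
            $ns = $doc.policyDefinitions.policyNamespaces.target.namespace
            # The matching .adml lives in each language sub-folder, as the article notes.
            $adml = foreach ($dir in $languageDirs) {
                $candidate = Join-Path $dir.FullName ($file.BaseName + '.adml')
                if (Test-Path -LiteralPath $candidate) { $candidate }
            }
            [pscustomobject]@{ Namespace = $ns; Admx = $file.FullName; Adml = @($adml) }
        } catch {
            Write-Warning "Could not parse $($file.Name): $_"
        }
    }

    # Two or more ADMX files sharing a namespace is the conflict; report them together.
    $entries | Group-Object Namespace | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Namespace = $_.Name
            Admx      = @($_.Group.Admx)
            Adml      = @($_.Group.Adml) | Sort-Object -Unique
        }
    }
}

$conflicts = @(Get-AdmxNamespaceConflict -Path $PolicyDefinitions)
if ($conflicts.Count -eq 0) {
    Write-Host "No duplicate target namespaces under $PolicyDefinitions"
} else {
    # In the article's case this pairs WindowsStore.admx with WinStoreUI.admx; the superseded
    # file and its .adml copies are the ones to remove.
    $conflicts | Format-List
}
```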

Related Articles, References, Credits, or External Links

NA

Disable LLMNR and NetBIOS (via GPO)

Disable LLMNR and NetBIOS KB ID 0001816

Problem

LLMNR is a protocol that’s used in both IPv4 and IPv6 networks to provide name resolution (in the absence of DNS); the problem with it is that it is wide open to exploitation and can be used to perform a MITM attack on your network. NetBIOS is much older and associated with IPv4 networks only. Really old Microsoft OSs used to rely on it heavily, but these days it’s pretty much redundant*.

*Note: Unless you have Windows Server NT/2000/2003 or Windows 2000/XP floating around, or some older flavours of Linux that need to talk to your Microsoft server estate, which may still rely on NetBIOS.

NetBIOS itself is not actually a protocol (depending on who you ask, let’s not have an argument). It’s actually much older than the old Windows systems that are synonymous with its use; the actual protocol that’s used is NetBEUI.

Solution: Disable LLMNR and NetBIOS

Step 1: Disable LLMNR

Disabling LLMNR is as easy as peas, there’s a GPO setting for it. NetBIOS is more of a challenge because it’s enabled/disabled per network connection, and each network connection on each machine has a different identifier in the registry, so we can’t even use a GPP to set the registry key. The only way to do this practically is with a script, called from Group Policy, that disables NetBIOS on ALL network cards.

Create (or edit an existing) Group Policy Object that is linked to the OU that your computers are in.

Navigate to;

[box]

Computer Configuration > Policies > Administrative Templates > Network > DNS Client > Turn off Multicast name resolution

[/box]

Enable the Policy > Apply > OK.

Step 2: Disabling NetBIOS (For Static IP Clients)

Remember this protocol is pretty much dead now, but it is worth just firing up Wireshark and having a sniff round the network to make sure nothing is still using it, to be on the safe side.

Copy the following PowerShell script;

[box]

# Relaunch elevated if the script is not already running as an administrator
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Break
}
# Every network interface has its own sub-key here; NetbiosOptions 2 = Disable NetBIOS over TCP/IP
$regkey = "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey | ForEach-Object { Set-ItemProperty -Path "$regkey\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose }

[/box]

Note: Before you all start emailing in, yes it does a credentials check to make sure you have the right to perform the change – and yes I am aware startup scripts run under the system account (so there’s no need to do this), but people can use this script universally if I leave that in.

Save the script somewhere that’s shared, or simply \\{Domain-Name}\Sysvol\{Domain-Name}\Scripts

Then back in your Group Policy Management console, navigate to;

[box]

Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup

[/box]

Add a New Script > PowerShell Scripts > Add > Browse > MAKE SURE you browse to the network location of the script > Open > OK > Apply > OK.

To test: go to a client this policy is applied to and look at its network card properties; it should show “Disable NetBIOS over TCP/IP”.

Step 3: Disabling NetBIOS (For DHCP Clients)

If your end clients get their IP addresses from a DHCP server, you can disable this (PER SCOPE) on your DHCP server. Locate the scope you want to work on > Scope Options > Configure Options > Advanced > Microsoft Windows 2000 Options > Tick Option 001 > Change the entry to 0x2 > Apply > OK.
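A client-side check for all three steps, as an added example that is not from the original article. It reads the LLMNR policy value, the per-adapter NetBIOS setting the startup script writes, and (because a DHCP client served option 001 keeps the registry at its default) what is actually listening on the LLMNR and NetBT ports. The function name is my assumption.

```powershell
# Added example (not from the original article): verifies on a client that LLMNR is off by
# policy and that NetBIOS over TCP/IP is disabled, whether that came from the startup script
# (registry = 2) or from DHCP option 001 (registry stays 0, so the port check is what counts).
function Test-NameResolutionHardening {
    # "Turn off multicast name resolution" = Enabled writes EnableMulticast = 0 here.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
        -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrPolicy = ($null -ne $pol) -and ($pol.EnableMulticast -eq 0)

    # TcpipNetbiosOptions: 0 = default (use DHCP setting), 1 = enabled, 2 = disabled.
    # 2 is the value the article's script writes as NetbiosOptions under the NetBT Interfaces keys.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter       = $_.Description
                DhcpEnabled   = $_.DHCPEnabled
                NetbiosOption = $_.TcpipNetbiosOptions
            }
        }

    # Effective state: LLMNR listens on UDP 5355; NetBT on UDP 137/138 and TCP 139.
    $llmnrPorts = @(Get-NetUDPEndpoint -LocalPort 5355 -ErrorAction SilentlyContinue)
    $nbtUdp     = @(Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue)
    $nbtTcp     = @(Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue)
    $nbtCount   = $nbtUdp.Count + $nbtTcp.Count

    [pscustomobject]@{
        LlmnrPolicyDisabled = $llmnrPolicy
        LlmnrListening      = ($llmnrPorts.Count -gt 0)
        NetbiosListening    = ($nbtCount -gt 0)
        Adapters            = $adapters
        Compliant           = ($llmnrPolicy -and ($llmnrPorts.Count -eq 0) -and ($nbtCount -eq 0))
    }
}

$result = Test-NameResolutionHardening
$result.Adapters | Format-Table -AutoSize
$result | Select-Object LlmnrPolicyDisabled, LlmnrListening, NetbiosListening, Compliant | Format-List
```

An adapter showing NetbiosOption 0 with NetbiosListening False is a DHCP client getting the setting from option 001; the same adapter on a static client means the startup script has not run yet.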

Related Articles, References, Credits, or External Links

NA

Upgrade Server 2012 (In Place)

Upgrade Server 2012 KB ID 0001802

Server 2012 End Of Life

Windows Server 2012 (and Windows Server 2012 R2) will go end of life on October 10th 2023. Start planning to migrate your production workloads off this platform as soon as you can.

I’ve mentioned before on the site that I’m not a fan of ‘in place’ upgrades: you get to migrate all the ‘broken bits’ (that you didn’t realise were broken), and if the process goes wrong, the best case scenario is that you are going to be restoring from backup.

What can I upgrade to? Well essentially, your target is to upgrade to Server 2019 (not Server 2022, that’s not supported).

Upgrade Server 2012 Pre Requisites

Licenses: Just because you’re legally running Server 2012 does not mean you can upgrade to Server 2019, unless you have Software Assurance. If you’re wondering whether you have Software Assurance you probably do not (typically you buy it on a three year deal with the option to extend it to five years, and it’s VERY expensive). So if you don’t know, you probably DON’T have Software Assurance, and you will need to purchase a new agreement or buy new retail copies of Server 2019.

You will require a Windows key for the new server (or KMS services set up that will allocate a Server 2019 key to the newly upgraded server).

CALs/SALs (chances are you WON’T have SALs, but if you do then speak to your MSP). You will need the correct number of user/device CALs for Server 2019 before you start your upgrade.

Backup Support: Does your backup solution support Server 2019?

Application Support: Does your AV software, endpoint protection solution, or Managed Detection and Response system support Server 2019? Make sure you check this list for Microsoft application support, and ensure any third party applications are supported by the vendor.*

*I cannot stress this enough: I work for a major MSP, and most clients are astounded when we won’t simply upgrade their old server(s) from 2012, because we simply cannot guarantee that THEIR applications will work successfully on a newer version of Windows Server.

Hardware Support: Most servers are virtual these days, so this is less of an issue, but the machine/VM being upgraded needs to meet the minimum hardware requirements for Server 2019.

Updates: MAKE SURE your existing 2012 server is up to date (and the applications are patched as much as possible!)

Maintenance Window: During the upgrade the server will be offline to users for as long as a normal OS install, but you will need to plan in additional time for testing applications (post OS upgrade), then programming in any maintenance timings, and arranging and planning any CAB.

Snapshot: If you’re running in a virtual environment, then take a snapshot (or Checkpoint if you are running Hyper-V).

Backup: Before even entertaining the idea of upgrading the server, make sure you have a good backup. I would make sure I could restore from backup successfully before even attempting an in place upgrade on a production server running 2012/2012 R2. In fact, if you’re risk averse, upgrade the restored server itself!

WARNING: Make sure the media you use to upgrade is up to date. While Windows Server has a mainstream support date of 9th January 2024, some earlier versions may not be supported. ENSURE you are using build 1809 Long-Term Servicing Channel (LTSC) or newer.

If you are in doubt about any role or application that may not work (post in place upgrade), then clone your machine and test the upgrade on an isolated network beforehand.

Upgrade Server 2012 (Domain Controllers)

Other posts say this is not possible, but that is not true (with some caveats). But it’s so much easier to build a new member server with Server 2019/2022, extend the forest and domain, promote the new server to be a DC, and demote the old server(s).

If you attempt to in place upgrade a 2012 domain controller, Windows MAY stop the in place upgrade with the following error;

Active Directory on this server does not contain Windows Server ADPREP / FORESTPREP updates.

Which makes sense (if you’ve ever done any domain upgrades or migrations). Before a 2019 DC can be introduced into a domain the forest and domain need to be prepared (the schema extended). You can either (on this or another DC) run adprep.exe /forestprep and adprep.exe /domainprep from the 2019 install media (look in the support\adprep folder).

Note: Make sure you’re logged in as a member of the Schema Admins group!

Obviously if you’ve already run forestprep and domainprep and already have 2019 domain controllers, this error will not appear and the server will simply upgrade.

Upgrade Server 2012 (Exchange Server)

NO! Just don’t do this. Exchange on-premises is designed to be ‘swing migrated’ to a newer version. If you need to do this then PeteNetLive is littered with upgrade run-throughs, even if you are on older versions of Exchange.

Migrate Exchange 2010 to Exchange 2016 (& 2013)

Exchange 2019 Migration from Exchange 2016 (&2013)

Upgrade Server 2012 (SQL Server)

We are in murky waters here! Server 2019 (at time of writing) does not support anything OLDER than SQL 2014. So you may need to upgrade your SQL instances before you consider upgrading the OS. Every single time I’ve ever replaced a SQL server (and I’ve been doing this for over 20 years now) I’ve built a new one, migrated the databases, and then the application vendor has installed ‘whatever’ application or website required the database.

Also Server 2019/2022 have particular SQL CU level requirements!

If some SQL Jedi walks in here I’d welcome any comments below. But for me it’s a no!

Upgrade Server 2012 / 2012 R2 to Server 2019 (In Place)

By this point you’re adamant you DON’T want to build a new server and migrate your apps and data, and you’ve understood all the prerequisites and warnings above.

Before starting, Microsoft recommends that you gather some information: run the following commands, take the information dumped into text files and put it safely elsewhere.

[box]

Systeminfo.exe >> SystemInfo.txt
ipconfig /all >> IPConfig.txt

[/box]

Then take a copy of the contents of the following two registry values;

[box]

HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx

HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionID

[/box]

Note: I lost the will to live trying to work out how to dump those two values into a text file with PowerShell 5.1 (there’s a challenge for you!)
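The pre-upgrade information gathering as one PowerShell script, an added example that is not from the original article. It writes the two text dumps, reads BuildLabEx and EditionID (Get-ItemPropertyValue is available in PowerShell 5.x), records the installed roles, and checks that the install media is at least build 17763 (the 1809 LTSC release the warning above requires). The output folder and the media drive letter are my assumptions.

```powershell
# Added example (not from the original article): collects the pre-upgrade information the
# article lists, including the two registry values, and checks the media build.
# Assumptions: output folder and mounted-ISO drive letter below are mine.
param(
    [string]$OutDir    = "C:\PreUpgrade-$(Get-Date -Format yyyyMMdd-HHmm)",
    [string]$MediaRoot = 'D:\'            # where the Server 2019 ISO is mounted
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. The two text dumps from the article.
systeminfo.exe    | Out-File (Join-Path $OutDir 'SystemInfo.txt')
ipconfig.exe /all | Out-File (Join-Path $OutDir 'IPConfig.txt')

# 2. BuildLabEx and EditionID from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
$ntVer      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$buildLabEx = Get-ItemPropertyValue -Path $ntVer -Name BuildLabEx
$editionId  = Get-ItemPropertyValue -Path $ntVer -Name EditionID
@("BuildLabEx=$buildLabEx", "EditionID=$editionId") |
    Out-File (Join-Path $OutDir 'RegistryValues.txt')

# 3. Installed roles and features: handy when something is missing after the upgrade.
Get-WindowsFeature | Where-Object Installed | Select-Object Name, DisplayName |
    Export-Csv (Join-Path $OutDir 'InstalledFeatures.csv') -NoTypeInformation

# 4. Media check: 1809 LTSC is build 17763; anything older is not a supported upgrade source.
$wim = Join-Path $MediaRoot 'sources\install.wim'
if (Test-Path -LiteralPath $wim) {
    $img   = Get-WindowsImage -ImagePath $wim -Index 1
    $build = ([version]$img.Version).Build
    "Media image: $($img.ImageName) $($img.Version)" | Tee-Object -FilePath (Join-Path $OutDir 'Media.txt')
    if ($build -lt 17763) { Write-Warning "Install media is build $build, older than 1809 (17763); use newer media." }
} else {
    Write-Warning "No install.wim under $MediaRoot (ESD-based media keeps it in sources\install.esd)"
}

Write-Host "Inventory written to $OutDir; copy this folder off the server before upgrading."
```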

Present the Server 2019 install media to your 2012 server, locate and run setup.exe.

It will ask to check for updates; let it do so > Next.

If you are installing a ‘retail’ version of Windows Server, at this point it will ask for the licence key >

Call me an old traditionalist, I require a graphical user interface > Next.

I believe that someone at Microsoft should be made to read one of these out loud for EVERY copy of Windows it sells; seriously, they could put anything in here. Now that your firstborn’s soul belongs to Microsoft > Accept.

The whole point is to retain our data! > Next.

It will now run through its pre-flight checks, pull down any updates and make sure it’s happy. When finished it will warn you if there are any potential problems. Here it’s complaining about my monitor driver (probably because it’s using the Windows Update download one, and not the VMware Tools one, to be fair). I know this won’t cause me any problems, so I can click Confirm >

Last chance to bail out! Install.

One hour and twenty five minutes later,

In Place Upgrade of Server 2012 Running Certificate Services

Can you do this? Yes – even if you have a multi-tier PKI deployment. See here.


Related Articles, References, Credits, or External Links

In Place Upgrade Windows 2016 to Windows 2019

Windows Update Error 80072EFE

80072EFE Error KB ID 0001801

Problem

Seen on versions of Windows built from ‘older’ versions of the install media; when attempting to check for updates you may see.

Error(s) found:

Code 80072EFE Windows update ran into a problem

80072EFE Update Error Resolution

At first (because it was a newly built machine) I thought the problem was an incorrect time zone, time, or locale.

But that’s NOT the problem; you’re stuck in a ‘catch 22’, where the update components need to update, but they can’t update because the update components are too old! So to fix the problem you need to manually update them. Search for and install KB2937636.

Then reboot the server, and attempt updating again.

Related Articles, References, Credits, or External Links

NA

Migrate DHCP Scope(s)

Migrate DHCP KB ID 0001792

Problem

If you have a lot of DHCP scopes, options, or reservations, then manually creating them on your new DHCP server can be both a time consuming and tedious process. If only there was an easier way?

Migrate DHCP with Netsh

Below you can see an example, where I have many scopes and lots of settings that would be painful to have to recreate from scratch. This example is on Server 2008 R2, but your source server could be Server 2000 (or newer); the export procedure is the same.

Open an administrative command window, and issue the following command.

[box]

netsh dhcp server export C:\dhcp-export.txt all

[/box]

Now on the source DHCP server I’m stopping and disabling the DHCP Server service. In production you might want to wait until you are about to authorise the new 2022 DHCP server before doing this, to minimise downtime.

Copy the exported text file from the old DHCP server, to the new server.

Migrate DHCP: Install DHCP on Windows Server (via PowerShell)

Open an administrative PowerShell window, and issue the following command.

[box]

Install-WindowsFeature DHCP -IncludeManagementTools

[/box]

Then import the settings with the following command.

[box]

netsh dhcp server import C:\dhcp-export.txt all

[/box]

Go to Administrative Tools > DHCP > You should see your migrated information in here; the DHCP scopes will be down (because the server has not yet been authorised in AD). Right click the server name, and select Authorise.

Note: At this point ENSURE the old DHCP server has had its DHCP server service stopped and disabled.

Wait a few seconds and then restart the DHCP Server service, (this can be done as shown below).

After a few seconds, the new scopes should be up and getting served.
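The new-server side of the migration as one script, an added example that is not from the original article: install the role, import the netsh export, authorise this server in AD from PowerShell (the equivalent of the right-click above), restart the service and list the scopes. It assumes the export was copied to the path the article uses.

```powershell
# Added example (not from the original article): the new-server half of the migration as one
# script. Assumes C:\dhcp-export.txt was copied from the old server, as in the article.
$exportFile = 'C:\dhcp-export.txt'
if (-not (Test-Path -LiteralPath $exportFile)) { throw "$exportFile not found; copy it from the old server first." }

# 1. Install the role if it is not already present.
if ((Get-WindowsFeature -Name DHCP).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name DHCP -IncludeManagementTools | Out-Null
}

# 2. Import scopes, options, reservations and leases from the netsh export.
& netsh.exe dhcp server import $exportFile all
if ($LASTEXITCODE -ne 0) { throw "netsh import failed with exit code $LASTEXITCODE" }

# 3. Authorise this server in AD (same as right-click > Authorise in the console). Only do this
#    once the old server's DHCP Server service is stopped and disabled, so two servers never answer.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if (-not (Get-DhcpServerInDC | Where-Object DnsName -eq $fqdn)) {
    Add-DhcpServerInDC -DnsName $fqdn
}
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize

# 4. Restart so the service picks up the authorisation and starts serving the scopes.
Restart-Service -Name DHCPServer
Start-Sleep -Seconds 5

# 5. Review the imported scopes. State is the administrative state carried over from the export;
#    authorisation (the console's up/down arrow) is what step 3 confirmed above.
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, State, StartRange, EndRange -AutoSize
$inactive = @(Get-DhcpServerv4Scope | Where-Object State -ne 'Active')
if ($inactive.Count -gt 0) {
    Write-Warning "Scopes imported as Inactive: $($inactive.ScopeId -join ', ')"
}
```

A scope reported as Inactive here was exported in that state; activating it is done per scope with Set-DhcpServerv4Scope -ScopeId <id> -State Active.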

Related Articles, References, Credits, or External Links

NA