Find Domain Schema Version

KB ID 0000025

Problem

You want to upgrade or find out your current Schema version, or check that an “adprep /forestprep” command has worked correctly.

Solution

Find Domain Schema Version: PowerShell

Use the following syntax;
[box]

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectversion

[/box]

Post Server 2016 Find Domain Schema Version

The value is populated with Server 2016 again.

If you check the value above on a domain that has Windows 2012 domain controllers, you will see the value is ‘not set’.

If the entry is blank, navigate to this registry key instead;

[box]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters[/box]

Locate the ‘Schema Version’ value. Note: the figure in brackets is the decimal value!

Find Domain Schema Version For Windows Servers Before 2012 RTM

1. For Windows Server 2003 you will need to Install the Support Tools on your server. (2008, 2008 R2, and 2012 have the tools built in).

2. Press (Windows Key+R) > adsiedit.msc > {enter}

3. Right Click > CN=Schema,CN=Configuration,DC=domain,DC=com > Properties

Note: If you cannot see this you need to select “Connect To” then pick “Schema”.

4. On the Attribute Editor tab > Locate objectVersion.

 

What Are The Windows Server Schema Versions?

20: Windows 2000

30: Windows 2003 RTM, Windows 2003 SP1, and Windows 2003 SP2

31: Windows 2003 R2

44: Windows Server 2008 RTM

47: Windows Server 2008 R2 (and SBS 2011)

56: Windows Server 2012 RTM

69: Windows Server 2012 R2

87: Windows Server 2016 RTM

88: Windows Server 2019 RTM

88: Windows Server 2022

91: Windows Server 2025
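To confirm that a schema update has reached every domain controller, the same objectVersion query can be run against each DC and translated with the table above. This is an added example, not part of the original article; it assumes the ActiveDirectory module is available and only enumerates the domain controllers of the current domain.

```powershell
Import-Module ActiveDirectory

# Version table copied from the list in this article (88 covers 2019 and 2022).
$SchemaNames = @{
    20 = 'Windows 2000'
    30 = 'Windows 2003 RTM / SP1 / SP2'
    31 = 'Windows 2003 R2'
    44 = 'Windows Server 2008 RTM'
    47 = 'Windows Server 2008 R2 (and SBS 2011)'
    56 = 'Windows Server 2012 RTM'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016 RTM'
    88 = 'Windows Server 2019 RTM / Windows Server 2022'
    91 = 'Windows Server 2025'
}

# Ask every DC in the current domain for its own copy of the schema version.
$schemaDn = (Get-ADRootDSE).schemaNamingContext
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $version = $null
    try {
        $version = (Get-ADObject -Identity $schemaDn -Server $dc.HostName `
                        -Properties objectVersion -ErrorAction Stop).objectVersion
        if ($null -eq $version) {
            $name = 'not set'
        } elseif ($SchemaNames.ContainsKey([int]$version)) {
            $name = $SchemaNames[[int]$version]
        } else {
            $name = 'not in table'
        }
    } catch {
        $name = "query failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ DomainController = $dc.HostName; ObjectVersion = $version; Schema = $name }
}
$results | Format-Table -AutoSize

# More than one distinct value means the update has not replicated everywhere
# (or a DC could not be queried).
$groups = @($results | Group-Object ObjectVersion)
if ($groups.Count -gt 1) {
    Write-Warning 'Domain controllers report different schema versions; check replication.'
} else {
    Write-Output "All queried domain controllers report schema version $($groups[0].Name)."
}
```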

Related Articles, References, Credits, or External Links

NA

Certificate Services 0xc8000202 Error

KB ID 0001639

Problem

You will see this error if you are migrating a Certificate Services Server from Server 2008, (NOT Server 2008 R2) to Windows Server 2016, (or newer).

Version of log file is not compatible with the Jet version 0xc8000202 (ESE: 514 Jet_errBadLogVersion)

You will also see the following events logged;

Event ID 17

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: xx/xx/xxxx xx:xx:xx
Event ID: 17
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: 2019-CA.migrate.com
Description:
Active Directory Certificate Services did not start: Unable to initialize the database connection for MIGRATE-CA. Version of log file is not compatible with Jet version 0xc8000202 (ESE: -514 JET_errBadLogVersion).

Event ID 454

Log Name: Application
Source: ESENT
Date: 1xx/xx/xxxx xx:xx:xx
Event ID: 454
Task Category: Logging/Recovery
Level: Error
Keywords: Classic
User: N/A
Computer: 2019-CA.migrate.com
Description:
certsrv.exe (1268,P,98) Restore0001: Database recovery/restore failed with unexpected error -514.

Event ID 640

Log Name: Application
Source: ESENT
Date: xx/xx/xxxx xx:xx:xx
Event ID: 640
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: 2019-CA.migrate.com
Description:
certsrv.exe (1268,P,98) Restore0001: Error -1919 validating header page on flush map file “C:\Windows\system32\CertLog\{CA-Name}.jfm”. The flush map file will be invalidated.
Additional information: [SignDbHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignFmHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignDbHdrFromFm:Create time:01/17/2020 22:30:48.514 Rand:248810345 Computer:] [SignFmHdrFromFm:Create time:01/17/2020 22:30:48.529 Rand:4091580707 Computer:]

Solution

OK, if you followed a good CA migration guide like mine here, then you already have a copy of the Database, CA certs, Private keys, and Registry settings. So you are good, don’t panic.

This has happened because the source Jet Database that Certificate Services used on the old 2008 Server, (Note: not 2008 R2) is simply too old to be upgraded straight to the one on Server 2016 or newer.

You need to spin up a 2012 R2 server, migrate Certificate Services onto that, then migrate to Server 2016 (or 2019) from there.

Related Articles, References, Credits, or External Links

NA

VMware vSphere Hot Add and Hot Plug

KB ID 0000527 

Problem

I was trying to hot add some memory to a VM the other day, and found the option grayed out. Normally I’d just down the VM, add the memory, then bring it back up. But it was a production server and I was pretty sure the OS supported it.

A quick Google search told me why it was grayed out, but it also transpired there was little to no information on what version of Windows hot add and hot plug would work with.

Solution

I’m not going to argue the semantics of the differences between “hot add” and “hot plug”; if I’m talking about hot add I’m talking about memory, if I’m talking about hot plug I’m talking about adding CPUs. You also need to be aware that, to date, few OSs support hot remove or hot unplug. If you try you will see the following;

vSphere version 6 or 6.5 (Hot Unplug )

It simply won’t let you lower the value;

Note: With a supported OS (i.e. Server 2016 and 2019) you CAN hot remove CPU.

vSphere version 5.0 or 5.5

Hot Add Memory/ CPU in vSphere 6 & 6.5

As with earlier versions of vSphere, to enable hot plug or hot remove, the machine has to be shut down. Then the option can be enabled. Select the VM > Edit Settings.

Memory: Virtual Hardware > Memory > Tick ‘Memory Hot Plug’ > Save.

CPU: Virtual Hardware > CPU > Tick ‘Enable CPU Hot Add’ > Save.

Hot Plug, Hot Add  in the vSphere HTML5 Client

Hot Add Memory/ CPU in vSphere 5 & 5.5

As for memory and CPU settings you will probably see what I was seeing. Both the options are not changeable.

2. Sorry but to enable this feature you need to power off the client machine, then when you edit its settings > Options > Advanced > Memory/CPU_Hotplug > You can enable hot add and hot plug > OK . Power the VM back on again.

3. Now you will see you have the option to hot add memory and hot plug CPUs.

What Operating Systems support this?

Like I said above, I did some testing because information is thin on the ground, this is what I was actually able to make work.

With 2008 R2 Standard

1. As you can tell from the table memory hot add will work but to add a CPU will need a reboot. Before I started I had 2 CPUs and 4GB of memory.

2. Let’s add more memory and CPUs.

3. For all machines I tested there was a lag, sometimes as little as 3-5 seconds, other times as long as 15-20 seconds, during this time you will see some processor and memory usage spikes. But as shown the memory eventually becomes available.

4. Post reboot, your extra CPUs will appear.

With 2008 R2 Enterprise and Datacenter

1. Note I’m using Datacenter here, but Enterprise is the same. I increased the memory from 4 to 5 GB, And added a further 3 CPUs.

2. It does work, you simply need to restart the “Task Manager” to reflect the increased CPU count.

3. Finished.

Related Articles, References, Credits, or External Links

NA

PowerShell: Bulk Enable / Disable Users

KB ID 0001469

Problem

I needed to work out how to bulk disable some domain users from a .CSV file this week, so I thought I’d write it up.

Disable Domain Users in Bulk from CSV

Well firstly, you need to have your users in a CSV file. For the live job I just exported all the SamAccountNames to a CSV, but here for testing I just loaded a few in manually;

Then execute the following two commands;

[box]

Import-Module ActiveDirectory 

Import-Csv -Path "C:\Temp\Users-To-Disable.csv" | ForEach-Object {Set-ADUser -Identity $_.'User-Name' -Enabled $false}

[/box]

Let’s have a quick check, and sure enough they are disabled.

Enable Domain Users in Bulk from CSV

To re-enable them, we just need to change one word in the command, (from false to true).

[box]

Import-Module ActiveDirectory 

Import-Csv -Path "C:\Temp\Users-To-Enable.csv" | ForEach-Object {Set-ADUser -Identity $_.'User-Name' -Enabled $true}

[/box]

A quick refresh and our users are enabled again!
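For a live job, a more defensive form of the same one-liner is worth having: it previews the change first, skips names that do not resolve, refuses to touch the built-in Administrator and krbtgt accounts, and writes an audit log. This is an added example, not the original author's script; the log path and the $DryRun switch are assumptions, while the CSV path and ‘User-Name’ column are the ones used above.

```powershell
Import-Module ActiveDirectory

$CsvPath = 'C:\Temp\Users-To-Disable.csv'       # same file and 'User-Name' column as above
$LogPath = 'C:\Temp\Users-To-Disable-Log.csv'   # hypothetical audit log location
$Enabled = $false                               # $false disables, $true re-enables
$DryRun  = $true                                # preview only; set to $false to apply

$log = foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = "$($row.'User-Name')".Trim()
    if (-not $sam) { continue }                 # ignore blank rows
    $user = $null
    $result = 'Unchanged'
    try {
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        if ($user.SID.Value -match '-(500|502)$') {
            # RID 500 = built-in Administrator, RID 502 = krbtgt
            $result = 'SkippedProtected'
        } elseif ($user.Enabled -ne $Enabled) {
            Set-ADUser -Identity $user -Enabled $Enabled -WhatIf:$DryRun -ErrorAction Stop
            $result = if ($DryRun) { 'WouldChange' } else { 'Changed' }
        }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $result = 'NotFound'                    # typo or stale name in the CSV
    } catch {
        $result = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Time           = Get-Date -Format s
        SamAccountName = $sam
        WasEnabled     = $user.Enabled
        TargetEnabled  = $Enabled
        Result         = $result
    }
}

# Keep a record of what was (or would be) changed, then summarise by outcome.
$log | Export-Csv -Path $LogPath -NoTypeInformation
$log | Group-Object Result | Select-Object Name, Count
```

Run it once with $DryRun left at $true and review the log before applying the change.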

Related Articles, References, Credits, or External Links

NA

Ubuntu – Joining / Logging into Windows Domains

KB ID 0000384

Problem

You have a Linux client machine, and you want to authenticate to, and log into a Windows domain. I don’t have too much history with Linux, but from what I’ve read this used to be a nightmare. Using Ubuntu (10.10) I did have a couple of hiccups, but I did get there in the end.

Note: The domain controller is a Windows 2008 R2 Server.

Solution

Notes

1. The commands needed to install the “likewise-open5” package, and join the domain, (assuming the FQDN of the domain is domaina.com and the user name you are using to join the domain is administrator).

[box]

sudo apt-get install likewise-open5
sudo domainjoin-cli join domaina.com administrator
sudo reboot

[/box]

2. Then to allow users to logon from the Ubuntu welcome screen,

[box]sudo nano /etc/samba/lwiauthd.conf[/box]

3. Add the following line (the file will probably be empty), to Save press CTRL+X, then Y, then {enter}.

[box]winbind use default domain = yes[/box]

4. Then reboot.

[box]sudo reboot[/box]

5. To allow sudo for the domain user(s),

[box]sudo nano /etc/sudoers[/box]

Locate the line that reads “#Members of the Admin group may gain root privileges and do the following:”. Below that, type the following (assuming the domain name is domaina and the user is a member of the domain admins group, domain^users also works).

[box]%domaina\\domain^admins ALL=(ALL) ALL[/box]

Problem 1

Error: Lsass Error [code 0x00080047]

9502 (0x251E) DNS_ERROR_BAD_PACKET – A bad packet was received from a DNS server. Potentially the requested address does not exist.

 

This plagued me for a while. I tried everything I read online: making sure that my time was correct (which it wasn’t, see below), making sure firewalls were off (they were), making sure your DNS has a reverse lookup zone (mine has), and finally making sure there are no existing DNS records for the IP address you are connecting with (mine did, so I deleted them). None of these fixed the problem; the fix is annoyingly simple.

FIX

Firstly, make sure that the Ubuntu client is looking at your domain DNS server for its DNS. The following command will tell you;

[box]cat /etc/resolv.conf[/box]

Then get the domain syntax right, in my case the domain name.

[box]

[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator
[WONT WORK] sudo domainjoin-cli join domaina administrator
[WONT WORK] sudo domainjoin-cli join DOMAINA administrator

[/box]

And then it connected faultlessly.

Problem 2

Error: Lsass Error [code 0x00080047]

5 (0x5) ERROR_ACCESS_DENIED – Access is denied.

This turned out to be a variation on the problem above; if you put in the domain name in UPPER CASE you will see this error.

[box]

[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator

[/box]

If you would like to add your domain user(s) to the welcome screen click here.

Update 04/01/12

Attention:  PeteNetLive – Suggestion 

Message: Hi,

Thanks very much for your YouTube and description of joining Ubuntu to a domain. There was however one step extra that I needed to do to enable the logon screen to show users other than the local user and the guest account. To do this I had to add the following line to /etc/lightdm/lightdm.conf

greeter-show-manual-login=true

I was joining Ubuntu 12.10 to the domain so maybe it is specific to 12.10 since you didn’t experience it but it would be good to add it to your article along with the other fixes to issues.

Thanks again.

From: Roland Elferink

Related Articles, References, Credits, or External Links

Thanks to Roland Elferink for the update.

Original Article written 27/01/11

Windows – Explorer Has Stopped Working – Crashes Windows

KB ID 0000388 

Problem

Spend any time working in Windows and sooner or later something will upset Windows Explorer, and when it crashes it has a habit of taking something with it (usually your desktop experience, or something you’ve been working on and have not saved!).

The underlying problem can be anything from some poorly coded software, a dodgy device driver, or a wayward Windows update. But you can offset the problem by running Windows Explorer folder windows in a separate process, then if it does fail, it won’t break anything else.

Warning: there is a slight performance overhead to doing this, but if you have a reasonable machine, crack on!

 

Solution

1. Open Windows Explorer (Windows Key +E)

2. Click Tools > Folder Options > View > Place a tick next to “Launch folder windows in a separate process” > Apply.

Note: If you can’t see the Tools Menu Press F10.

 

Related Articles, References, Credits, or External Links

NA

Windows – Get a List of all Installed Programs (and Updates)

KB ID 0000619

Problem

I needed to get a list of installed programs from a server I was having problems with, so I could compare the results with another server. Note: This will work on Windows client OS’s as well.

Solution

1. On the machine in question launch a command window.

2. To display all the installed programs execute the following two commands;

[box]
WMIC

product get name,version [/box]

3. To export all the installed programs to a text file (c:\ProgramList.txt) execute the following two commands;

[box]
WMIC

/output:c:\ProgramList.txt product get name,version [/box]

4. Here’s the sort of information you can get.

5. To export all the installed updates to a text file (c:\UpdateList.txt) execute the following two commands;

[box]
WMIC

/output:C:\UpdateList.txt QFE get [/box]

Note: You can get a list of updates by running the ‘systeminfo’ command but this gives you much more information.

6. Here’s the sort of information you can get.

 

Related Articles, References, Credits, or External Links

NA

Enable Aero for RDP “One or more of the themes has been disabled by Remote Desktop Connection settings”

KB ID 0000647 

Problem

If you have enabled Aero on your remote machine, when you connect to it via RDP you will see this error, (if you try and change the theme to Aero).

One or more of the themes has been disabled by Remote Desktop Connection settings

Solution

1. Close your RDP session, and launch the RDP client software again > Options > Experience > Place a tick in “Menu and window animation”.

2. Reconnect to your machine.

Related Articles, References, Credits, or External Links

NA

Windows Server – Fine Grained Password Policies

KB ID 0000765 

Problem

Before Server 2008, if you wanted more than one password policy, you had to create a sub domain just to do that! With Server 2008 we were given fine grained password policies, which were fine (if a little clunky), and involved you creating ‘Password Settings Objects’.

They were a pain if you were not used to them e.g. five minutes is entered as 00:00:05:00. But now Microsoft have made things a LOT EASIER (though they made a good job of hiding it!).

Solution

1. From Server Manager (ServerManager.exe) > Local Server > Tools > Active Directory Administrative Center.

2. System container.

3. Password Settings Container.

4. New > Password Settings > Configure as required > Add > Locate the Security group you want to apply the policy to > OK > OK.

Note: The Precedence dictates which policy will apply if the same user has multiple policies applied to them.

5. You can then create other policies to apply to different groups.

To See What Policies are Applying to a User

6. Locate the user (while still in Active Directory Administrative Center) Right click > View resultant password settings > If a policy is in place it will open.

7. If there is no policy in place you will see, “User does not have resultant fine grained password settings. Please check the user’s domain password settings”.
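The same procedure can be scripted with the ActiveDirectory module, which makes the settings reviewable and repeatable. This is an added example, not part of the original article; the policy name, group name and every setting value are constructed for illustration, and the group is assumed to be an existing global security group.

```powershell
Import-Module ActiveDirectory

$PolicyName = 'PSO-Privileged-Admins'   # hypothetical policy name
$GroupName  = 'Privileged-Admins'       # hypothetical global security group

# Time values use d.hh:mm:ss, e.g. five minutes is 0.00:05:00.
$settings = @{
    Name                            = $PolicyName
    Precedence                      = 10        # lower number wins when several policies apply
    MinPasswordLength               = 16
    PasswordHistoryCount            = 24
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    MinPasswordAge                  = '1.00:00:00'
    MaxPasswordAge                  = '90.00:00:00'
    LockoutThreshold                = 5
    LockoutObservationWindow        = '0.00:05:00'
    LockoutDuration                 = '0.00:30:00'
    ProtectedFromAccidentalDeletion = $true
}

# Step 4: create the policy only if it does not already exist.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy @settings
}

# Step 4 (continued): apply it to the group unless it is already a subject.
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName)
if ($subjects.Name -notcontains $GroupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
}

# Steps 6 and 7: show the resultant policy for each direct user member.
# No result means the user falls back to the domain password policy.
Get-ADGroupMember -Identity $GroupName |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $applied = if ($rp) { $rp.Name } else { 'domain password policy' }
        [pscustomobject]@{ User = $_.SamAccountName; ResultantPolicy = $applied }
    } | Format-Table -AutoSize
```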

 

Related Articles, References, Credits, or External Links

NA