Find Domain Schema Version

KB ID 0000025

Problem

You want to upgrade or find out your current Schema version, or check that an ‘adprep /forestprep’ command has worked correctly.

Solution

Find Domain Schema Version: PowerShell

Use the following syntax;
[box]

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectversion

[/box]

Post Server 2016 Find Domain Schema Version

The value is populated with Server 2016 again.

If you check the value above on a domain that has Windows 2012 domain controllers, you will see the value is ‘not set’.

If the entry is blank, navigate to this registry key instead;

[box]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters[/box]

Locate the ‘Schema Version’ value. Note: The figure in brackets is the decimal value!

Find Domain Schema Version For Windows Servers Before 2012 RTM

1. For Windows Server 2003 you will need to Install the Support Tools on your server. (2008, 2008 R2, and 2012 have the tools built in).

2. Press (Windows Key+R) > adsiedit.msc > {enter}

3. Right Click > CN=Schema,CN=Configuration,DC=domain,DC=com > Properties

Note: If you cannot see this you need to select “Connect To” then pick “Schema”.

4. On the Attribute Editor tab > Locate objectVersion.

 

What Are The Windows Server Schema Versions?

20: Windows 2000

30: Windows 2003 RTM, Windows 2003 SP1, and Windows 2003 SP2

31: Windows 2003 R2

44: Windows Server 2008 RTM

47: Windows Server 2008 R2 (and SBS 2011)

56: Windows Server 2012 RTM

69: Windows Server 2012 R2

87: Windows Server 2016 RTM

88: Windows Server 2019 RTM

88: Windows Server 2022

91: Windows Server 2025
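To check that a schema update has reached every domain controller, the same objectVersion query can be asked of each DC in turn and compared. This is an added example, not part of the original article; it goes a step beyond the single query above, the function name Get-SchemaVersionPerDC is hypothetical, and it assumes the ActiveDirectory module and DCs in the current domain.

```powershell
Import-Module ActiveDirectory

# Version table as listed in this article.
$SchemaNames = @{
    20 = 'Windows 2000'
    30 = 'Windows 2003 RTM / SP1 / SP2'
    31 = 'Windows 2003 R2'
    44 = 'Windows Server 2008 RTM'
    47 = 'Windows Server 2008 R2 (and SBS 2011)'
    56 = 'Windows Server 2012 RTM'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016 RTM'
    88 = 'Windows Server 2019 RTM / Windows Server 2022'
    91 = 'Windows Server 2025'
}

function Get-SchemaVersionPerDC {   # hypothetical helper name
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ver = $null; $err = $null
        try {
            # Ask this specific DC for its own copy of the schema head object.
            $nc  = (Get-ADRootDSE -Server $dc.HostName).schemaNamingContext
            $ver = (Get-ADObject -Identity $nc -Server $dc.HostName -Properties objectVersion).objectVersion
        } catch {
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            ObjectVersion    = $ver
            Schema           = if ($null -ne $ver) { $SchemaNames[[int]$ver] } else { 'not set / unreachable' }
            Error            = $err
        }
    }
}

$results = @(Get-SchemaVersionPerDC)
$results | Format-Table -AutoSize

# More than one distinct value means the schema change has not replicated everywhere yet.
$distinct = @($results.ObjectVersion | Where-Object { $null -ne $_ } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Domain controllers disagree on schema version: $($distinct -join ', ')"
}
```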

Related Articles, References, Credits, or External Links

NA

Windows Server – Sysprep

KB ID 0000729 

Problem

I don’t deploy large amounts of servers at once, so Windows Server sysprep is not as important as it is with the client operating systems I deploy. But I do need to create virtual machine templates, (mostly for testing), but some clients like to have server templates. I prefer to manually sysprep and shutdown a server then either convert or clone it to a template.

Thankfully sysprep is in the same place as it was with Server 2008 R2.

Solution

As before, you can either run sysprep from the command line by navigating to its location and running it with the correct switches, or simply browse to it with Windows Explorer and double click it.

Related Articles, References, Credits, or External Links

Server 2008 R2 Where is Sysprep

Management Framework 5.1 Update Not Applicable

KB ID 0001599

Problem

Seen while attempting to install Microsoft Management Framework 5.1 on Server 2012 R2, (to upgrade PowerShell).


Windows Update Standalone Installer
The update is not applicable to your computer

Solution

Well in the end it turns out I was being a doofus! I was installing W2K12-KB3191565-x64.msu which is for Server 2012 (Not Server 2012 R2!) Look a bit lower, you need Win8.1AndW2K12R2-KB3191564-x64.msu.

The solution was in front of me the whole time!

Related Articles, References, Credits, or External Links

NA

HP Intelligent Provisioning Can’t See USB Media?

KB ID 0001555

Problem

Life was simpler when we had DVD Drives and a wallet full of CD/DVDs! I was building an HP DL360 this morning and needed to install Windows. I created a bootable USB with Unetbootin and selected a Windows Server ISO, it wouldn’t boot. So I thought ‘Fine I’ll play the game’, and I pressed F10 for Intelligent Provisioning.

After selecting USB media – the system could not see my USB Drive? 

After a couple of seconds head scratching the penny dropped, it wants the iso not a bootable drive, (doofus!) So I used a FAT formatted USB and that didn’t work either?

Option 1: Use iLO

Before you all start emailing me, you can install an operating system from virtual media WITHOUT an advanced iLO licence! Annoyingly I was building the server on the bench, so I had to connect my laptop into the iLO with a crossover cable but, here’s me proving it works.

Option 2: Use ExFAT

Format your USB drive using ExFAT, luckily I use macOS and Disk Utility will format a drive using ExFAT for me.

Note: Windows will also format as ExFAT 🙂

Then simply put your install .iso file(s) on the media.

Now you can see your install media.

Option 3: Use the HP Media Creator

I didn’t try this option, but feel free to download it and give it a try, comment below to let me know how you get on.

HP USB Key Utility for Windows v3.0.0

Related Articles, References, Credits, or External Links

NA

PowerShell: Bulk Enable / Disable Users

KB ID 0001469

Problem

I needed to work out how to bulk disable some domain users from a .CSV file this week, so I thought I’d write it up.

Disable Domain Users in Bulk from CSV

Well firstly, you need to have your users in a CSV file. For the live job I just exported all the SamAccountNames to a CSV, but here for testing I just loaded a few in manually;

Then execute the following two commands;

[box]

Import-Module ActiveDirectory 

Import-Csv -Path "C:\Temp\Users-To-Disable.csv" | ForEach-Object {Set-ADUser -Identity $_.'User-Name' -Enabled $false}

[/box]

Let’s have a quick check, and sure enough they are disabled.

Enable Domain Users in Bulk from CSV

To re-enable them, we just need to change one word in the command, (from false to true).

[box]

Import-Module ActiveDirectory 

Import-Csv -Path "C:\Temp\Users-To-Enable.csv" | ForEach-Object {Set-ADUser -Identity $_.'User-Name' -Enabled $true}

[/box]

A quick refresh and our users are enabled again!
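For a live job it helps to dry-run the change first and keep a record of what each account's state was beforehand, so a later re-enable only touches accounts the job actually disabled. The following is an added example, not the original article's code; the function name Set-ADUserStateFromCsv and the log path are hypothetical, and it assumes the same ‘User-Name’ column used above.

```powershell
Import-Module ActiveDirectory

function Set-ADUserStateFromCsv {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$Column = 'User-Name'
    )
    foreach ($row in Import-Csv -Path $Path) {
        $name = "$($row.$Column)".Trim()
        if (-not $name) { continue }    # skip blank rows in the CSV
        $result = [ordered]@{ SamAccountName = $name; WasEnabled = $null; NowEnabled = $null; Status = '' }
        try {
            # Fails (and is logged) if the account does not exist.
            $user = Get-ADUser -Identity $name -ErrorAction Stop
            $result.WasEnabled = $user.Enabled
            if ($user.Enabled -eq $Enabled) {
                $result.Status = 'Unchanged'
            } elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set Enabled=$Enabled")) {
                Set-ADUser -Identity $user -Enabled $Enabled -ErrorAction Stop
                $result.Status = 'Changed'
            } else {
                $result.Status = 'Skipped (WhatIf)'
            }
            # Read the account back so the log shows the state AD now holds.
            $result.NowEnabled = (Get-ADUser -Identity $user).Enabled
        } catch {
            $result.Status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]$result
    }
}

# Dry run: shows what would change without touching any account.
Set-ADUserStateFromCsv -Path 'C:\Temp\Users-To-Disable.csv' -Enabled $false -WhatIf

# Real run, with a per-account log (hypothetical path) kept for rollback.
Set-ADUserStateFromCsv -Path 'C:\Temp\Users-To-Disable.csv' -Enabled $false |
    Export-Csv -Path 'C:\Temp\Users-Disabled-Log.csv' -NoTypeInformation
```

Rows with Status ‘Changed’ and WasEnabled ‘True’ in the log are the only accounts that need re-enabling if the job is reversed.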

Related Articles, References, Credits, or External Links

NA

Scheduled Task Error 0x1

KB ID 0001457

Problem

While replacing a server, I copied over some scripts, (batch files) the client was using to back up some data. I scheduled them on the new server, but noticed they were finishing with a status of 0x1. (and not actually backing anything up!)

Solution

Edit the properties of the job > General Tab > Tick “Run with the highest privileges”.

Note: You can also tick “Do not store password. This task will only have access to local computer resources” if the process is only running on this machine.

Actions > Select the Action and edit it > Change the ‘Start In’ section, so that it points to the folder the script is in > OK > Apply > OK.

Rerun the job and it should complete with a 0x0 status (successful).

Related Articles, References, Credits, or External Links

NA

IIS – Cannot Download File From Website (With Extension .xyz)

KB ID 0001223 

Problem

I first saw this problem a few months ago, when I wanted to download some .bin and .pkg files from a web server running IIS, into a Cisco firewall. Then again this week I needed to get a large .iso file into a client’s network so I put it on a publicly accessible web server running IIS, and had the problem again.

 

Solution

On the IIS server, open administrative tools > Internet Information Services (IIS) Manager > Drill down to the default website > Locate the ‘MIME Types’ and open them.

You will probably find there is not one for the file extension you cannot download (in this case .iso) > Add one in > Set the MIME type to;

application/octet-stream

 

Then re-try your download.

Related Articles, References, Credits, or External Links

NA

VMware Workstation – Deploying Server 2012 and Windows 8 ‘Linked Clones’ from Templates

KB ID 0000953 

Problem

VMware Workstation is a great test tool. If I need to take a look at some new software, or plan how I’m going to do a job, and I don’t have access to the ESX server, or test bench, it’s a great tool to have on my laptop.

If you build machines from scratch, every time you need one it can take a while. To address that you can create a template and deploy machines from that. To make things even more efficient you can make them ‘linked clones’. If you use VDI you will probably be aware of linked clones, they use the hard drive of the machine they were created from, and maintain a ‘delta disk’ that holds the differences, this makes them very efficient at using hard drive space, (which is good if you are running on a laptop!)

Solution

1. I’ve titled this Windows 8 and Server 2012, but this process works for just about any modern version of Windows. Build the machine that will be the template, and install all the latest updates. Locate sysprep.exe, usually in C:\Windows\System32\Sysprep, and run it. Ensure the ‘Generalize’ option is selected, and the shutdown option is set to ‘Shutdown’.

2. Once finished the machine will shutdown, in VMware Workstation right click the VM > Snapshot > Take Snapshot > Give the snapshot a sensible name > Take Snapshot.

3. Once complete > Right Click the VM again > Settings > Options Tab > Advanced > Select ‘Enable Template mode (to be used for cloning)’ > OK.

4. Now every time you want a new VM simply right click the template > Manage > Clone > When the wizard starts > Next.

5. Choose the snapshot name you picked in step 2 > Next > Linked Clone (if you choose full clone it creates a complete new machine and will take a LOT of system resources) > Next > Give it a name > Finish.

6. Power on your new machine and it will run the mini windows setup, and behave like a completely new VM.

Related Articles, References, Credits, or External Links

NA

VMware – Replace the ESXi Certificate

KB ID 0000974 

Problem

ESXi comes with a self signed certificate, and for most people that’s fine, but some clients want to have a ‘Trusted’ certificate on theirs, and have their own PKI infrastructure for issuing them.

Below I will generate a new certificate for my ESXi server using the Active Directory Certificate Services role on Windows Server 2012. Then replace the self signed certificate with my new one.

Solution

Generating a Certificate Request From the ESXi Server

1. Before we start there are a couple of hoops to jump through. On a Windows machine (it does not matter which one), install the following two pieces of software;

Microsoft Visual C++ 2008 Redistributable Package (x86) and Shining Light Productions installer for OpenSSL x86 version 0.98r (or later)

Accept all the defaults and it should install to C:\OpenSSL-Win32. Go there, and in the bin directory make a backup of the openssl.cfg file.

2. Open the original openssl.cfg file and delete everything out of it, then paste in the following text, replace the values in red with your own, and save the file.

[box]

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:PNL-ESX1, IP:10.254.254.12, DNS:PNL-ESX1.petenetlive.net

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Teesside
localityName = Middlesbrough
0.organizationName = PeteNetLive
organizationalUnitName = Technical Services
commonName = PNL-ESX1.petenetlive.net

[/box]

3. Open a command window and execute the following three commands;

[box]

cd C:\OpenSSL-Win32\Bin
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
openssl rsa -in rui-orig.key -out rui.key

[/box]

You will notice rui.csr has been created in the bin directory. This is the file you need to request your certificate, if you open the file with Notepad you can copy the text.

Submit the Certificate Request and Get an ESX Certificate From a Windows CA

4. Open the web console of your certificate services server (it needs to be running the Certification Authority Web Enrollment role). The URL is usually http://{servers IP or Name}/Certsrv. Select ‘Request a certificate’.

5. Advanced certificate request.

6. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

7. Paste in the text from your csr file (with no extra spaces!). Set the Certificate Template to ‘Web Server’ (the default lifetime for the Web Server template is 2 years. If you require longer, I suggest you clone the Web Server Template, change the lifetime and republish it in Active Directory Certificate Services).

8. Base 64 encoded > Download certificate.

9. Save the file as rui.cer and put it in the bin directory.

10. ESX needs the certificate to be in x509 format, so open a command window and execute the following commands;

[box]

cd C:\OpenSSL-Win32\bin
openssl x509 -in rui.cer -out rui.crt

[/box]

11. Enable SSH on your ESX Host.

12. Connect to the ESX host via SSH, and make a backup of the current keys (just in case).

[box]

cd /etc/vmware/ssl
mv rui.crt backup.rui.crt

mv rui.key backup.rui.key

[/box]

13. Using WinSCP copy the rui.crt and the rui.key files from the bin directory, to the /etc/vmware/ssl directory on your ESX host. WARNING: Set the copy type to ‘Text’ or ASCII or you may get some strange results.

14. Then either restart the management agents, or from your SSH session execute the following command;

[box]/sbin/services.sh restart[/box]

15. The simplest way to check is browse to the FQDN of your ESX host (the same name you used as the common name in step 2), and take a look at the certificate.
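Before copying the files in step 13, it is worth confirming on the Windows machine that rui.crt was really issued for rui.key and that the CA kept the names from the request. This is an added example, not part of the original article; the function name Test-EsxCertificate is hypothetical, it assumes openssl.exe in the bin directory used above, and the expected names are the ones from the sample openssl.cfg in step 2.

```powershell
# Run from the OpenSSL bin directory used in the steps above.
Set-Location 'C:\OpenSSL-Win32\bin'

function Test-EsxCertificate {   # hypothetical helper name
    param(
        [string]$Cert = 'rui.crt',
        [string]$Key  = 'rui.key',
        [string[]]$ExpectedNames = @()
    )
    $problems = @()

    # A certificate belongs to a key when both carry the same RSA modulus.
    $certMod = & .\openssl.exe x509 -noout -modulus -in $Cert
    $keyMod  = & .\openssl.exe rsa  -noout -modulus -in $Key
    if (-not $certMod -or -not $keyMod) {
        $problems += 'could not read the certificate or the key'
    } elseif ($certMod -ne $keyMod) {
        $problems += 'certificate was not issued for this private key'
    }

    # A CA can drop request extensions, so confirm the names made it through.
    $text = (& .\openssl.exe x509 -noout -text -in $Cert) -join "`n"
    foreach ($name in $ExpectedNames) {
        if ($text -notmatch [regex]::Escape($name)) {
            $problems += "name not present in certificate: $name"
        }
    }

    # Print subject and validity window for a quick visual check.
    & .\openssl.exe x509 -noout -subject -dates -in $Cert | Write-Host
    $problems
}

# Strings are written the way 'openssl x509 -text' prints subjectAltName entries.
$issues = @(Test-EsxCertificate -ExpectedNames 'DNS:PNL-ESX1.petenetlive.net', 'IP Address:10.254.254.12')
if ($issues.Count) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'rui.crt matches rui.key and carries the expected names.'
}
```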

Related Articles, References, Credits, or External Links

NA