“Hi thanks for your video. I have two win 2012 DC DHCP on a failover/load balance config and want to migrate to new Win 2022 VMs. What’s the exact procedure? If it’s a single VM it’s easy but I’m not sure about if it’s on a failover setup.”
Well, migrating the domain controller element I’ve covered before.
But what if you have your DHCP servers deployed in HA, be that Load Balanced or Hot Standby (failover)?
How do you migrate DHCP to a new platform then?
Solution: Migrate DHCP HA
There was very little information I could find on this subject. You can drop down to one DHCP server, perform a simple migration to Server 2022 and then set up HA again, of course, but I think the following solution is much more elegant, and there’s NO DOWNTIME to worry about.
Windows Migrate DHCP HA – Step 1 Remove HA
In my example I have some 2012 R2 servers running DHCP (it does not matter if they are in Load Balancing mode or Hot Standby; the approach is the same, just the commands will vary).
I’ve got two new Windows Server 2022 servers updated and added to the domain ready to take on the DHCP HA roles.
The first thing I’m going to do is remove the failover partnership. You can do this on either of the legacy DHCP servers, but the one you run the command on will be the DHCP server that remains operational after you remove the partnership (in this case 2012-dhcp-1.dingdong.com).
Use the following syntax: the first command gets the failover group’s name, then you delete that failover group.
Windows Migrate DHCP Failover – Step 3 Create HA to Server 2022
We will now create a failover partnership to the first of our two new Windows Servers.
Firstly, we need to install the DHCP role on BOTH of our new Windows servers, register them in AD, and change a registry key to stop Server Manager bugging you about running the DHCP setup wizard.
Windows Migrate DHCP Failover – Step 4 Break Replication
If you are replicating many scopes then wait a while for the servers to be ‘in sync’. The next step seems counter-intuitive, as you are going to delete the very thing you have just created, but this procedure is carried out on the NEW DHCP SERVER, NOT THE LEGACY ONE (so the DHCP scope is removed from the last remaining legacy DHCP server).
On the first new DHCP server execute the following commands (the same commands you used above in step 1).
Windows Migrate DHCP Failover – Step 6 Deploy new DHCP HA Configuration
Lastly, we set up a new failover relationship, configured the same as the one we set up in step 3, but this time with the last remaining new DHCP server.
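The whole procedure above as one PowerShell run-through, added here as an example (these are not the article’s own commands). Only 2012-dhcp-1.dingdong.com comes from the article; the two Server 2022 host names, the partnership names and the shared secret are assumptions, and it needs the DhcpServer module (RSAT) on the machine you run it from.

```powershell
# Added example, not the article's own commands. Run from a management host with the
# DhcpServer module (RSAT). Only 2012-dhcp-1.dingdong.com is from the article; the two
# Server 2022 names, the partnership names and the shared secret are assumptions.
$Legacy = '2012-dhcp-1.dingdong.com'          # legacy server that keeps serving (step 1)
$New1   = '2022-dhcp-1.dingdong.com'          # assumed
$New2   = '2022-dhcp-2.dingdong.com'          # assumed
$Mode   = 'LoadBalance'                       # or 'HotStandby', matching the legacy setup
$Secret = Read-Host 'Failover shared secret'  # never hard-code it in the script

function Remove-AllFailover([string]$Server) {
    # Steps 1 and 4: whichever server you run this against KEEPS the scopes;
    # the partner's copy of each scope is removed when the relationship goes.
    foreach ($f in Get-DhcpServerv4Failover -ComputerName $Server) {
        Write-Host "Removing failover '$($f.Name)' ($($f.Mode)) on $Server"
        Remove-DhcpServerv4Failover -ComputerName $Server -Name $f.Name -Force
    }
}

function Initialize-DhcpRole([string]$Server) {
    # Step 2: role install, AD authorisation, and silence the Server Manager wizard nag
    Invoke-Command -ComputerName $Server -ScriptBlock {
        Install-WindowsFeature DHCP -IncludeManagementTools | Out-Null
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
            -Name ConfigurationState -Value 2
    }
    $ip = (Resolve-DnsName -Name $Server -Type A | Select-Object -First 1).IPAddress
    Add-DhcpServerInDC -DnsName $Server -IPAddress $ip
}

function Add-FailoverToPartner([string]$Server, [string]$Partner, [string]$Name) {
    # Steps 3 and 6: replicate every scope on $Server into a new partnership with $Partner
    $scopes = (Get-DhcpServerv4Scope -ComputerName $Server).ScopeId
    $common = @{ ComputerName = $Server; PartnerServer = $Partner; Name = $Name
                 ScopeId = $scopes; SharedSecret = $Secret; Force = $true }
    if ($Mode -eq 'LoadBalance') {
        Add-DhcpServerv4Failover @common -LoadBalancePercent 50
    } else {
        Add-DhcpServerv4Failover @common -ServerRole Active -ReservePercent 5
    }
}

Remove-AllFailover -Server $Legacy                                          # step 1
foreach ($s in $New1, $New2) { Initialize-DhcpRole -Server $s }             # step 2
Add-FailoverToPartner -Server $Legacy -Partner $New1 -Name 'Legacy-to-2022' # step 3
Read-Host 'Wait until the scopes show as in sync on both servers, then press Enter'
Remove-AllFailover -Server $New1                                            # step 4
Add-FailoverToPartner -Server $New1 -Partner $New2 -Name 'DHCP-HA-2022'     # step 6
Get-DhcpServerv4Failover -ComputerName $New1 | Format-List Name, Mode, PartnerServer, State
```

Step 4 is run against the first NEW server on purpose: that is the side that keeps the scopes, so the legacy copy is what disappears.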
When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.
In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication
Solution
The correct fix is to set the web server (IIS) to serve the certificate website securely using HTTPS, though you can just set Internet Explorer to ‘work’ from your client machine if you are in a hurry.
Make Internet Explorer Accept Your Certification Authority
Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.
1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.
2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.
3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.
4. Restart the browser and try again.
Set IIS to serve Certificate Services Securely (via https).
This assumes you have your CA and the web portal installed correctly.
1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self-signed server certificate [NOT the CA ONE] > OK.
Note: If https is missing simply add it!
2. Expand Default Web Site > Certsrv > SSL Settings.
3. Tick ‘Require SSL’ > Apply.
4. That should be all you need; if it does not take effect straight away, drop to the command line and run iisreset /noforce.
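The same four IIS steps scripted with the WebAdministration module, added as an example (not the article’s own commands). It assumes /certsrv sits under ‘Default Web Site’ and that a server certificate for this host, as opposed to the CA’s own certificate, is already in the machine store; the Basic Constraints check is how it tells the two apart.

```powershell
# Added example, not the article's own commands. Run on the CA web enrolment server with the
# WebAdministration module. Assumes /certsrv lives under 'Default Web Site' and that a
# server certificate for this host (not the CA's own certificate) is in LocalMachine\My.
Import-Module WebAdministration
$site = 'Default Web Site'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-IsCaCertificate($c) {
    # Basic Constraints (OID 2.5.29.19) with CA=true marks the CA's own certificate
    $bc = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    return [bool]($bc -and $bc.CertificateAuthority)
}

# Step 1: pick the server certificate for this host, skipping the CA certificate
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$fqdn*" -and -not (Test-IsCaCertificate $_) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate for $fqdn in LocalMachine\My" }

# Add the https binding if it is missing, then attach the certificate to it
if (-not (Get-WebBinding -Name $site -Protocol https)) { New-WebBinding -Name $site -Protocol https -Port 443 }
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
$cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Steps 2-3: require SSL on /certsrv only (sslFlags on the access element)
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/certsrv" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Step 4: apply without dropping in-flight requests, then read the setting back
iisreset /noforce
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/certsrv" `
    -Filter 'system.webServer/security/access' -Name sslFlags
```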
Related Articles, References, Credits, or External Links
If you are here, you have probably already found out that Dropbox is not supported on Windows Server platforms. You can install it and set it up happily but it stops working and needs to be relaunched all the time (manually).
I love Dropbox! So much that I actually pay for it! I run it on my management server and it’s handy for copying files up into my test network, so I can appreciate how annoying it is having to restart it all the time. So to fix the problem we have to use a piece of software that’s over 15 years old!
Running Dropbox as a Service on Windows Server
First, you have to stop Dropbox running.
Then download srvany and extract the executable to the Dropbox install directory (C:\Program Files (x86)\Dropbox). Note: This file is from the old Server 2003 resource kit.
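Wrapping Dropbox in srvany as a service, added as an example (not the article’s own commands). It assumes srvany.exe is already in the Dropbox folder, that Dropbox.exe is in the Client sub-folder (check your install), and it makes up the service name and the account name; the account has to be the one Dropbox was linked under, because the client keeps its configuration in that user’s profile.

```powershell
# Added example, not the article's own commands. Assumptions: srvany.exe is already in the
# Dropbox folder, Dropbox.exe is in its Client sub-folder, the service name and the account
# name are made up. The account must be the one Dropbox was set up under (its config lives
# in that profile) and needs the 'Log on as a service' right.
$dir     = 'C:\Program Files (x86)\Dropbox'
$svc     = 'DropboxSvc'                            # assumed service name
$account = '.\dropboxuser'                         # assumed: local account Dropbox was linked as
$srvany  = Join-Path $dir 'srvany.exe'
$dropbox = Join-Path $dir 'Client\Dropbox.exe'     # assumed: adjust to your version's path
foreach ($p in $srvany, $dropbox) { if (-not (Test-Path $p)) { throw "Not found: $p" } }

# The article's first step: Dropbox must not be running when the service takes over
Get-Process Dropbox -ErrorAction SilentlyContinue | Stop-Process -Force

# srvany IS the service; it launches whatever its Parameters\Application value points at.
# A named account rather than the default LocalSystem keeps the sync client from running
# with SYSTEM rights, and the escaped quotes keep the stored ImagePath quoted (no
# unquoted-path-with-spaces service).
$cred = Get-Credential -UserName $account -Message 'Account Dropbox was linked under'
New-Service -Name $svc -DisplayName 'Dropbox (srvany)' -StartupType Automatic `
    -BinaryPathName "`"$srvany`"" -Credential $cred | Out-Null

$params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
New-Item -Path $params -Force | Out-Null
New-ItemProperty -Path $params -Name Application  -PropertyType String -Value "`"$dropbox`"" -Force | Out-Null
New-ItemProperty -Path $params -Name AppDirectory -PropertyType String -Value $dir -Force | Out-Null

Start-Service $svc
Get-Service $svc | Format-List Name, Status, StartType
```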
Back in the day we just used the ‘at’ command to schedule a reboot, but starting with Server 2012 that was stopped! If you try it now you will see the following:
The AT command has been deprecated. Please use schtasks.exe instead
Solution (The Quick Way)
Execute the following command (change time and date accordingly):
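A small wrapper around schtasks.exe that does the same job as the old ‘at’ one-liner, added here as an example (not the article’s own command). It schedules a one-off reboot as SYSTEM, formats the date the way the local schtasks expects, and reads the task back; the task name is an assumption.

```powershell
# Added example, not the article's own command. schtasks.exe replaces 'at'; this wrapper
# schedules a single reboot as SYSTEM and then reads the task back for confirmation.
# The task name is an assumption.
function New-OneOffReboot {
    param(
        [Parameter(Mandatory)][datetime]$When,
        [string]$TaskName  = 'Scheduled Reboot',
        [int]$GraceSeconds = 60             # warning period users get before the restart
    )
    if ($When -le (Get-Date).AddMinutes(1)) { throw "Reboot time $When is not in the future" }
    $action = "shutdown.exe /r /t $GraceSeconds"
    # /sd must use the short date pattern of the machine's locale, so derive it rather than guess
    $datePattern = (Get-Culture).DateTimeFormat.ShortDatePattern
    schtasks.exe /create /f /tn $TaskName /tr $action /sc once `
        /sd $When.ToString($datePattern) /st $When.ToString('HH:mm') /ru SYSTEM
    if ($LASTEXITCODE -ne 0) { throw "schtasks.exe returned exit code $LASTEXITCODE" }
    # Confirm what was registered before walking away
    schtasks.exe /query /tn $TaskName /fo LIST /v |
        Select-String 'Next Run Time|Task To Run|Run As User'
}

New-OneOffReboot -When (Get-Date).Date.AddDays(1).AddHours(22).AddMinutes(30)   # tomorrow 22:30
```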
We had the ‘run as’ service way back in Windows 2000, so the concept of running a command window ‘as administrator’ should not be difficult to understand. But the number of times I tell people ‘You need to run that as administrator’ and they reply ‘I AM an administrator’ is far too high. With PowerShell there’s no way of knowing, and with the command prompt the differences are subtle.
Solution
There’s a myriad of different ways to launch an administrator command window; here are a few. If I’ve missed any, let me know.
Launch PowerShell in Administrative Mode
PowerShell Administrative Mode (from within PowerShell)
If you’re already in PowerShell you can open an administrative PowerShell window with the following command:
[box]
Start-Process PowerShell -Verb RunAs
[/box]
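Since the prompt looks identical either way, here is a way to actually answer “am I elevated?” from inside PowerShell, added as an example (not from the article). Under UAC an administrator’s non-elevated token carries the Administrators group as deny-only, which is exactly why “I AM an administrator” and “you are not running as administrator” are both true; the check below sees through that and relaunches the script elevated with the same Start-Process trick when needed.

```powershell
# Added example, not from the article. Answers "am I actually elevated?" for the current
# session: under UAC an admin's non-elevated token carries the Administrators group as
# deny-only, so IsInRole() returns False even though the user IS an administrator.
function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Assert-Elevated {
    # Relaunch the calling script elevated (the Start-Process -Verb RunAs trick) if needed
    if (Test-Elevated) { return }
    if (-not $PSCommandPath) { throw 'Not elevated. Use: Start-Process PowerShell -Verb RunAs' }
    $exe = (Get-Process -Id $PID).Path          # powershell.exe or pwsh.exe, whichever is running
    Start-Process -FilePath $exe -Verb RunAs `
        -ArgumentList '-NoProfile', '-File', "`"$PSCommandPath`""
    exit                                        # the non-elevated copy has nothing more to do
}

Assert-Elevated
# Make the state obvious in the window title, since the prompt itself gives nothing away
$Host.UI.RawUI.WindowTitle = '[Administrator] ' + $Host.UI.RawUI.WindowTitle
whoami /groups | Select-String 'Mandatory Label'   # 'High Mandatory Level' when elevated
```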
PowerShell Administrative Mode (from Start Menu)
Option 1: From Start/Search > PowerShell > Right Click Windows PowerShell > Run as administrator.
Option 2: Start > Right Click Windows PowerShell > Run as administrator.
Option 3: Start > Windows PowerShell > Windows PowerShell > Run as Administrator.
Option 4: Right Click Start Menu (or Press Windows+X) > Windows PowerShell (Admin).
Launch Task Manager > File > Run new task > PowerShell > Tick ‘Create this task with administrative privileges’.
PowerShell Administrative Mode (from Windows Explorer)
From Windows Explorer > File > Open Windows PowerShell as administrator.
Launch Command Prompt in Administrative Mode
Administrator Command Prompt From Start Menu. (Windows 10 and Server 2016/2019)
From the Start/Search option > Type cmd > Then right click Command Prompt and select ‘Run as administrator’.
Command Prompt (Admin) – Windows 10 (& Server 2016/2019)
Right click the Start Button > Command Prompt (Admin)
Command Prompt (Admin) – Windows 8 (& Server 2012) Quick Links Menu
Press Windows Key+X > Select Command Prompt (Admin)
Administrator Command Prompt From Start Menu. (Windows 8 and Server 2012)
If you have the new Windows 8/2012 Start Menu (that we can’t call Metro any more) then type ‘command’ in the search window, then either right click and select ‘Run as administrator’, or press Ctrl+Shift+Enter to launch.
If you have the traditional start menu enabled or are running Windows 7/Vista, you can type command in the search/run box, then
Create An Always Run As Administrator Command Prompt Shortcut
1. Right click an empty area of your desktop > New > Shortcut.
2. Set the location to ‘cmd’ > Next > Call it Admin Command > Finish.
3. Right click your new shortcut > Properties.
4. Shortcut > Advanced > Run as administrator > Apply > OK.
Launch Admin Command Prompt from Task Manager.
Launch Task Manager (Ctrl+Shift+Esc) > File > Run new task > cmd > Tick ‘Create this task with administrative privileges’.
Launch Command Prompt ‘As Administrator’ From Command/Run.
I’m not a fan of this; in fact I only include it here for completeness. You can call a command window and run it as administrator from the command line (or the Run box, Windows Key+R). The reason I don’t like this is that you need to enter the machine’s local administrator password for it to work.
[box]
runas /user:%computername%\administrator cmd
[/box]
If there’s any I’ve missed feel free to drop me an email, and I will update the article.
I’ve got nothing against the Windows firewall, it’s certainly a lot easier to manage now than it was back in the XP SP2 days. But I find a lot of clients still just ‘want it gone’ and, providing they have a decent corporate firewall in front of them that’s fair enough.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
4. Right click your new policy > Edit.
5. Navigate to;
[box]
Computer Configuration > Policies > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections
[/box]
6. Set the policy to disabled.
7. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines).
SBS Note
An (SBS) Small Business Server domain enables the client firewall by default! The policy is called Windows Firewall Policy, which is usually linked to the computer OU under ‘My Business’.
Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2. To be able to apply them to older Windows clients, you need to install the “Client Side Extensions” (CSE); you can either script this, deploy it with a group policy, or if you have WSUS you can send out the update that way. From Windows 7 onwards they are already installed.
Solution : Group Policy Preferences
You may not have noticed, but if you edit or create a group policy now, you will see there is a “Preferences” branch. Most IT Pros will have seen the addition of the “Policies” folder some time ago, because it adds an extra level to get to the policies that were there before 🙂
OK Cool! What can you do with them?
1. Computer Preferences: Windows Settings
Environment: Lets you control, and send out Environment variables via Group Policy.
Files: Allows you to copy, modify the attributes, replace or delete a file (for folders see the next section).
Folder: As above, but for folders.
Ini Files: Allows you to Create, Replace, Update or Delete an ini file.
Registry: Allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a Wizard, or extract the key(s)/values you want and send them out via group policy.
Network Shares: Allows you to Create, Replace, Update, or Delete shares on clients via group policy.
Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy.
2. Computer Preferences: Control Panel Settings
Data Sources: Allows you to Create, Replace, Update, or Delete Data Sources and ODBC settings via group policy. (Note: there’s a bug if you’re using SQL authentication, see here).
Devices: Lets you enable and disable hardware devices by type and class, to be honest it’s a little “clunky”.
Folder Options: Allows you to set “File Associations” and set the default programs that will open particular file extensions.
Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users OR local groups. Handy if you want to create an additional admin account, or reset all the local administrator passwords via group policy.
Network Options: Lets you send out VPN and dial-up connection settings to your clients, handy if you use PPTP Windows Server VPNs.
Power Options: With XP these are Power Options and Power Schemes; with Vista and later OSs they are Power Plans. This is much needed, I’ve seen many “Is there a group policy for power options?” or disabling hibernation questions in forums. And you can use the Options tab to target particular machine types (i.e. only apply if there is a battery present).
Printers: Lets you install printers (local or TCP/IP), handy if you want all the machines in accounts to have the accounts printer. for further info see,
Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or Later), this could be handy to deploy a patch or some virus/malware removal process.
Service: Essentially anything you can do in the services snap-in you can push out through group policy: set services to disabled or change the logon credentials used for a service. In addition you can set the recovery option should a service fail.
3. User Configuration: Windows Settings
Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assign mapped drives on a user/group basis.
Environment: As above lets you control and send out Environment variables via Group Policy, but on a user basis.
Files: As above, allows you to copy, modify the attributes, replace or delete a file (for folders see the next section), but on a user basis.
Folders: As above, but for folders on a user by user basis.
Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user by user basis.
Registry: As above, allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a Wizard, or extract the key(s)/values you want to send out via group policy, this time for users not computers.
Shortcuts: As Above, allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy for users.
4. User Configuration: Control Panel Settings
All of the following options are covered above under “Computer Configuration”: Data Sources, Devices, Folder Options, Local Users and Groups, Network Options, Power Options, Printers, Scheduled Tasks.
Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user by user basis.
Regional Options: Designed so you can change a user’s locale, handy if you have one user who wants an American keyboard.
Start Menu: Provides the same functionality as right clicking your task bar > properties > Start Menu > Customise, only set user by user.
For everyone who does not simply disable the Windows firewall, you need to be able to manage what ports are open on your machines. The simplest way to do this is via group policy. This week I had to open TCP port 9503 on the local firewall of my McAfee Move Offload Servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU with my Move Offload servers in it.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
7. As this is a new policy the list will be empty (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053 over TCP, the asterisk means ‘from anywhere’, I’ve enabled the rule, and called it McAfee Move.
<Scope>: Where the traffic is coming from, e.g. 192.168.1.1, or 192.168.1.0/24, or simply ‘localsubnet’ or ‘*’ for everywhere. You can enter multiple values separated with a comma.
<Name>: A simple text entry to define what the exception is.
8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)
10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.
11. If you open the rule you can see it’s been applied by group policy, and check the correct port has been defined.
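Both firewall GPOs described on this page (the ‘Protect all network connections’ disable policy above, and this port exception) written with the GroupPolicy module, added as an example rather than the article’s own commands. It needs the GroupPolicy and ActiveDirectory RSAT modules; the GPO names and the link target are assumptions, while the port, protocol, scope and rule name are the ones from step 7.

```powershell
# Added example, not the article's own commands. Writes the two firewall policies on this
# page as the registry values those policies set. Needs GroupPolicy + ActiveDirectory (RSAT).
# GPO names and the link target are assumptions; port/scope/name are from step 7.
Import-Module GroupPolicy, ActiveDirectory
$target = (Get-ADDomain).DistinguishedName     # whole domain here; use the Move servers' OU DN in production
$fwKey  = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-OrCreateGpo([string]$Name, [string]$LinkTarget) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name
        New-GPLink -Name $Name -Target $LinkTarget | Out-Null
    }
    return $gpo
}

function Set-FirewallOffPolicy([string]$GpoName, [string]$LinkTarget) {
    # "Windows Firewall: Protect all network connections" = Disabled, domain profile
    $gpo = Get-OrCreateGpo -Name $GpoName -LinkTarget $LinkTarget
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $fwKey -ValueName EnableFirewall -Type DWord -Value 0 | Out-Null
    return $gpo
}

function Add-PortExceptionPolicy([string]$GpoName, [string]$LinkTarget, [int]$Port,
                                 [string]$Protocol, [string]$Scope, [string]$RuleName) {
    # "Define inbound port exceptions": one entry per value, formatted
    # <port>:<protocol>:<scope>:<enabled|disabled>:<name>, stored with name == value
    $entry = '{0}:{1}:{2}:Enabled:{3}' -f $Port, $Protocol.ToUpper(), $Scope, $RuleName
    $gpo   = Get-OrCreateGpo -Name $GpoName -LinkTarget $LinkTarget
    Set-GPRegistryValue -Name $gpo.DisplayName -Key "$fwKey\GloballyOpenPorts\List" `
        -ValueName $entry -Type String -Value $entry | Out-Null
    return $gpo
}

# Step 7 of the port article (the disable article would be Set-FirewallOffPolicy instead)
$gpo = Add-PortExceptionPolicy -GpoName 'Open TCP 9053 McAfee Move' -LinkTarget $target `
                               -Port 9053 -Protocol TCP -Scope '*' -RuleName 'McAfee Move'

# Steps 8/9: push the refresh to the machines under the link target instead of waiting
Get-ADComputer -Filter * -SearchBase $target | ForEach-Object {
    Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 -ErrorAction Continue
}

# Steps 10/11 equivalent on the GPO side: read back exactly what will be delivered
Get-GPRegistryValue -Name $gpo.DisplayName -Key "$fwKey\GloballyOpenPorts\List"
```

On the client, WF.msc under Inbound Rules is still the place to confirm the rule arrived, as in step 10.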
As I’ve said, UAC is a good thing, it’s there for a reason, but in this case I was logged onto a client’s domain servers, with an administrative account, doing administration! Every time I tried to open regedit, Active Directory Users and Computers, or even a command line window, I was getting prompted.
Solution
Even if you have disabled UAC, there are some times when it does not properly ‘go away’. To make it stop you need to edit the following registry key:
[box]HKLM > SOFTWARE > Microsoft > Windows > CurrentVersion >Policies > System[/box]
Locate the ‘EnableLUA’ value and change it to 0 (zero). Be aware that this turns UAC off completely for that server, not just the prompting, so it belongs only on servers where you have decided to run without it.
Reboot the server; problem solved.
Related Articles, References, Credits, or External Links
Thanks to Paul Sanderson for pointing this out to me.