Find Domain Schema Version

Find Domain Schema Version KB ID 0000025 

Problem

You want to upgrade or find out your current schema version, or check that an "adprep /forestprep" command has worked correctly.

Solution

Find Domain Schema Version: PowerShell

Use the following syntax
[box]

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectversion

[/box]

Post Server 2016 Find Domain Schema Version

From Windows Server 2016 onwards the objectVersion value is populated again.

If you check the value above on a domain that has Windows 2012 domain controllers, you will see the value is 'not set'.

If the entry is blank, look in the following registry key on a domain controller instead:

[box]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters[/box]

Locate the 'Schema Version' value. Note: the figure in brackets is the decimal value!

Find Domain Schema Version For Windows Servers Before 2012 RTM

1. For Windows Server 2003 you will need to Install the Support Tools on your server. (2008, 2008 R2, and 2012 have the tools built in).

2. Press (Windows Key+R) > adsiedit.msc > {enter}

3. Right Click > CN=Schema,CN=Configuration,DC=domain,DC=com > Properties

Note: If you cannot see this you need to select "Connect To" then pick "Schema".

4. On the Attribute Editor tab > Locate objectVersion.


What Are The Windows Server Schema Versions?

20: Windows 2000

30: Windows 2003 RTM, Windows 2003 SP1, and Windows 2003 SP2

31: Windows 2003 R2

44: Windows Server 2008 RTM

47: Windows Server 2008 R2 (and SBS 2011)

56: Windows Server 2012 RTM

69: Windows Server 2012 R2

87: Windows Server 2016 RTM

88: Windows Server 2019 RTM

88: Windows Server 2022

91: Windows Server 2025
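As an added example (not from the original article), the following PowerShell combines the two lookups above: it reads objectVersion from the schema naming context, falls back to the NTDS registry value when run on a domain controller, maps the number using the table above, and checks that adprep /forestprep has raised the schema to the level you expect. The function names and the hashtable are mine; the LDAP method needs the ActiveDirectory module (RSAT).

```powershell
# Added example, not the article's own code. Requires the ActiveDirectory
# module for the LDAP method; the registry method only works on a DC.

$SchemaVersions = @{
    20 = 'Windows 2000'
    30 = 'Windows Server 2003 RTM / SP1 / SP2'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008 RTM'
    47 = 'Windows Server 2008 R2 (and SBS 2011)'
    56 = 'Windows Server 2012 RTM'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016 RTM'
    88 = 'Windows Server 2019 RTM / Windows Server 2022'
    91 = 'Windows Server 2025'
}

function Get-SchemaVersion {
    $version = $null

    # Method 1: objectVersion on the schema naming context (works from any
    # domain-joined machine that has RSAT installed).
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $schema  = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
        $version = $schema.objectVersion
    } catch {
        Write-Verbose "LDAP lookup failed: $($_.Exception.Message)"
    }

    # Method 2: the NTDS registry value, present only on a domain controller.
    if (-not $version) {
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $item    = Get-ItemProperty -Path $regPath -Name 'Schema Version' -ErrorAction SilentlyContinue
        if ($item) { $version = $item.'Schema Version' }
    }

    if (-not $version) { throw 'Schema version could not be read by either method.' }

    [int]$version = $version
    if ($SchemaVersions.ContainsKey($version)) {
        $release = $SchemaVersions[$version]
    } else {
        $release = 'Unknown (newer than the table above)'
    }

    [pscustomobject]@{ SchemaVersion = $version; Release = $release }
}

function Test-SchemaVersion {
    # Confirm adprep raised the schema to at least the expected level,
    # e.g. 88 before introducing Server 2022 domain controllers.
    param([Parameter(Mandatory)][int]$Expected)
    $current = (Get-SchemaVersion).SchemaVersion
    if ($current -ge $Expected) {
        Write-Host "OK: schema version is $current (expected at least $Expected)."
        return $true
    }
    Write-Warning "Schema version is $current; adprep /forestprep has not raised it to $Expected."
    return $false
}

Get-SchemaVersion
Test-SchemaVersion -Expected 88
```

Because Test-SchemaVersion uses "at least", it still passes after a later schema extension (for example an Exchange schema update that leaves objectVersion untouched but a later Windows adprep that raises it further).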

Related Articles, References, Credits, or External Links

NA

Windows: Migrate DHCP HA

Migrate DHCP HA KB ID 0001826

Problem

I got an email last week.

“Hi thanks for your video. I have two win 2012 DC DHCP on a failover/load balance config and want to migrate to new Win 2022 VMs. What’s the exact procedure? If it’s a single VM it’s easy but I’m not sure about if it’s on a failover setup.”

Well migrating the domain controller element I’ve covered before.

Migrate From Server 2012 to Server 2022 Domain Controllers

And Migrating stand-alone DHCP servers is easy.

Migrate DHCP Scope(s) to Windows Server 2022

But what if you have your DHCP servers deployed in HA – be that Load Balanced, or Hot Standby (failover)? 

How do you migrate DHCP to a new platform then?

Solution: Migrate DHCP HA

There was very little information I could find on this subject. You can, of course, drop down to one DHCP server, perform a simple migration to Server 2022 and then set up HA again, but I think the following solution is much more elegant, and there is NO DOWNTIME to worry about.

Windows Migrate DHCP HA – Step 1 Remove HA

In my example I have some 2012 R2 servers running DHCP (it does not matter if they are in Load Balancing mode or Hot Standby; the approach is the same, just the commands will vary).

I’ve got two new Windows Server 2022 servers updated and added to the domain ready to take on the DHCP HA roles.

The first thing I’m going to do is remove the failover partnership. You can do this on either of the legacy DHCP servers but the one you run the command on will be the DHCP server that remains operational after you remove the partnership (in this case 2012-dhcp-1.dingdong.com).


Use the following syntax: the first command gets the failover group's name, then you delete that failover group.

[box]

Get-DHCPServerv4Failover
Remove-DHCPServerv4Failover "Failover-Group-Name"

[/box]

Windows Migrate DHCP HA – Step 2 Uninstall DHCP

Go to the server you have just removed the partnership from, it will not be performing DHCP but still has the role installed.

To remove DHCP from the redundant legacy server, use the following PowerShell commands. WARNING: the last command will reboot the server.

[box]

Uninstall-WindowsFeature DHCP
Uninstall-WindowsFeature RSAT-DHCP
Restart-Computer

[/box]

Windows Migrate DHCP Failover – Step 3 Create HA to Server 2022

We will now create a failover partnership to the first of our two new Windows Servers.

Firstly we need to install the DHCP role on BOTH of our new Windows Servers, register them in AD, and change a registry key to stop server manager bugging you about running the DHCP setup wizard.

[box]

Install-WindowsFeature DHCP -IncludeManagementTools
netsh dhcp add securitygroups
Add-DhcpServerInDC -DnsName 2022-DHCP-1.dingdong.com -IPAddress 192.168.110.18
Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2

[/box]

NOW CARRY OUT THE NEXT STEP ON THE REMAINING LEGACY DHCP SERVER

To create a Load Balanced Failover partnership (with a 50/50 load balance) use the following syntax (change the server names, scope and shared secret to suit your environment).

[box]

Add-DhcpServerv4Failover -ComputerName "2012-DHCP-1.dingdong.com" -PartnerServer "2022-DHCP-1.dingdong.com" -Name "DHCP-LOAD-BALANCE" -LoadBalancePercent 50 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 -ScopeId 192.168.110.0 -SharedSecret "Password123"

[/box]

To create a Hot Standby (failover) partnership, use the following command instead.

[box]

Add-DhcpServerv4Failover -ComputerName "2012-DHCP-1.dingdong.com" -PartnerServer "2022-DHCP-1.dingdong.com" -Name "DHCP-HOT-STANDBY" -ServerRole Active -ReservePercent 10 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 -ScopeId 192.168.110.0 -SharedSecret "Password123"

[/box]

Windows Migrate DHCP Failover – Step 4 Break Replication

If you are replicating many scopes, wait a while for the servers to be 'in sync'. The next step seems counter-intuitive, as you are going to delete the very thing you have just created, but this time the procedure is carried out on the NEW DHCP SERVER, NOT THE LEGACY ONE (so the DHCP scope is removed from the last remaining legacy DHCP server).

On the first new DHCP server execute the following commands. (same commands you used above in step 1).

[box]

Get-DHCPServerv4Failover
Remove-DHCPServerv4Failover "Failover-Group-Name"

[/box]
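Before running the Remove command above, it is worth confirming that the partnership is healthy and that both partners really hold the same leases. The following check is an added example, not part of the original article; the server name is the article's example and the function name is mine. It uses the DhcpServer module's Get-DhcpServerv4Failover and Get-DhcpServerv4ScopeStatistics cmdlets and can be run from either partner.

```powershell
# Added example, not the article's own code: confirm a DHCP failover
# relationship is in a Normal state and that both partners report the same
# number of leases in use for every scope it covers.
function Test-DhcpFailoverInSync {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # either partner
        [string]$FailoverName                          # optional: limit to one relationship
    )

    $relationships = Get-DhcpServerv4Failover -ComputerName $ComputerName
    if ($FailoverName) { $relationships = $relationships | Where-Object Name -eq $FailoverName }
    if (-not $relationships) { throw "No failover relationship found on $ComputerName." }

    $allGood = $true
    foreach ($rel in $relationships) {
        Write-Host "Relationship '$($rel.Name)': mode $($rel.Mode), state $($rel.State), partner $($rel.PartnerServer)"
        if ($rel.State -ne 'Normal') {
            Write-Warning "  State is $($rel.State); wait or investigate before removing the partnership."
            $allGood = $false
        }

        foreach ($scopeId in $rel.ScopeId) {
            # Both partners keep a full copy of the lease database, so the
            # in-use counts should match once replication has caught up.
            $local   = Get-DhcpServerv4ScopeStatistics -ComputerName $ComputerName -ScopeId $scopeId
            $partner = Get-DhcpServerv4ScopeStatistics -ComputerName $rel.PartnerServer -ScopeId $scopeId
            $delta   = [math]::Abs($local.InUse - $partner.InUse)
            Write-Host ("  Scope {0}: {1} in use on {2}, {3} in use on {4}" -f `
                $scopeId, $local.InUse, $ComputerName, $partner.InUse, $rel.PartnerServer)
            if ($delta -gt 0) {
                Write-Warning "  Scope $scopeId differs by $delta lease(s); replication may still be catching up."
                $allGood = $false
            }
        }
    }
    return $allGood
}

if (Test-DhcpFailoverInSync -ComputerName '2022-DHCP-1.dingdong.com') {
    Write-Host 'Partners are in sync; safe to proceed with Remove-DhcpServerv4Failover.'
}
```

A small, transient difference in the in-use counts is normal on a busy network while leases are being handed out; a difference that does not shrink on a second run, or a state other than Normal, is the signal to stop and look at the DHCP event log before breaking the partnership.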

Windows Migrate DHCP HA – Step 5

Now, just as you did in step 2, remove the DHCP role from the last remaining legacy DHCP server.

Again, use the following commands. WARNING: the last command will reboot the server.

[box]

Uninstall-WindowsFeature DHCP
Uninstall-WindowsFeature RSAT-DHCP
Restart-Computer

[/box]

Windows Migrate DHCP Failover – Step 6 Deploy new DHCP HA Configuration

Lastly, we set up a new failover relationship, configured the same as the one we created in step 3, but this time with the last remaining new DHCP server.

Like so:

[box]

Add-DhcpServerv4Failover -ComputerName "2022-DHCP-1.dingdong.com" -PartnerServer "2022-DHCP-2.dingdong.com" -Name "DHCP-LOAD-BALANCE" -LoadBalancePercent 50 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 -ScopeId 192.168.110.0 -SharedSecret "Password123"

[/box]

You can now migrate any remaining roles or applications from the old servers, remove them from the domain and decommission them.


Related Articles, References, Credits, or External Links

Configure DHCP for Failover

The Web Site for the CA Must be Configured to use HTTPS

KB ID 0000838 

Problem

When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.

In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication

Solution

The correct fix is to set the web server (IIS) to serve the certificate website securely using https, though you can just set Internet Explorer to 'work' from your client machine if you are in a hurry.

Make Internet Explorer Accept Your Certification Authority

Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.

1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.


2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.

3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.

4. Restart the browser and try again.

Set IIS to serve Certificate Services Securely (via https).

This assumes you have your CA and the web portal installed correctly.

1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.

Note: If https is missing simply add it!

2. Expand Default Web Site > Certsrv > SSL Settings.


3. Tick ‘Require SSL’ > Apply.

4. That should be all you need; if it does not take effect straight away, drop to the command line and run iisreset /noforce.
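The same IIS changes can be scripted with the WebAdministration module, which also lets you guard against the mistake called out in step 1 (binding the CA certificate instead of the server's own certificate). This is an added example, not code from the original article; the function names are mine, and the thumbprint you pass is that of the web server's SSL certificate.

```powershell
# Added example, not the article's own code. Run on the CA / web enrolment
# server as an administrator. Steps 1-3 above, followed by a check that plain
# http to /certsrv is now refused.
Import-Module WebAdministration

function Set-CertsrvHttps {
    param(
        # Thumbprint of the web server's own SSL certificate (NOT the CA certificate).
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$SiteName = 'Default Web Site'
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    # A CA certificate carries Basic Constraints with CertificateAuthority = true;
    # refuse it so the wrong certificate cannot be bound by accident.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if ($bc -and $bc.CertificateAuthority) { throw "$Thumbprint is a CA certificate; bind the server certificate instead." }
    if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key; IIS cannot use it." }

    # Step 1: add the https binding if it is missing, then attach the certificate.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443
    }
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    $binding.AddSslCertificate($Thumbprint, 'My')

    # Steps 2-3: tick 'Require SSL' on the CertSrv virtual directory.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/CertSrv" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

function Test-CertsrvRequiresSsl {
    # Step 4's check: an http request to /certsrv must now come back 403.
    param([string]$HostName = $env:COMPUTERNAME)
    try {
        Invoke-WebRequest -Uri "http://$HostName/certsrv/" -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop | Out-Null
        Write-Warning 'Plain http to /certsrv still works; Require SSL has not taken effect (try iisreset /noforce).'
        return $false
    } catch {
        $status = $_.Exception.Response.StatusCode
        if ([int]$status -eq 403) {
            Write-Host 'OK: http is refused with 403; clients must use https.'
            return $true
        }
        throw
    }
}

# Usage (placeholder thumbprint):
# Set-CertsrvHttps -Thumbprint 'THUMBPRINT-OF-SERVER-CERT'
# Test-CertsrvRequiresSsl
```

Once Require SSL is on, clients that still browse to http://server/certsrv get a 403.4 rather than the enrolment error in the Problem section, which makes the misconfiguration obvious instead of leaving users with a page that half works.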

Related Articles, References, Credits, or External Links

NA

Running Dropbox On Windows Server

KB ID 0001489

Problem

If you are here, you have probably already found out that Dropbox is not supported on Windows Server platforms. You can install it and set it up happily but it stops working and needs to be relaunched all the time (manually).

I love Dropbox! So much that I actually pay for it! I run it on my management server and it's handy for copying files up into my test network, so I can appreciate how annoying it is having to restart it all the time. So to fix the problem we have to use a piece of software that's over 15 years old!

Running Dropbox as a Service on Windows Server

First you have to stop dropbox running.

Then download srvany and extract the executable to the Dropbox install directory (C:\Program Files (x86)\Dropbox). Note: This file is from the old Server 2003 Resource Kit.

From an elevated command prompt run the following command;

[box]sc create Dropbox binPath= "C:\Program Files (x86)\Dropbox\srvany.exe" DisplayName= "Dropbox Service"[/box]

Run services.msc > locate the Dropbox service > and set its 'Log On' to the account you were logged in with when you installed the Dropbox software.

Change the startup type to Automatic (don't start the service yet!) > OK.

Execute the following three commands;

[box]

New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters -Name Application -PropertyType String -Value "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe"

Start-Service Dropbox

[/box]

Update:

You also need to execute the following from an ‘Administrative command window’, (or Dropbox will stop synchronising after a few hours).

[box]

SETX /M QT_OPENGL software

[/box]

Related Articles, References, Credits, or External Links

Special Thanks to Frédéric for the SETX command to fix the timeout.

Windows Server – Schedule a Reboot

KB ID 0001321 

Problem

Back in the day we just used the ‘At’ command to schedule a reboot, but starting with Server 2012 that was stopped! If you try it now you will see the following;

The AT command has been deprecated. Please use schtasks.exe instead

Solution (The Quick Way)

Execute the following command (change the time and date accordingly);

[box]

schtasks /create /tn "Scheduled Reboot" /tr "shutdown /r /t 0" /sc once /st 12:20:00 /sd 02/03/2020 /ru "System"

[/box]
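The same one-off task can be created from PowerShell with the ScheduledTasks module, which avoids one trap in the schtasks command above: the /sd date is parsed in the machine's locale, so 02/03/2020 is 2 March on a UK server and 3 February on a US one. This is an added example, not from the original article; the function names are mine.

```powershell
# Added example, not the article's own code: schedule, inspect and cancel a
# one-time reboot with the ScheduledTasks module. Run elevated.
function New-ScheduledReboot {
    param(
        [Parameter(Mandatory)][datetime]$At,
        [string]$TaskName = 'Scheduled Reboot'
    )
    if ($At -le (Get-Date)) { throw "Reboot time $At is already in the past." }

    # Same action as the schtasks example: shutdown /r /t 0, run as SYSTEM.
    $action    = New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument '/r /t 0'
    $trigger   = New-ScheduledTaskTrigger -Once -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    # -Force replaces an existing task of the same name instead of erroring.
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

    # Show when it will actually fire, so a locale or AM/PM mistake is caught now.
    Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo | Select-Object TaskName, NextRunTime
}

function Remove-ScheduledReboot {
    param([string]$TaskName = 'Scheduled Reboot')
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}

# ISO 8601 is unambiguous whatever the server's regional settings:
New-ScheduledReboot -At (Get-Date '2020-03-02T12:20:00')
```

Always read the NextRunTime that New-ScheduledReboot prints back; if it is not the moment you meant, Remove-ScheduledReboot cancels the task before it fires.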

Solution (The Long Way)

Launch Task Scheduler.

Create Basic Task.

Give the task a name, (and optionally a description) > Next > One time > Next > Enter the date and time for the reboot to occur > Next.

Start a program > Next > Program/Script = PowerShell > Add Arguments = Restart-Computer -Force > Next > Finish.

Related Articles, References, Credits, or External Links

NA

Run PowerShell (and Command Prompt) Administratively

KB ID 0000988

Problem

We had the 'run as' service way back in Windows 2000, so the concept of running a command window 'as administrator' should not be difficult to understand. But the number of times I tell people 'You need to run that as administrator', and they reply 'I AM an administrator', is far too high. With PowerShell there's no way of knowing, and with command prompt the differences are subtle.

Solution

There's a myriad of different ways to launch an administrator command window; here are a few. If I've missed any, let me know.

Launch Powershell in Administrative Mode 

Powershell administrative mode (from Within Powershell)

If you’re already in Powershell you can open an administrative Powershell window, with the following command;

[box]

Start-Process PowerShell -Verb RunAs

[/box]
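The "I AM an administrator" confusion comes from UAC: a member of the Administrators group normally runs with a filtered token in which that group is marked deny-only, and only an elevated window gets the full token. The functions below, an added example that is not part of the original article, tell the two situations apart and relaunch a script elevated using the same Start-Process -Verb RunAs as the box above. Function names are mine; the whoami parsing assumes an English-language Windows.

```powershell
# Added example, not the article's own code.

function Test-IsElevated {
    # True only in an elevated window. In a non-elevated window this returns
    # $false even for members of Administrators, because UAC filters the
    # group out of the token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AdminTokenState {
    # whoami /groups lists BUILTIN\Administrators (S-1-5-32-544) with the
    # attribute "Group used for deny only" when you are a member but the
    # window is not elevated. (Attribute text assumed to be in English.)
    $row = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object SID -eq 'S-1-5-32-544'
    if (-not $row)                              { return 'NotAMember' }
    if ($row.Attributes -match 'deny only')     { return 'MemberButNotElevated' }
    return 'Elevated'
}

function Start-ElevatedSelf {
    # Relaunch the running script in an elevated PowerShell window, then exit
    # the non-elevated one. Only works when run from a saved .ps1 file.
    if (Test-IsElevated) { return }
    if (-not $PSCommandPath) { throw 'Save this as a .ps1 file to relaunch it elevated.' }
    Start-Process PowerShell -Verb RunAs -ArgumentList "-NoExit -File `"$PSCommandPath`""
    exit
}

"Elevated window : $(Test-IsElevated)"
"Token state     : $(Get-AdminTokenState)"
```

A result of MemberButNotElevated is exactly the "I AM an administrator" case: the account is fine, the window is not, and any of the launch methods in this article fixes it.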

Powershell Administrative Mode (from Start Menu)

Option 1: From Start/Search > Powershell > Right Click Windows PowerShell > Run as administrator.

Option 2: Start > Right Click Windows PowerShell > Run as administrator.

Option 3: Start > Windows PowerShell > Windows Powershell > Run as Administrator.

Option 4: Right Click Start Menu (or Press Windows+X) > Windows PowerShell (Admin).

Powershell Administrative Mode (from Task Manager)

Launch Task Manager > File > Run new task > Powershell > Tick 'Create this task with administrative privileges'.

Powershell Administrative Mode (from Windows Explorer)

From Windows Explorer > File > Open Windows PowerShell as administrator.

Launch Command Prompt in Administrative Mode 

Administrator Command Prompt From Start Menu. (Windows 10 and Server 2016/2019)

From the Start/Search option > Type cmd > Then right click Command Prompt and select ‘Run as administrator’.

Command Prompt (Admin) – Windows 10 (& Server 2016/2019) 

Right click the Start Button > Command Prompt (Admin)

Command Prompt (Admin) – Windows 8 (& Server 2012) Quick Links Menu

Press Windows Key+X > Select Command Prompt (Admin)

Administrator Command Prompt From Start Menu. (Windows 8 and Server 2012)

If you have the new Windows 8/2012 Start Menu (that we can’t call Metro any more) then type ‘command’ in the search window, then either right click and select ‘Run as administrator’, or press Ctrl+Shift+Enter to launch.

If you have the traditional start menu enabled or are running Windows 7/Vista, you can type command in the search/run box, then

Create An Always Run As Administrator Command Prompt Shortcut

1. Right click an empty area of your desktop > New > Shortcut.

2. Set the location to ‘cmd’ > Next > Call it Admin Command > Finish.

3. Right click your new shortcut > Properties.

4. Shortcut > Advanced > Run as administrator > Apply > OK.


Launch Admin Command Prompt from Task Manager.

Launch Task Manager (Ctrl+Shift+Esc) > File > Run new task > cmd > Tick ‘Create this task with administrative privileges’.

Launch Command Prompt ‘As Administrator’ From Command/Run.

I'm not a fan of this; in fact I only include it here for completeness. You can call a command window and run it as administrator from the command line (or the run box, Windows Key+R). The reason I don't like this is that you need to enter the machine's local administrator password for it to work.

[box]

runas /user:%computername%\administrator cmd

[/box]

If there's any I've missed feel free to drop me an email, and I will update the article.

Related Articles, References, Credits, or External Links

NA

Windows Group Policy – Disable The Local Windows Firewall

KB ID 0001090

Problem

I’ve got nothing against the Windows firewall, it’s certainly a lot easier to manage now than it was back in the XP SP2 days. But I find a lot of clients still just ‘want it gone’ and, providing they have a decent corporate firewall in front of them that’s fair enough.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer Configuration > Policies > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections

[/box]

6. Set the policy to disabled.

7. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU from the Group Policy Management Console (right click the OU > Group Policy Update).

8. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines).
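The same GPO can be created and linked from PowerShell with the GroupPolicy module (RSAT). This is an added example, not from the original article; the GPO name and the OU path are placeholders, and the registry value written is the one behind the "Windows Firewall: Protect all network connections" setting (EnableFirewall under the WindowsFirewall\DomainProfile policy key). The second function is the check to run on a target machine after gpupdate /force.

```powershell
# Added example, not the article's own code.
Import-Module GroupPolicy

function New-DisableDomainFirewallGpo {
    param(
        [string]$GpoName = 'Disable Windows Firewall (Domain Profile)',
        # Placeholder OU; scope this to the machines that need it rather than the domain root.
        [Parameter(Mandatory)][string]$TargetOU      # e.g. 'OU=Servers,DC=domain,DC=com'
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Domain profile host firewall off; perimeter firewall in front.'
    }

    # Equivalent of setting "Protect all network connections" to Disabled.
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
        -ValueName 'EnableFirewall' -Type DWord -Value 0 | Out-Null

    # Link it once to the target OU.
    $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }

    Get-GPO -Name $GpoName | Select-Object DisplayName, Id, GpoStatus
}

function Test-DomainFirewallDisabledByPolicy {
    # Run on a target machine (after gpupdate /force) to see both the policy
    # value that arrived and the firewall's effective state.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    $fromGpo   = (Get-ItemProperty -Path $policyKey -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    $effective = (Get-NetFirewallProfile -Name Domain).Enabled
    [pscustomobject]@{
        PolicyValueReceived   = ($null -ne $fromGpo)
        PolicyDisablesFirewall = ($fromGpo -eq 0)
        DomainProfileEnabled  = [string]$effective
    }
}

# New-DisableDomainFirewallGpo -TargetOU 'OU=Servers,DC=domain,DC=com'   # on a DC / RSAT machine
Test-DomainFirewallDisabledByPolicy                                      # on a client
```

If PolicyValueReceived is false the GPO has not reached the machine yet (check the link, security filtering and gpresult /r); if it is true but DomainProfileEnabled is still True, the machine is not on the domain profile at that moment.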

SBS Note

An SBS (Small Business Server) domain enables the client firewall by default! The policy is called Windows Firewall Policy, which is usually linked to the computer OU under 'My Business'.

Related Articles, References, Credits, or External Links

Windows – Open a Firewall Port with Group Policy

Group Policy Preferences and Client Side Extensions

Group Policy Preferences KB ID 0000389

Problem

Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2. To be able to apply them to older Windows clients, you need to install the "Client Side Extensions" (CSE); you can either script this, deploy it with a group policy, or, if you have WSUS, send out the update that way. From Windows 7 onwards they are already installed.

Solution : Group Policy Preferences

You may not have noticed, but if you edit or create a group policy now, you will see there is a "Preferences" branch. Most IT Pros will have seen the addition of the "Policies" folder some time ago, because it adds an extra level to get to the policies that were there before 🙂

OK Cool! What can you do with them?

1. Computer Preferences: Windows Settings

Environment: Lets you control, and send out Environment variables via Group Policy.

Files: Allows you to copy, modify the attributes, replace or delete a file (for folders see the next section).

Folder: As above, but for folders.

Ini Files: Allows you to Create, Replace, Update or Delete an ini file.

Registry: Allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a wizard, or extract the key(s)/values you want to send out via group policy.

Network Shares: Allow you to Create, Replace, Update, or Delete shares on clients via group policy.

Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy.

2. Computer Preferences: Control Panel Settings

Data Sources: Allows you to Create, Replace, Update, or Delete, Data Sources and ODBC settings via group policy. (Note: there’s a bug if your using SQL authentication see here).

Devices: Lets you enable and disable hardware devices by type and class, to be honest it’s a little “clunky”.

Folder Options: Allows you to set “File Associations” and set the default programs that will open particular file extensions.

Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users OR local groups. Handy if you want to create an additional admin account, or reset all the local administrators' passwords via group policy. Note: the password fields in these items were disabled by MS14-025 (May 2014), because the value stored in SYSVOL was readable by any domain user; use LAPS for local administrator passwords instead.

Network Options: Lets you send out VPN and dial up connection settings to your clients, handy if you use PPTP Windows Server VPN’s.

Power Options: With XP these are Power Options and Power Schemes, With Vista and later OS’s they are Power Plans. This is much needed, I’ve seen many “Is there a group policy for power options?” or disabling hibernation questions in forums. And you can use the options Tab, to target particular machine types (i.e. only apply if there is a battery present).

Printers: Lets you install printers (local or TCP/IP), handy if you want all the machines in accounts to have the accounts printer. for further info see,

Deploying Printers with Group Policy Preferences

Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or Later), this could be handy to deploy a patch or some virus/malware removal process.

Service: Essentially anything you can do in the Services snap-in you can push out through group policy: set services to disabled, or change the logon credentials used for a service. In addition you can set the recovery option should a service fail.
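Several of the preference items above (Local Users and Groups, Services, Scheduled Tasks, Data Sources, Drive Maps) could once carry a password, and any that were saved before MS14-025 are still sitting in SYSVOL. The audit below is an added example, not part of the original article: it lists every preference XML in SYSVOL that still has a cpassword attribute so the item can be removed and the account's password changed. The function name is mine; it reads the domain name from the environment and needs only ordinary read access to SYSVOL.

```powershell
# Added example, not the article's own code: find preference items in
# SYSVOL that still contain a stored password (cpassword attribute).
function Find-GppStoredPasswords {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $sysvol = "\\$Domain\SYSVOL\$Domain\Policies"

    # Preference item types that have (or had) a password field.
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $sysvol -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$doc = Get-Content -Path $_.FullName
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            # The account name lives under a different attribute per item type.
            $account = ''
            foreach ($attr in 'userName', 'accountName', 'runAs', 'username') {
                if ($node.HasAttribute($attr)) { $account = $node.GetAttribute($attr); break }
            }
            [pscustomobject]@{
                GpoGuid = (($_.FullName -split '\\Policies\\')[1] -split '\\')[0]
                File    = $_.FullName
                Item    = $node.LocalName
                Account = $account
            }
        }
    }
}

Find-GppStoredPasswords | Format-Table -AutoSize
```

Map each GpoGuid back to a display name with Get-GPO -Guid, delete the offending preference item in the editor (it will show greyed-out password fields), and treat the listed accounts as compromised until their passwords are rotated.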

3. User Configuration: Windows Settings

Applications: Answers on a Postcard? I can’t work out what these are for!

Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assign mapped drives on a user/group basis.

Environment: As above lets you control and send out Environment variables via Group Policy, but on a user basis.

Files: As above, allows you to copy, modify the attributes, replace or delete a file (for folders see the next section), but on a user basis.

Folders: As above, but for folders on a user by user basis.

Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user by user basis.

Registry: As above, allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a wizard, or extract the key(s)/values you want to send out via group policy, this time for users not computers.

Shortcuts: As Above, allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy for users.

4. User Configuration: Control Panel Settings

All of the following options are covered above under "Computer Configuration":

Data Sources, Devices, Folder Options, Local Users and Groups, Network Options, Power Options, Printers, Scheduled Tasks.

Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user by user basis.

Regional Options: Designed so you can change a user's locale, handy if you have one user who wants an American keyboard.

Start Menu: Provides the same functionality as right clicking your task bar > properties > Start Menu > Customise, only set user by user.


Related Articles, References, Credits, or External Links

Deploying Printers with Group Policy Preferences

Windows – Open a Firewall Port with Group Policy

Define Inbound Port Exceptions

KB ID 0000979 

Problem

For everyone who simply does not disable the Windows firewall, then you need to be able to manage what ports are open on your machines. The simplest way to do this is via group policy. This week I had to open TCP port 9503 on the local firewall of my McAfee Move Offload Servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU with my Move Offload servers in it.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer configuration > Policies >Administrative Templates > Network > Network Connections >Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions

[/box]

6. Open the policy and enable it > Show.

7. As this is a new policy the list will be empty, (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053, over TCP, the asterisk means ‘from anywhere’, I’ve Enabled the rule, and called it McAfee Move.

Port Exception Syntax

<Port>:<Transport>:<Scope>:<Name>

  • <Port>: Number in decimal from 0 to 65,535
  • <Transport>: TCP or UDP
  • <Scope>: Where the traffic is coming from, e.g. 192.168.1.1, or 192.168.1.0/24, or simply 'localsubnet' or '*' for everywhere. You can enter multiple values separated with a comma.
  • <Name>: A simple text entry to define what the exception is.

8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU from the Group Policy Management Console (right click the OU > Group Policy Update).

9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)

10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.

11. If you open the rule you can see its been applied by group policy, and check the correct port has been defined.
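The exception string is easy to get subtly wrong (port out of range, a colon in the name, a malformed scope), and the GUI gives little feedback. The following is an added example, not from the original article: it builds and validates the string, parses one back, and writes it into a GPO with the GroupPolicy module. Note that the full form the policy stores is <Port>:<Transport>:<Scope>:<Status>:<Name>, with a fifth "enabled"/"disabled" field between scope and name (this is the "Enabled" you set in step 7). Each entry lives as a REG_SZ value under the DomainProfile\GloballyOpenPorts\List policy key whose name and data are both the string; the GPO name is a placeholder and the function names are mine.

```powershell
# Added example, not the article's own code.
function New-FirewallPortException {
    param(
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Transport,
        [string[]]$Scope = @('*'),
        [Parameter(Mandatory)][string]$Name,
        [switch]$Disabled
    )
    if ($Port -lt 0 -or $Port -gt 65535) { throw "Port $Port is outside 0-65535." }
    foreach ($s in $Scope) {
        # Basic shape check: *, localsubnet, an IPv4 address or an IPv4 CIDR range.
        $ok = ($s -eq '*') -or ($s -eq 'localsubnet') -or ($s -match '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$')
        if (-not $ok) { throw "Scope '$s' must be *, localsubnet, an IPv4 address or a CIDR range." }
    }
    if ($Name -match ':') { throw 'The name cannot contain a colon; it is the field separator.' }
    $status = if ($Disabled) { 'disabled' } else { 'enabled' }
    return '{0}:{1}:{2}:{3}:{4}' -f $Port, $Transport, ($Scope -join ','), $status, $Name
}

function ConvertFrom-FirewallPortException {
    # Parse an existing entry (e.g. one read back from the GPO) into fields.
    param([Parameter(Mandatory)][string]$Entry)
    $parts = $Entry -split ':', 5
    if ($parts.Count -ne 5) { throw "'$Entry' does not have five colon-separated fields." }
    [pscustomobject]@{
        Port      = [int]$parts[0]
        Transport = $parts[1]
        Scope     = $parts[2] -split ','
        Status    = $parts[3]
        Name      = $parts[4]
    }
}

function Add-GpoFirewallPortException {
    # Write the entry into the GPO; the name and data of the value are both the string.
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$Entry)
    Import-Module GroupPolicy
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List'
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $Entry -Type String -Value $Entry | Out-Null
}

# The article's example entry, built and parsed back:
$entry = New-FirewallPortException -Port 9053 -Transport TCP -Scope '*' -Name 'McAfee Move'
$entry                                      # 9053:TCP:*:enabled:McAfee Move
ConvertFrom-FirewallPortException $entry
# Add-GpoFirewallPortException -GpoName 'Open McAfee Move Port' -Entry $entry   # placeholder GPO name
```

Restricting Scope to the subnet of the hosts that actually need to reach the port (for example '192.168.1.0/24' instead of '*') keeps the exception from becoming an open door on every profile the policy applies to.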


Related Articles, References, Credits, or External Links

Windows Group Policy – Disable The Local Windows Firewall