Error seen when attempting to add a new domain controller to an existing domain;
Verification of replica failed. The specified domain {Domain-Name} is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated.
The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain.
You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing.
Solution: FRS is Deprecated
Before proceeding you MUST ensure all your existing domain controllers are AT LEAST Windows Server 2008. Your domain and forest functional levels should be at Windows Server 2008 (AT LEAST). It would also be a good move to make sure all your DCs are replicating cleanly before you start.
You need to go to one of your legacy (existing) domain controllers, and carry out the following PowerShell procedure.
First make sure that no one’s messed about with this before, issue the following command and make sure the migration process has not been previously started;
[box]
dfsrmig /getglobalstate
[/box]
Start the process.
[box]
dfsrmig /setglobalstate 1
[/box]
It can take a while (even if you only have one Domain Controller!). Keep checking the status with the command ‘dfsrmig /getmigrationstate’ until it says all the domain controllers have migrated to global state ‘Prepared‘.
Change the process to state 2 (Redirected).
[box]
dfsrmig /setglobalstate 2
[/box]
This typically completes a bit faster than the first state. Keep checking the status, with the command you originally used, until it says all the domain controllers have migrated to global state ‘Redirected‘.
Change the process to state 3 (Eliminated).
[box]
dfsrmig /setglobalstate 3
[/box]
As before, keep checking the status with the command you originally used, until it says all the domain controllers have migrated to global state ‘Succeeded‘.
On the ‘Old‘ domain controllers, you need to disable the NTFRS service and stop it.
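The whole sequence above as one script, added here as an example and not the post’s own code: it refuses to run unless the global state is still ‘Start’, steps through states 1 to 3 and polls ‘dfsrmig /getmigrationstate’ until every DC reports each state, then stops and disables NTFRS on the DC it runs on. It assumes the English dfsrmig output text; adjust the match patterns if yours differs.

```powershell
# Added example (not the post's own code): drive the dfsrmig states in order.
# Run in an elevated PowerShell window on an existing domain controller.
# Assumption: matches the English dfsrmig output; adjust the patterns otherwise.

$states = @(
    @{ Id = 1; Name = 'Prepared'   },
    @{ Id = 2; Name = 'Redirected' },
    @{ Id = 3; Name = 'Eliminated' }
)

# Refuse to start if a migration has already been started (or finished).
$globalState = (dfsrmig /getglobalstate) -join ' '
if ($globalState -notmatch "'Start'") {
    Write-Warning "Global state is not 'Start': $globalState"
    Write-Warning "Check 'dfsrmig /getmigrationstate' before doing anything else."
    return
}

foreach ($s in $states) {
    Write-Host "Setting global state $($s.Id) ($($s.Name))..."
    dfsrmig /setglobalstate $s.Id | Out-Null
    do {
        Start-Sleep -Seconds 60          # AD replication latency; be patient
        $out  = (dfsrmig /getmigrationstate) -join ' '
        $done = ($out -match 'migrated successfully') -and ($out -match $s.Name)
        if (-not $done) { Write-Host "  waiting: $out" }
    } until ($done)
    Write-Host "  all domain controllers report '$($s.Name)'."
}

# State 3 reached: FRS no longer replicates SYSVOL, so retire the service on
# this DC (repeat on each legacy DC, as the post says).
$frs = Get-Service -Name NtFrs -ErrorAction SilentlyContinue
if ($frs) {
    Stop-Service -Name NtFrs -Force
    Set-Service  -Name NtFrs -StartupType Disabled
    Write-Host "NtFrs stopped and disabled on $env:COMPUTERNAME."
}
```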
In a fit of lunacy Microsoft have called ‘their’ new browser Microsoft Edge, so we can spend the next few months confusing it with Edge. Plus every Google search for GPO settings, error messages etc will all now show search results for the old Edge Browser not the new Microsoft Edge browser! Perhaps the same doofus at Microsoft who called the Exchange sync Active Sync when Microsoft already had a product called Active Sync was involved?
Anyway I got a request from a client this week to have Microsoft Edge on their Citrix environment, there was some confusion (imagine that), because Edge does not work on server 2016, (and it’s not shipped as part of server 2016), but would Microsoft Edge work?
Installing Microsoft Edge on Server 2019/2016 (With IE11)
Why is Internet Explorer still alive? Anyway, if you want to install Edge on a modern Windows server, firstly ensure you are fully up to date with updates! Then open IE > Internet Options > Security > Custom > Scripting > Enable Active Scripting > OK > Yes > Apply > OK.
The first test was, ‘would it run on Server 2016’, it detected the OS as Windows 10 (unsurprisingly), and installed fine;
Microsoft Edge on Remote Desktop Services
Well, Citrix is really just Remote Desktop Services in a leather jacket, so the next test was, ‘would it work in RDS?’ I spun up an RDS farm on the bench, and was pleased to see I could select Microsoft Edge as a RemoteApp, (not that I needed to deploy it using RemoteApp, but it being detected was promising).
And in an RDS session it worked faultlessly.
Deploy Microsoft Edge on Citrix (Server 2016)
Here’s where we had a problem: it installed fine, but every time I went to open it, all I got was a ‘white screen’ for about 5 minutes, after which it burst into life. That is not something I could really ask the client to put up with!
As this was happening when I launched the browser, I ‘wrongly’ assumed it was a ‘first run‘ problem. (For the uninitiated, previous Microsoft browsers had an annoying ‘how do you want to set the browser up’ routine, then finally dumped you on the MSN webpage; does anyone actually use the MSN webpage?) While it didn’t cure my problem, it’s worth mentioning how I stopped the first run dialog from happening;
Controlling Microsoft Edge with Group Policies
If you are used to importing ADMX and ADML files then this will be a breeze to you. If you are really interested, I cover the subject in great detail in the following post;
[box]
Computer configuration > Policies > Administrative Templates > Microsoft Edge
[/box]
Microsoft Edge: Stop Importing of Bookmarks/Favourites
Locate: ‘Automatically import another browser’s data and settings at first run‘ > Enable the policy, and select ‘Disable automatic import and the import section of the first run experience is skipped‘ > Apply > OK.
Microsoft Edge: First Run
This will disable the entire first run dialog;
Locate: ‘Hide the First-run experience and splash screen‘ > Enable the policy > Apply > OK.
As it was working in RDS and not on Citrix, the problem was probably Citrix*. Citrix is one of my weaker subjects, so credit for the actual fix should go to my colleague (Dan Brookes).
*After I had discounted existing group policies, and other installed applications.
Running Microsoft Edge while it was ‘hanging’ and looking at what was going on in ‘Process Monitor’ showed a lot of hook64.dll entries;
This pointed to the culprit. Open the Registry Editor (regedit) and navigate to;
[box]
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > CtxUvi
[/box]
Locate the UviProcessExcludes REG_SZ value, edit it and add ‘msedge.exe;‘ to the end.
There’s probably one service you can restart, but I simply rebooted the server, (problem solved).
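The same registry edit done from PowerShell, added here as an example and not the post’s own code: it shows the value before and after (so the change can be reviewed or reverted) and only appends msedge.exe if it is not already in the semicolon-separated list, so running it twice does no harm.

```powershell
# Added example (not the post's own code): add msedge.exe to the Citrix
# UviProcessExcludes list idempotently. Run elevated on the Citrix session host;
# a reboot is still needed afterwards, as in the post.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CtxUvi'
$name = 'UviProcessExcludes'
$exe  = 'msedge.exe'

if (-not (Test-Path $key)) { throw "Citrix key $key not found; is the VDA installed?" }

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = '' }
Write-Host "Before: '$current'"

# The value is a semicolon-separated list of process names; -contains is
# case-insensitive, so MSEDGE.EXE would also count as already present.
$entries = $current -split ';' | Where-Object { $_ -ne '' }
if ($entries -contains $exe) {
    Write-Host "$exe is already excluded; nothing to do."
} else {
    # Keep the trailing-semicolon convention the existing entries use.
    $new = ($current.TrimEnd(';') + ";$exe;").TrimStart(';')
    Set-ItemProperty -Path $key -Name $name -Value $new -Type String
    Write-Host "After:  '$((Get-ItemProperty -Path $key -Name $name).$name)'"
}
```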
FSLogix and Microsoft Edge
If you are running FSLogix you should also add an ‘exclusion’ to the Redirections.xml file, (located in your \\{domain-name}\NETLOGON folder).
I’ve been aware of Let’s Encrypt for a while. They are a non-profit Certification Authority who will provide you with a free certificate, and you can use them for most things you want to secure with a digital certificate. The only reason I’ve never used them in the past is that their certificates have a short (3 month) lifespan, and I see enough things breaking when people forget to renew 12 month certificates! This site went down a couple of years ago because the certificate expired while I was on holiday in Las Vegas, and it was a pain to get fixed!
I’ve got some work coming up that requires me to have a publicly signed certificate, so I thought I’d give it a whirl, it was incredibly easy and painless.
Obviously you need a Windows server with the IIS role installed, and a website that you want to secure. It does not need to already have a certificate or have https configured; whether you have or have not already done that, it will all be reconfigured for you! In addition you need a publicly registered domain name (you’re on my website, so you know I have one of those), and finally a DNS host record (A Record) that you will use to browse to the web server. This will be ‘stamped’ onto the certificate as the certificate common name (CN).
The website will need to be publicly accessible via TCP Port 443 (https) on the IP address you’ve set in public DNS.
To do all the heavy lifting you need a piece of software. The easiest (I’ve seen) is win-acme (at time of writing the latest version is 2.1.14.996); you simply download it as a zip file.
Extract the contents of that zip file to a folder on your hard drive.
I’ve only got one website, you may be hosting multiple sites, select the appropriate number.
I’m replacing every binding (you can have multiple bindings per site, but I’ve never seen that myself) > It then shows the bindings it finds > Select ‘A’ for all.
Yes to continue > No (unless you want the EULA to open in a web window for you to read) > Yes to agree to the terms (without reading them, shame on you!) > Enter a contact email address.
The software will go and get your certificate, install it, and bind it to your website. If it fails at this point it’s usually because the name for the certificate does not match your public DNS name, or the firewall is stopping your traffic.
Force IIS to Use Let’s Encrypt Free Certificate
To force clients to use HTTPS and not HTTP, you will need to tick the option below (Require SSL);
If you take a look at your certificate you will see it’s got a three month lifespan, BUT, you don’t have to worry about renewing it because…
Let’s Encrypt Free Certificate Auto Renewal
As well as getting your certificate, win-acme also created a scheduled task to check your certificate validity and renew it before it expires. Cool eh?
Where Does Win-ACME Store its information
Good question, it took me a little while to find that out. Essentially, once run, it creates a new folder in %programdata% (that’s a hidden folder on the C drive, usually) called win-acme; all your settings are in there, so if you make a mistake like entering the wrong email address, you can delete this folder and start again.
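A quick health check for the finished setup, added here as an example and not win-acme’s or the post’s own code: it reports the certificate on every https binding with the days left, confirms the renewal scheduled task exists and when it last ran, and shows the %ProgramData%\win-acme folder described above. It assumes the task name starts with ‘win-acme’; adjust the filter if yours differs.

```powershell
# Added example (not the post's or win-acme's code): check a win-acme /
# Let's Encrypt setup on IIS. Run elevated on the IIS server.
Import-Module WebAdministration

# 1. Certificates on https bindings and how long they have left.
foreach ($b in Get-WebBinding -Protocol https) {
    $thumb = $b.certificateHash
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if ($null -eq $cert) {
        Write-Warning "Binding $($b.bindingInformation): thumbprint $thumb not in LocalMachine\My"
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $msg = "Binding $($b.bindingInformation): $($cert.Subject) from $($cert.Issuer), expires $($cert.NotAfter) ($daysLeft days)"
    # Let's Encrypt certificates live about 90 days and win-acme renews well
    # before expiry, so under 30 days means renewals have been failing for a while.
    if ($daysLeft -lt 30) { Write-Warning $msg } else { Write-Host $msg }
}

# 2. The renewal scheduled task win-acme created (assumption: name starts 'win-acme').
$tasks = @(Get-ScheduledTask | Where-Object TaskName -like 'win-acme*')
if ($tasks.Count -eq 0) {
    Write-Warning 'No win-acme scheduled task found; the certificate will NOT auto-renew.'
}
foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    Write-Host ("Task '{0}': state {1}, last run {2}, last result 0x{3:X}, next run {4}" -f
        $t.TaskName, $t.State, $info.LastRunTime, $info.LastTaskResult, $info.NextRunTime)
}

# 3. Where win-acme keeps its settings and renewal history.
$dir = Join-Path $env:ProgramData 'win-acme'
if (Test-Path $dir) {
    Write-Host "win-acme state folder: $dir"
    Get-ChildItem $dir -Recurse -File | Select-Object FullName, LastWriteTime
} else {
    Write-Warning "$dir not found; win-acme has not been run here (or it was cleaned up)."
}
```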
How To Remove Let’s Encrypt IIS Free Certificate & Settings
Remove the certificate from IIS.
Remove the win-acme folder from %Programdata%.
Delete the scheduled update task from ‘Task Scheduler‘.
Related Articles, References, Credits, or External Links
When attempting a File Server Migration why isn’t this better publicised? Did you know Microsoft have a set of Migration tools, and one of them is for file servers? Now traditionally I’d use RoboCopy or XCopy to migrate files and folders, and for ‘User Profiles’ I would normally back them up, and restore them to the new server. This is because the file permissions on ‘correctly deployed’ user profiles mean you can’t open them.
How about a tool, that migrates all the files, folders and profiles while maintaining all the NTFS permissions, AND Share permissions!
Windows File Server Migration Tools
Source Server Pre-requisites
Server 2003: .NET 2.0 (with SP1), PowerShell 2.0, and 25MB free drive space.
Server 2008: PowerShell and 25MB free drive space.
Server 2008 R2 and newer: 25MB free drive space.
All: UDP port 7000 needs to be open, from source to the destination server.
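Two of the prerequisites above done from PowerShell on the destination server, added here as an example and not the post’s own code: an inbound firewall rule for UDP 7000 that is scoped to the source server’s address rather than open to everything, and a remote check that the source has the 25MB free. $SourceIp and $SourceName are placeholders; the free-space check uses DCOM because a Server 2003 source will not have WinRM.

```powershell
# Added example (not the post's own code): prepare the destination for the
# Windows Server Migration Tools. Run elevated on the destination server.
$SourceIp   = '192.0.2.10'   # placeholder: source server IP
$SourceName = 'OLDFS01'      # placeholder: source server name
$RuleName   = 'Server Migration Tools (UDP 7000 in from source)'

# (a) Allow UDP 7000 inbound from the source only, not from anywhere.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Write-Host "Rule '$RuleName' already exists."
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort 7000 -RemoteAddress $SourceIp -Action Allow | Out-Null
    Write-Host "Created rule allowing UDP 7000 from $SourceIp only."
}

# (b) Check the source's system drive has the 25 MB the tools need.
# Older sources (2003/2008) answer WMI over DCOM, so force that protocol.
$opt = New-CimSessionOption -Protocol Dcom
$cs  = New-CimSession -ComputerName $SourceName -SessionOption $opt
$os  = Get-CimInstance -CimSession $cs -ClassName Win32_OperatingSystem
$sys = Get-CimInstance -CimSession $cs -ClassName Win32_LogicalDisk `
           -Filter "DeviceID='$($os.SystemDrive)'"
Remove-CimSession $cs

$freeMB = [math]::Round($sys.FreeSpace / 1MB)
if ($freeMB -lt 25) {
    Write-Warning "$SourceName $($os.SystemDrive) has only $freeMB MB free; the tools need 25 MB."
} else {
    Write-Host "$SourceName $($os.SystemDrive) has $freeMB MB free (OK). OS: $($os.Caption)"
}
```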
File Server Migration Server 2008 to Server 2019
File Server Migration from Server 2003!
Source Server: Windows Server 2003 Standard x64 (x86 supported as well)
Destination Server: Windows Server 2012 R2 Datacenter
Source Server: Here you can see my user profiles, I’ll do the migration with them, as usually they are the most ‘challenging’.
You need to create a shared folder on the Source Server, I’ve just granted everyone full control, (this is just for the migration tools).
Destination Server: Open a PowerShell window and install the tools with the following command;
Open an administrative command window > Now you need to deploy the migrations tools to the share on the destination server, to do that use the following command;
Note: For x86 (32 bit) source servers use x86 instead of amd64. WS03 (Windows Server 2003), WS08 (Windows Server 2008), WS08R2 (Windows Server 2008 R2), and WS12 (Windows Server 2012).
Source Server: Open the folder you created earlier and within it you will find another folder that has the tools in. Open an administrative command window and change to this directory > then execute the following command;
[box]
.\smigdeploy
[/box]
Another PowerShell window will open, leave it open, and return to the destination server.
Destination Server: Here I’ve created a folder that I’m going to migrate into.
Destination Server: Open a PowerShell window and issue the following two commands;
I’ve had a Windows 2012 R2 server image that I’ve been using in EVE-NG forever. This week it bit the dust, so I thought, can I deploy a shiny new 2019 server?
EVE-NG Windows Virtual Machines
Yes! In fact the deployment procedure is the same for 2019 as it was for earlier versions of Windows server. First log onto your EVE-NG host and create the folder;
[box]
mkdir /opt/unetlab/addons/qemu/winserver-2019/
[/box]
Then ‘upload’ a copy of the Windows Server 2019 installation iso into that folder with WinSCP or FileZilla.
Now rename the ISO image file to cdrom.iso, then create a new, (empty) hard drive file, that we will install windows onto. (Note: below I’m setting it to 60GB in size).
In EVE-NG create a new Lab and add in your Windows 2019 Server, then power it on.
It won’t find the hard drive, because it has not got the controller driver; click ‘Load Driver‘.
Navigate to B:\Storage\2003R2\amd64 > OK > Next > It will detect and load the ‘Red Hat Virtio‘ driver and install Windows. Once done, shut the Windows server down.
WARNING: If you intend to deploy ‘multiple’ Server OS’s into single EVE-NG Labs, then run ‘Sysprep‘ on the server image, select ‘Generalize’ and ‘Shutdown’, THEN commit the image once it’s shut down.
Now you need to ‘commit’ that image (so all new VMs will be created from that image). I’ve written about this before, see the following link;
[box]
Install-WindowsFeature : ArgumentNotValid: The role, role service, or feature name is not valid: ‘Desktop-Experience’. The name was not found.
At line:1 char:1
+ Install-WindowsFeature Desktop-Experience
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (Desktop-Experience:String) [Install-WindowsFeature], Exception
    + FullyQualifiedErrorId : NameDoesNotExist,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand

Success Restart Needed Exit Code Feature Result
——- ————– ——— ————–
False   No             InvalidArgs {}

PS C:\Users\administrator.PNL>
[/box]
Solution
Note: You need Server Datacenter version to do this.
If you go to the Flash website and it (wrongly) thinks you are using Windows 10 (well, it’s the same code, I’ll let them off), and it also says “it’s already installed, just enable it”, but it’s not there?
You need to install it with the following command;
Back in the day we just used the ‘At’ command to schedule a reboot, but starting with Server 2012 that was stopped! If you try it now you will see the following;
The AT command has been deprecated. Please use schtasks.exe instead
Solution (The Quick Way)
Execute the following command (change time and date accordingly);
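The same one-off reboot done with the ScheduledTasks cmdlets instead of schtasks.exe, added here as an example and not the post’s own command: it refuses a time in the past, runs shutdown.exe as SYSTEM so no stored password is involved, records the reboot as planned, and prints how to cancel it. The $When value is a placeholder (tomorrow at 02:00); change it.

```powershell
# Added example (not the post's own command): schedule a one-off reboot with
# the ScheduledTasks module, the supported replacement for 'at' since Server 2012.
# Run from an elevated PowerShell window.

$When     = (Get-Date).Date.AddDays(1).AddHours(2)   # placeholder: tomorrow 02:00, change me
$TaskName = 'One-off reboot'

if ($When -le (Get-Date)) { throw "$When is in the past; pick a future time." }

# shutdown.exe: /r reboot, /t 0 no extra delay, /c comment that lands in the
# System event log, /d p:4:1 marks it as a planned maintenance reboot.
$action  = New-ScheduledTaskAction -Execute 'shutdown.exe' `
               -Argument "/r /t 0 /c `"$TaskName`" /d p:4:1"
$trigger = New-ScheduledTaskTrigger -Once -At $When

# Run as SYSTEM so the task does not depend on a logged-on user or a saved password.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
# Start anyway if the exact minute was missed (e.g. the box was busy).
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Show what was registered and how to back it out.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo | Select-Object TaskName, NextRunTime
Write-Host "To cancel: Unregister-ScheduledTask -TaskName '$TaskName' -Confirm:`$false"
```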
You have a Windows 2019/2016, 2012, or 2008 server with plenty of storage space, and you would like to present that to an ESX/ESXi server as a datastore. You can configure a folder (or drive) as an NFS share and present it to VMware vSphere, so that it can be used as a datastore.
Note: For Server 2008 and vSphere 4/5 Scroll down.
Create NFS Shares on Windows Server 2019, 2016, and 2012
Essentially you need to add the ‘Server for NFS’ role, (Below “File and Storage Services“).
Create a folder to share, on its properties > NFS Sharing > Manage NFS Sharing.
Tick to share > Permissions.
You can add each host individually here, but I’m just changing the default rule to allow Read/Write to ALL MACHINES > Tick ‘Allow root access’ > OK.
VMWare vSphere 6 Connecting to Windows NFS Shares
Make sure you have a VMkernel port on the same network as your NFS share.
DataStore View > Right click the ‘Cluster‘ > Storage > New Datastore > NFS > Next > NFS 3 > Next.
Give the datastore a name > Select the share name (prefix it with a forward slash, and remember they are case sensitive!) > Enter the IP or FQDN of the NFS server > Next > Next > Finish.
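The Server 2019/2016/2012 share steps above done from PowerShell, added here as an example and not the post’s own code: it installs Server for NFS, exports the folder for NFSv3, and, instead of the ‘ALL MACHINES’ default rule, grants read/write plus root access only to the listed ESXi VMkernel addresses and gives everything else no access. $EsxiHosts and $Path are placeholders.

```powershell
# Added example (not the post's own code): create an NFS export for ESXi with
# per-host permissions rather than the ALL MACHINES default. Run elevated.
$EsxiHosts = @('192.0.2.21', '192.0.2.22')   # placeholder: ESXi VMkernel IPs
$Path      = 'D:\VMStore'                    # placeholder: folder to export
$ShareName = 'VMStore'                       # mounted by ESXi as /VMStore (case sensitive)

Install-WindowsFeature FS-NFS-Service -IncludeManagementTools | Out-Null
Import-Module NFS

if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# ESXi mounts NFSv3 with AUTH_SYS as root, so root access has to be allowed, but
# only for the listed hosts. Unmapped access is needed because the ESXi UID has
# no Windows identity mapping. The share-wide default is no access at all.
New-NfsShare -Name $ShareName -Path $Path -Authentication sys `
    -EnableUnmappedAccess $true -Permission no-access | Out-Null

foreach ($h in $EsxiHosts) {
    Grant-NfsSharePermission -Name $ShareName -ClientName $h -ClientType host `
        -Permission readwrite -AllowRootAccess $true
}

# Review the result; this is what the GUI 'Permissions' dialog would show.
Get-NfsSharePermission -Name $ShareName
```

On the ESXi side the datastore is then added exactly as in the steps above, with the share name entered as /VMStore.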
Create NFS Shares on Windows Server 2008
Gotchas
1. The system will not work if you do not have a vmkernel port, if you already have iSCSI or vmotion working then this will already be in place.
If not you will see an error like this,
Call “HostDatastoreSystem.CreateNasDatastore” for object “ha-datastoresystem” on ESX “{name or IP of ESX server}” failed.
2. Make sure TCP port 2049 is open between the NFS share and the ESX box. On ESX 3.x servers you may need to run ‘esxcfg-firewall -e nfsClient’.
Other Points
1. You CAN boot a windows VM from any NFS store (just because Windows cannot boot from NFS – does not mean a VM can’t).
Once upon a time, adding a domain controller that was running a newer version of the Windows Server family involved opening a command line and running schema prep, GP prep, etc. Now all this happens in the background when adding a 2019 domain controller, and the wizard does the heavy lifting for you.
Solution
2008 to 2019 Domain Controller
2008 to 2016 Domain Controller
Obviously the server needs to be a domain member first!
For Server 2019 Forest and Domain Functional levels need to be at ‘Windows Server 2008‘. (The documentation says 2008 R2, but Server 2008 also works flawlessly).
For Server 2016 Forest and Domain Functional levels need to be at ‘Windows Server 2003‘.
Before You Start!
Remember if your ‘retiring’ domain controller is also a DNS/DHCP server you will also need to address that, and make sure you don’t have a service or device that queries the old domain controller directly (Radius Devices, Firewalls, RSA Appliances, Proxy Filters, Security door software, etc).
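The pre-flight checks the points above depend on, added here as an example and not the post’s own code: forest and domain functional level, the OS of every existing DC, the current schema version, whether SYSVOL is still on FRS (which blocks a 2019 promotion, as the dfsrmig post above describes), the FSMO holders, and which DCs also run DNS or DHCP and so need attention before the old DC is retired. Run it from an existing domain controller (dfsrmig only works there) with the RSAT AD module.

```powershell
# Added example (not the post's own code): pre-flight for promoting a new
# 2016/2019 DC into an existing domain. Run on an existing DC as a domain admin.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
# Server 2019 needs 2008 or later here; Server 2016 needs 2003 or later.
Write-Host "Forest level: $($forest.ForestMode)   Domain level: $($domain.DomainMode)"

Write-Host "`nExisting domain controllers:"
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object Name, OperatingSystem, IPv4Address, IsGlobalCatalog, Site | Format-Table -AutoSize

# Schema objectVersion: 87 = Server 2016, 88 = Server 2019 (as the post notes).
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
Write-Host "Schema version: $($schema.objectVersion)"

# SYSVOL replication engine: a 2019 DC refuses to join while FRS is in use.
Write-Host "`nSYSVOL replication (dfsrmig): $((dfsrmig /getglobalstate) -join ' ')"

# FSMO holders: know these before you retire anything.
Write-Host ("`nFSMO: Schema={0} DomainNaming={1} PDC={2} RID={3} Infra={4}" -f
    $forest.SchemaMaster, $forest.DomainNamingMaster,
    $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)

# DCs that also run DNS or DHCP; those services need moving before the old DC goes.
Write-Host "`nDNS/DHCP on existing DCs:"
foreach ($dc in $dcs) {
    $running = Get-Service -ComputerName $dc.HostName -Name DNS, DHCPServer -ErrorAction SilentlyContinue |
               Where-Object Status -eq Running | Select-Object -ExpandProperty Name
    $list = if ($running) { $running -join ', ' } else { 'none' }
    Write-Host "  $($dc.HostName): $list"
}
```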
Procedure: Deploy a 2019 Domain Controller
With a vanilla install Server Manager will open every time you boot, (unless you’ve disabled it!) To open it manually, run ‘servermanager.exe’ > Manage > Add Roles and Features.
I usually tick the ‘Skip this page by default’ option > Next.
Role Based… > Next.
Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.
Select Active Directory Domain Services > Next.
Next.
Next.
Ensure ‘Restart’ is selected > Next.
Next.
Promote Windows Server To Domain Controller
Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.
Assuming you already have a domain, and this is not a greenfield Install > Add a domain controller to an existing domain > Next.
Type and confirm a Directory Services Restore Mode (DSRM) password; make it something you will remember in a crisis, or store it securely somewhere > Next.
This is fine. You see this error because it’s trying to create a delegation for this DNS zone, and there isn’t a Windows server above you in the DNS hierarchy. For example, if your domain name is petelnetlive.co.uk, then I do not have access to create a delegation in the .co domain space. (So you can safely ignore it) > Next
If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directory over a ‘pants’ connection > I’ve not had to do that in a long time > Next.
Unless you want to change the default AD install locations > Next.
Next.
Read any warnings > Install
Go have a coffee, we ticked ‘reboot’ earlier so it will complete, then reboot the server, which will come back up as a domain controller.
You will notice, (if you’re interested,) that your schema version is now 88 (Server 2019), or 87 (Server 2016).
Seen when attempting to deploy Windows Server 2016 as an ‘Image‘ (Parent VM) with VMware Horizon View.
‘VM With Unsupported Guest OS’
I double checked, and Server 2016 (Standard and DataCenter) were supported, as was Server 2019 (Standard and DataCenter.) The image also had a new version of the VMware Horizon View agent installed in it?
Solution
In my case this was an embarrassingly easy fix, previously I’d deployed Windows 7, 8, and 10 with Horizon View, this was the first time I’d ever deployed a server OS as a VDI image, (With Windows Server Datacenter, this works out cheaper, licensing wise).
By Default: VMware Horizon View does not allow server operating systems, (even though they are supported.) You just need to enable the feature! Launch Horizon Administrator, View Configuration > Global Settings > Edit > Tick ‘Enable Windows Server Desktops‘ > OK.
Doh! That cost me two hours, (hope it saved you some time).