DC Promotion Fails ‘FRS is Deprecated’

FRS is Deprecated KB ID 0001579

Problem

Error seen when attempting to add a new domain controller to an existing domain;

Verification of replica failed. The specified domain {Domain-Name} is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated.

The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain.

You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing.

Solution: FRS is Deprecated


Before proceeding you MUST ensure all your existing domain controllers are AT LEAST Windows Server 2008. Your domain and forest functional levels should be at Windows Server 2008 (AT LEAST). It would also be a good move to make sure all your DCs are replicating cleanly.

You need to go to one of your legacy (existing) domain controllers and carry out the following PowerShell procedure.

First, make sure that no one’s messed about with this before: issue the following command and confirm the migration process has not been previously started;

[box]

dfsrmig /getglobalstate

[/box]

Start the process.

[box]

dfsrmig /setglobalstate 1

[/box]

It can take a while (even if you only have one domain controller!). Keep checking the status with the command ‘dfsrmig /getmigrationstate’ until it says all the domain controllers have migrated to global state ‘Prepared’.

Change the process to state 2 (Redirected).

[box]

dfsrmig /setglobalstate 2

[/box]

This typically completes a bit faster than the first state. Keep checking the status with the command you originally used, until it says all the domain controllers have migrated to global state ‘Redirected’.

Change the process to state 3 (Eliminated).

[box]

dfsrmig /setglobalstate 3

[/box]

As before, keep checking the status with the command you originally used, until it says all the domain controllers have migrated to global state ‘Eliminated’ and the migration reports ‘Succeeded’.

On the ‘Old‘ domain controllers, you need to disable the NTFRS service and stop it.

[box]

Set-Service ntfrs -StartupType Disabled
Stop-Service ntfrs

[/box]

Now attempt to promote your new domain controller again.
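The procedure above is easy to get out of order when you have several DCs and a slow replication topology. The following script is an added example (not from the original article): it checks the prerequisites the article insists on (all DCs at least Server 2008, functional levels at least 2008), polls dfsrmig until every DC has reached the requested global state, and finally runs the article’s Set-Service/Stop-Service pair on every DC at once. It assumes the ActiveDirectory module (RSAT) is available on the DC you run it from; the function names are mine.

```powershell
# Added example (not from the original article): pre-flight checks for the
# FRS to DFSR SYSVOL migration, then a helper that polls dfsrmig until every
# DC reports the requested global state. Run in an elevated PowerShell on an
# existing DC with the ActiveDirectory module (RSAT) available.
Import-Module ActiveDirectory

function Test-DfsrMigrationPrereqs {
    # Every DC must be Server 2008 or newer, and both functional levels must be
    # at least Windows Server 2008, before dfsrmig is touched.
    $dcs    = @(Get-ADDomainController -Filter *)
    $tooOld = @($dcs | Where-Object { $_.OperatingSystem -match 'Server 2000|Server 2003' })
    $domainMode = [string](Get-ADDomain).DomainMode     # e.g. Windows2008Domain
    $forestMode = [string](Get-ADForest).ForestMode     # e.g. Windows2008Forest
    $levelsOk   = ($domainMode -notmatch '2000|2003') -and ($forestMode -notmatch '2000|2003')

    [pscustomobject]@{
        DomainControllers = $dcs.Count
        OldDCs            = @($tooOld | ForEach-Object HostName)
        DomainMode        = $domainMode
        ForestMode        = $forestMode
        Ready             = ($tooOld.Count -eq 0) -and $levelsOk
    }
}

# Global state names as dfsrmig prints them; indexes match /setglobalstate 0..3.
$script:DfsrStateNames = 'Start', 'Prepared', 'Redirected', 'Eliminated'

function Wait-DfsrMigrationState {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 3)][int]$TargetState,
        [int]$PollSeconds    = 30,
        [int]$TimeoutMinutes = 60
    )
    $wanted   = $script:DfsrStateNames[$TargetState]
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $migration = (& dfsrmig.exe /getmigrationstate) -join ' '
        $global    = (& dfsrmig.exe /getglobalstate)    -join ' '
        # dfsrmig reports a 'consistent state' once every DC has caught up with
        # the global state, and /getglobalstate echoes that state's name.
        if ($migration -match 'consistent state' -and $global -match $wanted) {
            Write-Host "All DCs have reached global state '$wanted'."
            return $true
        }
        Write-Host ("{0:T} waiting for '{1}'..." -f (Get-Date), $wanted)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Timed out after $TimeoutMinutes minutes waiting for '$wanted'; check AD replication."
    return $false
}

function Disable-LegacyFrsService {
    # Runs the article's Set-Service / Stop-Service pair on every DC at once.
    param([string[]]$ComputerName = @(Get-ADDomainController -Filter * | ForEach-Object HostName))
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-Service -Name ntfrs -StartupType Disabled
        Stop-Service -Name ntfrs -ErrorAction SilentlyContinue
        Get-Service -Name ntfrs | Select-Object Status, StartType   # PSComputerName is added by remoting
    }
}

# Typical run; stop if any Wait-DfsrMigrationState returns $false:
# Test-DfsrMigrationPrereqs
# dfsrmig /setglobalstate 1; Wait-DfsrMigrationState -TargetState 1
# dfsrmig /setglobalstate 2; Wait-DfsrMigrationState -TargetState 2
# dfsrmig /setglobalstate 3; Wait-DfsrMigrationState -TargetState 3
# Disable-LegacyFrsService
```

Only advance to the next global state when the wait function returns $true; moving to ‘Eliminated’ before every DC has caught up is what leaves SYSVOL inconsistent.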

Related Articles, References, Credits, or External Links

NA

Microsoft Edge on Server 2019/2016 (and Citrix)

KB ID 0001657

Problem

In a fit of lunacy Microsoft have called ‘their’ new browser Microsoft Edge, so we can spend the next few months confusing it with Edge. Plus every Google search for GPO settings, error messages etc will all now show search results for the old Edge Browser not the new Microsoft Edge browser! Perhaps the same doofus at Microsoft who called the Exchange sync Active Sync when Microsoft already had a product called Active Sync was involved?

Anyway I got a request from a client this week to have Microsoft Edge on their Citrix environment, there was some confusion (imagine that), because Edge does not work on server 2016, (and it’s not shipped as part of server 2016), but would Microsoft Edge work?

Installing Microsoft Edge on Server 2019/2016 (With IE11)

Why is Internet Explorer still alive? Anyway, if you want to install Edge on a modern Windows server, first ensure you are fully up to date with updates! Then open IE: Internet Options > Security > Custom > Scripting > Enable Active Scripting > OK > Yes > Apply > OK.

Then go to https://www.microsoft.com/en-us/edge/business and install it manually.

Microsoft Edge on Server 2019/2016

The first test was, ‘would it run on Server 2016’, it detected the OS as Windows 10 (unsurprisingly), and installed fine;

Microsoft Edge on Remote Desktop Services

Well, Citrix is really just Remote Desktop Services in a leather jacket, so the next test was ‘would it work in RDS?’ I spun up an RDS farm on the bench, and was pleased to see I could select Microsoft Edge as a RemoteApp (not that I needed to deploy it using RemoteApp, but it being detected was promising).

And in an RDS session it worked faultlessly.

Deploy Microsoft Edge on Citrix (Server 2016)

Here’s where we had a problem. It installed fine, but every time I went to open it all I got was a ‘white screen’ for about 5 minutes, after which it burst into life, which I couldn’t really ask the client to put up with!

As this was happening when I launched the browser, I ‘wrongly’ assumed it was a ‘first run’ problem. (For the uninitiated, previous Microsoft browsers put you through an annoying ‘how do you want to set the browser up’ routine, then finally dumped you on the MSN webpage; does anyone actually use the MSN webpage?) While it didn’t cure my problem, it’s worth mentioning how I stopped the first run dialog happening;

Controlling Microsoft Edge with Group Policies

If you are used to importing ADMX and ADML files then this will be a breeze to you. If you are really interested, I cover the subject in great detail in the following post;

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

Essentially, download the latest msedge.adml and msedgeupdate.adml files and (on a domain controller) copy them to;

[box]

C:\Windows\SYSVOL\{domain-name}\Policies\PolicyDefinitions\en-US

[/box]

Note: Other input locales are available; my servers are using English (US).

Then copy the msedge.admx and msedgeupdate.admx files to;

[box]

C:\Windows\SYSVOL\{domain-name}\Policies\PolicyDefinitions

[/box]
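The two copy steps above are easy to get the wrong way round (ADML into the locale folder, ADMX into the root), and GPMC silently ignores an ADMX whose ADML is missing. The following is an added example (not from the original article) that copies both pairs into the central store and refuses to run if any of the four files is missing from the download. It assumes the templates have been extracted to a folder you pass as -SourceFolder, and it uses the UNC form of the central store path rather than the local C:\Windows\SYSVOL path the article quotes; the function name is mine.

```powershell
# Added example (not from the original article): copy the Microsoft Edge
# policy templates into the domain's central PolicyDefinitions store.
# $SourceFolder (where you extracted the downloaded templates) and the UNC
# form of the central store path are assumptions.
function Copy-EdgeAdmxToCentralStore {
    param(
        [Parameter(Mandatory)][string]$SourceFolder,
        [string]$Locale = 'en-US',                 # the ADML language folder
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $store     = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $admxFiles = 'msedge.admx', 'msedgeupdate.admx'
    $admlFiles = 'msedge.adml', 'msedgeupdate.adml'

    # Locate each file once. The download ships one ADML per locale folder, so
    # the ADML lookup is restricted to the requested locale.
    $found = @{}
    foreach ($f in $admxFiles) {
        $found[$f] = Get-ChildItem -Path $SourceFolder -Recurse -Filter $f | Select-Object -First 1
    }
    foreach ($f in $admlFiles) {
        $found[$f] = Get-ChildItem -Path $SourceFolder -Recurse -Filter $f |
                     Where-Object { $_.Directory.Name -eq $Locale } | Select-Object -First 1
    }
    $missing = $found.Keys | Where-Object { -not $found[$_] }
    if ($missing) { throw "Missing from $SourceFolder : $($missing -join ', ')" }

    # Fail early above rather than half-populating the store; now copy.
    $localeDir = Join-Path $store $Locale
    if (-not (Test-Path $localeDir)) { New-Item -ItemType Directory -Path $localeDir | Out-Null }

    [string[]]$copied = @()
    foreach ($f in $admxFiles) {
        Copy-Item -Path $found[$f].FullName -Destination $store -Force
        $copied += Join-Path $store $f
    }
    foreach ($f in $admlFiles) {
        # ADML must sit in the matching locale folder or GPMC will not load the ADMX.
        Copy-Item -Path $found[$f].FullName -Destination $localeDir -Force
        $copied += Join-Path $localeDir $f
    }
    return $copied
}

# Usage (path is a placeholder):
# Copy-EdgeAdmxToCentralStore -SourceFolder 'C:\Temp\MicrosoftEdgePolicyTemplates'
```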

Microsoft Edge Stop ‘First Run’ With Group Policy

The two policies I used are both located at;

[box]

Computer configuration > Policies > Administrative Templates > Microsoft Edge

[/box]

Microsoft Edge: Stop Importing of Bookmarks/Favourites

Locate: ‘Automatically import another browser’s data and settings at first run’ > Enable the policy, and select ‘Disable automatic import and the import section of the first run experience is skipped’ > Apply > OK.

Microsoft Edge: First Run

This will disable the entire first run dialog;

Locate: ‘Hide the First-run experience and splash screen’ > Enable the policy > Apply > OK.

Then either wait or force a policy refresh.

Deploy Microsoft Edge on Citrix

As it was working in RDS and not on Citrix, the problem was probably Citrix*. Citrix is one of my weaker subjects, so credit for the actual fix should go to my colleague (Dan Brookes).

*After I had discounted existing group policies and other installed applications.

Running Microsoft Edge while it was ‘hanging’ and looking at what was going on in ‘Process Monitor’ showed a lot of hook64.dll entries;

This pointed to the culprit. Open the Registry Editor (regedit) and navigate to;

[box]

HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > CtxUvi

[/box]

Locate the UviProcessExcludes REG_SZ value, edit it and add ‘msedge.exe;’ to the end.

There’s probably a single service you can restart, but I simply rebooted the server (problem solved).
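Editing that value by hand on every Citrix VDA gets old quickly, and re-running a naive script appends msedge.exe a second time. The following is an added example (not from the original article): it appends the process to UviProcessExcludes only if it is not already listed, preserving the semicolon-separated format the driver expects. The key and value name are the ones the article gives; the function name is mine.

```powershell
# Added example (not from the original article): append msedge.exe to the
# Citrix UviProcessExcludes value only if it is not already listed, so
# re-running the script never duplicates the entry. Requires elevation.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CtxUvi'
$name = 'UviProcessExcludes'
$exe  = 'msedge.exe'

function Add-UviProcessExclude {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [string]$KeyPath   = $key,
        [string]$ValueName = $name
    )
    if (-not (Test-Path $KeyPath)) {
        throw "Key $KeyPath not found: is the Citrix VDA installed on this server?"
    }
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) { $current = '' }

    # The value is a semicolon-separated list; drop empty entries left by a
    # trailing semicolon before comparing.
    $entries = @($current -split ';' | Where-Object { $_ -ne '' })
    if ($entries -contains $ProcessName) {   # -contains is case-insensitive in PowerShell
        Write-Host "$ProcessName is already excluded; value left unchanged."
        return $current
    }

    # Rebuild the list and keep the trailing semicolon the article's edit uses.
    $new = (($entries + $ProcessName) -join ';') + ';'
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $new -Type String
    Write-Host "$ValueName is now: $new"
    return $new
}

Add-UviProcessExclude -ProcessName $exe
# The CtxUvi driver reads the list at start-up, so reboot afterwards (as the article did).
```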

FSLogix and Microsoft Edge

If you are running FSLogix you should also add an ‘exclusion’ to the Redirections.xml file, (located in your \\{domain-name}\NETLOGON folder).

[box]

<Exclude>AppData\Local\Microsoft\Edge Dev\User Data\Default\Cache</Exclude>

[/box]


Related Articles, References, Credits, or External Links

Microsoft Edge (macOS) Migrate Bookmarks from Safari

Free Certificate for IIS with Let’s Encrypt

KB ID 0001736

Problem

I’ve been aware of Let’s Encrypt for a while; they are a non-profit Certification Authority who will provide you with a free certificate, and you can use them for most things you want to secure with a digital certificate. The only reason I’ve never used them in the past is that their certificates have a short (3 month) lifespan, and I see enough things breaking when people forget to renew 12 month certificates! This site went down a couple of years ago because the certificate expired while I was on holiday in Las Vegas, and it was a pain to get fixed!

I’ve got some work coming up that requires me to have a publicly signed certificate, so I thought I’d give it a whirl, it was incredibly easy and painless.

  • Server OS (Server 2019 Standard build 1809)
  • IIS Version 10.0.17763.1

Free Certificate Prerequisites

Obviously you need a Windows server with the IIS role installed, and a website that you want to secure. It does not need to already have a certificate or have HTTPS configured; whether or not you have done that, it will all be reconfigured for you! In addition you need a publicly registered domain name (you’re on my website, so you know I have one of those), and finally a DNS host record (A record) that you will use to browse to the web server. This will be ‘stamped’ onto the certificate as the certificate common name (CN).

The website will need to be publicly accessible via TCP Port 443 (https) on the IP address you’ve set in public DNS.

To do all the heavy lifting you need a piece of software; the easiest (I’ve seen) is win-acme (at the time of writing the latest version is 2.1.14.996). You simply download it as a zip file.

Extract the contents of that zip file to a folder on your hard drive.

Apply For & Install the Free Certificate

Open an administrative command prompt > Navigate to the folder you just created > run wacs.exe

Press ‘n’ to create a certificate.

I’ve only got one website, you may be hosting multiple sites, select the appropriate number.

I’m replacing every binding (you can have multiple bindings per site, but I’ve never seen that myself) > It then shows the bindings it finds > Select ‘A’ for all.

Yes to continue > No (unless you want the EULA to open in a web window for you to read) > Yes to agree to the terms (without reading them, shame on you!) > Enter a contact email address.

The software will go and get your certificate, install it, and bind it to your website. If it fails at this point it’s usually because the name for the certificate does not match your public DNS name, or the firewall is stopping your traffic.

Force IIS to Use Let’s Encrypt Free Certificate

To force clients to use HTTPS and not HTTP, you will need to tick the option below (Require SSL);

If you take a look at your certificate you will see it’s got a three month lifespan, BUT you don’t have to worry about renewing it because…

Let’s Encrypt Free Certificate Auto Renewal

As well as getting your certificate, win-acme also created a scheduled task to check your certificate validity and renew it before it expires. Cool eh?
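A scheduled task only helps if it is still there and still succeeding, and a renewal that quietly stops failing is the classic way a 90-day certificate expires on you. The following is an added example (not from the original article): it reports how many days each IIS https binding’s certificate has left and confirms a win-acme task is registered and what its last result was. It assumes the WebAdministration module (installed with IIS), a ‘win-acme*’ task-name pattern and a 30-day warning threshold; the function names are mine.

```powershell
# Added example (not from the original article): report how long each IIS
# https binding's certificate has left and confirm the win-acme renewal task
# is still registered, so a renewal that has silently stopped is caught well
# before the 90-day certificate lapses. The 'win-acme*' task-name pattern and
# the 30-day threshold are assumptions.
Import-Module WebAdministration

function Get-IisCertificateStatus {
    param([int]$WarnDays = 30)
    foreach ($b in Get-WebBinding -Protocol https) {
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert  = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
                 Where-Object { $_.Thumbprint -eq $b.certificateHash }
        $daysLeft = if ($cert) { [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays) } else { $null }
        [pscustomobject]@{
            # ItemXPath looks like /system.applicationHost/sites/site[@name='Default Web Site' and @id='1']
            Site        = $b.ItemXPath -replace ".*@name='([^']+)'.*", '$1'
            Binding     = $b.bindingInformation        # IP:port:hostname
            Issuer      = if ($cert) { $cert.Issuer } else { '(certificate not found in store)' }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            DaysLeft    = $daysLeft
            NeedsAction = (-not $cert) -or ($daysLeft -lt $WarnDays)
        }
    }
}

function Test-WinAcmeRenewalTask {
    param([string]$TaskNamePattern = 'win-acme*')
    $task = Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskNamePattern } | Select-Object -First 1
    if (-not $task) {
        return [pscustomobject]@{ Found = $false; TaskName = $null; State = $null; LastResult = $null; LastRun = $null }
    }
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Found      = $true
        TaskName   = $task.TaskName
        State      = [string]$task.State           # Ready / Disabled / Running
        LastResult = $info.LastTaskResult          # 0 means the last run succeeded
        LastRun    = $info.LastRunTime
    }
}

Get-IisCertificateStatus | Format-Table -AutoSize
Test-WinAcmeRenewalTask
```

Run it from an elevated PowerShell on the web server; anything with NeedsAction set to True, a Found of False, or a non-zero LastResult wants looking at before the certificate runs out.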

Where Does Win-ACME Store its information

Good question, it took me a little while to find that out. Essentially, once run, it creates a new folder in %programdata% (that’s a hidden folder on the C: drive, usually) called win-acme; all your settings are in there, so if you make a mistake like entering the wrong email address, you can delete this folder and start again.

How To Remove Let’s Encrypt IIS Free Certificate & Settings

  1. Remove the certificate from IIS.
  2. Remove the win-acme folder from %Programdata%.
  3. Delete the scheduled update task from ‘Task Scheduler’.

Related Articles, References, Credits, or External Links

NA

Windows File Server Migration (Maintain Share & NTFS Permissions)

KB ID 0001201

Problem

When attempting a file server migration, why isn’t this better publicised? Did you know Microsoft have a set of Migration Tools, and one of them is for file servers? Traditionally I’d use RoboCopy or XCopy to migrate files and folders, and for ‘User Profiles’ I would normally back them up and restore them to the new server, because the file permissions on ‘correctly deployed’ user profiles mean you can’t open them.

How about a tool, that migrates all the files, folders and profiles while maintaining all the NTFS permissions, AND Share permissions!

Windows File Server Migration Tools

Source Server Pre-requisites

  • Server 2003: .NET 2.0 (with SP1), PowerShell 2.0, and 25MB free drive space.
  • Server 2008: PowerShell and 25MB free drive space.
  • Server 2008 R2 and newer: 25MB free drive space.
  • All: UDP port 7000 needs to be open, from source to the destination server.

File Server Migration Server 2008 to Server 2019

File Server Migration from Server 2003!

  • Source Server: Windows Server 2003 Standard x64 (x86 supported as well)
  • Destination Server: Windows Server 2012 R2 Datacenter

Source Server: Here you can see my user profiles, I’ll do the migration with them, as usually they are the most ‘challenging’.

You need to create a shared folder on the Source Server, I’ve just granted everyone full control, (this is just for the migration tools).

 

Destination Server: Open a PowerShell window and install the tools with the following command;

[box]

Install-WindowsFeature Migration -ComputerName {computer-name}

[/box]

Open an administrative command window > Now you need to deploy the migration tools to the share on the destination server; to do that use the following command;

[box]

cd C:\Windows\System32\ServerMigrationTools

SmigDeploy.exe /package /architecture amd64 /os WS03 /path \\{Destination-Server}\{folder-name}

[/box]

Note: For x86 (32 bit) source servers use x86 instead of amd64. WS03 (Windows Server 2003), WS08 (Windows Server 2008), WS08R2 (Windows Server 2008 R2), and WS12 (Windows Server 2012).

Source Server: Open the folder you created earlier and within it you will find another folder that has the tools in. Open an administrative command window and change to this directory > then execute the following command;

[box]

.\smigdeploy

[/box]

Another PowerShell window will open, leave it open, and return to the destination server.

Destination Server: Here I’ve created a folder that I’m going to migrate into.

Destination Server: Open a PowerShell window and issue the following two commands;

[box]

add-pssnapin microsoft.windows.servermanager.migration

Receive-SmigServerData

[/box]

You will be asked to provide a password, (use what you want, but remember it, you will need it in a minute).

You now have a five minute window to get the migration running, or you will need to re-issue the last command.

Source Server: Return to your open PowerShell Window, and issue the following command;

[box]

Send-SmigServerData -ComputerName {destination-computer-name} -SourcePath {path-to-source-folder} -DestinationPath {path-to-destination-folder} -include all -recurse

[/box]

Supply the password, then go and put your feet up.

Destination Server: You can watch progress here.

Profiles migrated! And permissions intact.

Don’t forget to change the profile path on the user object(s) in Active Directory.

If you have a lot you can do them in bulk by multi-selecting the users.
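Multi-selecting in Active Directory Users and Computers works, but it is a blunt instrument when only some users had profiles on the old server. The following is an added example (not from the original article): it finds every user whose profile path starts with the old server’s UNC prefix, rewrites just the server portion, and is a dry run unless you pass -Commit. Server names are placeholders and the function name is mine; it assumes the ActiveDirectory module.

```powershell
# Added example (not from the original article): bulk-rewrite the profile
# path of every user whose roaming profile lived on the old file server, the
# PowerShell equivalent of multi-selecting the users in ADUC. Server names are
# placeholders; nothing is written unless -Commit is supplied.
Import-Module ActiveDirectory

function Update-UserProfilePath {
    param(
        [Parameter(Mandatory)][string]$OldServer,
        [Parameter(Mandatory)][string]$NewServer,
        [switch]$Commit
    )
    # Match only paths that start with \\OldServer\ (case-insensitive), not any
    # path that merely contains the name somewhere.
    $pattern = '^\\\\' + [regex]::Escape($OldServer) + '\\'
    $users = Get-ADUser -Filter 'ProfilePath -like "*"' -Properties ProfilePath |
             Where-Object { $_.ProfilePath -match $pattern }

    foreach ($u in $users) {
        # Only the server part changes; the share and folder names stay as they were.
        $newPath = $u.ProfilePath -replace $pattern, "\\$NewServer\"
        if ($Commit) {
            Set-ADUser -Identity $u -ProfilePath $newPath
        }
        [pscustomobject]@{
            User    = $u.SamAccountName
            OldPath = $u.ProfilePath
            NewPath = $newPath
            Applied = [bool]$Commit
        }
    }
}

# Dry run first and check the table, then apply:
# Update-UserProfilePath -OldServer OLD-FS01 -NewServer NEW-FS01 | Format-Table -AutoSize
# Update-UserProfilePath -OldServer OLD-FS01 -NewServer NEW-FS01 -Commit
```

The same pattern works for HomeDirectory if your home folders moved with the profiles; swap the property name in the filter and in Set-ADUser.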

 

Related Articles, References, Credits, or External Links

XCOPY – Insufficient Memory

Migrating – Folders and Share Permissions

EVE-NG: Create Windows Server 2019 VM

KB ID Article 

Problem

I’ve had a Windows 2012 R2 server image that I’ve been using in EVE-NG forever. This week it bit the dust, so I thought, can I deploy a shiny new 2019 server?

EVE-NG Windows Virtual Machines

Yes! In fact the deployment procedure is the same for 2019 as it was for earlier versions of Windows server. First log onto your EVE-NG host and create the folder;

[box]

mkdir /opt/unetlab/addons/qemu/winserver-2019/

[/box]

Then ‘upload’ a copy of the Windows Server 2019 installation iso into that folder with WinSCP or FileZilla.

Now rename the ISO image file to cdrom.iso, then create a new (empty) hard drive file that we will install Windows onto. (Note: below I’m setting it to 60GB in size.)

[box]

mv en_windows_server_2019_updated_nov_2020_x64_dvd_860005f.iso cdrom.iso
/opt/qemu/bin/qemu-img create -f qcow2 virtioa.qcow2 60G

[/box]

In EVE-NG create a new Lab and add in your Windows 2019 Server, then power it on.

It won’t find the hard drive because it has not got the controller driver; click ‘Load Driver’.

Navigate to B:\Storage\2003R2\amd64 > OK > Next > It will detect and load the ‘Red Hat Virtio’ driver and install Windows. Once done, shut the Windows server down.

WARNING: If you intend to deploy multiple copies of the server OS into a single EVE-NG lab, run ‘Sysprep’ on the server image (select ‘Generalize’ and Shutdown), THEN commit the image once it has shut down.

Now you need to ‘commit’ that image (so all new VMs will be created from that image). I’ve written about this before, see the following link;

EVE-NG: Committing / Saving Qemu Virtual Machine Settings

But essentially get the ‘Pod Number’ from user management, and the Lab ID from Lab details.

Get the Node ID from the virtual machine, and execute the following command;

[box]

cd /opt/unetlab/tmp/POD-Number/Lab-ID/Node-Number/
e.g.
cd /opt/unetlab/tmp/1/b56699c-31b5-4399-af2e-697eab12981d/2/

[/box]

Lastly, don’t forget to tidy up and delete the ISO image now you no longer need it.

[box]

cd /opt/unetlab/addons/qemu/winserver-2019
rm -f cdrom.iso

[/box]

Related Articles, References, Credits, or External Links

NA

Windows Server 2019 (&2016): Enable Flash

KB ID 0001484

Problem

Back in server 2012 this was an easy fix;

Windows Server 2012 – Enable Flash

However try and do that on Server 2019 or 2016 and this happens;

[box]

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\administrator.PNL> Install-WindowsFeature Desktop-Experience

Install-WindowsFeature : ArgumentNotValid: The role, role service, or feature name is not valid: ‘Desktop-Experience’.
The name was not found.
At line:1 char:1
+ Install-WindowsFeature Desktop-Experience
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Desktop-Experience:String) [Install-WindowsFeature], Exception
+ FullyQualifiedErrorId : NameDoesNotExist,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand

Success Restart Needed Exit Code Feature Result
——- ————– ——— ————–
False No InvalidArgs {}

PS C:\Users\administrator.PNL>

[/box]

Solution

Note: You need Server Datacenter version to do this.

If you go to the Flash website it (wrongly) thinks you are using Windows 10 (well, it’s the same code, I’ll let them off), and it also says “it’s already installed, just enable it”, but it’s not there?

You need to install it with the following command;

Server 2019

[box]dism /online /add-package /packagepath:"C:\Windows\servicing\Packages\Adobe-Flash-For-Windows-Package~31bf3856ad364e35~amd64~~10.0.17763.1.mum"[/box]

Server 2016

[box]dism /online /add-package /packagepath:"C:\Windows\servicing\Packages\Adobe-Flash-For-Windows-Package~31bf3856ad364e35~amd64~~10.0.14393.0.mum"[/box]

You will then need to reboot!

Post reboot, you will see Windows Server will now download updates for Flash, and it’s enabled.

Related Articles, References, Credits, or External Links

NA

Windows Server – Schedule a Reboot

KB ID 0001321 

Problem

Back in the day we just used the ‘At’ command to schedule a reboot, but starting with Server 2012 that was stopped! If you try it now you will see the following;

The AT command has been deprecated. Please use schtasks.exe instead

Solution (The Quick Way)

Execute the following command (change the time and date accordingly);

[box]

schtasks /create /tn "Scheduled Reboot" /tr "shutdown /r /t 0" /sc once /st 12:20:00 /sd 02/03/2020 /ru "System"

[/box]

Solution (The Long Way)

Launch Task Scheduler.

Create Basic Task.

Give the task a name, (and optionally a description) > Next > One time > Next > Enter the date and time for the reboot to occur > Next.

Start a program > Next > Program/Script = PowerShell > Add Arguments = Restart-Computer -Force > Next > Finish.
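Both routes above produce the same thing: a one-time task running as SYSTEM that calls shutdown. The following is an added example (not from the original article) that registers it through the ScheduledTasks module instead, refuses a time that has already passed, deliberately does not enable ‘run as soon as possible after a missed start’ (so a server that was off at the scheduled time does not reboot the moment it comes back), and returns the task with its next run time so you can confirm it took. The function name is mine; the date in the usage line assumes the article’s /sd value is 2 March 2020.

```powershell
# Added example (not from the original article): the same one-off reboot
# registered through the ScheduledTasks module. It runs as SYSTEM, refuses a
# time in the past and returns the registered task so you can confirm it.
function New-OneOffRebootTask {
    param(
        [Parameter(Mandatory)][datetime]$At,
        [string]$TaskName  = 'Scheduled Reboot',
        [int]$GraceSeconds = 0       # shutdown /t value; give users warning if > 0
    )
    if ($At -le (Get-Date)) { throw "Reboot time $At is already in the past." }

    # shutdown.exe rather than PowerShell keeps the task free of execution-policy quirks.
    $action    = New-ScheduledTaskAction -Execute 'shutdown.exe' `
                     -Argument "/r /t $GraceSeconds /c `"Scheduled reboot ($TaskName)`""
    $trigger   = New-ScheduledTaskTrigger -Once -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # Deliberately NOT -StartWhenAvailable: a missed window must not become a surprise reboot.
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null

    # Return what was actually registered, including when it will fire.
    Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State,
        @{ n = 'NextRun'; e = { ($_ | Get-ScheduledTaskInfo).NextRunTime } }
}

# Same moment as the schtasks one-liner above (assuming dd/mm/yyyy for /sd):
# New-OneOffRebootTask -At (Get-Date '2020-03-02 12:20')
```

Remove it afterwards with Unregister-ScheduledTask -TaskName 'Scheduled Reboot' -Confirm:$false if you do not want a stale one-shot task lingering in the library.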

Related Articles, References, Credits, or External Links

NA

Adding Windows Server NFS Shares to VMware ESX

KB ID 0000319

Problem

You have a Windows 2019/2016, 2012, or 2008 server with plenty of storage space, and you would like to present that to an ESX/ESXi server as a datastore. You can configure a folder (or drive) as an NFS share and present it to VMware vSphere, so that it can be used as a datastore.

Note: For Server 2008 and vSphere 4/5, scroll down.

Create NFS Shares on Windows Server 2019, 2016, and 2012

Essentially you need to add the ‘Server for NFS’ role (below ‘File and Storage Services’).

Create a folder to share, on its properties > NFS Sharing > Manage NFS Sharing.

Tick to share > Permissions.

You can add each host individually here, but I’m just changing the default rule to allow Read/Write to ALL MACHINES > Tick ‘Allow root access’ > OK.
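The GUI steps above grant Read/Write and root access to ALL MACHINES, which is quick but means any host that can reach TCP 2049 can mount the datastore. The following is an added example (not from the original article) that creates the same share with the NFS cmdlets, but with no default access and an explicit read/write-plus-root grant per ESXi host, then checks the server is actually listening on 2049. Path, share name and host addresses are placeholders; the function name is mine. It assumes the Server for NFS role can be installed from this session.

```powershell
# Added example (not from the original article): create the NFS share for a
# vSphere datastore with the NFS cmdlets instead of the GUI, granting
# read/write plus root access only to the listed ESXi hosts rather than to
# ALL MACHINES. Path, share name and host addresses are placeholders.
function New-EsxiNfsShare {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string[]]$EsxiHosts   # IPs or resolvable names of the ESXi hosts
    )
    if (-not (Get-WindowsFeature -Name FS-NFS-Service).Installed) {
        Install-WindowsFeature -Name FS-NFS-Service -IncludeManagementTools | Out-Null
    }
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # ESXi mounts NFS v3 with AUTH_SYS; create the share with no default access
    # so only the explicit host grants below apply.
    New-NfsShare -Name $ShareName -Path $Path -Authentication sys -Permission no -AllowRootAccess $false | Out-Null
    foreach ($h in $EsxiHosts) {
        # Root access is required: the vmkernel mounts and writes as uid 0.
        Grant-NfsSharePermission -Name $ShareName -ClientName $h -ClientType host `
            -Permission readwrite -AllowRootAccess $true
    }

    # TCP 2049 must be reachable from the ESXi hosts (see the gotchas below);
    # at least confirm this server is listening on it.
    $listening = [bool](Get-NetTCPConnection -LocalPort 2049 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Share       = $ShareName
        MountPath   = "/$ShareName"        # vSphere wants the leading slash, and it is case-sensitive
        Permissions = Get-NfsSharePermission -Name $ShareName
        Nfs2049Open = $listening
    }
}

# New-EsxiNfsShare -Path 'D:\NFS\VMStore' -ShareName 'VMStore' -EsxiHosts '192.168.10.21', '192.168.10.22'
```

Use the returned MountPath as the folder name in the vSphere New Datastore wizard; if a host is later added to the cluster, a further Grant-NfsSharePermission call for it is all that is needed.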

VMware vSphere 6 Connecting to Windows NFS Shares

Make sure you have a VMkernel port on the same network as your NFS share.

DataStore View > Right click the ‘Cluster‘ > Storage > New Datastore > NFS > Next > NFS 3 > Next.

Give the datastore a name > Select the share name (prefix it with a forward slash, and remember they are case sensitive!) > Enter the IP or FQDN of the NFS server > Next > Next > Finish.

Create NFS Shares on Windows Server 2008

Gotchas

1. The system will not work if you do not have a VMkernel port; if you already have iSCSI or vMotion working then this will already be in place.

If not you will see an error like this,

Call “HostDatastoreSystem.CreateNasDatastore” for object “ha-datastoresystem” on ESX “{name or IP of ESX server}” failed.

2. Make sure TCP port 2049 is open between the NFS share and the ESX box. On ESX 3.x servers you may need to run ‘esxcfg-firewall -e nfsClient’.

Other Points

1. You CAN boot a Windows VM from any NFS store (just because Windows cannot boot from NFS does not mean a VM can’t).

2. NFS Datastores are limited to 16TB.

3. vSphere supports up to 64 NFS Datastores (ESX supports up to 32).

4. Thin provisioned disks will “re-expand” when moved/cloned to another NFS Datastore (THOUGH NOT in a vSphere environment).

5. On Server 2008 R2 NFS can only support 16 TCP connections, to raise the limit see here.

Related Articles, References, Credits, or External Links

NA

Adding a Windows Server 2019/2016 Domain Controller

KB ID 0001262

Problem

Once upon a time, adding a domain controller that was running a newer version of the Windows Server family involved opening a command line and doing schema prep, GP prep, etc. Now all this happens in the background when adding a 2019 domain controller, and the wizard does the heavy lifting for you.

Solution

2008 to 2019 Domain Controller

2008 to 2016 Domain Controller

Obviously the server needs to be a domain member first!

  • For Server 2019 Forest and Domain Functional levels need to be at ‘Windows Server 2008‘. (The documentation says 2008 R2, but Server 2008 also works flawlessly).
  • For Server 2016 Forest and Domain Functional levels need to be at ‘Windows Server 2003‘.

Before You Start!

Remember if your ‘retiring’ domain controller is also a DNS/DHCP server you will also need to address that, and make sure you don’t have a service or device that queries the old domain controller directly (Radius Devices, Firewalls, RSA Appliances, Proxy Filters, Security door software, etc).

Procedure: Deploy a 2019 Domain Controller

With a vanilla install Server Manager will open every time you boot (unless you’ve disabled it!). To open it manually, run ‘servermanager.exe’ > Manage > Add Roles and Features.

I usually tick the ‘Skip this page by default’ option > Next.

Role Based… > Next.

Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.

Select Active Directory Domain Services > Next.

Next.

Next.

Ensure ‘Restart’ is selected > Next.

Next.

Promote Windows Server To Domain Controller

Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.

Assuming you already have a domain, and this is not a greenfield Install > Add a domain controller to an existing domain > Next.

Type and confirm a Directory Services Restore Mode (DSRM) password; make it something you will remember in a crisis, or store it securely somewhere > Next.

This is fine. You see this error because it’s trying to create a delegation for this DNS zone, and there isn’t a Windows server above you in the DNS hierarchy. For example, if your domain name is petelnetlive.co.uk, then I do not have access to create a delegation in the .co domain space (so you can safely ignore it) > Next.

If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directory over a ‘pants’ connection. I’ve not had to do that in a long time > Next.

Unless you want to change the default AD install locations > Next.

Next.

Read any warnings > Install.

Go have a coffee. We ticked ‘reboot’ earlier, so it will complete, then reboot the server, which will come back up as a domain controller.

You will notice, (if you’re interested,) that your schema version is now 88 (Server 2019), or 87 (Server 2016).
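The following is an added example (not from the original article) that reads the schema objectVersion the paragraph above refers to and maps it to the Windows Server release that set it, then does the same against every DC so you can see whether the schema change has replicated everywhere. 87 and 88 are the values the article quotes; the earlier numbers in the table are the well-known published ones. It assumes the ActiveDirectory module; the function names are mine.

```powershell
# Added example (not from the original article): read the schema objectVersion
# and map it to the Windows Server release that set it. 87 and 88 are the
# values the article quotes; the earlier numbers are the well-known ones.
Import-Module ActiveDirectory

function Get-AdSchemaVersion {
    param([string]$Server)   # optional: query a specific DC instead of the default
    $p = @{}
    if ($Server) { $p.Server = $Server }

    $rootDse = Get-ADRootDSE @p
    $version = [int](Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion @p).objectVersion

    $releases = @{
        13 = 'Windows 2000 Server';    30 = 'Windows Server 2003';    31 = 'Windows Server 2003 R2'
        44 = 'Windows Server 2008';    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
        69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016';    88 = 'Windows Server 2019'
    }
    [pscustomobject]@{
        SchemaNamingContext = $rootDse.schemaNamingContext
        ObjectVersion       = $version
        Release             = if ($releases.ContainsKey($version)) { $releases[$version] } else { 'Unknown (newer than this table)' }
    }
}

function Compare-AdSchemaVersionAcrossDCs {
    # Every DC should report the same number once replication has completed;
    # a DC still showing the old value has not received the schema update yet.
    Get-ADDomainController -Filter * | ForEach-Object {
        $v = Get-AdSchemaVersion -Server $_.HostName
        [pscustomobject]@{ DC = $_.HostName; ObjectVersion = $v.ObjectVersion; Release = $v.Release }
    }
}

Get-AdSchemaVersion
Compare-AdSchemaVersionAcrossDCs | Format-Table -AutoSize
```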


Find out your Domain Schema Version

Related Articles, References, Credits, or External Links

NA

VMware Horizon: ‘VM With Unsupported Guest OS’

KB ID 0001592

Problem

Seen when attempting to deploy Windows Server 2016 as an ‘Image’ (Parent VM) with VMware Horizon View.

‘VM With Unsupported Guest OS’

I double checked, and Server 2016 (Standard and DataCenter) were supported, as was Server 2019 (Standard and DataCenter.) The image also had a new version of the VMware Horizon View agent installed in it?

Solution

In my case this was an embarrassingly easy fix, previously I’d deployed Windows 7, 8, and 10 with Horizon View, this was the first time I’d ever deployed a server OS as a VDI image, (With Windows Server Datacenter, this works out cheaper, licensing wise).

By Default: VMware Horizon View does not allow server operating systems, (even though they are supported.) You just need to enable the feature! Launch Horizon Administrator, View Configuration > Global Settings > Edit > Tick ‘Enable Windows Server Desktops‘ > OK.

Doh! That cost me two hours, (hope it saved you some time).

Related Articles, References, Credits, or External Links

NA