Upgrading from Evaluation to Standard on a Domain Controller – Windows Server 2012 R2

Very interesting scenario. We used the 2012 R2 Evaluation copy when it came out, and 6 months later it was just about to expire and the machine would shut down every 1 hour. While finding out how to convert from Evaluation to Standard/Datacenter I quickly got overwhelmed by the “You cannot convert domain controllers” message. Since my server was a DC, and my only DC, I had to play a bit in order to achieve the conversion.

First I install a virtual machine with a normal Standard 2012 R2. I install AD and promote it to a DC. I confirm that AD has replicated to DC2 and then I demote the original server. Before I demote it I make sure that I transfer all the master roles to DC2. Once all is done and the server DC1 is demoted I run the command to convert from the Eval to the Standard copy. After the reboot the command has run successfully. Then I promote DC1 to domain controller again, I move all the master roles back to it, I demote DC2, remove it from the domain, delete it from AD, and the migration is completed successfully.

So in this “conversion” video we have the chance to actually experience demoting and promoting of domain controllers and the transfer of master operational roles. Enjoy.

Here are all the articles you may need in the process :

http://technet.microsoft.com/en-us/library/cc778806%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/cc755885%28WS.10%29.aspx

https://www.google.bg/search?q=netlogon.dns&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=sb&gfe_rd=cr&ei=AbagU7HUKsXc8geYzoGQCg

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_26902640.html

http://blogs.interfacett.com/how-to-demote-a-domain-controller-dc-in-windows-server-2012-active-directory-domain-services-ad-ds

http://support.microsoft.com/kb/296882

http://technet.microsoft.com/en-us/library/jj574204.aspx

And the video

VSS Writers with corresponding services

Each VSS writer corresponds to a service. Instead of rebooting the whole server when we need to register VSS writers or get one out of the Failed state, we can restart only the relevant service. I haven’t seen a complete list so far, so we will add them one by one:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb968827%28v=vs.85%29.aspx#system_writer

VSS Writer | Service Name | Service Display Name
ASR Writer | VSS | Volume Shadow Copy
BITS Writer | BITS | Background Intelligent Transfer Service
COM+ REGDB Writer | VSS | Volume Shadow Copy
IIS Config Writer | AppHostSvc | Application Host Helper Service
IIS Metabase Writer | IISADMIN | IIS Admin Service
Microsoft Exchange Writer | MSExchangeIS | Microsoft Exchange Information Store
Microsoft Hyper-V VSS Writer | vmms | Hyper-V Virtual Machine Management
Registry Writer | VSS | Volume Shadow Copy
Shadow Copy Optimization Writer | VSS | Volume Shadow Copy
System Writer | CryptSvc | Cryptographic Services
WMI Writer | Winmgmt | Windows Management Instrumentation
WIDW Writer | WIDWriter | Windows Internal Database
HYPER-V | VMMS | Hyper-V Virtual Machine Management Service
Data Deduplication Writer | DFSR | Distributed File System Replication
SPSearch4 VSS Writer | SPSearch4 | Sharepoint Foundation Search V4
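
The lookup described above can be scripted. This is an added example, not code from the original post: it parses `vssadmin list writers` output, reports every writer that is not Stable with "No error", and shows which service from the table would be restarted. The function name and the sample output are constructed for illustration.

```powershell
# Writer-to-service pairs copied from the table above.
$WriterService = @{
    'ASR Writer'                      = 'VSS'
    'BITS Writer'                     = 'BITS'
    'COM+ REGDB Writer'               = 'VSS'
    'IIS Config Writer'               = 'AppHostSvc'
    'IIS Metabase Writer'             = 'IISADMIN'
    'Microsoft Exchange Writer'       = 'MSExchangeIS'
    'Microsoft Hyper-V VSS Writer'    = 'vmms'
    'Registry Writer'                 = 'VSS'
    'Shadow Copy Optimization Writer' = 'VSS'
    'System Writer'                   = 'CryptSvc'
    'WMI Writer'                      = 'Winmgmt'
    'WIDW Writer'                     = 'WIDWriter'
    'HYPER-V'                         = 'VMMS'
    'Data Deduplication Writer'       = 'DFSR'
    'SPSearch4 VSS Writer'            = 'SPSearch4'
}

# Return every writer that is not Stable / "No error", with its service.
function Get-UnhealthyVssWriter {
    param([Parameter(Mandatory)][string[]]$VssadminOutput)
    $name = $null; $state = $null
    foreach ($line in $VssadminOutput) {
        if ($line -match "^\s*Writer name:\s*'(.+)'") {
            $name = $Matches[1]; $state = $null
        } elseif ($line -match '^\s*State:\s*\[\d+\]\s*(.+?)\s*$') {
            $state = $Matches[1]
        } elseif ($name -and $line -match '^\s*Last error:\s*(.+?)\s*$') {
            $lastError = $Matches[1]
            if ($state -ne 'Stable' -or $lastError -ne 'No error') {
                [pscustomobject]@{
                    Writer = $name; State = $state; LastError = $lastError
                    Service = $WriterService[$name]   # $null when the writer is not in the table
                }
            }
            $name = $null
        }
    }
}

# Constructed sample in the vssadmin output layout (Writer Id lines omitted).
$sample = @"
Writer name: 'System Writer'
   State: [1] Stable
   Last error: No error

Writer name: 'WMI Writer'
   State: [7] Failed
   Last error: Timed out
"@ -split "`r?`n"

$failed = Get-UnhealthyVssWriter -VssadminOutput $sample
# Live use from an elevated prompt:
#   $failed = Get-UnhealthyVssWriter -VssadminOutput (vssadmin list writers)
$failed | Format-Table -AutoSize

# -WhatIf only prints what would be restarted; remove it to act.
$failed | Where-Object { $_.Service } | Select-Object -ExpandProperty Service -Unique |
    ForEach-Object { Restart-Service -Name $_ -WhatIf }
```

Services with dependent services need `-Force` on `Restart-Service`, and several entries in the table (MSExchangeIS, vmms) are production workloads, so review the `-WhatIf` output before removing the switch.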

Failed Security Audits 4625 HMWorker Exchange 2013

One of the first problems I encountered after installing Exchange 2013 on Windows Server 2012 (and R2) was that my security log grew to 200k events in just a few days: Event ID 4625, “Unknown user name or bad password”, coming from the health mailboxes, usually under the name of HealthMailbox4d14f344f…@domainname. The process producing it was “C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe”. The problem itself is a bit masked. On the client side you can barely notice any problems, but your Event Viewer is a different story. The problem indicates problems with your health mailboxes even without upgrading or migrating. It happens with new installs too. So searching the web I found the solutions, which at this point are very limited for such new technologies as Windows Server 2012 R2 and Exchange 2013.

I found the solution of re-creating your Health monitoring mailboxes to be working well for me. Here is how :

Open Exchange Management Shell as Administrator and type :

Get-Mailbox -monitoring | Get-MailboxStatistics

As you can see, the ItemCount is large. We will be removing these mailboxes, but we don’t have the full names displayed here. So we will run the same command and append “| fl” to it.

Get-Mailbox -monitoring | Get-MailboxStatistics | fl

Remove-Mailbox -Identity HealthMailbox4d14f344f6294c1fb8d3f45bf436452a and confirm Y.

Do this for the rest of the health monitoring mailboxes. Take their Identities from the “Get-Mailbox -monitoring | Get-MailboxStatistics | fl” command.

After you are done deleting them you will have to re-run the PrepareAD command from the Exchange setup.

Navigate your Exchange Shell to the bin directory of Exchange installation:

cd "C:\Program Files\Microsoft\Exchange Server\V15\bin"

Once there type

.\setup.exe /preparead /iacceptexchangeserverlicenseterms

Wait for the setup to finish and restart the Exchange Health Manager service.

net stop msexchangehm

net start msexchangehm

This should re-create your health mailboxes. Run the Get-Mailbox -monitoring | Get-MailboxStatistics to double check.
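
To confirm in the Security log that the flood has stopped, and to see which failed logons it was hiding, the 4625 events can be split by caller process. This is an added example, not code from the original post; the function names are hypothetical and the sample records are constructed. `TargetUserName`, `ProcessName` and `IpAddress` are the standard EventData fields of event 4625.

```powershell
# Flatten a Security 4625 record into the three fields used below.
function ConvertFrom-FailedLogonRecord {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TargetUser = $data['TargetUserName']
            Process    = $data['ProcessName']
            SourceIp   = $data['IpAddress']
        }
    }
}

# Count failures per (source, account, IP). "HealthMonitor" means the caller was
# MSExchangeHMWorker.exe and the account is a HealthMailbox; the rest is "Other".
function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][object[]]$Logon)
    $Logon | ForEach-Object {
        $isHm = $_.Process -like '*\MSExchangeHMWorker.exe' -and
                $_.TargetUser -like 'HealthMailbox*'
        [pscustomobject]@{
            Source     = if ($isHm) { 'HealthMonitor' } else { 'Other' }
            TargetUser = $_.TargetUser
            SourceIp   = $_.SourceIp
        }
    } | Group-Object Source, TargetUser, SourceIp | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count      = $_.Count
                Source     = $_.Group[0].Source
                TargetUser = $_.Group[0].TargetUser
                SourceIp   = $_.Group[0].SourceIp
            }
        }
}

# Constructed sample records (account names and addresses are placeholders).
$hmWorker = 'C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe'
$sample = @(
    [pscustomobject]@{ TargetUser = 'HealthMailboxEXAMPLE1@example.local'; Process = $hmWorker; SourceIp = '-' }
    [pscustomobject]@{ TargetUser = 'HealthMailboxEXAMPLE1@example.local'; Process = $hmWorker; SourceIp = '-' }
    [pscustomobject]@{ TargetUser = 'HealthMailboxEXAMPLE2@example.local'; Process = $hmWorker; SourceIp = '-' }
    [pscustomobject]@{ TargetUser = 'administrator'; Process = '-'; SourceIp = '192.0.2.44' }
)
Get-FailedLogonSummary -Logon $sample | Format-Table -AutoSize

# Live use on the Exchange server (elevated), last hour of the Security log:
#   $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
#       StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
#   Get-FailedLogonSummary -Logon @($records | ConvertFrom-FailedLogonRecord)
```

After the health mailboxes are re-created, the HealthMonitor rows should disappear from the live output; any remaining "Other" rows are failed logons that were previously buried in the noise.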

 

 

 

How to ping to a file and with a timestamp

Have you ever had the need to ping to a file but also know when the pings happened, so you can analyze the data better? Here is one example:

Open Notepad and input the following :

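@ECHO OFF
REM Append a timestamp and 10 ping results to ping.txt, then repeat until stopped with Ctrl+C.
:LOOPSTART
REM Write the current time to the log file and to the console.
echo %time% >> ping.txt
echo %time%
REM -n 10 sends 10 echo requests per round.
ping 172.17.10.11 -n 10 >> ping.txt
GOTO LOOPSTART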

Change the IP address to the desired one and also change the name of the output file if needed (currently it is ping.txt). It will be created in the directory from which you are running the batch file. Also note that the current batch file will do the ping infinitely. If you want to change that, remove the “-n”. The number 10 specifies how many pings it will do before timestamping and starting a new round.

Now save the Notepad file as ping.bat (or a different name) and run it. You can also download a sample batch file and edit it for your own needs.

The output should look like this:

16:00:15,91

Pinging 172.17.10.11 with 32 bytes of data:
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128

Ping statistics for 172.17.10.11:
Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
16:00:24,98

Pinging 172.17.10.11 with 32 bytes of data:
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128

Ping statistics for 172.17.10.11:
Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
16:00:34,01

Pinging 172.17.10.11 with 32 bytes of data:
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128
Reply from 172.17.10.11: bytes=32 time<1ms TTL=128

 

Moving or Deleting the SBS Monitoring database in SBS 2008

By default the SBS Monitoring database resides under

C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Data

which can grow to more than 4 GB in size. This can cause disk space problems on the server, and there is no particular need for it to be on the system drive. Here are the steps to move it to another partition.

Stop any backup you may be running in SBS 2008

  1. Now navigate to C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Data
  2. Open the SQL Server Management Studio Express and connect to the SBSMonitoring database: SERVER\SBSMONITORING
  3. Now we have a couple of options based on what we want to do
    1. If we want to flush the database and start with a clean one of a normal size, we can delete the SBSMonitoring.mdf and SBSMonitoring_Log.Ldf files. After they are deleted we need to replace them with the same database files, but emptied. You can download them from here. This is all you need to do and you can move to step 6.
    2. If we want to move the database to another partition and still use it, now that you have stopped both of the services mentioned above, move the SBSMonitoring.mdf and SBSMonitoring_Log.Ldf files to another partition.

Right click the database -> Tasks -> Detach. Click Ok to detach the database. If you receive this error:

Msg 3701, Level 16, State 1, ServerName\SBSMonitoring, Line 1
Cannot detach the database ‘SBSMonitoring’ because it is currently in use.

Go to Services again and restart the SQL ( SBSMONITORING ) service. Click Ok and the database should detach now. Right click the Databases folder now and click Attach. On Databases to attach : click Add and browse to the new location of the database. You can now proceed to step 6.

  6. Now go back and restart/start the SQL Server ( SBSMONITORING ) service and the Windows SBS Manager service.

Checks! You can always check whether the changes you just made are working. Generate a report, email it and see if everything works fine. If not, use the following guide.

http://blogs.technet.com/b/sbs/archive/2009/07/14/sbs-2008-console-may-take-too-long-to-display-alerts-and-security-statuses-display-not-available-or-crash.aspx

Setup mail relay in Exchange 2003/2007/2010

At some point in your IT lives you will find yourself in the position to configure mail relay, for a device or a server in your local network. Here’s how it’s done :

Exchange 2003 :

Exchange Console -> Administrative Groups -> first administrative group -> Servers -> Servername -> Protocols -> SMTP -> Right click Properties on the Default SMTP Virtual Server -> Access tab -> Relay. Click Add and insert the IP address of the device that you want to relay through your Exchange.

Exchange 2007/2010:

Not easy to guess if you don’t know – It is done through the use of a Receive Connector.

Go to Exchange Management Console -> Hub Transport -> Receive Connectors. Right click and choose New Receive Connector.

Choose an appropriate name for it. For intended use choose Custom.

For Local Network Settings, leave it as it is. Under Specify the FQDN, type in the Fully Qualified Domain Name of your server. Example: Exchangeserver.contoso.local

On the Remote Network Settings, delete the entry 0.0.0.0-255.255.255.255 and add your own. Input the IP address of the device that you want to relay through the Exchange server.

Click New. This will create the Connector, but our job is not yet done. Right click the Connector and go to Properties. On the Authentication tab choose Externally Secured. On the Permissions tab leave everything blank.

Open Exchange Shell and type the following command. The only change you need to make is to put the real Connector’s name between the quotes.

Get-ReceiveConnector -Identity "Connector's Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Depending on specifics around the relay you may need to specify Exchange Users as Permissions group.
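
A connector set up this way accepts mail for any recipient from every address in its Remote Network Settings, so it is worth checking that the default 0.0.0.0-255.255.255.255 entry really was removed. The following is an added example, not code from the original post: it measures how many IPv4 addresses each `RemoteIPRanges` entry covers and flags wide ones. The function names, the 16-address threshold and the sample connectors are assumptions made for illustration.

```powershell
# Convert a dotted IPv4 address to its 32-bit value.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    [Array]::Reverse($bytes)          # network order -> little-endian host order
    [BitConverter]::ToUInt32($bytes, 0)
}

# Number of addresses covered by one RemoteIPRanges entry, or nothing when the
# entry is not a plain IPv4 address, start-end range or CIDR block.
function Get-IPv4RangeSize ([string]$Range) {
    if ($Range -match '^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$') {
        $start, $end = $Matches[1], $Matches[2]
        return [double](ConvertTo-UInt32 $end) - [double](ConvertTo-UInt32 $start) + 1
    }
    if ($Range -match '^\d+\.\d+\.\d+\.\d+/(\d+)$') {
        return [math]::Pow(2, 32 - [int]$Matches[1])
    }
    if ($Range -match '^\d+\.\d+\.\d+\.\d+$') { return 1 }
}

# Emit one finding per range: OK, TooBroad, or Review (could not be measured).
function Test-RelayConnectorScope {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Connector,
        [double]$MaxAddresses = 16    # assumed threshold; adjust to your network
    )
    process {
        foreach ($r in $Connector.RemoteIPRanges) {
            $size = Get-IPv4RangeSize ([string]$r)
            $finding = if ($null -eq $size) { 'Review' }
                       elseif ($size -gt $MaxAddresses) { 'TooBroad' }
                       else { 'OK' }
            [pscustomobject]@{
                Connector = $Connector.Name
                Range     = [string]$r
                Addresses = $size
                Finding   = $finding
            }
        }
    }
}

# Constructed sample connectors (names and addresses are placeholders).
$sample = @(
    [pscustomobject]@{ Name = 'Relay-Scanner'; RemoteIPRanges = @('192.168.10.25') }
    [pscustomobject]@{ Name = 'Relay-Apps';    RemoteIPRanges = @('10.0.5.0/24') }
    [pscustomobject]@{ Name = 'Relay-Default'; RemoteIPRanges = @('0.0.0.0-255.255.255.255') }
)
$sample | Test-RelayConnectorScope | Format-Table -AutoSize

# Live use in the Exchange Management Shell:
#   Get-ReceiveConnector | Test-RelayConnectorScope
```

Any connector reported as TooBroad that also carries the ms-Exch-SMTP-Accept-Any-Recipient right for anonymous logon is an open relay for every host in that range.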

Can’t remove additional mailboxes in Outlook

Have you ever wondered why you can’t close your additional mailboxes in Outlook and get an error instead, only to find out that your Account Settings tab is empty?

Well there is still hope. There are two options. You can just re-create the Outlook profile and hope that this fixes it or you can choose to explore more options. One of these options is called Auto Mapping and is introduced in Exchange 2010 and 2013.

It automatically adds any mailboxes you have Full Access to directly into your Outlook client. This is designed to reduce the administrative time needed to give such access, especially for helpdesk teams, where a single click can provide Full Access but you still need to do a remote session to the customer’s computer and add the mailbox into their Outlook. This is for the customers that don’t know how to do it themselves, and believe me, 90% of them don’t.

However touching the automapping cannot be done through the GUI and would need Shell. Here is the command :

Add-MailboxPermission -Identity User1 -User "User2" -AccessRights FullAccess -InheritanceType All -AutoMapping:$false

where User 1 is the mailbox owner and User 2 is the user receiving the FullAccess rights to User1’s mailbox. -AutoMapping:$false or true turns off and on the automapping.

Don’t worry if you run the command for users that already have Full Access to their mailboxes, it will still run the command properly.

For those of you who want to go even further here are the registry keys responsible for the Outlook profiles. Always backup your registry before editing !

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Default

Cannot browse shares through a mobile phone/SMB

Have you ever had the problem of suddenly not being able to browse your Windows computer from your smart phone, using a file explorer like ES File Explorer?

The answer lies within the security settings of the computer rather than your phone. What affects the SMB connection to your computer is the Windows firewall, third party firewalls like Anti-Virus software firewalls, external firewalls, the nonpaged pool or the local security settings of your computer. Also keep in mind that the Windows services responsible for the SMB protocol are the “Server” service and the “Workstation” service.

Windows Services – First thing is to make sure that the Server and Workstation services are running. Click Start -> Run -> type services.msc. Once the window is up, navigate to the above services and make sure they are “Started”. If they are stopped, right-click them and start them. If the process of starting hangs, it means that you have a problem with the service. Reboot the computer and check if the service has started normally. If it doesn’t start on its own, or if it starts but at some point goes unresponsive, you will have to troubleshoot it. Search Google and use keywords like “Server/Workstation Service hanging” etc.

Windows Firewall – First thing you want to try is turning your Windows firewall off. If that doesn’t fix your problem and your computer is still unavailable from your smart phone through SMB, that means the problem might be somewhere else. For information, SMB uses TCP port 445. SMB via the NetBIOS API uses UDP 137 and 138 and TCP 137 and 139.

Third Party AV Firewalls – Every Anti Virus software has a “Real-time Protection” on its own. This is a firewall similar to the windows firewall and can many times be the cause of unsuccessful connections to the computer by many applications. Browse your AV and try to make a filter or exception rule for the SMB  protocol knowing its ports from above. Ultimately you can try turning it off for a brief moment just to confirm that it is the one blocking the SMB connections.

External Firewalls – External firewalls won’t be the problem if you are connecting to a VPN and  then browsing your shares at home or if you are already into the local network via your wireless connection. But if you use any other method to connect to your SMB shares the external firewall like a router might block the SMB connection. Perhaps looking at the router’s settings and port forward the SMB ports can help you.

Non Paged Pool in Windows 7 – You may notice not only that you cannot browse successfully through SMB, but also that your Computer Browser service starts and then, if you refresh your Services screen just 1 second later, has stopped again. Checking the System log in Event Viewer will reveal that every time you try, the following event is logged:

Source: srv
Event ID: 2017
Level: Error
The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Apparently you need to tell Windows that you want to use the machine as a file server and that it should allocate resources accordingly. Set the following registry key to '1':

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache

and set the following registry key to '3':

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Size

After making these changes and restarting it will take effect.

Local Security Settings – This has to be the most significant and the most hidden reason why your shares are unavailable. File explorers like ES File Explorer do not support encryption of the passwords sent over the network to authenticate the SMB connection. They send the password in plain text instead, which may conflict with the internal security settings of the computer.

Windows XP – Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Settings

Windows 7 – Click Start and type Local Security Policy. Open it.
Reboot the computer.

If for some reason you can’t do it with the above, it can also be done by editing the registry responsible for it –

– Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\parameters
– Set “EnablePlainTextPassword”=dword:00000001
How to easily create bootable USB or DVD

Creating a bootable USB or DVD has never been easier. There is a tool from Microsoft designed to do just that with minimum user knowledge.

It’s called Windows 7 USB DVD Download Tool and you can download it from here.

Once you download and install it there are only few steps ahead to create a bootable CD or a bootable USB flash drive.

After your installation is done, open the tool.
Choose the desired ISO image.

Choose the media you want to make bootable.

Let’s say you choose USB. The only thing left is to click Begin copying 🙂 and that’s it. It will copy over the image to your USB or DVD and make it bootable. Give it some time and if it stays on 95% for some time and you think something is wrong, just give it another 4-5 minutes and it will complete successfully 🙂 Be patient.

OR

if you want to create your own without this tool only using CMD and Diskpart – here is what you need to do

Run CMD

type diskpart

you now enter the Diskpart utility. What you type next is:

list disk (see which number is your flash drive. Let’s say it is Disk 3)

select disk 3

clean (deletes data from USB)

create part pri ( if it gives you error just skip this part )

select part 1

format fs=ntfs quick (formats it in NTFS)

active (this is the important part)

exit

Now mount your iso file and copy all the content to the flash drive. If you have a DVD do the same.

Your USB is bootable and ready!

Clear Cached Credentials in Windows

How to Clear Cached Credentials in Windows. Wonder where all the “Remember Password” ticks are going? They go to the Stored User Names and Passwords.

Open Command Prompt

Type rundll32.exe keymgr.dll, KRShowKeyMgr

This will bring the Stored User Names and Passwords. You will see all your saved credentials. You can view/edit/remove them and also Backup and Restore them in and from credential backup files ( .crd ). Clearing passwords is used in various troubleshooting scenarios for different software.

Here is a link of a problem with Microsoft Lync 2010 client that cannot present the option of specifying username and is resolved by clearing the cached credentials that Lync uses.

http://social.technet.microsoft.com/Forums/en-US/ocsclients/thread/87dd5c8a-9bfe-4b58-98bf-3782f451c14a