Tuesday 26 June 2018

Get List of All Sites & Subnets from AD Sites & Services

The script below lists all subnets, and the site each one belongs to, from AD Sites & Services.

# Requires the ActiveDirectory module (RSAT); run on a domain-joined machine.
Import-Module ActiveDirectory

$list = 'C:\temp\subnets.txt'                                # tab-separated output file
$nc   = ([adsi]'LDAP://RootDSE').ConfigurationNamingContext   # configuration partition of the forest
$base = "cn=subnets,cn=sites,$nc"                             # container that holds every subnet object
$fltr = '(objectClass=subnet)'

# Only the attributes the report needs; siteObject is the DN of the site the subnet is assigned to
Get-ADObject -LDAPFilter $fltr -SearchBase $base -SearchScope Subtree -Properties Location,Description,siteObject |
  Select-Object Name, Location, Description, @{n='Type';e={$_.objectClass}},
                @{n='Site';e={(Get-ADObject $_.siteObject).Name}} |
  Export-Csv $list -Delimiter "`t" -Encoding UTF8 -NoTypeInformation

Monday 27 November 2017

How to Copy\Mirror OU structure from one domain to another domain.

This is one of the regular tasks we have to perform during domain migration activities. So today we will learn how to copy\mirror the OU structure from one domain to another.

In my case, I used the "LDIFDE" command to export the OUs from the source domain and import them into the target domain.
1. Log in to a domain controller of the source domain with sufficient privileges (Domain Admin).
2. Execute the command below from an elevated command prompt:
ldifde -f c:\Temp\OUs.ldf -r "(objectClass=organizationalUnit)" -l objectClass,description

3. This command exports all OUs from the source domain and creates an LDF file named "OUs.ldf" in the directory C:\Temp.

4. Copy this file to a domain controller of the destination domain and edit it with Notepad, because the distinguished names must be changed to match the target domain.

5. Replace the distinguished name suffix of all OUs with the new domain's distinguished name.
   Example: replace the dc=testenv,dc=local entries with the new domain's DN, dc=testcorp,dc=local.

6. Remove the Domain Controllers OU entry from the LDF file; it exists by default in every domain and must not be imported again into the target domain.

7. The file is now ready. Run the command below from an elevated command prompt on a domain controller of the target domain:
   ldifde -i -f c:\Temp\OUs.ldf
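As an added example (not part of the original post), the PowerShell below does steps 5 and 6 for you: it rewrites the DN suffix in the exported LDF and drops the Domain Controllers OU record, so the file is ready for ldifde -i. The file names and the two DN suffixes are the placeholders from this post and are passed in as parameters.

```powershell
# Added example (not part of the original post): prepare the LDIFDE OU export for the target domain.
# Assumptions: the input file comes from the ldifde export above (one record per OU, records separated
# by blank lines) and the source/target DN suffixes are the placeholder values from this post.
param(
    [string]$InFile   = 'C:\Temp\OUs.ldf',
    [string]$OutFile  = 'C:\Temp\OUs-target.ldf',
    [string]$SourceDn = 'DC=testenv,DC=local',
    [string]$TargetDn = 'DC=testcorp,DC=local'
)

# LDIF folds long lines; a continuation line starts with a single space. Unfold them first so the
# DN suffix is always on one line before it is matched or replaced.
$ldif = (Get-Content -Path $InFile -Raw) -replace '\r?\n ', ''

# One record per OU, separated by blank lines
$records = $ldif -split '(?:\r?\n){2,}' | Where-Object { $_.Trim() -ne '' }

$kept    = New-Object System.Collections.Generic.List[string]
$skipped = 0
foreach ($rec in $records) {
    $dn = $rec -split '\r?\n' | Where-Object { $_ -match '^dn:' } | Select-Object -First 1
    if (-not $dn) { continue }

    # The Domain Controllers OU exists in every domain; importing it again would fail
    if ($dn -match '^dn:\s*OU=Domain Controllers,') { $skipped++; continue }

    # Every OU of the source domain ends in the source suffix; anything else needs a manual look
    if ($dn -notmatch ([regex]::Escape($SourceDn) + '\s*$')) {
        Write-Warning "DN does not end with $SourceDn, check it manually: $dn"
    }

    # Rewrite the source domain suffix everywhere in the record (-replace is case-insensitive)
    $kept.Add(($rec -replace [regex]::Escape($SourceDn), $TargetDn))
}

# Export order is parent-before-child, which the import needs; keep it unchanged
(($kept -join "`r`n`r`n") + "`r`n") | Set-Content -Path $OutFile
Write-Host "Wrote $($kept.Count) OU records to $OutFile (skipped $skipped Domain Controllers record)"
```

Review the warnings, if any, before running ldifde -i with the new file.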

Thanks,
Baji Nannam

Thursday 26 October 2017

Service Principal Name (SPN)

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

For Win32 services, a service installer specifies the logon account when an instance of the service is installed. The installer then composes the SPNs and writes them as a property of the account object in Active Directory Domain Services. If the logon account of a service instance changes, the SPNs must be re-registered under the new account.

Example: take SQL Server. The SQL services on the server run under a service account, and we register the SPN for that service account. (Sometimes SPNs are registered automatically, if the service account has been delegated Write servicePrincipalName on its own attributes.) This SPN is then used for Kerberos authentication.

Syntax to register SPNs for SQL

setspn -s MSSQLSvc/ServerFQDNName Domainname\ServiceAccount
setspn -s MSSQLSvc/ServerFQDNName:ServicePortNumber Domainname\ServiceAccount


List the SPNs registered to a service account

setspn -L Domainname\ServiceAccount

Steps to delegate the Write servicePrincipalName permission to a service account
1. Open the service account's properties using ADSIEDIT.MSC and go to the Security tab.
2. Click Advanced --> click Add. Click "Select a principal", type SELF and click OK. Leave the Type on "Allow" and change Applies to: to "Descendant User objects". Scroll down and check the box that says "Write servicePrincipalName".
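As an added example (not part of the original post), the PowerShell below shows the same SPN list that setspn -L prints for one account, and then checks the whole domain for any MSSQLSvc SPN that is registered on more than one account, because a duplicate SPN breaks Kerberos authentication to that service. The account name svc-sql is a placeholder and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not part of the original post): list the SPNs of a SQL service account and
# find duplicate MSSQLSvc SPNs in the domain. 'svc-sql' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$serviceAccount = 'svc-sql'

# 1. SPNs on the service account itself (same information as 'setspn -L')
$acct = Get-ADUser -Identity $serviceAccount -Properties servicePrincipalName
"SPNs registered to $serviceAccount :"
$acct.servicePrincipalName | ForEach-Object { "  $_" }

# 2. Every MSSQLSvc SPN in the domain, with the account that holds it
$holders = Get-ADObject -LDAPFilter '(servicePrincipalName=MSSQLSvc/*)' -Properties servicePrincipalName |
    ForEach-Object {
        $obj = $_
        $obj.servicePrincipalName |
            Where-Object { $_ -like 'MSSQLSvc/*' } |
            ForEach-Object { [pscustomobject]@{ SPN = $_; Account = $obj.Name } }
    }

# 3. An SPN that appears on two accounts makes the KDC unable to pick the right one
$dupes = $holders | Group-Object SPN | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    'Duplicate MSSQLSvc SPNs found (fix before expecting Kerberos to work):'
    $dupes | ForEach-Object { "  $($_.Name) -> $($_.Group.Account -join ', ')" }
} else {
    'No duplicate MSSQLSvc SPNs in the domain.'
}
```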

Sunday 10 July 2016

Windows Server 2008 R2 stuck in Recovery Mode

Today, I came across an issue where the server was stuck in Recovery mode and would not boot. It offered only 3 options:
1. System Image Recovery
2. Windows Memory Diagnostic
3. Command Prompt

Other than these options, I did not see any other window after the server powered on. I tried booting the server in Safe Mode, Last Known Good Configuration, and Command Prompt with Networking, but none of those options were shown.

Then I tried the methods below one by one.

Method 1:
===============
1. Put the Windows Server 2008 R2 installation disc into the disc drive, and then start the computer.
2. Press a key when the message "Press any key to boot from CD or DVD..." appears.
3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type sfc /scannow, and then press ENTER.

Method 2:
===============
1. Put the Windows Server 2008 R2 installation disc in the disc drive, and then start the computer.
2. Press any key when the message "Press any key to boot from CD or DVD..." appears.
3. Select a language, time, currency, and a keyboard or another input method. Then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec /RebuildBcd, and then press ENTER.

Method 3:
===============
1. Put the Windows Server 2008 R2 installation disc into the disc drive, and then start the computer.
2. Press a key when the message "Press any key to boot from CD or DVD..." appears.
3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type BOOTREC /FIXMBR, and then press ENTER.
8. Type BOOTREC /FIXBOOT, and then press ENTER.
9. Type Drive:\boot\Bootsect.exe /NT60 All, and then press ENTER.

Note: In this command, Drive is the drive where the Windows Server 2008 R2 installation media is located.

For me, the 3rd method worked and the server came back to the normal login page.

One more reference: https://arcserve.zendesk.com/hc/en-us/articles/202771725-System-boot-into-Windows-recovery-mode-after-BMR

Rebuild BCD settings

o   Boot from a Windows 2008 R2 SP1 CD, then enter the recovery mode console.

o   Run the commands below in order to reset the BCD:

Bootrec /fixmbr
Bootrec /fixboot
BCDBoot D:\Windows      (here D: is the system drive; use your own drive letter)
Bootrec /rebuildbcd
Bootsect /nt60 all /force
Thank You !!!

How to Check\Modify the listening port for Remote Desktop

By default, if you enable RDP on the server, it uses port 3389 to establish the connection. For security reasons, you may change this port number from the default to some other port.

Below are the steps :

1. Open the Registry Editor using the command: regedit
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
3. On the Edit menu, click Modify, and then click Decimal. Type the new port number, and then click OK.
4. Quit Registry Editor and restart the computer.

Error while joining a server to Domain "Not enough storage is available to complete this operation"

Today, I came across an error while joining a 2003 server to the domain. The error is:

Error message when you use a Windows Server 2003-based domain controller to join a Windows XP-based client computer to a domain: "Not enough storage is available to complete this operation"

There was no problem with connectivity to the domain controller, DNS, or the Domain Admin credentials. After some investigation, I followed the steps below to fix the error.

Cause : This problem occurs because the Kerberos token that is generated during authentication is more than the fixed maximum size. In the original release version of Microsoft Windows 2000, the default value of the MaxTokenSize registry entry was 8,000 bytes. In Windows 2000 with Service Pack 2 (SP2) and in later versions of Windows, the default value of the MaxTokenSize registry entry is 12,000 bytes.

To resolve this problem, increase the Kerberos token size. To do this, follow these steps on the client computer that logs the Kerberos event.

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Note: If the Parameters key is not present, create it. To do this, follow these steps:
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
On the Edit menu, point to New, and then click Key. Type Parameters, and then press ENTER.
On the Edit menu, point to New, and then click DWORD Value. Type MaxTokenSize, and then press ENTER.

3. On the Edit menu, click Modify.
4. In the Base area, click Decimal, type 65535 in the Value data box, and then click OK.

Note: The default value for the MaxTokenSize registry entry is a decimal value of 12,000. We recommend that you set this registry entry value to a decimal value of 65,535.

5. Exit Registry Editor.

6. Restart the computer.
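The same change as an added PowerShell example (not from the original post), to run from an elevated prompt on the affected client: it creates the Parameters key when it is missing, only raises the value (never lowers it), and reads it back so you can confirm what will apply after the reboot.

```powershell
# Added example (not part of the original post): set MaxTokenSize to 65535 on the client.
# Assumed to run elevated; the value takes effect only after a reboot.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$newSize = 65535

# The Parameters subkey does not exist by default; create it first if needed
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Read the current value; when the value is absent the OS uses its built-in default
$current = (Get-ItemProperty -Path $keyPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if ($null -eq $current) {
    Write-Host "MaxTokenSize not set (OS default applies, 12,000 per the post above)"
} else {
    Write-Host "Current MaxTokenSize: $current"
}

# Only raise the value; never shrink a size someone already increased
if ($null -eq $current -or $current -lt $newSize) {
    Set-ItemProperty -Path $keyPath -Name MaxTokenSize -Value $newSize -Type DWord
}

$after = (Get-ItemProperty -Path $keyPath -Name MaxTokenSize).MaxTokenSize
Write-Host "MaxTokenSize is now $after; restart the computer for it to take effect"
```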

Windows Activation Error "an unauthorized change was made to windows server 2008"

While logging in to one Windows 2008 server, I got the error message below and it would not allow me to log in to the server.

Windows 2008 shows an error window, "an unauthorized change was made to windows server 2008".
You will no longer receive notifications, including those about your license or activation.
Error No. 0xC004D401
The security processor reported a file mismatch error.

This server would not log in as Administrator. It shows the message up to "Preparing your desktop", and after that the same error appears again. From the error I can see that the issue is a Windows license\activation problem.

So I needed to verify the Windows licensing options on the server, but the server does not show any console other than the error page.

Then the steps below worked for me to get the server back to normal.

1) Click the option that launches an Internet Browser
2) Type: %windir%\system32 into the address field
3) Find the file cmd.exe
4) Right-click on cmd.exe and select Run as Administrator
5) Type: cscript %windir%\System32\slmgr.vbs /ilc %windir%\System32\licensing\ppdlic\Security-Licensing-SLC-ppdlic.xrm-ms
6) Hit the Enter key
7) Reboot the server. 

After executing these steps on the server, it came to the normal login console and allowed me to log in.

Thank You !!!