Usually, when we add a computer to a security group, we need to restart it in order for the computer to see that it is now a member of that group. To bypass this, we can delete the system’s Kerberos ticket and run GPUpdate.
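The trick above as an added example (not code from the original post): purge the Kerberos tickets of the SYSTEM logon session, re-run computer Group Policy, and confirm the new group is visible. Run it from an elevated PowerShell prompt on the member computer; the group name is a constructed sample.

```powershell
# Added example; not part of the original post. Refreshes a computer's group
# membership without a reboot by purging the SYSTEM logon session's Kerberos
# tickets and re-running computer Group Policy, then confirms that the group
# is now visible. Run from an elevated PowerShell prompt on the member computer.
# The group name passed in is a constructed sample.

function Refresh-ComputerGroupMembership {
    param(
        [Parameter(Mandatory)]
        [string] $ExpectedGroup      # e.g. 'CONTOSO\App-Servers'
    )

    # 0x3e7 is the logon-session id of the local SYSTEM account. Purging its
    # tickets makes the machine request a new TGT whose PAC carries the
    # current group list instead of the one cached since the last boot.
    klist -li 0x3e7 purge | Out-Null

    # Re-run computer policy; the policy query now uses the fresh ticket.
    gpupdate /target:computer /force | Out-Null

    # gpresult lists the security groups the computer account belongs to.
    $report = gpresult /r /scope computer 2>&1
    $hit    = $report | Select-String -SimpleMatch $ExpectedGroup

    if ($hit) {
        $note = 'Membership active without a reboot.'
    } else {
        $note = 'Group not in the computer token yet; the DC this machine authenticated to may not have received the change.'
    }

    [pscustomobject]@{
        Group   = $ExpectedGroup
        Visible = [bool]$hit
        Note    = $note
    }
}

Refresh-ComputerGroupMembership -ExpectedGroup 'CONTOSO\App-Servers'
```

If the group still does not show up, the usual cause is that the group change has not yet replicated to the domain controller the computer is talking to; the purge itself is harmless and can simply be repeated later.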
I came across this error during an Exchange deployment at one of the universities in Canada :). The EMC would not connect:
“The attempt to connect to http://server.domain.com/PowerShell using “Kerberos” authentication failed: connecting to remote server failed with the following error message : The WinRM client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled. For more information, see the about_Remote_Troubleshooting Help topic.”
There are some blog posts on the internet about how to fix the connectivity problem to the server, but none of them worked in my case.
In my situation, the EMC was pointing to a server that didn’t come back after a reboot (but that is another story). The EMC would connect fine to a different, working server.
As a workaround I added a “new” Exchange forest and managed to connect, but I wanted to actually fix the issue.
So, the solution is simple :).
The following list of tools and scripts can be useful if you need to do an Active Directory (AD) health check, or if you simply would like to know more about your network infrastructure.
Of course, this is not a full list, but I think these are the most important ones and … Feel free to send me an email or leave a comment if you know of an additional tool or script.
- Server documentation using SYDI-Server scripts
- MS Baseline Security Analyzer
- Performance analysis with the PAL tool (lets you script and start the counters)
| Tool | Purpose | Where to get it | Output | Notes / command |
|---|---|---|---|---|
| Active Directory Topology Diagrammer | Map out current AD topology, including domains, sites and OUs | Microsoft Downloads | Three Visio files | Requires Visio to be installed on the scanning computer. |
| Microsoft IT Environment Health Scanner | General health status of AD | Microsoft Downloads | HTML report | Running the scan requires the server subnets and the internal firewall IP address. |
| DNSLINT | Assess AD-integrated DNS | Windows Server Support Tools | HTML report | Dnslint /ad /s [ip address of DC] |
| DCDIAG | Diagnose domain controller health | Windows Server Support Tools | Text file | dcdiag /v /c /d /e /s:domain.net > c:\dcdiag.log |
| NETDIAG | Diagnose problems with network services | Windows Server Support Tools | Text file | netdiag.exe /v > c:\netdiag.log |
| REPADMIN | Examine site replication links | Windows Server Support Tools | Text file | repadmin.exe /showrepl [dc name] /verbose /all /intersite > c:\repl.txt (run separately for each DC) |
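As an added example (not from the original post), the DCDIAG and REPADMIN checks from the table can be run against every domain controller in one go, with one log per DC and a quick failure count so you know which log to open first. It assumes the RSAT ActiveDirectory module and the dcdiag/repadmin tools are present; the output folder is an arbitrary choice.

```powershell
# Added example, not from the original post: runs the DCDIAG and REPADMIN
# checks from the table against every domain controller, keeps one log per DC
# and counts failures so the noisiest log is found first.
# Assumes the RSAT ActiveDirectory module and dcdiag/repadmin are available;
# the output folder is an arbitrary choice.

function Invoke-ADHealthCollection {
    param(
        [string] $OutDir = 'C:\ADHealth',
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Domain-wide pass with the same switches as in the table (/e = every DC).
    $dcdiagLog = Join-Path $OutDir 'dcdiag.log'
    dcdiag /v /c /d /e "/s:$Domain" *> $dcdiagLog

    # The table notes that repadmin /showrepl has to be run separately for each DC.
    $results = foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
        $log = Join-Path $OutDir ('repl_{0}.txt' -f ($dc.HostName -replace '[^\w.-]', '_'))
        repadmin /showrepl $dc.HostName /verbose /all /intersite *> $log

        # An unhealthy replication link is reported as "Last attempt @ <time> failed, result <code>".
        $failed = (Select-String -Path $log -Pattern 'Last attempt .* failed' | Measure-Object).Count
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; FailedLinks = $failed; Log = $log }
    }

    # dcdiag marks each unhealthy test with "failed test <name>".
    $dcdiagFailures = (Select-String -Path $dcdiagLog -Pattern 'failed test' | Measure-Object).Count

    [pscustomobject]@{
        Domain         = $Domain
        DcdiagFailures = $dcdiagFailures
        DcdiagLog      = $dcdiagLog
        Replication    = $results
    }
}

Invoke-ADHealthCollection | Format-List
```

The counts are only a triage aid: a non-zero FailedLinks value tells you which repl_*.txt file to read, it does not replace reading it.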
Not a diagnostic tool, but also from Microsoft: the Security Compliance Manager helps to document and harden DCs by applying GPOs.
I’ve already mentioned many times that I disable IPv6 on almost all my servers and workstations.
These days I really don’t see a reason to have it enabled (maybe in the next few years, but not now).
Let’s see today how to disable or enable IPv6 via Group Policy (GPO)…
Jeff Guillet created the corresponding ADMX template: he wrote the attached ADMX and ADML files to enable the configuration of IPv6 using Group Policy.
Copy each file to the computer you will use to configure the policy.
IPv6Configuration.zip – This ZIP file contains both the ADMX and ADML files:
- IPv6Configuration.admx – Copy this file to %SYSTEMROOT%\PolicyDefinitions
- IPv6Configuration.adml – Copy this file to %SYSTEMROOT%\PolicyDefinitions\en-US (replace en-US with your language, as necessary)
Now log on to the computer and use the Group Policy Management Console (GPMC) to configure the IPv6 settings. The new policy is located under Computer Configuration > Policies > Administrative Templates > Network > IPv6 Configuration, as shown below:
Here, you can configure the following IPv6 settings:
- Enable all IPv6 components (Windows default)
- Disable all IPv6 components (the setting you probably want)
- Disable 6to4
- Disable ISATAP
- Disable Teredo
- Disable Teredo and 6to4
- Disable all tunnel interfaces
- Disable all LAN and PPP interfaces
- Disable all LAN, PPP and tunnel interfaces
- Prefer IPv4 over IPv6
Note that you must restart the computer for the configuration to go into effect.
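After the policy has applied and the machine has rebooted, you will want to confirm which of the settings above is actually in effect. The function below is an added example, not part of Jeff Guillet’s template or the original post: the template’s choices correspond to bits of the Tcpip6 “DisabledComponents” registry value, and the key path and bit meanings used here follow Microsoft’s documentation of that value (the page itself does not name it). -Expected lets you compare against the value your policy should set.

```powershell
# Added example, not part of Jeff Guillet's template or the original post.
# Reports which of the template's IPv6 settings is in effect on this machine by
# decoding the Tcpip6 "DisabledComponents" registry value. Key path and bit
# meanings follow Microsoft's documentation of that value, not the page.
# Note: gpupdate writes the value immediately, but it only takes effect after
# the reboot the post asks for, so MatchesPolicy means "value set", not "active".

function Get-IPv6PolicyState {
    param([int] $Expected = 0xFF)   # 0xFF = "Disable all IPv6 components"

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $raw = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $raw) { $raw = 0 }           # no value = Windows default, everything enabled

    # Only the low byte is meaningful; -band on int64 also copes with a 0xFFFFFFFF value.
    $bits = [int64]$raw -band 0xFF

    # The template's choices and the bits each one sets.
    $choices = [ordered]@{
        'Disable all IPv6 components'                = 0xFF
        'Disable all LAN, PPP and tunnel interfaces' = 0x11
        'Disable all LAN and PPP interfaces'         = 0x10
        'Disable all tunnel interfaces'              = 0x01
        'Disable Teredo and 6to4'                    = 0x0A
        'Disable 6to4'                               = 0x02
        'Disable ISATAP'                             = 0x04
        'Disable Teredo'                             = 0x08
        'Prefer IPv4 over IPv6'                      = 0x20
    }

    $active = @()
    if ($bits -eq 0xFF) {
        $active += 'Disable all IPv6 components'
    } else {
        # Report every named choice whose bits are all present in the value.
        foreach ($name in $choices.Keys) {
            $mask = $choices[$name]
            if ($mask -ne 0xFF -and ($bits -band $mask) -eq $mask) { $active += $name }
        }
    }
    if ($active.Count -eq 0) { $active += 'Enable all IPv6 components (Windows default)' }

    [pscustomobject]@{
        DisabledComponents = '0x{0:X2}' -f $bits
        ActiveSettings     = $active
        MatchesPolicy      = ($bits -eq ($Expected -band 0xFF))
    }
}

Get-IPv6PolicyState -Expected 0xFF
```

A value of 0x0A, for instance, is reported as “Disable Teredo and 6to4” together with the two single-tunnel entries it contains, which is the intended reading: every listed setting whose bits are present is in effect.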
From time to time it is necessary to upgrade or change server hardware. On average, companies change their server hardware every 3-5 years. And yes, this is where we can run into problems. Moving an installed Windows to the same physical computer is not a big deal, but moving an installed Windows to a different physical computer is sometimes not so easy. Let’s see how to do this using the standard NTBACKUP.
In this article I’ll show you how to create a system state backup on one computer and restore it to a different physical computer.
Before I start, let’s make sure that we are speaking the same language.
I’m going to use the terms “Source Computer” and “Destination Computer”.
The source computer is the OLD computer; on it you create the system state backup. The destination computer is the new computer, to which you will move your installed Windows.
One thing of the highest importance should be remembered: to make our life easy, the source and destination computers must use the same type of Hardware Abstraction Layer (HAL); otherwise you will have to fight with changing the HAL, but that is another story :). In this article we deal with servers that have the same HAL. Just for your knowledge, to figure out which HAL type each computer uses, follow these steps:
- Click Start, point to Settings, click Control Panel, and then click System.
- On the Hardware tab, click Device Manager, and then expand the Computer branch. The entry shown there corresponds to one of the following HAL files:
- ACPI multiprocessor computer = Halmacpi.dll
- ACPI uniprocessor computer = Halaacpi.dll
- Advanced Configuration and Power Interface (ACPI) computer = Halacpi.dll
- MPS multiprocessor computer = Halmps.dll
- MPS uniprocessor computer = Halapic.dll
- Standard computer = Hal.dll
- Compaq SystemPro multiprocessor or 100% compatible = Halsp.dll
The first step is to create a full system backup of the source computer. Use Windows Backup to back up the system drive, the system drive subfolders, and the system state. Before doing the backup, log on to the source computer using the Administrator account, and then stop all non-critical services and any services that you typically stop before you perform a backup. This may include any service that puts locks on files, such as antivirus, disk scanning, and indexing services. Verify that the TCP/IP start value is set to 1. This value is located in the following registry subkey:
The second part is to install the operating system on the destination computer. The source and destination computers must use identical operating system versions. For example, you cannot run Windows 2000 Advanced Server on the destination computer if the source computer ran Microsoft Windows 2000 Server. The best practice is to install Windows on the destination computer using the same installation media that was used to install the source computer. Additionally, the destination computer must use the same logical drive letter (%systemdrive%) and path (%systemroot%) as the source computer. Also, on the destination computer, use Disk Management to create, format, and assign drive letters to any additional volumes that may be required to hold a system state component. Make sure that all drive letters match those of the source computer. The volumes on the destination computer should be at least as large as the corresponding volumes on the source. For domain controllers, the locations of the Active Directory directory service database, the Active Directory log files, the FRS database, and the FRS log files must also be identical on the source and destination computers. For example, if the Active Directory database log files on the source computer were installed in C:\WINNT\NTDS, the destination computer must also use the C:\WINNT\NTDS path.
If the source server is a Windows 2000 computer, hotfix 810161 or Windows 2000 Service Pack 4 must be installed. These items must also be installed on the destination computer before you restore the backup. Windows Server 2003 and Windows XP do not have any hotfix or service pack level requirements for this kind of restore operation. If the source computer runs Windows Server 2003 SP1, please install Windows Server 2003 SP1 on the destination computer as well. If you do not, you will get the error noted below:
Error message when you restore a Windows Server 2003 Service Pack 1-based backup on a Windows Server 2003-based computer: Windows could not start because an error in the software.
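The requirements above (same OS version and service pack, same %systemdrive% and %systemroot%, matching drive letters with volumes at least as large, TCP/IP start value of 1, and identical NTDS paths on domain controllers) are easy to get wrong by hand, so here is an added example, not from the original article, that captures them on each machine and compares the two before the restore. The registry paths are the standard Tcpip and NTDS service keys as I know them (the page does not spell them out), the file paths are arbitrary, and it needs PowerShell 3.0 or later (on a 2003-era host, swap Get-CimInstance for Get-WmiObject).

```powershell
# Added example, not from the original article: collect the facts the article
# says must match between source and destination, then compare them.
# Registry paths are the standard Tcpip and NTDS service keys (my knowledge, not
# named on the page); file paths in the usage note are arbitrary.
# Needs PowerShell 3.0+ (use Get-WmiObject instead of Get-CimInstance on 2003-era hosts).

function Get-MigrationFacts {
    $os    = Get-CimInstance Win32_OperatingSystem
    $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip' -Name Start -ErrorAction SilentlyContinue
    $ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue

    # Fixed disks only: drive letter -> size in bytes.
    $volumes = @{}
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { $volumes[$_.DeviceID] = [int64]$_.Size }

    @{
        OSCaption    = $os.Caption
        ServicePack  = $os.CSDVersion
        SystemDrive  = $env:SystemDrive
        SystemRoot   = $env:SystemRoot
        TcpipStart   = $tcpip.Start                    # article: must be 1
        NtdsDatabase = $ntds.'DSA Database file'       # $null on a non-DC
        NtdsLogs     = $ntds.'Database log files path'
        Volumes      = $volumes
    }
}

function Compare-MigrationFacts {
    param($Source, $Destination)   # hashtables from Get-MigrationFacts (one may come via Import-Clixml)

    # These must be identical on both machines.
    $findings = foreach ($k in 'OSCaption', 'ServicePack', 'SystemDrive', 'SystemRoot', 'NtdsDatabase', 'NtdsLogs') {
        [pscustomobject]@{ Check = $k; Source = $Source[$k]; Destination = $Destination[$k]
                           Ok = ([string]$Source[$k] -eq [string]$Destination[$k]) }
    }
    # TCP/IP must be set to start (1) on the source before the backup is taken.
    $findings += [pscustomobject]@{ Check = 'TcpipStart'; Source = $Source['TcpipStart']; Destination = $Destination['TcpipStart']
                                    Ok = ($Source['TcpipStart'] -eq 1) }
    # Every source volume must exist on the destination under the same letter and be at least as large.
    foreach ($letter in $Source['Volumes'].Keys) {
        $srcSize = $Source['Volumes'][$letter]
        $dstSize = $Destination['Volumes'][$letter]
        $findings += [pscustomobject]@{ Check = "Volume $letter"; Source = $srcSize; Destination = $dstSize
                                        Ok = ($null -ne $dstSize -and $dstSize -ge $srcSize) }
    }
    $findings
}

# Usage (paths are arbitrary):
#   on the source:      Get-MigrationFacts | Export-Clixml C:\Backup\source-facts.xml
#   on the destination: Compare-MigrationFacts -Source (Import-Clixml C:\Backup\source-facts.xml) `
#                                              -Destination (Get-MigrationFacts) | Where-Object { -not $_.Ok }
```

Anything the comparison flags should be fixed before the system state restore, since a mismatch in drive letters or NTDS paths only shows up as a machine that will not boot afterwards.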
Now, on the destination computer, create a C:\Backup folder. Put a copy of the C:\Boot.ini file and the whole %systemroot%\Repair folder, including all of its subfolders, into the C:\Backup folder.
So far, so good. We can now start the restore process on our destination server (our new, freshly installed server). To restore the backup on the destination computer, follow these steps:
- Click Start, click Run, type ntbackup, and then click OK.
- On the Tools menu, click Options, click the Restore tab, and then click Always replace the file on my computer.
- Restore the system state from the backup that you performed on the source computer. Make sure that you select the option to restore to the original location.
After the restore operation is completed, DO NOT RESTART, instead, just follow these steps:
- Copy the Boot.ini file back from the C:\Backup folder that you created earlier. Copy the Repair folder and its subfolders from the C:\Backup folder to the %systemroot%\Repair folder.
- Reinstall the destination computer’s hard disk controller drivers.
- Verify that the source computer is turned off, disconnected from the network, or has been reinstalled by using a different computer name and IP address.
- Restart the new computer, and then verify that it is functioning correctly. Install / Update necessary hardware drivers.
I’ve tested this solution several times on Microsoft Windows Server 2003, Microsoft Windows 2000 Server and Microsoft Windows XP Professional, and it has always worked for me! I hope this article will help you as well :).