Force Hyper-V Resynchronization
Open PowerShell as Administrator and run the following (the positional argument is the name of the replicated VM, not the host):
Resume-VMReplication -VMName <VMName> -Resynchronize
Replicate Hyper-V between Workgroup servers
Enabling Hyper-V replication between two workgroup servers requires issuing self-signed certificates with makecert.exe and setting a registry key to bypass the revocation check.
makecert is required because the certificate's Enhanced Key Usage must include both Server Authentication and Client Authentication, and the default IIS certificate CSR wizard does not include the client EKU.
First download makecert.exe from here: https://www.navuser.com/Data/makecert.exe
Machine #1
1. Generate a root cert:
makecert -pe -n CN=PrimaryTestRootCA -ss root -sr LocalMachine -sky signature -r PrimaryTestRootCA.cer
2. Generate a self-signed cert from the root cert:
makecert.exe -pe -n CN=HV2 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in PrimaryTestRootCA -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 HV2.cer
3. Disable revocation checking, since it cannot work for self-signed certs that publish no CRL:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
Machine #2
1. Generate a root cert:
makecert -pe -n CN=RecoveryTestRootCA -ss root -sr LocalMachine -sky signature -r RecoveryTestRootCA.cer
2. Generate a self-signed cert from the root cert:
makecert.exe -pe -n CN=HV1 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in RecoveryTestRootCA -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 HV1.cer
(Note: even though makecert writes a .cer file, it also places the certificate directly into the LocalMachine certificate store, so there is no additional import step on the machine that generated it.)
3. Copy PrimaryTestRootCA.cer from Machine #1 to Machine #2 and import it into Machine #2's trusted roots: certutil -addstore -f Root "PrimaryTestRootCA.cer"
4. Copy RecoveryTestRootCA.cer from Machine #2 to Machine #1 and import it there the same way: certutil -addstore -f Root RecoveryTestRootCA.cer
5. Disable revocation checking on Machine #2 as well:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
6. Now you can select the self-signed certificate in the replication settings on both servers.
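Before pointing Hyper-V Replica at the certificate, it is worth confirming that the makecert output really carries both EKUs, has a private key, and chains to a root the other host trusts, and that the revocation bypass is actually in effect. The following check is an added example, not part of the original post; the subject name HV2 is the one used above and is the only thing you need to change.

```powershell
# Added check (not part of the original post): confirm a replication certificate in the
# LocalMachine\My store carries BOTH EKUs Hyper-V Replica needs, and report whether the
# revocation-check bypass from the registry step is in effect.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ReplKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

function Test-ReplicaCertificate {
    param([Parameter(Mandatory)][string]$SubjectCN)   # e.g. 'HV2' from the makecert step

    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$SubjectCN" }
    if (-not $certs) { throw "No certificate with subject CN=$SubjectCN in LocalMachine\My" }

    foreach ($cert in $certs) {
        # Enhanced Key Usage is the 2.5.29.37 extension; collect the OIDs it lists.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus   = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $hasServer = $ekus -contains $ServerAuthOid
        $hasClient = $ekus -contains $ClientAuthOid

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            HasPrivateKey    = $cert.HasPrivateKey
            ServerAuthEku    = $hasServer
            ClientAuthEku    = $hasClient
            # Replica needs both EKUs, a usable private key and an unexpired certificate.
            UsableForReplica = $hasServer -and $hasClient -and $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date))
            # Is the issuing root present in this host's trusted roots (the certutil -addstore step)?
            IssuerTrusted    = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer })
        }
    }
}

function Get-ReplicaRevocationSetting {
    # 1 = revocation checking disabled, which self-signed makecert chains require.
    $value = (Get-ItemProperty -Path $ReplKey -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
    [pscustomobject]@{
        DisableCertRevocationCheck = $value
        RevocationBypassed         = ($value -eq 1)
    }
}

Test-ReplicaCertificate -SubjectCN 'HV2' | Format-List
Get-ReplicaRevocationSetting
```

Run it on each host for that host's own certificate; IssuerTrusted must be true on the peer as well, so run Test-ReplicaCertificate against the remote host's CN there after the certutil import. A false in ClientAuthEku is exactly the failure the IIS-wizard certificates produce.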
Load MS Exchange Powershell snapin
Open a regular PowerShell window and run:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
How To Know Which Process is Using a File or Folder in Windows
Resource Monitor
For Windows 7 and above, you can use the built-in Resource Monitor.
Open Resource Monitor, which can be found
- By searching for resmon.exe in the start menu, or
- As a button on the Performance tab in your Task Manager
On the CPU tab, use the search field in the Associated Handles section.
When you’ve found the handle, you can identify the process by looking at the Image and/or PID column. You can then close the application if you are able to do that, or just right-click the row and you’ll get the option of killing the process (End Process) right there.
Kill a process using PowerShell
Open PowerShell. If required, run it as Administrator.
Type the command Get-Process to see the list of running processes
To kill a process by its name, execute the following cmdlet: Stop-Process -Name "ProcessName" -Force
To kill a process by its PID, run the command: Stop-Process -Id <PID> -Force
Enable the Password Reset Option in Exchange Server 2016
The easiest way to change the password of a user’s Microsoft Exchange mailbox is to use the Active Directory User and Computer (ADUC) console. You can also reset the password from the Exchange Admin Center, but this option is disabled by default. This article describes how to enable the password reset option in the Exchange Admin Center in Microsoft Exchange Server 2016.
1. Log in to the Exchange server with your admin credentials.
2. Open PowerShell with administrative privileges and execute the following three commands.
Add-PSSnapin Microsoft*
Install-CannedRbacRoles
Install-CannedRbacRoleAssignments
3. Log in to the Exchange Admin Center and click on Permissions.
Right-click ‘Organization Management’ and then click Edit.
Click the ‘+’ sign on the roles section. Select ‘Reset Password’ and then click Add. Click OK and then click Save.
4. Log out from the Exchange Admin Center.
5. When you log in again to the Exchange Admin Center and open any existing user mailbox properties, you should see the reset password option.
How to stop a Windows Backup job
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\Administrator.LOCAL>wbadmin stop job
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2013 Microsoft Corporation. All rights reserved.
Are you sure you want to stop the current operation?
[Y] Yes [N] No y
The backup operation ended before completing.
C:\Users\Administrator.LOCAL>
Exchange 2010/2013/2016: Starting Exchange Services with a simple command
As an Exchange Admin, you might be looking after 1 server or several hundred.
Sometimes after a reboot you might notice that some of the services don't start. It is a daunting task to go and start them all manually, one at a time.
A simple way is to run the following command from an elevated PowerShell window:
Get-Service *Exchange* | Start-Service
Some services, like the Transport and Unified Messaging services, take a bit longer to start, but the window will echo the starting of all services.
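The one-liner above also tries to start services that are deliberately set to Manual or Disabled, and it gives no indication of what is still down once the slow services finish. The function below is an added example, not code from the original post; it starts only the automatic Exchange services that are not running, waits for them, and reports what is still stopped.

```powershell
# Added example (not from the original post): start only the Exchange services that are set to
# start automatically but are not running, wait for the slow ones, then report anything still
# stopped. Services set to Manual or Disabled are left alone.
function Start-StoppedExchangeService {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$TimeoutSeconds = 120)

    # Win32_Service exposes StartMode, which Get-Service lacks on older PowerShell versions.
    $auto = Get-CimInstance Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode = 'Auto'" |
            Select-Object -ExpandProperty Name
    if (-not $auto) { Write-Warning 'No automatic MSExchange* services found on this host'; return }

    $stopped = Get-Service -Name $auto | Where-Object { $_.Status -ne 'Running' }
    foreach ($svc in $stopped) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Start-Service')) {
            Start-Service -Name $svc.Name -ErrorAction Continue
        }
    }

    # Transport and Unified Messaging take a while; poll until running or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pending = Get-Service -Name $auto | Where-Object { $_.Status -ne 'Running' }
        if ($pending) { Start-Sleep -Seconds 5 }
    } while ($pending -and (Get-Date) -lt $deadline)

    Get-Service -Name $auto | Select-Object Name, Status
}

Start-StoppedExchangeService -WhatIf                                   # preview what would be started
Start-StoppedExchangeService | Where-Object { $_.Status -ne 'Running' } # anything listed here needs attention
```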
Seize Active Directory Roles
Select Start > Run, type ntdsutil in the Open box, and then select OK.
C:\Users\administrator>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server adserver2
Binding to adserver2 ...
Connected to adserver2 using credentials of locally logged on user.
server connections: quit
fsmo maintenance: Transfer schema master
Server "adserver2" knows about 5 roles
Schema - CN=NTDS Settings,CN=ADSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=temp,DC=local
Naming Master - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=temp,DC=local
PDC - CN=NTDS Settings,CN=BDSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=temp,DC=local
RID - CN=NTDS Settings,CN=BDSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=temp,DC=local
Infrastructure - CN=NTDS Settings,CN=BDSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=temp,DC=local
fsmo maintenance: quit
ntdsutil: quit
Remote Desktop (RDP) shortcut keys
Shortcut key | Description
CTRL+ALT+HOME | Activates the connection bar.
CTRL+ALT+BREAK | Switches the client between full-screen mode and window mode.
CTRL+ALT+END | Brings up the Windows Security dialog box for the Remote Desktop Session Host (RD Session Host); provides the same functionality as pressing CTRL+ALT+DEL on the local computer.
The following table describes the standard Windows shortcut keys and their equivalent Remote Desktop shortcuts where they differ. (For example, Ctrl+Z is the 'Undo' shortcut on both standard Windows and Remote Desktop, so it is not listed.)
Windows shortcut | Remote Desktop shortcut | Description
ALT+TAB | ALT+PAGE UP | Switches between programs from left to right.
ALT+SHIFT+TAB | ALT+PAGE DOWN | Switches between programs from right to left.
(none) | ALT+INSERT | Cycles through the programs in the order they were started.
Windows key or CTRL+ESC | ALT+HOME | Displays the Start menu.
ALT+SPACE BAR | ALT+DELETE | Displays the system menu.
ALT+PRINT SCREEN | CTRL+ALT+MINUS SIGN (-) | Places a snapshot of the active window, within the client, on the clipboard.
PRINT SCREEN | CTRL+ALT+PLUS SIGN (+) | Places a snapshot of the entire client window area on the clipboard.
Set time on Windows AD Server to NTP
Configure the NTP Server on Windows Server 2008, 2012, 2016 or 2019
On your Windows Server, press the Windows key and type PowerShell, then right-click it and select Run as Administrator.
Type the following commands
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
Stop-Service w32time
Start-Service w32time
Of course, you can use any NTP server you want. Now verify that the time server was set correctly on your server by running: w32tm /query /status
Windows backup drive is full
Windows does not manage backup space well. To manage the retained backups and not fill up the disk, run the following command from an elevated command prompt:
WBADMIN DELETE BACKUP -backuptarget:F: -keepVersions:30
**************************************
To get the versions:
WBADMIN get versions
**************************************
To delete the oldest backup version:
WBADMIN DELETE BACKUP -deleteoldest
Robocopy makes folders disappear
Robocopy may leave the new directory hidden, because it copies the system and hidden attributes of the drive's root folder over to the new folder. You can prevent the new directory from becoming hidden by adding the /A-:SH switch to your robocopy command.
Move files before date with Robocopy
ROBOCOPY "E:\data" "\\testserver\data" /MOVE /E /MINLAD:20170101 /CREATE /R:1 /W:1 /TEE /V /LOG+:data.log
/MINLAD:20170101 - moves files last accessed before 01/01/2017.
How to move stale computers in Active Directory to DisabledComputers OU
Create your DisabledComputers OU.
Copy and save the following script as DisabledAged.ps1
*******
# Import AD module
Import-Module ActiveDirectory
$ErrorActionPreference = "SilentlyContinue"
$searchbase = "DC=domain,DC=local"
$EntGroups = "OU=Computers,DC=domain,DC=local"
$groups = Get-ADGroup -Properties Name -Filter * -SearchBase $EntGroups
$inactiveOU = "OU=DisabledComputers,DC=domain,DC=local"
$Days = (Get-Date).AddDays(-180)
# Enabled computers whose last logon is older than 180 days. Accounts that are already disabled
# (e.g. those previously moved into $inactiveOU) are skipped so they are not processed again.
# Note: objects with no LastLogonDate at all are never matched by -lt.
$computers = Get-ADComputer -Properties * -Filter {LastLogonDate -lt $Days -and Enabled -eq $true} -SearchBase $searchbase
# Informational: stale accounts already sitting disabled in the target OU
$DisabledComps = Get-ADComputer -Properties Name,Enabled,LastLogonDate -Filter {(Enabled -eq $false -and LastLogonDate -lt $Days)} -SearchBase $inactiveOU
# Move inactive computer accounts to your inactive OU
foreach ($computer in $computers) {
    Write-Output $computer
    # Record the last logon date in the Location attribute (used by the optional purge below), then disable.
    # -PassThru is required here: without it Set-ADComputer emits nothing and the second command gets no input.
    Set-ADComputer $computer -Location $computer.LastLogonDate -PassThru | Set-ADComputer -Enabled $false
    Move-ADObject -Identity $computer.ObjectGUID -TargetPath $inactiveOU
    # Remove group memberships (errors for groups the computer is not a member of are suppressed above)
    foreach ($group in $groups) {
        Remove-ADGroupMember -Identity $group -Members $computer.ObjectGUID -Confirm:$false
    }
}
# Optionally remove stale computer objects from AD
# Remove disabled computer accounts whose recorded last logon (in Location) is more than 365 days old.
# Location holds a string, so cast it back to a date before comparing.
#$RemoveStale = Get-ADComputer -Filter * -Properties Location -SearchBase $inactiveOU | Where-Object {$_.Location -and [datetime]$_.Location -lt (Get-Date).AddDays(-365)}
#$RemoveStale | Remove-ADObject -Confirm:$false
*****
Change DC=domain,DC=local to your domain and run the script.
How to get stale computers from Active Directory
Copy the text below:
*****
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -ResultSetSize $null -Properties Name,
OperatingSystem, SamAccountName, DistinguishedName | Export-CSV "C:\StaleComps.CSV" -NoTypeInformation
*****
Save as stale.ps1 then run from Powershell
If you receive the following error:
The term 'Get-ADComputer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\super\desktop\Aged.ps1:5 char:15
+ Get-ADComputer <<<< -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Properties Name, OperatingSystem, SamAccountName, DistinguishedName | Export-CSV "C:\StaleComps.CSV" -NoTypeInformation
+ CategoryInfo : ObjectNotFound: (Get-ADComputer:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Run this command:
PS C:\Users\super\desktop> import-module activedirectory
If you receive a message about unsigned code, set the execution policy:
PS C:\> Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
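Two things the one-line filter in stale.ps1 (and the 180-day filter in DisabledAged.ps1) do not show: LastLogonTimeStamp is only replicated with up to 14 days of slack, so "90 days" really means somewhere between 90 and 104 days, and a computer that has never logged on has no timestamp at all, so `-lt $time` silently leaves it out. The report below is an added example, not a script from the original post; it requires the ActiveDirectory module and takes an optional search base.

```powershell
# Added example (not part of the original post): a stale-computer report that also surfaces
# accounts that have never logged on, which the "-lt $time" filter above cannot match.
# LastLogonTimeStamp replicates with up to 14 days of slack, so treat DaysSinceLogon as a lower bound.
Import-Module ActiveDirectory

function Get-StaleComputerReport {
    param(
        [int]$DaysInactive = 90,
        [string]$SearchBase            # optional, e.g. "OU=Workstations,DC=domain,DC=local"
    )
    $cutoff = (Get-Date).AddDays(-$DaysInactive)

    $query = @{
        Filter     = '*'
        Properties = 'LastLogonTimeStamp', 'whenCreated', 'OperatingSystem', 'Enabled', 'DistinguishedName'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADComputer @query | ForEach-Object {
        # LastLogonTimeStamp is a Windows FILETIME (100 ns ticks since 1601); LastLogonDate is
        # simply this value converted. Null means the account has never authenticated.
        $lastLogon = if ($_.LastLogonTimeStamp) { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } else { $null }

        $state = if (-not $lastLogon) {
                     if ($_.whenCreated -lt $cutoff) { 'NeverLoggedOn' } else { 'NewAccount' }
                 } elseif ($lastLogon -lt $cutoff) { 'Stale' } else { 'Active' }

        [pscustomobject]@{
            Name              = $_.Name
            Enabled           = $_.Enabled
            OperatingSystem   = $_.OperatingSystem
            Created           = $_.whenCreated
            LastLogon         = $lastLogon
            DaysSinceLogon    = if ($lastLogon) { [int]((Get-Date) - $lastLogon).TotalDays } else { $null }
            State             = $state
            DistinguishedName = $_.DistinguishedName
        }
    } | Where-Object { $_.State -ne 'Active' }
}

# Stale and never-logged-on accounts, oldest first, to CSV for review before any disable/move step.
Get-StaleComputerReport -DaysInactive 90 |
    Sort-Object LastLogon |
    Export-Csv -Path 'C:\StaleComps.csv' -NoTypeInformation
```

Review the NeverLoggedOn rows separately: they are often pre-staged or orphaned objects, and a freshly created account (NewAccount) should not be disabled just because it has no logon yet.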
How to find Active Directory Search Base
To find your user and group base DN, you can run a query from any member server on your Windows domain.
To find the User Base DN:
- Open a Windows command prompt.
- Type the command: dsquery user -name <known username>
(Example: if I were searching for all users named John, I could enter the username as John* to get a list of all users whose name is John.)
- The result will look like: "CN=John.Smith,CN=Users,DC=MyDomain,DC=com"
- In Blue Coat Reporter's LDAP/Directory settings, when asked for a User Base DN, you would enter: CN=Users,DC=MyDomain,DC=com
To find the Group Base DN:
- Open a Windows command prompt.
- Type the command: dsquery group -name <known group name>
(Example: if I were searching for a group called Users, I could enter the group name as Users* to get a list of all groups whose name contains "Users".)
- The result will look like: "CN=Users,CN=Builtin,DC=MyDomain,DC=com"
- In Blue Coat Reporter's LDAP/Directory settings, when asked for a Group Base DN, you would enter: CN=Users,CN=Builtin,DC=MyDomain,DC=com
Syncback on Server 2012 as scheduled task doesn’t run
User Rights
You should also make sure the user account has the necessary Windows user rights. To do this, run the Local Security Policy control panel applet (in the Administrative Tools section of the Control Panel). If you are using a Home edition of Windows you may not have access to the Local Security Policy applet (Microsoft has removed the feature from Home editions of Windows).
Make sure that the user account has the following user rights:
- Act as part of the operating system
- Log on as a batch job
- Log on as a service
Make sure the user account is not listed in the following user rights:
- Deny logon as a batch job
- Deny logon as a service
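Checking these five rights by clicking through the Local Security Policy applet is error-prone, and the Deny rights are easy to overlook. The script below is an added example, not something from the original article: it exports the effective local policy with secedit and reports, for a given account, which of the listed rights are assigned and whether the combination is the one the task needs. The privilege constants are the names Windows uses for these rights; the account name is a placeholder.

```powershell
# Added example (not from the original article): export the local security policy with secedit
# and report which accounts hold the user rights this section names.
$RightsToCheck = [ordered]@{
    SeTcbPrivilege          = 'Act as part of the operating system'
    SeBatchLogonRight       = 'Log on as a batch job'
    SeServiceLogonRight     = 'Log on as a service'
    SeDenyBatchLogonRight   = 'Deny log on as a batch job'
    SeDenyServiceLogonRight = 'Deny log on as a service'
}

function Get-UserRightAssignment {
    # One row per (right, account) from the effective local policy.
    $cfg = Join-Path $env:TEMP "secpol_$PID.inf"
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $lines = Get-Content $cfg | Where-Object { $_ -match '^\s*Se\w+\s*=' }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }

    foreach ($line in $lines) {
        $name, $members = $line -split '=', 2
        $name = $name.Trim()
        if (-not $RightsToCheck.Contains($name)) { continue }

        foreach ($m in ($members -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            # secedit writes well-known accounts as *S-1-5-...; translate those SIDs to names.
            $account = $m
            if ($m.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier ($m.TrimStart('*'))
                    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $account = $m.TrimStart('*') }   # unresolvable SID: show it raw
            }
            [pscustomobject]@{ Right = $name; Description = $RightsToCheck[$name]; Account = $account }
        }
    }
}

function Test-TaskAccountRights {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'DOMAIN\svc_syncback' (placeholder)
    $rows = Get-UserRightAssignment | Where-Object { $_.Account -ieq $Account }
    foreach ($right in $RightsToCheck.Keys) {
        $has    = [bool]($rows | Where-Object { $_.Right -eq $right })
        $isDeny = $right -like 'SeDeny*'
        [pscustomobject]@{
            Right    = $RightsToCheck[$right]
            Assigned = $has
            # Allow rights must be present, Deny rights must be absent.
            OK       = if ($isDeny) { -not $has } else { $has }
        }
    }
}

Test-TaskAccountRights -Account 'DOMAIN\svc_syncback' | Format-Table -AutoSize
```

Only direct assignments are matched; if the account gets a right through group membership, the group shows up in Get-UserRightAssignment rather than the account. Note that "Act as part of the operating system" (SeTcbPrivilege) is one of the most powerful rights on the system, so the account that receives it should be dedicated to this task and nothing else.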
Setup network on Hyper-V virtual CentOS 6
Use system-config-network-tui to set up the network card. If you perform a failover, you must connect the card in Hyper-V and then configure it again.
If the interface does not come up, look in /etc/udev/rules.d/70-persistent-net.rules to see which "ethX" interface has the correct MAC address. Either rename your ifcfg-ethX file in /etc/sysconfig/network-scripts or use system-config-network-tui to set up the correct "ethX" interface, then restart the network.
How to check Hyper-V replication status automatically
Copy and paste the following into a text file and save as c:\checkrep.ps1.
*****************************************************************
Add-PSSnapin Microsoft.Exchange.Management.Powershell.Admin -ErrorAction SilentlyContinue   # not needed for Hyper-V; harmless if absent
##### Configuration Section Starts #####
$SMTPName = "mail.ncol.net"
$EmailMessage = New-Object Net.Mail.MailMessage
$SMTPServer = New-Object Net.Mail.SmtpClient($SMTPName)
$EmailMessage.From = "admin@domain.com"
$EmailMessage.To.Add("techsupp@ncol.net")
#$EmailMessage.To.Add("9197021111@vtext.com")
##### Configuration Section Ends #####
# Build a nice file name
$date = Get-Date -Format M_d_yyyy_hh_mm_ss
$csvfile = ".\AllAttentionRequiringVMs_" + $date + ".csv"
# Build the header row for the CSV file
$header = "VM Name, Date, Server, Message `r`n"
$csv = $header
# Find all VMs that require your attention
$VMList = Get-VM | Where-Object { $_.ReplicationHealth -eq "Critical" -or $_.ReplicationHealth -eq "Warning" }
# Loop through each VM to get the corresponding events
ForEach ($VM in $VMList)
{
    $VMReplStats = $VM | Measure-VMReplication
    # Only events after the last successful replication matter; before that, replication was working.
    $FromDate = $VMReplStats.LastReplicationTime
    # This XPath filter returns Hyper-V VMMS events for the current VM only
    $FilterString = "<QueryList><Query Id='0' Path='Microsoft-Windows-Hyper-V-VMMS-Admin'><Select Path='Microsoft-Windows-Hyper-V-VMMS-Admin'>*[UserData[VmlEventLog[(VmId='" + $VM.ID + "')]]]</Select></Query></QueryList>"
    # -ErrorAction SilentlyContinue: Get-WinEvent raises a non-terminating error when nothing matches
    $EventList = Get-WinEvent -FilterXML $FilterString -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -ge $FromDate -and $_.LevelDisplayName -eq "Error" } | Select-Object -Last 3
    # Dump relevant information to the CSV file
    foreach ($Event in $EventList)
    {
        If ($VM.ReplicationMode -eq "Primary")
        {
            $Server = $VMReplStats.PrimaryServerName
        }
        Else
        {
            $Server = $VMReplStats.ReplicaServerName
        }
        # Quote the message so commas and line breaks inside the event text do not break the CSV columns
        $csv += $VM.Name + "," + $Event.TimeCreated + "," + $Server + ",""" + ($Event.Message -replace '"', '""') + """`r`n"
    }
}
# Create a file and dump all information in CSV format
Set-Content -Path $csvfile -Value $csv
# If any VM is in a critical or warning health state and produced events, send an email to me and my colleague
If ($VMList -and $csv.Length -gt $header.Length)
{
    $Attachment = New-Object Net.Mail.Attachment($csvfile)
    $EmailMessage.Subject = "[ATTENTION] Replication requires your attention!"
    $EmailMessage.Body = "The report is attached."
    $EmailMessage.Attachments.Add($Attachment)
    $SMTPServer.Send($EmailMessage)
    $Attachment.Dispose()
}
Else
{
    $EmailMessage.Subject = "[NORMAL] All VMs replicating Normally!"
    $EmailMessage.Body = "All VMs are replicating normally. No further action is required at this point."
    $SMTPServer.Send($EmailMessage)
}
*****************************************************************
Change the relevant email information in the configuration section at the beginning of the script.
Now open Task Scheduler.
Create a Basic Task. Name it Check Replication. Next.
Set the Trigger to the frequency you want the script to run. Next.
Set the Action to Start A Program. Next.
Enter powershell.exe in the Program box.
Enter c:\checkrep.ps1 in the Add Arguments box.
Enter c:\ in the Start In box. Next.
Open the properties of the Task and on the General tab select “Run whether user is logged in or not” and “Run with the highest privileges”.
******************************************************************
If you receive the error:
"Your script is blocked from executing due to the execution policy."
you need to set the execution policy on the client PC to Unrestricted. You can do that by running
Set-ExecutionPolicy Unrestricted
within the Windows PowerShell (x86) app.
How to configure an internal relay connector for Exchange 2013
Go to the Exchange admin center web page (https://exchangeserver/ecp).
Go to Mail flow > Receive connectors and click + to add a new connector.
Enter a name for the connector. If you want to relay outside your organization, select the Frontend Transport role instead of the Hub Transport role.
Leave the settings below unchanged.
Remove the default IP address range that is listed.
You get an error that the field is required; click + to add a new range.
Enter a single IP address or a local LAN range that is allowed to send email via the Exchange server.
The remote network settings will then list the ranges you added.
When you have clicked Finish, edit the relay connector and go to the Security tab.
Select the option "Anonymous users".
Click Save.
Now open an Exchange Management Shell on the Exchange server (with administrative rights) and run:
Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
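The Add-ADPermission step is what turns the connector into an anonymous relay, so the remote IP range list is the only thing standing between it and an open relay. The following audit is an added example, not part of the original how-to; run it in the Exchange Management Shell to list every connector that grants the relay right to ANONYMOUS LOGON together with the ranges that may use it. The "broad range" patterns it flags are my own choice of heuristics.

```powershell
# Added check (not from the original how-to): list every Receive Connector that grants
# ms-Exch-SMTP-Accept-Any-Recipient to ANONYMOUS LOGON (i.e. relays for unauthenticated senders)
# with the IP ranges allowed to use it, and flag ranges broad enough to make it an open relay.
function Get-AnonymousRelayConnector {
    foreach ($rc in Get-ReceiveConnector) {
        # An explicit Allow ACE for the anonymous identity carrying the relay right.
        $relayAce = Get-ADPermission -Identity $rc.Identity |
            Where-Object {
                $_.User -like 'NT AUTHORITY\ANONYMOUS LOGON' -and
                -not $_.Deny -and
                (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'ms-Exch-SMTP-Accept-Any-Recipient')
            }
        if (-not $relayAce) { continue }

        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        # Heuristic: the whole address space, a /0 or /8, or anything starting at 0.0.0.0 is "everyone".
        $broad = $ranges | Where-Object {
            $_ -eq '0.0.0.0-255.255.255.255' -or $_ -like '*/0' -or $_ -like '*/8' -or $_ -like '0.0.0.0*'
        }

        [pscustomobject]@{
            Connector        = $rc.Identity.ToString()
            Enabled          = $rc.Enabled
            Bindings         = (@($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', ')
            PermissionGroups = $rc.PermissionGroups.ToString()
            RemoteIPRanges   = ($ranges -join ', ')
            BroadRanges      = ($broad -join ', ')
            OpenRelayRisk    = [bool]$broad
        }
    }
}

Get-AnonymousRelayConnector | Sort-Object OpenRelayRisk -Descending | Format-Table -AutoSize
```

Any row with OpenRelayRisk true deserves an immediate look: a relay connector should list only the specific application or device hosts that need it, as the how-to above describes, never a range that covers the Internet. Connectors in the default set (the Default and Client Frontend connectors) normally do not appear here at all; if one does, somebody has added the relay right to it.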
Exchange 2013 mailbox move stuck at StatusDetail FailedOther
You have to remove the current move request and resubmit:
Remove-MoveRequest -Identity userID
New-MoveRequest -Identity "userID" -TargetDatabase "Mailbox Database 0422167200" -BatchName "userID" -BadItemLimit "200"
How to find and remove a Service on Server 2008, 2012 and 2016
Run command prompt as Administrator
Find the keyname with “sc getkeyname”:
C:\Users\administrator.LOCAL>sc getkeyname "Atlassian JIRA"
[SC] GetServiceKeyName SUCCESS
Name = JIRASoftware151216105308
Now delete the key using:
C:\Users\administrator.LOCAL>sc delete "JIRASoftware151216105308"
Perform a full backup on Exchange to purge logs
1. Open Command Prompt as Administrator.
2. Launch diskshadow and enter the following commands one at a time:
a. Add volume d:
b. (optional, one line for each additional drive to include) Add volume X:
c. Begin Backup
d. Create
e. End Backup
3. At this step you should notice events in the Application log indicating that the backup was indeed successful and that the logs will now be deleted.
Here are some screenshots from the process:
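Typing the diskshadow commands interactively is fine once, but the same sequence is usually needed again the next time logs fill a volume. The function below is an added example, not part of the original post: it writes the steps above to a diskshadow script file, runs it with `diskshadow /s`, and then looks in the Application log for the ESE events that show whether the logs were actually truncated. The volume letters are placeholders, and the event IDs used (ESE 224 for "log files deleted", 225 for "no log files could be truncated") are my assumption to confirm against the events you see in step 3.

```powershell
# Added example (not from the original post): run the diskshadow sequence above from a script
# file so it can be repeated unattended, then check the Application log for ESE log truncation.
# Event IDs 224 (logs deleted) and 225 (nothing to truncate) are assumptions; verify against your log.
function Invoke-ExchangeVssFullBackup {
    param([string[]]$Volumes = @('D:'))   # placeholder: the volumes holding databases and logs

    $start  = Get-Date
    $script = Join-Path $env:TEMP 'exchange-full-backup.dsh'

    # Same steps as the interactive session: add each volume, then BEGIN BACKUP / CREATE / END BACKUP.
    $lines  = @('SET VERBOSE ON')
    $lines += $Volumes | ForEach-Object { "ADD VOLUME $_" }
    $lines += 'BEGIN BACKUP', 'CREATE', 'END BACKUP', 'EXIT'
    Set-Content -Path $script -Value $lines -Encoding ASCII

    # diskshadow /s runs the script non-interactively; keep its output for troubleshooting.
    $output = & diskshadow.exe /s $script 2>&1
    $exit   = $LASTEXITCODE
    Remove-Item $script -ErrorAction SilentlyContinue

    # Evidence that Exchange treated this as a real full backup and purged its logs.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ESE'; Id = 224, 225; StartTime = $start } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ExitCode          = $exit
        LogsTruncated     = [bool]($events | Where-Object { $_.Id -eq 224 })
        NothingToTruncate = [bool]($events | Where-Object { $_.Id -eq 225 })
        Events            = ($events | Select-Object TimeCreated, Id, Message)
        DiskshadowOutput  = ($output -join "`n")
    }
}

Invoke-ExchangeVssFullBackup -Volumes 'D:', 'E:' | Format-List
```

A run where ExitCode is 0 but LogsTruncated stays false usually means a volume holding part of the database or log set was left out of the ADD VOLUME list, so Exchange did not consider the backup complete.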
Backup all SQL Databases at once
Problem
Sometimes things that seem complicated are much easier than you think, and this is the power of using T-SQL to take care of repetitive tasks. One of these tasks may be the need to back up all databases on your server. This is not a big deal if you have a handful of databases, but I have seen several servers where there are 100+ databases on the same instance of SQL Server. You could use SQL Server Management Studio to back up the databases or even use Maintenance Plans, but using T-SQL is a much simpler and faster approach.
Solution
With the use of T-SQL you can generate your backup commands and with the use of cursors you can cursor through all of your databases to back them up one by one. This is a very straight forward process and you only need a handful of commands to do this.
Here is the script that will allow you to backup each database within your instance of SQL Server. You will need to change the @path to the appropriate backup directory.
File Naming Format DBname_YYYYMMDD.BAK
DECLARE @name VARCHAR(50) -- database name
DECLARE @path VARCHAR(256) -- path for backup files
DECLARE @fileName VARCHAR(256) -- filename for backup
DECLARE @fileDate VARCHAR(20) -- used for file name
-- specify database backup directory
SET @path = 'C:\Backup\'
-- specify filename format (style 112 gives yyyymmdd)
SELECT @fileDate = CONVERT(VARCHAR(20),GETDATE(),112)
DECLARE db_cursor CURSOR FOR
SELECT name
FROM master.dbo.sysdatabases
WHERE name NOT IN ('master','model','msdb','tempdb') -- exclude these databases
OPEN db_cursor
FETCH NEXT FROM db_cursor INTO @name
WHILE @@FETCH_STATUS = 0
BEGIN
SET @fileName = @path + @name + '_' + @fileDate + '.BAK'
BACKUP DATABASE @name TO DISK = @fileName
FETCH NEXT FROM db_cursor INTO @name
END
CLOSE db_cursor
DEALLOCATE db_cursor
File Naming Format DBname_YYYYMMDD_HHMMSS.BAK
If you want to also include the time in the filename you can replace this line in the above script:
-- specify filename format
SELECT @fileDate = CONVERT(VARCHAR(20),GETDATE(),112)
with this line:
-- specify filename format (style 108 gives hh:mi:ss; the colons are stripped)
SELECT @fileDate = CONVERT(VARCHAR(20),GETDATE(),112) + REPLACE(CONVERT(VARCHAR(20),GETDATE(),108),':','')
Notes
In this script we are bypassing the system databases, but these could easily be included as well. You could also turn this into a stored procedure and pass in a database name, or, if it is left NULL, back up all databases. Any way you choose to use it, this script gives you a starting point for simply backing up all of your databases.
How to Setup a Legal Notice Before Login in Group Policy
This is a very easy setting that may also substitute for signing the computer usage agreements every year.
1. Open your Group Policy Management Console (gpmc.msc).
2. Go to the Group Policy Objects in your domain, right-click Default Domain Policy and select Edit...
3. Once the Group Policy Editor is up, use the tree view on the left to go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
4. To edit the title of the window, change: Interactive logon: Message title for users attempting to log on
5. To edit the message text, change: Interactive logon: Message text for users attempting to log on
Use Robocopy to move shares with permissions
robocopy source destination /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:Robocopy.log
Here’s what the switches mean:
source :: Source Directory (drive:\path or \\server\share\path).
destination :: Destination Dir (drive:\path or \\server\share\path).
/E :: copy subdirectories, including Empty ones.
/ZB :: use restartable mode; if access denied use Backup mode.
/DCOPY:T :: COPY Directory Timestamps.
/COPYALL :: COPY ALL file info (equivalent to /COPY:DATSOU). Copies the Data, Attributes, Timestamps, Owner, Permissions (Security) and Auditing info.
/R:n :: number of Retries on failed copies: default is 1 million but I set this to only retry once.
/W:n :: Wait time between retries: default is 30 seconds but I set this to 1 second.
/V :: produce Verbose output, showing skipped files.
/TEE :: output to console window, as well as the log file.
/LOG:file :: output status to LOG file (overwrite existing log).
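One thing neither the switch list above nor the /MINLAD tip earlier mentions is robocopy's exit code: it is a bit mask, not pass/fail. Values 0 to 7 all mean success (with detail about what was copied or found extra), while 8 and above mean something was not copied, so a scheduled task that treats every non-zero code as a failure will cry wolf on every successful run. The wrapper below is an added example, not from the original post; it covers both the permission-preserving share copy described here and the access-date move, decodes the exit code, and adds /A-:SH to avoid the hidden-folder problem described above. All paths are placeholders.

```powershell
# Added example (not from the original post): run robocopy and decode its bit-mask exit code.
# 0-7 are success variants; 8 and above mean files were not copied. Paths are placeholders.
$RobocopyFlags = [ordered]@{
    1  = 'Files copied'
    2  = 'Extra files or directories in destination'
    4  = 'Mismatched files or directories'
    8  = 'Some files or directories could not be copied (retries exhausted)'
    16 = 'Fatal error: nothing copied (bad source/destination, access denied, out of space)'
}

function Invoke-Robocopy {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        # Defaults match the share-migration command above (minus logging, which is added below).
        [string[]]$Options = @('/E', '/ZB', '/DCOPY:T', '/COPYALL', '/R:1', '/W:1', '/V', '/TEE'),
        [string]$LogFile = 'Robocopy.log'
    )
    # /A-:SH clears the System and Hidden attributes on what is copied, so the new root folder
    # does not vanish (see "Robocopy makes folders disappear" above).
    $rcArgs = @($Source, $Destination) + $Options + @('/A-:SH', "/LOG+:$LogFile")
    $null = & robocopy.exe @rcArgs
    $code = $LASTEXITCODE

    $reasons = foreach ($bit in $RobocopyFlags.Keys) {
        if ($code -band $bit) { $RobocopyFlags[$bit] }
    }
    [pscustomobject]@{
        ExitCode  = $code
        Succeeded = ($code -lt 8)          # 0-7: everything that should have copied did
        Reasons   = if ($reasons) { $reasons -join '; ' } else { 'No change: source and destination already in sync' }
        Log       = $LogFile
    }
}

# Share migration with security descriptors, as in the command above.
$result = Invoke-Robocopy -Source 'D:\Shares\Finance' -Destination '\\newserver\Finance$' -LogFile 'C:\Logs\finance-move.log'
$result

# Archive move by access date, as in the /MINLAD tip: move files not accessed since 2017-01-01.
Invoke-Robocopy -Source 'E:\data' -Destination '\\testserver\data' -Options '/MOVE', '/E', '/MINLAD:20170101', '/R:1', '/W:1' -LogFile 'data.log'

if (-not $result.Succeeded) { exit 1 }   # a meaningful failure code for Task Scheduler
```

With /COPYALL, robocopy needs the Backup and Restore privileges (which /ZB relies on) to copy ownership and SACLs; running it from an elevated prompt, or as the scheduled task's service account with those rights, avoids the exit code 8 "access denied" on files the account does not own.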
How to configure Exchange to redirect OWA HTTP requests to HTTPS requests in IIS 7
To enable SSL redirection to the OWA virtual directory, follow these steps:
1. Start IIS 7 Manager.
2. Expand the server, expand Sites and select the Default Web Site.
3. Double-click HTTP Redirect.
4. Select the Redirect requests to this destination check box, and then enter /owa.
5. Select the Only redirect requests to content in this directory (not subdirectories) check box.
6. Select Found (302) from the Status code drop-down list.
7. Click Apply to save the settings.
Note: The changes that you made to the Default Web Site will propagate down to the virtual directories for that site.
8. Expand the Default Web Site.
9. Select the aspnet_client virtual directory.
10. Double-click HTTP Redirect.
11. Clear the check box for Redirect requests to this destination.
12. Click Apply to save the settings.
13. Repeat steps 9-12 for the following virtual directories:
- Autodiscover
- Ecp
- EWS
- Microsoft-Server-ActiveSync
- OAB
- Owa
- PowerShell
- PowerShell-Proxy
- Rpc
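Because the redirect set on the Default Web Site is inherited by every virtual directory underneath it, a single vdir missed in step 13 is enough to break Autodiscover, EWS or ActiveSync while OWA itself works fine. The check below is an added example, not part of the original article: it reads the HTTP Redirect settings back through the WebAdministration module for the root site and each directory listed above and reports anything still redirecting.

```powershell
# Added check (not from the original article): read back the HTTP Redirect settings the steps
# above configure, so the root redirect to /owa is in place and none of the listed virtual
# directories inherited it.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$ChildDirs = 'aspnet_client', 'Autodiscover', 'Ecp', 'EWS', 'Microsoft-Server-ActiveSync',
             'OAB', 'Owa', 'PowerShell', 'PowerShell-Proxy', 'Rpc'

function Get-HttpRedirectState {
    param([Parameter(Mandatory)][string]$PSPath)
    $r = Get-WebConfiguration -Filter 'system.webServer/httpRedirect' -PSPath $PSPath
    [pscustomobject]@{
        Path        = $PSPath
        Enabled     = $r.enabled
        Destination = $r.destination
        ChildOnly   = $r.childOnly            # "Only redirect requests to content in this directory"
        ExactDest   = $r.exactDestination
        StatusCode  = $r.httpResponseStatus   # expect "Found" (302)
    }
}

function Test-OwaRedirect {
    $root   = Get-HttpRedirectState -PSPath "IIS:\Sites\$SiteName"
    $rootOk = $root.Enabled -and $root.Destination -eq '/owa' -and $root.ChildOnly -and $root.StatusCode -eq 'Found'

    $children = foreach ($d in $ChildDirs) {
        # Skip directories that do not exist on this server role.
        if (-not (Test-Path "IIS:\Sites\$SiteName\$d")) { continue }
        Get-HttpRedirectState -PSPath "IIS:\Sites\$SiteName\$d"
    }
    $leaking = @($children | Where-Object { $_.Enabled })

    [pscustomobject]@{
        RootRedirectConfigured   = [bool]$rootOk
        Root                     = $root
        ChildrenStillRedirecting = ($leaking | Select-Object -ExpandProperty Path)
        AllGood                  = ([bool]$rootOk -and $leaking.Count -eq 0)
    }
}

Test-OwaRedirect | Format-List
```

Run it after step 13 and again after any Exchange cumulative update, since setup can recreate virtual directories and re-inherit the parent's redirect.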
How to add Trusted Sites
Go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, and then double-click Site to Zone Assignment List in the right pane.
After you double-click Site to Zone Assignment List you will see a window to enable and configure the setting. Click Enabled, then click Show. On the Show Contents screen click Add.
By clicking Add we can add URLs and specify what zone we want them to be placed in.
The number 2 denotes the number of the zone; in this case it is the Trusted Sites zone. Microsoft breaks down the zones as follows:
- Intranet zone: sites on your local network.
- Trusted Sites zone: sites that have been added to your trusted sites.
- Internet zone: sites that are on the Internet.
- Restricted Sites zone: sites that have been specifically added to your restricted sites.
After clicking OK you can wait for your default Group Policy refresh, which is 15 minutes by default, or run gpupdate.exe on any workstation to see if it worked. You can also restart the workstations to force the update.
To configure the behavior of Automatic Updates
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Configure Automatic Updates.
- Click Enabled and select one of the following options:
  - Notify for download and notify for install. This option notifies a logged-on administrative user prior to the download and prior to the installation of the updates.
  - Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user prior to installing the updates.
  - Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.
  - Allow local admin to choose setting. With this option, the local administrators are allowed to use Automatic Updates in Control Panel to select a configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates.
- Click OK.
How to create mapped drives in Group Policy
To create a new Mapped Drive preference item
- Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
- In the console tree under User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
- Right-click the Drive Maps node, point to New, and select Mapped Drive.
- In the New Drive Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)
- Enter drive map settings for Group Policy to configure or remove. (For more information, see "Drive map settings" in this topic.)
- Click the Common tab, configure any options, and then type your comments in the Description box. (For more information, see Configure Common Options.)
- Click OK. The new preference item appears in the details pane.
Disable Firewall on users using group policy in server 2008, 2012
Computer Config > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections = Disabled
After that, on the client machine:
Start > Run > CMD > gpupdate /force
Reboot.
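The three policies above (Site to Zone Assignment List, Configure Automatic Updates, and the domain-profile firewall setting) each land as plain values in the policy hive of the registry, which is the quickest place to confirm on a workstation that the GPO actually applied and to see exactly how broad each setting is. The script below is an added example, not part of the original tips; the registry paths are the documented policy keys, and the zone and AUOptions number tables are the standard mappings. The "broad pattern" test for zone entries is my own heuristic.

```powershell
# Added check (not from the original tips): read what the three Group Policy settings above
# write to the policy hive, so you can confirm they applied and see how broad each one is.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$AUOptions = @{ 2 = 'Notify for download and notify for install'
                3 = 'Auto download and notify for install'
                4 = 'Auto download and schedule the install'
                5 = 'Allow local admin to choose setting' }

function Get-PolicyValue {
    # Returns $null (not an error) when the key or value is absent, i.e. the policy is Not Configured.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-SiteToZoneAssignments {
    # Site to Zone Assignment List writes one REG_SZ per site: name = URL pattern, data = zone number.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $zone = [int]$p.Value
        [pscustomobject]@{
            Site     = $p.Name
            Zone     = $zone
            ZoneName = $ZoneNames[$zone]
            # Heuristic: a bare "*", "http://*", "*.*" or similar trusts everything, not one site.
            Broad    = ($p.Name -match '^(\w+://)?\*(\.\*)?/?$')
        }
    }
}

function Get-AutomaticUpdatesPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $opt = Get-PolicyValue $key 'AUOptions'
    [pscustomobject]@{
        NoAutoUpdate  = Get-PolicyValue $key 'NoAutoUpdate'       # 1 = policy set to Disabled
        AUOptions     = $opt
        Meaning       = if ($opt) { $AUOptions[[int]$opt] } else { 'Not Configured' }
        ScheduledDay  =  Get-PolicyValue $key 'ScheduledInstallDay'
        ScheduledTime = Get-PolicyValue $key 'ScheduledInstallTime'
    }
}

function Get-DomainFirewallPolicy {
    # "Windows Firewall: Protect all network connections" (Domain Profile) = Disabled writes EnableFirewall = 0.
    $v = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' 'EnableFirewall'
    [pscustomobject]@{
        EnableFirewall         = $v
        State                  = if ($null -eq $v) { 'Not Configured' } elseif ($v -eq 0) { 'Firewall DISABLED by policy' } else { 'Firewall enabled by policy' }
        # The effective profile reflects local settings when no policy is present.
        EffectiveDomainProfile = (Get-NetFirewallProfile -Name Domain -ErrorAction SilentlyContinue).Enabled
    }
}

Get-SiteToZoneAssignments | Format-Table -AutoSize
Get-AutomaticUpdatesPolicy
Get-DomainFirewallPolicy
```

A Get-DomainFirewallPolicy result of "Firewall DISABLED by policy" is worth confirming is intentional: the policy in the previous tip turns off the host firewall on every machine the GPO reaches, so scoping that GPO tightly, or allowing only the specific inbound rules you need instead, keeps the rest of the fleet protected.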
How To Enable Remote Desktop Via Domain Group Policy Windows Server 2012 / 2008 R2 / 2008
Open Group Policy Management, create a new GPO, and edit it.
1. Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > "Windows Firewall: Allow inbound Remote Desktop exceptions"
2. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > enable the policy "Allow users to connect remotely using Remote Desktop Services". Note: this used to be Windows Components > Terminal Services > "Allow users to connect remotely using Terminal Services".
To deploy printers to users or computers by using Group Policy
To deploy printer connections to users or computers by using Group Policy, you must add the printer connections to a Group Policy object (GPO) as described in the following procedure.
1. Open Print Management.
2. In the left pane, click Print Servers, click the applicable print server, and click Printers.
3. In the center pane, right-click the applicable printer, and then click Deploy with Group Policy.
4. In the Deploy with Group Policy dialog box, click Browse, and then choose or create a new GPO for storing the printer connections.
5. Click OK.
6. Specify whether to deploy the printer connections to users, or to computers:
  - To deploy to groups of computers so that all users of the computers can access the printers, select the The computers that this GPO applies to (per machine) check box.
  - To deploy to groups of users so that the users can access the printers from any computer they log onto, select the The users that this GPO applies to (per user) check box.
7. Click Add.
8. Repeat steps 3 through 6 to add the printer connection setting to another GPO, if necessary.
9. Click OK.
Change Windows password in Remote Desktop
CTRL-ALT-END is the key combo to send a CTRL-ALT-DEL to the remote RDP desktop. Useful for changing passwords on workstations and servers remotely.
Permissions that need to be set to allow automate users home directory creations
When you configure home directory for user (from “Active directory users and computers” – in Windows 2000/2003/2008/2012 domain or “User manager for domains” – in NT4 domain), you should add root share that will contain the user home directory – \\servername\users$\%username%. To allow automatic creation of this home folder, there need to configure correct NTFS and Share permissions on home folder root share.
Right click the folder > Properties > Sharing > Advanced Sharing. Name the share and add a “$” to the end to make it a hidden share.
Click Permissions on the share.
To allow automate home directory creations, please make sure to apply this security settings on the root folder that should contain the user home directory.
Administrators: Full Control
System: Full Control
Authenticated Users: Full Control
Now click OK > OK to get back to the Folder Properties.
Now configure the NTFS permissions on the “Security” tab of the folder created earlier.
1. Turn off inheritance on the folder and copy the inherited permissions. You do this by:
a. Click the Advanced button on the Security tab.
b. Clear the Allow inheritable permissions to propagate to this object check box in the Advanced Security Settings dialog box.
c. Click Copy when prompted by the Security dialog box.
2. Click OK to return to the Security tab. Ensure we have the following permissions set:
Administrators: Full Control
System: Full Control
Creator Owner: Full Control
Authenticated Users: Read & Execute, List Folder Contents, Read
3. Change permissions for Authenticated Users so they cannot access other users’ folders. You do this by:
a. Click Advanced on the Security tab.
b. Click Authenticated Users, and then click Edit.
c. On the Permissions Entry for HOME dialog box, drop down the Apply onto and select This folder only.
d. Click OK twice.
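The same share and NTFS permissions applied from PowerShell instead of the GUI, as an added example that is not part of the original notes. The path D:\Users and the share name users$ are placeholders; Get-SmbShare/New-SmbShare need the SmbShare module (Server 2012 / Windows 8 or later; on older servers use net share). Rather than copying the inherited entries and then pruning them, the script disables inheritance, discards the inherited entries and adds the four required entries explicitly, which ends in the same ACL the steps above produce.

```powershell
# Added example, not from the original notes: create the hidden home-directory root
# share and apply the share and NTFS permissions described above with PowerShell.
# D:\Users and users$ are placeholders; change them to match your server.
#Requires -RunAsAdministrator
$Root      = 'D:\Users'
$ShareName = 'users$'   # trailing $ hides the share from browse lists

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Share permissions: Full Control for Administrators, SYSTEM and Authenticated Users.
# The share ACL is deliberately permissive; the NTFS ACL below is what isolates users.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root `
        -FullAccess 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users' | Out-Null
}

# NTFS permissions
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadExec    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute   # Read & Execute, List Folder Contents, Read
$Subtree     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisOnly    = [System.Security.AccessControl.InheritanceFlags]::None              # "This folder only"
$Propagate   = [System.Security.AccessControl.PropagationFlags]::None
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly       # subfolders and files only
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow

$Rules = @(
    # Administrators and SYSTEM: Full Control on the root and everything created under it
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', $FullControl, $Subtree, $Propagate, $Allow)
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', $FullControl, $Subtree, $Propagate, $Allow)
    # CREATOR OWNER: whoever creates a subfolder gets Full Control of it, so each user owns only their own folder
    New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER', $FullControl, $Subtree, $InheritOnly, $Allow)
    # Authenticated Users: read/list on the root folder only, so they cannot browse other users' folders
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\Authenticated Users', $ReadExec, $ThisOnly, $Propagate, $Allow)
)

$Acl = Get-Acl -Path $Root
$Acl.SetAccessRuleProtection($true, $false)              # step 1: stop inheriting from the parent
foreach ($Existing in @($Acl.Access)) {                   # drop any explicit entries already present
    if (-not $Existing.IsInherited) { $null = $Acl.RemoveAccessRule($Existing) }
}
foreach ($Rule in $Rules) { $Acl.AddAccessRule($Rule) }   # steps 2 and 3
Set-Acl -Path $Root -AclObject $Acl

# Verify the result: four entries, Authenticated Users with InheritanceFlags = None
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The entry worth checking in the output is the Authenticated Users line: its InheritanceFlags must be None, otherwise every newly created home folder inherits read access for all authenticated users and the per-user isolation described in step 3 is lost.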
How to set Internet time on Windows Server 2008 R2
To configure an internal time server to synchronize with an external time source, follow these steps:
1. Change the server type to NTP. To do this, follow these steps:
   - Click Start, click Run, type regedit, and then click OK.
   - Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
   - In the pane on the right, right-click Type, and then click Modify.
   - In Edit Value, type NTP in the Value data box, and then click OK.
2. Set AnnounceFlags to 5. To do this, follow these steps:
   - Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
   - In the pane on the right, right-click AnnounceFlags, and then click Modify.
   - In Edit DWORD Value, type 5 in the Value data box, and then click OK.
   Notes
   - If an authoritative time server that is configured to use an AnnounceFlag value of 0x5 does not synchronize with an upstream time server, a client server may not correctly synchronize with the authoritative time server when the time synchronization between the authoritative time server and the upstream time server resumes. Therefore, if you have a poor network connection or other concerns that may cause time synchronization failure of the authoritative server to an upstream server, set the AnnounceFlag value to 0xA instead of 0x5.
   - If an authoritative time server is configured to use an AnnounceFlag value of 0x5 and to synchronize with an upstream time server at a fixed interval that is specified in SpecialPollInterval, a client server may not correctly synchronize with the authoritative time server after the authoritative time server restarts. Therefore, if you configure your authoritative time server to synchronize with an upstream NTP server at a fixed interval that is specified in SpecialPollInterval, set the AnnounceFlag value to 0xA instead of 0x5.
3. Enable NTPServer. To do this, follow these steps:
   - Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
   - In the pane on the right, right-click Enabled, and then click Modify.
   - In Edit DWORD Value, type 1 in the Value data box, and then click OK.
4. Specify the time sources. To do this, follow these steps:
   - Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
   - In the pane on the right, right-click NtpServer, and then click Modify.
   - In Edit Value, type Peers in the Value data box, and then click OK.
   Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes that you make in step 5 will not take effect.
5. Select the poll interval. To do this, follow these steps:
   - Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
   - In the pane on the right, right-click SpecialPollInterval, and then click Modify.
   - In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
   Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.
6. Configure the time correction settings. To do this, follow these steps:
   - Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
   - In the pane on the right, right-click MaxPosPhaseCorrection, and then click Modify.
   - In Edit DWORD Value, click to select Decimal in the Base box.
   - In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
   Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend on the poll interval, network condition, and external time source.
   - Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
   - In the pane on the right, right-click MaxNegPhaseCorrection, and then click Modify.
   - In Edit DWORD Value, click to select Decimal in the Base box.
   - In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
   Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend on the poll interval, network condition, and external time source.
7. Close Registry Editor.
8. At the command prompt, type the following command to restart the Windows Time service, and then press Enter:
   net stop w32time && net start w32time
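The registry procedure above as a PowerShell script, added here as an example that is not part of the original notes. The peer names (taken from the w32tm command later on this page), the 900-second poll interval and the 3600-second phase-correction limits are illustrative values; the script picks AnnounceFlags 0xA rather than 0x5 because it also sets SpecialPollInterval, which is exactly the case the second note above warns about.

```powershell
# Added example, not from the original notes: the regedit steps above done with
# Set-ItemProperty. Values below are illustrative placeholders; adjust them.
#Requires -RunAsAdministrator
$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Step 4: space-delimited peer list. The ,0x1 flag makes W32Time honour
# SpecialPollInterval for that peer; without it step 5 has no effect.
$Peers = '0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1'

# Step 2: 5 = always announce as a reliable time source; 0xA = let the service
# announce automatically, i.e. only while it is actually synchronized upstream.
# 0xA is chosen here because SpecialPollInterval is set below (see the notes above).
$AnnounceFlags = 0xA

# Step 1: synchronize from the manual peer list
Set-ItemProperty -Path "$W32Time\Parameters" -Name Type -Value 'NTP' -Type String
# Step 2
Set-ItemProperty -Path "$W32Time\Config" -Name AnnounceFlags -Value $AnnounceFlags -Type DWord
# Step 3: serve time to clients (already 1 on a domain controller; set explicitly anyway)
Set-ItemProperty -Path "$W32Time\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
# Step 4
Set-ItemProperty -Path "$W32Time\Parameters" -Name NtpServer -Value $Peers -Type String
# Step 5: poll upstream every 15 minutes
Set-ItemProperty -Path "$W32Time\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 900 -Type DWord
# Step 6: refuse any single correction larger than one hour in either direction
Set-ItemProperty -Path "$W32Time\Config" -Name MaxPosPhaseCorrection -Value 3600 -Type DWord
Set-ItemProperty -Path "$W32Time\Config" -Name MaxNegPhaseCorrection -Value 3600 -Type DWord

# Step 8: restart the service so it reads the new values, then ask for a resync
Restart-Service -Name w32time
w32tm /resync /nowait | Out-Null

# Show what W32Time is now using as its source and which peers it knows about
w32tm /query /source
w32tm /query /peers
```

The phase-correction limits are the security-relevant knobs here: with them bounded, a bad or spoofed upstream answer cannot step the clock by hours at once, which matters because Kerberos tolerates only a small skew and certificate validity checks depend on the clock.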
How do I tell who is accessing my Windows Server 2008 server?
If you have a server hosting user profiles or home directories, you can check the output of NET SESSION from its console – this will give you the list of all computers and users connected to it.
Or NET SESSION > c:\sessions.txt to save this info to a text file.
Setup NTP server in Windows Server 2008 R2
Run these commands from a command prompt:
Stop the time service
net stop w32time
Set the manual peer list external servers
w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org,1.us.pool.ntp.org,2.us.pool.ntp.org,3.us.pool.ntp.org"
Set the connection as reliable
w32tm /config /reliable:yes
Start the time service back up
net start w32time
Test the configuration
w32tm /query /configuration
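A check to run after either the registry procedure or the w32tm commands above, added as an example that is not part of the original notes. It reads the same registry values the procedures set and compares them with what w32tm reports, so you can confirm both that the server is synchronized upstream and that the NtpServer provider is enabled (the value that decides whether clients can sync from this host).

```powershell
# Added example, not from the original notes: verify the W32Time configuration.
function Test-NtpServerConfig {
    $w32    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $params = Get-ItemProperty -Path "$w32\Parameters"
    $config = Get-ItemProperty -Path "$w32\Config"
    $server = Get-ItemProperty -Path "$w32\TimeProviders\NtpServer"

    # w32tm /query /source prints one line: the peer in use, or
    # "Local CMOS Clock" / "Free-running System Clock" when not synchronized
    $source = (w32tm /query /source) -join ''

    [pscustomobject]@{
        Type           = $params.Type                     # expected: NTP
        Peers          = $params.NtpServer                # expected: the manual peer list
        Source         = $source
        SyncedUpstream = ($source -notmatch 'CMOS|Free-running')
        NtpServerOn    = ($server.Enabled -eq 1)          # must be 1 to answer clients
        AnnounceFlags  = ('0x{0:X}' -f $config.AnnounceFlags)
        MaxPosPhaseSec = $config.MaxPosPhaseCorrection
        MaxNegPhaseSec = $config.MaxNegPhaseCorrection
    }
}

$Result = Test-NtpServerConfig
$Result | Format-List

if (-not $Result.SyncedUpstream) {
    Write-Warning "Not synchronized with an upstream source yet; run 'w32tm /resync' and re-check."
}
if (-not $Result.NtpServerOn) {
    Write-Warning "NtpServer provider is disabled; clients cannot sync from this host. Set TimeProviders\NtpServer\Enabled to 1 (step 3 of the registry procedure)."
}
```

The second warning is the one most often hit on a standalone or member server: the w32tm commands configure where this host gets time from, but serving time to clients is controlled by the separate NtpServer Enabled value.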