Domain Controller Preference Order


How to configure locator preferences for domain controllers (DCs).  How to set priority and weight on domain controllers.  Force clients to consistently connect to the same domain controller.


Clients connect to different DCs within the same site.  IPv4 DNS server search has no effect on this random behavior.  


(a) Assign priority and weights to DNS SRV-records via GPO (i.e., registry changes);
(b) Or, change subnet topology for simple DC Subnet Prioritization;


All DCs are located within the same Active Directory (AD) site.

Domain Controller Priority within a Site

Domain DNS SRV-records assign priority and weight values that determine DC preference.  Clients connect to the domain controller (DC) with the lowest priority value.  By default, priority for all DCs is set to zero.  For example, assume a site has two DCs:
  • ·     DC-X with a priority of 0 (i.e., preferred).
  •        DC-Y with a priority of 2.
In this example, Windows clients connect to DC-X because it has the lowest priority value.  Clients only connect to DC-Y when DC-X is unavailable (e.g., maintenance).  

Domain Controller Weights

What happens when all the DCs share the same priority?  In this situation, DC preference is determined by SRV-record weight values.  Unlike priority, clients prefer higher weight values over lower values.

What happens if all DCs have the same weight values?  By default, DCs weight value is set to 100.  Clients connect round-robin when all DCs use the same priority and weight values.

What happens when same-site DCs have the same priority and different weight values?  Weight is not absolute.  Weight is proportionate.  In other words, clients may disproportionately connect to any available DC. 

Clients are more likely to connect to DCs with higher weights.  Clients are less likely to connect to lower weights DCs.  Weight preference uses a simple formula:  DC weight (i.e., single server) divided by the sum of all DCs weights:

For Example, assume three DCs within a single AD site (Table 1):

Table 1
Determine domain controller preference based on weights.

Connection Odds
 = 10/60
 = 1/6
 = 20/60
 = 2/6
 = 30/60
 = 1/2
Note:  This assumes client and domain controllers reside in the same site and use the same priority values.

DC Preference Configuration

  1. Set priority and weight via the registry:
  2. Create new 32-bit DWORDs:
  3. Assign DC priority and weight values.
  4. Restart the NETLOGON service to publish to SRV records

Subnet Prioritization

Clients prefer to connect to DCs on the same IP subnet.  For example, let’s say we have a single AD site.  This site consists of one Windows 10 client and two DCs (Table2):

Subnet Prioritization

IP address
Preferred DC

  Note:  All hosts reside in the same AD site.  DC01 and DC02 use default weight and priority values.

In this situation, all hosts belong to the same AD-site.  Both DCs have the same preference values (i.e., default).   WIN-10 and DC-X belong to the same IP subnet.  However, DC-Y resides on a separate IP subnet.  DC-X is the preferred DC.  Clients only connect to DC-y when DC-X is unavailable (e.g., maintenance).  

Additional Thoughts:

I recommend minimal registry changes –especially to DCs.  Implement priority and weight changes with caution.  Also consider, registry changes can be difficult to troubleshoot.  Therefore, it’s prudent to push these changes out via GPO. 
Subnet Prioritization seems to be the simplest approach.  That is, if you’re comfortable with internetworking.  Simply create a new gateway.  Add routes.  Assign the subnet to the second DC.  Done.

That’s It!


Fix the Shutdown Event Tracker in RDP


How to disable the unexpected shutdown prompt for remote desktop users.  The remote desktop server (RDS) displays the shutdown tracker warning after patching updates.  This shutdown error causes confusion and unnecessary help desk calls.


Remove local\Users group permissions from shutdown.exe:  c:\windows\system32\shutdown.exe


Both local administrators and local users, have read and execute permissions, on this system file.  Remove the local user group in order to hide unwanted shutdown messages.  Also note, this change may require ownership changes from the Trusted Installer to the local administrator group.

That's It!

How to Setup a Virtual Smart Card

Fun with Virtual Smart Cards!


Steps on how to enable a virtual smart card.


Virtual smart cards require a computer with an initialized TPM.  N.B., Windows 10 initializes the TPM by default.

Virtual Smart Card Configuration:

tpmvscmgr.exe create /name VSC /pin prompt /puk prompt /adminkey random /generate

Reset the Virtual Smart Card:

tpmvscmgr.exe destroy /instance root\smartcardreader\0000

PINs, PUKs, and Keys:

  1. Smart Card Personal Identity Number (PIN).  The PIN is essentially a password.  The PIN can be changed by the end user from any domain computer:

     CRTL-ALT-Delete → Change Password → Change PIN.
  2. Smart Card Personal Unlock Key (PUK).  Windows locks the PIN after three unsuccessful attempts.  End users can use their PUK to unblock their PIN:

     CRTL-ALT-Delete → Change Password → Unblock Smart Card.

    The PUK is optional but I recommend it.   It's simply too easy to lock the PIN! 

    The PUK changes the PIN.  Keep the PUK safe and only use it when its absolutely necessary.

    In addition, Windows does not include native tools to change the PUK. In order to choose a new PUK, the virtual smart card must first be deleted (i.e., destroyed) and then recreated.  Of course, this process deletes all certificates on the smart card.
  3. Admin Key.  The key benefit to the admin key is that it allows Administrators to generate certificate keys for enrolling-on-the-behalf of others.  Organizations that do not use enrollment stations should simply generate a random admin key.    


Quickly Uninstall Single KB Update


Uninstalling Windows Updates is a pain in the neck!
  • The Windows Update GUI provides a long list of KB updates.  
  • Updates are organized by date and not by KB numbers.  
  • It lacks a built-in search function! 

Figure 1.  Windows Update History:
No search for you (CRL+F)!   :(


Use the command line to search and uninstall specific updates.

List installed patches:
wmic qfe list

Uninstall specific patch:
wusa /uninstall /kb:xxxxx

That's It!

Fix Chrome Extensions in RDP


RDP users cannot install Chrome extensions from the Chrome Web Store.


  • Could not install package
Figure 1:  Chrome Temp Directory Error


  1. User logs onto RDP.  User does not open Chrome.
  2. Admin creates a new directory on the system drive.  This new directory holds user Chrome AppData.  For example:  c:\\mkdir c:\Temp\RDP\
  3. Move user’s Chrome AppData to the new directory.  For example:
    c:\move "c:\users\stevenjordan\AppData\Local\Google\Chrome" "c:\temp\RDP\stevenjordan\"
  4. Delete original folder if necessary. 
  5. Create new symbolic junction where the old data was located.  This junction links to the new location:

c:\mklink /j c:\users\stevenjordan\AppData\Local\Google\Chrome\

Junction created for c:\users\smjordan\AppData\Local\Google\Chrome\
=== c:\temp\RDP\stevenjordan\Chrome\
Figure 2:  New Symbolic Junction for Chrome extension.


Chrome extensions reference DOS device paths.  Let's consider how dynamic profile disks use symbolic junctions that point to different disks:
c:\Users  dir 
02/23/2018  11:29 AM  bgates {\??\Volume{a5ae22c7-18b8-11e8-968e-00145de79140}
The junction link causes the problem.  Ironically, a second junction link fixes this issue:

c:\Users\bgates\AppData\Local\Google dir
 Directory of c:\Users\bgates\AppData\Local\Google

02/20/2018  10:58 AM   DIR
02/20/2018  10:58 AM   DIR
02/20/2018  10:58 AM   JUNCTION  Chrome c:\temp\RDP\bgates\Chrome
09/16/2015  07:46 AM   DIR       Chrome Cleanup Tool
05/14/2014  06:09 AM   DIR       CrashReports
03/11/2014  04:26 PM   DIR       Google Talk
12/04/2017  02:27 AM   DIR       Software Reporter Tool

0 File(s)              0 bytes
7 Dir(s)  36,942,458,880 bytes free
Note how the new junction link points to the system drive.

Additional Thoughts:

This solution is implemented on a per-user basis.  It does not universally "fix" Chrome extensions for all RDP users.  Nonetheless, it may be a good fit because it narrows the scope of untrusted applications.

Alternatively, use Group Policy to change user environmental variables:

Group Policy
→ Computer Configuration
      → Administrative Templates
         → System
            → Group Policy
               → Configure user Group Policy loopback processing mode:
                       Enabled:  On
                       Mode:  Merge

   → User Configuration
      → Windows Settings
         → Preferences
            → Environment (right-click) → New
               → New Environment Properties:
                      Action:  Update
                      User Variable=Check
              → Environment (right-click) → New
                      Action:  Update
                      User Variable=Check

This change has a wider-scoping impact.  It affects all related AppData programs -not just Chrome.  It impacts all RDP users (without GP filtering).  Avoid the system drive if possible -use a secondary disk instead.  In addition, loopback processing applies user configurations to computer objects (i.e., RDP servers).

That's It!


Fix Broken Checkpoints


How to delete Hyper-V checkpoints that cannot be deleted.


Checkpoint cannot be removed from the Hyper-V Manager.


  • Hyper-V Manager shows a checkpoint.  No option to remove checkpoint.
  • VM disk directory has VHDX and AVHD files:


1. Use PowerShell to view existing snapshot:
PS C:\Users Get-VMSnapshot -VMName

VMName  Name    SnapshotType CreationTime           
------  ----    ------------ ------------          
tfs     tfs     (2/13/2018 - 2:52:36 PM) Standard
2. Remove VM-Snapshot.
PS C:\User Get-VMSnapshot -VMName tfs | Remove-VMSnapshot 3. Confirm Snapshot has been removed.

PS C:\Users Get-VMSnapshot -VMName tfs
PS C:\Users
That's It!

How to Setup BranchCache


Quick and Easy BranchCache Setup.


 This article provides instructions on how to implement BranchCache.


  • Three office locations:  
    • Primary office in Atlanta (ATL).   
    • Branch offices in Chicago (CHI) and Washington D.C (DCA).
  • CHI and ATL host local file servers (i.e., hosted cache mode).
  • DCA is the only office without a dedicated file server (i.e., distributed cache mode).
  • All clients use Windows Enterprise.

Implement BranchCache:

  • Install the BranchCache Role and Feature.
  • BranchCace SSL Certificates.  
  • BranchCache Group policy.

Step 1.  Add Roles and Features.

Run the Add Roles and Features Wizard on each file server.  Install the (a) BranchCache for Network Files Role; and (b)the BranchCache Feature.
Install-WindowsFeature BranchCache -IncludeManagementTools Enable-BCHostedServer -RegisterSCP

Step 2.  Adjust Caching.

BranchCache stores files in two directories:  (a) HashCache and (b) DataCache.
File servers store file hashes in the HashCache directory.  Remote Hosted Cache servers, as well as Distributed Cache clients, use files hashes for content tracking and updates.

The DataCache directory stores content derived from the hash.  This directory contains cached remote content (i.e., files) that are served to local clients.  Both directories are stored on the system drive -not good!

Adjust the Cache Location:

netsh branchcache set publicationcache directory=D:\BranchCache\ netsh branchcache set localcache directory=D:\LocalCache\

The default HashCache size is a measly 1% of the system disk.  The Data Cache is slightly improved with 5% of total disk.  Now consider that most system drives hold less that than 100GB.  5GB does not provide enough storage to make BrachCache worthwhile.  Let's make BrachCache useful:

Adjust the Cache Size:

Netsh branchcache set publicationcachesize size=5 percent=TRUE Netsh branchcache set localcachesize size=5 percent=TRUE
Additional caching attributes will be configured via Group Policy (Step 4).

Step 3. BranchCache SSL

BranchCache SSL certificates support Windows 7 clients.  It's not necessary for organizations with only Windows 8 or Windows 10 clients.  Of course, the file server will probably require certificates for other services -just not BranchCache.
Any trusted SSL certificate will work with BranchCache.  We simply need to associate the server certificate with BranchCache:  
  1. Add a server certificate in the personal certificate directory for each  BranchCache hosted cache server (e.g., ATL and CHI).
  2. Bind the SSL certificate hash (i.e., thumbprint) to the hosted cache server.  Use the following command: NETSH HTTP ADD SSLCERT IPPORT= CERTHASH=xxxxxxxxxxx APPID={d673f5ee-a714-454d-8de2-492e4c1bd8f8}
    N.B.,  CERTHASH is the certificate's thumbprint.  Further certificate information found here.

Step 4.  Group Policy

Use Group Policies to adjust caching attributes and client settings.

Policies for the File Servers:  

Table 1.  BranchCache Policy for File Servers.

Turn on BranchCache
  Administrative Templates/
Hash Publication for BranchCache
Administrative Templates/  Network/
Value 2
(Hash publication for all shared folders).
MinContentLength Registry Key
Windows Settings/

Default caching 64KB. 
New caching 32K.
Set as low as 4KB. 

N.B., Low values may impact performance.

Policies for Windows clients:

Table 2.  BranchCache policies for Win 8 and Win 10:
Turn on BranchCache
 Administrative Templates/
Configure BranchCache for network files
Computer Configuration/
 Administrative Templates/
Enable Automatic Hosted Cache Discovery by Service Connection Point
Computer Configuration/
 Administrative Templates/
Set BranchCache Distributed Cache mode
Computer Configuration/
 Administrative Templates/
Note:  BranchCache for network files uses round trip latency.  Value 10 = 10ms.  Hosted Cache mode is for location with dedicated file servers.  Distributed Caching is for locations without dedicated file servers.

BranchCache Firewall Policies:

     BranchCache requires inbound and outbound client firewall rules.
Table 3.  BranchCache Inbound Firewall Group Policies
BranchCache Content Retrieval (HTTP-In)
Computer Configuration/
   Windows  Settings/
    Security Settings/
     Windows Firewall with
      Advanced Security/
       Inbound Rules
a. Right-click Inbound Rules. 

b. Left-click New Rule.    

c. Add predefined BranchCache rules.
BranchCache Hosted Cache Server (HTTP-In)
BranchCache Peer Discovery (WSD-In)
BranchCache Content Retrieval (HTTP-Out)
Computer Configuration/
   Windows  Settings/
    Security Settings/
     Windows Firewall with
      Advanced Security/
       Outbound Rules
a. Right-click Inbound Rules.
b. Left-click New Rule.

c. Add predefined BranchCache rules.
BranchCache Hosted Cache Clietnt (HTTP-Out)
BranchCache Hosted Cache Server (HTTP-Out)
BranchCache Peer Discovery (WSD-Out)

Optional:  BranchCache for WSUS and IIS Servers

BranchCache also accelerates content for web servers and BITS application servers.  Simply install the BranchCache feature and ensure the service is running.  No other configuration steps are necessary.  


User PowerShell and Performance monitor to ensure BranchCache works:
That's It!


Force AD DC Replication CMD


Synchronize Active Directory in a flash.


How to quickly force domain controller replication throughout the domain.


   repadmin /syncall /AdeP

That's It!

Check DFSR for Backlogs


Determine if file share replication is up-to-date between shares.


DFS replication propagation reports show usually high replication times (e.g., 11 days instead of 11 seconds).  Users complain about missing data.


Use DFS diagnostic commands to check for backlogs.  Large backlogs indicate replication problems (e.g., insufficient staging size, failed pre-seeding, etc.).


C:\dfsrdiag backlog /rgname:"contoso\data\content" /rfname:Namespace-Folder /sendingmember:server1-hostname /receivingmember:server2-hostname

No Backlog - member 


Fix Win NAT-T for L2TP and IKEv2


Windows 2012 RRAS IPsec VPN does not support NAT-T out-of-the-box.  By default, RRAS only works with public IP addresses -no NAT.  Windows 10 clients cannot connect with L2TP from outside the office.  Windows 2016 does not support L2TP for any client from behind routers running NAT.


Enable NAT-T on both Windows servers and the clients.  NAT-T allows the VPN server to serve clients (e.g., Windows 10, Android, Apple iOS) from behind the NAT device.  Modify MTU. 


Why NAT-T? 

IPsec uses Encapsulating Security Payload (ESP) to encrypt packet headers and payloads.  By default, ESP is not compatible with Port Address Translation (PAT).  This is because TCP uses ports and ESP does not.  

TCP and ESP are different Internet protocols. TCP uses protocol number 6.  N.B., TCP protocol number 6 is not the same thing as TCP port 6.  TCP ports are communication endpoints.  For example, TCP uses port 80 for web traffic.  

ESP uses protocol (i.e., not port) number 50.   ESP is a protocol without ports.  Network Address Translation (NAT) uses port translation PAT to bind traffic flows with internal hosts.  Therefore, ESP does not work with NAT.

NAT-T allows ESP to work from behind NAT.  It encapsulates ESP protocol 50 inside User Datagram Protocol (UDP) 4500.   N.B, NAT-T is not the same as IPsec over UDP.

Enable NAT-T 

NAT-T is enabled on most operating systems (e.g., Android) -Windows is the exception.  Fortunately,  we can enable NAT-T on Windows 10 and Windows 2012 with a few simple changes. 

Windows IPsec clients are supposed to work from any location.  Therefore, only enable NAT-T on the 2012 RRAS server.  

Create a new registry key to enable NAT-T.

  1.   Edit Registry or create GPO:


  1.   Create new DWORD value:   AssumeUDPEncapsulationContextOnSendRule

  1.   Modify DWORD value:  2

These changes will fix those pesky L2TP-NAT problem.  

Troubleshooting Issues

Make sure clients use the latest edition of Windows 10.  Early versions had quirks where clients simply would not connect via NAT-T.  

   NAT-T does not work with  the following editions:

  • version 10240
  • version 1511 (i.e. November Update)
   Unconfirmed (may or may not work):  
  • version 1607 (i.e., Anniversary Update)

  • version 1703 (i.e., Creators Update)
   NAT-T works great with the registry fix and Creators Update.


Some folks had to toggle the NAT-T registry value in order to connect (  I assume this fix was for the November or Anniversary Update.  


Don't forget to adjust the Max Segment Size (MSS):  

That's It!