Domain Controller Preference Order

Outline:

How to configure locator preferences for domain controllers (DCs).  How to set priority and weight on domain controllers.  Force clients to consistently connect to the same domain controller.

Problem: 

Clients connect to different DCs within the same site.  The IPv4 DNS server search order has no effect on this random behavior.

Solution:

(a) Assign priority and weight values to the DNS SRV records via GPO (i.e., registry changes); or
(b) Change the subnet topology for simple DC subnet prioritization.

Assumptions:

All DCs are located within the same Active Directory (AD) site.

Domain Controller Priority within a Site

The domain's DNS SRV records carry priority and weight values that determine DC preference.  Clients connect to the domain controller (DC) with the lowest priority value.  By default, the priority for all DCs is set to zero.  For example, assume a site has two DCs:
  • DC-X with a priority of 0 (i.e., preferred).
  • DC-Y with a priority of 2.
In this example, Windows clients connect to DC-X because it has the lowest priority value.  Clients only connect to DC-Y when DC-X is unavailable (e.g., maintenance).

Domain Controller Weights

What happens when all the DCs share the same priority?  In this situation, DC preference is determined by SRV-record weight values.  Unlike priority, clients prefer higher weight values over lower values.

What happens if all DCs have the same weight values?  By default, the DC weight value is set to 100.  Clients connect round-robin when all DCs use the same priority and weight values.

What happens when same-site DCs have the same priority and different weight values?  Weight is not absolute.  Weight is proportionate.  In other words, clients may disproportionately connect to any available DC. 

Clients are more likely to connect to DCs with higher weights and less likely to connect to DCs with lower weights.  Weight preference uses a simple formula:  the weight of a single DC divided by the sum of the weights of all DCs (with the same priority):

          Connection odds (DC) = Weight (DC) / Sum of Weights (all DCs)

For example, assume three DCs within a single AD site (Table 1):

Table 1.  Determine domain controller preference based on weights.

Domain Controller   Priority (Default)   Weight   Formula                         Connection Odds
DC10                0                    10       10/(10+20+30) = 10/60 = 1/6     17%
DC20                0                    20       20/(10+20+30) = 20/60 = 2/6     33%
DC30                0                    30       30/(10+20+30) = 30/60 = 1/2     50%

Note:  This assumes the client and domain controllers reside in the same site and use the same priority values.

DC Preference Configuration

  1. Set priority and weight via the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  2. Create new 32-bit DWORDs:
    LdapSrvWeight
    LdapSrvPriority
  3. Assign DC priority and weight values.
  4. Restart the NETLOGON service so the new values are published in the SRV records.
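The weight arithmetic from Table 1 and the registry steps above, as an added PowerShell example (not the original post's code) to run elevated on a DC.  The weight table, the priority value 2 and the domain name are constructed, and the SRV record name assumes a standard _msdcs zone.

```powershell
# Added example (not from the original post): compute the connection odds from
# Table 1, apply LdapSrvPriority/LdapSrvWeight on this DC and then verify the
# priority/weight that Netlogon actually published in DNS.
# Assumptions: the weight table and the priority value 2 are constructed.

$weights = [ordered]@{ 'DC10' = 10; 'DC20' = 20; 'DC30' = 30 }   # all at priority 0
$total   = ($weights.Values | Measure-Object -Sum).Sum
foreach ($dc in $weights.Keys) {
    $odds = [math]::Round(100 * $weights[$dc] / $total)             # 17, 33, 50
    '{0,-6} weight {1,3}  -> {2,3}% of client connections' -f $dc, $weights[$dc], $odds
}

# Apply a priority/weight to the local DC (here DC-Y from the first example:
# priority 2 keeps it as the standby). Both values are 32-bit REG_DWORDs.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $key -Name 'LdapSrvPriority' -PropertyType DWord -Value 2   -Force | Out-Null
New-ItemProperty -Path $key -Name 'LdapSrvWeight'   -PropertyType DWord -Value 100 -Force | Out-Null

# Netlogon re-registers its SRV records when it restarts.
Restart-Service Netlogon

# Verify what clients will see: the site-specific SRV answer carries the
# priority and weight registered by every DC in this site.
$domain = $env:USERDNSDOMAIN.ToLower()          # e.g. corp.example (constructed)
$site   = (nltest /dsgetsite)[0].Trim()         # AD site this host belongs to
Resolve-DnsName -Type SRV "_ldap._tcp.$site._sites.dc._msdcs.$domain" |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
```

If a DC still shows the old values after the restart, check that the DNS zone allows dynamic updates and that no stale static SRV record overrides the registration.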

Subnet Prioritization

Clients prefer to connect to DCs on the same IP subnet.  For example, let's say we have a single AD site.  This site consists of one Windows 10 client and two DCs (Table 2):

Table 2.  Subnet Prioritization

Host     Priority   Weight   IP address          Preferred DC
WIN-10   -          -        192.168.1.1/24      -
DC-X     0          100      192.168.1.100/24    Yes
DC-Y     0          100      192.168.2.100/24    No

Note:  All hosts reside in the same AD site.  DC-X and DC-Y use default weight and priority values.

In this situation, all hosts belong to the same AD site.  Both DCs have the same preference values (i.e., the defaults).  WIN-10 and DC-X belong to the same IP subnet, whereas DC-Y resides on a separate IP subnet.  DC-X is therefore the preferred DC.  Clients only connect to DC-Y when DC-X is unavailable (e.g., maintenance).

Additional Thoughts:

I recommend minimal registry changes, especially on DCs.  Implement priority and weight changes with caution.  Also consider that registry changes can be difficult to troubleshoot.  Therefore, it's prudent to push these changes out via GPO.

Subnet Prioritization seems to be the simplest approach.  That is, if you’re comfortable with internetworking.  Simply create a new gateway.  Add routes.  Assign the subnet to the second DC.  Done.

That’s It!

Fix the Shutdown Event Tracker in RDP
Problem:

How to disable the unexpected shutdown prompt for remote desktop users.  The remote desktop server (RDS) displays the shutdown tracker warning after patching updates.  This shutdown error causes confusion and unnecessary help desk calls.

Solution:

Remove the local Users group's permissions from shutdown.exe:  c:\windows\system32\shutdown.exe

Both local Administrators and local Users have read and execute permissions on this system file.  Remove the local Users group in order to hide the unwanted shutdown messages.  Also note that this change may require changing the file's ownership from TrustedInstaller to the local Administrators group.
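An added PowerShell example (not from the original post) that makes the ownership and ACL change above with takeown and icacls, saving the original ACL first so it can be restored; the backup path is a constructed placeholder.

```powershell
# Added example (not from the original post): remove the BUILTIN\Users ACE from
# shutdown.exe on an RDS host, keeping a copy of the original ACL.
# Run from an elevated prompt. C:\Temp\shutdown-acl.bak is a constructed path.
$sys32  = "$env:SystemRoot\System32"
$backup = 'C:\Temp\shutdown-acl.bak'

# 1. Save the current ACL. icacls /save records the file name relative to the
#    current directory, which is what /restore expects later.
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
Push-Location $sys32
icacls shutdown.exe /save $backup
Pop-Location

# 2. The file is owned by TrustedInstaller; give ownership to the local
#    Administrators group (/a) so the ACL can be edited at all.
takeown /f "$sys32\shutdown.exe" /a

# 3. Remove every grant for the local Users group and leave the rest intact.
icacls "$sys32\shutdown.exe" /remove:g 'BUILTIN\Users'

# 4. Verify: Users should no longer appear in the access list.
(Get-Acl "$sys32\shutdown.exe").Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# Revert, if needed:  icacls "$env:SystemRoot\System32" /restore C:\Temp\shutdown-acl.bak
```

Windows servicing (sfc, cumulative updates) can replace the file and reset its ownership and ACL, so re-check the permissions after patching.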

That's It!

How to Setup a Virtual Smart Card


Fun with Virtual Smart Cards!
Outline:

Steps on how to enable a virtual smart card.

Assumptions:

Virtual smart cards require a computer with an initialized TPM.  N.B., Windows 10 initializes the TPM by default.

Virtual Smart Card Configuration:

tpmvscmgr.exe create /name VSC /pin prompt /puk prompt /adminkey random /generate

Reset the Virtual Smart Card:

tpmvscmgr.exe destroy /instance root\smartcardreader\0000

PINs, PUKs, and Keys:

  1. Smart Card Personal Identity Number (PIN).  The PIN is essentially a password.  The PIN can be changed by the end user from any domain computer:

     CTRL-ALT-Delete → Change Password → Change PIN.
  2. Smart Card Personal Unlock Key (PUK).  Windows locks the PIN after three unsuccessful attempts.  End users can use their PUK to unblock their PIN:

     CTRL-ALT-Delete → Change Password → Unblock Smart Card.

     The PUK is optional but I recommend it.   It's simply too easy to lock the PIN!

     The PUK changes the PIN.  Keep the PUK safe and only use it when it's absolutely necessary.

     In addition, Windows does not include native tools to change the PUK.  In order to choose a new PUK, the virtual smart card must first be deleted (i.e., destroyed) and then recreated.  Of course, this process deletes all certificates on the smart card.
  3. Admin Key.  The key benefit of the admin key is that it allows administrators to generate certificate keys for enrolling on behalf of others.  Organizations that do not use enrollment stations should simply generate a random admin key.

References:

https://docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started

Quickly Uninstall Single KB Update
Problem: 

Uninstalling Windows Updates is a pain in the neck!
  • The Windows Update GUI provides a long list of KB updates.  
  • Updates are organized by date and not by KB numbers.  
  • It lacks a built-in search function! 

Figure 1.  Windows Update History:  no search for you (CTRL+F)!   :(
Solution:

Use the command line to search and uninstall specific updates.

List installed patches:
wmic qfe list

Uninstall specific patch:
wusa /uninstall /kb:xxxxx
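An added PowerShell example (not from the original post) that wraps the two commands above into a search-then-uninstall helper; KB5000000 is a constructed placeholder, not a real update number.

```powershell
# Added example (not from the original post): find an installed update by KB
# number (the search the GUI lacks) and remove it unattended with wusa.
# KB5000000 below is a constructed placeholder.

function Find-InstalledKB {
    param([Parameter(Mandatory)][string]$KB)       # 'KB5000000' or '5000000'
    $id = 'KB' + ($KB -replace '^KB', '')
    # Get-HotFix reads the same Win32_QuickFixEngineering data as 'wmic qfe list'.
    Get-HotFix | Where-Object HotFixID -eq $id |
        Select-Object HotFixID, Description, InstalledOn, InstalledBy
}

function Uninstall-KB {
    param([Parameter(Mandatory)][string]$KB, [switch]$NoRestart)
    $number = $KB -replace '^KB', ''
    if (-not (Find-InstalledKB $number)) { throw "KB$number is not installed" }

    $wusaArgs = @('/uninstall', "/kb:$number", '/quiet')
    if ($NoRestart) { $wusaArgs += '/norestart' }
    # wusa returns 0 on success and 3010 when a reboot is still pending.
    $p = Start-Process wusa.exe -ArgumentList $wusaArgs -Wait -PassThru
    $p.ExitCode
}

# Usage: confirm the match first, then remove it without rebooting.
Find-InstalledKB 'KB5000000'
Uninstall-KB 'KB5000000' -NoRestart
```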

That's It!

Fix Chrome Extensions in RDP
Problem:  

RDP users cannot install Chrome extensions from the Chrome Web Store.

Errors:

  • Could not install package
  • COULD_NOT_GET_TEMP_DIRECTORY

Figure 1:  Chrome Temp Directory Error
Solution:

  1. User logs onto RDP.  User does not open Chrome.
  2. Admin creates a new directory on the system drive.  This new directory holds the user's Chrome AppData.  For example:
     c:\>mkdir c:\Temp\RDP\
  3. Move the user's Chrome AppData to the new directory.  For example:
     c:\>move "c:\users\stevenjordan\AppData\Local\Google\Chrome" "c:\temp\RDP\stevenjordan\"
  4. Delete the original folder if necessary.
  5. Create a new symbolic junction where the old data was located.  This junction links to the new location:

c:\>mklink /j c:\users\stevenjordan\AppData\Local\Google\Chrome\ "c:\temp\RDP\stevenjordan\Chrome\"
Junction created for c:\users\smjordan\AppData\Local\Google\Chrome\ <<===>> c:\temp\RDP\stevenjordan\Chrome\

Figure 2:  New Symbolic Junction for Chrome extension.
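Steps 2 to 5 above as one added PowerShell script (not from the original post), with the checks an admin wants before moving a profile: Chrome must not be running for that user, the script is safe to re-run, and the relocated folder is locked down to its owner.  The user name, the target root and the domain-account assumption are constructed.

```powershell
# Added example (not from the original post): move a user's Chrome profile off
# the profile disk and leave a junction behind (steps 2-5 above). Run elevated
# after the user has logged on but before Chrome starts. The user name and the
# target root are constructed values; the user is assumed to be a domain account.
param(
    [string]$User = 'stevenjordan',
    [string]$Root = 'C:\Temp\RDP'
)
$src = "C:\Users\$User\AppData\Local\Google\Chrome"
$dst = Join-Path $Root "$User\Chrome"

# Refuse to touch a live profile: moving it while Chrome runs corrupts it.
$running = Get-Process chrome -IncludeUserName -ErrorAction SilentlyContinue |
    Where-Object { $_.UserName -like "*\$User" }
if ($running) { throw "Chrome is running for $User; close it first." }

# Idempotent: if the path is already a reparse point the work has been done.
$item = Get-Item $src -ErrorAction SilentlyContinue
if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
    Write-Host "$src is already a junction -> $($item.Target)"
    return
}

New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
if ($item) {
    Move-Item -Path $src -Destination $dst        # steps 3-4: the old folder goes away
} else {
    New-Item -ItemType Directory -Path $dst -Force | Out-Null   # Chrome never ran yet
}
# Step 5: junction at the old location, pointing at the system drive.
New-Item -ItemType Junction -Path $src -Target $dst | Out-Null

# The relocated profile is per-user data; keep other RDP users on this host out.
icacls $dst /inheritance:r /grant:r "${env:USERDOMAIN}\${User}:(OI)(CI)F" `
    'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

Get-Item $src | Select-Object FullName, LinkType, Target
```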
Analysis:

Chrome extensions reference DOS device paths.  Let's consider how dynamic profile disks use symbolic junctions that point to different disks:

c:\Users>dir
02/23/2018  11:29 AM    <JUNCTION>     bgates [\??\Volume{a5ae22c7-18b8-11e8-968e-00145de79140}]

The junction link causes the problem.  Ironically, a second junction link fixes this issue:

c:\Users\bgates\AppData\Local\Google>dir

 Directory of c:\Users\bgates\AppData\Local\Google

02/20/2018  10:58 AM    <DIR>          .
02/20/2018  10:58 AM    <DIR>          ..
02/20/2018  10:58 AM    <JUNCTION>     Chrome [c:\temp\RDP\bgates\Chrome]
09/16/2015  07:46 AM    <DIR>          Chrome Cleanup Tool
05/14/2014  06:09 AM    <DIR>          CrashReports
03/11/2014  04:26 PM    <DIR>          Google Talk
12/04/2017  02:27 AM    <DIR>          Software Reporter Tool
               0 File(s)              0 bytes
               7 Dir(s)  36,942,458,880 bytes free

Note how the new junction link points to the system drive.

Additional Thoughts:

This solution is implemented on a per-user basis.  It does not universally "fix" Chrome extensions for all RDP users.  Nonetheless, it may be a good fit because it narrows the scope of untrusted applications.

Alternatively, use Group Policy to change the user environment variables:

Group Policy
→ Computer Configuration
      → Administrative Templates
         → System
            → Group Policy
               → Configure user Group Policy loopback processing mode:
                       Enabled:  On
                       Mode:  Merge

   → User Configuration
      → Windows Settings
         → Preferences
            → Environment (right-click) → New
               → New Environment Properties:
                      Action:  Update
                      User Variable=Check
                      Name=Temp
                      Value=c:\Temp\RDP\%USERNAME%
              → Environment (right-click) → New
                      Action:  Update
                      User Variable=Check
                      Name=TMP
                      Value=c:\Temp\RDP\%USERNAME%

This change has a wider-scoping impact.  It affects all related AppData programs, not just Chrome.  It impacts all RDP users (without GP filtering).  Avoid the system drive if possible; use a secondary disk instead.  In addition, loopback processing applies user configurations to computer objects (i.e., RDP servers).

That's It!

References:
https://blogs.technet.microsoft.com/grouppolicy/2009/05/13/environment-variables-in-gp-preferences/
https://devtidbits.com/2009/09/07/windows-file-junctions-symbolic-links-and-hard-links/
https://blogs.msdn.microsoft.com/jeremykuhne/2016/04/21/path-format-overview/
https://blog.brankovucinec.com/2017/01/09/users-cant-install-google-chrome-extensions-on-rds-farm/

Fix Broken Checkpoints

Summary:

How to delete Hyper-V checkpoints that cannot be deleted.

Problem: 

Checkpoint cannot be removed from the Hyper-V Manager.

Symptoms:

  • Hyper-V Manager shows a checkpoint.  No option to remove checkpoint.
  • VM disk directory has VHDX and AVHD files:

Solution:

1. Use PowerShell to view the existing snapshot:

PS C:\Users> Get-VMSnapshot -VMName tfs.stevenjordan.net

VMName  Name                           SnapshotType  CreationTime
------  ----                           ------------  ------------
tfs     tfs (2/13/2018 - 2:52:36 PM)   Standard

2. Remove the VM snapshot:

PS C:\Users> Get-VMSnapshot -VMName tfs | Remove-VMSnapshot

3. Confirm the snapshot has been removed:

PS C:\Users> Get-VMSnapshot -VMName tfs
PS C:\Users>

That's It!

How to Setup BranchCache


Guide:  

Quick and Easy BranchCache Setup.

Overview:  

This article provides instructions on how to implement BranchCache.

Topology:  

  • Three office locations:
    • Primary office in Atlanta (ATL).
    • Branch offices in Chicago (CHI) and Washington, D.C. (DCA).
  • CHI and ATL host local file servers (i.e., hosted cache mode).
  • DCA is the only office without a dedicated file server (i.e., distributed cache mode).
  • All clients use Windows Enterprise.

Implement BranchCache:

  • Install the BranchCache role service and feature.
  • BranchCache SSL certificates.
  • BranchCache Group Policy.

Step 1.  Add Roles and Features.

Run the Add Roles and Features Wizard on each file server.  Install (a) the BranchCache for Network Files role service and (b) the BranchCache feature.

PowerShell (FS-BranchCache is the feature name of the BranchCache for Network Files role service):
Install-WindowsFeature FS-BranchCache, BranchCache -IncludeManagementTools
Enable-BCHostedServer -RegisterSCP

Step 2.  Adjust Caching.

BranchCache stores files in two directories:  (a) HashCache and (b) DataCache.

File servers store file hashes in the HashCache directory.  Remote hosted cache servers, as well as distributed cache clients, use the file hashes for content tracking and updates.

The DataCache directory stores content derived from the hash.  This directory contains the cached remote content (i.e., files) that is served to local clients.  By default, both directories are stored on the system drive, which is not good!

Adjust the Cache Location:

netsh branchcache set publicationcache directory=D:\BranchCache\
netsh branchcache set localcache directory=D:\LocalCache\

The default HashCache size is a measly 1% of the system disk.  The DataCache is slightly better at 5% of the total disk.  Now consider that most system drives hold less than 100GB.  5GB does not provide enough storage to make BranchCache worthwhile.  Let's make BranchCache useful:

Adjust the Cache Size:

netsh branchcache set publicationcachesize size=5 percent=TRUE
netsh branchcache set localcachesize size=5 percent=TRUE

Additional caching attributes will be configured via Group Policy (Step 4).

Step 3. BranchCache SSL

BranchCache SSL certificates support Windows 7 clients.  They are not necessary for organizations with only Windows 8 or Windows 10 clients.  Of course, the file server will probably require certificates for other services, just not for BranchCache.

Any trusted SSL certificate will work with BranchCache.  We simply need to associate the server certificate with BranchCache:
  1. Add a server certificate to the Personal certificate store of each BranchCache hosted cache server (e.g., ATL and CHI).
  2. Bind the SSL certificate hash (i.e., thumbprint) to the hosted cache server.  Use the following command:
     NETSH HTTP ADD SSLCERT IPPORT=0.0.0.0:443 CERTHASH=xxxxxxxxxxx APPID={d673f5ee-a714-454d-8de2-492e4c1bd8f8}
     N.B., CERTHASH is the certificate's thumbprint.  Further certificate information found here.

Step 4.  Group Policy

Use Group Policies to adjust caching attributes and client settings.

Policies for the File Servers:  

Table 1.  BranchCache Policy for File Servers.

Policy:    Turn on BranchCache
Path:      Computer Configuration/Administrative Templates/Network/BranchCache
Setting:   Enabled

Policy:    Hash Publication for BranchCache
Path:      Computer Configuration/Administrative Templates/Network/LanmanServer
Setting:   Enabled; Value 2 (Hash publication for all shared folders).

Policy:    MinContentLength Registry Key
Path:      Computer Configuration/Preferences/Windows Settings/Registry/MinContentLength
Setting:   REG_DWORD: 32768 (Decimal)
Function:  Default caching 64KB.  New caching 32KB.  Can be set as low as 4KB.

N.B., Low values may impact performance.

Policies for Windows clients:

Table 2.  BranchCache policies for Win 8 and Win 10:

Policy:    Turn on BranchCache
Path:      Computer Configuration/Administrative Templates/Network/BranchCache
Setting:   Enabled

Policy:    Configure BranchCache for network files
Path:      Computer Configuration/Administrative Templates/Network/BranchCache
Setting:   Enabled; Value: 10

Policy:    Enable Automatic Hosted Cache Discovery by Service Connection Point
Path:      Computer Configuration/Administrative Templates/Network/BranchCache
Setting:   Enabled

Policy:    Set BranchCache Distributed Cache mode
Path:      Computer Configuration/Administrative Templates/Network/BranchCache
Setting:   Enabled

Note:  BranchCache for network files uses round-trip latency.  Value 10 = 10ms.  Hosted Cache mode is for locations with dedicated file servers.  Distributed Cache mode is for locations without dedicated file servers.

BranchCache Firewall Policies:

BranchCache requires inbound and outbound client firewall rules.

Table 3.  BranchCache Firewall Group Policies

Policies:  BranchCache Content Retrieval (HTTP-In)
           BranchCache Hosted Cache Server (HTTP-In)
           BranchCache Peer Discovery (WSD-In)
Path:      Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Inbound Rules
Action:    a. Right-click Inbound Rules.
           b. Left-click New Rule.
           c. Add the predefined BranchCache rules.

Policies:  BranchCache Content Retrieval (HTTP-Out)
           BranchCache Hosted Cache Client (HTTP-Out)
           BranchCache Hosted Cache Server (HTTP-Out)
           BranchCache Peer Discovery (WSD-Out)
Path:      Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Outbound Rules
Action:    a. Right-click Outbound Rules.
           b. Left-click New Rule.
           c. Add the predefined BranchCache rules.

Optional:  BranchCache for WSUS and IIS Servers


BranchCache also accelerates content for web servers and BITS application servers.  Simply install the BranchCache feature and ensure the service is running.  No other configuration steps are necessary.  

Evaluate

Use PowerShell and Performance Monitor to ensure BranchCache works:
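An added PowerShell verification script (not from the original post) using the BranchCache module cmdlets and the BranchCache performance counter set; the Get-BCStatus sub-property names used here are assumptions to check against your server version.

```powershell
# Added example (not from the original post): check that BranchCache is enabled,
# that its caches live off the system drive (step 2) and how full they are, and
# whether clients are actually being served from cache. Run on a hosted cache
# server or a client. The ClientConfiguration/HostedCacheServerConfiguration
# property names are assumptions.
Import-Module BranchCache

$status = Get-BCStatus
[pscustomobject]@{
    ServiceRunning = $status.BranchCacheServiceStatus -eq 'Running'
    Enabled        = $status.BranchCacheIsEnabled
    ClientMode     = $status.ClientConfiguration.CurrentClientMode
    HostedServer   = $status.HostedCacheServerConfiguration.HostedCacheServerIsEnabled
} | Format-List

# Cache locations and fill level: both paths should point off the system drive
# after step 2, and the data cache should grow after the first remote access.
foreach ($cache in (Get-BCDataCache), (Get-BCHashCache)) {
    $cache | Select-Object CacheFileDirectoryPath,
        MaxCacheSizeAsPercentageOfDiskVolume,
        @{ n = 'UsedMB'; e = { [math]::Round($_.CurrentSizeOnDiskAsNumberOfBytes / 1MB, 1) } }
}

# Retrieval counters from the BranchCache counter set: bytes served from cache
# versus fetched from the server. A working deployment shows the cache counters
# rising on the second access to the same content.
$paths = (Get-Counter -ListSet 'BranchCache').Paths | Where-Object { $_ -like '*Retrieval*' }
if ($paths) {
    (Get-Counter -Counter $paths).CounterSamples |
        Select-Object @{ n = 'Counter'; e = { $_.Path.Split('\')[-1] } }, CookedValue |
        Sort-Object Counter
} else {
    Write-Warning 'BranchCache counter set not found: is the feature installed?'
}
```

The same counters can be added to a Performance Monitor data collector set to watch cache hit ratios over a week rather than at one point in time.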
That's It!


Force AD DC Replication CMD

Goal:  

Synchronize Active Directory in a flash.

Problem:  

How to quickly force domain controller replication throughout the domain.

Solution:

   repadmin /syncall /AdeP


That's It!