Channel: The Sysadmins

ADMT Series – 8. User Account Migration Wizard


In this post we'll run through the User Account Migration Wizard to migrate users from the source domain to the target domain. This guide covers migrating users that do not yet exist in the target domain; if they do, wait for the next article, which covers merging user accounts with an include file and/or migrating only the sIDHistory attribute (with no other attributes).

I have created 9 test users in the source domain, which are members of the global security group we migrated in the last series post.

Migrating Users

From the ADMT machine, run ADMT and select User Account Migration Wizard.

Select the source and target domain; you can also select which specific domain controller to use.

Select users from the domain or use an include file (the include file will be explained in the next ADMT Series post).

I've chosen 9 test user accounts.

Select the target OU.

Select Migrate Passwords and choose the source DC (the DC that the Password Export Server service is installed on). If you receive the error "Unable to establish a session with the password export server. The Password Export Services is not running on the source server.", go to the source DC and start the Password Export Server Service.

Tick Migrate user SIDs to target domain if you require sIDHistory.

Enter source domain credentials to add SID history.

You can exclude particular attributes of the user here. By default the wizard pulls across all attributes, such as home address, telephone numbers, descriptions etc. If you want to exclude any of these from being migrated, tick Exclude specific object properties from migration and select User in the object type box. Move any user properties you want to exclude into the excluded properties box.

Conflict management: if you are unsure whether a user with the same name already exists in the target domain, leave the default setting in place.

Click Finish.

If you click View Log you can see that the user object and password have been migrated. As we migrated the global group earlier, the user has also been added to it.

You can now see the users in the target domain.

Group membership updated.

SID history carried across.
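The three things the screenshots above confirm by eye (the account exists in the target domain, its sIDHistory holds the source SID, and the migrated group membership is present) can be checked for a whole batch with the ActiveDirectory module from the ADMT machine. This is an added example and not part of the original post; the domain names, group name and user list are assumptions, and it assumes the users keep the same sAMAccountName in both domains, as in the vanilla migration described here.

```powershell
# Added example (not from the original post): verify a batch of migrated users in the
# target domain - the account exists, its sIDHistory contains the source account's SID,
# and it is a member of the migrated group. Domain names, group name and user list
# are assumptions; a DC for each domain must be reachable from the ADMT machine.

Import-Module ActiveDirectory

$sourceDomain = 'source.local'                         # assumed source domain
$targetDomain = 'target.local'                         # assumed target domain
$groupName    = 'Migrated-Global-Group'                # assumed: the global group migrated earlier
$users        = @('jjackson', 'jcutler', 'bwarren')    # assumed sAMAccountNames (same in both domains)

function Test-MigratedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$SourceDomain,
        [Parameter(Mandatory)][string]$TargetDomain,
        [Parameter(Mandatory)][string]$GroupName
    )
    $src = Get-ADUser -Server $SourceDomain -Identity $SamAccountName
    $tgt = Get-ADUser -Server $TargetDomain -Filter "sAMAccountName -eq '$SamAccountName'" -Properties sIDHistory, memberOf
    if (-not $tgt) {
        return [pscustomobject]@{ User = $SamAccountName; Exists = $false; SidHistoryOk = $false; InGroup = $false }
    }
    # sIDHistory is a collection of SecurityIdentifier objects; compare on the SDDL string.
    $history = @($tgt.sIDHistory | ForEach-Object { $_.Value })
    $group   = Get-ADGroup -Server $TargetDomain -Identity $GroupName
    [pscustomobject]@{
        User         = $SamAccountName
        Exists       = $true
        SidHistoryOk = ($history -contains $src.SID.Value)
        InGroup      = (@($tgt.memberOf) -contains $group.DistinguishedName)
    }
}

$report = foreach ($u in $users) {
    Test-MigratedUser -SamAccountName $u -SourceDomain $sourceDomain -TargetDomain $targetDomain -GroupName $groupName
}
$report | Format-Table -AutoSize

# Anything that is not fully green should be cross-checked against the ADMT migration log.
$problems = @($report | Where-Object { -not ($_.Exists -and $_.SidHistoryOk -and $_.InGroup) })
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) user(s) did not migrate cleanly; check the ADMT migration log for each."
}
```

A missing SidHistoryOk on an otherwise migrated user usually means the Migrate user SIDs option was left unticked or the source credentials step failed, so it is worth running this before moving on to the security translation of the workstations.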

ADMT Series – 1. Preparing Active Directory
ADMT Series – 2. Preparing the ADMT Machine
ADMT Series – 3. SID History
ADMT Series – 4. Password Export Server
ADMT Series – 5. Machine Preparation
ADMT Series – 6. Service Account Migration Wizard
ADMT Series – 7. Group Account Migration Wizard
ADMT Series – 8. User Account Migration Wizard
ADMT Series – 9. Merging Users with a Different sAMAccountName
ADMT Series – 10. Security Translation Wizard - Local Profiles
ADMT Series – 11. Computer Migration Wizard


ADMT Series – 9. Merging Users with a Different sAMAccountName


In the last post we looked at a vanilla user account migration, assuming a clean target domain.

There may be a situation where the users have already been created in the target domain with a different sAMAccountName. For example, the user Branch Warren might have the sAMAccountName of bwarren in the source domain but branch.warren in the target.

Source

Target

To get around this you can use an include file to map the two different sAMAccountNames together when migrating. The include file uses the following format; with the example above it would look like this:

Sourcename,TargetSAM,TargetUPN
bwarren,branch.warren,branch.warren@target.local

Creating the Include File

To generate this list you can use CSVDE to pull out the required information from the two forests. The final include file will require a bit of manual preparation to get into the correct format.

From the source domain:

csvde -d "OU=source,DC=source,DC=local" -f sourceinclude.csv -l "sAMAccountName"

From the target domain:

csvde -d "OU=target,DC=target,DC=local" -f targetinclude.csv -l "sAMAccountName,userPrincipalName"

Create the include CSV file in the same format as the example above. I've created three users which I need to migrate and merge using an include file:

Sourcename,TargetSAM,TargetUPN
jjackson,Johnnie.Jackson,Johnnie.Jackson@target.local
jcutler,jay.cutler,jay.cutler@target.local
bwarren,branch.warren,branch.warren@target.local
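The manual preparation step above (lining up each source sAMAccountName with its target account) is easy to get wrong across a few hundred users, and a wrong row merges the source user into someone else's account. Below is an added example, not from the original post, that builds the include file from the two csvde exports by matching on givenName and sn. It assumes the exports were run with -l "sAMAccountName,givenName,sn" for the source and -l "sAMAccountName,userPrincipalName,givenName,sn" for the target; the CSV text embedded here is constructed sample data standing in for sourceinclude.csv and targetinclude.csv.

```powershell
# Added example (not from the original post): build an ADMT include file from two csvde
# exports by matching source and target users on givenName + sn. Assumes csvde was run with
#   source: -l "sAMAccountName,givenName,sn"
#   target: -l "sAMAccountName,userPrincipalName,givenName,sn"
# The CSV text below is constructed sample data (csvde always emits the DN as first column).

$sourceCsv = @'
DN,sAMAccountName,givenName,sn
"CN=Branch Warren,OU=source,DC=source,DC=local",bwarren,Branch,Warren
"CN=Jay Cutler,OU=source,DC=source,DC=local",jcutler,Jay,Cutler
"CN=Johnnie Jackson,OU=source,DC=source,DC=local",jjackson,Johnnie,Jackson
"CN=Lee Priest,OU=source,DC=source,DC=local",lpriest,Lee,Priest
'@

$targetCsv = @'
DN,sAMAccountName,userPrincipalName,givenName,sn
"CN=Branch Warren,OU=target,DC=target,DC=local",branch.warren,branch.warren@target.local,Branch,Warren
"CN=Jay Cutler,OU=target,DC=target,DC=local",jay.cutler,jay.cutler@target.local,Jay,Cutler
"CN=Johnnie Jackson,OU=target,DC=target,DC=local",Johnnie.Jackson,Johnnie.Jackson@target.local,Johnnie,Jackson
'@

function New-AdmtIncludeFile {
    param(
        [Parameter(Mandatory)][object[]]$SourceUsers,
        [Parameter(Mandatory)][object[]]$TargetUsers
    )
    # Index target users by a case-insensitive "givenName|sn" key, keeping a list per key so
    # that two target users with the same name are reported rather than silently guessed.
    $index = @{}
    foreach ($t in $TargetUsers) {
        $key = ('{0}|{1}' -f $t.givenName, $t.sn).ToLowerInvariant()
        if (-not $index.ContainsKey($key)) { $index[$key] = @() }
        $index[$key] += $t
    }

    $rows = @(); $unmatched = @(); $ambiguous = @()
    foreach ($s in $SourceUsers) {
        $key  = ('{0}|{1}' -f $s.givenName, $s.sn).ToLowerInvariant()
        $hits = if ($index.ContainsKey($key)) { @($index[$key]) } else { @() }
        if ($hits.Count -eq 0) { $unmatched += $s.sAMAccountName; continue }
        if ($hits.Count -gt 1) { $ambiguous += $s.sAMAccountName; continue }
        $rows += [pscustomobject]@{
            Sourcename = $s.sAMAccountName
            TargetSAM  = $hits[0].sAMAccountName
            TargetUPN  = $hits[0].userPrincipalName
        }
    }
    [pscustomobject]@{ Rows = $rows; Unmatched = $unmatched; Ambiguous = $ambiguous }
}

$result = New-AdmtIncludeFile -SourceUsers (ConvertFrom-Csv $sourceCsv) -TargetUsers (ConvertFrom-Csv $targetCsv)

# Write the file in exactly the unquoted Sourcename,TargetSAM,TargetUPN layout shown in the
# post, rather than relying on Export-Csv's quoting.
$lines = @('Sourcename,TargetSAM,TargetUPN') +
         ($result.Rows | ForEach-Object { '{0},{1},{2}' -f $_.Sourcename, $_.TargetSAM, $_.TargetUPN })
Set-Content -Path .\include.csv -Value $lines -Encoding ASCII

# Users left out of the include file are simply not migrated, so review these lists before
# running the wizard (in the sample, lpriest has no target account and is reported).
if ($result.Unmatched) { Write-Warning ("No target match for: " + ($result.Unmatched -join ', ')) }
if ($result.Ambiguous) { Write-Warning ("Ambiguous target match for: " + ($result.Ambiguous -join ', ')) }
```

Matching on name attributes rather than on a naming convention means a target account created by hand with an unexpected sAMAccountName still pairs correctly, and an account that cannot be paired is surfaced instead of being merged into the wrong user.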

Once you have this in place, the migration process is very similar to the method outlined in the last blog post. When you are asked to select users, choose Read objects from an include file and specify the include file you created above.



Clear all check boxes.

When you get to the conflict management screen, choose Migrate and merge conflicting, leave both tick boxes empty.

Click Finish and view the log. Here you can see the account being merged, the password being migrated and sIDHistory completed.

If you open up one of the users, you can see the attributes have been carried across from the source domain user.

Migrating Only the sIDHistory

When you migrate users, all attributes are carried across unless otherwise specified. There may be a scenario where the user objects in the target domain need to be kept untouched but sIDHistory brought across. You can achieve this with the object property exclusion options. Run through the user migration and tick Exclude specific object properties from migration, select object type User and move all attributes into the excluded properties box.

Run through and finish the rest of the wizard. You can confirm that only the sIDHistory has been brought across by running ldifde before and after and comparing the two files.

Run before:

ldifde -f user_before.ldf -d "CN=lee.priest,OU=target,DC=target,DC=local"

Run after:

ldifde -f user_after.ldf -d "CN=lee.priest,OU=target,DC=target,DC=local"

WinMerge is a handy tool for comparing two files; here they are side-by-side:
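Eyeballing the two exports in WinMerge works for one user; for a batch it is easier to parse the LDIF and list every attribute that differs, then flag anything other than sIDHistory and the operational attributes AD updates on every write. The script below is an added example and not from the original post. The LDIF text embedded in it is constructed sample data standing in for user_before.ldf and user_after.ldf (the sIDHistory value is the base64 encoding of a made-up SID, not a real one).

```powershell
# Added example (not from the original post): compare two ldifde exports attribute by
# attribute and report anything other than sIDHistory (and the operational attributes that
# change on any write) as unexpected. The LDIF below is constructed sample data.

$before = @'
dn: CN=lee.priest,OU=target,DC=target,DC=local
changetype: add
objectClass: user
sAMAccountName: lee.priest
userPrincipalName: lee.priest@target.local
description: Target user, kept untouched
uSNChanged: 12345
whenChanged: 20120519160000.0Z
'@

$after = @'
dn: CN=lee.priest,OU=target,DC=target,DC=local
changetype: add
objectClass: user
sAMAccountName: lee.priest
userPrincipalName: lee.priest@target.local
description: Target user, kept untouched
sIDHistory:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUwQAAA==
uSNChanged: 12402
whenChanged: 20120519170500.0Z
'@

function ConvertFrom-Ldif {
    param([Parameter(Mandatory)][string]$Text)
    # Returns a hashtable of attribute name (lower-cased) -> array of values. Continuation
    # lines (leading space) are unfolded; "::" base64 values are kept encoded for comparison.
    $lines = @()
    foreach ($raw in ($Text -split "`r?`n")) {
        if ($raw.StartsWith(' ') -and $lines.Count -gt 0) { $lines[-1] += $raw.Substring(1) }
        elseif ($raw.Trim()) { $lines += $raw }
    }
    $attrs = @{}
    foreach ($line in $lines) {
        if ($line -match '^([^:]+)::?\s*(.*)$') {
            $name = $Matches[1].ToLowerInvariant()
            if (-not $attrs.ContainsKey($name)) { $attrs[$name] = @() }
            $attrs[$name] += $Matches[2]
        }
    }
    $attrs
}

function Compare-LdifExport {
    param(
        [Parameter(Mandatory)][string]$BeforeText,
        [Parameter(Mandatory)][string]$AfterText,
        # Attributes that are allowed to differ; everything else is reported as unexpected.
        [string[]]$Expected = @('sidhistory', 'usnchanged', 'whenchanged', 'modifytimestamp')
    )
    $b = ConvertFrom-Ldif $BeforeText
    $a = ConvertFrom-Ldif $AfterText
    $changed = @()
    foreach ($name in (@($b.Keys) + @($a.Keys) | Sort-Object -Unique)) {
        # Multi-valued attributes are compared as sorted sets so ordering differences are ignored.
        $bv = @($b[$name]) | Sort-Object
        $av = @($a[$name]) | Sort-Object
        if (($bv -join "`n") -ne ($av -join "`n")) { $changed += $name }
    }
    [pscustomobject]@{
        Changed    = $changed
        Unexpected = @($changed | Where-Object { $Expected -notcontains $_ })
    }
}

$diff = Compare-LdifExport -BeforeText $before -AfterText $after
"Changed attributes: $($diff.Changed -join ', ')"
if ($diff.Unexpected.Count -gt 0) {
    Write-Warning ("Attributes other than sIDHistory were modified: " + ($diff.Unexpected -join ', '))
} else {
    "Only sIDHistory (plus operational attributes) differs - the exclusion list did its job."
}
```

With the sample data the only reported changes are sidhistory, usnchanged and whenchanged, so nothing is flagged. If the description, telephone number or any other attribute appears under Unexpected, a property was left out of the excluded properties box and the target object has been overwritten with source data.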


ADMT Series – 10. Security Translation Wizard – Local Profiles


This post will cover the Security Translation Wizard in the context of migrating local user account profiles into the target domain. This step is crucial if you want your users to keep the same local profile. The Security Translation Wizard needs to be run before migrating the computers. If you skip this step, the users will receive a new profile when they log on to the target domain for the first time.

Be aware that this process can take some time; I've seen it take up to 40-45 minutes on some older laptops.

Security Translation Wizard - For Local Profiles

From the ADMT machine, run ADMT and select Security Translation Wizard.

Next.

If you have migrated the source domain user accounts, you can select Previously Migrated Objects. This pulls the list of source and target SIDs from the ADMT database for mapping the new permissions across. This is probably the best method if you have migrated the users, or if you don't need granular control over the process.

You can use a SID mapping file to link two accounts from the source and target domain. In the migration I recently went through, the accounts had already been created in the target domain, and there was no requirement for SID history. I decided that merging the user accounts wasn't necessary. As I hadn't migrated the users I was unable to use the previously migrated objects option, as ADMT has no history of the account SIDs in the ADMT database. A SID mapping file was used instead.

The SID Mapping file can be in the following formats:

OldSID,NewSID

or

OldSID,TARGET\USER

or

SOURCE\USER,TARGET\USER
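A SID mapping file is trusted as written: every row becomes an ACE on profiles, files and registry keys of the translated workstation, so a malformed or duplicated row quietly grants the wrong target account access. The validator below is an added example and not from the original post; it accepts the three row formats listed above, rejects anything else, and reports duplicate source entries. The mapping file content embedded in it is constructed sample data with placeholder SIDs.

```powershell
# Added example (not from the original post): sanity-check a SID mapping file before handing
# it to the Security Translation Wizard. Accepts the three formats the post lists
# (OldSID,NewSID / OldSID,TARGET\USER / SOURCE\USER,TARGET\USER), rejects malformed rows and
# flags duplicate source entries. The content below is constructed sample data; the SIDs are
# placeholders, not real domain SIDs.

$mappingText = @'
S-1-5-21-1000000001-2000000002-3000000003-1105,S-1-5-21-4000000004-5000000005-6000000006-1203
S-1-5-21-1000000001-2000000002-3000000003-1106,TARGET\branch.warren
SOURCE\jcutler,TARGET\jay.cutler
S-1-5-21-1000000001-2000000002-3000000003-1105,TARGET\duplicate.entry
S-1-5-21-1000000001-2000000002-3000000003,TARGET\missing.rid
'@

function Test-SidMappingFile {
    param([Parameter(Mandatory)][string]$Text)
    # Domain account SIDs are S-1-5-21-<three sub-authorities>-<RID>. Well-known SIDs such as
    # S-1-5-32-544 (BUILTIN\Administrators) never belong in a user mapping file, so they are
    # rejected rather than passed through.
    $sidPattern  = '^S-1-5-21-\d+-\d+-\d+-\d+$'
    $namePattern = '^[^\\,]+\\[^\\,]+$'
    $seen   = @{}
    $errors = @()
    $valid  = 0
    $lineNo = 0
    foreach ($line in ($Text -split "`r?`n")) {
        $lineNo++
        if (-not $line.Trim()) { continue }
        $parts = $line.Split(',')
        if ($parts.Length -ne 2) { $errors += "line ${lineNo}: expected exactly two comma-separated fields"; continue }
        $old = $parts[0].Trim()
        $new = $parts[1].Trim()
        $oldOk = ($old -match $sidPattern) -or ($old -match $namePattern)
        $newOk = ($new -match $sidPattern) -or ($new -match $namePattern)
        if (-not $oldOk) { $errors += "line ${lineNo}: source '$old' is neither a domain SID nor DOMAIN\USER"; continue }
        if (-not $newOk) { $errors += "line ${lineNo}: target '$new' is neither a domain SID nor DOMAIN\USER"; continue }
        $dupKey = $old.ToLowerInvariant()
        if ($seen.ContainsKey($dupKey)) { $errors += "line ${lineNo}: source '$old' already mapped on line $($seen[$dupKey])"; continue }
        $seen[$dupKey] = $lineNo
        $valid++
    }
    [pscustomobject]@{ ValidRows = $valid; Errors = $errors }
}

$check = Test-SidMappingFile -Text $mappingText
"$($check.ValidRows) valid mapping rows"
$check.Errors | ForEach-Object { Write-Warning $_ }
```

On the sample data the first three rows pass, row four is rejected as a duplicate of row one, and row five is rejected because its SID has no RID. Running this against the real file takes seconds and avoids discovering a bad row after forty minutes of agent time on a laptop.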

For demonstration purposes I have migrated a bunch of user accounts so I can choose the previously migrated objects option.

Select the source and target domain; you can also select which specific domain controller to use.

Select computers from the domain or use an include file.

We will be translating profiles on a Windows XP SP3 test machine.

Choose the objects you wish to translate.

Files and folders - Select this option to translate security on files and folders on the targeted computer.
Local groups - Select this option to translate security on the local groups on the targeted computer.
Printers - Select this option to translate security on the local printers that are configured on the targeted computer.
Registry - Select this option to translate security on registry settings on the targeted computer.
Shares - Select this option to translate security on the shared resources on the targeted computer.
User profiles - Select this option to translate security on the local user profiles on the targeted computer.
User rights - Select this option to translate security on the user rights on the targeted computer.

Here you can choose to replace, add or remove the permissions. Add is the safest option and is what I would recommend in most cases.

Select Finish.

Run the pre-check and make sure it passes, then choose run pre-check and agent operation.

If you click on Agent Detail and View Log you will be able to see what actions have been carried out. We have already migrated the user Ronnie Coleman so we see:

2012-05-19 17:00:36 Translating user profile, source account='Ronnie.Coleman', target account='Ronnie.Coleman'

After the profiles have been translated you will want to migrate the computers straight away.

What happens to the profile?

To show you what's happened I've logged into XP1. You can see that the target user has been granted full permission over the local profile. As we chose the Add option, the source domain user also maintains access.

The migrated user in the target domain has been added to the profile list in the registry, and the profile is pointing to the source user's profile. You can view this under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.

Target SID / User

Source SID / User
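The registry view above is the real proof that the translation worked: one ProfileImagePath with two SIDs under ProfileList, the source and the target account. The script below is an added example and not from the original post; run with no arguments on the workstation it reads the live ProfileList key and groups entries by profile folder, and the -Entries parameter lets the same logic run over the constructed sample entries at the bottom (placeholder SIDs) without touching the registry.

```powershell
# Added example (not from the original post): list profile folders under ProfileList that are
# shared by more than one SID, i.e. profiles the Security Translation Wizard has mapped to a
# second (target) account. Sample entries at the bottom are constructed with placeholder SIDs.

function Get-ProfileListEntries {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem $key | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Sid = $_.PSChildName; ProfileImagePath = $props.ProfileImagePath }
    }
}

function Resolve-SidName {
    param([string]$Sid)
    # Translate a SID to DOMAIN\user. A SID that no longer resolves (for example a source
    # domain that has been decommissioned) is returned as-is instead of throwing.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

function Get-SharedProfiles {
    param([object[]]$Entries = (Get-ProfileListEntries))
    # Group by profile folder; a translated profile shows up as one folder with two SIDs,
    # which is exactly what the post's registry screenshots show.
    $Entries |
        Where-Object { $_.ProfileImagePath } |
        Group-Object { $_.ProfileImagePath.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                ProfileImagePath = $_.Group[0].ProfileImagePath
                Sids             = @($_.Group | ForEach-Object { $_.Sid })
                Accounts         = @($_.Group | ForEach-Object { Resolve-SidName $_.Sid })
            }
        }
}

# Constructed sample entries: one translated profile (two SIDs, one folder) and the untouched
# LocalSystem profile. On a real workstation call Get-SharedProfiles with no arguments.
$sample = @(
    [pscustomobject]@{ Sid = 'S-1-5-21-1000000001-2000000002-3000000003-1105'; ProfileImagePath = 'C:\Documents and Settings\Ronnie.Coleman' }
    [pscustomobject]@{ Sid = 'S-1-5-21-4000000004-5000000005-6000000006-1203'; ProfileImagePath = 'C:\Documents and Settings\Ronnie.Coleman' }
    [pscustomobject]@{ Sid = 'S-1-5-18'; ProfileImagePath = '%systemroot%\system32\config\systemprofile' }
)
Get-SharedProfiles -Entries $sample | Format-List
```

A profile that should have been translated but shows only its source SID here is the one that will be re-created empty at the user's first target-domain logon, so it is cheaper to spot it now than after the computer migration.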

The next part of the series will run through migrating the computer objects and computer domain affiliation to the target domain.


ADMT Series – 11. Computer Migration Wizard


This post will cover the process of migrating computers from the source domain to the target domain. After you migrate a batch of local user profiles, migrate the corresponding batch of user workstations.

ADMT Supported Operating Systems for Computer Migration

ADMT 3.2 - supports the migration of computers that run Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

ADMT 3.1 - supports the migration of computers that run Windows 2000 Professional, Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008.

ADMT 3.0 - supports the migration of computers that run Windows 2000 Professional, Windows XP, Windows NT 4, Windows 2000 Server, and Windows Server 2003.

Computer Migration

From the ADMT machine, run ADMT and select Computer Migration Wizard.

Select the source and target domain; you can also select which specific domain controller to use.

Select computers from the domain or use an include file. An include file is quite useful if you're migrating one OU at a time, as you can export the objects in an OU via ADUC (right click -> Export List).

Select the target OU.

Choose the objects you wish to translate.

Here you can choose to replace, add or remove the permissions. Add is the safest option and is what I would recommend in most cases.

After the wizard has completed, wait x minutes before restarting the computer. This can typically be set to 0 minutes.

You can exclude particular attributes of the computer here, if needed.

Select Do not migrate source object if a conflict is detected in the target domain.

At this stage the computer object is pre-staged in the target domain; you can refresh the target OU and view the object.

As usual, run the pre-check, then run pre-check and agent operation. Once the agent operation is complete, the wizard waits to carry out the post-check. The post-check uses an A record in the target domain to contact the machine and remove the ADMT tools. You should see an A record being created when the machine reboots.

If you don't, the post-check will fail. This isn't a major issue as long as you're aware of why it failed, but if the A record has not been created you will need to investigate why.

You'll probably get a message in the logs stating:

Admt unable to retrieve the dns hostname adsi property cannot be found in the property cache hr=0x8000500d

Confirmed joined.
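Since the post-check depends entirely on the migrated machine registering an A record in the target zone, it is worth checking that record for the whole batch before the wizard times out. The script below is an added example and not from the original post. The computer list is constructed (in practice read it from the same include file you fed to the wizard with Get-Content), and the target DNS suffix is an assumption; it assumes the ADMT machine resolves names through the target domain's DNS.

```powershell
# Added example (not from the original post): confirm each migrated computer has an A record
# in the target DNS zone, which is what the ADMT post-check relies on. The computer list is
# constructed sample data and the DNS suffix is assumed.

$computers    = @('XP1', 'XP2', 'WS2003-FILE')   # constructed; normally Get-Content .\computers.txt
$targetSuffix = 'target.local'                   # assumed target DNS zone

function Test-TargetARecord {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$DnsSuffix
    )
    foreach ($name in $ComputerName) {
        $fqdn = "$name.$DnsSuffix"
        try {
            # GetHostAddresses is available on every Windows PowerShell version, so this
            # also works on the 2008 R2 ADMT box without the DnsClient module.
            $addrs = @([System.Net.Dns]::GetHostAddresses($fqdn) |
                       Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                       ForEach-Object { $_.IPAddressToString })
            [pscustomobject]@{ Computer = $name; Fqdn = $fqdn; Registered = ($addrs.Count -gt 0); Addresses = ($addrs -join ', ') }
        } catch {
            # Resolution failure (no such host) means no A record yet.
            [pscustomobject]@{ Computer = $name; Fqdn = $fqdn; Registered = $false; Addresses = '' }
        }
    }
}

$results = Test-TargetARecord -ComputerName $computers -DnsSuffix $targetSuffix
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Registered })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.Computer }) -join ', '
    Write-Warning "No A record yet for: $names. The ADMT post-check will fail for these; check the client's primary DNS suffix and dynamic update settings."
}
```

Re-run it after the reboots have finished; a machine that still has no record at that point is the one that will log the "unable to retrieve the dns hostname" message shown above.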


ADMT Series – Misc. Cannot open database ADMT – The login failed


If you install ADMT under a different user, you may receive this error when trying to access the ADMT MMC console:

Unable to check for failed actions. : DBManager.IManageDB.1 : Cannot open database "ADMT" requested by the login. The login failed.

To resolve this you will need to install Microsoft SQL Server Management Studio, available here: http://www.microsoft.com/en-us/download/details.aspx?id=7593

Run the installer and select New SQL Server stand-alone installation or add features to an existing installation.

Choose Add features to an existing instance of SQL Server 2008.

Select Management Tools - Basic (it's greyed out here as I've already got them installed).

Follow the rest of the installation through. When complete, run SQL Server Management Studio and connect to the SQLEXPRESS instance.



Select Security, Logins and choose New Login.

Add the account that needs access to the ADMT MMC Console and select Windows Authentication.

You can see the user added, right click and select properties.

Select User Mapping, tick ADMT and grant the db_owner and public role memberships.

The user will also need to be local administrator on the ADMT machine. You should now be able to open the MMC console.
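The same login and user mapping can be created without installing Management Studio at all, by running the T-SQL over System.Data.SqlClient from the account that installed ADMT (which already has access to the database). The script below is an added example and not from the original post; the instance name and the Windows account are assumptions, and sp_addrolemember is used because the instance ADMT installs is SQL Server 2008 Express. The public role the post mentions is granted to every database user automatically, so only db_owner needs to be added.

```powershell
# Added example (not from the original post): grant a Windows account access to the ADMT
# database over System.Data.SqlClient, equivalent to the SSMS clicks in the post. Run as the
# account that installed ADMT. Instance and account names are assumptions.

$instance = '.\SQLEXPRESS'            # assumed local ADMT instance
$account  = 'TARGET\admt.operator'    # assumed Windows account that needs the ADMT console

function Grant-AdmtDatabaseAccess {
    param(
        [Parameter(Mandatory)][string]$Instance,
        [Parameter(Mandatory)][string]$WindowsAccount
    )
    # Quote the account both as an identifier and as a string literal so that a stray ] or '
    # in the name cannot break out of the statement.
    $ident   = '[' + $WindowsAccount.Replace(']', ']]') + ']'
    $literal = "N'" + $WindowsAccount.Replace("'", "''") + "'"
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $literal)
    CREATE LOGIN $ident FROM WINDOWS;
USE [ADMT];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $literal)
    CREATE USER $ident FOR LOGIN $ident;
EXEC sp_addrolemember N'db_owner', $literal;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=master;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.ExecuteNonQuery()

        # Read the role membership back (the connection is now in ADMT after the USE above)
        # so the change is confirmed rather than assumed.
        $cmd.CommandText = @"
SELECT r.name
FROM sys.database_role_members m
JOIN sys.database_principals r ON m.role_principal_id = r.principal_id
JOIN sys.database_principals u ON m.member_principal_id = u.principal_id
WHERE u.name = $literal
"@
        $reader = $cmd.ExecuteReader()
        $roles = @()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
        $reader.Close()
        [pscustomobject]@{ Account = $WindowsAccount; Roles = $roles }
    } finally {
        $conn.Close()
    }
}

Grant-AdmtDatabaseAccess -Instance $instance -WindowsAccount $account
```

The returned Roles list should contain db_owner; if the call fails with a login error for the account running it, that account is not the one ADMT was installed under, which is the situation the post starts from.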

Windows 8 – Winkey+X


Handy shortcut to access the advanced context menu, it can be accessed via Winkey+X or by right clicking in the bottom left of the screen.

SBS 2003 to SBS 2011 Migration – Extend 21 day limit


You may find yourself in a position where 21 days isn't enough to finish the migration. If so, there are two methods for extending this limit.

The methods below should only be used as a short term solution as they technically violate the EULA, but needs must.

How to determine how many days you have left: http://blogs.technet.com/b/sbs/archive/2011/04/14/how-to-determine-the-number-of-days-left-for-sbs-2011-migration.aspx

Extend for another 7 days

This is as simple as moving the FSMO roles back over to the SBS 2003 server (http://support.microsoft.com/kb/255504)

From the SBS 2003 server open a command prompt and run netdom query fsmo to confirm that the SBS 2011 server currently holds the FSMO roles. The procedure below gracefully transfers the FSMO roles back to the SBS 2003 server.

  • ntdsutil
  • roles
  • connections
  • connect to server SBS2003
  • quit
  • Transfer domain naming master
  • Transfer infrastructure master
  • Transfer PDC
  • Transfer RID master
  • Transfer schema master

Run netdom query fsmo and confirm that the SBS 2003 server now holds all of the FSMO roles. The time limit has now been extended by 7 days.

After the 28 day period (21 plus the 7 above) - Disable Shutdown

This method indefinitely prevents the source SBS 2003 server from shutting down. From the SBS 2003 server, transfer the FSMO roles back to the SBS 2011 server.

From the SBS 2003 server, download and run Process explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Find sbscrexe.exe, right click it and choose Suspend.

Open regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBCore.

Right click SBCore and select Permissions; add the administrator account and give it Full Control on this key and its subkeys, clicking Yes if warned.

In the right-hand pane, change the "Start" DWORD to 4 (from the default of 2).

Now browse to C:\Windows\System32 and locate sbscrexe.exe. Right click it, choose Properties, then Security, add Everyone and select Deny for all permissions.

Go back to Process Explorer and select Kill Process, then open Task Manager and confirm sbscrexe.exe doesn't restart.

Server 2012 RTM Trial Released – Azure 90 day Trial and Free Ebook


The trial version of Server 2012 RTM is now available from Microsoft. The TechNet Evaluation Center is a little confusing, as it states "Download Windows Server 2012 Release Candidate (RC)" at the top of the page. However, comparing the file names to the RC confirms that this is the RTM.

RC - 8400.0.WINMAIN_WIN8RC.120518-1423_X64FRE_SERVER_EN-US-HRC_SSS_X64FRE_EN-US_DV5
RTM - 9200.16384.WIN8_RTM.120725-1247_X64FRE_SERVER_EVAL_EN-US-HRM_SSS_X64FREE_EN-US_DV5

Download the Server 2012 RTM Trial here.

Microsoft are giving away a free ebook introducing Server 2012 which is worth a grab.

CBT Nuggets have released their First Look Series to Youtube for free too: http://www.youtube.com/playlist?list=PL282955A708FD70C0&feature=view_all

Azure

Microsoft Azure are providing a 90 day trial including a Server 2012 RTM virtual machine.

Signing up is quick if you already have a Microsoft account, but you will need to enter your credit card details. This made me a little on edge at first, but their policy seems sound, stating:

To protect you from accidentally incurring charges for usage beyond the included offer amount, we have introduced the Spending Limit feature. All new customers that sign up for the 90-day trial offer or one of our member offers (e.g., MSDN offer) will now, by default, have a Spending Limit of $0.00.

When your usage exhausts the monthly amounts included in your offer, we will disable your service for the remainder of that billing month, which includes removing any hosted services that you may have deployed. The data in your storage accounts and databases will be accessible in a read-only manner.

If you're not quite ready for Windows Server 2012 you can deploy any of the below instead.

Once signed up and signed in creating a virtual machine takes minutes.

Happy learning!


Solarwinds – Server and Application Monitor [Sponsored Review]


Today I'm going to take a look at the Server and Application Monitor from Solarwinds. If you haven't heard of Solarwinds before head over to their site and take a look. They have some pretty neat free products which are worth knowing about (everyone likes free stuff, right?!) http://www.solarwinds.com/downloads/. I'll be focusing on the installation of Solarwinds SAM (Server and Application Monitor), the dashboard, getting started and configuring alerts.

Server and Application Monitor - Agentless Application & Server Performance Monitoring

  • Monitors performance & user experience for virtually any application – Microsoft® Exchange, Active Directory®, IIS, any ODBC database, & more
  • Monitors server hardware faults & operating systems across platforms – Windows®, UNIX, Linux®, & more
  • Provides expert guidance on what to monitor, why to monitor it, & optimal thresholds
  • Includes customizable dashboards & reports showing trends, capacity, & performance
  • Easy to download & deploy in less than an hour, easy to use, & easy on your budget.

Installation

You can download a fully functional 30 day trial directly from Solarwinds here: http://info.solarwinds.com/SAM52_thesysadmins. I've loaded it into a Server 2008 R2 guest machine on top of Hyper-V. Pre-reqs are light; server-side it primarily needs .NET 3.5 SP1 and 4.0.

You can perform two types of install, express and advanced. The express installation installs a local copy of SQL Express, and the advanced install allows you to specify a dedicated SQL server. Solarwinds recommend you run the SQL data on a separate physical server; as my test network is fairly light I opted for an express install.

The installation adds various local applications on the Solarwinds server (alert configuring, database maintenance, network discovery and others) and brings up the main admin web console on port 8787. Browse to http://solarwindsserver:8787 and login with admin (no password).

This brings you onto the main dashboard.

Dashboard and Getting Started

The dashboard is pretty bare on first start, as you'd expect, but getting started is straightforward. There is a "Discover my Network" wizard that allows you to configure SNMP, Windows and vCenter/ESX credentials. You can add a subnet, IP range or specific nodes to be discovered.

The wizard will scan the configured IP range / nodes and display the discovered nodes. You can select or deselect the nodes you want to monitor and the type of applications you want to search for.

There is a massive list of applications you can monitor, I've listed them in a text file here: Solarwinds-Applications-List

Follow the wizard through and Solarwinds SAM will start polling the configured nodes and application monitors.

The dashboard should start to populate. You can customize it to show a whole array of useful information, which means you can see everything you need at a quick glance on one screen. I've configured various layouts in the screenshots below:

Alerts

You're more than likely going to want to receive some form of alert for example when a node goes down, or physical disk space reaches n%. Managing alerts is a doddle, and I managed to setup several different alerts in a few minutes. There are a lot of options and triggers to choose from, all of the counters you'd expect to see are there, volume percent used, response time, % CPU utilization, used system memory to name a few.

Plenty of options for alert type.

Thoughts

I've been using this product on and off for around a week now and it's been very easy to set up and use. Installation was straightforward and configuring the software to perform the required monitoring wasn't a massive chore like it can be (Nagios, I'm looking at you); the wizards and simple interface made everything a breeze. The dashboard is attractive and highly customizable, which means I can set it up exactly how I like without having to touch any code. Overall it seemed like a well thought out, complete product.

View .pages File on Windows


I've had a few requests to open .pages files lately and found a nice and quick way to extract the .pages file to expose a PDF file which can be opened within Windows. The .pages file extension originates from Apple's iWork Pages application.

Right click the .pages file and extract with 7zip (or your favorite alternative).

Open the QuickLook folder and open the PDF version of the .pages file; most of the files I've come across allow text to be copied from the PDF.

Windows 8 – Installing and Configuring Hyper-V


Windows 8 Pro and Enterprise editions come with the ability to run Hyper-V. If you're anything like me, you'll have dabbled with desktop virtualization using the various solutions: VirtualBox, VMware Workstation/Player/Server (argh) or similar. Whilst I get on well with (and typically use) VMware products, having Hyper-V free and native to Windows is a great step forward and something I've moved over to recently.

Hyper-V requires a 64-bit system that has Second Level Address Translation (SLAT). SLAT is a feature present in the current generation of 64-bit processors by Intel & AMD. You’ll also need a 64-bit version of Windows 8, and at least 4GB of RAM. Hyper-V does support creation of both 32-bit and 64-bit operating systems in the VMs.

To see if your CPU is capable of running Hyper-V under Windows 8, you can view the AMD supported CPU list here: http://support.amd.com/us/kbarticles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx or look here: http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx. You'll be pleased to know that pretty much any 'i' series Intel CPU will work.

You will also want to make sure you have the relevant bios settings set: http://blogs.technet.com/b/iftekhar/archive/2010/08/09/enable-hardware-settings-in-bios-to-run-hyper-v.aspx

Installing Hyper-V

Navigate to Control Panel -> Programs and Features. You can do this various ways, for example:

Or.

Select Turn Windows Features on or off.

Tick both Hyper-V boxes and select OK, if the Hyper-V Platform tick box is greyed out you may not be able to install Hyper-V on that particular hardware.

The machine will now reboot.

When the machine comes back up you should now have a Hyper-V tile in the modern UI; you can also get to Hyper-V Manager by simply tapping the WinKey and typing "Hyper".

Configuring the Virtual Switch with only one NIC

You will need to configure a Virtual Switch before a virtual machine can communicate outside itself.

On the right-hand column select Virtual Switch Manager.

Select New virtual switch and decide on the switch type. External should suit most purposes.

Give the switch a name (this will be used later when you are creating virtual machines) and select which network interface to use. I only have a single NIC on my motherboard, so I chose that.

...and there we have it. Hyper-V up and running with a virtual switch ready to host virtual machines.

Additional Settings

Select Hyper-V settings in the right-hand column.

From here you can adjust the default VHD location, change the mouse release key etc...

Windows 8 – £14.99 Upgrade


I'm a big fan of Windows 8 and I've been using it for around a year in its various guises (developer, release and RTM). When it was confirmed they would be providing the upgrade for a measly £14.99 I decided to run through the process and see how easy Microsoft have made it for people to upgrade to the latest and greatest.

I've detailed the experience below; it was very straightforward and quick to run through. If you're looking to upgrade and meet the requirements, this is the way to do it.

Let's get the upgrade!

Head over to Microsoft's update page: http://windows.microsoft.com/en-gb/windows/upgrade-offer

You'll be asked to fill in some basic information.

Here you will need to enter a valid Windows 7 product key.

Success! Microsoft will now email you a promotion code to the address registered with a link to the Download Upgrade Assistant. I didn't really want to run this, but after a (quick) search around the site it seemed you have to.

I was already running Windows 8 (the 90 day enterprise trial), so when proceeding it was giving me the error message: Sorry, Windows 8 isn't available for online purchase in the country/region you're in. You can get around this by right clicking the Download Upgrade Assistant (Windows8-UpgradeAssistant.exe) going to the compatibility tab and setting the compatibility mode to Windows 7.

I'm told I can order Windows 8 Pro for £24.99.

It then asks if you want to purchase physical media, I do not.

Some basic information about billing.

Payment information, at this point I'm thinking "So when is it going to ask me for the promo code". I chose Paypal and pressed continue, and there was thankfully a box to put the promo code. For some reason I didn't screenshot this, but trust me- it's there!

Confirmation of final cost.

Click Buy and you will be redirected to, in my case, PayPal. After you have paid you are thanked for your order and your product key is displayed (it is also emailed to the address you registered).

Windows 8 starts to download, luckily I have an amazing 2Mbit connection so I only have to wait 3 hours or so.

When the download is complete you will be asked when and how you want to install Windows8.

You can create an ISO file or a USB flash drive installation. I chose ISO, which dumps Windows.iso to a location of your choice ready for burning to DVD.

Can you perform a clean install from the media?

Yes, after burning the ISO to DVD or using the flash drive to boot from you can install Windows 8 Pro. You will be prompted for your product key which you received when going through the process above.

Windows 8 – Disable Lock Screen Wallpaper


If you're using Windows 8 and frequently lock your machine, you'll have come across the lock screen, which you can either drag up with your mouse or press any key on the keyboard to lift. Now whilst this looks fairly slick, it takes around a second after the initial key press for it to start registering your password entry; if you're fairly quick at typing this can equate to 3-4 key presses. This has been annoying me for a little while, as I continue to bash in my password only to realise it's missed the first few characters. So here's how to disable it.

To disable

Tap the winkey and type gpedit.msc and press enter.

Browse to Computer Configuration > Administrative Templates > Control Panel > Personalization > Do not display the lock screen.

Set this to enable.

Open Administrative Command Prompt Without Right Clicking


Nice little tip for opening an administrative command prompt without having to right click. This will actually work for most applications, but I use it most for this!

Tap the Windows key, type CMD and press SHIFT+CTRL+Enter, UAC will trigger if you have it enabled, ALT+Y to press Yes.


If you have the Command Prompt pinned, you can set it to always run as an administrator by right clicking the pinned shortcut, going to Properties and then Advanced. Tick Run as administrator.


Server 2012 – Add Additional Domain Controller to a 2008 R2 Domain


When you try and run DCPromo from the explorer shell on Windows Server 2012, you will receive the following message "The Active Directory Domain Services Installation Wizard is relocated in Server Manager. For more information, see http://go.microsoft.com/fwlink/?LinkId=220921."


No DCPromo, what now?! DCPromo is deprecated in Windows Server 2012, so adding an additional Domain Controller is slightly different than in earlier versions. The new process is still straightforward, and the wizard will even extend the schema (to version 56) for you, meaning it's a one-stop process. Adding a Windows Server 2012 Domain Controller requires a Windows Server 2003 forest functional level or higher on your existing forest.

Promoting a Server 2012 to a Domain Controller

1. Open Server Manager, select Local Server on the left hand side then choose Manage -> Add Roles and Features.

2. Next.


3. Next.


4. Select the server you wish to promote.


5. Tick Active Directory Domain Services.


6. Click Add Features.

Server2012-DC6

7. Next.

Server2012-DC7

8. Next.

Server2012-DC8

9. Install.

Server2012-DC9

10. In Progress.

Server2012-DC10

11. Close.

Server2012-DC11

12. You'll now notice you have a notification, prompting you to promote this server to a domain controller.

Server2012-DC12

13. We are adding a domain controller to an existing domain, specify the domain and domain administrator credentials.

Server2012-DC13

14. It will make the additional DC a DNS server and GC by default; we do not want to make this a Read Only Domain Controller. You have the option to add the DC to a particular Site. Enter your DSRM password (as usual, keep this safe!).

Server2012-DC14

15. You can typically ignore the warning about DNS delegation, a more detailed explanation can be found here: http://technet.microsoft.com/en-us/library/cc754463(WS.10).aspx

Server2012-DC15

16. You can install from media, which is useful if you are promoting a DC in a branch office with a poor connection, as it will significantly reduce the initial Active Directory replication. You can also specify a particular DC for the initial replication.

Server2012-DC16

17. Default locations.

Server2012-DC17

18. This screen tells us it will prepare the Forest, Schema and domain for us (Server 2012 uses Schema Version 56).

Server2012-DC18

19. Review screen, with the option to view the PowerShell script.

Server2012-DC19

20. Click Install.

Server2012-DC20

21. The install will tick over and when it has finished the server will be restarted.

Server2012-DC21

Server2012-DC22

The server will now reboot and the promotion is complete.
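Step 19 mentions that the wizard can show you the PowerShell it is about to run. The post does not reproduce that script, so the block below is an added example rather than the wizard's own output: it walks the same steps with the ADDSDeployment cmdlets that ship with Server 2012, with a pre-flight check for the two requirements mentioned above (forest functional level and schema version). The domain name, site name, replication source DC and paths are placeholders; the parameter set is assumed to be accepted by both the Test- and Install- cmdlets.

```powershell
# Added example, not the wizard-generated script from the original post.
# Run elevated on the Server 2012 machine you want to promote.
Import-Module ActiveDirectory

# Pre-flight: the post states the forest must be at Windows Server 2003 functional level
# or higher, and that the wizard raises the schema to version 56.
"Forest functional level: $((Get-ADForest).ForestMode)"
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
"Schema objectVersion before promotion: $($schema.objectVersion)"   # 56 once a 2012 DC is added

# Steps 1-11: install the AD DS role binaries (this alone does not promote the server).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Steps 12-20: promote as an additional DC in an existing domain.
Import-Module ADDSDeployment
$cred = Get-Credential -Message 'Domain Admin credentials'        # step 13
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString         # step 14

$params = @{
    DomainName                    = 'corp.example'                # placeholder domain (step 13)
    Credential                    = $cred
    InstallDns                    = $true                         # step 14: DNS and GC are on by default
    SiteName                      = 'Default-First-Site-Name'     # step 14: site to place the DC in
    SafeModeAdministratorPassword = $dsrm
    CreateDnsDelegation           = $false                        # step 15: skip the DNS delegation
    ReplicationSourceDC           = 'dc01.corp.example'           # step 16: initial replication partner (placeholder)
    DatabasePath                  = 'C:\Windows\NTDS'             # step 17: default locations
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}
# For a branch office on a poor link (step 16), add InstallationMediaPath = 'D:\IFM'
# pointing at an IFM set created with "ntdsutil ifm" on an existing DC.

# Dry run: checks prerequisites with the same parameters without changing anything.
Test-ADDSDomainControllerInstallation @params

# Steps 20-21: the real promotion. -Force suppresses the confirmation prompt;
# the server restarts when the promotion completes.
Install-ADDSDomainController @params -Force
```

Re-running the schema query after the reboot should show objectVersion 56, confirming the wizard's schema extension happened as part of the promotion.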


Podcasts


Over the last couple of years I've started listening to more technical podcasts. This initially stemmed from having to do more housework (!) but has spread to longer commutes or trips, especially in the car. I find it's a great way, without having to pay too much attention, to keep up to date with various topics and news.

I listen to a small handful of Podcasts regularly, so go and check them out.

Security Now
Windows Weekly
This Week in Enterprise Tech
Runas Weekly
Techsnap
Portforward Podcast

I tried a couple of Android applications to automate the download of new episodes without much success until I stumbled on a recommendation for Pocket Casts. It currently costs £1.99, and it's the best Android application I've found for the job. I've set it to automatically download when a new episode is released and to only keep the last 2 episodes. You can also set the episode updates to occur only when using WiFi, which is great for those with more restrictive data tariffs.

Have a podcast to recommend? Please use the comments below.

The post Podcasts appeared first on The Sysadmins.

Server 2012 PPTP VPN With 1 NIC


The process for setting up a PPTP VPN in Server 2012 with 1 network card is very similar to that of Server 2008 R2. Please be aware that PPTP is vulnerable to dictionary attack and should be considered unencrypted. There is a great post explaining why here.

Server Side (Server 2012)

  • Head to Server Manager, click on Manage, then Add Roles and Features
  • Role-based or feature-based installation
  • Make sure the server you want to install the RRAS role is selected
  • Select Remote Access
  • View items and click add features
  • Next as you do not need to add any features
  • Tick DirectAccess and VPN (RAS)
  • This shows the Role services which are requested and then added
  • When the feature installation is complete click close
  • Select Remote Access in Server Manager
  • Right click the server with the Remote Access role installed and choose Remote Access Management
  • Select Run the Getting Started Wizard
  • Select Deploy VPN Only, the familiar RRAS console will appear
  • Right click the server and choose configure and enable routing and remote access
  • If you select "Remote Access" you will get the following error: "Less than two network interfaces were detected on this machine. For standard VPN server configuration at least two network interfaces need to be installed."
  • Select Custom Configuration to get around this, then select VPN Access and follow it through to the end
  • Right click Routing and remote access and select properties
  • Browse to the IPv4 tab and assign a static pool of IPs for the remote clients
  • Now load up ADUC (Active Directory Users and Computers) and double click the user you wish to give access
  • Select the Dial-in tab and set the Network Access permission to Allow Access

Switch to 720 for a better experience.

http://www.youtube.com/watch?v=I67MD6Vjfvg

Client Side (Windows 8)

  • Tap the Winkey and type VPN, press the down arrow and enter, select Set up a virtual private network (VPN) connection
  • Type the IP of the server hosting the PPTP VPN server (or more likely the public address forwarding to the PPTP Server) and give the connection a name
  • Click on the network icon in the tray, right click the PPTP connection and choose view connection properties
  • Head to the Security tab and select PPTP (Windows will work this out if you don't, so it's not really necessary)
  • Go to Networking, IPv4, Properties, Advanced and unselect Use default gateway on remote computer
  • Click the network icon in the tray, select the PPTP VPN connection and connect
  • Type your credentials
  • In the video I typed ncpa.cpl to get quick access to the connection details, note I was allocated one of the IPs from the pool we configured on the PPTP server
  • You should be good to go!

Switch to 720 for a better experience.

http://www.youtube.com/watch?v=m2C32HUvFxg

Networking

  • Enable forwarding for TCP Port 1723 (PPTP) to your Windows 2012 Server
  • The firewall must support GRE
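The server-side, Active Directory and client-side steps above can all be driven from PowerShell. The block below is an added example, not code from the original post: it uses the RemoteAccess module on Server 2012 for the server, the ActiveDirectory module for the dial-in permission and the VpnClient module on Windows 8 for the connection. The IP addresses, connection name and user account are placeholders, and it is an assumption that Install-RemoteAccess behaves on a single-NIC server the way the Custom Configuration path of the wizard does; verify on your own build.

```powershell
# Added example (not from the original post). Server part runs elevated on Server 2012,
# the Set-ADUser line on a machine with the AD module, the client part on Windows 8.

# --- Server side: role install, "Deploy VPN Only", static IPv4 pool ---
Install-WindowsFeature RemoteAccess, DirectAccess-VPN -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn                 # equivalent of the Getting Started Wizard's VPN-only deployment
# Static pool handed to remote clients (RRAS properties -> IPv4 tab). Placeholder range.
Add-VpnIPAddressRange -IPAddressRange '192.0.2.100', '192.0.2.120'
Get-RemoteAccess | Select-Object VpnStatus        # expect Installed

# --- Dial-in permission (ADUC -> Dial-in tab -> Allow access) for a placeholder user ---
Import-Module ActiveDirectory
Set-ADUser -Identity 'vpn.user' -Replace @{ msNPAllowDialin = $true }

# --- Client side (Windows 8): create the connection ---
# -SplitTunneling is the scripted form of unticking "Use default gateway on remote network".
Add-VpnConnection -Name 'Office PPTP' -ServerAddress '203.0.113.10' `
    -TunnelType Pptp -AuthenticationMethod MSChapv2 -EncryptionLevel Required -SplitTunneling

# Connect with the built-in dialler, then confirm an address from the pool was issued.
rasdial 'Office PPTP' 'vpn.user'
Get-NetIPAddress -InterfaceAlias 'Office PPTP' -AddressFamily IPv4
```

Get-NetIPAddress replaces the ncpa.cpl check from the video. The same Add-VpnConnection call accepts the other tunnel types Windows 8 supports (L2tp, Sstp, Ikev2) in place of Pptp, which matters given the caveat at the top of this post.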


SCCM 2012 – Stop “Your Computer is About to Restart”


So... I popped onto a server the other day to check something and I see this in the corner. Your computer is about to restart. xx:xx:xx remaining before your computer restarts automatically. Your computer must restart to complete the installation of applications and software updates.

SCCM-Restart1

Not good! It's the middle of the day, on pretty much the busiest month of the year so I need to find a way to stop this. Dug around and couldn't find any clean documented way of suppressing the reboot so had to get dirty.

I fired up Process Explorer with the long shot of finding the process that was counting down and automating the restart. Luckily I see SCNotification under CcmExec and kill it, the countdown and tray icon disappear and I go and make myself a coffee. Good job Tom...

As it happens the process just respawned and the countdown continued. In the end I had to kill the SCNotification process and pause CcmExec, which worked.

SCCM-Restart2

CcmExec is now paused, so you will want to schedule a reboot. Expect to see a few of these in the event log until you do:

SCCM-Restart3
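The steps above in scripted form, as an added example that is not part of the original post: it pauses CcmExec before killing SCNotification (so the notification is not respawned in between), reports the service state, and registers the deferred reboot the post says you still need to schedule. The task name and reboot time are placeholders.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
function Suspend-SccmRestartCountdown {
    # The countdown and tray icon come from SCNotification, and CcmExec respawns it,
    # so pause the agent first (pause, not stop, as in the post) and then kill the process.
    Suspend-Service -Name 'CcmExec'
    Stop-Process -Name 'SCNotification' -Force -ErrorAction SilentlyContinue
    Get-Service -Name 'CcmExec' | Select-Object Name, Status      # expect Paused
}

function Register-DeferredReboot {
    param([datetime]$At)
    # One-shot scheduled task running as SYSTEM; 60 seconds' warning for anyone logged on.
    $action  = New-ScheduledTaskAction -Execute 'shutdown.exe' `
        -Argument '/r /t 60 /c "Scheduled reboot to complete pending SCCM installs"'
    $trigger = New-ScheduledTaskTrigger -Once -At $At
    Register-ScheduledTask -TaskName 'DeferredSccmReboot' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force
}

Suspend-SccmRestartCountdown
Register-DeferredReboot -At (Get-Date).Date.AddHours(26)      # 02:00 tomorrow (placeholder)

# CcmExec starts normally after the reboot. If you cancel the reboot instead, do not
# leave the agent paused: Resume-Service -Name 'CcmExec'
```

While CcmExec is paused the client reports nothing back to the site server, so the deferred reboot is also what brings the machine back into a normal compliance state.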


Solarwinds – Log and Event Manager [Sponsored Review]


A couple of years ago I posted an article which explained a couple of free methods to monitor and get reports for event logs. Whilst they might be handy for a smaller environment, as the number of servers and devices that require monitoring increases, a more enterprise and robust solution is needed.

How do you currently monitor your logs, be it on your router, firewall or Windows servers? In my travels I find a lot of sysadmins will manually peruse the logs, normally ad hoc or when an issue has already been detected. This leads to slow detection of potential issues and security threats, and isn't particularly efficient.

This brings us nicely to a review of SolarWinds Log and Event Manager (I'll call this LEM for the rest of the review). When I was asked to review this product I was keen to try it out. LEM allows you to collect all these logs into a central point and to view live events as they happen, search for past events and even take automatic action with what they call Active Response.

As with most of these types of products, it's hard to review everything. So I'll give a brief overview on installation, real time analysis, active response, nDepth and overall use of the product.

Log Collection, Analysis, and Real-Time Correlation

  • Collects log & event data from tens of thousands of devices & performs true real-time correlation
  • Powerful Active Response technology enables you to quickly & automatically take action against threats
  • Advanced IT Search employs highly effective data visualization tools – word clouds, treemaps, & more
  • Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more
  • Out-of-the-box correlation rules, reports, & responses enable speedy deployment in an hour or less

Installation

SolarWinds provide a virtual appliance, which makes testing and deploying LEM extremely straightforward. Simply import the appliance into your Hyper-V or ESXi environment. The appliance boots up and presents the options needed to configure LEM initially, for example setting the IP address and timezone, reboot/shutdown, disk usage, ping, top and other helpful tools for maintenance of the guest.

Agents are required on any device that can't provide SNMP, for Windows you can either install the Agent locally or use the remote deployment method to deploy the agent to multiple servers. LEM Agents can be installed on Windows, Linux and Mac OS X.

LEM-VM

  • LEM 5.5, full install package for VMware ESX/ESXi 4.0+ :

http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v5.5.0-Evaluation-VMware-p1520.exe

  • LEM 5.5, full install package for HyperV:

http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v5.5.0-Evaluation-HyperV-p1520.exe

Real Time Analysis

Once you've pointed your browser at the LEM guest and logged in you're presented with the Ops Center dashboard, which allows you to get a high level overview of what's been happening on your network. You can move, delete or add new widgets depending on your requirements/taste. The Monitor tab at the top takes us to the monitor view. In monitor view you are able to see all events occurring live, although you are more likely to choose one of the predefined filters in place. You can also create your own filters, although out of the box the default filters are pretty good (there's even filters for PCI/HIPAA events).

Selecting one of the events populates the event details pane, which gives you a more detailed view of the event, to the left of this pane you can create your own widgets for quickly identifying trends.

LEM-Monitor2

The real time monitoring interface isn't just for monitoring events, it also allows you to perform various tasks against the events that are being populated live. For example, you're able to select a particular host/event and run a whois, nslookup or traceroute. It's nice to have it right there, without having to open a separate command prompt. You can also take the event into nDepth and see historical details for the event.

You can actively respond to an event, some popular items are pre-populated but "All actions" offers a lot more. The respond menu allows you to (for example) restart a machine when you see a particular problem reported or block an IP if you detect a port scan.

LEM-AM2

nDepth

nDepth provides the ability to search through all of the event data and log messages; the log data is stored in real time and comes with a handful of saved searches to get you started. The dashboard gives you a quick view of how many events have been logged each day, and provides a word cloud which highlights the most repeated terms logged in the time-frame set. It's a nice way to provide a visual representation of what's going on.

LEM-nDepth3.png

You can build searches with drag and drop, a common theme through LEM, enabling you to spot trends or anomalies. Once you have the data you need, you can formulate a report and export to PDF. Again there are various templates and the ability to drag and drop different items into the report. The reports look great.

Active Response

The rules section is used to create, configure and manage rules, which are in turn used to monitor and respond to events. Now, this is where I get really interested in LEM, as automatically responding to something based on a set of events is just, well... cool! The scope for the rules and active responses is pretty huge, although you may need to spend a little time getting used to how to construct the rules. The out of the box rules are great, and there are lots of them to get you started. Some of the possible Active Responses and actions:

  • Restart stopped Anti-virus
  • Remote Desktop Launch after business hours
  • Non-admin server logon
  • Block IP Addresses
  • Kill processes
  • Force user log-off
  • Disable user/computer accounts
  • Stop/start/restart service

Here is one of the active responses that detects if Minesweeper is started. It will then kill the process and display an alert window on the offending machine.

LEM-AR1

LEM-AR2

Here is one of the rules to notify you of any changes made to any security group with "admin" in the title.

LEM-AR3
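For comparison with the rule above, here is a home-grown version of the same detection, written as an added example and not SolarWinds code: it reads the Windows Security log for the "member added to security-enabled group" events (4728 global, 4732 domain local, 4756 universal) and reports the ones whose group name contains "admin", together with who made the change. It has to run on a domain controller (or against a server that collects forwarded Security events) with rights to read that log; the one-day default window is an assumption.

```powershell
# Added example (not SolarWinds code). Reports additions to any security group whose
# name contains "admin", using the same Security events an AD DC already writes.
function Get-AdminGroupMembershipChanges {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # 4728 = global, 4732 = domain local, 4756 = universal security group member added.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML rather than parsing the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -match 'admin') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']          # DN of the account that was added
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

Get-AdminGroupMembershipChanges | Format-Table -AutoSize
```

Running this from a scheduled task and mailing the output is roughly what LEM's rule does for you, minus the correlation, the central store and the ability to respond automatically; the removal events (4729, 4733, 4757) can be added to the Id list in the same way.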

Thoughts

The GUI is fairly easy to get used to; the only real annoyance I found is that I kept pressing the back button on my mouse, which would take me back to the page before I had logged into LEM, and I'd have to log back in. This is probably more my fault than LEM's, but it was frustrating nonetheless. Whilst bringing up the LEM guest and the built-in rules, filters and so forth is great, SolarWinds LEM is something you will have to spend a bit of time on to get the most out of; that's true of most monitoring solutions though.

I've been using LEM on and off for a couple of weeks now and have come away pretty impressed, it does a great job easing the task of log monitoring and provides a great way to get a better view of what's actually happening on the network. Not only that but it adds automation to responses based on events.

There is plenty of support on the product in the form of video guidance and of course the Thwack community.

Don't have time to configure and trial LEM? Why not try SolarWinds' live demo of the product here.

LEM-WC


Server 2012 – Active Directory Fine Grained Passwords Revisited


Fine grained password policies were introduced back in Server 2008, and the process for creating them, whilst not massively difficult, wasn't particularly intuitive. Microsoft have improved this a lot with Server 2012: custom password policies are now easier to create, assign and monitor.

How to Create a Password Setting

Open Active Directory Administrative Center, expand System, find the password settings container, select new and password settings.

2012-FineGrained-1

These settings should all be familiar to you, if you've ever set a domain password policy before with group policy. If not, please refer to this Technet page for more detail about each of the settings.

In this example I've disabled the account lockout policy, and added the Sales security group.

2012-FineGrained-2

To add users or groups, select add and find the object in Active Directory.

2012-FineGrained-6

View members of a password setting, or check if a user has a password setting applied

There are two easy ways to find which users or groups are assigned to a custom password setting, or if a user is a member of a password setting.

To find what users/groups are members of a custom password setting, simply find the policy in the password settings container and double click. View the "Directly applies to" box, to view the members (See the 2nd screenshot above for an example).

2012-FineGrained-3

To see if a particular user has a custom policy against it, simply right click the user within the Active Directory Administrative Center and select View resultant password settings. If there is a password setting against the user, it will open the policy to expose the current settings.

2012-FineGrained-4

If a user does not have a custom password policy, it will show you a message stating "User does not have resultant fine grained password settings. Please check the user's domain password settings."

2012-FineGrained-5
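The three tasks above (create the setting, apply it to the Sales group, check a user's resultant policy) can also be done with the ActiveDirectory module, which is what the Administrative Center calls underneath. The block below is an added example and not from the original post; the policy name, the password values other than the disabled lockout, and the user account are placeholders.

```powershell
# Added example (not from the original post). Run on a DC or a machine with the AD RSAT.
Import-Module ActiveDirectory

# 1. Create the password settings object. Lockout is disabled (threshold 0) as in the post;
#    the other values are illustrative. Lower Precedence wins if a user matches several PSOs.
New-ADFineGrainedPasswordPolicy -Name 'Sales-PSO' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 12 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 0 -ReversibleEncryptionEnabled $false

# 2. Apply it to the Sales security group (the "Directly applies to" box).
Add-ADFineGrainedPasswordPolicySubject -Identity 'Sales-PSO' -Subjects 'Sales'
(Get-ADFineGrainedPasswordPolicy -Identity 'Sales-PSO' -Properties AppliesTo).AppliesTo

# 3. Resultant policy for one user, the scripted "View resultant password settings".
function Get-UserEffectivePasswordPolicy {
    param([string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
    } else {
        # Same situation as the "does not have resultant fine grained password settings" dialog.
        "$User has no resultant fine grained password settings; the domain password policy applies."
    }
}

Get-UserEffectivePasswordPolicy -User 'j.smith'     # placeholder user
```

Get-ADUserResultantPasswordPolicy resolves group membership for you, so it is the quickest way to audit which policy a given account actually ends up with when several PSOs overlap.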

Much easier, I'm sure you'll agree.

