MsExchange Blog Spot Telnet25

April 26, 2016

Create installation media for IFM

Filed under: General — telnet25 @ 3:29 am

There are times, when installing domain controller, you may want to choose install from media option to start with, remote sites Domain Controllers installation. Perhaps bandwidth is the concern. In similar situations we will prepare IFM to use. Log into your domain controller as an administrator. Open Command prompt with your administrator credentials. Click start on the run menu type cmd.exe and press enter and accept any UAC prompt. At the Administrator command prompt Type:

  1. Ntdsutil
  2. activate instance ntds
  3. IFM
  4. create sysvol full <Drive>:\<InstallationMediaFolder>



You can use Robocopy to move IFM media to destination server to prepare install from media on windows 2012 R2 environment.


You can download Robocopy script from TechNet Library

Oz Casey, Dedeal (MVP North America)
Security+, Project +, Server + (Blog) (Blog) (Twitter)

April 7, 2016

Create Virtual Host via PowerShell

Filed under: General — telnet25 @ 3:43 am

This simple PowerShell script will assist you to configure virtual machines on your HyperV Server. Script will create virtual host , create virtual hard disks and mount the ISO file. All you have to do is , start the VM and follow install wizard to complete the settings.







# Script: Create_VM_App_Server_NR.ps1 
# Created With:ISE 3.0 
# Author: Casey Dedeal 
# Date: 04/06/2016 22:58:41 
# Organization:  ETC SOLUTIONS
# File Name: Create_VM_App_Server_NR.ps1 
# Comments:  First Version
Change these variables
$path = "A:\HyperV_" ( Change the Path )
$ISOPath = "A:\ISO\en_windows_server_2012_r2_x64_dvd_2707946.ISO"


Oz Casey, Dedeal (MVP North America)
Security+, Project +, Server + (Blog) (Blog) (Twitter)

February 15, 2016

Configure ISE Profile For More Efficient Scripting

Filed under: General — telnet25 @ 3:57 am

Do you want your ISE to be more efficient, when writing scripts and getting your daily work done? If your answer is “yes” here is simple profile script to assist you. Download from TechNet Scripting Center.
You can simply add more, make sure you replace the server names to make it fit to your environment. Download above profile script and add below adds-on.

# Connect Exchange 2010 Remote PowerShell
  "Connect to Exchange 2010",
        $s = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri `
        -Authentication Kerberos
        Import-PSSession $s

# Connect Lync Remote PowerShell
  "Connect to Lync Remote PowerShell",
     $lync_S = New-PSSession -ConnectionUri `
               -SessionOption $lyncOptions `
               -Authentication NegotiateWithImplicitCredential `
               -Authentication Kerberos
     Import-PSSession $lync_S


Oz Casey, Dedeal (MVP North America)
Security+, Project +, Server + (Blog) (Blog) (Twitter)

February 11, 2016

Windows 2012 R2 Deploy Certificate Authority Step by Step Part-1

Filed under: General — telnet25 @ 4:00 am
  • Log on to <Your_Windows_2012_R2_Server> as a domain administrator.
  • Click Start, | PowerShell| Type "ServerManager" , press enter 
  • Click Add roles | next | leave default


  • Click | Next


  • Select | Active Directory Certificate Services


  • Add required Futures | Press twice Next


  • Click Next again | Select Certificate Authority | CA Web Enrolment


  • Next | Install


  • Go back to Server Manager | Post Deployment Configuration


  • Next


  • Select | Certificate Authority | CA Web Enrolment


  • Select | Enterprise CA | Next


  • Select | Root CA | Next


  • Select | Create a new Private Key | Next


  • Select | RSA # Microsoft Software Key Storage Provider | Key Length 4096 | SHA256


  • Click Next | Accept default


  • Accept Default | Click Next


  • Accept Defaults | Click Next


  • Click | Configure


  • Results page | Click Close


Part 1 is completed.

MS link

Oz Casey, Dedeal (MVP North America)
Security+, Project +, Server + (Blog) (Blog) (Twitter

January 29, 2016

VMware workstation This virtual machine appears to be in use.

Filed under: General — telnet25 @ 9:27 pm

If you are running your own LAB with VMWare workstation and getting the erros “ This  virtual machine apperas to be in use” here is qucik solution.


If you try to take the ownership of the virtual host, you will receive “Could not open virtual machine …” warnings and it will ask you if you want to remove it from library. Which for obvious reasons you would not want to do that


Open the virtual machine folder and locate the folders ends wih .L


You will need to delete them……


If you try to take the ownership of the virtual host, you will receive “Could not open virtual machine …” warnings and it will ask you if you want to remove it from library. Which for obvious reasons you would not want to do that

After deletion you will noticed the Virtual host will start with no issues. What are these folders and files in them for ? The running VM machnine will lock the files to prevent conflics and consistency problems on the virtual disks, if not they could get corrupted.The lock files gets created on the same directory as VMDK files. If you like to read more here is the article.

Oz Casey, Dedeal (MVP North America)
Security+, Project +, Server + (Blog) (Blog) (Twitter)

January 25, 2016

Moving and Seizing FSMO Roles Via PowerShell

Filed under: General — telnet25 @ 4:24 am

In Active directory forest, there are five FSMO roles that are assigned to one or more domain controllers. Two of these FSMO roles are forest wide and it can only be seen at Forest level. Three of the FSMO roles are domain wide.

Schema Master FSMO Role

Responsible for performing updates to the directory schema. Schema Master Role can process updates to the directory schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.

Domain Naming Master FSMO Role

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. Domain Name Master DC is can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.

RID Master FSMO Role

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

Each Windows DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain’s RID master. The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory.

PDC Emulator FSMO Role

The PDC emulator is necessary to synchronize time in an enterprise. Windows includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows domain, the PDC emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator. Any lockout notification is sent to PDC immediately

Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

If a logon authentication fails at a given DC in a domain due to a bad password, the DC will forward the authentication request to the PDC emulator to validate the request against the most current password. If the PDC reports an invalid password to the DC, the DC will send back a bad password failure message to the user.

All domain controllers which receives an incorrect authentication request will poll the PDC Emulator as a “second opinion” before rejecting the user. (PDC always knows the most recently modified passwords)

Account lockout is processed on the PDC emulator. Any account lockout is immediately sent as a notification to the PDC Emulator.

Infrastructure FSMO Role

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference.

NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC’s event log.

If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.


Moving and Seizing FSMO roles:

Before exploring with PowerShell make sure you understand the difference in between moving the FSMO roles compared to Seizing them. Moving, both DC’s involved are alive and willingly to give up and accept the new role. Changes to. DIT database replicated among the domain controllers. Seizing involves the current FSMO role owner is no longer available and its role forcibly moved to another available DC. When you move forcibly FSMO roles (-Force) you cannot bring the DC back online as it would create issues.


PS C:\> Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole SchemaMaster

PS C:\> Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole DomainNamingMaster

PS C:\> Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole PDCEmulator

PS C:\> Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole RIDMaster

PS C:\> Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole InfrastructureMaster

Moving All FSMO Roles , is much easier

PDC Emulator – 0

RID Master – 1

Infrastructure Master – 2

Schema Master – 3

Domain Naming Master – 4

Move-ADDirectoryServerOperationMasterRole -Identity DC2 –OperationMasterRoles 0,1,2,3,4


Seizing FSMO Roles:

Once last time, be very cautious when using –Force (Seizing) option

Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole PDCEmulator -Force

Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole RIDMaster -Force

Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole InfrastructureMaster -Force

Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole SchemaMaster -Force

Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole DomainNamingMaster -Force

Move-ADDirectoryServerOperationMasterRole -Identity DC2 –OperationMasterRole 0

Move-ADDirectoryServerOperationMasterRole -Identity DC2 –OperationMasterRole 1

Move-ADDirectoryServerOperationMasterRole -Identity DC2 –OperationMasterRole 2

Move-ADDirectoryServerOperationMasterRole -Identity DC2 –OperationMasterRole 3

Move-ADDirectoryServerOperationMasterRole -Identity DC2 –OperationMasterRole 4

Move-ADDirectoryServerOperationMasterRole -Identity DC2 –OperationMasterRole 5

Oz Casey, Dedeal (MVP North America)
Security+, Project +, Server + (Blog) (Blog) (Twitter)

January 24, 2016

Active DIRECTORY Interview Questions PART 1

Filed under: General — telnet25 @ 8:12 pm



New year  and new challange, perhaps your current contract is not doing well and you have decided to move on. If you are going to head up interview you might want to take your time and look at the questions and answers I have posted online. Purpose of these questions to improve your change getting a new job, perhaps push you to face with reality. As I do interviews with my peers most of the time I wanted to share few tips to help and assist with interview process. If these questions will challange you, you must invest time on your Active Directory knowladge and make sure you are upto current.

Getting to Know Your Basics

This basic guidelines, questions and answers will provide you information which should assist with your interview.
You should study and get much better, deeper knowledge when it comes to Active Directory.

Dress up decent on your interview, look clean this always helps , promotes positive energy.
Don’t go to interview tired, you need to be fresh.
Make multiple copy of your resume and take it with you, when you sit down in the interview room, hand over your resume to people who don’t have them.
Your answers need to be brief and professional if you are calming to be Senior Engineer. When you are asked to provide more comprehensive information, provide technical details.
It is perfectly okay to say “I do not know” I will look it up and get back to you. Do not “BS” Most likely the person who is asking you the question do know the correct answer.
If you are asked to rate your skill set, scale from 1 to 10, 1 being weak, and 10 is strong” rate yourself always in humble way. Most experience and smart administrators and Engineers will rate themselves solid 7, instead of 10.
At the end of the interview, when you are asked, “Do you have any questions to us” you must show some interest and ask questions if you want the job

Good Luck with your interview and here is the download link for Interview Questions


As professinal courtacy , please leave your comments and once again good luck with your interview.


Oz Casey, Dedeal  ( MVP North America)
Security+, Project +, Server + (Blog) (Blog) (Twitter)

September 22, 2015

Install Windows 2012 RODC step by step

Filed under: Windows 2012 — telnet25 @ 1:54 am

If you are looking for step by step instructions to develop plan to install Windows 2012 R2, this article might ease your task.

#Install Windows 2012 RODC

Preparing and Promoting Windows 2012 R2 Server to be Additional Domain Controller into Existing Windows 2008 R2 Forest/Domain

  1. Click start and click on PowerShell
  2. On the PowerShell window type hostname and press enter
  3. Make sure the server Name is in compliance with the serve name standard in your organization
  4. Rename the Server by using PowerShell
  5. Open PowerShell and type the following command

Rename-Computer -NewName ServerName

In the example below we renamed the server to RODC001 by typing

· Rename-Computer –NewName RODC001

· Press enter (Computer will require reboot for changes to take effect)


  1. From PowerShell window type “ncpa.cpl” and configure static IP address for your domain controller


  1. Reboot the server by typing on the PowerShell

· Shutdown –r –f –t 5 and press enter


  1. After server reboots, use remote desktop software (RDP) to log back onto Server and provide administrator credentials.

#Join Server to Domain

Joining server to existing domain is a good practice before promoting it to be a domain controller. When a server joins to domain the host “A record” will be created within the authoritative DNS zone of your domain name space. This ensures your server is able to talk to valid domain controller and your credentials will be cached by the promotion wizard to make things but easier.

1. Click start and open PowerShell, on the PowerShell window type the following command to join the server to existing domain.

Add-Computer – -Restart


2. Provide domain administrator credentials when prompted.


3. Server has been added to Domain successfully. Reboot the server by typing following on the command line or PowerShell window.

Shutdown –r –f –t 5 and press enter

#Preparing Server to be RODC (Add futures and required roles)

1. Log into your domain (not on the local server)


2. Click start open PowerShell and type hostname and press enter

Type Ipconfig /all and press enter


3. Now we have verified correct server name is being used and the static IP address is assigned to server with valid existing DNS server on the TCP IP properties

4. Type “ServerManager” on the PowerShell to Launch Server Manager

5. Click the Manage link at the top-right of the Server Manager console.

6. Select installation type screen, ensure Role-based or feature-based installation and Click “Next”


7. Role-based or feature-based installation is selected, and then click next.


8. Select destination server screen, pick a server and click next.


9. On the Select server roles screen, select Active Directory Domain Services, and then click ok on the add futures prompt window

10. Select DNS Server and click ok on the add futures prompt window

click Next and add “Group Policy Management” click next


11. Select Group Policy Management and click next


12. Click next


13. Click Next


14. Click Install



15. Wait for all the roles and features to be installed and click “close” when finished


16. When the installation completes, click Promote this server to a domain controller.

Promoting Server to be Read Only Domain Controller

After logging back onto server open server manager by typing “ServerManager” on the PowerShell console. Click yellow triangle to open Post-Deployment configuration wizard on top.


1. On the active directory Domain Services Configuration Wizard make sure the domain name and the correct domain administrator account is being used for the domain controller promotion


2. Click next when ready, on the next page we have an option to specify GC and RODC and we can place the new DC into proper AD Site. After providing DSRM password click Next


3. Leave all the default options and click next


4. Select install from media (IMF) options for sites which have slow replication and do the initial install from media (faster) and let the replication take care of the delta.


5. Choose the DC to replicate from


6. Choose the proper directory for. DIT Database, Log files and SYSVOL, we will leave it default


7. Click next in this window you can export the settings to PowerShell script to automate additional installation. If you are satisfied, click next once again


8. Wait for Prerequisites Check to complete and finally Click install to start the installation


Verifying Successful Domain Controller Promotion

1. Log back on to domain controller with proper domain administrator credentials.

2. Click start and open PowerShell, on the PowerShell type “dssite.msc” and press enter


3. Verify the newly promoted server is showing up under proper Active Directory site and replication connection has been created by KCC.

Type “net share” and press enter to verify the SYSVOL is showing up clip_image051

4. Type DCdiag and investigate the output if any issues found.


You can download the word version of this article from following link;

Oz Casey, Dedeal  ( MVP North America)


Security+, Project +, Server + (Blog) (Blog) (Twitter)

September 18, 2015

Schema Updates Windows 2012 R2

Filed under: Windows 2012 — telnet25 @ 3:57 pm

Schema updates are important task and it is necessary for applications Operations systems etc. Active directory Schema updates can be done ahead of time or it can be done with installation of first operating system or the application ( most of the time )

In cases where schema updates needs to be done separate ahead of time , you would need to build step by step upgrading schema implementation plan. After extending schema you would need to make sure , existing applications would continue to work.

Testing Active Directory Schema updates can be trick task as schema updates are “One Way”  meaning the schema updates needs to get done on your domain controller holds the schema master FSMO role from there it gets replicated to all other domain controllers within the Active directory forest environment. Time to time Active directory engineers will recommend stopping inbound and outbound AD replication on the Schema Master Role holder DC and believing this would prevent schema changes getting replicated to rest of the domain controllers within the environment. Which in reality buys you “Nothing or very little” . When you realize your critical legacy application is no longer functioning due to recent schema updates, your only option is to perform Forest Level recovery and this will be a “surgery” in term of getting everything up and running and especially  large environments. The domain controllers you shutdown will only buy you  recovery time “recover from your backup , active directory database” and you will still have to deal with having old .DIT , SysVOL etc. to replicate rest of the domain controllers and deal with FSMO roles.

If you are not familiar with process check out my previous article “ Active Directory From Total Lost Disaster Recovery Basic Steps.” and make sure you have developed restoring Active Directory from total lost white paper for your environment.

in order to perform AD recovery You need to understand the BurFlag keys and what they do and how to  Perform an authoritative  SYSVOL restore Set BurFlags to D4 or none authoritative restore D2 and understand the crucial difference in between. 

Extending Schema

We will extend the schema from windows 2008 R2 to windows 2012 R2. We will document steps and verify the schema version change.

  1. Log onto your existing windows 2008 R2 Server via RDP ( Remote Desktop Services) with your domain administrator privileges and provide your credentials when prompted.
  2. In order to extend the schema you will need to be member of Schema Admins security group.
  3. After successful logon , click start and on the search menu type PowerShell and press enter.
  4. On the PowerShell window type
Import-Module ActiveDirectory


On the PowerShell window type the following one liner PowerShell to find out the current schema version

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectversion


let’s explore the schema version numbers

Schema versions :

  • 69 = Widows 2012 R2
  • 56 = Windows 2012
  • 47 = windows Server 2008 R2
  • 44 = Windows Server 2008

You will need adprep folder to perform the schema updates."adprep" folder is located within windows 2012 R2 install CD , under support folder, copy "adprep" folder onto C drive of the domain controller ( windows 2008 R2)


From C:\Temp\adprep folder we will start executing adarep to perform schema updates.

Adprep /? Will show all available options;



Adprep /ForestPrep and press enter , you will need to type letter "C" to confirm and start the schema upgrade.

Adprep /ForestPrep


Schema changes will get done on the schema master first and from there it will get replicated to your other domain controllers. You can use "netdom" to find out the domain controller holds the schema master role and remember there is only one schema master per active directory forest.



Now run the Domain Prep


Now we need to run the PowerShell to get the Schema object version  69 = Widows 2012 R2

Oz Casey, Dedeal  ( MVP North America)
Security+, Project +, Server + (Blog) (Blog


August 9, 2015

Move Ad Computer Accounts from csv File into Target OU.

Filed under: General — telnet25 @ 11:24 pm

In this example we will move selected computer accounts from csv file into target OU. You will need to prepare csv file similar the one below and name the first column “CN”  and save it to server where you will be running the script from.This script will be very handy if you need to move computers from different locations into selected target OU.

You will need to change few things within the script to make it work within your environment.

$TargetOU = ‘OU=Computers,OU=VA,DC=TekPros,DC=com’  (Change this to make sure it suits your needs)



Here is the script

# This script will help to move bulk ad computer accounts into target OU
# Written 08/08/15 Casey, Dedeal
# Fell free to change use any part of this script

#Importing AD Module
Write-Host " Importing AD Module….. "
import-module ActiveDirectory
Write-Host " Importing Move List….. "
# Reading list of computers from csv and loading into variable
$MoveList = Import-Csv -Path "C:\Temp\PC_Move_List.csv"
# defining Target Path
$TargetOU = ‘OU=Computers,OU=VA,DC=TekPros,DC=com’
$countPC    = ($movelist).count
Write-Host " Starting import computers …"

foreach ($Computer in $MoveList){   
    Write-Host " Moving Computer Accounts…"
    Get-ADComputer $Computer.CN | Move-ADObject -TargetPath $TargetOU

Write-Host " Completed Move List "

Write-Host " $countPC  Computers has been moved "

You can download the script from this link

Oz Casey, Dedeal  ( MVP North America)
Security+, Project +, Server + (Blog) (Blog)


Next Page »

Blog at