Deselect “automatically detect settings” in IE using GPP

idefixwiki

Lately I struggled with finding a way to deselect “automatically detect settings” in IE for all users of a customer.


There are no GPO settings for this, and the GPP IE settings don’t allow setting this for any IE version before IE10, and the customer needs IE9 for compatibility issues with their SharePoint sites.

After much searching I found a way to set this using GPP to set a registry setting.

  1. Create a new GPO or edit an existing one
  2. Navigate to User configuration – Preferences – Windows Settings – Registry
  3. Create a new registry item with the following values
    1. Name: DefaultConnectionSettings
    2. Action: Update
    3. Hive: HKEY_CURRENT_USER
    4. Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    5. Value Name: DefaultConnectionSettings
    6. Type: REG_BINARY
    7. Data: (make sure you copy the entire line below, it’s several hundred digits)


It should look like this then

[Screenshot: ADS_reg]

This will always clear “Automatically detect settings” on the next logon or gpupdate.
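
To confirm on a client that the preference item took effect, the value can be read back and decoded. This is an added example, not part of the original post; it assumes the commonly observed layout of the blob (a counter in bytes 4-7 and a flag byte at offset 8), and the function name and sample bytes are made up for illustration. It needs PowerShell 3.0 or later.

```powershell
# Added example. Assumed layout: byte 8 is a bit field where
# 0x02 = manual proxy, 0x04 = auto-config script, 0x08 = automatically detect settings.
function Get-ConnectionFlags {
    param([Parameter(Mandatory = $true)][byte[]]$Blob)
    if ($Blob.Length -lt 9) { throw "Blob too short: $($Blob.Length) bytes" }
    $flags = $Blob[8]
    [pscustomobject]@{
        Counter       = [BitConverter]::ToUInt32($Blob, 4)   # change counter kept by Windows
        FlagByte      = '0x{0:X2}' -f $flags
        ManualProxy   = [bool]($flags -band 0x02)
        AutoConfigUrl = [bool]($flags -band 0x04)
        AutoDetect    = [bool]($flags -band 0x08)
    }
}

# Constructed sample (not the value from the post): flag byte 0x09 = auto-detect enabled
$sample = [byte[]](0x46,0,0,0, 0x05,0,0,0, 0x09,0,0,0, 0,0,0,0)
Get-ConnectionFlags -Blob $sample

# Live check for the logged-on user, e.g. after gpupdate
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$live = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction Stop).DefaultConnectionSettings
$state = Get-ConnectionFlags -Blob $live
if ($state.AutoDetect) {
    Write-Warning "Automatically detect settings is still enabled (flags $($state.FlagByte))"
} else {
    Write-Output "Auto-detect is off (flags $($state.FlagByte))"
}
```

Because the GPP item replaces the whole value, it is worth comparing the ManualProxy and AutoConfigUrl fields before and after rollout on machines that rely on a proxy or PAC file.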


Removing mail stuck in retry queue in Exchange

Everyone working with mail has seen this: messages and NDRs stuck in retry queues, mostly thanks to spam and malware.

These fine lines of Powershell will remove all messages from retry queues without sending NDR for each message.


# Empty Exchange retry queues without NDR
# Written by Per-Torben Sørensen (per-torben.sorensen@evry.com)
#
# Version: 1.0
#*********************************************************************************************
# Change the settings below
#
$Servers = "CAS01","CAS02" # Enter the name of all CAS servers
#*********************************************************************************************
# Variables below
#
add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010
#*********************************************************************************************
foreach ($server in $servers)
{
    $retryqueues = get-queue -Server $server -filter {Status -eq "Retry"}
    foreach ($queue in $retryqueues)
    {
        Get-Message -Queue $queue.identity | Remove-Message -WithNDR $false -Confirm:$false
    }
}
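
A review-first variant of the cleanup, as an added example that is not the author's script: the loop above deletes every message in a retry queue, legitimate mail included, so this version records what is queued before removing anything and defaults to a dry run. The function name, the server names and the C:\Temp report folder are assumptions.

```powershell
# Added example, not part of the original script. Assumes the Exchange 2010
# management snap-in (as in the post) and a hypothetical report folder.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

function Clear-RetryQueue {
    param(
        [string[]]$Servers   = @("CAS01","CAS02"),   # placeholder names, as in the post
        [string]  $ReportDir = "C:\Temp",            # hypothetical report folder
        [switch]  $Commit                            # without -Commit nothing is deleted
    )
    $stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
    $report = Join-Path $ReportDir "retry-queue-$stamp.csv"
    $queued = @()

    foreach ($server in $Servers) {
        $retryQueues = Get-Queue -Server $server -Filter {Status -eq "Retry"}
        foreach ($queue in $retryQueues) {
            # LastError on the queue explains why delivery is failing
            Write-Host ("{0}: {1} message(s), last error: {2}" -f `
                $queue.Identity, $queue.MessageCount, $queue.LastError)
            $queued += Get-Message -Queue $queue.Identity -ResultSize Unlimited
        }
    }

    # Keep a record of what is dropped: with no NDR the senders are never told
    $queued |
        Select-Object Identity, FromAddress, Subject, Size, DateReceived, SourceIP, LastError |
        Export-Csv -Path $report -NoTypeInformation -Encoding UTF8

    foreach ($msg in $queued) {
        if ($Commit) {
            Remove-Message -Identity $msg.Identity -WithNDR $false -Confirm:$false
        } else {
            Remove-Message -Identity $msg.Identity -WithNDR $false -WhatIf
        }
    }
    return $report
}

Clear-RetryQueue            # dry run: writes the CSV and prints what would be removed
# Clear-RetryQueue -Commit  # run after reviewing the CSV
```

The CSV gives a record of senders, subjects and source IPs if a user later asks about a missing message.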

CAWeb Enrollment error 403.14

A short blogpost about my PKI/IIS challenge today

idefixwiki

The Certification Authority Web Enrollment is the webpage where you can log on to request certificates or download CRLs from your CA. One of my challenges today was that a newly installed issuing CA was unable to configure the Web enrollment webpage correctly. No matter what I did I always got the “403.14 – Forbidden” error.

After quite a bit of troubleshooting, including removing and re-adding roles using both Server Manager and PowerShell and reboots between the steps, I was no closer to a solution. One of my Google searches led me to http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_26623918.html where he suggests to check that default.asp is located in the path C:\Windows\System32\CertSrv\en-US.

I had the file and everything there was correct, but that led me to check the path of the website itself. For some reason IIS kept linking the /certsrv site to C:\Windows\System32\CertSrv which is the parent folder, so as soon as I changed the path from C:\Windows\System32\CertSrv to C:\Windows\System32\CertSrv\en-US in IIS…


Active Directory disaster recovery with Windows Server Backup

Hello.

Earlier I wrote a post on how to back up and restore objects in Active Directory with Windows Server Backup here: https://pertorben.wordpress.com/2013/04/15/active-directory-backup-and-restore/

Here I used the command wbadmin start systemstatebackup -backuptarget:(path) to perform a system state backup on a domain controller and use Directory Service Restore Mode (DSRM) to recover deleted items, as was explained on Microsoft Technet. However there is one drawback to this method, and it’s that you can’t perform a disaster recovery of your AD using this backup, and by disaster recovery I mean that all of your servers are completely gone and you have nothing left except your backups. If you try to use a complete server restore with this backup, this is as far as you will get.

[Screenshot: Disaster Recovery error]

So in order to do a disaster recovery you need a backup that supports this. With wbadmin you can run

wbadmin start backup -allcritical -systemstate -vssfull -backuptarget:(path):

With this backup you can boot a blank server from the 2012 R2 install media and select Repair your computer. Choose image restore and it should detect your backup if it’s available.

[Screenshot: DR_AD_OK]

After the restore you have a complete server restored from the point in time at which the backup was taken. From here you can seize any FSMO roles if you need to, and then start promoting more domain controllers. In a disaster recovery scenario I would rather promote new domain controllers instead of running restore on every single Domain Controller. Note that your NIC will most likely be set to default on the restored server so you may need to set the correct IP address again.

So the big question now is: Can you use this backup procedure to do a restore of a deleted object in AD, instead of a complete Disaster recovery? The answer is yes. You don’t need to have 2 backups (one of AD and one for disaster recovery). All you need is the backup from this post and follow the procedure from the post I linked at the top to restore a deleted object in AD.
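
The difference between the two backup types above can be checked before a disaster rather than during one. The following added example (not from the original post) parses the "Can recover:" line of English-language `wbadmin get versions` output and flags versions that cannot be used for a bare metal restore; the function name and the sample text are constructed for illustration. It needs PowerShell 3.0 or later.

```powershell
# Added example. Parses "wbadmin get versions" text into objects and marks
# which backup versions support Bare Metal Recovery.
function ConvertFrom-WbadminVersions {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Backup time:\s*(.+)$') {
            if ($current) { $current }          # emit the previous version block
            $current = [pscustomobject]@{
                BackupTime = $Matches[1].Trim(); VersionId = $null
                CanRecover = @(); BareMetal = $false
            }
        } elseif ($current -and $line -match '^\s*Version identifier:\s*(.+)$') {
            $current.VersionId = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*Can recover:\s*(.+)$') {
            $current.CanRecover = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() })
            $current.BareMetal  = $current.CanRecover -contains 'Bare Metal Recovery'
        }
    }
    if ($current) { $current }
}

# Constructed sample output: a system state backup followed by an -allcritical backup
$sample = @'
Backup time: 4/15/2013 9:00 PM
Backup target: Fixed Disk labeled Backup(E:)
Version identifier: 04/15/2013-19:00
Can recover: Application(s), System State

Backup time: 4/16/2013 9:00 PM
Backup target: Fixed Disk labeled Backup(E:)
Version identifier: 04/16/2013-19:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@ -split "`r?`n"

$versions = ConvertFrom-WbadminVersions -Lines $sample
$versions | Format-Table BackupTime, VersionId, BareMetal -AutoSize
if (-not ($versions | Where-Object { $_.BareMetal })) {
    Write-Warning "No backup version supports bare metal recovery"
}

# On a domain controller (elevated prompt), feed it the live catalog instead:
# ConvertFrom-WbadminVersions -Lines (wbadmin get versions)
```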

Import missing VM into Hyper-V

I want to share a little story which once again proved to me how much easier IT is when you learn a little PowerShell.

I recently had an outage on my Hyper-V server (Windows 10 server build 9841 btw) which holds my lab environment at home. The server lost connection with an SSD drive (E:\) containing almost 15 VMs, but this was luckily fixed by reattaching the SATA cable to the drive.

However, when the server booted and my E:\ drive had returned, all the VMs on the drive were missing, both in the Hyper-V management console and in PowerShell when I ran “Get-VM”. The files and VHDs were intact so it was only a matter of importing them to Hyper-V.

So here I had two choices:

  1. Import the VMs one by one in a 5-click wizard
  2. Import the VMs with Powershell

After fiddling around with sending the configuration files for each VM into a foreach loop, and still not making it work I tried something simpler. All I needed was a 1-liner which listed the config files and piped them into the import-vm cmdlet and the following line imported all the VMs on my E: drive into Hyper-V and I could start the VMs with no need to change any kind of configuration.

Get-ChildItem E:\Hyper-V -Recurse *.vmcx | Import-VM

Once again Powershell proves to be an amazing tool.

Preparing for Windows 9 with dualboot

As most of you know, Microsoft will announce Windows 9 on September 30th 2014 which is in 2 weeks as I write this. Now I am very excited about this product and considering there hasn’t been any information about the new features yet I predict a lot of testing when the technical preview (really Microsoft, just call it a beta) is released to the public.

So how do we test this new operating system?

The initial thought is to use a hypervisor, like Hyper-V, and create VM’s with Win9 on, but imo that really isn’t a very good way to try the client OS. Therefore I wanted to share my approach which is to initially install Windows 9 on a VHDX file and set it in a dualboot configuration with my Windows 8.1 system which I’m currently using. Unless I find something that tells me otherwise, Windows 9 will shortly be my main OS. There are 2 big advantages to running this in a VHDX with dualboot instead of a vm:

  1. You get a much truer test of how the OS will run on your hardware, since it actually reaches your physical hardware with the exception of the hard drive, which is virtual. I find this particularly important when testing a client OS.
  2. You can for all intents and purposes replace your current installation, but it is still very easy to fall back to should something occur, or if you just have to get some files that you haven’t backed up or put into the cloud.

So now that I have convinced you all on why this is a good idea I will show you how to easily do it. In the procedure below I’m using Windows 8.1 to mimic the Windows 9 iso since it’s not available until 2 weeks from now.

There are 3 stages for getting a VHDX file in dualboot with your existing 8.1 installation:

  1. Create a vhdx file
  2. Apply the new Windows image to the vhdx file
  3. Set up the boot configuration

 

Create the vhdx file.

Here I create a dynamically expanding 40GB vhdx file in the folder c:\boot on my C:\ drive.

Create the folder to store the vhdx file, C:\boot in this example.

Open an elevated command prompt and type the following

diskpart
create vdisk file=c:\boot\win9.vhdx type=expandable maximum=40960
attach vdisk
list disk

Verify that the VHD is selected, as shown by the star on the left

create partition primary
format fs=ntfs quick
active
assign
exit

Now the vhdx file has a formatted and active partition, in this case it was mounted as E:

 

Apply the new Windows image to the vhdx file

Now that the vhdx file is ready, you mount up your newly downloaded Windows 9 iso, in this case it’s mounted as D:

First you have to pick the SKU you want from the iso. Note the name and Index# from this command (again, Windows 8.1 is used in this example)

dism /get-imageinfo /imagefile=d:\sources\install.wim

[Screenshot: dism_find_index]

Now I see I can either install Windows 8.1 or 8.1 Pro. Since I want 8.1 Pro, I must apply Index 1 to my vhdx

dism /apply-image /imagefile=d:\sources\install.wim /index:1 /applydir:e:\

Wait for the operation to complete

 

Set up the boot configuration

The vhdx file is ready but not yet set up as a boot option on your computer, so we keep working in the elevated command prompt.
Add the vhdx to the boot menu

bcdboot e:\windows

[Screenshot: bcdboot]
To check your boot configuration

bcdedit /enum

[Screenshot: The boot configuration]

Notice that the description is the same for both entries, which makes it confusing, but the device tells us which is the vhdx file. Also, the vhdx file is the default boot option.

If you want your current installation as default boot then simply run

bcdedit /default {current}

And last I want to change the description to tell them apart, which hopefully won’t be necessary with the genuine Windows 9 iso.

bcdedit /set {b42c4225-3dc5-11e4-94b6-c190548f218f} description "Windows 9"

After you run bcdedit /enum again you should see something like this

[Screenshot: bcdedit_displayname]

Finally we are ready to test this. Simply reboot your computer and you should see the new and improved boot menu in Windows 8.1

[Screenshot: The boot menu]

Make sure you check out “Change defaults or choose other options”, lots of neat stuff there.

Final words: Yes, I am perfectly aware of all the tools that can do this for you, but you won’t improve your skills in diskpart, dism and bcdedit by using those tools. The best way to improve in something is to work with it.