Enable immediate replication between AD sites

What is immediate replication?

Active Directory has 3 replication models:

  1. Within a site (intrasite) the domain controllers use change notification to alert their replication partners of changes made in AD. By default the first partner is notified 15 seconds after a change, and each subsequent partner 3 seconds after the previous one.
  2. Between sites (intersite) change notification is not used. Replication only happens on the site link schedule, with 15 minutes as the shortest configurable interval.
  3. Account lockout, changes to the password policy, DC password changes and a few other situations trigger urgent replication, which happens as quickly as the domain controllers are able and bypasses all replication intervals.

Intersite replication can however be configured to use change notification. This bypasses the replication schedule of the site link and replication occurs as if the domain controllers were in the same site. It does of course increase the traffic over your WAN link, so make sure you have the bandwidth and latency to handle it.

How to enable immediate replication

The procedure differs between the site link itself and manually created connection objects. Both use the options attribute, which is a bitmask: if the attribute already holds a value, OR the new bit in (for example 1 becomes 5 on a site link that also has bit 4, disable compression, set) rather than overwriting it.

For the site link (covers every connection object the KCC creates over it):

  1. Open ADSIEDIT
  2. Connect to the Configuration naming context
  3. Expand Sites –> Inter-Site Transports –> IP
  4. Right-click the relevant site link and select Properties
  5. Set bit 1 in “options” (a site link with no other bits set gets the value 1)


For manually created connection objects (these do not inherit the site link setting):

  1. Open ADSIEDIT
  2. Connect to the Configuration naming context
  3. Expand Sites –> (the site name) –> Servers –> (server name) –> NTDS Settings
  4. Right-click the relevant connection object and select Properties
  5. Set bit 8 in “options” (a connection object with no other bits set gets the value 8)
  6. Repeat for every manually created connection object (if desired)


That’s all there is to it. Changes in AD will now flow as if the domain controllers are within the same site.
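The same two changes scripted with the ActiveDirectory module, as an added example that is not part of the original post. The script ORs the bit into the existing options value instead of overwriting it, and it finds manually created connection objects by the absence of the IS_GENERATED bit. The site link name is a placeholder, and the bit values (1 on the siteLink, 8 on a manual nTDSConnection) are the ones the post uses; run it as Enterprise Admin on a DC or a host with RSAT.

```powershell
# Added example (not from the original post): the two ADSIEDIT changes done with the
# ActiveDirectory module. The bit is OR-ed into the existing value so that other option
# bits (2 = two-way sync, 4 = disable compression on a site link) are not wiped.
# Assumptions: the site link name below is a placeholder; bit values follow the post
# (1 on the siteLink object, 8 on manually created nTDSConnection objects).
Import-Module ActiveDirectory
$SiteLinkName = 'DEFAULTIPSITELINK'   # placeholder: the IP site link you want notification on
$configNC = (Get-ADRootDSE).configurationNamingContext

function Set-OptionBit {
    # Set one bit of the 'options' attribute on an AD object, leaving the rest intact.
    param($Object, [int]$Bit)
    $current = [int]$Object.options          # attribute absent -> $null -> 0
    if ($current -band $Bit) {
        "{0}: bit {1} already set (options={2})" -f $Object.Name, $Bit, $current
        return
    }
    $new = $current -bor $Bit
    Set-ADObject -Identity $Object -Replace @{ options = $new }
    "{0}: options {1} -> {2}" -f $Object.Name, $current, $new
}

# 1) Site link: bit 1 = use change notification. Connection objects the KCC builds over
#    this link pick the setting up on its next run (every 15 minutes by default).
$linkDN = "CN=$SiteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$link = Get-ADObject -Identity $linkDN -Properties options
Set-OptionBit -Object $link -Bit 1

# 2) Manually created connection objects ignore the site link, so set bit 8 on each.
#    KCC-generated connections carry bit 1 (IS_GENERATED) in their own options attribute
#    and are skipped. Intrasite manual connections get the bit too, which is harmless
#    because notification is already the intrasite behaviour.
Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase "CN=Sites,$configNC" -Properties options |
    Where-Object { -not ([int]$_.options -band 1) } |
    ForEach-Object { Set-OptionBit -Object $_ -Bit 8 }

# 3) Verify: repadmin lists every connection object with its option flags
repadmin /showconn | Out-Host
```

Run it once per site link you want covered; the verification at the end shows the flags per connection so you can confirm the bit landed where you expected.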


Deselect “automatically detect settings” in IE using GPP


Lately I struggled with finding a way to deselect “automatically detect settings” in IE for all users of a customer.


There are no GPO settings for this, the GPP Internet Explorer settings don't allow setting it for IE versions before IE10, and the customer needs IE9 because of compatibility issues with their SharePoint sites.

After much searching I found a way to set this using GPP to set a registry value.

  1. Create a new GPO or edit an existing one
  2. Navigate to User Configuration – Preferences – Windows Settings – Registry
  3. Create a new registry item with the following values
    1. Name: DefaultConnectionSettings
    2. Action: Update
    3. Hive: HKEY_CURRENT_USER
    4. Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    5. Value Name: DefaultConnectionSettings
    6. Type: REG_BINARY
    7. Data: (make sure you copy the entire line below, it’s several hundred digits)




This clears “Automatically detect settings” for the user at the next logon or gpupdate. Note that the value is the complete connection settings structure, so it also overwrites any proxy or PAC script configuration the user had; if you need those, capture the value from a client with the right proxy settings and only autodetect cleared. As a side effect the client no longer looks for a WPAD proxy script through DHCP and DNS, a lookup that an attacker on the same network can answer to redirect the browser's traffic.
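An alternative that patches the existing value instead of replacing it, added here as an example and not taken from the original post: it clears only the autodetect flag and leaves the proxy and PAC fields alone, so it is safe on clients whose settings differ from the one you captured. The layout assumed in the comments (version DWORD, change counter, flags DWORD at offset 8) is the documented WinINet format, not something the post states; run it as the user, for instance from a logon script.

```powershell
# Added example (not from the original post): clear only the "Automatically detect
# settings" flag in the current user's DefaultConnectionSettings, keeping whatever proxy
# or PAC configuration the value already carries.
# Assumed value layout (documented WinINet format, not taken from the post):
# DWORD at offset 0 = structure version (0x46), offset 4 = change counter that WinINet
# bumps on every edit, offset 8 = flags: 1 direct, 2 manual proxy, 4 PAC script, 8 autodetect.
$Key        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$Name       = 'DefaultConnectionSettings'
$AutoDetect = 0x08

function Get-ConnectionFlags([byte[]]$Blob) {
    # flags DWORD, little-endian, at offset 8
    [BitConverter]::ToUInt32($Blob, 8)
}

$blob = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if (-not $blob -or $blob.Length -lt 12) {
    # No value means IE is on its defaults, where autodetect is on. There is nothing to
    # patch in place; push a complete value (the GPP item above) for that case.
    Write-Warning "$Name missing or too short; deploy a full value instead"
    return
}

$flags = Get-ConnectionFlags $blob
if (($flags -band $AutoDetect) -eq 0) {
    "Autodetect already off (flags=0x{0:X})" -f $flags
    return
}

$new = [byte[]]$blob.Clone()
# The bit is known to be set, so XOR clears it and touches nothing else
[BitConverter]::GetBytes([uint32]($flags -bxor $AutoDetect)).CopyTo($new, 8)
# Bump the change counter so WinINet notices the edit
$counter = [BitConverter]::ToUInt32($blob, 4) + 1
[BitConverter]::GetBytes([uint32]$counter).CopyTo($new, 4)

Set-ItemProperty -Path $Key -Name $Name -Value $new -Type Binary
"Autodetect cleared (flags 0x{0:X} -> 0x{1:X}); takes effect when IE is next started" -f $flags, (Get-ConnectionFlags $new)
```

The script refuses to invent a value when none exists, because a user with no DefaultConnectionSettings is on the IE defaults (autodetect on) and needs the full value from the GPP item rather than a partial edit.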


Removing mail stuck in retry queue in Exchange

Everyone working with mail has seen this: messages and NDRs stuck in retry queues, mostly thanks to spam and malware (NDRs to forged sender addresses whose domains will not accept them).

These few lines of PowerShell remove all messages from the retry queues without sending an NDR for each message.

# Empty Exchange retry queues without NDR
# Written by Per-Torben Sørensen (per-torben.sorensen@evry.com)
# Version: 1.0
# Change the settings below
$Servers = "CAS01","CAS02" # Enter the names of all transport servers that hold queues (Hub Transport role in Exchange 2010)
# Variables below
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
foreach ($server in $Servers) {
    # Only queues in the Retry state; Active and Ready queues are left alone
    $retryQueues = Get-Queue -Server $server -Filter { Status -eq "Retry" }
    foreach ($queue in $retryQueues) {
        # -ResultSize Unlimited: Get-Message returns only the first 1000 messages by default
        Get-Message -Queue $queue.Identity -ResultSize Unlimited |
            Remove-Message -WithNDR $false -Confirm:$false
    }
}
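A more careful variant, added here as an example and not part of the original post: it summarises the retry queues first, exports everything in them, and then deletes only the null-sender messages (the NDRs Exchange itself generated, which show a FromAddress of "<>"), leaving real mail to a temporarily unreachable domain to retry or expire on its own. It assumes the Exchange 2010 snap-in and reuses the server names from the post as placeholders.

```powershell
# Added example (not from the original post): look before purging, then remove only
# our own bounces. Assumptions: Exchange 2010 snap-in; the server names are the
# placeholders from the post; null-sender messages (FromAddress "<>") are NDRs.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
$Servers = "CAS01","CAS02"   # transport servers holding the queues

$retry = foreach ($s in $Servers) {
    Get-Queue -Server $s -Filter { Status -eq "Retry" }
}

# 1) Summary per next hop: a handful of domains with a DNS or SMTP LastError is the normal picture
$retry |
    Select-Object Identity, NextHopDomain, MessageCount, LastError |
    Sort-Object MessageCount -Descending |
    Format-Table -AutoSize | Out-String

# 2) Everything currently in retry, exported before anything is deleted
$all = foreach ($q in $retry) {
    Get-Message -Queue $q.Identity -ResultSize Unlimited
}
$csv = Join-Path $env:TEMP ("retry-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
$all | Select-Object Queue, FromAddress, Subject, Size, DateReceived, LastError |
    Export-Csv -Path $csv -NoTypeInformation

# 3) Drop the bounces only; other messages keep retrying until the hop comes back or they expire
$bounces = @($all | Where-Object { "$($_.FromAddress)" -eq '<>' })
"{0} messages in retry queues, {1} of them NDRs; full list in {2}" -f @($all).Count, $bounces.Count, $csv
$bounces | Remove-Message -WithNDR $false -Confirm:$false
```

If the summary shows one next hop holding almost everything, that hop is usually the real problem (a dead MX or a DNS issue), and the CSV tells you whether anything in there was mail you actually wanted delivered.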

CAWeb Enrollment error 403.14

A short blogpost about my PKI/IIS challenge today


The Certification Authority Web Enrollment is the web page where you can log on to request certificates or download CRLs from your CA. One of my challenges today was that a newly installed issuing CA was unable to configure the web enrollment page correctly. No matter what I did I always got the “403.14 – Forbidden” error.

After quite a bit of troubleshooting, including removing and re-adding roles using both Server Manager and PowerShell with reboots between the steps, I was no closer to a solution. One of my Google searches led me to http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_26623918.html where he suggests checking that default.asp is located in the path C:\Windows\System32\CertSrv\en-US.

I had the file and everything there was correct, but that led me to check the path of the website itself. For some reason IIS kept linking the /certsrv site to C:\Windows\System32\CertSrv, which is the parent folder, so as soon as I changed the path from C:\Windows\System32\CertSrv to C:\Windows\System32\CertSrv\en-US in IIS…
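The check that finds this in seconds, added here as an example that is not from the original post: it compares the physical path of the /CertSrv application in IIS with the folder that actually contains default.asp and corrects it if they differ. 403.14 is IIS refusing to list a directory, which is exactly what you get when an application points at a folder with no default document. It assumes the enrollment pages sit under “Default Web Site” and that the locale folder is en-US (it follows the server's language); run it elevated on the CA.

```powershell
# Added example (not from the original post): verify and fix the /CertSrv physical path.
# Assumptions: site name "Default Web Site", locale folder en-US, run elevated on the CA.
Import-Module WebAdministration
$Site     = 'Default Web Site'
$Expected = Join-Path $env:SystemRoot 'System32\CertSrv\en-US'

$app = Get-WebApplication -Site $Site -Name 'CertSrv'
if (-not $app) { throw "No /CertSrv application under '$Site'; is the Web Enrollment role installed?" }
"IIS physical path : $($app.PhysicalPath)"
"default.asp found : $(Test-Path (Join-Path $Expected 'default.asp'))"

if ($app.PhysicalPath -ne $Expected) {
    # The parent CertSrv folder holds no default document, hence 403.14 (directory listing denied)
    Set-ItemProperty -Path "IIS:\Sites\$Site\CertSrv" -Name physicalPath -Value $Expected
    "Corrected physical path to $Expected"
}

# Re-test without a browser; the page needs Windows authentication, so send the current credentials
try {
    $code = (Invoke-WebRequest -Uri 'http://localhost/certsrv/' -UseDefaultCredentials -UseBasicParsing).StatusCode
} catch {
    $code = $_.Exception.Response.StatusCode.value__
}
"HTTP status for /certsrv/: $code"
```

A 200 here means the default document is being served; anything in the 4xx range after the path fix points at authentication or handler configuration rather than the path.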


Active Directory disaster recovery with Windows Server Backup


Earlier I wrote a post on how to back up and restore objects in Active Directory with Windows Server Backup here:  https://pertorben.wordpress.com/2013/04/15/active-directory-backup-and-restore/

There I used the command wbadmin start systemstatebackup -backuptarget:(path) to perform a system state backup on a domain controller and Directory Services Restore Mode (DSRM) to recover deleted items, as explained on Microsoft TechNet. There is one drawback to this method: you can't perform a disaster recovery of your AD from this backup, and by disaster recovery I mean that all of your servers are completely gone and you have nothing left except your backups. If you try a complete server restore with this backup, this is as far as you will get.

Disaster Recovery error

So in order to do a disaster recovery you need a backup that supports it. With wbadmin you can run

wbadmin start backup -allcritical -systemstate -vssfull -backuptarget:(path)

With this backup you can boot a blank server from the 2012 R2 install media and select Repair your computer. Choose image restore and it should detect your backup if it's available.


After the restore you have a complete server from the point in time at which the backup was taken. From here you can seize any FSMO roles you need and then start promoting more domain controllers. In a disaster recovery scenario I would rather promote new domain controllers than run a restore on every single domain controller. Before promoting, remove the old domain controllers' metadata (ntdsutil metadata cleanup) so the restored directory stops expecting replication partners that no longer exist, and make sure the backup is younger than the tombstone lifetime, because AD will not accept one that is older. Note that your NIC will most likely be reset to defaults on the restored server, so you may need to set the correct IP address again.

So the big question now is: can you use this backup procedure to restore a deleted object in AD instead of doing a complete disaster recovery? The answer is yes. You don't need two backups (one for AD objects and one for disaster recovery). All you need is the backup from this post; then follow the procedure from the post linked at the top to restore deleted objects in AD.
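The backup command from the post wrapped in a function, together with the checks and cleanup a practitioner runs on the restored DC before promoting replacements, as an added example that is not from the original post. The report part is read-only; seizing the roles and removing the dead DCs' metadata only happens with -Seize, because both are wrong if the other domain controllers are coming back. The backup target is a placeholder; run everything elevated on the DC.

```powershell
# Added example (not from the original post): DR-capable backup, then the post-restore
# checks. Nothing destructive happens unless -Seize is given. Assumptions: run elevated;
# $Target is a placeholder; with -Seize the other DCs are gone for good.

function Start-DcDrBackup {
    param([Parameter(Mandatory)][string]$Target)
    # Same switches as in the post; -quiet suppresses the confirmation prompt
    wbadmin start backup -allCritical -systemState -vssFull "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}

function Repair-RestoredDc {
    param([switch]$Seize)
    Import-Module ActiveDirectory
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # 1) A backup older than the tombstone lifetime is refused by the directory
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }  # absent = 60 days (forests from before 2003 SP1)
    "Tombstone lifetime: $tsl days; the backup must be younger than that"

    # 2) The restored directory still lists every DC from backup time; which ones answer?
    $dead = @(Get-ADDomainController -Filter * | Where-Object {
        -not (Test-Connection -ComputerName $_.HostName -Count 1 -Quiet)
    })
    "Unreachable domain controllers:"
    $dead | Select-Object Name, Site, OperationMasterRoles | Format-Table -AutoSize | Out-String

    # 3) The NIC comes back on defaults after a bare-metal restore (see the post)
    Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress, PrefixOrigin | Format-Table -AutoSize | Out-String

    if (-not $Seize) { "Re-run with -Seize to take the FSMO roles and clean up the dead DCs"; return }

    # 4) Seize all five roles onto this DC; -Force turns a transfer into a seizure
    $me = Get-ADDomainController -Identity $env:COMPUTERNAME
    Move-ADDirectoryServerOperationMasterRole -Identity $me -Force -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

    # 5) Remove the dead DCs' metadata so replication stops waiting for them and their names can be reused
    foreach ($dc in $dead) {
        ntdsutil "metadata cleanup" "remove selected server $($dc.ServerObjectDN)" quit quit
    }
}

# Usage:
#   Start-DcDrBackup -Target '\\backup01\dcbackups'   # on a schedule, before the disaster
#   Repair-RestoredDc                                  # report only, on the restored DC
#   Repair-RestoredDc -Seize                           # seize roles and clean up metadata
```

The two-step design is deliberate: the report tells you which DCs the directory still believes in and who held which role at backup time, which is what you want in front of you before the irreversible part.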

Import missing VM into Hyper-V

I want to share a little story which once again proved to me how much easier IT is when you learn a little PowerShell.

I recently had an outage on my Hyper-V server (Windows 10 server build 9841 btw) which holds my lab environment at home. The server lost connection with an SSD drive (E:\) containing almost 15 VMs, but this was luckily fixed by reattaching the SATA cable to the drive.

However, when the server booted and my E:\ drive had returned, all the VMs on the drive were missing, both in the Hyper-V management console and in PowerShell when I ran “Get-VM”. The files and VHDs were intact, so it was only a matter of importing them into Hyper-V.

So here I had two choices:

  1. Import the VMs one by one in a 5-click wizard
  2. Import the VMs with Powershell

After fiddling around with sending the configuration files for each VM into a foreach loop, and still not making it work, I tried something simpler. All I needed was a one-liner that listed the config files and piped them into the Import-VM cmdlet. The following line imported all the VMs on my E: drive into Hyper-V and I could start the VMs without changing any configuration.

Get-ChildItem E:\Hyper-V -Recurse *.vmcx | Import-VM

Once again Powershell proves to be an amazing tool.
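The same import with the checks the one-liner skips, added here as an example and not part of the original post: Compare-VM reports what would block an import (a VHD that is not where the config says, a missing virtual switch) before anything is registered, and VMs the host already knows are left alone rather than imported twice. It assumes the E:\Hyper-V root from the post and the .vmcx configuration format of Windows 10 / Server 2016 hosts (older hosts use .xml).

```powershell
# Added example (not from the original post): Import-VM with pre-checks.
# Assumptions: config root E:\Hyper-V as in the post; *.vmcx config files (use *.xml on
# hosts older than Windows 10 / Server 2016).
$Root  = 'E:\Hyper-V'
$known = @(Get-VM | ForEach-Object { $_.Id.ToString() })   # GUIDs already registered

$configs = @(Get-ChildItem -Path $Root -Recurse -Filter *.vmcx)
"Found $($configs.Count) configuration file(s) under $Root"

foreach ($cfg in $configs) {
    # The file name of a .vmcx is the VM's GUID
    $id = [System.IO.Path]::GetFileNameWithoutExtension($cfg.Name)
    if ($known -contains $id) {
        "$($cfg.Name): already registered, skipping"
        continue
    }

    # Dry run: the compatibility report lists everything that would make Import-VM fail
    $report = Compare-VM -Path $cfg.FullName
    if ($report.Incompatibilities) {
        "$($report.VM.Name): NOT imported, fix these first:"
        $report.Incompatibilities | Select-Object MessageId, Message | Format-Table -AutoSize | Out-String
        continue
    }

    # Register in place (no -Copy), so the VM keeps using its files where they are
    $vm = Import-VM -Path $cfg.FullName
    "{0}: imported, state {1}, generation {2}" -f $vm.Name, $vm.State, $vm.Generation
}
```

When a disk comes back under a different drive letter the incompatibility report is where you see it, and Compare-VM's report object can be adjusted and passed to Import-VM -CompatibilityReport instead of editing the configuration by hand.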

Preparing for Windows 9 with dualboot

As most of you know, Microsoft will announce Windows 9 on September 30th 2014, which is in 2 weeks as I write this. Now I am very excited about this product and, considering there hasn't been any information about the new features yet, I predict a lot of testing when the technical preview (really Microsoft, just call it a beta) is released to the public.

So how do we test this new operating system?

The initial thought is to use a hypervisor, like Hyper-V, and create VMs with Win9 on them, but in my opinion that really isn't a very good way to try a client OS. Therefore I wanted to share my approach, which is to initially install Windows 9 on a VHDX file and set it up in a dual-boot configuration with the Windows 8.1 system I'm currently using. Unless I find something that tells me otherwise, Windows 9 will shortly be my main OS. There are 2 big advantages to running this in a VHDX with dual boot instead of in a VM:

  1. You get a much truer test of how the OS will run on your hardware, since it actually reaches your physical hardware with the exception of the hard drive, which is virtual. I find this particularly important when testing a client OS.
  2. For all intents and purposes it replaces your current installation, but it is still very easy to fall back should something go wrong, or if you just have to get some files that you haven't backed up or put in the cloud.

So now that I have convinced you all why this is a good idea, I will show you how to do it. In the procedure below I'm using Windows 8.1 to stand in for the Windows 9 ISO, since it's not available until 2 weeks from now.

There are 3 stages for getting a VHDX file in dual boot with your existing 8.1 installation:

  1. Create a VHDX file
  2. Apply the new Windows image to the VHDX file
  3. Set up the boot configuration


Create the VHDX file.

Here I create a dynamically expanding 40GB VHDX file in the folder C:\boot on my C:\ drive. Note that a dynamically expanding VHD is inflated to its full size every time you boot from it, so the C: drive needs 40GB of free space on top of the file itself; a fixed-size VHD (type=fixed) avoids that surprise at the cost of taking the space up front.

Create the folder to store the VHDX file, C:\boot in this example.

Open an elevated command prompt, start diskpart and type the following:

create vdisk file=c:\boot\win9.vhdx type=expandable maximum=40960
attach vdisk
list disk

Verify that the VHD is selected, marked by the star on the left.

create partition primary
format fs=ntfs quick

Now the VHDX file has a formatted partition, in this case mounted as E: (if diskpart did not assign a drive letter, run assign letter=e).


Apply the new Windows image to the VHDX file

Now that the VHDX file is ready, mount your newly downloaded Windows 9 ISO, in this case mounted as D:

First you have to pick the SKU you want from the ISO. Note the name and index number from this command (again, Windows 8.1 is used in this example):

dism /Get-ImageInfo /ImageFile:d:\sources\install.wim


Now I see I can install either Windows 8.1 or Windows 8.1 Pro. Since I want 8.1 Pro, I apply index 1 to my VHDX:

dism /Apply-Image /ImageFile:d:\sources\install.wim /Index:1 /ApplyDir:e:\

Wait for the operation to complete.


Set up the boot configuration

The VHDX file is ready but not yet set up as a boot option on your computer, so we keep working in the elevated command prompt (exit diskpart first).
Add the VHDX to the boot menu:

bcdboot e:\windows

To check your boot configuration:

bcdedit /enum

The boot configuration

Notice that the description is the same for both entries, which makes it confusing, but the device tells us which one is the VHDX file. Also note that bcdboot made the VHDX file the default boot option.

If you want your current installation as the default boot option, simply run:

bcdedit /default {current}

And last I want to change the description to tell them apart, which hopefully won't be necessary with the genuine Windows 9 ISO. The GUID is the identifier of the VHDX entry from the bcdedit /enum output; yours will differ:

bcdedit /set {b42c4225-3dc5-11e4-94b6-c190548f218f} description "Windows 9"

After you run bcdedit /enum again you should see something like this


Finally we are ready to test this: simply reboot your computer and you should see the new and improved boot menu in Windows 8.1.

The boot menu

Make sure you check out “Change defaults or choose other options”, lots of neat stuff there.

Final words: yes, I am perfectly aware of all the tools that can do this for you, but you won't improve your skills in diskpart, dism or bcdedit by using those tools. The best way to improve at something is to work with it.
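For the second and every later preview build, the three stages strung together as one script, added here as an example that is not from the original post. It drives the same tools (diskpart, dism, bcdboot, bcdedit) and avoids the GUID lookup by renaming the entry while bcdboot still has it as {default}, then hands the default back to the current installation as the post does. The VHD path and size, the drive letter V:, the ISO on D: and image index 1 are placeholders; confirm the index against the /Get-ImageInfo output before trusting it. Run it from an elevated PowerShell on the 8.1 host with the ISO mounted.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): create the VHDX, apply the image and add
# the boot entry in one go. Placeholders: VHD path/size, drive letter V:, ISO on D:,
# image index 1. Needs an elevated PowerShell on the existing 8.1 installation.
$VhdPath  = 'C:\boot\win9.vhdx'
$SizeMB   = 40960
$Letter   = 'V'
$WimPath  = 'D:\sources\install.wim'
$Index    = 1
$BootDesc = 'Windows 9'

New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null
if (Test-Path $VhdPath) { throw "$VhdPath already exists" }

# Stage 1: create, attach, partition and format the VHDX. A dynamically expanding VHD
# is inflated to its full size at boot, so C: needs $SizeMB MB free on top of the file.
$dpScript = @"
create vdisk file=$VhdPath type=expandable maximum=$SizeMB
attach vdisk
create partition primary
format fs=ntfs quick label="$BootDesc"
assign letter=$Letter
"@
$tmp = [System.IO.Path]::GetTempFileName()
Set-Content -Path $tmp -Value $dpScript -Encoding ASCII
diskpart /s $tmp | Out-Host
Remove-Item $tmp
if (-not (Test-Path "${Letter}:\")) { throw "VHD was not mounted as ${Letter}:" }

# Stage 2: list the SKUs (to check $Index), then apply the chosen one
dism /Get-ImageInfo /ImageFile:$WimPath | Out-Host
dism /Apply-Image /ImageFile:$WimPath /Index:$Index /ApplyDir:${Letter}:\
if ($LASTEXITCODE -ne 0) { throw "dism failed with exit code $LASTEXITCODE" }

# Stage 3: boot entry. bcdboot adds the VHD as the new {default}; rename that entry
# while it is still {default}, then make the current installation the default again.
# The braces must be quoted, otherwise PowerShell parses them as a script block.
bcdboot "${Letter}:\Windows"
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
bcdedit /set '{default}' description $BootDesc
bcdedit /default '{current}'
bcdedit /enum | Out-Host
```

The only ordering that matters is in stage 3: the description is set before the default is changed, because once {current} is the default again the VHD entry can only be addressed by its GUID.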