Prevent connection of unauthorized USB-devices?

Is there a way to prevent connection of unauthorized USB-devices? We have Win 7 Pro clients today but will probably upgrade to 8.1 Pro soon. We are running a Windows Server 2008 R2 server environment.

I want to:
1. Configure which USB-devices are allowed
2. Prevent connectivity of unauthorized USB-devices
3. Prevent file copy to and from devices other than authorized encrypted USB thumb drives
4. Only allow charge function when connecting a smartphone



To get this you should have an encryption system in your environment connected across all your systems, and it takes a longer time than you really think.

The easy way to prevent non-allowed USB is to disable the USB port itself from the Device Manager, and you need to input your credentials there as an administrator to enable them again.

There are several vendors providing software like what you are looking for, but in my experience it's very complicated to manage and not user-friendly.



Thank you. If I disable the USB-ports in BIOS can I enable connectivity on certain devices? We must be able to connect keyboard, mouse and authorized USB thumb drives.



For the requirements you have, disabling the ports is not a solution.

Then you need special software to accomplish this.

Be aware that your users can bring an identical Thumbdrive (same brand, model and make) and this one will work too then. This kind of USB restriction software will usually look at device Vendor and ID and they are the same for the same product.



Ok. Is it possible to physically lock connected USB-devices like keyboard, mouse etc.?
If it is possible to disable the opportunity to save files from external devices and copy files to external devices via OS security that might be a better solution.



Locking ports can be done with this little thingy:
http://www.kensington.com/us/us/4483/k67720us/usb-port-lock-with-square-cable-guard#.VUiV1dS1Gko

Strange boot issue - Windows 7 - If I remove 2nd harddrive, Windows won't boot

I have a 2nd harddrive that is starting to fail (data storage only drive), and when I replaced it with a new 1TB drive, I got an error message and Windows 7 wouldn't boot until I put the 2nd drive in again.

Both the old and new secondary drives are completely empty (however in Disk Manager I can see the old secondary drive is missing 1 mb, so there must be some boot files there).

I have used Paragon Disk Manager before, but completely uninstalled it. But there must be some lingering boot files/data on the secondary harddrive (even though appears to be completely empty).

I have checked bcdedit and msconfig and Advanced System Settings --> Startup and Recovery --> Settings and looks like everything is booting from the C: drive.

How can I fix this and put back all boot related files only to the C: drive?

Thank you,
HappyT



Have you tried running fixmbr from the recovery console?



Your issue is that the drive you removed altered the reference to your drive and possibly a reference is missing.
Did you clone the new drive from the old drive? Often drives come with vendor CD to migrate the data from the old onto the new.
An option when the system is booting is to try to opt for the boot option (escape, F12, etc)
When prompted hopefully you can differentiate between the OS drive and the data drive I.e. One is 320GB and the other is 1TB and within the boot menu, you can differentiate, I.e, one if both are from the same manufacturer it might be ..... Differentiated, pick the one with the OS and see if you can boot from it.

Did you alter the cabling? I.e. switching the drives' positions?

You need to reconstruct the boot record using bootrec/bcdedit.

When you boot with the second drive in place look at diskmgmt.msc to see how is the second drive listed, does it have any system, boot, page file reference?



Is Windows set to show hidden files and folders?
Probably you have the system partition (100-200 Mb) on the second drive.
If you copy that partition to the other drive with a partition manager, it should boot again.



With the paragon disk manager make sure your OS disk is set to "Active". Currently your other disk probably is the active disk. Things like that happen if you install an OS with both disks there. I always recommend to remove all unneeded disks before installing an OS.



To fix it, first create a system repair disk: http://windows.microsoft.com/en-us/windows7/create-a-system-repair-disc

Then disconnect the 2nd drive, and boot to the repair disk, and do a Startup Repair: http://windows.microsoft.com/en-us/windows/what-are-system-recovery-options#what-are-system-recovery-options=windows-7

With only the main system drive connected, Startup Repair should reconfigure BCD and place any needed boot files onto the main drive.

Power User vs Administrators

Greetings,
I just took over a windows-based enterprise (server and win7) and I just found out that some of my "power users" were given full rights as Domain Administrators to perform help desk type operations (ie. lockouts, password resets, software upgrades).

Is there any way I can give these people access to perform these tasks without giving them full domain privileges with access to Active Directory?

Thanks



My VM crashed over the weekend so no screenshots. :'( However, I was able to find a site that should help explain how to do this: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Implementing-Active-Directory-Delegation-Administration.html



Yes, you can use the delegation control wizard or modify ACLs for items like account lockouts/resets.

http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

There is also the account operator group.

Are these manual software updates? Do they need to only update software on PCs? You can create a group to have admin rights just on workstations.

Very good idea to take them out of domain admins....good thinking and good work

Thanks

Mike



Thank you so much...
The only question I have, that I didn't see: can you do that for specific user groups? Or is this an everybody/nobody situation?



Yes, you can grant access based on a group.



If you provide the server version I can get you directions.



Thank you so much.

Windows server 2008 with AD, exchange 2010,
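
The delegation described in the answers above can also be applied from the command line with dsacls instead of the wizard, granting the rights to a group as asked in the follow-up. This is an added example, not part of the original thread; the domain example.local, the OU "Staff", the global group "Helpdesk" and the account "jsmith" are assumed names.

```bat
@echo off
rem Added example (not from the thread). Assumed names: domain
rem example.local, OU "Staff", global group "Helpdesk", account "jsmith".
rem Run from an elevated prompt on a host with the AD DS tools, as an
rem account that is allowed to change the ACL of the OU.
setlocal
set "OU=OU=Staff,DC=example,DC=local"
set "GRP=EXAMPLE\Helpdesk"

rem 1. Password resets: the "Reset Password" control access right on user
rem    objects below the OU (/I:S = inherit to sub-objects only).
dsacls "%OU%" /I:S /G "%GRP%:CA;Reset Password;user"

rem 2. "User must change password at next logon" is a write to pwdLastSet.
dsacls "%OU%" /I:S /G "%GRP%:RPWP;pwdLastSet;user"

rem 3. Unlocking a locked-out account is a write to lockoutTime.
dsacls "%OU%" /I:S /G "%GRP%:RPWP;lockoutTime;user"

rem 4. Review the entries the group now holds on the OU.
dsacls "%OU%" | findstr /i "Helpdesk"

rem 5. Put the help-desk staff into the delegated group first, then take
rem    them out of Domain Admins.
net group "Helpdesk" jsmith /add /domain
net group "Domain Admins" jsmith /delete /domain

endlocal
```

The rights apply only to user objects under the chosen OU, so administrative accounts kept in a different OU stay out of the help desk's reach.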

What is Windows application 'Route.exe' and give example

We googled 'route.exe' and found that it is used to block IP connections to the system, but can't seem to fully understand the purpose of this utility or how it applies to us. Can an EE give us an easy-to-understand explanation of this tool and some real live examples of what it is used for? (we use Windows 7 & 8)



ROUTE.EXE is for managing the network routing table on your computer (which assigns a gateway for the requested IP), either static or dynamic.
Setting a static (fixed) route of an IP to an invalid interface can be used to block some IPs.
Here is the output of its help



Yes, prior to placing the question we ran "route -?" and then proceeded to google about it; there's a lot of tech info.

Please excuse our ignorance on the topic, we are trying to understand it and find a use for it here.

That said, why would we want to manage the network routing table on our computer?

We read up on 'network routing table' and found technical info (from wiki, microsoft, etc.):

A routing table is a set of rules, often viewed in table format, that is used to determine where data packets traveling over an Internet Protocol (IP) network will be directed.

In computer networking a routing table, or routing information base (RIB), is a data table stored in a router or a networked computer that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with those routes.

During the routing process, the routing decisions of hosts and routers are aided by a database of routes known as the routing table. The routing table is not exclusive to a router. Depending on the routable protocol, hosts may also have a routing table that may be used to decide the best router for the packet to be forwarded. IP hosts have a routing table. IPX hosts do not have a routing table.


... this brings us back to What is route.exe? why use it? Can we see real-live example of its use?

Appreciate EE's patience with us.



Never mind, I'm here to help as far as I can.
The real benefit of ROUTE comes only when you have multiple NICs or network cards (ROUTE calls them interfaces).
In this case, by default each IP you request will be matched against the interface IP and mask; if the required IP belongs to that network, it will be submitted to that interface. But when you assign a static route (for a single IP or multiple IPs using a mask), it will respect this entry and forward to the interface you set.

Another implementation is when using a VPN: the VPN client creates a virtual interface so that all the VPN LAN requests will be routed to the VPN interface, and you can see that on the routing -print command.



Ok, trying to understand real live situations for route.exe; when you say multiple NIC, you mean a PC with 2 internet connections (one using AT&T, the other Verizon)? If so, route.exe must be used to tell the NICs their respective IP from the ISP?

(are we understanding correctly?)



Exactly
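
A worked case of the multi-NIC scenario described above, as an added example that is not part of the original thread: the PC has a second network card on a lab network, and one static route sends traffic for a remote subnet through that card's router. All addresses are constructed values.

```bat
@echo off
rem Added example (not from the thread). Constructed values:
rem   NIC 1: 192.168.1.10, default gateway 192.168.1.1
rem   NIC 2: 10.20.0.10, lab router 10.20.0.1, no default gateway
rem   10.30.0.0 mask 255.255.0.0 is a remote subnet behind 10.20.0.1
rem Run from an elevated command prompt.

rem 1. Show the IPv4 table. The "Interface List" at the top names each
rem    NIC; the row with destination 0.0.0.0 is the default route.
route print -4

rem 2. Without a specific entry, 10.30.x.x matches only the default route
rem    and leaves through NIC 1. Add a more specific route through the
rem    lab router, which is reachable on NIC 2.
route add 10.30.0.0 mask 255.255.0.0 10.20.0.1 metric 5

rem 3. Confirm the new entry, then check the first hops a packet takes.
route print 10.30*
tracert -d -h 3 10.30.0.1

rem 4. A route added this way is gone after a reboot. Remove it now and
rem    add it again with -p, which lists it under "Persistent Routes"
rem    and restores it at every start.
route delete 10.30.0.0
route -p add 10.30.0.0 mask 255.255.0.0 10.20.0.1 metric 5
```

The same `route print` output is where the routes created by a VPN client show up, which makes it a quick check of which traffic is actually sent into the tunnel.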

How to delete a Windows XP user account that is the administrator account

Dear Experts,
I want to transfer a laptop to another person without doing a system re-install of the operating system.

I have deleted all the software.

As a security measure I would like to delete my own Windows XP user account and then create a new one of the new owner.

The trick is that my own user account is the administrator Windows XP account. Can I delete it?

Is there a piece of free software I can install to "sanitize" my laptop before handing it over?
Best Wishes,
Phil



You cannot delete the Windows XP administrator account without damage, and it should never have been used in the first instance. Also the new owner will want "administrator" to be there.

Start in your admin account and delete documents, email, favourites, cookies, temp files and anything else you can think of. Change the password to the admin account (you will give this to the new owner).

Set up a new userid for the owner as well.

Then defrag the hard drive to mostly write over top of what you deleted.

Truly, it is better to format and reinstall windows.



Not only is it far better to format and reinstall windows, it's actually pretty simple with XP.

In addition, if you just rename the user account, the folder on disk will still have the old name.
e.g. if the user name is "Jim", then under Documents and Settings there will be a Jim folder. If you change the name of the account to "Bob", then "Bob" will show as the logged on user, etc. -- but the folder under Documents and Settings will still be "Jim". Not a big deal as long as you've cleaned it all up ... but it's much better to simply wipe the system and reinstall XP.



on most laptops you can do a factory reset from the factory restore partition
what model is this laptop?
then all data is erased



Dear Garycase,
Can I re-install Windows XP without the install disk?

So far I have created a new admin account and deleted the old one. I chose the option to delete the files. Do I need to do any more than that? I have also done a defrag. I would love to reinstall Windows but do not have a disk.
Best Wishes,
Phil



Philip - do you have a restore partition? if yes, you can!

please tell me how to have 'my computer'

another language: Swedish windows7
I can not find 'my computer' icon on desktop

I can not find 'my computer' link on start menu



I have no experience with Swedish W7, but you should be able to click Start, then right-click on Computer, and then click Show on Desktop (whatever that is in the Swedish language). Regards, Joe



Sorry, I don't know Swedish.
But if you right click on the desktop and select personalize, then you should have "change desktop icons" on the left side of the window. Click that and select "computer" under "desktop icons" section. ok, ok,... That should give you Computer icon on your desktop.
Anyway I prefer using right click on start button and select "open windows explorer".



i now see 'my computer' on desktop



Glad to hear it!



need to create sub-zone within current zone/domain

i have a domain named domain.local, and i want to be able to type a URL consisting of "HostName.idrac.domain.local" to intuitively go to the idrac of a physical server. just the way i'd like to do it. i want the zone to exist within our current domain in DNS - domain.local. i can create a zone alongside the domain under forward lookup zones, but i'd like to create a "sub-zone" without our domain.local and populate the records there.

what would be the syntax to do it via command line? i don't see a way to do it with the DNS wizards. thanks.



DNS does not have such a thing as sub-zones. While there are certainly sub-domains, the zone concept is discrete.

Why not just create A records in your existing zone? A new zone seems like overkill.



To second and augment what Cliff has said,
*.domain.local A (record type "A") will forward all requests to the IP address that services children of domain.local (also known as "wildcard" ).
Then all is up to the server servicing *.domain.local to work with child subdomains.
If you create NS (nameserver) record for domain.local, you can have "A" record(s) for the children of "domain.local" for as long as you also have a DNS service serving "domain.local".
How to delegate a sub-domain to other DNS servers



Hi,

For your request you just need to create a new (A) record hostname.idrac, then assign the IP of the host, and it will work directly.

Creating a specific sub-domain is only for when you want to separate the administration or assign delegation.

Bahloul.



all comments were correct in their own context. my words could have been better crafted, creating a new zone/domain was not really the intent, and should not be done unless specific administration is required or another domain is needed. the "folder" showing under the domain was my intention and this answer best fit my intent. thanks for all the responses tho.
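
The question asked for command-line syntax. With dnscmd, the A records suggested in the answers can be added as below; a record name that contains a dot (srv01.idrac) is what produces the "idrac" folder under the existing zone, without creating a new zone. This is an added example, not part of the original thread: the DNS server name dc01 and the host names and addresses are constructed, only the zone name domain.local comes from the question.

```bat
@echo off
rem Added example (not from the thread). Constructed values: DNS server
rem dc01, iDRAC host names and addresses. The zone domain.local is the
rem one named in the question. Run as a DNS administrator.
setlocal
set "DNSSERVER=dc01"
set "ZONE=domain.local"

rem One "host address" pair per iDRAC. The record name is relative to
rem the zone, so srv01.idrac becomes srv01.idrac.domain.local.
for %%R in (
    "srv01 10.0.50.11"
    "srv02 10.0.50.12"
    "srv03 10.0.50.13"
) do (
    for /f "tokens=1,2" %%H in ("%%~R") do (
        dnscmd %DNSSERVER% /RecordAdd %ZONE% %%H.idrac A %%I
    )
)

rem List the A records that now sit below the idrac node of the zone.
dnscmd %DNSSERVER% /EnumRecords %ZONE% idrac /Type A

rem Resolve one of the new names against the same server.
nslookup srv01.idrac.%ZONE% %DNSSERVER%

endlocal
```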



Outlook 2010 pop-up

Why does this pop-up (see attached) when I check my email and is there a way that I can stop it from happening? Thank you -



Remove "Social" add-ins from Outlook . File, Options, Manage Add-ins.



I think you have installed Infusionsoft Sync for Outlook on your pc or laptop.
Check article : http://ug.infusionsoft.com/category/187/8/8/Apps/Infusionsoft-Sync-for-Outlook/



Also look Outlook, View, People Pane and turn off social connectors here. You may need both settings



See attached - is this what you are talking about removing?



Yes. Remove that add-in. (I keep Outlook Add-ins to a minimum for maximum performance).

Windows 8.1 a learning curve?

Going with 8.1 Pro new laptops. Upgrading existing users with a new OS.
Wondering from other experiences how much is it a learning curve for the users. Is there a classic Windows 7-alike interface? Wondering how much will I have to sit down with users and go over new features, etc.

Thanks.



Assuming you wish to work in the desktop, you can start in the desktop assuming you have Windows 8.1. This is how I do it (2 years experience with Windows 8).

See my article on Ways to Improve Windows 8 as you may find it makes the learning curve shorter.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/A_16620-Ways-to-improve-Windows-8.html



I found that the main thing they have an issue with is the start button (or lack thereof). Teach them that they can hit start and then start typing the name of the program they want and things seem to go a lot better.



My article shows a complete Programs Start facility on the right side taskbar. Everything is there.



...classic Windows 7-alike interface


Here's a 3rd party interface: http://www.classicshell.net/



You may want to consider the excellent (and free!) Classic Shell: http://www.classicshell.net/

I not only don't like the W8 interface, I don't like the W7/Vista interface, so I've been using Classic Shell to give me the good old W2K (truly Classic!) interface on all of my Vista, W7, and W8 computers. Of course, if you prefer, you may configure Classic Shell to give you the XP or Vista/W7 interface on W8.

Here's a 5-minute EE video Micro Tutorial that explains how to download, install, and configure Classic Shell — all of which happens in the 5-minute video, although you may want to spend another 10-15 minutes configuring its large number of options: http://www.experts-exchange.com/VP_211.html

Regards, Joe

Unable to remove language bar in windows 8.1 from taskbar,

In our clients (Windows 8.1) I am unable to remove the language bar; I tried in Control Panel, language settings and switching input methods.

The problem is that I am seeing two languages in the language bar, one is English and the other one is Arabic, but in the "Change your languages" screen

the Arabic language is not visible. So how do I completely remove the Arabic language from my language bar?



Try to check in Control Panel --> Region and Language (dialog) --> Keyboards and Languages (tab) --> Change keyboards... (button). You might be able to find Arabic language (& keyboard) there and then remove it if you want.

Hope it helps.



in windows 8 controlpanel region and languages are different icons, I think you are talking about windows 7 or xp I guess. even though keyboards and languages tab I didn't see anywhere in windows 8, could you be more specific.



Right click in bottom left Corner of Screen and open the Control Panel
Then choose Language and remove any unwanted Languages.

Choose Advanced Settings (top left)
Click on Change Language Bar Hot Keys
Click the Language Bar Tab
Choose Hidden and uncheck anything else that need it.
Then OK


Also described here ....
http://www.eightforums.com/tutorials/5904-language-bar-turn-off-windows-8-a.html



@nivasnet: Sorry my bad. Didn't notice about 8.1 in the question title. It seems Eriman gave the proper solution.



nivasnet,

I've reopened this question since your award of a C grade does not seem appropriate. You should only award a C grade when an answer is incomplete or vague, and you've asked for (but not received) additional assistance. Since you failed to respond to Expert comments, it would be impossible for the Experts to provide that additional assistance.

I've awarded an A grade to the Expert comment from Eirman. If you feel that is in error, please post a Request for Attention and explain your reasoning.

SouthMod
Community Support Moderator

RDS 2012 connect users to session host servers via connection broker

Hello,

I was led to believe that in Windows 2012 RDS, in order for clients to connect to the session host "farm" we should be pointing our RDP clients directly to the connection broker server, and they will be dropped on to one of the session host servers

If we do that however, the connections seem to go directly to the desktop of the connection broker server and not to one of the session host servers. Is there anything we need to do to enable this?



Unfortunately you were (slightly) misinformed. First, a terminology correction (because it matters in understanding how things work.)

First, farms should be no more. In most deployments, you'll be creating collections, not farms. This matters from an actual implementation standpoint in that you can have multiple unique collections and they have names that the connection broker knows about.

Now, if you want to connect to a collection and have the RDCB load balance, it *is* true that you connect to the RDCB first, unlike 2008 era when you'd connect to a member and it'd redirect to the RDCB. But since there can be multiple collections, the RDCB can only redirect you to a collection member if it knows which collection you want to connect to. If you simply open the RDC and type in the RDCB, that is the server you'll connect to (even if it is collocated with an RDSH server) and it will not even attempt to load balance or redirect... since it doesn't know where you want to go.

And therein lies the real rub. With RemoteFX exposing a ton of new port and device redirection settings, and with advances in the RDGateway, the options for pooled VDI or assigned VDI, plus a myriad of other things, the RDC GUI is downright antiquated. It would be immensely crowded to cram yet more settings in the GUI. Since generally RDSH is deployed and intended for end users, Microsoft's thought (whether you or I agree or not) was that asking end users to remember the name of their RDGateway, RDCB, collection, and app (in the case of remoteapps) was increasingly asking end users to do something complex that is inherently simple. So the GUI for RDC simply was never redesigned and therefore doesn't expose the setting that includes the collection name.

Microsoft's approach is instead that end users can use RDWeb. They only have to remember one thing; the URL. The .rdp files generated by the RDWeb role include proper collection name with each link, so the RDCB will properly load balance when connected to in this way. Users can also "subscribe" to a feed generated by RDWeb so these .rdp files are included in their start menu. And in 8.1, users can subscribe just by using their email address so they don't even need to remember a URL. That is available either through the new modern RDP app or through the traditional desktop control panel, so you don't *have* to use the modern app at all. And finally, for managed devices (domain joined) you can use group policy to subscribe users to feeds so they don't have to do anything to have apps and desktop collections appear in their start menu. And again, all these .rdp files include the collection name so RDCB can redirect.

So yes, you do connect to the RDCB in 2012 to connect to a collection. But if you are using RDC, you will get the default behavior of connecting to the RDCB itself. RDC is relegated primarily to admin duties now and is not considered the end user solution anymore.



Hi Cliff,

Many thanks for the very detailed answer this has helped a lot! I have done some work with 2008 RDS but am new to 2012 RDS

So the long and short of it is to use RDWeb for all users both internal and external?

We have the following setup

2 x RDGateway servers with RDWeb installed (in a DMZ)
3 x Session Host servers
1 x Connection Broker

We have a CA signed certificate installed (wildcard) and internally everything works by pointing the internal users to RDWeb (we are using split brain DNS).

We have a problem connecting externally, however I expect that may be a firewall issue. The RDWeb page comes up but the remote apps don't connect and just time out.



Using RDWeb is indeed a simple solution to your problem. It is now considered a core component for an RDS deployment and the scenario based wizard deploys it by default. Now you know why. :) Your problem could be firewall related or related to the specifics of the rdgateway setup. A few moving parts to investigate there...



Thanks again Cliff. I'm going to award you the points. I'll open up other questions in a new thread. Big believer in not polluting a question with multiple offshoot questions!



Random number generator in Windows 2008 R2 & Win 2012

We plan to put into 1500 VMs' OS scheduler to run daily to make them "activate" back their
agent (could be a backup or Deep Security agent) back to the central server. Due to unknown
reasons (could be timeout or agent failed to comms back to the server), the software vendor
can't provide a permanent fix or a 'clever' agent that could self-correct itself to re-establish
connection back to the central server (so that central server could manage them)

However, with so many VMs activating back (making Tcp connections) to the central server,
the central server may not be able to take it (ie # Tcp connections max'ed out).

For Linux, I could make the script sleep a random amt of time before activating but for
Windows, is there a random number generator? I plan to put at the beginning of the
Windows batch script "ping localhost -n Random_#" (ie equiv of Linux "sleep Random_amt_time").



Have a look at my scripts at http://scripts.dragpn-it.co.uk too for some other sleep scripts



On phone at moo but you can use %random% and use set /a to divide it smaller if needed. You can also use ping using -w param to wait that many milliseconds.

Steve



You can configure the scheduled task as well to delay the task for a random amount of time (up to an hour).
When you edit the schedule trigger, you'll find it in Advanced Settings, "Delay task for up to ...".
Task Scheduler > Triggers
https://technet.microsoft.com/en-us/library/cc748841.aspx

If you want to go with the script, you can use the W2k3's ResKit's "sleep.exe" to actually sleep. No need to install it anywhere if you have 7zip or something similar; just unzip the downloaded .exe, then unzip sleep.exe from the rktools.msi, and drop it into the script folder or someplace in the path.
Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/en-us/download/details.aspx?id=17657

Finally, note that %random% returns a value between 0 and 32767.
The modulo operator in batch is "%", and if you want to use it in a batch file you need two of those:



Another easy "randomiser" can be to pick the last octet of the IP address say, this one uses the IP related to the default gateway which should be the user's IP address:
echo off
for /f "tokens=4 delims= " %%a in ('route print ^| find "0.0.0.0"') do for /f "tokens=1-4 delims=." %%h in ("%%a") do set host=%%k

echo %host%
pause

or

set /a num=%random% / 512

Steve



I could not get the /a right :
set aa=%random%/10
echo %aa%
9433/10


With oBDA's example, it gave missing operand:
set /a RandomMinutes = %Random% %% 60
Missing operand

Recover deleted files from a HDD


Hello Experts,

Does anyone know of a service who can retrieve deleted files from a hard drive. I am looking for a company who specialize in this.

Thanks!






Install GetDataBack https://www.runtime.org/data-recovery-software.htm on your computer.

Attach the hard drive as a slave (through a USB caddy would be ideal) and see if GetDataBack can read the disk and identify the deleted files.

If it can then pay the full price for full functionality and recover your files.



It is usually best you search for one (you can use google for that) which is closest to where you live. That way mail costs will usually be lower, or you can even bring the disk to them. Also first make sure that they give you an estimate for the costs. Some also won't charge you unless they actually recover data.

The best I know is Gillware, but it could be too far away....

https://gillware.com/



If the data has been overwritten then no service will help you. You will just lose your money for nothing. As suggested above install GetDataBack and scan for deleted data.
Note, if data was deleted on system drive then do not start even Windows from it. Connect it as second HDD to another PC and install GetDataBack onto that PC. Then scan your slaved drive and see what GDB finds.



Use photorec



The #1 rule of data recovery is STOP !!

Do NOTHING to the drive you need to recover data from. As noxcho noted above, do NOT boot to the drive; do not do ANYTHING that may write to the drive; etc.

If you want to use a professional recovery company, Gillware (link above) is an excellent choice. If you have ANY reservations about doing it yourself, just send the drive off to them. They have a "no recovery, no fee" policy -- but plan to pay, as they're VERY good :-)

If you want to try it yourself, GetDataBack is indeed an excellent choice. Install it on another PC; attach the drive you need to recover files from to a spare SATA port on that PC; and let it scan the drive. You'll need spare space on that computer (NOT on the drive you're working with) to store any recovered data ... and you'll have to buy a license to actually recover the files (GetDataBack will show you what it CAN recover for free; but will only actually recover those files with a paid license).

Cryptowall and Windows Server Backup


We have seen a number of CryptoWall infections over the last couple of months. In one case, we had to pay the ransom. My question relates to the potential encryption of backups. We have a number of clients running Windows Server Backup on Server 2008 or 2012. We back up to an external drive on the server. Does CryptoWall affect the Windows Server backup file when the server has been infected? I know that the latest variation deletes Shadow Copies, but cannot find a reference to the Windows Backup file. Most of our clients use ShadowProtect and we send their backups offsite. I feel pretty safe with those clients. However, some clients use the built-in Windows Server backup and do not send offsite.






Currently backups aren't affected yet. But that doesn't mean that a coming version of the virus will not be able to encrypt backups as well. The best course of action would be to make sure the backup media is only connected during the backup, and when it is finished, turned off. A further precaution is to rotate between different backup media so that should one media get corrupted, you still have an older version on another media available.



Another thing I forgot to mention, servers themselves shouldn't get infected (unless you are talking terminal servers), as people would need to be directly working on the server itself to get the virus installed on it. So only the users' workstation would be running the virus. As the normal PCs shouldn't have access to the backup files, they can't easily get changed by any malware.







Adprep detected that the logon user is not a member of the following groups


when I run adprep on my 2003 DC I get "Adprep detected that the logon user is not a member of the following groups ent admin, schema admin. ADPREP has stopped without making any changes" I added those groups to the domain admin action I'm using. no effect. HELP!






Can you try creating a new user account which is a member of those groups and run ADPREP while logged on as that user?



I added those groups to the domain admin action I'm using.

did you log out and log in again after you changed the group membership?



I actually rebooted a couple times, but the third time is a charm.





Windows 8.1 - Icon for PowerShell


Hello,

In Windows 8.1 how can I place an icon for PowerShell on my desktop?

Thanks,
Steve



Sorry...missed that you're on W8...those are W7 instructions. I use Classic Shell in my W8 systems, so I'm not very familiar with the Metro interface, but these steps should work in W8:
Hover in the upper right to get the Search icon

Type power in the Apps box and you'll see Windows PowerShell on the left

Right-click it

You'll see Open file location on the bottom

Click it

You'll now see a folder on the desktop with the PowerShell shortcut in it

Right-click it and select Copy

Right-click anywhere on your desktop and select Paste

That should do it. Regards, Joe

Update: If you want it pinned to Start or the Taskbar, select that instead of Open file location in the 4th step.



Right click the icon -> Send to -> Desktop (create shortcut)



Create a shortcut with following path (Which is default for PowerShell)..



Hi Steve,

Here's the procedure:
Start menu
All Programs
Accessories
Windows Power Shell (the group)
Windows Power Shell or Windows Power Shell (x86) (whichever one you want on the desktop)
Right-click
Copy
Click anywhere on your desktop and hit Ctrl-V (Paste)

That should do it. Regards, Joe



Hi Joe,
I'm in 8.1. Totally blanking out here, when I go to the start menu (the screen with all those big icons for programs) I don't see ALL PROGRAMS. When I right click on the Windows icon, I don't see ALL PROGRAMS. I know I should know better, but drawing a blank.



Thanks



It's easy to create a ShortCut as I mentioned earlier.. You could just go to Desktop, Right click > New > Select ShortCut

Then copy paste the path which I mentioned in previous post.. Click Next and then Finish..


Or just browse to following path (I guess you have installed the windows in C: drive) and copy the Windows PowerShell shortcut to your desktop...

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools

Let me know if you find any issues..

How lastLogontimeStamp update in DC?


According to MS the lastLogontimeStamp update follows this process:
1. (Assuming the value of the ms-DS-Logon-Time-Sync-Interval is at the default of 14)
2. User logs on to the domain
3. The lastLogontimeStamp attribute value of the user is retrieved
4. 14 – (Random percentage of 5) = X
5. Current date – value of lastLogontimeStamp = Y
6. X = Y – update lastLogontimeStamp
7. X > Y – do not update lastLogontimeStamp


What I'm not sure to understand is "Random percentage of 5". What does it mean?






What I'm not sure to understand is "Random percentage of 5". What does it mean?

14 days minus random percentage of 5 days

Also see the below link for further details.
https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms676824%28v=vs.85%29.aspx

Will.



Is it like this:
14 days minus random percentage of 5 days = 14 days - (X/100*5)



Below is how the last logonTimeStamp is updated.


1. (Assuming the value of the ms-DS-Logon-Time-Sync-Interval is at the default of 14)
2. User logs on to the domain
3. The lastLogontimeStamp attribute value of the user is retrieved
4. 14 - (Random percentage of 5) = X
5. Current date - value of lastLogontimeStamp = Y
6. X = Y - update lastLogontimeStamp
7. X > Y - do not update lastLogontimeStamp

Reference: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
Credit for this above example goes to Warren from the Active Directory Team Blog Post.

Will.



ok so it's like what I said then:
14 days minus random percentage of 5 days = 14 days - (X/100*5)

Where x/100 is the random percentage.

Thanks
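
The update rule discussed in this thread, written out as a small simulation. This is an added example, not code from the thread or from Microsoft; the function names, the seed and the start date are made up, and step 6 ("X = Y") is read as "Y has reached X", which is an assumption.

```python
import random
from datetime import datetime, timedelta

SYNC_INTERVAL_DAYS = 14  # default ms-DS-Logon-Time-Sync-Interval (step 1)
RANDOM_WINDOW_DAYS = 5   # the "5" in "random percentage of 5" (step 4)


def update_threshold(rng, sync_interval=SYNC_INTERVAL_DAYS):
    """Step 4: X = 14 - (random percentage of 5), as a timedelta."""
    fraction = rng.random()  # the "X/100" of the thread, 0.0 <= fraction < 1.0
    return timedelta(days=sync_interval - fraction * RANDOM_WINDOW_DAYS)


def stamp_after_logon(stamp, now, rng):
    """Steps 2-7: value of lastLogontimeStamp after a logon at `now`."""
    x = update_threshold(rng)
    y = now - stamp  # step 5
    # Assumption: "X = Y" in step 6 is read as "Y has reached X" (Y >= X).
    return now if y >= x else stamp


def simulate_daily_logons(days, seed):
    """One logon per day; returns (days on which the stamp moved, worst lag in days)."""
    rng = random.Random(seed)
    start = datetime(2015, 1, 1, 8, 0)  # constructed start date
    stamp, moved, worst = start, [], timedelta(0)
    for day in range(1, days + 1):
        now = start + timedelta(days=day)
        new_stamp = stamp_after_logon(stamp, now, rng)
        if new_stamp != stamp:
            moved.append(day)
        stamp = new_stamp
        worst = max(worst, now - stamp)
    return moved, worst.days


def provably_idle(stamp, now, idle_days, sync_interval=SYNC_INTERVAL_DAYS):
    """True only if no logon can have happened in the last `idle_days` days.

    A logon 14 or more days after the stamp always moves it, so the real
    last logon is earlier than stamp + 14 days.
    """
    return now - stamp >= timedelta(days=idle_days + sync_interval)


if __name__ == "__main__":
    moved, worst = simulate_daily_logons(120, seed=1)
    print("stamp moved on days:", moved)
    print("worst lag behind the real last logon:", worst, "days")
```

With a user who logs on every day, the attribute still only moves every 10 to 14 days, so a report of inactive accounts built on it has to add the sync interval to its cut-off, as provably_idle does.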



Replace Windows Server 2003 with Windows Server 2012 R2


Hello all,
I have done this many times with going to 2012 but going to 2012R2 caused an issue that I don't know how to fix.
This is for a client that has one file server that is 2003 and needs to be replaced.
The steps that I take are:
1) Install 2012 server
2) Add ADS Role on 2012
3) Copy files and folders from 2003 to 2012 server
4) Transfer FSMO roles
5) Shutdown 2003 server
6) Run metadata cleanup
7) Change IP address on 2012 server to what 2003 server was
8) Rename 2012 server to same name as 2003 server
9) Setup shares on folders for 2012 server

The issue is that when I went to rename the 2012 server to same name as 2003 server it said that it could not do that and then told me I had to reboot.
After reboot I had on the new server the name of the new server but it would not be recognized by that name. Instead it is recognized by the old name.
SOOOOOOO
I put the old 2003 server in place and seized the FSMO roles back. Removed the temporary 2012 server name from AD and DNS. All is working fine on the old server.
I completely removed everything from the new 2012 R2 server (AD DS, DNS, demoted the file server) then I put a different IP address and gave it a completely new name.
I redid steps 1 and 2 and both the servers see each other.
DNS is working. I checked it by adding a new user on the old server under AD Users and Computers, found it 5 minutes later on the new server AD Users and Computers, deleted it from the new server and it was deleted from the old server 5 minutes later.
My question is when I get to the step to rename the new server to the old server's name, is there a special way that I am supposed to do this?
Thanks,
Kelly W.






Has DNS had time to clear up? The client end might be using cached settings to the former IP of the new server and not the reconfigured one. The steps you are doing look good. I've done similar migrations without issue.
After hours would be the best to do this.
Do the steps you are doing up to the rename and reboot.

Then on the new DC, go to the DNS server and clear the cache.
Then on the DC itself, do an ipconfig /flushdns
Then on the client, do an ipconfig /flushdns

Then give it a try.



Do you only have 1 DC? I didn't see a step where you delete the other computer account. It likely won't let you since it is a DC. You don't really need to do a metadata cleanup.
What you need to do is the steps where you add the new server, then dcpromo down the old server. Then reboot shut it down then remove that computer account.
Then do the rename and re-ip



Sorry I did not make myself clear
Yes it is 1 DC.
I actually did the computer deletion on step 6 of running the metadata cleanup.
The issue is when I tried to change the name of the 2012 server it states that it cannot change the name of a domain controller.
I have never seen this when replacing out servers that are domain controllers.



Renames are allowed on 2012 DC's I've done this exact (well similar thing) many times.

I usually have environments with 2 or 4 DC's and I'll DC promo down one of the old DC's then remove it from the domain, then rename/re-IP the new server coming in as the old DC name then DCPROMO it up. Then do the others the same way.
I don't do metadata cleanups since I'm not seizing anything.
This way I don't have to change users server references or retarget DNS client settings, etc. Probably the same reason you do it.

I would normally have 2 DC, so I have a backup in case things went south. Since you only have 1 DC, it's a little different.
I guess that is why you do the metadata cleanup so you still have DC to go back to.

Did you explore the DNS cache, or maybe next time set the DNS TTL down to 1 minute so the cache cleans up fast.



No, I will explore the DNS cache.
I am going to go back into the client's early tomorrow morning.
Had to get them up and going on their old server so they could work today.

Windows Server 2012 R2 DHCP Server Bindings Not listing NIC's


Hi All,

Simple question, can't figure out the answer and am looking for the easy way (ask you all).

I have a Windows Server Standard 2012 R2 Server, I had to remove the NIC's (removed the drivers as well) and replaced them, long story don't want to get into that. I have now the IP's to static but when I go into the DHCP Manager, it shows it is running but it is not bound to any IP's....

I go to Add/Remove Bindings and nothing is listed....

How can I get the newly setup IP's bound in DHCP????






OHH and I REALLY don't want to have to uninstall/reinstall or unconfigure/reconfigure DHCP, that is WORST case scenario.

Thanks again



are you sure that you assigned the same old IP?

Zac



DHCP will use the first statically configured binding it finds. Can you post an ipconfig of the DHCP server?

Dan



Here is ipconfig /all on the server, removed some key names:


Windows IP Configuration

Host Name . . . . . . . . . . . . :
Primary Dns Suffix . . . . . . . : .com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : .com

Ethernet adapter Ethernet 7:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) I350 Gigabit Network Connection #3
Physical Address. . . . . . . . . : 00-1E-67-CF-C0-12
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.2.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 6:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Converged Network Adapter X540-T2 #2
Physical Address. . . . . . . . . : A0-36-9F-3A-B4-F4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 5:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Converged Network Adapter X540-T2
Physical Address. . . . . . . . . : A0-36-9F-3A-B4-F6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{A1F7E3A5-CA7A-48E8-A13A-525C6DB6CB9A}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{658F7DF8-1A41-4270-8CF9-66DEE97D1E85}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{7E324E9E-A65C-4781-85C0-36C59AEFB036}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes



Also I am SURE I am using the same IP's.

Note: Prior in Windows 2008 R2 I used: dnscmd . /ResetListenAddresses 192.168.1.11

and that worked, not helping now in this case (I also have DNS setup on this server)



All of the enabled NICs are showing DHCP enabled. This is the problem. You need to uncheck the enable DHCP on the interface that you want DHCP to run on and manually assign the address.

Here are the problem(s):


Ethernet adapter Ethernet 7:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) I350 Gigabit Network Connection #3
Physical Address. . . . . . . . . : 00-1E-67-CF-C0-12
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.2.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 6:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Converged Network Adapter X540-T2 #2
Physical Address. . . . . . . . . : A0-36-9F-3A-B4-F4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled



DHCP is enabled on both of these interfaces. This is preventing DHCP from using either of them.

Also, where is your gateway address and where are the DNS server addresses?

Dan
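
The check Dan does by eye in this thread, as a script: parse ipconfig /all output and report which adapters the DHCP Server service can bind to. This is an added example, not code from the thread; the function names are made up, and the sample is a trimmed copy of the output posted above plus one constructed adapter ("Ethernet 8") with a static address for contrast.

```python
import re

# Constructed sample: adapters Ethernet 7, 6, 5 and one tunnel adapter from the
# ipconfig /all output in the thread (trimmed), plus a made-up "Ethernet 8".
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet 7:
Description . . . . . . . . . . . : Intel(R) I350 Gigabit Network Connection #3
DHCP Enabled. . . . . . . . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.2.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Ethernet 6:
Description . . . . . . . . . . . : Intel(R) Ethernet Converged Network Adapter X540-T2 #2
DHCP Enabled. . . . . . . . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Ethernet 5:
Media State . . . . . . . . . . . : Media disconnected
DHCP Enabled. . . . . . . . . . . : Yes

Ethernet adapter Ethernet 8:
   Description . . . . . . . . . . . : Constructed adapter (not in the thread)
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.3.11(Preferred)

Tunnel adapter isatap.{A1F7E3A5-CA7A-48E8-A13A-525C6DB6CB9A}:
Media State . . . . . . . . . . . : Media disconnected
DHCP Enabled. . . . . . . . . . . : No
"""

# "Ethernet adapter Ethernet 7:" -> adapter name "Ethernet 7"
HEADER = re.compile(r"^\s*\S.* adapter (.+):\s*$")
# "DHCP Enabled. . . . : Yes" -> key "DHCP Enabled", value "Yes"
FIELD = re.compile(r"^\s*([^:]+?)[\s.]*:\s*(.*)$")


def parse_adapters(text):
    """Return one dict per adapter section, in the order ipconfig printed them."""
    adapters, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"name": header.group(1), "dhcp_client": False,
                       "ipv4": None, "connected": True}
            adapters.append(current)
            continue
        field = FIELD.match(line)
        if not field or current is None:
            continue  # blank line, banner, or host-level setting
        key, value = field.group(1), field.group(2).strip()
        if key == "DHCP Enabled":
            current["dhcp_client"] = value.lower() == "yes"
        elif key == "IPv4 Address":
            current["ipv4"] = value.split("(")[0]  # drop "(Preferred)"
        elif key == "Media State":
            current["connected"] = "disconnected" not in value.lower()
    return adapters


def dhcp_server_binding_report(text):
    """Split connected adapters that have an IPv4 address into (eligible, skipped).

    eligible: address is static, so the DHCP Server service can bind to it.
    skipped:  adapter is itself a DHCP client ("DHCP Enabled: Yes").
    """
    eligible, skipped = [], []
    for adapter in parse_adapters(text):
        if not adapter["connected"] or adapter["ipv4"] is None:
            continue
        (skipped if adapter["dhcp_client"] else eligible).append(adapter["name"])
    return eligible, skipped


if __name__ == "__main__":
    eligible, skipped = dhcp_server_binding_report(SAMPLE)
    print("can be bound:", eligible)
    print("DHCP client, not offered for binding:", skipped)
```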

Windows 7 - Windows Update error: "Cannot currently check for updates ..."


I have a Windows 7 laptop. I've run several antivirus products, no threats found.

When I try to check for Updates, I'm getting the error: "Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer."

I've looked for Windows Update Service in the Services, but can't find it.

What could be wrong? Thanks






I checked "Installed Updates" and I don't actually see anything that's been installed since 2012, except for an Adobe Reader update that was installed today when I downloaded a new version of Adobe Reader.



Never mind. I found the answer (at an elevated command prompt):
net stop wuauserv
cd %systemroot%
ren SoftwareDistribution SoftwareDistribution.old
net start wuauserv



SoftwareDistribution can get corrupt
but it's safe to delete its contents.
it will be rebuilt the next time you run windowsupdate.
So it's safe to delete that SoftwareDistribution.old folder too.



btw when you delete the contents of SoftwareDistribution
it's also a good time to delete the contents of c:/windows/temp



Make sure when you post a question next time that all avenues have been tried before posting.

Deploying PS2PDF for over 200 machines


Hi

What is PS2PDF, for God's sake? Does it not do the same function as Cute PDF? If not, what is the difference?

How can I deploy it to more than 200 Windows 7 machines using any tool whatsoever?


Help please

Thanks






It converts PS/EPS formatted output files to PDF. Yes, it is similar in functionality to CutePDF, adobe acrobat, foxit pro... but unlike these which are used as printers to convert output from applications into PDF, it is a command line tool and can be integrated into cutePDF
I.e. you print to a file (.ps) or you are provided with a ps/eps file and then have to convert it to PDF

You can use GPP to copy the files or GPO to push the install depending on the type you have .zip or .msi?



group policy will generally let you do an MSI file only if i recall -- if you have an EXE or anything else, you will need to look at the likes of PDQ Deploy or Desktop Central or Microsoft SCCM. More so if you have 200 machines. I use both PDQ apps in Pro mode, Deploy and Inventory and it's money well spent, saved us a great deal over the last few years, good support and updates.

We use it for all non-MS deployments, but have actually now created admin installs of Office, Visio etc, and now push them out via Deploy, alongside Java, Flash, all web browsers and even our desktop wallpaper change last week.

http://www.manageengine.com/products/desktop-central/
http://www.adminarsenal.com/pdq-deploy







Windows patch server implementation


hi

We manually apply Windows patches to every client and server in our environment. We have a Windows 2012, 2008, Win7 and XP network of almost 200 computers. Some systems do not have internet access as per policy. I would like to implement one Windows 2012 server that distributes patches automatically to all clients and servers periodically.

I don't know what to do and how to implement. Don't know what to use for this feature. Kindly advise
thanks






you would want to implement WSUS in your environment; it is included with windows server

Windows Server Update Services Overview
https://technet.microsoft.com/en-us/library/hh852345.aspx



thanks



I've requested that this question be closed as follows:
Accepted answer: 0 points for swatujct's comment #a40785495

for the following reason:
na



"thanks" is not a solution



swatujct,

If seth2740's answer is your selected answer, you will need to click the "Accept as Solution" link above the answer and not below. Otherwise, you will need to delete the answer or accept your own solution..

A moderator will follow up in a few days to make sure the question is closed out properly.

Mr Wolfe
Community Support Moderator


I need a quick refresher on where to force a specific homepage in IE on a Windows 2008r2 domain


We have a windows 2008r2 domain and force a specific URL for everyone's homepage when they open I.E. I know the URL needs to be pasted into a specific GPO. Can someone point me there?






user preferences control panel settings internet settings /new now select for which browser



1. Run group policy from gpedit.msc or Administrative Tools.
2. Navigate User Configuration>Administrative Templates>Internet Explorer.
3. In the right side, double-click on Disable change home page settings.
4. check Enable.
5. Type the home page name, for example, http://www.experts-exchange.com
6. Close to save the settings.







Dropbox syncing


I have two identical ENVY 15t notebooks and am trying to sync them so that any changes made on one of the computers to a document I put in the Dropbox folder is automatically reflected on the other computer. I installed Dropbox on both machines. Looking at the Dropbox internet page on each computer side by side, they are identical (meaning the user name is the same, email is the same, even the browser address name is the same) problem is that while testing it I put a document in the dropbox folder on machine (1) but it doesn't show up on machine (2). I also took a couple of pictures on my iPhone and they downloaded to machine (2) but don't show up on machine (1).

My understanding is that once I install Dropbox on both computers using the same email address that if I put a document in either computer's Dropbox folder, it would automatically show up on the other computer. What am I doing wrong?






Have you set up an account at Dropbox.com ?



Apparently I have. When I type "Dropbox.com" on Firefox, it pulls up what I have in my Dropbox folder



When you add something to the dropbox folder on machine #1, does it show up at Dropbox.com (even if it doesn't show up on your other machine)?

What about when you do the same on machine #2?



I added a document to the Dropbox folder on machine 1 and went to Dropbox and it showed up on machine 1 but not on machine 2. I then did the same thing on machine 2 and the document showed up on Dropbox on machine 2 but not machine 1.



I incorrectly told you that both machines have the same email account in settings. I tried to change one of them so that would both have the same email account but it won't let me because it says that that email is already in use. I noticed on the left menu that there is a "share" item. Is that something I need to use in order for the two machines to share their stuff?

Boot problem in Windows 2008 R2


Hi,
after reboot, I am unable to start my Windows Server 2008 R2 server, even with recovery option (F8).
I booted server with original SO dvd, and I am trying to recover the OS from there.
I am able to see the two partitions (C: = SO and D: data), but from menu I don't see any operating system to recover.

Anyway, I can run command prompt.
What can I do?
Thank you






I used: bootsect /nt60 e: /MBR
Command was successful, but OS is not recognized.



did you get any error messages when it won't boot, or what happens?
you can run a chkdsk from command prompt
and if you doubt the disk, run best a manufacturer's diag on it
most can be found on the UBCD :
Hardware diagnostic CD UBCD

go to the download page, scroll down to the mirror section, and click on a mirror to start the download
Download the UBCD and make the cd <<==on a WORKING PC, and boot the problem PC from it
Here 2 links, one to the general site, and a direct link to the download

since the downloaded file is an ISO file, eg ubcd527.iso - so you need to use an ISO burning tool
if you don't have that software, install cdburnerXP : http://cdburnerxp.se/

If you want also the Ram tested - run memtest86+ at least 1 full pass, - you should have NO errors!

For disk Diagnostics run the disk diag for your disk brand (eg seagate diag for seagate drive) from the HDD section - long or advanced diag ! (runs at least for 30 minutes)

http://www.ultimatebootcd.com/ ultimate boot cd
http://www.ultimatebootcd.com/download.html download page

** you can make a bootable cd - or bootable usb stick



When you get to the command line and see C: and D: what directories are there on these drives?
And what are the sizes of these drives?



I had a similar issue where the root problem was an antivirus software creating folders and files in the system reserved partition after a full system scan.

I opened a command prompt from the windows installation dvd, launched notepad, selected save as, navigated to the drives list, and erased the folders and files created on the system reserved partition by the infamous software (I used notepad but you can use anything that makes you able to explore system drives from the installation dvd)

Then if I remember well, launched the repair installation option and had about 3 reboots (don't touch any key, just be patient) in the repair process until the Operating system started again.



Forgot to say that before doing what I say in my previous post I used bootsect command as well and was successful, but my O.S. still wasn't starting. This made me start thinking on a problem on the system recovery partition.

Copy files while keeping Date & Time Stamp intact


I have multiple external hard drives that I have used for one reason or another. I am consolidating the various drives into one big NAS drive. The catch is I need to keep the attributes and most important the date and time stamps intact when I consolidate them onto the new drive. I know I can use xcopy from a command line but it can be tedious given the number of drives and files that have to be copied over. That is unless you have the right command syntax that allows for spaces in path names which I haven't been able to get to work.

So, I'm looking for a GUI based application that runs on Windows 7 that will allow me to copy from source to destination while keeping the attributes but more importantly the time stamp dates intact.






regarding the time stamp you mentioned above, which date/time attribute do you refer to? Create Time, Modify Time or Access Time? they are different time stamps for the same single file.



...the right command syntax that allows for spaces in path names...

I didn't know xcopy doesn't allow you to copy folders with spaces in the names. Mine works fine here. Still, it doesn't address your other issue...

...to keep the attributes and most important the date and time stamps intact...

For that, you can use Robocopy with the /DCOPY:DAT switches.

By default, directory timestamps are not copied over so you need the T switch in /DCOPY:DAT

For file attribute info, you will want to look at these switches...



Which NAS device would that be? Most consumer devices have USB port for copying from external HD to a folder on the NAS. That would also be an easy way of copying all your data. After the copy you just move the files to a desired location as that does not modify timestamps.



@ bbao - I'm referring to create date. For example on some of the USB drives there are folders that contain pictures. These folders and pictures are random but due to the date they were placed on the original drive I can tell the time era for example a trip to the beach.

@NewVillageIT - I think you may be right. Windows 7's explorer sees the file names in its explorer with spaces, I just wasn't able to create the right syntax to copy say F:usersfamilyMy PicturesTrip To Beachfiles to H:My PicturesTrip to BeachOcean City2012 etc. I will try Robocopy for the GUI and see if it helps.

@gerwinjansen - Although I do have a NAS (FreeNas) used for backups for servers on my home network, it was the wrong choice of words on my part. I am actually using a Seagate 3TB Backup Plus.

All, the drives are connected to my laptop via the USB ports. I also have the other drives that were old internal drives from my old computers plugged into my other USB ports as needed. The trick is copying them to the Seagate USB Drive. So i.e. I have to copy a 250 GB drive (F:) and all its contents keeping the create date/time the same to my new 3TB Seagate drive (H:). Sure I can cut and paste or move but it loses the date/time stamp which is what I need.



That Seagate is not a NAS, so I'd go for robocopy with the date option.

There are a few robocopy front-end gui's out there but I only use the command line. Just try one I'd say.
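The robocopy approach suggested in this thread, as an added example that is not part of any poster's reply: it copies F: to H: with file and directory timestamps, then checks that each copied file kept its creation and modified times. It uses /DCOPY:T, the directory-timestamp part of the /DCOPY:DAT switch mentioned above; the destination folder name and the function name are assumptions.

```powershell
# Added example, not from the thread. F:\ and H:\ are the drive letters the
# poster mentions; the destination folder name is an assumption.
$Source = 'F:\'
$Dest   = 'H:\Consolidated\F-drive'

# /E copies subfolders (including empty ones), /COPY:DAT copies file data,
# attributes and timestamps, /DCOPY:T copies directory timestamps.
# /XD skips the per-volume system folders found in a drive root.
robocopy $Source $Dest /E /COPY:DAT /DCOPY:T /R:1 /W:1 /NP `
    /XD 'System Volume Information' '$RECYCLE.BIN'

# Robocopy exit codes are a bit mask; 8 or higher means some copies failed.
if ($LASTEXITCODE -ge 8) {
    Write-Warning "robocopy reported failures (exit code $LASTEXITCODE)"
}

# Hypothetical helper: lists files whose copy is missing or whose creation or
# modified time changed. Pass absolute paths for both roots.
function Compare-CopiedTimestamp {
    param(
        [Parameter(Mandatory = $true)][string]$SourceRoot,
        [Parameter(Mandatory = $true)][string]$DestRoot,
        [int]$ToleranceSeconds = 2,   # FAT/exFAT store write times in 2 s steps
        [string[]]$ExcludeTop = @('System Volume Information', '$RECYCLE.BIN')
    )
    $prefixLength = $SourceRoot.TrimEnd('\').Length
    Get-ChildItem -LiteralPath $SourceRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $relative = $_.FullName.Substring($prefixLength).TrimStart('\')
            # Skip the folders that robocopy was told to exclude.
            if ($ExcludeTop -contains ($relative -split '\\')[0]) { return }

            $copy = Get-Item -LiteralPath (Join-Path $DestRoot $relative) -Force -ErrorAction SilentlyContinue
            if (-not $copy) {
                $problem = 'missing at destination'
            } elseif ([math]::Abs(($copy.CreationTimeUtc - $_.CreationTimeUtc).TotalSeconds) -gt $ToleranceSeconds) {
                $problem = 'creation time differs'
            } elseif ([math]::Abs(($copy.LastWriteTimeUtc - $_.LastWriteTimeUtc).TotalSeconds) -gt $ToleranceSeconds) {
                $problem = 'modified time differs'
            } else {
                return   # timestamps preserved, nothing to report
            }
            New-Object PSObject -Property @{
                Path           = $relative
                Problem        = $problem
                SourceCreated  = $_.CreationTimeUtc
                DestCreated    = $copy.CreationTimeUtc
                SourceModified = $_.LastWriteTimeUtc
                DestModified   = $copy.LastWriteTimeUtc
            }
        }
}

$diff = @(Compare-CopiedTimestamp -SourceRoot $Source -DestRoot $Dest)
'{0} file(s) with a missing copy or changed timestamps' -f $diff.Count
$diff | Format-Table Path, Problem, SourceCreated, DestCreated -AutoSize
```

The path arguments are passed as variables, so folder names with spaces need no extra quoting.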

DNS, AD, DC issues at remote sites

We have four subnets on our network:
192.9.100.x (Main)
192.168.4.x (Remote)
192.168.6.x (Remote)
192.168.8.x (Remote)

At those three locations DNS doesn't seem to propagate. Also, domain controllers can't be contacted other than initial log in. For example, I'm trying to share a user's printer so others in that office can print to it but it doesn't "see" any of the other users. In the network mmc I should see ALL machines on network. I only see the ones on that specific subnet. What could be causing this. Everything works as it should on the main subnet.



What networking equipment exists between main site and remote sites? Can you ping the 192.9.100.x network from remote locations?



There is some proprietary equipment from TW that handles the circuits. One router and switch per location. Yes, 192.9.100.x can be pinged from remote locations.



Ok, so I'm not sure if this will help... but, we have a main site, and 6 remote locations each on its own subnet. We have a firewall at each site that we direct the traffic to our Primary Domain Controller for DNS. I wonder if the TW equipment or your router is configured to direct the traffic.. or can you figure out where it's looking to for the DNS services... if anywhere.



Yea the traffic isn't being passed to those remote sites. I guess I can ask TW if they know anything about this. We can't be the only ones having this problem.

Another thing, we have to add these machines to our domain at our main office. If we try at the remote offices it says a DC can't be reached. But it allows users to authenticate because they sign in every morning obviously.



The credentials are cached, so they aren't technically authenticating. Your sites aren't getting DNS information because it can't contact the DC. TW may be able to alter the equipment for that routing, or you may need to put in a firewall or equivalent equipment to direct traffic to main site for DNS.

Servers not downloading all of the assigned updates

I have a mix of Windows 2008R2 and Windows 2003 servers at one of my clients. I approved Windows updates for the servers a couple of weeks ago. Most of the updates downloaded and installed with no problems, but I noticed at the time that some of the updates on several servers didn't download. These servers are set by group policy to detect and download updates but not to install them automatically. In WSUS, the computer "updates needed" report shows the updates under the Approval column as "Install" but the status column shows "Not Installed," where it should be "Downloaded."

Nothing has changed since the servers were restarted a couple of weeks ago after the initial installation of the other approved updates. I looked in the Windows Update log for one of the servers, but I can't find anything that stands out. It looks to me as though the server finds the update it needs (there's only one outstanding on this particular server) but just never downloads it.

2015-03-30 13:42:52:637 928 1944 AU #############
2015-03-30 13:42:52:637 928 1944 AU ## START ## AU: Search for updates
2015-03-30 13:42:52:637 928 1944 AU #########
2015-03-30 13:42:52:637 928 1944 AU <<## SUBMITTED ## AU: Search for updates [CallId = {B6316D61-9CBE-4D6B-9575-2E7071239520}]
2015-03-30 13:42:52:637 928 220c Agent *************
2015-03-30 13:42:52:637 928 220c Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2015-03-30 13:42:52:637 928 220c Agent *********
2015-03-30 13:42:52:637 928 220c Agent * Online = Yes; Ignore download priority = No
2015-03-30 13:42:52:637 928 220c Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2015-03-30 13:42:52:637 928 220c Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2015-03-30 13:42:52:637 928 220c Agent * Search Scope = {Machine}
2015-03-30 13:42:52:668 928 220c Setup Checking for agent SelfUpdate
2015-03-30 13:42:52:684 928 220c Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320
2015-03-30 13:42:55:304 928 220c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab with dwProvFlags 0x00000080:
2015-03-30 13:42:55:319 928 220c Misc Microsoft signed: NA
2015-03-30 13:42:55:319 928 220c Misc WARNING: Cab does not contain correct inner CAB file.
2015-03-30 13:42:55:319 928 220c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab with dwProvFlags 0x00000080:
2015-03-30 13:42:55:335 928 220c Misc Microsoft signed: NA
2015-03-30 13:42:55:335 928 220c Setup Wuident for the managed service is valid but not quorum-signed. Skipping selfupdate.
2015-03-30 13:42:55:335 928 220c Setup Skipping SelfUpdate check based on the /SKIP directive in wuident
2015-03-30 13:42:55:335 928 220c Setup SelfUpdate check completed. SelfUpdate is NOT required.
2015-03-30 13:42:57:768 928 220c PT +++++++++++ PT: Synchronizing server updates +++++++++++
2015-03-30 13:42:57:768 928 220c PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://york:8530/ClientWebService/client.asmx
2015-03-30 13:42:57:799 928 220c PT WARNING: Cached cookie has expired or new PID is available
2015-03-30 13:42:57:799 928 220c PT Initializing simple targeting cookie, clientId = 482ec978-1913-48ae-8979-50134325e59a, target group = , DNS name = server.domain.com
2015-03-30 13:42:57:799 928 220c PT Server URL = http://WSUS:8530/SimpleAuthWebService/SimpleAuth.asmx
2015-03-30 13:43:24:051 928 220c PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2015-03-30 13:43:24:051 928 220c PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://WSUS:8530/ClientWebService/client.asmx
2015-03-30 13:43:27:764 928 220c Agent * Added update {E06056E3-0199-4C68-8AC3-BDDDFF356A0A}.105 to search result
2015-03-30 13:43:27:764 928 220c Agent * Found 1 updates and 74 categories in search; evaluated appl. rules of 902 out of 1694 deployed entities
2015-03-30 13:43:27:764 928 220c Agent *********
2015-03-30 13:43:27:764 928 220c Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2015-03-30 13:43:27:764 928 220c Agent *************
2015-03-30 13:43:27:858 928 2628 AU >>## RESUMED ## AU: Search for updates [CallId = {B6316D61-9CBE-4D6B-9575-2E7071239520}]
2015-03-30 13:43:27:858 928 2628 AU # 1 updates detected
2015-03-30 13:43:27:858 928 2628 AU #########
2015-03-30 13:43:27:858 928 2628 AU ## END ## AU: Search for updates [CallId = {B6316D61-9CBE-4D6B-9575-2E7071239520}]
2015-03-30 13:43:27:858 928 2628 AU #############
2015-03-30 13:43:27:858 928 2628 AU Successfully wrote event for AU health state:0
2015-03-30 13:43:27:858 928 2628 AU Featured notifications is disabled.
2015-03-30 13:43:27:858 928 2628 AU AU setting next detection timeout to 2015-03-30 18:41:51
2015-03-30 13:43:27:858 928 2628 AU Successfully wrote event for AU health state:0
2015-03-30 13:43:27:858 928 2628 AU Successfully wrote event for AU health state:0
2015-03-30 13:43:32:772 928 220c Report REPORT EVENT: {1CA3D6A9-90BA-4DF2-A201-13A2A4F8B138} 2015-03-30 13:43:27:764-0400 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Software Synchronization Windows Update Client successfully detected 1 updates.
2015-03-30 13:43:32:772 928 220c Report REPORT EVENT: {727C06EB-A5D7-4DBD-BC38-3AD544D6428C} 2015-03-30 13:43:27:764-0400 1 156 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Pre-Deployment Check Reporting client status.
2015-03-30 13:43:32:772 928 220c Report CWERReporter finishing event handling. (00000000)
2015-03-30 13:52:59:874 928 220c Report Uploading 2 events using cached cookie, reporting URL = http://WSUS:8530/ReportingWebService/ReportingWebService.asmx
2015-03-30 13:52:59:874 928 220c Report Reporter successfully uploaded 2 events.

Any help would be appreciated.



Look within the wsus report for this system, does it say that the update that is reflected as approved for install on this specific system (client target)?

I think what mpfister might have meant is: is it a superseding or revised update that has not been approved?

See if the update is Security Update for Windows Server 2008 R2 x64 Edition (KB2698365) revision 105 (update revision information)



Could it be a superseded update that's not yet declined?




There could be several reasons for this happening. One thing I have noticed is that some updates only apply if a specific service pack has been applied. We had a few 2008 servers that did not have SP1 on them. They were not receiving any new updates for several months. Once I installed SP1 on the server, suddenly it was downloading and installing needed updates from the past months.

The other problem could be an issue with the software distribution folder on the server. You can force the system to rebuild a new one.

1. Stop Windows Update service
2. Rename C:\windows\softwaredistribution folder
3. Start Windows Update service and check again for updates. It will recreate the softwaredistribution folder automatically.



@mpfister & arnold: The updates that are not downloading are:
Windows 2008: Yes, the one mentioned by arnold is the update that is not downloading. It's 2698365, and according to the Windows Update log it is "{E06056E3-0199-4C68-8AC3-BDDDFF356A0A}.105" which I assume means it's rev 105.

Windows 2003: There are 4 updates that aren't downloading, all Windows security updates for Windows 2003: 2698365 (x64 and x32); 2509553, 2536276, and 2638806 (x64 only). I just now noticed, looking back at my WSUS console, that these are very old updates, but they must have just showed up in the downloads over the last month (I do Windows updates on these servers once a month). They're NOT showing as having been superseded in the console. And they are on the list of needed updates for these servers. Very strange!!!



Check the status of the update in WSUS console.
Point the server to MS to check for updates, to see whether this update is still reflected as needed.

One option: you could download the update from MS at http://www.microsoft.com/en-us/download/details.aspx?id=30236

As was pointed out, the update could have been installed before, but something changed, triggering its "reflection" as needed, but on a download attempt, something else is interfering. Check wsus to see whether the files/content is there.

Do you have only one WSUS server?
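A way to check the symptom described in the question (an update is detected but never downloaded) directly from WindowsUpdate.log, as an added example that is not part of any poster's reply. The sample lines are copied from the log posted above; the function name is hypothetical, and treating the `DnldMgr` component as the marker of download activity is an assumption, since the posted log contains no download lines to confirm it.

```powershell
# Constructed sample: a few lines copied from the log posted in the question.
$SampleLog = @'
2015-03-30 13:42:52:637 928 1944 AU ## START ## AU: Search for updates
2015-03-30 13:42:55:319 928 220c Misc WARNING: Cab does not contain correct inner CAB file.
2015-03-30 13:42:57:768 928 220c PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://york:8530/ClientWebService/client.asmx
2015-03-30 13:42:57:799 928 220c PT WARNING: Cached cookie has expired or new PID is available
2015-03-30 13:43:24:051 928 220c PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://WSUS:8530/ClientWebService/client.asmx
2015-03-30 13:43:27:764 928 220c Agent * Added update {E06056E3-0199-4C68-8AC3-BDDDFF356A0A}.105 to search result
2015-03-30 13:43:27:764 928 220c Agent * Found 1 updates and 74 categories in search; evaluated appl. rules of 902 out of 1694 deployed entities
2015-03-30 13:43:27:858 928 2628 AU AU setting next detection timeout to 2015-03-30 18:41:51
'@

# Hypothetical helper: summarises one detection cycle from WindowsUpdate.log lines.
function Get-WuLogSummary {
    param([Parameter(Mandatory = $true)][string[]]$Line)

    # Fields: date, time, process id, thread id (hex), component, message.
    $entry = '^(?<date>\d{4}-\d\d-\d\d)\s+(?<time>\d\d:\d\d:\d\d:\d{3})\s+\d+\s+[0-9a-fA-F]+\s+(?<comp>\S+)\s+(?<msg>.*)$'
    $found = @(); $warnings = @(); $servers = @(); $downloadLines = 0

    foreach ($text in $Line) {
        if (-not ($text -match $entry)) { continue }   # skip blank or wrapped lines
        $comp = $Matches['comp']; $msg = $Matches['msg']
        $when = '{0} {1}' -f $Matches['date'], $Matches['time']

        # Assumption: download activity is logged under the DnldMgr component.
        if ($comp -eq 'DnldMgr') { $downloadLines++ }

        if ($msg -match '^WARNING:\s*(?<w>.+)$') {
            $warnings += "$when [$comp] $($Matches['w'])"
        }
        if ($msg -match 'Added update \{(?<id>[0-9A-Fa-f-]+)\}\.(?<rev>\d+) to search result') {
            $found += New-Object PSObject -Property @{
                When = $when; UpdateId = $Matches['id']; Revision = [int]$Matches['rev']
            }
        }
        if ($msg -match 'Server URL = https?://(?<server>[^:/\s]+)') {
            $servers += $Matches['server']
        }
    }

    if ($found.Count -eq 0) {
        $verdict = 'no applicable updates detected'
    } elseif ($downloadLines -eq 0) {
        $verdict = 'updates detected, but no download activity logged'
    } else {
        $verdict = 'updates detected and download activity logged'
    }

    New-Object PSObject -Property @{
        Verdict       = $verdict
        FoundUpdates  = $found
        Warnings      = $warnings
        DownloadLines = $downloadLines
        # More than one name here means the client talked to differently named servers.
        ServerNames   = @($servers | Sort-Object -Unique)
    }
}

$summary = Get-WuLogSummary -Line ($SampleLog -split "`r?`n")
$summary.Verdict
$summary.FoundUpdates | Format-Table When, UpdateId, Revision -AutoSize
$summary.Warnings
'Server names seen: ' + ($summary.ServerNames -join ', ')
```

To run it against a live client, pass `Get-Content "$env:windir\WindowsUpdate.log"` as `-Line` instead of the sample.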

ieexplorer version download

I have terminal servers running windows server 2008 enterprise sp2, they are currently running at ie8. I want to get them to ie10 or ie11, but I'm finding it difficult to get the downloads and what is supported.
I tried downloading ie10 but it was not a valid application when I went to install it.



The system requirements for Internet Explorer 9 are Windows 7, Windows Server 2008 R2, Windows Vista Service Pack 2 or Windows Server 2008 SP2 with the Platform Update. Windows XP and earlier are not supported. Internet Explorer 9 is the last version of Internet Explorer to be supported on Windows Vista.

IE10 runs only on Windows 7 and later versions: Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8 and Windows Server 2012.

IE7 version does support Windows XP SP2, Windows Server 2003 SP1, Windows Vista and Windows Server 2008.



I have the 32bit version of Windows server 2008 enterprise sp2; on one of the servers I have ie9 running, the rest of them are at ie8. I want to get to ie10 or ie11, is it possible on a 32bit version?



IE10 or IE11 is definitely not supported on or compatible with Windows server 2008 enterprise sp2 32bit version.





Develop a standard win 2012 configuration guideline

Regardless of the role (i.e. DNS, Print, Web, Terminal, DHCP, Application, Active Directory, etc) of the windows 2012 server,
I am trying to put together a configuration guidance list that can be followed and used to securely build and configure a 2012 server. I have used CIS and Microsoft compliance check tools to show me baseline configuration vulnerabilities but that tool is used after system is active. Please share any configuration recommendations I should have to secure and protect a 2012 server before it is configured for a specific role.

This is what I have thus far if the server requires a windows GUI Platform
1) Install & configure Antivirus Software
2) Install & configure Windows Update
3) Install & configure Malware Software
4) Install & configure Firewall Software
5) Install & configure HIPS/HIDS Agent
6) Install & configure AppLocker
7) Install & configure the server role
8) Install & configure vendor software (based on server role: i.e. Application server - SQL Server or Deltek Time Card Software)
9) Run CIS, Microsoft, Nessus baseline configuration audit software

Thank you in advance.



"Regardless of the role" ...no such thing. The purpose of the server is integral to the checklist. Every single step you listed, I can show a counterpoint where a specific role or applications makes that step irrelevant, or even worse, antithetical to the server's purpose. You can't simply make a list in a void. Each deployment is about meeting the needs as specified, and *that* becomes about project management.

Sure, you could argue that you are making a baseline for common deployments. But even then, AppLocker? I'd argue *most* servers don't need it. That is a client lockdown tool. A HIPS on every server? Hmmm..... and a CIS/Nessus scan? If this is really about building a solid baseline, wouldn't you do it once and then rely on the system? Rescanning each time seems redundant. And those are just the easy low hanging fruit.



Ok, I need to develop a secure baseline checklist for each server role listed below:
Active Directory Domain Services role
Application Server role
DHCP Server role
DNS Server role
File Services role
Hyper-V role
Network Policy and Access Services role
Print Services role
Terminal Services role
Web Server role
Windows Deployment Services role



Plenty of books cover those roles in detail. No need to reinvent (or rewrite) the wheel.



ok



Thanks

drive not accessible

Hi

After restarting my pc, windows 8.1 tried to repair HDD
That failed.... it just stayed on the screen for ages
I waited for a long time...however, now i've given up, and just need to access the files

I've plugged it into another computer but get this



The easiest thing is to boot up a knoppix or other live linux cd on the pc with the drive and access the files from the live system. Linux will not obey any NTFS ACLs and you have full access to all files and folders.

knoppix can be obtained from here: http://knopper.net/



Try check disk in command prompt

type chkdsk /f I:
It will repair the drive if the hard disk does not have any problem



nothing happens on checkdisk

knopper is a very difficult website.... which ISO do i need?
http://ftp.uni-kl.de/pub/linux/knoppix/



ADRIANE-KNOPPIX_V7.2.0gCD-2013-07-28-DE.iso



or the full DVD http://ftp.uni-kl.de/pub/linux/knoppix/DVD/KNOPPIX_V7.4.1DVD-2014-09-15-EN.iso

Sharepoint question

I am using the built in sharepoint that comes free with Windows server 2008 R2.
I had a user change her name because she got married. I've made the changes in AD last year, and everything was fine, but the user just asked me why when she logs into sharepoint, it uses her old name.

I tried deleting the user and every time I add the user, even though I use the new format: domain\username
it still reverts back to the old last name.

I searched through AD, and the old name doesn't exist anywhere. How do I resolve this issue?

I'm puzzled.



Try this, line by line
Add-PSSnapin Microsoft.SharePoint.Powershell
$web = Get-SPWeb http://webapp
$user = get-spuser -web $web -identity "Incorrect display name exactly as it is shown in SharePoint"
Set-SPuser -identity $user -web $web -DisplayName "New display name to be set by PowerShell"

User names should be in the format Domain\UserName

This is just a band aid for what might be a larger problem, such as UPS not syncing or running.

Hope that helps



are you saying to run that code on my sharepoint server, right?

I've never worked with powershell, so hopefully that won't break anything
Just to confirm the format, let me know if this is what I should be entering:
Add-PSSnapin Microsoft.SharePoint.Powershell
$web = Get-SPWeb http://webapp
domainusername = get-spuser -web $web -identity "First name & last name spelled incorrectly"
Set-SPuser -identity domainuser -web $web -DisplayName "First name & last name spelled incorrectly"

where it says http://webapp do I change this to my own http address of my sharepoint?

also, can this break anything? I'll do a backup, but I have no idea how to restore it if it breaks sharepoint



Yes, the address of your SharePoint goes where it says http://webapp
If you have never worked with PowerShell, you might want to read up on it some however before you start.



what is UPS not syncing, so how would I know what the exact problem is, just curious?



since the snapin was already installed, it didn't install it.

Then it ran the 2nd line fine with no errors

The third line though came back with an error. The picture is attached.

Disable the Swipe Edge on Windows 8.1

Hi there

Can someone please tell me how to disable the annoying orange arrow on the middle left of the screen.

I have removed Gesture from the mouse settings but still appears.

Any Help

Thanks



Try these steps:
- Bring up the Charms bar (press the Windows + C keys together) then click on Settings
- Click Change PC Settings at the bottom
- Click PC and devices on the left hand pane
- Click Corners and edges
- Turn off Allow switching between apps along with anything else you want to disable
- Exit when done



Worked ... I hate Windows 8



It's not so bad once you get used to it :)

Glad I could help.





mail record to one ip and mx to another

Hi All,

Can I have mail.domain.com.au point to local server IP and MX.domain.com point to hosted exchange with a different ip.
Will this stuff up my email delivery?

What happened was, I started email migration using mail.domain.com as the source, but now that I have a dns change to mx.domain.com, I can't continue the migration because there is no longer a mail.domain.com.

So if i add a mail.domain.com back to the server IP and keep the MX.domain.com to the new mail server. will this cause email problems.

Thanks in advance.



i forgot to mention mail.domain.com is a A record and mx.domain.com is an MX record.



The short answer is, yes. A domain's MX record tells the internet where to send mail for that domain. An MX record references an A record, but it does not have to be the A record for the mail server. Often, companies will have incoming mail delivered to a spam filter, which then delivers to the mail server.

The email trouble you might have is with internal clients -- if they are looking for incoming mail at mail.domain.com, it won't be there unless it is being forwarded there by MX.domain.com.







Windows 2008R2 RDP login random issues

Weird RDP login issues having since weekend:
Cannot RDP into the server: Login attempt failed
Creates security event below:
If I login via IP it logs in ok, then I'm able to login ok with DNS name.
If I disable loopbackcheck on the server I'm able to login, but then it breaks my websites running on that server.

Any suggestions?



...RDP login issues having since weekend


If your server has updates KB3002657 and KB3046049, this user resolved it by removing them: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28636661.html#a40671657



I have verified Time is in sync second to second with Domain Controllers , so that is not the issue.



Aaaaaaaaaaaaaa that killed me!

Thank you!



Thanks for the confirmation, itmti. I'm glad to help. Hope you're ok. Have a nice day..



Wifi, 802.1x, simple certificate selection, CA

Hey

We have installed a new CA - it works fine.

On our Windows 7 machines we now have 1 new machine certificate from the new CA and one from the old CA.

Both are working for WIFI auth.

Some of the old certificates are about to expire. On some machines (Windows 7) it seems to be using the old (and expired) certificate - so it's unable to connect to wifi.

How do I deal with this issue? (expired certificates from old CA)

We use computer auth + simple certificate selection.

Thanks in advance

Mike



Simple Certificate Selection is designed so that it'll remember your choice if you choose one certificate over the other. Also, if the old certificate is expired, Windows will choose the new valid, as long as it is installed - and, of course valid.

However, you should revoke all certs from old CA when demoting it, as long as new CA is up and running.



Jakob> Thanks for your time ;) I have many Windows 7 boxes with one expired (Old CA) and one valid (New CA).

About 70% are unable to logon to our WIFI. As soon as I delete the expired certificate it's able to connect to the WIFI.

Therefore I suspect Windows to use the expired certificate for WIFI.

Best regards

Mike



Yes ---- that's true---- It'll probably use the last used certificate. (but I was darn sure it would deselect expired certs).
Are you authenticating with computer certs only, or computer and user?

In autoenrollment settings, have you selected Remove Revoked Certificates, Renew Expired and Update Pending Requests?

You could try to create a new template on new CA - choose the old template as superseded template, and make sure that "Update Certificates that use certificate templates" - and see if expired certs from old CA will be updated with new certs from new CA.
To make this easier - restrict autoenroll to a limited group of computers/users for the new test template.



Hey

Only using computer certs. ;)

Yes, I use Remove Revoked Certificates, Renew Expired and Update Pending Requests...

I'll try Monday. ;) have a nice weekend.

Mike



any news?
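The state Mike describes in this thread (an expired machine certificate from the old CA sitting next to a valid one from the new CA) can be found per machine with the following added example, which is not part of any poster's reply. It only reports; the function name is hypothetical, and the store path is the standard local machine personal store.

```powershell
# Hypothetical helper: lists machine certificates that can be offered for
# client authentication (as used for 802.1X computer auth) with their expiry state.
function Get-ClientAuthMachineCert {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now = Get-Date

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1

        # A certificate without an EKU extension is valid for every purpose,
        # so it counts as usable for client authentication too.
        if ($eku) {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -notcontains $clientAuthOid) { return }
        }

        if ($cert.NotAfter -lt $now) {
            $status = 'Expired'
        } elseif ($cert.NotBefore -gt $now) {
            $status = 'NotYetValid'
        } else {
            $status = 'Valid'
        }

        New-Object PSObject -Property @{
            Status        = $status
            NotAfter      = $cert.NotAfter
            Issuer        = $cert.Issuer
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

$certs   = @(Get-ClientAuthMachineCert)
$expired = @($certs | Where-Object { $_.Status -eq 'Expired' })
$valid   = @($certs | Where-Object { $_.Status -eq 'Valid' })

# One row per certificate, oldest expiry first, so the old CA's entries stand out.
$certs | Sort-Object NotAfter |
    Format-Table Status, NotAfter, Issuer, Thumbprint, HasPrivateKey -AutoSize

# Count per issuing CA and state.
$certs | Group-Object Issuer, Status | Select-Object Count, Name

if ($expired.Count -gt 0 -and $valid.Count -gt 0) {
    Write-Warning ('{0} expired client-authentication certificate(s) coexist with {1} valid one(s) on {2}' -f `
        $expired.Count, $valid.Count, $env:COMPUTERNAME)
}
```

Run across the fleet, the warning line identifies the machines that still hold the expired certificate the thread found had to be deleted.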

When should we install RODC?

When should we install RODC?



if you need a domain controller in a dmz, read-only can be placed there



Or if you have a site that should have a domain controller but isn't physically secured.



@Seth
if you need a domain controller in a dmz, read-only can be placed there

Having a DC in the DMZ is a security risk even with a RODC. A DC should not be required in a DMZ.

One of the main reasons why you would use an RODC in a remote site is for physical security restrictions, no technical users at the site, faster logon times because of network latency, or only a few users at a single site.

Personally I would not use an RODC because with Networks today they are robust enough to handle multiple user authentication to a hub site. This also minimized server licenses along with maintenance of the server itself.

Below is a technet which explains where they would be useful.
https://technet.microsoft.com/en-us/library/cc732801%28v=ws.10%29.aspx

Will.



RODC are meant for smaller branches with few users, not secured, no backup infrastructure in place or there is low bandwidth. Under no circumstances should a DC be placed in the DMZ. If there are systems that need authentication in the DMZ then there are solutions such as ISA (firewall rules, etc.) that could be used.



So if I have good bandwidth capacity and have just 50 users at site is it preferable to mount RODC or normal DC?

Can't list installed roles and features on Windows Server 2012 R2

I have two domain controllers and a single application server running SCOM stood up in a recently built domain/forest. I am attempting to view what roles and features are currently installed on each using an account with enterprise admin privileges and I'm getting an error. The Server Manager console shows a 'Manageability' issue of "Online - Cannot get role and feature data". When I try to run the 'Add Roles and Features Wizard' I get the message of "The request to list features available on the specified server failed". When I attempt to run 'Get-WindowsFeature' from powershell, I get the following:



Try logging in with another admin account. This account may have some restrictions.

========================

Server Manager cannot get role and feature inventory data from the target server. The user might not have access rights to role and feature data on the target server, or the data might not be readable. To grant role and feature inventory data access rights to standard (non-Administrator) users, administrators should run the Enable-ServerManagerStandardUserRemoting cmdlet on the target server. For more information about how to use this cmdlet (and disable standard user management access when it is no longer needed), see the cmdlet Help topic for Enable-ServerManagerStandardUserRemoting.

https://social.technet.microsoft.com/wiki/contents/articles/13444.windows-server-2012-server-manager-troubleshooting-guide-part-ii-troubleshoot-manageability-status-errors-in-server-manager.aspx
===============



This sounds like more than a permissions issue--sounds like your "catalog" of features is corrupted. Check out this link for an explanation and suggestions and run this command
dism /online /cleanup-image /restorehealth



This issue is usually caused by a corruption in the Component Based Servicing Subsystem (DCOM). It is generally related to incorrect permissions. In order to solve it, you will want to change the Default Authentication level to "connect".

1. Open the Component Services management console.

2. Browse to the location Component Services --> Computers --> MyComputer.

3. Right-click on the MyComputer branch and select 'Properties'.

4. Go to Default properties Tab and make sure that default authentication level is set to 'Connect' and Default Impersonation level is set to 'Identify'.

Microsoft has a TID that discusses this issue further: An error message occurs when you click Roles under the Server Manager console in Windows Server 2008
-saige-



All good recommendations, but my problem dealt with host intrusion software. I still gave out points for those that provided a solution. Thanks!


