Use DHCP Scope info to build DNS Reverse Lookup Zones and configure DNS with Powershell

I had a customer with more than 60 DHCP Scopes but all DNS Reverse Lookup Zones were unfortunately not created, configured and/or consisted of a lot of old invalid static records. And in addition both the Primary and Reverse Zones were containing a lot of old Name Servers.

Here is the scripts I ran to fix the issues. Just remove the -whatif to actually make it do stuff.

In this case, our Name Servers had the name standard ADM-V-ADDS…. so the script will remove all other name servers. Obviously, modify to fit your environment!

 

 

Failover Cluster – An error was encountered while loading the network topology

Sharing and friendly reminder for myself as I will for sure run into this problem again in the future.

When creating a Windows Failover Cluster, you get this error message (btw, did you know you can Ctrl+C copy the text from a dialog box and paste like this);

 

Solution: In this case I had to remove the User Account from AD’s “Protected Users” group because Failover Cluster is still using NTLM and CredSSP. Relogon and it’s now possible to create the cluster, and then just add the user back into the Protected Users Group.

Using Azure DNS for Dynamic DNS with PowerShell

I’ve been using DynDNS and other Free DNS Services for  some time, but as they are getting harder and harder to use for free. Like you need to remember to logon and click a button once a month and what not. I figured it was time to migrate to Azure DNS instead. Being able to use PowerShell to handle my DNS together with everything I’ve already automated makes my life so much easier. And as I’ve already got a couple of domains and some Azure subscriptions there was more or less no increased cost for me.  As you can see in the picture, Azure DNS Pricing is really cheap.

I’ve used Task Scheduler to scheduled the script below to run at Computer Startup on one of my Hyper-V Hosts at home, and then every hour. That guarantees that if there is a power failure and I get a new IP from my ISP, when the server boots, the external DNS pointers will be updated at once and just to be sure check every hour.

In short, the script checks your External IP and compares that to the IP of the hostname you want updated. If they are not identical, it will logon to Azure and update the hostname with your current IP.
Simple as that.

In my case, I’ve setup a UserName in AzureDNS who has access to just that DNSZone and are using that UserName in the script.

 

You obviously need to migrate an existing or register a new DNS Zone to Azure and use Microsoft’s NameServers for this to work.

 

How to solve EVENT ID 1202 SceCli 0x57 Parameter is incorrect

Customer is repeatedly getting this Event ID on all Servers and Clients, especially on the Domain Controllers being logged every 5 minute.

Searching for that Error gives thousands of results, most less helpful.The way I solved this problem was like this.

  1. On one of the servers having the problem, run RSOP.MSC
  2. Resultant Set of Policies showed a Warning on the Computer policies. Selecting properties there showed the same error as in our Event Log.
  3. Browsing the Tree showed that there were a problem in the Password Policy section, from the Default Domain Policy.
  4. Which were also visible in GPMC (Group Policy Management Console)
  5. By modifying the Default Domain Policy and fixing the bad entries (no clue how they got there). The Error message (and problem) is now gone.

 

 

 

 

 

KB4048953 and KB4049065 fails to install (hungs). How to fix it.

We had a server which failed to install Windows Server / Windows 10 Service Update and November 2017 updates with the names KB4049065 and KB4048953 through Windows Update. The installation simply never completed and it looked like it hung.

Rather than go through all the various (failed) steps I did to troubleshoot it, I’ll just tell how to solve it.

  1. Start by downloading the packages from Microsoft Update Catalog to c:\temp;
    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4049065 http://www.catalog.update.microsoft.com/Search.aspx?q=KB4048953 (Cumulative Update)
  2. Then expand the MSU files (using wusa.exe to install them failed for me) by doing this in a command prompt:
  3. You should now have two folders with files like this;
  4. As this is a Windows Server 2016 (or Windows 10) we can use Powershell rather than Dism to install the cab files into Windows.
  5. Open Powershell with elevated permissions (as Admin).
  6. To install both packages do this, and have patience. It took more than 4 hours for them to install on my server and it looked like the installation hung for a long time around 15%.
  7. When the installation has completed reboot the server and you are done!

 

 

Get GeoLocation with PowerShell and set NTP Server in a GPO

Using Powershell to locate your Geographical Location with the help of GeoLocation (IP-Address) is quite easy, cool and useful!

When we build Private and Hybrid Clouds across the globe in various countries and continents I want to make sure the Active Directory PDC Emulator is using a valid time source based on that location.

GeoLocation with Powershell

So with this small script (it’s using multiple WebServices to cycle through until it gets an answer) we can get a rough location for where we are and in my case it’s usually enough to know what country the datacenter is in.

That can then be used as you see fit. Though for me, I’m using it to update the Group Policy being applied to the PDC Emulator to point to the country specific NTP Pool with the generic pool as backup value.

That’s how easy it’s to modify a Group Policy object.

Please share any solutions using GeoLocation in the comments. It might give me some nice new ideas too!

 

How to delete files in a userprofile with Group Policy Preferences

As a follow up to my post about How to automatically Hide “Configure this local server” in Server Manager. I mentioned it’s possible to remove the individual user.config files in various ways to reset the behavior and hide the Welcome Tile. You can easily do that with a GPO like this;

Paths:

It’s a Group Policy being applied to all Server Admins utilizing Group Policy Preferences to delete two files (one for Windows Server 2012R2 and one for Windows Server 2016). But it’s only doing it once to make sure that if a admin does any changes to the file it won’t be deleted again. The idea is that it will be deleted once to reset settings to the one in ServerManager.exe.config but not repeatedly after that if the administrator saves any other changes.

 

How to automatically Hide “Configure this local server” in Server Manager

After you have installed a couple of hundred servers, you may start to feel that you have seen this text a couple of times too many and start to wonder how to get rid of it…

Hide Welcome Tile

You can obviously click the “Hide” button to hide the “Configure this local server” box, which is also called “Welcome Tile”.

Show Welcome Tile

And if you would ever want to get it back, you can find it in the “View Menu”. BUT… How do you disable the Welcome Tile by default for all users?

There is unfortunately no GPO (Group Policy) to control that. Just to set if Server Manager should auto-start or not. Which does not help in this case.

The settings in Server Manager is stored in a version folder in this location:

The configuration for Server Manager is stored in a file called user.config with the interesting bits highlighted here;

WelcomeTileVisibility

So you want to Modify the “WelcomeTileVisibility” setting in that file which can be done in numerous ways. But a easier solution is to just name and copy a file with this content to that folder.

user.config

That file only contains new default WelcomeTileVisibility setting, hiding the Welcome tile for you when you launch Server Manager. And if you do any changes in Server Manager, the new settings will be saved to that file too.

But that’s a per user setting and it has to be copied to the profile after it’s been created etc etc. Making it all a bit more complicated.
Luckily there is a better and easier way to do it, where you also help your co-workers at the same time!

In your reference image, or in your Server deployment script or with PowerShell or with Group Policies or any other way you find worthy. Just use the same information as above, but save it in this path to be machine wide;

Hide Welcome Tile for everyone

Notice that it’s still the exact same content of the file;

But it’s now stored together with the ServerManager.exe file in the system32 folder making it server wide. It’s a lot easier to copy it there just once so it’s applied to everyone rather than try to get the config file into each persons profile.

Notice: If you already have a user.config file in your Profile, it may override the settings from serverManager.exe.config so delete your user.config file to verify your new setup is working as expected.

In our environment, we are deploying the file in our Server Deployment solution, and also copying it to all server with a Group Policy Preference just in case someone installed a server manually for some unknown reason.

 

Use OMS (Log Analytic) to monitor and send alert for BlueScreen of Death

At times there is a driver or two that’s misbehaving and causing bluescreens. As the server automatically reboots after dumping memory to the memory.dmp file you might not get a report from your users that there has been a problem. And depending on your monitoring tool you might not get an alter there either. Operations Manager can easily alert you for things like that, but far from all customers use OpsMgr due to it’s complexity. Luckily, it’s just a 1 minute job to get alert in OMS if you have got a bluescreen! And as OMS can be run in Free mode, you may be able to monitor your servers for free (all depending on the amount of data you collect) and else, it’s really cheap so no big deal if you need to use a standard subscription. Anyway, lets get to the technical stuff!

First of all, enable OMS to collect Eventlog System and all Error messages.

omserrordata

Then create an Alert like this,

oms_bsod

The Alert text to be used is:

That will only alert for Crashes. You can also enable an alert for Event ID 6008 which will alert you for an unexpected shutdown. The difference is that my alert will only send an alert if there was a BSOD while an unexpected alert could also alert if someone pulled the power. Or even combine both into one alert with an OR statement. In my case, I just want to get alerted about the BSOD’s so thats the only thing I look for right now.

Tell how often is should check. There is usually no need to check more than once or twice an hour. And finally define if it should send an email alert or use one of the other alert methods.

Easy as that! Next time you get a bluescreen on a server, you will get an alert by mail so you can debug the dump and find out what’s causing it.

It will look like this,

bsodmail