Showing posts with label Windows Servers. Show all posts

Wednesday 22 March 2017

Disable SMBv1 on multiple computers using PowerShell

Or, Easiest way to disable SMBv1 on multiple computers
Or, Disabling SMB V1 on multiple computers with windows PowerShell
Or, Steps for disabling SMB V1

Descriptions: Recently, US-CERT reported a vulnerability in “Microsoft SMBv1”. US-CERT encourages users and administrators to review Microsoft Security Bulletin MS17-010 and apply the update. In this article, we will see how to disable SMB V1.0 on various operating systems.

Vulnerability Details: Microsoft has released a security update to address a vulnerability in implementations of Server Message Block 1.0 (SMBv1). Exploitation of this vulnerability could allow a remote attacker to take control of an affected system.

What is SMB/SMB 1.0? SMB stands for “Server Message Block”. It is a legacy file and print sharing protocol. SMB 1.0 is vulnerable, and Microsoft has deprecated it. It has server as well as client components, so when you plan to disable the SMB 1.0 protocol, you should do it on both sides (client and server).

Environment Details: You have a multi-OS infrastructure and want to disable SMB 1.0 on all of it. In my case, I have the following operating systems: Windows Server 2012, Windows Server 2012 R2, Windows Server 2008, Windows Server 2008 R2, Windows 10, and Windows 7.
I have copied all the relevant computer names into a text file and want to disable SMB 1.0 on all servers/computers that are listed in this txt file.
I have split the PowerShell commands into two sections (Client Side SMB and Server Side SMB) with the supported cmdlets. You can choose and run whichever is suitable for your environment.

Precaution: Test and understand the commands in your test environment first, and run them in production only once you are satisfied with the result.

Steps: Disabling SMB V 1.0 on various operating systems.

Open Windows PowerShell ISE (Run as Administrator) > Prepare for the below PowerShell commands











The text version of the above commands is given below:

=========================================================================
DISABLE SERVER SIDE SMB V1 PROTOCOL
=========================================================================

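# Disable SMB V1 - Windows Server 2012 R2, Windows 10 and Windows 8.1
# Note: Remove-WindowsFeature belongs to the ServerManager module on Windows Server; on Windows 8.1/10
# clients the feature is removed with the Disable-WindowsOptionalFeature command in the client section below.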
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {Remove-WindowsFeature FS-SMB1 -NoRestart}

# Disable SMB V1 - Windows 8 and Windows Server 2012
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {Set-SmbServerConfiguration -EnableSMB1Protocol $false}

# Disable SMB V1 - Windows Server 2008, Windows Server 2008 R2, Windows 7 and Windows Vista
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force}


=========================================================================
DISABLE CLIENT SIDE SMB V1 PROTOCOL
=========================================================================

# Disable SMB V1 - Windows Server 2012 R2, Windows 10 and Windows 8.1
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart}

# Disable SMB V1 - Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi}
Invoke-Command -ComputerName $ComputersList {sc.exe config mrxsmb10 start= disabled}

Updated: 25/03/2017
IMP Note: 
1. Please replace the computer list input path with the one you have in your environment.
2. Please replace "Remove-WindowsFeature FS-SMB1 -NoRestart" with "Uninstall-WindowsFeature -Name 'FS-SMB1'" in case the first command fails.
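
To confirm the result on every machine in the list, the read-only check below can be run before and after the commands above. It is an added example, not part of the original post; it assumes the same list path, working PowerShell remoting, and reads only the settings the article's commands change.

```powershell
# Added example: read-only SMBv1 audit for every computer in the list.
# Assumes the article's list path and working PowerShell remoting (WinRM).
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"

$results = Invoke-Command -ComputerName $ComputersList -ErrorAction SilentlyContinue -ScriptBlock {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Server side on Windows 8 / Server 2012 and later (cmdlet is absent on older systems)
    $serverCfg = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverCfg = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Server side on older systems: the SMB1 value the article sets to 0.
    # On those systems a missing value means the default, SMBv1 enabled.
    $reg = Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -Name SMB1 -ErrorAction SilentlyContinue
    $regValue = $null
    if ($reg) { $regValue = $reg.SMB1 }

    # Client side: mrxsmb10 driver start type (4 = disabled, empty = driver not present)
    # and whether LanmanWorkstation still lists the driver as a dependency.
    $drv = Get-ItemProperty -Path "$svc\mrxsmb10" -Name Start -ErrorAction SilentlyContinue
    $drvStart = $null
    if ($drv) { $drvStart = $drv.Start }
    $deps = (Get-ItemProperty -Path "$svc\LanmanWorkstation" -ErrorAction SilentlyContinue).DependOnService

    # New-Object PSObject keeps the block usable on PowerShell 2.0 targets (Windows 7 / 2008 R2)
    New-Object PSObject -Property @{
        OS                 = (Get-WmiObject Win32_OperatingSystem).Caption
        ServerSmb1Enabled  = $serverCfg
        ServerRegistrySMB1 = $regValue
        ClientDriverStart  = $drvStart
        ClientDependsOnV1  = ($deps -contains 'MRxSmb10')
    }
}

# Flag machines where either side still looks enabled, so they can be reviewed.
$report = $results | ForEach-Object {
    $serverOn = ($_.ServerSmb1Enabled -eq $true) -or
                (($null -eq $_.ServerSmb1Enabled) -and ($_.ServerRegistrySMB1 -ne 0))
    $clientOn = ($null -ne $_.ClientDriverStart) -and ($_.ClientDriverStart -ne 4)
    $_ | Add-Member -MemberType NoteProperty -Name Review -Value ($serverOn -or $clientOn) -PassThru
}

$report | Sort-Object PSComputerName |
    Format-Table PSComputerName, OS, ServerSmb1Enabled, ServerRegistrySMB1,
                 ClientDriverStart, ClientDependsOnV1, Review -AutoSize

# Computers that returned nothing (offline, remoting disabled, access denied)
$answered = @($results | ForEach-Object { $_.PSComputerName })
$noAnswer = $ComputersList | Where-Object { $answered -notcontains $_ }
if ($noAnswer) { Write-Warning ("No result from: " + ($noAnswer -join ', ')) }
```

Machines in the "No result" warning were not changed by the Invoke-Command lines either, so they need a separate pass.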


IMP References: If you want to know more about SMB V 1.0 and related information, check the KBs below.






Cheers, please write me back if you have any query or feedback on this.

Monday 23 January 2017

How to check FSMO roles using CMD or GUI?

Or, How to check FSMO roles holders in a domain?

Descriptions: In this article we will see how to check FSMO roles and the role holder domain controllers in the domain. Using CMD, it is a one-command job, and it can be executed from your local machine without logging in to any domain controller server. The other way is to check it using the GUI, for which you need login access to your domain controllers.

Steps: Checking FSMO roles using CMD
Open CMD (run as administrator)




















Type the command given below and hit enter

netdom query fsmo










Steps: Checking FSMO roles using GUI (Domain Level Roles)

From Server Manager’s Tools option, select Active Directory Users and Computers















Right click on your Domain Name > Select Operations Master














Now you have all the domain level FSMO roles here. You can click on each tab to check which server holds which FSMO role.

























Steps: Checking FSMO roles using GUI (Forest Level Roles)

From Server Manager’s Tools option, select Active Directory Domains and Trusts











Right Click on Active Directory Domains and Trusts > Select Operations Master















Here you have the Domain Naming FSMO role

















Now to check the Schema Master Role, Run > MMC > Add/Remove Snap in > Select Active Directory Schema > Click OK to add the snap-in > Right Click on the Active Directory Schema > Select Operations Master













Here you have the Schema Master Role holder details






















That’s all guys, cheers!!
Please write me back if you have any query or feedback.

Sunday 22 January 2017

Active Directory Schema console is not visible in Domain Controller

Or, Where is Active Directory Schema console in Domain Controller server?
Or, How to add Active Directory Schema console snap-in?
Or, How to register Active Directory Schema in domain controller server?

Descriptions: First things first, you may not be able to see the Active Directory Schema console on your domain controller server because it is hidden by default and must be registered before you can access the schema console. After registering the schema, you will have to add the snap-in from MMC to access the Active Directory Schema console.

Don’t worry, it’s not a big deal. Just a single command and a few GUI steps and you are done. :)

Steps: Schema Registration

Open CMD (run as administrator)




















Type the command given below and hit enter > Click OK
regsvr32 schmmgmt.dll














Steps: Adding Active Directory Schema Snap-in Console

Go to Run > Type mmc and hit enter > Click yes if prompted on pop-up window
















Go to File menu > Select Add/Remove Snap-in





















Select Active Directory Schema > Click on Add > Click OK


















That’s it, here you have the Active Directory Schema Console






Cheers, please write me back if you have any query or feedback.

System State Backup in Windows Server 2012

Or, How to take System State Backup of Windows Server 2012 DCs?
Or, How to run system state backup using wbadmin utility?

Descriptions: As the NTBACKUP utility is no longer available in the Windows Server 2012 operating system, you have WBADMIN to perform system state backups of your servers. The WBADMIN utility is part of the Windows Server Backup feature in Windows Server 2012.

Windows Server Backup Feature can be installed using Server Manager’s Roles and Features installation wizard.

Yes, please!! You must install this feature before you think of using WBADMIN for system state backup.











Steps: Using WBADMIN for system state backup

Open CMD (run as administrator)




















Type the command below and hit enter

wbadmin start systemstatebackup -backuptarget:E: -quiet

You can choose the backup target as per your scenario. In my case, I am using the E:\ drive as the backup target.

The backup will be initiated now; wait till it has completed successfully.















Cheers, please write me back if you have any query or feedback.

Saturday 21 January 2017

Error ‘the value for option backuptarget is missing’ on Windows Server 2012

Or, WBADMIN Error (Systemstatebackup): the value for option backuptarget is missing

Descriptions: Even when you use the correct command to perform a system state backup on Windows Server 2008 or 2012 using wbadmin (e.g. the command ‘wbadmin start systemstatebackup -backuptarget:E: -quiet’ is correct but ends with an error), you encounter the error ‘the value for option backuptarget is missing’.

Guys, if you don’t already, my suggestion is to always think of a reboot, at your convenience, after installing any role, feature or component on Windows operating systems, whether or not the installation requires a reboot. Anyway, it’s entirely your choice. :)

Possible Reason: You have recently installed PowerShell along with the Windows backup feature and are trying to perform a system state backup without rebooting the server after the installation of this feature. Remember, I said always think of rebooting after installing anything on Windows operating systems.

Solution/Workaround:  Reboot your server > run CMD as administrator > try to re-execute the command... it should work… in my case it worked well…


Wait till the backup is completed successfully.














Cheers...please write me back if you have any query or feedback.

Creating date wise log file in Robocopy backup.

Or, How to take backup of shared or local folders using Robocopy?
Or, Robocopy command to take backup and exporting backup log files date wise.

Descriptions: Using Robocopy for shared folder or local folder backup is one of the good ways to perform flat file/data backup in Windows. It’s a built-in Windows utility from Microsoft, so there is no need to download or purchase it separately.

Normally, administrators use robocopy with source, destination and export log arguments in the robocopy command and rename the log files manually every day... that’s a waste of time, frankly... :)

Here in this article, we will see how we can set the robocopy command to take a backup of data, export the log to a txt file and keep the log file name with the execution date included. We are going to get it done with a batch script.

e.g. If the log file name is fileserverbackup.txt, it should be exported with the name fileserverbackup-YYYYMMDD.txt

Please note, I have used some special switches for the best backup output. You should understand the behaviour of the special switches before using them.

You can use Robocopy /? for more help on robocopy command and switches.

Commands and batch file:

General command with no special switches

robocopy C:\TestSourceFolder E:\DestFolder

Customized command as per suitable requirements with some special switches

robocopy C:\TestSourceFolder E:\DestFolder /E /ZB /SEC /R:3 /W:3 /TEE /UNILOG+:C:\FileServerBackup.txt

The above command will take the backup well, but it will create a log file FileServerBackup.txt with no date inserted in the file name.

Recommended:

Batch script to take backup using robocopy command and then creating log files every day with date specified/added in the file name.

--------------------------------------------------------------------------------------------------------------------------
@echo off
echo wscript.echo year(date) ^& right(100 + month(date),2) ^& right(100+day(date),2)  > "%temp%\dateparts.vbs"
for /f "tokens=1 delims=" %%a in ('cscript //nologo "%temp%\dateparts.vbs"') do set yyyymmdd=%%a
echo Today is %yyyymmdd%
robocopy C:\TestSourceFolder E:\DestFolder /E /ZB /SEC /R:3 /W:3 /TEE /UNILOG+:C:\FileServerCopy-%yyyymmdd%.txt
--------------------------------------------------------------------------------------------------------------------------

Copy and paste the above script into a text file > save as filename.bat > use this bat file in Windows Task Scheduler.

That’s it, the backup will be executed and the log file name will be created date wise automatically. Please make sure you test the script carefully and deploy it in production only if it works 100% as per your requirement.
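
When the job runs from Task Scheduler, the robocopy exit code matters as much as the log: it is a bit mask, and values below 8 are not failures. The PowerShell wrapper below is an added example, not the article's batch script; it reuses the article's sample paths and switches, and the function name Invoke-DatedRobocopy is made up for illustration.

```powershell
# Added example (not the article's script): dated log plus exit-code handling.
# Source, destination, log prefix and switches are the article's sample values.
function Invoke-DatedRobocopy {
    param(
        [string]$Source      = 'C:\TestSourceFolder',
        [string]$Destination = 'E:\DestFolder',
        [string]$LogPrefix   = 'C:\FileServerCopy'
    )

    # Same naming scheme as the batch file: <prefix>-YYYYMMDD.txt
    $log = '{0}-{1}.txt' -f $LogPrefix, (Get-Date -Format 'yyyyMMdd')

    # Out-Host keeps robocopy's console output out of the function's return value
    robocopy $Source $Destination /E /ZB /SEC /R:3 /W:3 /TEE "/UNILOG+:$log" | Out-Host
    $code = $LASTEXITCODE

    # Robocopy exit codes are a bit mask; 8 and 16 are the failure bits
    $bits = @(
        @{ Bit = 1;  Text = 'files were copied' },
        @{ Bit = 2;  Text = 'extra files or folders exist in the destination' },
        @{ Bit = 4;  Text = 'mismatched files or folders were found' },
        @{ Bit = 8;  Text = 'some files or folders could not be copied' },
        @{ Bit = 16; Text = 'fatal error, nothing was copied' }
    )
    $meaning = @($bits | Where-Object { $code -band $_.Bit } | ForEach-Object { $_.Text })
    if ($code -eq 0) { $meaning = @('source and destination were already in sync') }

    New-Object PSObject -Property @{
        LogFile  = $log
        ExitCode = $code
        Meaning  = ($meaning -join '; ')
        Failed   = ($code -ge 8)
    }
}

$run = Invoke-DatedRobocopy
$run | Format-List LogFile, ExitCode, Meaning, Failed

# Report success to Task Scheduler unless a failure bit is set
if ($run.Failed) { exit $run.ExitCode } else { exit 0 }
```

Without the last line, a normal run that copied files returns 1 and shows up in Task Scheduler as a failed task.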

If you have any query or feedback, please write me back...

Friday 13 January 2017

How to delete windows users profile from registry?

Or, Deleting users profile from registry settings.
Or, Users Profiles registry path/location.
Or, Deleting temp profiles from registry.

Descriptions: This is a very common issue with Windows user profiles: sometimes, even if you delete them from the C:\ drive, they still exist in registry entries. This also leads to temp profile creation for the affected users at every logon. In many cases, the temp profile becomes a show stopper... It may not let you browse things properly, and you may encounter errors while or after saving documents, etc...

In this kind of situation, most tech guys delete the user’s profile from Windows. Deleting temp profiles needs to be done at two levels at least to make sure they are completely removed.

1. C:\ Drive’s Users Profiles folder and
2. Registry

Paths References:

C:\ Drive: “C:\Users”











Registry:  “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList”





Steps: Deleting Users profiles from Windows C:\ Drive

Go to path “C:\Users” > Delete the User Profiles you want (in my case Techies_Sphere).










Steps: Deleting User Profile from Registry

Go to Run > Type Regedit > Press Enter > Navigate to registry path: “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList” > Check the key entries one by one and look for your user name > I found techies_Sphere as shown in the screenshot below > Delete the complete key folder (S-1-5-21-xxxxxx-xxxx-xxxxx) associated with your problematic user.













That’s it. You are done.
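
Instead of opening each key under ProfileList by hand, the listing below maps every SID key to its profile folder and marks the entries worth a look. It is an added example, not part of the original post; it only reads the registry, and the user name is the one from the article.

```powershell
# Added example: read-only listing of ProfileList entries; nothing is deleted.
$UserName = 'Techies_Sphere'   # profile name used in the article; replace with yours
$root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$entries = Get-ChildItem -Path $root | ForEach-Object {
    # ProfileImagePath holds the profile folder, e.g. C:\Users\<name>
    $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath

    New-Object PSObject -Property @{
        KeyName          = $_.PSChildName
        ProfileImagePath = $path
        # False means the folder was deleted but the registry entry was left behind
        FolderExists     = [bool]($path -and (Test-Path -LiteralPath $path))
        # Windows renames a key to <SID>.bak when it falls back to a temp profile
        IsBakKey         = ($_.PSChildName -like '*.bak')
        # Also matches folder variants such as <name>.DOMAIN or <name>.000
        MatchesUser      = [bool]($path -and ((Split-Path -Path $path -Leaf) -like "$UserName*"))
    }
}

# Only real user accounts (S-1-5-21-...); service profiles such as S-1-5-18 are skipped
$userEntries = $entries | Where-Object { $_.KeyName -like 'S-1-5-21-*' }

$userEntries | Sort-Object ProfileImagePath |
    Format-Table KeyName, ProfileImagePath, FolderExists, IsBakKey, MatchesUser -AutoSize

# Entries to review before deleting anything in Regedit
$userEntries |
    Where-Object { $_.MatchesUser -or $_.IsBakKey -or (-not $_.FolderExists) } |
    Format-List KeyName, ProfileImagePath, FolderExists, IsBakKey
```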

Cheers, if you have any query or feedback on this, please write me back...

Thursday 12 January 2017

VMware tool Installation Error 2203 on windows server 2008 R2

Or, VMware tools installation failed with ‘internal error 2203’.
Or, Error 2203 while installing VMware tool, Installation Error 2203.

Descriptions: If you have tried too many random KBs and still struggling with this small issue, you must give a try to the solution explained in this KB.

In my case, the cause of the problem was that the Program Files directory’s permission was not inherited to its parent folder, and the user I was logged in with did not have any permission on the ‘VMware Tool’ folder.

Steps: workaround to get rid of this error.
1. Navigate to C:\Program Files\VMware
2. Assign Full Permission to Everyone on the "VMware Tool" folder, or assign Full Permission to the current user with which you are logged in on the Windows machine.
3. Assign Full Permission to Everyone on the "Windows\Temp" folder.
4. Once the above steps are completed, reboot the machine and then initiate the VMware Tool installation again.

Cheers. Please write me back if you have any query or feedback.

Sunday 8 January 2017

Exporting NTFS folder permission report to excel or csv file.

Or, How to export shared folders permission of a file server to excel?
Or, PowerShell script/command to export local or shared folders permission to excel or csv file.

Descriptions: Very commonly, an administrator is asked to export NTFS folder permissions for audit and internal compliance management purposes. There are lots of freeware and paid tools available with certain terms and limitations.

Here in this article, we are going to see how we can export folders permissions without any third party freeware or paid tools.

Prerequisites:
1. Make sure you have appropriate administrative rights on the shared folders whose permissions you want to export.
2. Have at least basic knowledge of Windows PowerShell (preferably Get-XXXXX command).
3. NTFS security script folder downloaded from MS TechNet.
4. Full permission on your local system’s directory C:\Users\techies_sphere\Documents\WindowsPowerShell\Modules (replace techies_sphere with your logged-in user name).


IMP Note: In some cases, you might not be able to see the full folder path, most probably the WindowsPowerShell and Modules folders. To complete the folder path structure, you can create the missing folders manually. Finally, the folder path should look like ‘C:\Users\techies_sphere\Documents\WindowsPowerShell\Modules’.

Steps:
Go to the folder path C:\Users\techies_sphere\Documents\WindowsPowerShell\Modules.
Copy the complete NTFSSecurity folder inside Modules folder









Verify if you have all these files inside the NTFSSecurity Folder.













Navigate to the folder for which you want to export permissions. In my case, in the example screenshot below, I want to export the folder permissions of folder MyData-Test-1.











To prepare your command, replace the folder path and csv export location as per your requirement in the command below:
Get-NTFSAccess -Path \\192.168.161.10\TestSharedFolder\MyData-Test-1 | Export-Csv C:\TestFiles\permissions.csv

Open Windows PowerShell as Administrator

















Run the command you prepared in above step






That’s it. You can now get your permissions.csv file from your csv export location. In my case, it’s C:\TestFiles\

Cheers, please write me back if you have any query or feedback on this…

Saturday 7 January 2017

Installing vCenter Server 6.0 on Windows Server with embedded Platform Services Controller

Or, How to install vCenter Server 6.0 on windows server 2012 R2?
Or, vCenter Server 6.0 installations guide step by step….

Descriptions: In this article we are going to see how we can install vCenter Server 6.0 on the Windows Server operating system platform, including the embedded Platform Services Controller. If you have a larger infrastructure of virtual servers, you can consider a separate Platform Services Controller, but if you have 50-100 or 200 VMs approx, it’s good to go with a single vCenter Server with the inbuilt Platform Services Controller.

Steps: (Installing vCenter Server 6.0)

Open the vCenter Installer > Right Click on the Autorun Application > Run As Administrator > Click OK if prompted














Select vCenter Server for Windows > Click on Install














Click Next














Accept the license agreement > Click Next














Select vCenter Server and Embedded Platform Services Controller > Click Next
















On this screen, make sure the System name appears as the local machine’s FQDN > Click Next














Select Create a new vCenter Single Sign-on domain > Fill in all the required fields as per your environment > Click Next














Better to go with the option Specify a user service account > Use any privileged account as per your requirement > Make sure the user account you are using here is a member of the local admin group on the local system > Click Next














Click Use an Embedded Database, or use an external database if you want; it’s your choice... I am going with the default














Leave all fields at their defaults and Click Next














Choose the Installation directory or leave it to default and Click Next














Click Next














Click Install














Wait for Installation to be completed……














Click Finish to close the installation Wizard














To verify that the installation was done correctly, you can use the vSphere client to log in to your vCenter Server.

For the first login, you can use the following details to connect to your vCenter server:
IP/Host Name: Your vCenter server IP
User Name: administrator@vsphere.local
Password: the password you gave during installation of the vCenter server.

After successful logon, this is how it will look.














Cheers, have a happy virtualization… Please write me back for any query or feedback….

Saturday 8 October 2016

What is Group Policy Loopback Processing in Active Directory?

Or, How to enable Group Policy Loopback Processing for a Group Policy Object?
Or, In what situation, you should think of using Group Policy Loopback Processing?

Descriptions:
Guys, Group Policy Loopback Processing is one of the cool features of Active Directory Group Policy Management, but you must be careful and understand it very well while working with this feature. Please note that Group Policy Loopback Processing is only supported in an Active Directory environment. There may be some cases where you need to apply a user-based policy on a Computers OU or a computer-based policy on a Users OU.

In this kind of scenario, you can use Group Policy Loopback Processing to achieve your goals.

How to enable Group Policy Loopback Processing for a GPO?

Steps: Open Group Policy Management Console (gpmc.msc) > Locate the GPO on which you want to enable “Group Policy Loopback Processing” > Right Click on the GPO and Select Edit > Navigate to Computer Configuration\Policies\Administrative Templates\System\Group Policy > Select Configure User Group Policy Loopback Processing Mode and Open it.










Select Enable > Now Choose the options as per your requirement “Merge” or “Replace” > Click OK.

















Note: If you are not sure about choosing Replace mode, you may go ahead with the Merge option. Make sure you understand the risk before applying these settings to any production GPO.

Understanding Merge and Replace Modes in Group Policy Loopback Processing.

Merge Mode
In this mode, when the user logon process is initiated, the user's list of GPOs is gathered by using the function GetGPOList. The GetGPOList function is then processed by using the computer's location-based OUs in AD.

Replace Mode
In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

There is some good material related to this concept on MS TechNet. You may refer to the TechNet article below for more.