Tag: Active Directory

Performance Tuning Guidelines for Windows Server 2016

Microsoft Windows Server 2016 Performance Tuning Guide

Yesterday Microsoft released the official Windows Server 2016 Performance Tuning Guide. The guide provides a collection of technical articles with guidance for IT professionals responsible for deploying, operating and tuning Windows Server 2016 across the most common server workloads. The guide is especially helpful if you deploy roles like Active Directory, Hyper-V, Storage Spaces Direct, Remote Desktop Servers, Web Servers, Windows Server Containers and Networking features.

It is important that your tuning changes consider the hardware, the workload, the power budgets, and the performance goals of your server. This guide describes each setting and its potential effect to help you make an informed decision about its relevance to your system, workload, performance, and energy usage goals.

You can find the documentation on the new docs.microsoft.com platform, where all the Windows Server 2016 documentation is now available. Here you can find it: Performance Tuning Guidelines for Windows Server 2016

If you are looking for hardware recommendations, check out my blog post My Hardware Recommendations for Windows Server 2016, and you can also check my blog post about Getting started with Windows Server 2016 and System Center 2016.



Hyper-V General Access denied error

Hyper-V over SMB: Set SMB Constrained Delegation via PowerShell

When you have configured Hyper-V over SMB, which means the virtual machines are running on a Hyper-V host and are stored on an SMB file share, and you try to manage a virtual machine remotely from Hyper-V Manager or Failover Cluster Manager, you will run into access denied errors. The same error can also happen if you try to live migrate the virtual machine. This error is caused because you are using the credentials from the machine on which Hyper-V Manager or Failover Cluster Manager is running to access the file share via the Hyper-V host. This “double-hop” scenario is not allowed by default for security reasons. You can find more about Kerberos Authentication on TechNet.

To avoid this error you have to configure SMB Constrained Delegation in Active Directory to allow this scenario for specific “double-hops”. In Windows Server 2012 Microsoft made setting up Kerberos constrained delegation much easier by introducing resource-based Kerberos Constrained Delegation. Still, this wasn’t that easy to deploy and required several steps. In Windows Server 2012 R2 Microsoft introduced new Windows PowerShell cmdlets to configure SMB Constrained Delegation directly from PowerShell. These cmdlets are offered by the Active Directory PowerShell module.

On your management box, or wherever you want to configure SMB Constrained Delegation, you have to install the Active Directory PowerShell module. (You don’t need the module on the Hyper-V hosts or SMB file servers.)

Now you can use the following cmdlets.

  • Get-SmbDelegation -SmbServer FileServer
  • Enable-SmbDelegation -SmbServer FileServer -SmbClient HyperVHost
  • Disable-SmbDelegation -SmbServer FileServer [-SmbClient HyperVHost] [-Force]

For example, if you are running a two node Hyper-V cluster and you use a Scale-Out File Server cluster (SOFS01) as virtual machine storage, the configuration could look like this.
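As an added example (not code from the original post), here is how that two node cluster could be configured and then verified from a management box that has the Active Directory module installed. SOFS01 comes from the post; the cluster node names HV01 and HV02 are assumed.

```powershell
# Added example, not from the original post. Assumed names: Hyper-V cluster
# nodes HV01 and HV02; SOFS01 is the Scale-Out File Server from the post.
Import-Module ActiveDirectory

$FileServer  = 'SOFS01'
$HyperVHosts = @('HV01', 'HV02')

# Allow exactly these Hyper-V hosts to delegate to the SMB server
# (resource-based Kerberos Constrained Delegation, set on the SOFS01 object).
foreach ($hvHost in $HyperVHosts) {
    Enable-SmbDelegation -SmbServer $FileServer -SmbClient $hvHost
}

# Read back what the SMB cmdlets report for the file server.
Get-SmbDelegation -SmbServer $FileServer

# Independent check straight from the AD computer object: the principals
# allowed to act on behalf of other identities should be the cluster nodes only.
$expected = $HyperVHosts | ForEach-Object { (Get-ADComputer -Identity $_).DistinguishedName }
$allowed  = (Get-ADComputer -Identity $FileServer -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount

$unexpected = $allowed | Where-Object { $expected -notcontains $_ }
if ($unexpected) {
    # A host that is no longer part of the cluster should be removed with
    # Disable-SmbDelegation -SmbServer $FileServer -SmbClient <host>
    Write-Warning "Unexpected delegation principals on ${FileServer}: $($unexpected -join ', ')"
}
```

Re-run the last part whenever a node leaves the cluster, so that the delegation list on SOFS01 never contains more hosts than it needs to.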

Because these cmdlets only work with the new resource-based delegation, the Active Directory forest must be in “Windows Server 2012” functional level. A functional level of Windows Server 2012 R2 is not required.

And as I mentioned before, you can also use System Center Virtual Machine Manager (VMM) to manage your storage, which uses a different approach and does not need the configuration of Kerberos Constrained Delegation.




Import MSOnline PowerShell Module

Change Office 365 password expiration policy

If you are using Office 365 you may need to change the password expiration policy for some accounts. (Important: This is not recommended; in my opinion password changes are even more important when using cloud services.)

To change the password expiration policy for a user on Office 365 you have to do this with Windows PowerShell.

To manage Windows Azure Active Directory with PowerShell, which is also where your Office 365 users are stored, you have to do some simple steps.

First make sure you have installed the .NET Framework 3.5 on your management machine.

Install Microsoft Online Services Sign-in Assistant: Install the appropriate version of the Microsoft Online Services Sign-in Assistant for your operating system from the Microsoft Download Center. Microsoft Online Services Sign-In Assistant for IT Professionals RTW.

Install Windows Azure AD Module for Windows PowerShell: Install the appropriate version of the Windows Azure AD Module for Windows PowerShell for your operating system from the Microsoft Download Center:

Import the MSOnline Windows PowerShell module

Import MSOnline PowerShell Module

Connect to your Windows Azure Active Directory Tenant or your Office 365 Tenant:

This will open a popup window where you have to enter your credentials.

Now you can start working with your Windows Azure Active Directory.

Connect Windows Azure AD via PowerShell

And now you can finally change the password expiration policy to never.
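As an added example (not code from the original post), the following audits which accounts already have a non-expiring password before you add another exception, then applies the change for a single user. The UPN is a constructed placeholder; it assumes the MSOnline module is installed and Connect-MsolService has already been run.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService was
# already run; the UPN below is a constructed placeholder.
Import-Module MSOnline

# List every account whose password never expires, oldest password first,
# so that exceptions are visible and can be reviewed regularly.
$noExpiry = Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires -eq $true }
$noExpiry |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp, BlockCredential |
    Sort-Object LastPasswordChangeTimestamp |
    Format-Table -AutoSize

# The change the post describes, applied to one account only.
$upn = 'service.account@contoso.onmicrosoft.com'
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true

# Confirm the setting took effect for exactly this account.
(Get-MsolUser -UserPrincipalName $upn).PasswordNeverExpires

# When the exception is no longer needed, the same cmdlet reverts it:
# Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $false
```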



Import MSOnline PowerShell Module

Manage Windows Azure AD using Windows PowerShell

Well, I am a huge fan of Microsoft Office 365 and we are not only using it in our company, I am also using Office 365 for my mother’s restaurant. It helps us organize things very easily and allows us to work from everywhere. Now the great thing about using Office 365 and Windows Azure Active Directory is that I can manage it with the same management tools I also use for my on-premises Active Directory. My favorite is of course Windows PowerShell.

To manage Windows Azure Active Directory with PowerShell, which is also where your Office 365 users are stored, you have to do some simple steps.

First make sure you have installed the .NET Framework 3.5 on your management machine.

Install Microsoft Online Services Sign-in Assistant: Install the appropriate version of the Microsoft Online Services Sign-in Assistant for your operating system from the Microsoft Download Center. Microsoft Online Services Sign-In Assistant for IT Professionals RTW.

Install Windows Azure AD Module for Windows PowerShell: Install the appropriate version of the Windows Azure AD Module for Windows PowerShell for your operating system from the Microsoft Download Center:

Import the MSOnline Windows PowerShell module

Import MSOnline PowerShell Module

Connect to your Windows Azure Active Directory Tenant or your Office 365 Tenant:

This will open a popup window where you have to enter your credentials.

Now you can start working with your Windows Azure Active Directory.

Connect Windows Azure AD via PowerShell



Windows Server 2012 Hyper-V: How to clone a Virtual Domain Controller

Windows Server 2012 Domain Controller cloning

Windows Server 2012 added a lot of improvements to Hyper-V and Active Directory. One of Microsoft’s strategic goals is to virtualize every workload. With the improved scale of Hyper-V virtual machines it is now possible to run even heavy SQL workloads on Hyper-V virtual machines. In Windows Server 2008 R2 virtualization of Active Directory still had some challenges, which Microsoft addressed in Windows Server 2012. (Windows Server 2008 R2: Running Domain Controllers in Hyper-V)

  • Physical DC is required for Windows Server 2008 R2 Clusters
  • No Snapshots of virtual Domain Controllers
  • No cloning of virtual Domain Controllers
  • No online V2V migration via Snapshots
  • No restoring of virtual Domain Controller VMs

Most of this was caused by the problem of USNs (update sequence numbers).

In Windows Server 2012 Microsoft included a new feature for Active Directory Domain Controllers called VM-GenerationID. At the moment you can use this feature with Windows Server 2012 Hyper-V as the hypervisor, but Microsoft also allows other hypervisor vendors to integrate this feature.

TechNet: Safe virtualization of domain controllers

“With Windows Server 2012, AD DS employs safeguards on virtual domain controllers hosted on VM-GenerationID aware hypervisors and ensures that the accidental application of snapshots or other such hypervisor-enabled mechanisms that could ‘rollback’ a virtual machine’s state will not disrupt your AD DS environment (by preventing replication problems such as a USN bubble or lingering objects). However, restoring a domain controller by applying a virtual machine snapshot is not recommended as an alternative mechanism to backing up a domain controller. It is recommended that you continue to use Windows Server Backup or other VSS-writer based backup solutions.”

Another problem was solved by Active Directory-less Cluster Bootstrapping. This basically removes the Active Directory dependencies during a cluster boot. This means you can boot up your cluster even if no other Active Directory server is available during the boot process.

With the integration of the VM-GenerationID, Microsoft also created a new possibility which allows you to clone virtual Active Directory Domain Controllers.

How to clone a virtual Domain Controller

Preparation

  • A Windows Server 2012 Hyper-V server is needed. In the future other hypervisors may also support VM-GenerationID.
  • A deployed Windows Server 2012 domain controller (virtualized or physical) that hosts the PDC emulator role. To check which server hosts the PDC role you can use the following PowerShell command.
    PowerShell PDC
  • A source virtual domain controller with Windows Server 2012 hosted on a Windows Server 2012 Hyper-V server. This will be the VM which will be cloned from. This cannot be the domain controller with the PDC role. In my example this is VirtualDC1.


Step 1

Grant the source virtualized domain controller the permission to be cloned by adding it to the Cloneable Domain Controllers group. You can do this via Active Directory Users and Computers, the Active Directory Administrative Center or Windows PowerShell. In my case I added the computer object VirtualDC1 to the Cloneable Domain Controllers group.

Cloneable Domain Controllers

With Windows PowerShell this would be done like this.

Step 2

In the TechNet manual, step two would now be to run Get-ADDCCloningExcludedApplicationList, which checks for applications that have not been evaluated for cloning. If your source domain controller is a new clean setup without any special applications you can skip this step. If you have installed any application which is listed when you run Get-ADDCCloningExcludedApplicationList, you have to create a Custom DC Clone Allow List. You can do this with the following PowerShell command.

Step 3

Run New-ADDCCloneConfigFile on the source domain controller (VirtualDC1), which lets you configure your new domain controller clone (in my case VirtualDC2), such as its name and IP address.

New-ADDCCloneConfigFile


Note: The new domain controller has to be on the same site.

There are a lot of options you can configure for your new domain controller. For more information check out the TechNet page.

Step 4

In step four you have to export the source virtual machine (VirtualDC1) and import it as a new virtual machine (VirtualDC2). You can do this via the Hyper-V Manager GUI or via the cool way with Windows PowerShell. Check out my blog post about doing import and export of virtual machines via Windows PowerShell.

Import-VM

Import-VM Copy

After the import of your virtual machine is done you should rename it. In my example this will be VirtualDC2. After the import is finished you can boot up the virtual machine and you will have a new domain controller in your infrastructure.

Domain Controller cloning
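The whole procedure above in Windows PowerShell, as an added example that is not code from the original post. VirtualDC1, VirtualDC2 and the group name come from the post; the IP settings, site name, export path and the VM configuration file name are constructed placeholders, and the comments say on which machine each part runs.

```powershell
# Added example, not from the original post. VirtualDC1 (source) and VirtualDC2
# (clone) are from the post; IP settings, site name and paths are placeholders.
Import-Module ActiveDirectory

# Preparation: the source DC must not hold the PDC emulator role.
$pdc = (Get-ADDomain).PDCEmulator
if ($pdc -like 'VirtualDC1.*') {
    throw "VirtualDC1 holds the PDC emulator role and cannot be the clone source."
}

# Step 1: allow VirtualDC1 to be cloned. This membership has to replicate to
# VirtualDC1 before Step 3, because New-ADDCCloneConfigFile checks it.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'VirtualDC1')

# Step 2 (run on VirtualDC1): anything listed here has not been evaluated for
# cloning. Review it; only then generate CustomDCCloneAllowList.xml.
Get-ADDCCloningExcludedApplicationList
# Get-ADDCCloningExcludedApplicationList -GenerateXml -Force

# Step 3 (run on VirtualDC1): write DCCloneConfig.xml with the clone's identity.
# The clone must stay in the same AD site as the source.
New-ADDCCloneConfigFile -CloneComputerName 'VirtualDC2' -Static `
    -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11' `
    -SiteName 'Default-First-Site-Name'

# Step 4 (run on the Hyper-V host): shut the source down, export it and import
# the copy as a new VM with a new ID, so it gets a new VM-GenerationID.
Stop-VM -Name 'VirtualDC1'
Export-VM -Name 'VirtualDC1' -Path 'D:\Export'
$clone = Import-VM -Path 'D:\Export\VirtualDC1\Virtual Machines\<VM-GUID>.xml' `
    -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\VirtualDC2' -VhdDestinationPath 'D:\VMs\VirtualDC2'
Rename-VM -VM $clone -NewName 'VirtualDC2'

# Bring the source back first, then boot the clone; it promotes itself on first start.
Start-VM -Name 'VirtualDC1'
Start-VM -Name 'VirtualDC2'
```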

By the way Peter Noorderijk wrote a blog post called The future of a virtual domain controller on the Hyper-V.nu blog.



Automated Active Directory Deployment with PowerShell

Powershell

For a small presentation at KTSI I created a PowerShell script which automatically deploys Active Directory servers, adds other member servers, creates Organizational Units and adds users via PowerShell Remoting. The source is an XML configuration file and CSV files for user data.

Install AD with Powershell

This script is just for lab deployments, not for production, and it is not perfect, but I think maybe some people will enhance this script with their own code.

I do not support this script. It is just something I need to deploy my test environments and nothing more. Moreover, it shows different

You can find more information about how it works in this document.

XML Config file:

The PowerShell Script:



How to add a Windows Server 2008 R2 Core as Secondary Domain Controller (replica)

This is a small how-to which shows you how you can add a Windows Server 2008 R2 Core as a secondary domain controller or replica.

  1. sconfig Windows Server 2008 R2
     First configure the Core Server: name, domain, IP address and more. You can use the command sconfig to run the Server Configuration Utility.
  2. Now you can go back to the Command Prompt.
  3. Now you have two possibilities to install a domain controller. Either you run dcpromo with an unattend file you have created and copied to the server, or you run dcpromo with some parameters. I decided to run dcpromo with the necessary parameters because I just need a simple replica.
  4. Now you can run the command on the Command Prompt.
     Dcpromo Windows Server 2008 R2 Core
     dcpromo /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:corp.pepsi.local /ConfirmGC:yes /username:corp\administrator /Password:* /safeModeAdminPassword:PepsiPassword
  5. After that the server will run the installer and reboot.
     Windows Server 2008 R2 Core DCPROMO
  6. A replication connection was created.
     Windows Server 2008 R2 AD Replication

If you need more information about Active Directory creation on a Windows Server 2008 Core Server you can check out Microsoft KB947034.