“Error:Error constructing or Publishing certificate” while requesting a certificate for Lync server

Recently, I was working on installing Lync Server 2010 for testing purposes , all was going smoothly till I reached the certificate request and assignment step . When I ran the certificate request wizard I was able to complete the request but with a warning as shown below :

Utilizing the power of Active Directory module for PowerShell to accomplish tasks fast and easy

I was working with a customer , who requested for an easy way to do the following two tasks :

1. Identify all the installed operating system versions and their current service packs for all computers in his company’s Active Directory Domain.
2. List all disabled computers accounts all over the domain and move them to a designed OU for review prior deletion

As his Active Directory is hosted by Windows Server 2008 R2 domain controllers I advised him to utilize the capabilities of Windows PowerShell with Active Directory module , as follow :

First of all , let’s list all available modules for Windows PowerShell , then import the one for Active Directory by executing the following commands at an elevated Windows PowerShell window :

Get-Module –ListAvailable

Import-Module ActiveDirectory

Windows Server roles and features duplication on multiple servers using PowerShell

In the process of servers preparation you may have multiple servers which will play the same role and thus require installation of the same Windows Server role(s) , role service(s) and feature(s) .

Most of admins do it the hardest way , by installing the role(s) , role service(s) and feature(s) names(s) for each server using Server Manager .

An alternative way to be used is to install all required role(s) , role service(s) and feature(s) on a single server , export it to .XML file and then use the exported file to automate installation of the remaining servers .

Here is how to do :

• Source Server Preparation : Install the required role(s) , role service(s) and feature(s) normally on one server using the traditional way ( Server Manager )
• Once installation is completed , start an elevated Windows PowerShell Modules

Reset domain Administrator account password using only your Windows installation media !

Do you know that you can reset your Active Directory Administrator account password without login into your Active Directory ? . In this post , I will explain in a step by step mode how you can do this using only  your Windows installation media which can be used to reset the Administrator account password if forgotten and you have no other user(s) with privilege(s) to do the reset.

For this tutorial I will use a virtualized domain controller with Windows Server 2008 R2 with SP1 as Operating System.

Here is the detailed procedure :

• Mount Windows Server 2008 R2 ISO/DVD 

• Restart your domain controller and choose to boot from DVD when prompted

• At “Install Windows”  click next

DHCP resiliency with Windows Server 2012 ; Awesome !!

DHCP is designed to reduce the administration burden and complexity of configuring hosts on a TCP/IP-based network, such as a private intranet. Using the DHCP Server service, the process of configuring TCP/IP on DHCP clients is automatic .

Windows Server 2008 R2 provided two mechanisms for DHCP server role resiliency , as follow :

DHCP in a Windows failover cluster. This option places the DHCP server in a cluster with an additional server configured with the DHCP service that assumes the load if the primary DHCP server fails. The clustering deployment option uses a single shared storage. This makes the storage a single point of failure (SPoF), and requires additional investment in redundancy for storage. In addition, clustering involves relatively complex setup and maintenance.

Split scope DHCP. Split scope DHCP uses two independent DHCP servers that share responsibility for a scope. Typically 70% of the addresses in the scope are assigned to the primary server and the remaining 30% are assigned to the backup server. If clients cannot reach the primary server then they can get an IP configuration from the secondary server. Split scope deployment does not provide IP address continuity and is unusable in scenarios where the scope is already running at high utilization of address space, which is very common with Internet Protocol version 4 (IPv4).

Error “FX:{6FBE5D92-C65A-41DC-AEBF-09D8845F68A1}” launching VAMT 3.0 installed on Windows Server 2008 R2

As I was installing Volume Activation Management Tool ( VAMT ) for Windows 8 activation and as soon as installation finished , I  went to open the console for VAMT 3.0 when I crashed with FX:{6FBE5D92-C65A-41DC-AEBF-09D8845F68A1} , as shown below :

Monitor Group Membership Changes in a real-time manner

One of the common security issues for IT admins is monitoring Active Directory groups memberships , so a notification is raised for each time a member is added to a group .

Most of admins assume that an expensive monitoring system must be in place in order to accomplish this task , fortunately this is a wrong  assumptions . All you need is the following  :

Enable account management audit :

• On a domain controller open Start > Administrative Tools > Group Policy Management
• Create a new Group Policy Object ( GPO ) linked to domain controllers OU with a descriptive name [ For my lab I named it Audit Account Management ]

• Edit the newly created GPO as follow : Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy , then set enable for Audit account management at least for success 

Windows Server 2012 virtual labs

Experience the release candidate for Windows Server 2012 firsthand in these virtual labs. You can test drive new and improved features and functionality, including server management and Windows PowerShell, networking, Hyper-V, and new storage solutions.

Getting started

It's simple. No complex setup or installation is required to try Windows Server 2012 running in a full-featured virtual lab. You get a downloadable manual and a 90-minute block of time for each module. Before you start, read the minimum system requirements. Next, select a virtual lab from the list below. Then, you will see an application called "holSystems LaunchPad Online" which will launch the lab.

Labs list :

Preparing Windows Server 2008 R2 with Service Pack 1 for Exchange 2013 Preview installation

As I showed in earlier post how you can install Exchange 2013 Preview on Windows Server 2012 Release Candidate , I will show in this one how you can prepare for its installation on Windows Server 2008 R2 with SP1 after which you can proceed with installation as shown here . 

As you may guessed that installation with Windows Server 2008 R2 SP1 will involved more preparation rather with Windows Server 2012 due to required of some pre-installation patching which already done for Windows server 2012 .

Microsoft introduced Exchange 2013 Preview in a two roles only architecture ( Client Access Server and Mailbox Server ) which can be either installed in combination on a single box or separated each on its dedicated box.

Recover Active Directory Objects using Active Directory Recycle Bin

Recovering deleted objects was one of the hardest issues for Active Directory admins as it requires performing of an authoritative restore for Active Directory backup [ Authoritative restore includes performing of a non-authoritative restore followed by using of NTDSutil to mark certain Active Directory objects as authoritative objects so it can not be overwritten during post restore replication sync. ] 

Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.

In this post I’ll show you how to raise functional level , enable Active Directory Recycle Bin and finally restore a deleted Active Directory object [ User object ] 

First : Set forest to Windows 2008 R2 mode :

This can be accomplished using  Active Directory Domain and Trusts snap-in or Active Directory module for PowerShell by using the following command :

Set-ADForestMode [-Identity] <ADForest> [-ForestMode] <ADForestMode>

 

In Active Directory module for PowerShell you can verify the result by executing Get-ADForest | FL Name,ForestMode cmdlet

For my lab environment :

  Set-ADForestMode -Identity itguydiaries.net -ForestMode Windows2008R2Forest