Uninstall SMS agent with command line

Hi there!

You can uninstall the SMS agent from a computer with the following command:

msiexec /X {GUID}

Where {GUID} is the ID (product code) of the product. You can find it with regedit, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

You can also try the following GUIDs:

{83AD5E71-80C0-4818-B6E4-CA2607B6A141}

{FCDC3CDD-F53E-4239-8CA5-BC492942931B}

{D8EF2D11-47CF-45E5-B423-47B29706DE12}
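
Instead of trying each GUID in turn, you can check which of them is actually registered on the machine. The script below is an added example, not part of the original post: it looks the three product codes up under the Uninstall key and prints the matching msiexec command. The WOW6432Node path, the /qn /norestart options and the $doUninstall switch are additions made for this example.

```powershell
# Added example. Product codes are the three listed in the post above.
$candidates = @(
    '{83AD5E71-80C0-4818-B6E4-CA2607B6A141}',
    '{FCDC3CDD-F53E-4239-8CA5-BC492942931B}',
    '{D8EF2D11-47CF-45E5-B423-47B29706DE12}'
)

# Native Uninstall key plus the 32-bit view that exists on 64-bit Windows
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-RegisteredProduct {
    param([string[]]$ProductCode)
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # MSI products register under a subkey named after their product code
            if ($ProductCode -notcontains $key.PSChildName) { continue }
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            New-Object PSObject -Property @{
                ProductCode = $key.PSChildName
                DisplayName = $p.DisplayName
                Version     = $p.DisplayVersion
                Publisher   = $p.Publisher
                IsMsi       = ($p.WindowsInstaller -eq 1)
            }
        }
    }
}

$doUninstall = $false   # hypothetical switch: set to $true to really remove the product

foreach ($product in Get-RegisteredProduct -ProductCode $candidates) {
    # Show what was found so the name and publisher can be checked before removal
    '{0}  {1} {2} ({3})' -f $product.ProductCode, $product.DisplayName,
                            $product.Version, $product.Publisher
    if (-not $product.IsMsi) {
        Write-Warning 'Not registered as a Windows Installer product; msiexec /X will not work.'
        continue
    }
    if (-not $doUninstall) {
        "  would run: msiexec /X $($product.ProductCode) /qn /norestart"
        continue
    }
    $proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList '/X', $product.ProductCode, '/qn', '/norestart'
    switch ($proc.ExitCode) {
        0       { '  removed' }
        3010    { '  removed, reboot required' }
        1605    { '  product is not installed' }
        default { "  msiexec failed with exit code $($proc.ExitCode)" }
    }
}
```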

Regards

Special offer if you buy the set of exams from MCITP to MCSE 2012

Hi!

I read that Microsoft has created an offer for MCITPs: if you buy a set of exams to upgrade to MCSE Cloud, Desktop or Server Infrastructure, you get the 70-417 free, plus the free training for that exam.

http://bsf01.com/Microsoft_Vouchers/MCSE_WS2012Upgrades.aspx

Regards!

FREE eBook: Windows 8 An Overview for IT Pros

Hi!

The free book from MSPress, Windows 8 An Overview for IT Pros, is ready for download.

http://blogs.technet.com/b/keithmayer/archive/2012/11/02/free-ebook-windows-8-for-it-pros.aspx#.UKKid4ezKSo

Inside you can find:

  • Hardware Innovations

Touch; Long battery life; Thinner, lighter, faster; Sensors and security; New Form Factors

  • Experiencing Windows 8

Walk-through of the new UI and key improvements to Task Manager and File Explorer.

  • Customizing and Configuring Windows 8

Profile customization, Tile configuration, PC Settings, Redesigned NTFS

  • Networking Enhancements

BranchCache, DirectAccess, Mobile broadband, IPv6

  • Deploying Windows 8

Windows 8 SKUs, Application Compatibility, User State Migration, Deployment and Imaging, Windows PE, Volume Activation Management Tool, Windows-to-Go

  • Delivering Windows Apps

Windows app lifecycle, Distributing via Windows Store, Distributing with an Enterprise

  • Windows 8 Recovery

File History, Refresh and Reset, Windows Recovery Environment, DaRT, Advanced Options

  • Windows 8 Management

PowerShell 3.0, Group Policy Improvements, System Center 2012 Configuration Manager, Windows Intune

  • Windows 8 Security

Secure boot, SmartScreen, Vulnerability mitigation and sandboxing, BitLocker, Virtual smart cards, Dynamic Access Control

  • Internet Explorer 10

New features, Group Policies for IE 10

  • Windows 8 Virtualization

Client Hyper-V, Virtual Desktop Infrastructure, Application virtualization, User state virtualization

This year it is time for hands-on labs!!

Regards

Marc

How GPO Link Order Works

Hi!

Recently I was talking with my colleagues and I saw that some of them did not know the correct link order of GPOs in GPMC, so below I will talk about it and how it works.

When linking more than one GPO to an OU, we can have a problem when two GPOs contain the same setting but with different values. For example, one GPO has Minimum password length set to 0 but another GPO has it set to 8. In this case we need to know that the GPO with link order number 2 is processed last, and therefore has the highest precedence.

Regards!

Introducing the first Windows Server 2012 Domain Controller (Part 2 of 2)

Hi!

Greg Jaworski gives us the second part of the introduction to AD DS 2012.

See you!

http://blogs.technet.com/b/askpfeplat/archive/2012/09/06/introducing-the-first-windows-server-2012-domain-controller-part-2-of-2.aspx

—–

Welcome to part two of this blog where we discuss promoting a Domain Controller with Windows PowerShell. We also discuss how you can do the prerequisites checks before introducing the first Windows Server 2012 Domain Controller.

Promoting a Domain Controller with PowerShell

Just like in the GUI you will want to install the Active Directory Domain Services role.

————————Begin PowerShell———————————————————

Get-WindowsFeature AD-Domain-Services

Display Name                                  Name                   Install State
------------                                  ----                   -------------
[ ] Active Directory Domain Services          AD-Domain-Services         Available

Get-WindowsFeature AD-Domain-Services | Install-WindowsFeature

or just

Install-WindowsFeature -Name AD-Domain-Services

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Active Directory Domain Services}
WARNING: Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is
automatically updated, turn on Windows Update.

————————End PowerShell———————————————————

Now in PowerShell we can actually do the prerequisite checks without promoting the machine to a Domain Controller. This will help us in the planning phase to identify issues and properly address them before we hit a potential roadblock installing the first DC.

————————Begin PowerShell———————————————————

Test-ADDSForestInstallation

cmdlet Test-ADDSForestInstallation at command pipeline position 1
Supply values for the following parameters:
DomainName: pfeadupg.test
SafeModeAdministratorPassword:
Confirm SafeModeAdministratorPassword:
WARNING: Windows Server 2012 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).

————————End PowerShell———————————————————

You will then be given items that need to be addressed on a forest level.

To test items at a domain level.

————————Begin PowerShell———————————————————

Test-ADDSDomainInstallation

cmdlet Test-ADDSDomainInstallation at command pipeline position 1
Supply values for the following parameters:
NewDomainName: pfeadupg.test
ParentDomainName: pfeadupg.test
SafeModeAdministratorPassword:
Confirm SafeModeAdministratorPassword:

Message                       Context                       RebootRequired  Status
-------                       -------                       --------------  ------
Verification of prerequisi… Test.VerifyADPrepPrerequis…            False   Error
WARNING: Windows Server 2012 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).
Verification of prerequisi… Test.VerifyDcPromoCore.DCP…            False   Error
Test VerifyOutboundReplica… Test.VerifyOutboundReplica…            False Success

————————End PowerShell———————————————————

What you will notice is different in this output is the Test VerifyOutboundReplication entry; however, it says Success. Yes, we do check to ensure that Outbound Replication is enabled and that you aren’t doing the old isolate-the-schema-master trick. We don’t recommend that, and my coworker Doug Symalla wrote a good post about that here.

http://blogs.technet.com/b/askpfeplat/archive/2012/05/28/best-practices-for-implementing-schema-updates-or-how-i-learned-to-stop-worrying-and-love-the-forest-recovery.aspx

We do check this in the GUI as well, but will only flag it if it is disabled.

Now to test at an individual DC level.

————————Begin PowerShell———————————————————

Test-ADDSDomainControllerInstallation

cmdlet Test-ADDSDomainControllerInstallation at command pipeline position 1
Supply values for the following parameters:
DomainName: pfeadupg.test
SafeModeAdministratorPassword:
Confirm SafeModeAdministratorPassword:

Message                       Context                       RebootRequired  Status
-------                       -------                       --------------  ------
Test VerifyADPrepPrerequis… Test.VerifyADPrepPrerequis…            False Success
WARNING: Windows Server 2012 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).
Verification of prerequisi… Test.VerifyDcPromoCore.DCP…            False   Error
Test VerifyOutboundReplica… Test.VerifyOutboundReplica…            False Success

————————End PowerShell———————————————————

Now that we have done that we can move forward with promoting the actual DC. We will use that script we had created in the first post. However I have reset this forest and it has never had a Windows Server 2012 DC in it. This is not a continuation of what we did in the GUI. So we are not adding a second Windows Server 2012 DC. We will be preparing the forest and domain again. If this has not already been done the PowerShell cmdlet will also do this (assuming you have the correct permissions).

#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment

# Adds a domain controller (global catalog and DNS) to the existing domain.
# -SafeModeAdministratorPassword is not specified, so the cmdlet prompts for it.
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "pfeadupg.test" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Site-1" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

First you will need to change the PowerShell execution policy.

Set-ExecutionPolicy RemoteSigned

Then we will run the script which I called newdc.ps1.

.\newdc.ps1

SafeModeAdministratorPassword:

Confirm SafeModeAdministratorPassword:

The first time I ran this it failed. Again because I did not meet the FFL requirement. However the important thing to note here was that none of the prerequisite checks told me about this problem. So I fixed the problem and we will run it again.

————————Begin PowerShell———————————————————

.\newdc.ps1

SafeModeAdministratorPassword:
Confirm SafeModeAdministratorPassword:

WARNING: Windows Server 2012 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: This computer has at least one physical network adapter that does not have static IP address(es) assigned to
its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses
should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es)
assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
"pfeadupg.test". Otherwise, no action is required.

WARNING: Windows Server 2012 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: This computer has at least one physical network adapter that does not have static IP address(es) assigned to
its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses
should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es)
assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
"pfeadupg.test". Otherwise, no action is required.

Message                       Context              RebootRequired  Status
-------                       -------              --------------  ------
Operation completed succes… DCPromo.General.1             False Success

————————End PowerShell———————————————————

Since I did not specify a Safe Mode password in my script I was prompted for this. This way no passwords are exposed in a text file. However if you wanted to fully automate this then that can be done.
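
The prerequisite checks and the password handling described above can be combined into one gate that runs before newdc.ps1. The script below is an added example, not part of the original post: it prompts once for the Safe Mode password as a SecureString, checks the forest functional level (the failure the prerequisite checks did not report) and collects every check result with an Error status. The function name Test-DcPromotionReadiness is hypothetical, and the example assumes the ActiveDirectory module is installed and a DC of pfeadupg.test is reachable.

```powershell
# Added example, not from the original post.
Import-Module ADDSDeployment
Import-Module ActiveDirectory   # assumption: the AD PowerShell module (RSAT) is installed

function Test-DcPromotionReadiness {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$SafeModePassword
    )
    $problems = @()

    # Gap described in the post: a Windows 2000 forest functional level blocks the
    # promotion, but none of the prerequisite checks reported it.
    $forest = Get-ADForest -Server $DomainName
    if ("$($forest.ForestMode)" -eq 'Windows2000Forest') {
        $problems += New-Object PSObject -Property @{
            Check   = 'ForestFunctionalLevel'
            Message = 'FFL is Windows 2000; raise it to Windows Server 2003 or higher.'
        }
    }

    # Same checks the promotion runs, without promoting the machine.
    $results = @()
    try {
        $results = @(Test-ADDSDomainControllerInstallation -DomainName $DomainName `
            -SafeModeAdministratorPassword $SafeModePassword `
            -InstallDns:$true -SiteName 'Site-1' `
            -ErrorAction SilentlyContinue -ErrorVariable testErrors)
    } catch {
        $problems += New-Object PSObject -Property @{
            Check = 'Test-ADDSDomainControllerInstallation'; Message = $_.Exception.Message
        }
    }
    foreach ($e in $testErrors) {
        $problems += New-Object PSObject -Property @{
            Check = 'Test-ADDSDomainControllerInstallation'; Message = "$e"
        }
    }
    foreach ($r in $results) {
        # Status is Success or Error in the output shown above
        if ("$($r.Status)" -eq 'Error') {
            $problems += New-Object PSObject -Property @{
                Check = $r.Context; Message = $r.Message
            }
        }
    }
    $problems
}

# Prompt once; the password stays a SecureString and never appears in the script file.
$dsrm = Read-Host -AsSecureString -Prompt 'SafeModeAdministratorPassword'

$problems = @(Test-DcPromotionReadiness -DomainName 'pfeadupg.test' -SafeModePassword $dsrm)
if ($problems.Count -gt 0) {
    $problems | Format-Table Check, Message -AutoSize -Wrap
    Write-Warning "$($problems.Count) blocking finding(s); fix these before running newdc.ps1."
    exit 1
}
'No blocking findings; the server is ready for newdc.ps1.'
```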

Just like in part 1 we basically performed /forestprep and /domainprep as part of the DC promotion process. However, we know many of our customers might not want to do this. In this case using the Windows Server 2012 media or a copy of the media you can run the adprep command(s) just like you did in previous versions of Windows. Adprep has also been enhanced so the command does not have to run from the schema master in the case of /forestprep and from the infrastructure master in the case of /domainprep and /rodcprep. It has also been enhanced to fix an invalid infrastructure FSMO reference that some customers hit when running /rodcprep in Windows Server 2008 and Windows Server 2008 R2.

After introduction of the first Windows Server 2012 Domain Controller

Just like in part 1 we can now run the BPA. We can run this via PowerShell just like we were able to in Windows Server 2008 R2. The BPA documentation for Windows Server 2008 R2 is located here and works on Windows Server 2012.

http://technet.microsoft.com/en-us/library/dd378893(v=WS.10).aspx

http://technet.microsoft.com/en-us/library/dd759206.aspx

The below output is only a snip since the PowerShell cmdlet will return all results, including passed results. The link above will allow you to exclude and filter the output.

————————Begin PowerShell———————————————————

Invoke-BpaModel -BestPracticesModelId Microsoft/Windows/DirectoryServices

Get-BpaResult Microsoft/Windows/DirectoryServices

ResultNumber : 37
ResultId     : 3415681431
ModelId      : Microsoft/Windows/DirectoryServices
SubModelId   :
RuleId       : 45
ComputerName : PARENT-DC3
Context      :
Source       : PARENT-DC3
Severity     : Error
Category     : Configuration
Title        : CN=DES User,OU=ServiceAcccounts,DC=pfeadupg,DC=test should not be configured for DES only
Problem      : A user account or trust for domain pfeadupg.test is configured for Data Encryption Standard (DES) only.
DES is considered weak cryptography and is no longer enabled by default in Kerberos authentication in
Windows 7 and Windows Server 2008 R2.
Impact       : User accounts and trusts configured for DES only will have authentication failures.
Resolution   : User accounts and trusts should use Advanced Encryption Standard (AES) or RC4 Kerberos encryption keys.
Compliance   :
Help         : http://go.microsoft.com/fwlink/?LinkId=168859
Excluded     : False

————————End PowerShell———————————————————

Just like in the GUI results from the first post the BPA identifies items such as the user account with DES enabled. You want to be aware of these things since it may affect an application or service. The best thing to do is to first test this in a lab, but if for some reason you can’t do this or the lab doesn’t match production you should definitely run this on the first Windows Server 2012 Domain Controller that you introduce.

Summary

So to wrap up this blog post we have covered what it takes to introduce the first Windows Server 2012 Domain Controller in your environment. We have covered using both the GUI as well as Windows PowerShell. We also covered some things you need to consider such as the forest functional level.

Thanks,

Greg

Introducing the first Windows Server 2012 Domain Controller (Part 1 of 2)

Guys,

The PFE Greg Jaworski gives us an introduction to WS 2012 DS.

See you!

http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx

——

Greg Jaworski here again to discuss introducing the first Windows Server 2012 Domain Controller. We will discuss things such as extending the schema, enhancements to the Domain Controller promotion process (it is no longer called dcpromo), and things you should be doing to ensure a smooth upgrade and minimal issues. This will be a two part blog post. In the first part we will cover the GUI way of introducing the first Windows Server 2012 Domain Controller. In the second post we will cover the PowerShell way of doing this and also how you can take a look at your environment before introducing that first Windows Server 2012 Domain Controller.

Premier Field Engineering has significant experience in the area of AD upgrades. Many times we are onsite during various parts of the upgrade process. We also have discussions about upgrades during Active Directory Risk Assessments (ADRAP) and have an entire offering called the Active Directory Upgrade Assessment (ADUA) to assist with the upgrade process. We understand the concerns of upgrades. Many managers and IT people do not like the words irreversible, forest recovery, and no back-out plan. People also tend to not like mission critical applications breaking.

Using the GUI

The first thing you need to do of course is install Windows Server 2012. There are several new installation options. Also while we recommend Server Core you can now move between core and full with just a reboot. We also have the new Minimal Server Interface which will give you core GUI components like Server Manager, but no Internet Explorer or Windows Media Player. So if you would rather get started with full and then move to Server Core or Minimal Server Interface especially on that first Domain Controller you can now do that.

Server Manager looks different however. For the purposes of keeping this blog post somewhat manageable I will not be showing all screen shots. Please see our previous post on Server Manager for more detail on the enhancements there.

Add the Active Directory Domain Services Role. If you run dcpromo.exe you will get a message pointing you to go to Server Manager.

You will then choose Active Directory Domain Services. You can also choose DNS Server at this point as well. If you don’t choose this and check the DNS box as in the past we will install the DNS role as part of that process.

 

After installation completes you will be prompted to make the server a Domain Controller.

Just like in Windows Server 2008 R2, just installing the role simply copies the bits to the proper location; it does not make the machine a Domain Controller. At this point, if you click the link you will then start the DC promotion wizard. If you don’t for whatever reason, you will be able to do this from Server Manager later.

Once you click that link the Active Directory Domain Services Configuration Wizard will launch.

If there is an issue with the environment that will prevent you from introducing the DC you will get an error message. Instead of this happening at the end of the wizard you will be stopped to address this before you can continue. You will also notice that this message is “inline” so that I can continue on. This is an error message however so we need to address this. If we click show more we will get the standard dialog box with more detail on the error message.

As you can see by the below error message Windows Server 2012 does not support the Windows 2000 FFL. You will need to raise the FFL to Windows Server 2003 or higher to introduce the first Domain Controller. You will not be able to continue on until you address this. For the purposes of this blog I raised the FFL to Windows Server 2003 and continued on.

Now I received another message however this is only a warning and I can continue. In this case the warning is that I can’t introduce an RODC at this point since we did not detect any Windows Server 2008 or higher DCs in the environment. Again we can click on Show more to get additional details.

Now we receive another warning about a DNS delegation.

This message is stating that we can’t update your DNS infrastructure. This might be because you are using a second level domain (ex. contoso.com) and we can’t update the top level domain, you are using non Microsoft DNS, or the account you are using doesn’t have access to do this. So you may need to go back and either create the DNS delegation or update an existing DNS delegation.

We can now choose to Install from Media and we can also choose if we want to do initial replication from a specific DC or allow Windows to pick the DC. This process is site aware and will pick a DC in that site if one is available.

We can choose paths for our database, logs, and SYSVOL. Our guidance has not changed here and like any database we recommend splitting logs and the database on different spindles. You can choose the More about Active Directory paths for additional information.

As you can see in the below screenshot if you have not already prepared the forest/domain the Domain Controller promotion process will do this for you. For those of you who prefer that this not be one integrated step you can still run adprep. We will not be covering this in this post since it has been documented numerous times over the years. There is one notable change however. Adprep no longer needs to be run from a FSMO holder. Adprep is still located on the Windows media if you plan on running it from one of the existing DCs in the environment.

You will get the typical summary page of your selections and then new in Windows Server 2012 we will do a Prerequisites Check. You can also export all of your selections to a PowerShell script.

In Windows Server 2008 R2 you were able to export this to a dcpromo unattend file. In Windows Server 2012 this will be a PowerShell script. As was the case in Windows Server 2008 R2 this script will be specific to what you performed. So in this case this will be adding a Domain Controller to an existing domain which is the most common scenario. If you are creating a new domain or forest then you will have to modify or create a different script. We will use this script when we promote a Domain Controller with PowerShell in part 2 of this blog post.

You can see that we have performed a prerequisites check. This is a new feature in Windows Server 2012 that will make you aware of potential issues or concerns before you complete making the server a Domain Controller. However in many cases this could be too late in the process. If you have been planning the upgrade for months and aren’t aware of these issues then it could make you go back to the planning phase delaying the upgrade by several months. These checks can also be run with Windows PowerShell. We will discuss this in part 2 of this blog post.

Here we are extending the schema. So this is the equivalent of adprep /forestprep.

Now we are running adprep /domainprep.

We have extended the schema and prepared the domain. At the end of the process we are again made aware of potential issues that we may need to address since we now have a new Operating System that has stricter security requirements. The server will then reboot and just like in previous versions of Windows we will now have a Domain Controller and can do whatever checks your organization deems necessary to ensure that everything is running smoothly. We will only do what is exactly necessary so since we did not introduce an RODC the forest was not prepared for Read Only Domain Controllers.

After introduction of the first Windows Server 2012 Domain Controller

So what should you do now that the server has rebooted and is a DC? Well, the prerequisites check only really checks things that will specifically impact the introduction of a DC. So the next thing you should do is run the Best Practices Analyzer (BPA) for Active Directory.

Once in Server Manager and you have chosen the AD DS role scroll down and you will see a section called Best Practices Analyzer. You can then go to Tasks and choose to run the BPA scan. This BPA scan can also be run from Windows PowerShell.

The initial filter will only show Warnings and Errors. You can also look at Informational issues as well as issues that Passed.

While many of these are general best practices (time configuration, virtualization…), one you might notice that could be important is this. This one could break an application or service.

In Windows Server 2008 R2 we disabled DES encryption types for Kerberos by default. This setting is on a DC by DC basis so in that case only Windows Server 2008 R2 and Windows Server 2012 DCs would not allow DES encryption types. So you really need to check in two places for issues that could affect services and other applications that rely on Active Directory. Unfortunately you can’t run the BPA unless the machine is already a Domain Controller so unlike the PowerShell cmdlets earlier in the blog you can’t run this ahead of time. This is why you should have a lab that looks as close to production as possible. This will allow you to flush out these issues prior to introducing new DCs in production.
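
Because the BPA cannot be run before the machine is a Domain Controller, accounts configured for DES only can instead be listed directly from the directory ahead of time. The script below is an added example, not part of the original post: Get-DesOnlyAccount queries the USE_DES_KEY_ONLY bit of userAccountControl, and Get-DesBpaFinding filters existing BPA results for the DES rule title shown in the PowerShell output of part 2. Both function names are hypothetical, and the example assumes the ActiveDirectory module is available and a DC of pfeadupg.test is reachable; trusts are not covered.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory   # assumption: the AD PowerShell module (RSAT) is installed

# userAccountControl bits
$UF_ACCOUNTDISABLE   = 0x2        # account is disabled
$UF_USE_DES_KEY_ONLY = 0x200000   # "Use Kerberos DES encryption types for this account"

function Get-DesOnlyAccount {   # hypothetical helper name
    param([string]$Server = 'pfeadupg.test')   # lab domain used in this post

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule;
    # objectClass=user also matches computer accounts.
    $filter = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$UF_USE_DES_KEY_ONLY))"

    Get-ADObject -LDAPFilter $filter -Server $Server `
        -Properties userAccountControl, servicePrincipalName, lastLogonTimestamp |
        ForEach-Object {
            $lastLogon = $null
            if ($_.lastLogonTimestamp) {
                $lastLogon = [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
            }
            New-Object PSObject -Property @{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                Enabled           = -not ($_.userAccountControl -band $UF_ACCOUNTDISABLE)
                # Accounts with SPNs are service accounts: these are the ones most
                # likely to break an application when a DC refuses DES.
                SPNs              = ($_.servicePrincipalName -join ', ')
                LastLogonUtc      = $lastLogon
            }
        }
}

function Get-DesBpaFinding {   # hypothetical helper name
    # Run on the new DC after Invoke-BpaModel; keeps only the DES findings.
    Get-BpaResult Microsoft/Windows/DirectoryServices |
        Where-Object { $_.Severity -eq 'Error' -and $_.Title -like '*configured for DES only*' } |
        Select-Object ComputerName, Severity, Title, Resolution
}

$accounts = @(Get-DesOnlyAccount)
$accounts |
    Sort-Object Enabled -Descending |
    Format-Table DistinguishedName, ObjectClass, Enabled, LastLogonUtc, SPNs -AutoSize -Wrap
'{0} account(s) are configured for DES only.' -f $accounts.Count
```

Enabled accounts with SPNs and a recent logon are the ones to test first in the lab; the flag itself can be cleared with Set-ADAccountControl -UseDESKeyOnly $false once the dependent application has been checked.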

What don’t we check

The key thing here is that if you are moving from Windows Server 2003 all the way to Windows Server 2012 you need to be aware of the changes and potential issues from Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. If you are moving from Windows Server 2008 R2 then there are fewer things to worry about of course. Though if you aren’t aware of some of these issues then you will need to address those. Here is an example of a few things the BPA and Prerequisites Checker don’t check. We plan to have a follow up post to provide more detail on this.

· We don’t inventory existing application or services on the DC. If you are using existing hardware and not doing an in place upgrade you need to document what else is on that DC (DHCP, DNS, WINS, CA, IAS, Terminal Services Licensing)

· Since Windows Server 2008 we no longer store the Lan Manager hash (LMHash). If you have old applications or gasp really old versions of Windows you need to address this.

· We don’t check other Microsoft applications or 3rd party applications. An example from Windows Server 2008 is Live Communications Server 2005 and Office Communications Server 2007. These products had an issue when the schema was extended for Windows Server 2008.

958980 Office Communications Server or Live Communications Server 2005 does not work correctly after you upgrade a domain controller to Windows Server 2008

http://support.microsoft.com/kb/958980/EN-US

· We provide you the warning about NT4Crypto, but we don’t actually look for NT 4.0 machines or trusts. Third party NAS devices, and older implementations of Samba could also be affected.

For Windows Server 2008 and Windows Server 2008 R2 we provided a TechNet article and a fellow PFE Glenn LeCheminant had a running blog post.

http://blogs.technet.com/b/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx

http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx

We plan on doing something similar here.

Summary

So to wrap up part one of this blog post we have covered what it takes to introduce the first Windows Server 2012 Domain Controller using the GUI in your environment. We have also covered using the Best Practices Analyzer after the first Windows Server 2012 Domain Controller is introduced. We then provided a brief summary of some items that are not checked. While we have improved the Domain Controller promotion process and added additional functionality to make you aware of issues you may run into this does not replace proper planning. At the same time we are trying to reduce the “fear” that many have of these tasks. Upgrading your Active Directory provides significant benefits and new features and also keeps you in a supported state. If your Active Directory is still all Windows Server 2003 the time is now to start planning your upgrade. In part two of this blog post we will cover doing this same task using Windows PowerShell. We will also cover how you can do the prerequisite checks ahead of time so that you are well prepared to introduce that first DC and to reduce or remove any “surprises”.

Thanks,

Greg