howto://upgrade Active Directory to 2012R2

Alternate title: DCPROMO is dead! Long live some little yellow triangle!

It being past time for me to upgrade Active Directory at home to DCs running 2012R2, I wanted to put together this little walkthrough for others looking for a procedure doc to cover schema and perms, or maybe even where the hell dcpromo went! If you’d like a 20K foot overview of what you need to do in order to add a 2012R2 DC to your domain, here’s what you need to know.

howto://fix the hardware on the destination computer is not compatible

I’m in the middle of upgrading my Hyper-V servers at home from 2012 to 2012R2. To keep things up and running, I live migrated (shared NOTHING) the VMs from the first server to be rebuilt to the second. That worked just fine. I flattened the first server, installed 2012R2, added the Hyper-V role, and tried to move a VM back to it, only to be spanked with

howto://register the schema dll in 2012r2

As a follow-up to upgrading AD to 2012R2, I wanted to transfer all the roles off the legacy DC. When I went to register the schema management DLL (schmmgmt.dll) using regsvr32 from a Run dialog box, like this…

regsvr32.exe schmmgmt.dll

I got spanked with this.

image

The module “schmmgmt.dll” was loaded but the call to DllRegisterServer failed with error code 0x80040201.

User Account Control (UAC) doesn’t let us do this directly from a run dialog. To do this and get it to work, you need to run this from an administrative command prompt.

Running the same command this way

image

gets this

image

and more to the point, lets you run the Active Directory Schema Management console.

howto://USE a REGEX to match everything up to the @


I use PSPAD as my default text editor. It’s been my favourite such application for years because it can do so much. Recently I was handed a CSV that contained email addresses for 25,000 users. I needed to pull out just the SMTP suffixes for some manipulation. PSPAD can do global search and replace with a REGEX and it seemed like just what I needed. The only challenge was to figure out what pattern matches everything in an email address up to and including the @ sign. Here’s the pattern I used.

^([^@]+)@

That says to start at the beginning of the line, match one or more characters that are not an @ (letters, digits, dots, whatever else is in there), up to and including the @. Easy.

2018-01-29 edit: since I am copying from Archive.org and am too lazy to try to recreate all the great comments, I am adding this one from my former boss, Jim Palic of ONLC, which is an even easier way to do this.

Another easy way to do that would be to use the negation operator inside the square brackets. e.g. ^([^@]+)@ Meaning match everything that is not an @.
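The same pattern run as a search-and-replace over a few constructed CSV lines, added here as an example (not part of the original post or its comments; the sample rows and function names are mine). It shows what `[^@]+` actually swallows (dots, plus signs, commas and spaces, not just alphanumerics) and which lines get no match at all.

```python
import re

# The pattern from the post: anchored at line start, one or more characters that
# are NOT '@', then the '@' itself. Because [^@] matches dots, plus signs, commas
# and spaces too, it swallows the whole CSV prefix in one go.
UP_TO_AT = re.compile(r"^([^@]+)@")

# Constructed sample lines (not the post's real 25,000-row file).
SAMPLE_CSV = """\
jsmith@example.com
first.last+tag@sub.example.org
Smith, John,jsmith2@example.com
Doe, Jane,no-address-here
@nothing-before-the-at.example.net
"""

def smtp_suffix(line):
    """Replace the match with nothing, leaving the SMTP suffix; None when nothing matched."""
    stripped, count = UP_TO_AT.subn("", line, count=1)
    return stripped if count else None

def suffixes(text):
    """Apply the replace to every line, as a global search-and-replace in the editor would."""
    return [smtp_suffix(line) for line in text.splitlines()]

def unique_suffixes(text):
    """The distinct SMTP suffixes present, ignoring lines with no address."""
    return sorted({s for s in suffixes(text) if s is not None})
```

The line starting with `@` gets no match because `+` demands at least one character before the `@`, so the anchor at `^` never lines up.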

howto://map caps lock to windows-key

I have a little no-name Bluetooth keyboard that I like to use when travelling. It has a joystick mouse with scroll, all the important keys for editing and cursor navigation, function keys, a/v keys…the only thing it’s really missing is a Windows key. CTRL+ESC is not a substitute for the Windows key, since it doesn’t work with any WIN+ shortcuts. I really wanted a Windows key. I did some digging around on the interwebz and figured out how to map the caps lock key to the Windows key.

In other words, I made this (picture of a Caps Lock key) into this (picture of a Windows key)!

If you want to do the same thing for some older keyboard you want to use, here’s what you need to do.

1. Launch regedit.exe.

2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout.

3. Export that key and save it as undokeyboard.reg in case you want to go back, screw something up, etc.

4. Create a text file and copy the following into it.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,5c,e0,3a,00,00,00,00,00

5. Save as WINning.reg.

6. Double click it to import the settings into your Registry.

7. Reboot.

8. (Optional) Use a silver Sharpie marker to draw in the Windows logo.

Once you reboot, the CAPS LOCK key on any and every keyboard you use will be your WIN key. Of course, that may cut down on shouting, extra emphasis, license key entries, etc…but your SHIFT key is probably a little lonely anyway. Keep that undo file just in case you find yourself really needing a CAPS LOCK key. See what I did there?
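Here is what the hex in that .reg file actually encodes, as an added example (my code, not from the post): an encoder and decoder for the Scancode Map value, so you can build or sanity-check a mapping before importing it. It reproduces the post's value byte for byte; note that the post's target scancode E0 5C is the right Windows key (the left one is E0 5B).

```python
import struct

# Scancode Map (REG_BINARY) layout: DWORD version (0), DWORD flags (0),
# DWORD count = number of mappings + 1 (the all-zero terminator counts),
# then one DWORD per mapping whose low word is the NEW scancode and whose
# high word is the ORIGINAL scancode, followed by a zero DWORD.
CAPS_LOCK = 0x003A   # Caps Lock, scancode set 1
LEFT_WIN = 0xE05B    # left Windows key (extended scancode E0 5B)
RIGHT_WIN = 0xE05C   # right Windows key (E0 5C); this is what the post's value maps to

def build_scancode_map(mappings):
    """mappings: list of (original_scancode, new_scancode) -> REG_BINARY bytes."""
    blob = struct.pack("<III", 0, 0, len(mappings) + 1)
    for original, new in mappings:
        blob += struct.pack("<HH", new, original)  # little-endian: new code is stored first
    return blob + struct.pack("<I", 0)

def parse_scancode_map(blob):
    """Inverse of build_scancode_map, rejecting malformed values instead of guessing."""
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0 or count < 1:
        raise ValueError("unexpected Scancode Map header")
    if len(blob) != 12 + 4 * count:
        raise ValueError("length %d does not match count %d" % (len(blob), count))
    mappings = []
    for i in range(count - 1):
        new, original = struct.unpack_from("<HH", blob, 12 + 4 * i)
        mappings.append((original, new))
    if struct.unpack_from("<I", blob, 12 + 4 * (count - 1))[0] != 0:
        raise ValueError("missing null terminator")
    return mappings

def to_reg_hex(blob):
    """Render bytes in the 'hex:' notation a .reg file uses."""
    return "hex:" + ",".join("%02x" % b for b in blob)

def from_reg_hex(text):
    """Parse the 'hex:aa,bb,...' notation back into bytes."""
    if not text.startswith("hex:"):
        raise ValueError("expected a hex: value")
    return bytes(int(x, 16) for x in text[4:].split(","))

# The value from the post's WINning.reg
POST_VALUE = "hex:00,00,00,00,00,00,00,00,02,00,00,00,5c,e0,3a,00,00,00,00,00"
```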

 

howto://disable hibernation in Windows 8

2018-01-29 edit: this works just the same, and just as well, in Windows 10!

Getting ready for my Windows 8.1 upgrade, I wanted to get some things cleaned up, and that included moving some VMs from my laptop to one of my Hyper-V servers. The Exchange server alone is about 100GB so I wanted to fire it up to delete some of the test accounts/mailboxes to trim it down to size before moving it. Unfortunately, it looks like my tendency to save everything had just about run me out of space. The VMs would not start!

image

Checking on things, I found myself with only a few hundred MB of free space. I started deleting ISOs and other large files that I have multiple copies of, but was only able to free up a few GB of space. My disk was still code red!

image

Looking for more things I could get rid of, I realized that I had a 13GB hibernation file sitting on the C: drive. Since I hate hibernation, I figured losing this would free up enough space to do what I needed to.

 

image

To disable hibernation in Windows 8, do this.

  1. Open an administrative command prompt.
  2. Enter the following command and press Enter:
    powercfg /hibernate off
  3. Check to see you have more space freed up!

image

Yes, I am still code red. I’m a hoarder (of data, anyway.) I don’t have any specific reason why I don’t hibernate…I just don’t. I may have had a bad experience in the past that I have suppressed, or maybe I just want the disk space back. Whatever the reason, I don’t mind telling my computer to go the <bleep> to sleep. When I do, I always hear myself doing it in Samuel L. Jackson’s voice.

howto://get upns for a list of sams


I often find the need to have a list of UPNs when the only thing the customer provides me is a list of sAMAccountNames. Far too often users’ SAM and UPN don’t match, so it’s not as simple as tacking the UPN suffix onto the SAM and calling it a day. If you have a list of SAMs and you need to get UPNs, here are two ways to do it. This assumes you have admin rights in AD, and a workstation on which you also have admin rights.

Single domain

The first way works well if you have a single domain, or just need to search a single domain.

1. Install the RSAT tools if they are not already in place. You will need the AD specific pieces.

2. Create a text file with one sAMAccountName per line. Name it users.txt.

3. Launch PowerShell and cd to the folder containing users.txt

4. Import the AD Module using this command
import-module activedirectory

5. Run this command
get-content users.txt | get-aduser | ft samaccountname, userprincipalname >userslist.txt

6. If you need to search a different domain, add -searchbase "dc=sub,dc=example,dc=com" to the get-aduser command to specify the domain.

Entire Forest

If you want to quickly and easily search the entire forest, it’s a little more complicated.

You can do it the “low and slow” way using this. Substitute the servername for a GC in your environment, and your forest root where appropriate. This will take a LOOONGGG time to complete, but gets you there in a one liner.

$list = get-content .\users.txt
$list | % {write-verbose $_ -verbose; get-aduser -ldapfilter "(samaccountname=$_)" -server gc-server1:3268 -searchbase "dc=sub,dc=example,dc=com"} | select samaccountname, userprincipalname | export-csv .\upns.csv

Or if you are in a hurry and want to also use Excel, you can do this.

1. Run this command to just get EVERYBODY’s data.
get-aduser -ldapfilter "(samaccountname=*)" -server siladdc01:3268 -searchbase "dc=dir,dc=labor, dc=gov" | export-csv c:\scratch\allusers.csv

2. Import the data into Excel. Delete every column except the sAMAccountName and UPN, and delete all the header rows.

3. Create a new worksheet in Excel.

4. Import your source list into that.

5. Create the following formula in the next column of your second worksheet.

=VLOOKUP(A1,allusers!A:B,2,FALSE)

That will compare the sAMAccountNames in your source file to the full dump, and where it finds an exact match in column A, it will put in the UPN from column B.

howto://dump a list of users with email address and upn

I needed to dump a list of all users in a forest so that I could compare their UPN to their email address. I came up with this PS command that will connect to a GC, enumerate all users in the forest, and output a CSV that lists their displayname, emailAddress, and UPN. It will skip users with blank email or display, or accounts that are disabled.

The scriptlet assumes whoever runs it has administrative rights, and has the RSAT tools for AD installed on the machine they are using so the AD module exists. It doesn’t require anything else.

import-module activedirectory

get-aduser -filter {(EmailAddress -like "*") -and (DisplayName -like "*") -and (Enabled -eq $true)} -searchscope subtree -searchbase 'dc=yourdomain,dc=tld' -properties DisplayName, EmailAddress, UserPrincipalName, proxyAddresses -server yourgc.yourdomain.tld:3268 | select-object displayname, emailaddress, userprincipalname | export-csv c:\scratch\users.csv

Make sure you change the placeholder values (yourdomain, tld, yourgc and the output path) to match your environment. Hope this helps someone out.

kerberos response codes

Code   Message                         Meaning
0x6    KDC_ERR_C_PRINCIPAL_UNKNOWN     Client not found in Kerberos database
0x7    KDC_ERR_S_PRINCIPAL_UNKNOWN     Server not found in Kerberos database
0x8    KDC_ERR_PRINCIPAL_NOT_UNIQUE    Multiple principal entries in database
0xA    KDC_ERR_CANNOT_POSTDATE         Ticket not eligible for postdating
0xC    KDC_ERR_POLICY                  KDC policy rejects request
0xD    KDC_ERR_BADOPTION               KDC cannot accommodate requested option
0xE    KDC_ERR_ETYPE_NOTSUPP           KDC has no support for encryption type
0xF    KDC_ERR_SUMTYPE_NOSUPP          KDC has no support for checksum type
0x12   KDC_ERR_CLIENT_REVOKED          Client's credentials have been revoked
0x17   KDC_ERR_KEY_EXPIRED             Password has expired; change password to reset
0x19   KDC_ERR_PREAUTH_REQUIRED        Additional pre-authentication required
0x1B   KDC_ERR_MUST_USE_USER2USER      Principal valid for user2user only
0x1C   KDC_ERR_PATH_NOT_ACCEPTED       KDC policy rejects transited path
0x1D   KDC_ERR_SVC_UNAVAILABLE         A service is not available
0x1F   KRB_AP_ERR_BAD_INTEGRITY        Integrity check on decrypted field failed
0x20   KRB_AP_ERR_TKT_EXPIRED          Ticket expired
0x21   KRB_AP_ERR_TKT_NYV              Ticket not yet valid
0x22   KRB_AP_ERR_REPEAT               Request is a replay
0x23   KRB_AP_ERR_NOT_US               The ticket isn't for us
0x24   KRB_AP_ERR_BADMATCH             Ticket and authenticator don't match
0x25   KRB_AP_ERR_SKEW                 Clock skew too great
0x29   KRB_AP_ERR_MODIFIED             Message stream modified
0x34   KRB_ERR_RESPONSE_TOO_BIG        Response too big for UDP, retry with TCP
0x3C   KRB_ERR_GENERIC                 Generic error

im in ur datastreams, fixup’in’ ur protokols

So the other day, I found myself involved in two different attempts to fix the same problem, which had apparently been an issue for over a year for these guys. They both wanted to use FTP to move files from a host on one segment, to an FTP server on another segment. Sounds simple, right? Well if it was, I wouldn’t be writing this article, would I?

 

Situation:
-Two hosts need to communicate with one another using FTP
-across a firewall
-NAT is in place
-the FTP server is using the non-standard port 1959

First, a review of FTP is in order. The current RFC for FTP is 959. Note that FTP commands embed network addressing within the Application layer of the protocol each time a PORT command (amongst others) is issued. The client embeds its IP address in the command, like so.

PORT 010,001,001,024,016,002

Note that the address is represented as padded, comma separated octets. The FTP server uses that information to open a connection back to the client for the data transfer. In this instance, the FTP client is on one network segment, the FTP server is on another, and there is a firewall between them. In the stream, the client’s network traffic is translated by the firewall so that it appears to be at the desired address, even though it is located on another network. This is transparent to both hosts, and to the user. Unfortunately, the FTP server cannot access the FTP client at the real ip.addr (10.1.1.24) because the NAT represents the FTP client as having ip.addr 10.3.1.24.

While Network Address Translation is frequently used, there are limitations to what it can do. The normal NAT process can only alter ip.addrs at the Network layer, and port numbers at the Transport layer. For many protocols, this is sufficient to permit the use of NAT, and to do so in a way that is transparent to the user, the hosts, and the application protocol(s) in use. There are however certain protocols that embed the ip.addr and/or port within the Application layer, as FTP does in its port commands. NAT does not inspect the Application layer, so when the destination host receives traffic with one set of addressing at the Network and/or Transport layer, and another set of addressing at the Application layer, problems will occur. This will break RPC traffic completely. For other traffic, there is the fixup command.

PIX firewalls have a feature called fixup which is enabled by default for many protocols on default (IANA assigned) ports. In the firewall configuration, this command is present.

fixup protocol ftp 21

Fixup does several things, but in this case we are most interested in its ability to basically perform NAT functions at the Application layer. Fixup can substitute the NAT address for the real one in the PORT commands transparently, neatly fixing the problem. Of course, if the FTP service had been bound to the default port, this would not have been a problem to begin with. The necessary action on the firewall is to add this command.

fixup protocol ftp 1959

Problem solved.
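To make the Application-layer part of the problem concrete, here is a small model of what the fixup does to a PORT command, added as an example (my code, not PIX firmware or anything from the original post; the function names and the default inspected-port set are my assumptions). It parses the post's captured command, rewrites the embedded address the way the firewall must, and shows that the rewrite only happens when the control connection is on a port the fixup has been told to inspect.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 in decimal, port = p1*256 + p2.
# Zero-padded octets, as in the post's capture, are accepted by int().
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

def parse_port(line):
    """Return the (ip, port) a PORT command embeds, or raise ValueError."""
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a well-formed PORT command: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def format_port(ip, port):
    """Emit a PORT command in plain RFC 959 form (no zero padding)."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def needs_fixup(ctrl_port, fixup_ports=frozenset({21})):
    """The firewall only inspects FTP on the ports named in 'fixup protocol ftp <port>'."""
    return ctrl_port in fixup_ports

def fixup_port(line, ctrl_port, real_ip, nat_ip, fixup_ports=frozenset({21})):
    """Model of application-layer NAT for PORT: rewrite the embedded address only when
    the control connection is on an inspected port and the command names the real host."""
    if not needs_fixup(ctrl_port, fixup_ports):
        return line                 # plain NAT leaves the payload untouched: the bug in the post
    ip, port = parse_port(line)
    if ip != real_ip:
        return line                 # not the translated host, nothing to correct
    return format_port(nat_ip, port)

CAPTURED = "PORT 010,001,001,024,016,002"   # the command quoted in the post
```

With only the default `fixup protocol ftp 21` in place, the command on port 1959 passes through unchanged and the server tries to reach the real address, which is exactly the failure described above; adding 1959 to the inspected set produces the corrected command.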

Summary:

  1. Whenever possible, stick with default ports.
  2. When using NAT, evaluate the protocols in use for whether or not they play nicely with NAT.
  3. Use the fixup protocol command to inspect the application layer and make relevant corrections.
  4. Remember that not all protocols can be fixed up!

here endeth the lesson 😉