Friday, March 27, 2015

Basic configuration of Server Core Domain Controller

Recently I was tasked with configuring a Windows Server 2012 Server Core installation as a domain controller from scratch. The process is well documented and fairly painless, so I figured I would aggregate the steps and post them.

Assumptions:

  • This process doesn't cover the basic installation of the OS. This assumes you have installed the OS for the first time as CORE and you are logged in for the first time with administrative credentials.
  • We don't use IPv6 (yet). I like to unbind IPv6 and disable the transition adapters and services it needs. If you use IPv6, don't follow this guide.
  • You already have an existing domain infrastructure. This process adds an additional domain controller to an existing domain.
  • In my example the domain is called LAB.LOCAL.
  • You will be installing DNS on the domain controller.
  • You don't wish to change the default NTDS and SYSVOL locations.
  • You understand what the directory services restore mode password is.

In this process we will:

  • disable unneeded adapters
  • disable "IP Helper" service (iphlpsvc)
  • rename computer
  • set IP/DNS addresses
  • install AD

Disable the 6to4, ISATAP and Teredo tunnel adapters
From the command line:

netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state disabled
netsh interface teredo set state disabled

disable IP Helper service
sc config iphlpsvc start= disabled
(there is a space between = and disabled)

Start PowerShell
powershell

unbind IPv6

Get-NetAdapterBinding -InterfaceAlias Ethernet | Select-Object Name,DisplayName,ComponentID

Pay attention to the name displayed for the adapter you intend to modify. Petri insider’s tip: In a fresh Server core installation with one network adapter installed, the name will be Ethernet by default.

Disable-NetAdapterBinding -InterfaceAlias Ethernet -ComponentID ms_tcpip6

Get-NetAdapter

For the next few steps I want to mention that you could alternatively use sconfig to rename the computer and set the IP + DNS address.
To start sconfig just type "sconfig" at the command line.


Set IP Address

New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 10.0.0.10 -DefaultGateway 10.0.0.1 -PrefixLength 24



(if you mess up the IP address)
Remove-NetIPAddress -IPAddress x.x.x.x -DefaultGateway x.x.x.x

Set DNS address
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 10.0.0.100

*make sure everything looks right
ipconfig /all

Rename Computer
Rename-Computer -NewName NewComputerNAME

Reboot
(even though this is a cmd.exe command, it works from within PowerShell)
shutdown /r /t 1

Log back in, start PowerShell, Add computer to domain
Add-Computer -DomainName domain.local -DomainCredential (Get-Credential)

Reboot
shutdown /r /t 1

Install AD
*log back in with (administrative) domain credentials, start PowerShell

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
(wait a few minutes)

Install-ADDSDomainController -DomainName lab.local -InstallDNS:$True -Credential (Get-Credential)

You will be asked for a SafeModeAdministratorPassword. This is the Directory Services Restore Mode Password.

"the target server will be configured as a domain controller..."
continue with this operation? Y

(a series of warnings)

The first warning lets you know that Windows Server 2012 has defaults for certain security settings that can affect very old OSes on the network such as Windows NT 4.0. The second warns that a DNS server delegation can't be created. Since we're installing DNS on this server as part of the DC promotion process, both of these warnings are safe to ignore.

Reboot when complete
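The whole procedure above as one phased script, added here as an example (it is not from the original post). The phases are split by the reboots the post describes, and each phase adds the check you would want before going further: the adapter alias is verified, the domain's DC locator record is resolved through the new DNS server before the join, and Test-ADDSDomainControllerInstallation is run before the real promotion. The adapter alias Ethernet, the domain lab.local and the addresses are the post's; the computer name LAB-DC02 is a placeholder.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on the
# Server Core box:  .\New-LabDC.ps1 -Phase Network   (reboots)
#                   .\New-LabDC.ps1 -Phase Join      (reboots)
#                   .\New-LabDC.ps1 -Phase Promote   (reboots when done)
param(
    [Parameter(Mandatory)][ValidateSet('Network', 'Join', 'Promote')]
    [string]$Phase,
    [string]$Adapter      = 'Ethernet',
    [string]$Domain       = 'lab.local',
    [string]$NewName      = 'LAB-DC02',    # placeholder name for the new DC
    [string]$IPAddress    = '10.0.0.10',
    [string]$Gateway      = '10.0.0.1',
    [int]   $PrefixLength = 24,
    [string]$DnsServer    = '10.0.0.100'   # an existing DC that runs DNS
)
$ErrorActionPreference = 'Stop'

switch ($Phase) {
    'Network' {
        # Same netsh/sc steps as the post: IPv6 transition adapters and IP Helper off
        netsh interface ipv6 isatap set state disabled | Out-Null
        netsh interface ipv6 6to4 set state disabled   | Out-Null
        netsh interface teredo set state disabled      | Out-Null
        Set-Service -Name iphlpsvc -StartupType Disabled
        Stop-Service -Name iphlpsvc -Force

        # Fail on a wrong alias instead of silently configuring nothing (or the wrong NIC)
        $nic = Get-NetAdapter -Name $Adapter
        if ($nic.Status -ne 'Up') { throw "Adapter '$Adapter' is $($nic.Status), not Up" }
        Disable-NetAdapterBinding -InterfaceAlias $Adapter -ComponentID ms_tcpip6

        # Static IPv4: clear DHCP/old addresses and the gateway first so New-NetIPAddress cannot collide
        Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
        Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Remove-NetIPAddress -Confirm:$false
        Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Remove-NetRoute -Confirm:$false
        New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IPAddress `
            -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
        Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServer

        # The join and the promotion both need the domain's DC locator records from this DNS server
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer | Out-Null

        Rename-Computer -NewName $NewName -Force
        Restart-Computer -Force
    }
    'Join' {
        # Prompts for an account allowed to join computers to the domain, then reboots
        Add-Computer -DomainName $Domain -Credential (Get-Credential -Message "Account to join $Domain") -Restart -Force
    }
    'Promote' {
        Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
        $cred = Get-Credential -Message 'Domain Admins account for the promotion'
        # Directory Services Restore Mode password (the SafeModeAdministratorPassword the post mentions)
        $dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

        # Dry run: surfaces the same warnings the post describes, and any real blocker, before changing anything
        $check = Test-ADDSDomainControllerInstallation -DomainName $Domain -InstallDns `
            -Credential $cred -SafeModeAdministratorPassword $dsrm
        if ($check.Status -ne 'Success') { $check | Format-List *; throw 'Prerequisite check failed' }

        # Reboots on completion by default, which is the post's final step
        Install-ADDSDomainController -DomainName $Domain -InstallDns `
            -Credential $cred -SafeModeAdministratorPassword $dsrm -Force
    }
}
```

The DSRM password is read as a SecureString rather than passed on the command line so it does not end up in the console history, and the prerequisite check is what tells you whether the two warnings the post mentions are the only ones you are about to accept.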


set and remove IP address from powershell:

Tuesday, March 10, 2015

Uninstall program from the command line, fails as non-admin, fails as admin with RUNAS

Uninstalling a program using "Run As" as an admin fails when a non-admin is currently logged in and UAC is disabled.

The problem is as follows:
Generally the helpdesk needs to uninstall/reinstall a program on an end user's PC while the end user is logged in. Another case is that an admin simply needs to uninstall a program\app\driver from a non-admin end user's computer.

The problem is that if UAC is turned OFF (never notify), you cannot remove (uninstall) a program via the runas command, even though you are running as an ADMIN. The process fails.
When I say UAC is disabled, I mean User Account Control is set to "never notify".



For Example:
Joe User (non admin) is currently logged in.
UAC is disabled on the user's PC (see image above).
You, a domain admin, are at the user's PC - either in person or via a screen sharing technology.
You run (from command line) "runas /user:BillyTheAdmin@domain.local cmd"
You are prompted for your password - you enter your password
A new command line opens with your credentials, you type "appwiz.cpl"
   (Alternatively you could have run "runas /user:BillyTheAdmin@domain.local appwiz.cpl")
add\remove programs opens, you select the program you wish to remove, click Uninstall.
You are prompted with "You must be an administrator...". The process fails; the app is not uninstalled/removed.



In the above scenario, IF UAC were ENABLED you would be prompted again for your username/password and the process would succeed.

*Note: To access the User Account Control settings as an admin, run the following:
C:\Windows\System32\UserAccountControlSettings.exe

To work around the issue and AVOID logging out the user, you can uninstall\remove apps from the command line. In this example, I want to remove the Live Meeting 2007 client.

1. Open a command prompt as an administrator
    In my example, run "runas /user:BillyTheAdmin@domain.local cmd"

2. Type WMIC and press Return. You will see a prompt that looks like this:
wmic:root\cli>

3. At the new prompt, execute the following command:
product get name

This will generate a list of installed applications. On my computer (a very fast PC) this took 30 seconds to return results, so be patient.

4. At the prompt, execute the following command:
product where name="exact product name" call uninstall
where "exact product name" is the name of the program you wish to uninstall (use the exact name from the list you just generated).

In the image below, the output is from "product get name". I want to uninstall the live meeting client.



5. When prompted, input "y" to confirm that you wish to uninstall the application and press Return. In the image below the line is very long (I tried to capture it, sorry if the image appears small).



The application will be uninstalled. You will get a quasi-useless return code.


Type "Exit" to leave WMIC
Type "Exit" to close the command line
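The same five steps done from PowerShell, added here as an example that is not from the original post. WMIC's product alias is the Win32_Product WMI class, so this is the same operation, with an exact-name match, a y/N confirmation, and the return code decoded instead of left as a bare number. Start it from the elevated shell the post opens with runas (for example runas /user:BillyTheAdmin@domain.local powershell); the product name is whatever the listing shows. The script file name is a placeholder.

```powershell
# Added example, not from the original post. Save as Uninstall-Product.ps1 and run from the
# shell opened with runas:
#   .\Uninstall-Product.ps1                          (list, like "product get name")
#   .\Uninstall-Product.ps1 -Name "Exact Product Name"
param(
    [string]$Name,     # exact product name from the listing; omit to list only
    [switch]$Force     # skip the y/N confirmation
)
$ErrorActionPreference = 'Stop'

# Win32_Product.Uninstall returns a Windows Installer exit code; these are the common ones
$msiCodes = @{
    0    = 'Success'
    1603 = 'Fatal error during installation'
    1605 = 'Product is not currently installed'
    1618 = 'Another installation is already in progress'
    3010 = 'Success, a reboot is required to finish'
}

# Enumerating Win32_Product makes the Windows Installer re-validate every installed package,
# which is why the listing takes a while and why MsiInstaller events appear in the Application log.
$products = Get-WmiObject -Class Win32_Product | Sort-Object Name

if (-not $Name) {
    # Vendor, version and product code help tell apart products with similar names
    $products | Select-Object Name, Vendor, Version, IdentifyingNumber | Format-Table -AutoSize
    return
}

# Exact match, like the where name="..." clause (PowerShell -eq on strings is case-insensitive)
$target = @($products | Where-Object { $_.Name -eq $Name })
if ($target.Count -eq 0) { throw "No installed product is named exactly '$Name'" }
if ($target.Count -gt 1) { throw "More than one product is named '$Name'; pick by IdentifyingNumber instead" }
$p = $target[0]

if (-not $Force) {
    $answer = Read-Host "Uninstall '$($p.Name)' $($p.Version) ($($p.IdentifyingNumber))? [y/N]"
    if ($answer -ne 'y') { 'Cancelled'; return }
}

# Same call WMIC makes for "call uninstall"
$code = [int]$p.Uninstall().ReturnValue
$meaning = if ($msiCodes.ContainsKey($code)) { $msiCodes[$code] } else { 'See the Windows Installer error code reference' }
"Uninstall of '$($p.Name)' returned $code ($meaning)"
if ((0, 3010) -notcontains $code) { exit $code }
```

It uses Get-WmiObject rather than the newer CIM cmdlets so it runs on the PowerShell 2.0 that shipped with Windows 7. The exit code is propagated, so a helpdesk wrapper or RMM job can tell a failed uninstall from a successful one.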

Wednesday, February 25, 2015

Lync 2010, disable "suggested contacts" from Outlook 2010

We use Lync 2010. In my scenario, I ONLY want to see GAL/GAB, Lync Enabled users in Lync. Your situation may differ.

By default Lync 2010 pulls from Outlook's contacts when using "Search" in Lync. I find this feature annoying because we don't use Lync for calls of any kind. We only use Lync for IM and Presence internally. Hence, seeing my Outlook Contacts in Lync is of ZERO use to me. All of my Contacts show up as "Presence Unknown".

Example: Tom Smith is a GAL, internal, Lync-enabled user. Tom Jones is from my Outlook contact list.

Lync - contact search1

Very simple Solution:

On the Lync Server (Management Shell):
Set-CsClientPolicy -Identity global -ExcludedContactFolders "Contacts"

This now excludes Outlook Contacts from populating Lync searches....great.

Fast Forward, upgrade Office from '07 to 2010.
Lync is now showing contacts again. This time from Outlook's "Suggested Contacts", a new feature of Outlook 2010. Suggested Contacts is a new contact folder starting in Outlook 2010. I find this feature completely useless but that is another topic.

To get Lync to stop pulling Suggested Contacts into Lync searches, run this:

Set-CsClientPolicy -Identity global -ExcludedContactFolders "Contacts;Suggested Contacts"

To view the policy:
Get-CsClientPolicy -Identity global

Check the settings:
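The two Set-CsClientPolicy changes above as one idempotent script, added here as an example that is not from the original post. ExcludedContactFolders is a single semicolon-separated string, so re-running the post's one-liner overwrites whatever was there; this version adds only the folders that are not already excluded and reads the policy back afterwards. The policy identity and folder names are the post's.

```powershell
# Added example, not from the original post. Run in the Lync Server Management Shell.
param(
    [string]$Identity = 'Global',
    [string[]]$Folders = @('Contacts', 'Suggested Contacts')
)
$ErrorActionPreference = 'Stop'

$policy = Get-CsClientPolicy -Identity $Identity
# ExcludedContactFolders is one string with folder names separated by semicolons
$current = @($policy.ExcludedContactFolders -split ';' |
             ForEach-Object { $_.Trim() } | Where-Object { $_ })
$missing = @($Folders | Where-Object { $current -notcontains $_ })

if ($missing.Count -eq 0) {
    "Policy '$Identity' already excludes: $($current -join '; ')"
    return
}

$new = ($current + $missing) -join ';'
Set-CsClientPolicy -Identity $Identity -ExcludedContactFolders $new

# Read the value back rather than trusting the call; clients pick it up at their next sign-in
$after = (Get-CsClientPolicy -Identity $Identity).ExcludedContactFolders
"Policy '$Identity' ExcludedContactFolders: '$($policy.ExcludedContactFolders)' -> '$after'"
```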

Friday, February 20, 2015

Error delegating, Outlook 2010, The Delegates were not saved correctly, cannot activate send-on-behalf-of list, KB2593557

Outlook 2010, error delegating AGAIN.

I had a previous post with problems delegating calendar access in Outlook 2007. Now I am having problems with users delegating Inbox access in Outlook 2010.

Error looks like:

Again, KB2593557 claims to fix the problem but it does NOT! It only suppresses the error.

Add "Write personal information" (and Read personal information) to the "SELF" object in AD on the ACL.

As I looked through my users (randomly), I found some user accounts already had this set properly and others did not. I do not know how or why this came about, but I intend to fix it.

I figured I would set the permission for all users at once with this script:

--== Begin Script ==--
# -ResultSize Unlimited: without it Get-Mailbox stops after 1000 mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes)
 {
 $user = $mailbox.Alias
 $mailboxname = $mailbox.Name
 Write-Host "Processing... $user,$mailboxname"
 # Identify the AD user object by distinguished name; display names need not be unique
 Add-ADPermission -Identity $mailbox.DistinguishedName -User 'NT Authority\self' `
    -AccessRights ReadProperty, WriteProperty -Properties 'Personal Information'
 }

--== End Script ==--

Save as .ps1, run from Exchange Management Shell



Monday, November 24, 2014

Booking room calendars over 180 days out on Exchange 2010 (affects Exchange 2007 also).

While booking a recurring event with a room calendar, I receive the message "This resource can only be scheduled up to 180 days in advance". Actual e-mail below. I was booking a biweekly event for a year.

-----Original Appointment-----
From: Training Room
Sent: Friday, November 21, 2014 5:16 PM
To: removed
Subject: Declined: Sales Meeting
When: Tuesday, June 09, 2015 8:30 AM-10:00 AM (UTC-05:00) Eastern Time (US & Canada).
Where: Training Room

Your meeting request was declined.

This resource can only be scheduled up to 180 days in advance. The end time should fall before 5/21/2015.

All times listed are in the following time zone: Eastern Standard Time


Come to find out that this is the default setting.

Execute Get-MailboxCalendarSettings "<mailbox alias>" | fl

Look at settings for BookingWindowInDays and EnforceSchedulingHorizon.

Change the setting with:

Set-MailboxCalendarSettings <mailbox alias> -BookingWindowInDays <Days>
OR
Set-MailboxCalendarSettings <mailbox alias> -EnforceSchedulingHorizon $False

No need to do both.
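Added here as an example that is not from the original post: the same two cmdlets applied to every room mailbox at once, reporting the current horizon and, with -Fix, widening the windows that are shorter than you need, instead of finding out one declined meeting at a time. The 365-day minimum is an assumption (it covers the year-long biweekly series in the post); the largest value BookingWindowInDays accepts is 1080.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# (Exchange 2007 or 2010):  .\Set-RoomHorizon.ps1          (report only)
#                            .\Set-RoomHorizon.ps1 -Fix     (widen short windows)
param(
    [int]$MinimumDays = 365,   # assumption; valid range is 0-1080
    [switch]$Fix
)
$ErrorActionPreference = 'Stop'

$report = foreach ($room in Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited) {
    $cal = Get-MailboxCalendarSettings -Identity $room.Identity
    # A short window only bites while the horizon is enforced
    $tooShort = $cal.EnforceSchedulingHorizon -and ($cal.BookingWindowInDays -lt $MinimumDays)
    $changed = $false
    if ($Fix -and $tooShort) {
        # Widen the window rather than disabling the horizon, so far-future bookings stay bounded
        Set-MailboxCalendarSettings -Identity $room.Identity -BookingWindowInDays $MinimumDays
        $changed = $true
    }
    New-Object PSObject -Property @{
        Room                     = $room.Name
        BookingWindowInDays      = $cal.BookingWindowInDays
        EnforceSchedulingHorizon = $cal.EnforceSchedulingHorizon
        Changed                  = $changed
    }
}

$report | Select-Object Room, BookingWindowInDays, EnforceSchedulingHorizon, Changed |
    Sort-Object BookingWindowInDays | Format-Table -AutoSize
```

Keeping EnforceSchedulingHorizon on and widening the window is the less permissive of the post's two options: it still stops someone from booking a room years out.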

Tuesday, September 2, 2014

Error trying to delegate (grant) access to my Outlook Contacts - "The Delegates settings were not saved correctly. Unable to activate send-on-behalf-of list. You do not have sufficient permission to perform this operation on this object".

I was attempting to add a user with access to ONLY my contacts. I have a few thousand contacts and I have a temp user that was helping to categorize the contacts. I was trying to get organized.


Received the error "The Delegates settings were not saved correctly...".



If you go back in to TOOLS > Options > Delegates, nothing is saved/changed. For me this is happening on both Outlook 2007 and Outlook 2010 (I have multiple computers available) w/ Windows 7, 64 bit.

Per http://support.microsoft.com/kb/2593557 :
When you add a delegate, Outlook also tries to grant "send on behalf of" permission to the delegate by default. This permission is written to the publicDelegates attribute of your user object in Active Directory.
The issue that is described in "Symptoms" can occur for either (or both) of the following reasons.
  • The global catalog (GC) server to which your Outlook client is connected is not local to your domain.

    If your Outlook client is connected to a GC that is not local to your domain, the publicDelegates attribute cannot be written to your user object in Active Directory.
  • The SELF object does not have the Write Personal Information right on your Active Directory user object.
I checked that:
[1] the GC is definitely local to my domain - I only have one domain. I have 2 GCs, both are logically local and physically local.
[2] the self object does not have the Write Personal Information right on your Active Directory account

The latter was in fact true: in ADUC (advanced view) I did not have "Write Exchange Personal Information" (image below; in the image I had already checked the box, originally it was not checked).
*edit - this is not correct, I was looking at the wrong attribute



**EDIT - this is incorrect
Unfortunately, Adding SELF to "Write Exchange Personal Information" did not fix the issue. Yes, I logged out and in. I also rebooted for good measure. Maybe I didn't wait long enough for AD replication. Regardless, I went ahead with the "Fix it for me..." from M$ http://go.microsoft.com/?linkid=9830127 and I was off to the races.

**EDIT
The attribute in question is "Write Personal Information", NOT "Write Exchange Personal Information".

*adding the proper security DOES fix the problem.

*DO NOT run the Microsoft Fix it because, upon further investigation, this does not fix the problem, it only suppresses the error message.

This can be run/scripted via PowerShell:

Add-ADPermission -Identity 'MailboxCanonicalName' -User 'NT Authority\self' -AccessRights ReadProperty, WriteProperty -Properties 'Personal Information'

To get the mailbox canonical name use:
Get-Mailbox
or
Get-Mailbox | Select-Object Name, Alias

Good Luck
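An audit to go with the Add-ADPermission one-liner above and the loop in the February 20, 2015 post, added here as an example that is not from either post. The posts grant the right blindly to every mailbox; this reads each mailbox's AD ACL with Get-ADPermission, reports which ones are missing Read or Write on the Personal Information property set for SELF, and with -Fix adds the right only where it is missing. Without -Fix nothing is changed.

```powershell
# Added example, not from the original posts. Run in the Exchange Management Shell:
#   .\Audit-SelfPersonalInfo.ps1        (report only)
#   .\Audit-SelfPersonalInfo.ps1 -Fix   (grant where missing)
param([switch]$Fix)
$ErrorActionPreference = 'Stop'
$self = 'NT AUTHORITY\SELF'

# AccessRights is a flags enum and may come back as one combined element
# ("ReadProperty, WriteProperty"), so match on its text rather than with -contains
function Test-Right($ace, [string]$Right) {
    (($ace.AccessRights | ForEach-Object { "$_" }) -join ', ') -match "\b$Right\b"
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Allow ACEs for SELF on the user object that name the Personal Information property set
    $aces = @(Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            "$($_.User)" -like '*\SELF' -and -not $_.Deny -and
            (@($_.Properties | ForEach-Object { "$_" }) -contains 'Personal Information')
        })
    $hasRead  = [bool]($aces | Where-Object { Test-Right $_ 'ReadProperty' })
    $hasWrite = [bool]($aces | Where-Object { Test-Right $_ 'WriteProperty' })

    $fixed = $false
    if ($Fix -and -not ($hasRead -and $hasWrite)) {
        Add-ADPermission -Identity $mbx.DistinguishedName -User $self `
            -AccessRights ReadProperty, WriteProperty -Properties 'Personal Information' | Out-Null
        $fixed = $true
    }
    New-Object PSObject -Property @{
        Mailbox = $mbx.Name
        Alias   = $mbx.Alias
        ReadPI  = $hasRead
        WritePI = $hasWrite
        Fixed   = $fixed
    }
}

$report | Select-Object Mailbox, Alias, ReadPI, WritePI, Fixed |
    Sort-Object WritePI, Mailbox | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.WritePI }).Count
"$missing of $($report.Count) mailboxes lacked Write 'Personal Information' for SELF"
```

Running it once without -Fix gives you the list of accounts that will hit the delegate error, and running it again after the fix (and after AD replication) confirms the right actually landed, which is the step that was missing when the "Fix it" was mistaken for a cure.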

Wednesday, August 6, 2014

e-mail missing and automatically deleted

e-mail automatically deleted - Outlook 2010

Outlook 2010, Exchange 2007 SP3, Samsung S3 Android KitKat (4.4)


Today a strange scenario happened. I was on my way into the office and checking my e-mail while driving (not preferred). I noticed a few important e-mails from a particular sender that I needed to address. The e-mails in question were mixed in with other, less important e-mails. I would reply to them from my desk PC.
 
I get to my desk and open Outlook. NONE of the e-mails, all from one sender, are in the Inbox. Weird. I look down at my phone and POOF - the e-mails are gone from the Inbox on my phone. Again, all of the e-mail in question is from one particular sender; no other e-mail is affected.
 
I search the junk e-mail, find nothing. I look in the "Deleted Items" and whamo my missing e-mail is there.
 
  • I suspected rules in Outlook. I disabled all the rules in outlook, had the sender re-send the e-mail. Straight to deleted again.
  • Next I suspected rules in OWA - disabled, same result
  • Junk mail filter? This was not even a possibility for me because the sender was internal to my organization (and in the same domain). Additionally my junk e-mail options were not set to "permanently delete...instead of moving to the junk e-mail folder". See image 1.

Permanently delete suspected - NOT CHECKED. Doesn't matter, because internal senders are not processed by the junk e-mail filter.


  • Spam filter? Again, not possible because the sender is internal. My spam filtering is done at the gateway therefore internal messages don't hit the spam filter. BTW, I am using SpamTitan - not the best, but it works.
I was just about to delve into the transport logs and message tracking logs, but I knew this would not be fruitful because, remember, I received the e-mail on my phone, and subsequently in my "Deleted Items", which means the e-mail was delivered. The e-mail in question only moved to Deleted Items AFTER I opened Outlook. Something on the client, other than the Junk E-mail filter and "rules", was processing the message.


After reviewing the e-mail in my deleted items, I found this gem "Ignore Conversation".

I never ever use the Ignore feature. I get it, but I just don't have a need for it. Somehow this got enabled for this message. I probably pulled an end-user maneuver and clicked on it instead of clicking Delete. Here comes the big punch line: I never clicked Ignore on this e-mail. Outlook thinks all messages with the SAME SENDER and the SAME SUBJECT LINE are part of the SAME CONVERSATION, even though we know this is not the case. For example, if your co-worker Bill sends you a weekly e-mail with the subject line "For your review", Outlook treats ALL of those messages as one conversation.
  • Unchecking Ignore moves ALL of the messages from that sender w/ the same subject line back to the Inbox.

Thanks for listening.