Windows Server 2012


Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.


Measuring a server's processing rate with a simple PowerShell command. The differences in processing rate were also recorded for different use cases, with the server in free and busy states.
0

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
0
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade. Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
5
 
LVL 8

Expert Comment

by:Senior IT System Engineer
Can the separate VSS volume drive be excluded from the VM backup ?
0
 
LVL 97

Author Comment

by:Lee W, MVP
That depends on your backup software.  It's not necessary to backup.  If you restored the data drive and not the VSS backup drive, then you wouldn't have VSS copies from the past.
1
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
0
A procedure for exporting installed hotfix details of remote computers using PowerShell
2
 
LVL 8

Expert Comment

by:Senior IT System Engineer
Thanks for sharing !
0
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
0
OfficeMate Freezing Error
OfficeMate Freezes on login or does not load after login credentials are input.
0
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
0
Resolve DNS query failed errors for Exchange
2
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
4
 
LVL 25

Expert Comment

by:Brian B
Good and useful article, but a warning to users who may read this: It is not recommended to just try and delete system files. Without going into a long explanation, if you use Lee's method above and find a lot of space being taken up by a specific directory, search on how to clean up that directory. Here is an example for one common place that files build up:
https://www.experts-exchange.com/searchResults.jsp?searchTerms=WINSXS+folder+clean+up&asSubmit=true&asSelected=true
0
 
LVL 97

Author Comment

by:Lee W, MVP
Brian B - EXCELLENT point - added a warning in case people read the article and not the comments.
0

You might have come across a situation where you have Exchange 2013 servers in two different sites (Production and DR). After adding the database copy in the ECP console, it displays a database copy status of Unknown for the DR Exchange server. The issue is strange, though: both Exchange logs are replicated.
0
 
LVL 12

Author Comment

by:Ganesh Kumar A
Updated in summary, objectives, subject.
0
What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (or at least you will know what to do next).
2
 
LVL 8

Author Comment

by:Hector2016
Please, don't. I had corrected it manually.
Leave it just as is.
0
Searching stars
The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Windows Server search and indexing services.
0
The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring system upon planned maintenance reboots etc.
23
 
LVL 15

Author Comment

by:Raj-GT
Hi Steve,

Thank you for the comment. I am using the InstanceIDs that correspond to the EventIDs I mentioned in the article as it is somewhat faster to execute.
Get-EventLog -LogName System -Source User32 -Newest 10 | ? { $_.EventID -eq "1074"}

Get-EventLog -LogName System -Source User32 -Newest 10 -InstanceId 2147484722

Both commands above will produce the same result.

Thanks,
Raj-GT
0
 
LVL 15

Author Comment

by:Raj-GT
An updated version of the scripts is now on GitHub at https://github.com/Raj-GT/Windows-Boot-Event-Logging
0
I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have, then you are probably more than familiar with the incredibly clunky interface, the numerous workarounds, and the awful customer support. I cannot tell you the countless hours I have spent on the phone with Cisco attempting to fix issues.

Well, I have good and bad news for you all. Cisco has "End of Lifed" this platform and will no longer continue to support or sell it. The official timeline for this is below. Those of you who have invested a lot of time and, more importantly, money into the product are probably pretty upset.

http://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/virtualization-experience-client-manager/eos-eol-notice-c51-731181.html

Well, there is a solution out there: the Dell Wyse Platform. The VXC platform was "purchased" from Wyse and simply branded by Cisco; they made a few coding changes, but all in all the source code is the same. Even the aesthetic look of the software is almost identical to the VXC. However, Wyse takes much better care of the software and has for quite some time had a version of the management software that is compatible with Windows Server 2012 R2, something those of us with Cisco have been waiting on for a while.

Wyse also releases patches much more quickly and has much better support, as well as an FAQ with discussion boards and forums. And the…
0
 
LVL 2

Author Comment

by:Bradley Bishop
How much are the Clients? We can get Wyse clients for around 300 and they are pretty good machines.
0
 
LVL 1

Expert Comment

by:jbla9028
We are looking at Wyse with Cloud Client Manager. Are you aware if it's able to manage both WyseOS and Windows Embedded TCs? We're also looking at the desktop extender LinuxOS to load on old laptops to keep them from going obsolete. Working with a rep there but haven't gotten answers yet. Looking for a way to manage all the ThinClient settings from one management interface. Switching from the Teradici zero client model.
0
Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits your environment. In this article I will attempt to list some of the elements you need to consider before choosing which edition is most appropriate for your case.

In Windows Server 2012, there are four editions: Foundation, Essentials, Standard, and Datacenter. Don’t let the naming deceive you. While the Foundation and Datacenter editions map directly to the Foundation and Datacenter editions in Windows Server 2008, the Essentials and Standard editions do not. The Essentials edition in 2012 is equivalent to the Standard and Web editions in 2008, while the Standard edition in 2012 maps to the Enterprise edition in 2008. That being said, it should be clear what is the most likely edition you want to choose when it comes to upgrading from your Windows Server 2008 environment. Please note that all Windows Server 2012 editions are 64-bit OS versions. There is no more support for 32-bit operating systems.
 

Foundation Edition

This edition is a scaled down edition of Windows Server 2012. It is intended for small businesses requiring simple file and print services and is limited to 15 users only. It can only be installed on a physical machine; the license for this edition will not allow for a virtual machine install. …
21
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
People tend to forget that the virtual machine limitation only applies to the licence of the Microsoft Server Product. The limitation does not apply to other licensed products you could have 1000 windows 7 pro virtual machines (if you have 1000 W7P licenses) or 1000 Ubuntu virtual machines.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
The description of Essentials is incorrect. Essentials is *not* analogous to standard in 2008, but is like essentials 2011. It is a unique product with special features (client backups) and unique limitations (*must* be a domain controller.)
0
This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and installed in their environment.

We will cover the following topics:
  • Installing the WSUS Role
  • Securing WSUS with SSL
  • Configuring WSUS
  • Configuring Group Policy
  • Managing Updates
  • Viewing Reports
  • Using PowerShell
  • Using wsusutil

For our test environment, we will use 3 Windows 2012 R2 servers with the following roles:
  • Domain controller
  • CA server (enterprise root)
  • WSUS

We already have a domain controller (DC1) and Certificate Authority (CA1) for mydomain.local in place.
A Windows 7 Enterprise system will also be used for this environment.
We will start with installing the WSUS role on the WSUS server.




Installing the WSUS Role


Login to the server with an account having local administrator rights.
Open Server Manager and go to Add roles and features.

Click next on the 'Before you begin' page, then next again on the 'Installation Type' page.
On the Server Selection page, select the current server if it isn't already; click next.
For Server Roles, scroll to the bottom and check Windows Server Update Services.  This will bring up a dialog box to install dependent features.  Click add features.
28
 
LVL 41

Expert Comment

by:footech
You may want to add the content from https://support.microsoft.com/en-us/help/3159706/update-enables-esd-decryption-provision-in-wsus-in-windows-server-2012-and-windows-server-2012-r2 to your article.

Just recently I configured a WSUS (on Server 2012 R2) for SSL and no clients could connect (not just Win10 clients) until I had edited the web.config file in "C:\Program Files\Update Services\WebServices\ClientWebService" (I hadn't made the changes when the update was installed).

I think it's also important to note that the order of steps is important when configuring WSUS for SSL.  As in the order you've shown, the IIS changes have to be made before running the wsusutil configuressl <fqdn> command (if the output doesn't show the https with the 8531 port you know something isn't right).
0
 

Expert Comment

by:Knowledgeable
What steps do I need to follow to set the "Enable client-side targeting" value for all Windows 7 and Windows 10 domain joined computers so that their "Target group name for this computer" value will be set to "Workstations"?

I have already followed these steps within my Server 2016 AD Domain and have given the two Server 2016 servers the "Target group name for this computer" the value of "Servers".

How can this value be added to all of the workstations within my domain through group policy without me having to manually add this value to each computer?

0
Recently, I was assigned the task of performing a hardware refresh in the datacenter. The previous Windows 2008 systems were connected to the SAN via Fibre Channel HBAs and, among other things, had PowerPath installed in order to provide sufficient failover and load balancing to a VNX. When the new equipment was purchased, part of the refresh was a migration to Windows Server 2012 R2 using Emulex FCoE adapters for connectivity.

Once the operating system was installed, I went to the Emulex website to download the appropriate drivers and network teaming software. However, I could not locate a download for the teaming software for Windows Server 2012 R2. After trying various methods, I noticed a notation at the bottom of the screen indicating that for Windows Server 2012 R2, the built-in services were to be used.

Further research found that Microsoft has also built multipath services into the 2012 R2 product. While there may be varying opinions on the need, it appears that PowerPath is no longer required when using the new Windows Server operating systems. However, if you still choose to use PowerPath, the minimum version needed is PowerPath 5.7 SP2. Otherwise, the instructions below will walk you through configuring the MPIO feature in Windows Server 2012 for multipath failover in a SAN environment.

The first step is the installation of the MPIO feature. To install this feature from the dashboard, click on the “Add Roles and Features” selection. 

6

Background Information


Recently I fixed file server permission issues for one of my clients. The client has 1800 users and one Windows Server 2008 R2 domain-joined file server with 12 TB of data and 250+ shared folders, and the folder structure is five levels deep. All shared folder access is granted on a per-user basis and no groups are defined, causing the folder access control list (ACL) to become exhausted.


The file server is part of one domain and since they have acquired another company, we have to grant the second company's users (another domain) appropriate rights to the file server data. The domain level trust is already in place.

The problem:


For many folders, administrators don’t have even read access and can’t even check folder ACL. They are unable to see the folder owner and are unable to access the folder as well and hence they are unable to handle file server access.


For example:

I went to folder properties, and it shows me that the folder is empty, when in reality the folder is not empty, but I don’t have permission to view the folder size.

I don’t have access to view the folder NTFS permissions, but I am able to view share permissions, and share permissions are full control for everyone.


I am even unable to see folder owner:

The administrator can take folder ownership forcefully with the replace permissions option, but this will destroy existing file server permissions, which is not desirable.

If I click Yes here, all existing permissions will be destroyed by granting me full control (in addition to ownership), which is not the objective here. I am forced to click No. I immediately got the following warning messages:

Unless I get folder ownership, I can’t add or modify anybody or myself on the folder access control list.

 

The root cause of this problem is that multiple users have Full Control NTFS permissions on the root folder. Some smart users have removed the built-in Administrators group from the access control list and from the owner tab. The CREATOR OWNER group is listed on the ACL of the folders, so the user who creates files and folders automatically becomes the owner of those files and folders. The permissions model became complicated. User-level access is granted instead of group access, which is difficult to track.


NTFS Folder ownership


  • Every object has an owner, whether the object is in an NTFS volume or in Active Directory Domain Services (AD DS). The owner controls how permissions are set on the object and to whom permissions are granted.
  • An administrator who needs to repair or change permissions on a file must begin by taking ownership of the file if they do not already have it.
  • By default, the owner is the entity that created the object. The owner can always change permissions on an object, even when the owner is denied all access to the object.

Ownership can be taken by:

  • The Administrators group, which by default is granted the Take ownership of files or other objects user right.
  • Any user or group who has the Take Ownership permission on the object.
  • A user who has the Restore files and directories user right.

Ownership can be transferred in the following ways:

  • The current owner can grant the Take Ownership permission to another user. The user must actually take ownership to complete the transfer.
  • A member of local administrators group can take ownership.
  • A user who has the Restore files and directories user right can double-click Other users and groups and choose any user or group to assign ownership to.

 

CREATOR OWNER

If you look at the above diagram, there is a special group called CREATOR OWNER. This group is inherited from the drive root and, because of this group, the person who creates files and folders is automatically assigned ownership of those files and folders as long as this group is listed on the ACL.

 

I have shared folders with size from 10GB to 250GB; I need some method to take ownership of all folders without destroying existing folder permissions.

There are TWO options left:

Either I take folder ownership from top to bottom without destroying existing permissions

OR

I need some user who already has got full control permissions on folder who can grant my admin account access to folder and from there I can take it ahead. There are multiple free tools available on the internet to accomplish this. Membership in the server local administrator group is the minimum prerequisite to use any tool.


Takeown – Built-in tool available in Windows-based systems for managing folder ownership


Takeown has its own limitations and can destroy existing NTFS permissions in addition to taking folder ownership. In order to take ownership with the Takeown utility without destroying existing permissions, you must have at least read permissions on the folder and files; otherwise you cannot take ownership. So the verdict is that, until you get ownership of all subfolders and files, you have to run the two commands below one after the other, again and again.

    takeown /f <directory path> /r /a
    where
    /f stands for file \ folder
    /r stands for recursive
    /a stands for administrators group

    AND

    Icacls <Directory Path> /grant administrators:f /t
    /t switch will take care of sub folders and files
    f stands for full control permission

    Example:
    takeown /f C:\TFolders /r /a
    Icacls C:\TFolders /grant administrators:f /t

In the above example, Takeown has assigned ownership of only the "C:\TFolders" folder root to the administrators group, even though you specified the /r switch for recursive ownership, because you do not have read permissions on the subfolders and files. If you press Y when prompted by the above command, all folder permissions will be destroyed and only your admin account will be granted full control permissions. You can specify the additional /D switch with a Y or N parameter to suppress every permission replacement prompt. At this point you have ownership of the root folder only; you still don’t have ownership of the subfolders, nor any permission on the root folder or subfolders.


This is the same case when you try to take folder ownership from the GUI in recursive mode:

In the above snapshot, if you select yes, it will destroy existing folder permissions by granting you full control in addition to ownership.

 

Now that you have ownership of the root folder, you need to run the command below with the Icacls built-in Windows utility to grant administrators full control. This utility will grant administrators full control on the root folder only, because you don't have ownership of the rest of the subfolders and files yet.

Again you have to run the Takeown utility to take ownership of further subfiles and subfolders, since you now have access to the root folder.

Once you have ownership of further folders, again you need to assign permissions with the Icacls utility as shown below.

In the above diagram there is still one access denied error. You need to run both commands multiple times until you get ownership of and access to the entire folder. Then you can manage all aspects of that folder.

  

Subinacl – Free utility available from Microsoft

 

SetACL and Subinacl are very powerful tools and can do much more than Takeown. I prefer these tools over Takeown utility. The major advantage of these tools is that they can take ownership of entire folder, including subfolders and files regardless of access permissions in one shot without destroying existing permissions, even if you don’t have read permissions on the folder root, subfolders and files.


Syntax of command:

    Subinacl /noverbose /Subdirectories <Directory Path> <action parameter>

    Ex:
    To take ownership of folder root:
    Subinacl /noverbose /Subdirectories F:\Projects\1016120 /setowner=administrators
    If the folder name contains spaces:
    Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /setowner=administrators

    To take ownership of all sub folders and files underneath root folder:
    Subinacl /noverbose /Subdirectories F:\Projects\1016120\* /setowner=administrators
    If the folder name contains spaces:
    Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /setowner=administrators

    To grant administrators full control on folder root:
    Subinacl /noverbose /Subdirectories F:\Projects\1016120 /grant=administrators=f
    If the folder name contains spaces:
    Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /grant=administrators=f

    To grant administrators full control on all subfolders and files underneath folder root:
    Subinacl /noverbose /Subdirectories F:\Projects\1016120\* /grant=administrators=f
    If the folder name contains spaces:
    Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /grant=administrators=f


The example below shows how to take folder ownership and access with Subinacl tool. The tool can take ownership of all subfolders and files including root folder and can grant full control access to the built-in administrators group without destroying any existing permissions.

The Subinacl utility gives you one additional facility: it allows you to back up NTFS security along with ownership on an entire folder before making any changes. In case you make a mistake while taking folder ownership or modifying the folder access control list, you can restore the entire NTFS access control list.


Syntax of command:

    Subinacl /noverbose <action parameter> /subdirectories <Directory path>

    To backup NTFS permissions of root folder:
    Subinacl /noverbose /output=C:\TFolders_Root.txt /subdirectories C:\TFolders
    If the folder name contains spaces:
    Subinacl /noverbose /output=C:\MyData_Root.txt /subdirectories "C:\My Data"

    To backup NTFS permissions of all sub folders and files underneath root folder:
    Subinacl /noverbose /output=C:\TFolders_Child.txt /subdirectories C:\TFolders\*
    If the folder name contains spaces:
    Subinacl /noverbose /output=C:\MyData_Child.txt /subdirectories "C:\My Data\*"

    To restore NTFS permissions on folder root:
    Subinacl /noverbose /playfile C:\TFolders_Root.txt

    To restore NTFS permissions on sub folders:
    Subinacl /noverbose /playfile C:\TFolders_Child.txt

    The 1st command will restore security on root folder (C:\TFolders)
    The 2nd command will restore security on all subfolders and files underneath folder root (C:\TFolders\*)

For example:

The Subinacl command line reference help file is attached here: subinacl.zip


SetACL

The command line version is freeware. There is no need to install as it is a standalone .exe file. Download it, and use it from elevated command prompt. This utility also works great like Subinacl, capable of taking folder ownership and granting folder access without destroying existing folder permissions.


Syntax of command:

    SetAcl -on <Directory Path> -ot <object type> -actn <parameter> -rec cont_obj -silent
    Where
    -on stands for "object name", the name of the directory
    -ot stands for "object type"
    -actn stands for action to be performed, setting up owner (setowner) in our case
    -rec stands for recursive action, to be carried out on all sub folders and files (cont_obj)
    -silent no output will be printed on screen.

    Ex:
    To set owner on entire folder:
    SetAcl -on C:\TFolders -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent
    If the folder name contains spaces:
    SetAcl -on "C:\My Imp Data" -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent

    To grant administrators group full control on entire folder:
    SetAcl -on C:\TFolders -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent
    If the folder name contains spaces:
    SetAcl -on "C:\My Imp Data" -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent

For example:

The above commands will assign ownership of the entire folder to the built-in administrators group and will grant full control access permissions without destroying any existing folder permissions. You can refer to the SetACL online command reference for more information: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/


Some best practices about setting up standard share folders to minimize management efforts:


  1. Always share folders with Everyone: Full Control share permissions.
  2. Control user access through the NTFS access control list.
  3. In order to control user access through NTFS permissions, disable inheritance from the advanced NTFS security page on the root share folder.
  4. Avoid granting users full control NTFS permissions on root shares and subfolders unless absolutely necessary.
  5. Ensure that the server local administrators group has full control NTFS permissions on the root share and has root folder ownership as well. Never grant individual administrators full control NTFS permissions.
  6. Remove the CREATOR OWNER group from the root share. This is the main culprit that can cause most folder ownership and access issues. Removing it will ensure that individual users never get ownership of subfolders and files.
  7. Try to avoid granting deny permissions to users or groups on the NTFS access control list.
  8. Avoid granting permissions to individual users on the shared folder access control list as far as possible.
  9. Instead of adding individual users to the access control list, create global security groups, add the required users to them, and grant these security groups appropriate rights on the access control list.
  10. The process to set up roaming profiles is a bit different from the above; by default these folders are not accessible to administrators. However, you can apply group policies in advance on the server where you want to store roaming profiles so that the built-in administrators group can have access to roaming profile folders if necessary. The GPO setting "Add the administrator’s security group to roaming user profiles" can be found under Computer configuration => Administrative templates => System => User profiles. A great article is already published on the TechNet blog to set up Roaming Profiles \ home directories: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx
  11. Another option is to take complete roaming profile share ownership with SetACL or Subinacl without destroying the existing ACL, and then add the administrators group to the roaming profile root share. That will eventually be inherited by subsequent profile folders.
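
A read-only audit for the conditions this article describes: folders whose ACL an administrator cannot read, owners other than the Administrators group, CREATOR OWNER entries, and Full Control granted to other principals. This is an added example, not the author's script; the function names are hypothetical and `C:\TFolders` is the article's sample path.

```powershell
# Added example: read-only audit of a share root. Nothing here changes owners or ACLs.
# $Root defaults to the sample path used in the article; run from an elevated prompt.
param([string]$Root = 'C:\TFolders')

# Well-known SIDs, so the checks do not depend on the OS display language.
$SidAdministrators = 'S-1-5-32-544'   # BUILTIN\Administrators
$SidSystem         = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$SidCreatorOwner   = 'S-1-3-0'        # CREATOR OWNER
$FullControl       = [System.Security.AccessControl.FileSystemRights]::FullControl
$SidType           = [System.Security.Principal.SecurityIdentifier]

function Resolve-SidName {
    # Hypothetical helper: SID -> DOMAIN\name, falling back to the raw SID.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # orphaned or unresolvable SID
}

function Get-FolderAclFinding {
    # Hypothetical helper: inspects one folder and returns a finding object.
    param([string]$Path)

    $finding = [pscustomobject]@{
        Path                = $Path
        AclReadable         = $true
        Owner               = $null
        OwnerIsAdmins       = $false
        CreatorOwnerAce     = $false
        NonAdminFullControl = ''
    }

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    catch {
        # The article's problem case: the ACL and owner cannot be read at all.
        $finding.AclReadable = $false
        return $finding
    }

    $ownerSid = $acl.GetOwner($SidType)
    if ($ownerSid) {
        $finding.Owner         = Resolve-SidName $ownerSid
        $finding.OwnerIsAdmins = ($ownerSid.Value -eq $SidAdministrators)
    }

    $holders = @()
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $rule.IdentityReference.Value
        if ($sid -eq $SidCreatorOwner) { $finding.CreatorOwnerAce = $true; continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($sid -eq $SidAdministrators -or $sid -eq $SidSystem) { continue }
        # Matches ACEs stored as specific rights; ACEs stored as generic
        # rights (GENERIC_ALL) are not matched by this test.
        if (($rule.FileSystemRights -band $FullControl) -eq $FullControl) {
            $holders += Resolve-SidName $rule.IdentityReference
        }
    }
    $finding.NonAdminFullControl = ($holders | Sort-Object -Unique) -join '; '
    return $finding
}

function Get-ShareAclReport {
    # Hypothetical helper: audits the root and every folder that can be enumerated.
    param([string]$Path)
    $folders = @($Path)
    # Folders that cannot be listed are skipped here, but each one is still
    # visible in its parent's listing and is reported with AclReadable = False.
    $folders += Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object { $_.FullName }
    foreach ($folder in $folders) { Get-FolderAclFinding -Path $folder }
}

# Show only folders that deviate from the best practices listed above.
Get-ShareAclReport -Path $Root |
    Where-Object {
        -not $_.AclReadable -or -not $_.OwnerIsAdmins -or
        $_.CreatorOwnerAce -or $_.NonAdminFullControl
    } |
    Format-Table -AutoSize
```

Running it before and after the ownership commands shows which folders still need attention; pipe the output of `Get-ShareAclReport` to `Export-Csv` to keep a record.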
9
 
LVL 38

Author Comment

by:Mahesh
Thanks

There is a slight difference between Authenticated Users and Everyone.
The Everyone group contains the Guest, IUSR and IWAM accounts in addition to authenticated users \ domain users in trusted domains and forests.
Previously anonymous users were part of the Everyone group, but with 2003 AD, this was removed.

The Authenticated Users group includes all users whose identities were authenticated when they logged on. This includes local user accounts as well as all domain user accounts from trusted domains and forests.
Authenticated Users does not contain the guest, IUSR, IWAM, Anonymous, local service and network service accounts.
Normally these accounts cannot log on to any machine to access shared resources, and the guest account is disabled by default unless you enable it.

As a fact I really do not see a noticeable difference between the two, however you may use Authenticated Users instead of Everyone.
The major permissions control remains on NTFS permissions.

Probably we need to disable UAC, otherwise it will prompt unnecessarily; in some organizations they have a policy to keep UAC enabled.

Normally I do want to clear Creator Owner from the share folder root at the beginning; you can remove it from the drive root, however I don't think it is required.

I observed on 2012 and above servers that if you are a server administrator and you try to open a share folder for which you don't have access on the NTFS ACL through its local path, it will show a popup so that you can click Continue and get access.
0
 

Expert Comment

by:Gaurav Chauhan
Many thanks for this detailed article. This subinacl tool is just awesome, far better than icacls; it solved my greatest problem. Now I am surprised why this tool is mentioned nowhere; this should be promoted as a built-in tool by Microsoft. Many thanks again.
1

Active Directory DFSR sysvol is a very robust sysvol replication engine.

It has a number of benefits over conventional FRS sysvol.

Check the article below for more information:

http://blogs.technet.com/b/askds/archive/2010/04/22/the-case-for-migrating-sysvol-to-dfsr.aspx


The major benefit is that DFSR has a self-healing system for problems like database corruption or journal wraps. However, sometimes due to DNS problems, replication latencies or network problems, sysvol might stop replicating on a specific domain controller. You might see event ID 4012 on the domain controller in the DFSR event logs.

In that case you need to restore \ refresh the sysvol folder contents authoritatively \ non-authoritatively, depending upon the situation.


I have seen many Active Directory Distributed File System Replication (DFSR) sysvol restoration articles, but most of the articles do not mention correct sequence \ restoration steps, especially for DFSR Sysvol Authoritative Restore. This process is explained in http://support.microsoft.com/kb/2218556.


However, the Microsoft article is not clear when to stop and start the DFSR service and on which server. This can lead to confusion, misunderstanding and even doing it wrong.


Hence I have set up a test lab and tried various sequences and found the correct sequence.


With Windows 2008 and later domain controllers and domain functional levels, you can have the Active Directory Sysvol replicated with DFSR, which is more robust and reliable than FRS replication technology.


There are two types of DFSR sysvol restore available:

  1. DFSR Sysvol Authoritative Restore
  2. DFSR Sysvol Non Authoritative Restore


DFSR Sysvol Authoritative restore

If your DFSR-replicated sysvol is not replicating on any domain controller in the entire domain, because it is broken and corrupted on all domain controllers (a very rare situation), you need a DFSR sysvol authoritative restore.

This restore should be done on the primary domain controller (PDC) master server because the PDC is the server where the most recent Sysvol data resides.

 

High level approach for this restore:


  1. Disable DFSR sysvol replication on all DCs including PDC master server
  2. Then you should initiate DFSR sysvol authoritative restore on PDC
  3. Once authoritative restore gets completed successfully, then you should initiate non authoritative restore of DFSR sysvol on other ADC servers one by one.


Steps to perform an authoritative restore of DFSR SYSVOL (like "D4" for FRS)


Step 1

On the PDC master server (you can pick another additional domain controller (ADC) to make it authoritative if you prefer), open the ADSIEDIT.MSC tool, load the domain directory partition, open the properties of the following DN and edit the two attributes mentioned below:


CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=PDC,OU=Domain Controllers,DC=domain,DC=com
(Replace PDC with name of your primary DC server)



msDFSR-Enabled = FALSE
msDFSR-Options = 1


msDFSR-Options set to 1 is required to make that server authoritative for DFSR Sysvol replicated folder.


Step 2

Navigate to the following DN and edit a single attribute for all other domain controllers in that domain, one by one:


LocalSettings,CN=ADC,OU=Domain Controllers,DC=domain,DC=com
(Replace ADC with the other additional DCs one by one)

msDFSR-Enabled = FALSE


Step 3

Force Active Directory replication throughout the domain. You can run the repadmin /syncall command on all DCs OR you can do that through the AD sites and services manually for all DCs.


Step 4

Run the following command from an elevated command prompt on the PDC (the same server that you set as authoritative) and all other ADC servers


DFSRDIAG POLLAD


This command makes that DC poll AD immediately for DFSR configuration changes.


Step 5

Stop the DFSR service on all domain controllers including the PDC (the server where you want to restore DFSR Sysvol authoritatively). This step is required so that the DCs stop communicating with the DFSR Sysvol database and cannot make changes or modifications to the DFSR configuration. This step is not given in the original MS KB article.


Step 6

Start the DFSR service on the PDC (the server where you want to restore DFSR Sysvol authoritatively) ONLY.


On the same server, you will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on the PDC, because the msDFSR-Enabled value is still set to FALSE.

Step 7

On PDC go to the Properties of same DN from Step 1 and set:


msDFSR-Enabled= TRUE


This will ensure that this PDC server is the primary member for the DFSR replicated folder. This will also resume DFSR replication on the PDC server only; DFSR replication on other DCs is still disabled.


Note that while you have enabled DFSR replication on this DC (PDC) authoritatively, you must ensure that the DFSR service has been stopped on the other DCs, and that DFSR replication is in the disabled state there. Otherwise it leads to DFSR database conflicts and issues. I have seen many DFSR restoration articles, however they did not mention this precaution.

Step 8

Force Active Directory replication throughout the domain. You can run the repadmin /syncall command on all DCs OR you can do that through the AD sites and services manually for all DCs.


Step 9

Run the following command from an elevated command prompt on the PDC:


DFSRDIAG POLLAD


This command makes that DC poll AD immediately for DFSR configuration changes. On the same server, you will see Event ID 4602 in the DFSR event log indicating SYSVOL has been initialized. That domain controller (PDC) has now done a “D4” of SYSVOL successfully.

Step 10

Start the DFSR service on the other non-authoritative ADC servers one by one. On those servers, you will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them. Starting the DFSR service enables these DCs to start accessing the DFSR configuration database; however, DFSR replication is still not enabled.

Step 11

From Adsiedit.msc, go to the properties of the same DN as in Step 2 and edit a single attribute for all other domain controllers in that domain, one by one:


msDFSR-Enabled = TRUE


This step will enable DFSR replication across the domain controllers, and they will start non-authoritatively restoring DFSR Sysvol.

Step 12

Force Active Directory replication throughout the domain. You can run the repadmin /syncall command on all DCs OR you can do that through the AD sites and services manually for all DCs.


Step 13

Run the following command from an elevated command prompt on all ADC Servers (non-authoritative DCs) one by one:


DFSRDIAG POLLAD 


On the ADC servers, you will see Event ID 4604 in the DFSR event log indicating SYSVOL is now initialized and replicating correctly on each of them. These domain controllers have now done a “D2” of SYSVOL successfully.


DFSR Sysvol Non Authoritative restore


If your DFSR-replicated sysvol is not replicating on a specific domain controller, you need a DFSR sysvol non-authoritative restore.

This restore should be done on the problematic ADC server, where you want to refresh Sysvol data from another healthy DC (probably the PDC) where Sysvol is healthy and replicating correctly.

High level approach for this restore:


  1. Disable DFSR sysvol replication on problematic ADC
  2. Then you should initiate DFSR sysvol non authoritative restore on that ADC


Steps to perform a non-authoritative restore of DFSR SYSVOL (like "D2" for FRS)


Step 1

On the problematic ADC, or the server where you want to initiate the non-authoritative restore, open the ADSIEDIT.MSC tool, go to the following distinguished name (DN) and edit the attribute below:


LocalSettings,CN=ADC,OU=Domain Controllers,DC=domain,DC=com

msDFSR-Enabled = FALSE

Step 2

Force Active Directory replication throughout the domain.


Step 3

Run the following command from an elevated command prompt on the same server that you set as non-authoritative:

DFSRDIAG POLLAD

On the same server, you will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.

Step 4

Restart the DFSR service on the same server from an elevated command prompt or from the services console.


Step 5

On the same DN from Step 1, set:

 

msDFSR-Enabled= TRUE


Step 6

Force Active Directory replication throughout the domain.


Step 7

Run the following command from an elevated command prompt on the same server that you set as non-authoritative:

DFSRDIAG POLLAD

On the same server, you will see Event ID 4614 followed by 4604 in the DFSR event log indicating SYSVOL has been initialized successfully. That domain controller has now done a “D2” of SYSVOL.

I have tested the above process in a test lab on two Windows 2008 R2 domain controllers with Windows 2008 domain and forest functional level.
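
A read-only way to confirm where each domain controller stands between the steps of either restore above, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 with the ActiveDirectory module and rights to read remote event logs; the variable names and the `$checkpoints` table are this example's own, with the event meanings taken from the article's wording.

```powershell
# Added example: read-only status check for the DFSR SYSVOL restore sequence.
# Assumes Windows PowerShell 5.1, the ActiveDirectory module (RSAT) and
# permission to read services and event logs on every DC.
Import-Module ActiveDirectory

# Event IDs the article uses as checkpoints, with the meaning it gives them.
$checkpoints = @{
    4012 = 'SYSVOL stopped replicating on this DC'
    4114 = 'replication disabled (msDFSR-Enabled = FALSE)'
    4602 = 'authoritative restore finished ("D4")'
    4614 = 'seen before 4604 during non-authoritative restore'
    4604 = 'non-authoritative restore finished ("D2")'
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # DN pattern from Step 1, built from this DC's own computer object.
    $dn = 'CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,' +
          $dc.ComputerObjectDN

    # Query each DC for its own copy of the object, so a change that has not
    # replicated yet (the forced replication steps) shows as a mismatch.
    $sub = Get-ADObject -Identity $dn -Server $dc.HostName `
               -Properties 'msDFSR-Enabled', 'msDFSR-Options'

    # Get-WinEvent returns newest first, so MaxEvents 1 is the latest checkpoint.
    $last = Get-WinEvent -ComputerName $dc.HostName -MaxEvents 1 `
                -ErrorAction SilentlyContinue -FilterHashtable @{
                    LogName = 'DFS Replication'
                    Id      = @($checkpoints.Keys)
                }

    [pscustomobject]@{
        DC          = $dc.Name
        IsPDC       = $dc.OperationMasterRoles -contains 'PDCEmulator'
        Enabled     = $sub.'msDFSR-Enabled'
        Options     = $sub.'msDFSR-Options'
        DfsrService = (Get-Service -Name DFSR -ComputerName $dc.HostName).Status
        LastEventId = if ($last) { $last.Id } else { $null }
        LastEvent   = if ($last) { $checkpoints[[int]$last.Id] } else { 'none found' }
        LoggedAt    = if ($last) { $last.TimeCreated } else { $null }
    }
}

# PDC first, then the ADCs, one row per domain controller.
$report | Sort-Object IsPDC -Descending | Format-Table -AutoSize
```

The script changes nothing; run it after each forced replication and each DFSRDIAG POLLAD to see whether every DC reports the attribute values and event ID that the current step expects.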


Any comments are welcome.

Please endorse if you like the Article

8
 

Expert Comment

by:Oleg Zolotarenko
Excellent article. Very Good article! I'll mention your article as a reference here. Thanks. The clue is event 4602 in the end on all DC.
0
 
LVL 38

Author Comment

by:Mahesh
Thanks @Oleg Zolotarenko and @Andrew Grant

I honor your comments

If you could please endorse the article...

Mahesh.
0
Every now and then, Microsoft does something that totally impresses me. It doesn't happen often, but in this case I must say I am thoroughly impressed with Windows Server Backup. One of the long-time issues with Windows Backup has been the ability to send your backups to a location not on the local machine. In fact the limitation is still there. Many of us have gotten around this by setting up a NAS or SAN device and then connecting to the server via iSCSI. But what if I simply want to use a network share? Here's how I did it.

Simply create a VHD in Disk Manager! OK, maybe not that simple: there are some issues with this method, like VHDs that do not reconnect after the system is rebooted (Really Microsoft?), so you need to create a scheduled task to reconnect the VHD. Otherwise it's pretty straightforward.

The first step is to create the VHD; this is easy to do in Disk Management. Open Disk Management by going to Control Panel > Administrative Tools and opening Computer Management, then drill down to Disk Management.

Right-click on Create VHD, then fill in the blanks. I recommend using a VHDx because you can create drives larger than 2TB, up to 64TB; the only caveat is that only Windows Server 2012 and Windows 8 can read VHDx. I also recommend using Dynamically Expanding so that the file space is not used unless it is needed. The location can be a mapped drive or a UNC path like \\SERVER\FOLDER\FILE.VHDX.
13
 
LVL 9

Author Comment

by:Frank McCourry
Why are my images there when I edit the article, but missing when I submit?
0
Storage Spaces Cluster JBOD
The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
14
My GPOs made for 2008 R2 servers were not allowing me to RDP into a new 2012 server by default. That’s why I tried to allow RDP via PowerShell, because I could log into a remote shell without further configuration.
Below I describe how I went step by step to find and change the necessary setting.

In a NON-Admin session, one of the first things I do is save my admin credentials.
$cred = Get-Credential

A window will open where you can enter your admin-user credentials; they are now stored in $cred, so there is no need to enter them over and over again.

Now I connect to the server where I want to enable the RDP connection:
Note: IP addresses will not work here
Enter-PSSession servername -Credential $cred

The Get-PSDrive cmdlet shows me the available providers I can connect to: by default, for example, the filesystem, Registry, ActiveDirectory or Certificate Store.
Get-PSDrive


Output example:
Name           Used (GB)     Free (GB) Provider      Root
----           ---------     --------- --------      ----
Alias                                  Alias
C                 402,81         46,34 FileSystem    C:\ 		-> Filesystem
Cert                                   Certificate   \			-> Certificate Store 
HKCU                                   Registry      HKEY_CURRENT_USER 	-> Registry
HKLM                                   Registry      HKEY_LOCAL_MACHINE	-> Registry


I was interested in editing the Registry, so I connect to HKEY_LOCAL_MACHINE:
cd HKLM:

I don't remember the exact location of the Registry entry that allows the RDP connection, but it was under "Control":
cd '.\SYSTEM\CurrentControlSet\Control'

This was the part I could remember. Now I have to search for the missing part by pattern, because it was something like *Fdeny*:
ls -Recurse -ea SilentlyContinue | where-object {($_.property -LIKE "*fdeny*")}

Output:

3
2
Table of Contents:
Lesson 1 - Installing Windows Server 2012
Lesson 2 - Configuring Server 2012
Lesson 3 - Active Directory (this article)

Windows Server 2012 Active Directory

Following the previous lessons, we have installed and configured our server. Now we are going to create users and connect them on the client PCs.

NOTE:
Active Directory: the software role to be installed on the server, which will contain users, computers, Organization Units and others.
Domain: the repository in which users are defined. Each Server can have one domain.

So let's proceed. Log in to the server with your administrator account. If you don't see the Server Manager window, click on its icon in the lower left corner. From the Server Manager Dashboard, click on Add Roles and Features. You will get the Before You Begin screen (usually basic information; you can skip it in future).
You will need to select the Installation Type. Since this is a standalone server, we will select the Role Based or Feature Based Installation.
Select the Destination Server. This defines which server to install the role or feature on, in case you have multiple servers. In our case we have only one server (our server name, as described before, is server12 with IP 192.168.174.128).
Now we are going to select our server role. In this tutorial we are going to select Active Directory Domain Services.
5
 
LVL 10

Author Comment

by:Sam Simon Nasser
One small question: I have submitted this article on June 20th, but under my name at the top of the page, it's mentioned (Posted on 2013-05-20 at 05:06:23), which is the day on which I started composing this article.

Is there a way to change this date, or is it common in EE that it's the date of composing?

regards.
0
 
LVL 10

Author Comment

by:Sam Simon Nasser
June 12 not 20th .... sorry
0
