Determine & Change Tombstone Lifetime in Active Directory

Recently, I wanted to know what the tombstone lifetime was in my environment and decided to find this using PowerShell. There are a number of ways I could do this but dong it through PowerShell would be much easier. For those of you that are new to the attribute, a good explanation of it is:

The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object.

Tombstone Lifetime is used to determine how long a deleted object in the Active Directory database (NTDS.dit) is stored. When object is deleted, it does not immediately delete from the AD database. Instead, the object as deleted is marked where the is-Deleted attribute is set to true. Additions, most attributes are removed and the object will be renamed as follows: CN=<old RDN>\0ADEL:<objectGUID>

After renaming the object is moved to the hidden Deleted Objects container. At this time, the deleted object is referred to as tombstone. Then replicates these changes to all other DCs. Only when the tombstone lifetime has been exceeded, the object is permanently removed from the AD database.

The tombstone lifetime is set with the install of the first DCs in a forest for all domains. The tombstone lifetime is not configurable per domain.

Windows 2000 (all SPs) = 60 days

Windows Server 2003 without SP = 60 days

Windows Server 2003 with SP1 = 180 days

Windows Server 2003 R2 with SP1 installed with both R2 discs = 60 days

Windows Server 2003 R2 with SP1 installed only with the first R2 Disc = 180

daysWindows Server 2003 with SP2 = 180 days

Windows Server 2003 R2 with SP2 = 180 days

Windows Server 2008 = 180 days

Windows Server 2008 R2 = 180 days

Windows Server 2012 = 180 days

Windows Server 2012 R2 = 180 days

Windows Server 2016 = 180 days

Windows Server 2019 = 180 days

More info:https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc137800(v=msdn.10)

AD Recycle Bin

The AD Recycle Bin enables rapid restoration of deleted objects without a restore operation by implementing two new attributes, and using two existing attributes:

isDeleted
- Has existed since Windows 2000
- Exists on every object
- Describes if an object is deleted but restorable
isRecycled
- New to Windows Server 2008 R2
- Exists on every object once it is recycled
- Describes if an object is deleted but not restorable
msDS-deletedObjectLifetime
- New to Windows Server 2008 R2
- Is set on the “CN=Directory Service,CN=Windows NT, CN=Services, CN=Configuration, DC=COMPANY,DC=COM” container
- Describes how long a deleted object will be restorable
tombstoneLifetime
- Has existed since Windows 2000
- Is set on the “CN=Directory Service,CN=Windows NT, CN=Services, CN=Configuration, DC=COMPANY,DC=COM” container
- Describes how long a deleted object will not be restorable

Basically, I wanted to know how long I had to recover if (in my case) one of my domain controllers were down for an extended period of time. For more information on the fun that can occur if this happens and it is down beyond the tombstone lifetime, check out this article: http://technet.microsoft.com/en-us/library/cc786630(v=ws.10).aspx

Determining Tombstone Lifetime:

PowerShell Code:

Write-Output “Get Tombstone Setting `r”
#Import the AD Module
Import-Module ActiveDirectory

#Get the Domain Configuration
$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

#Get Schema details
$DirectoryServicesConfigPartition = Get-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Properties *

#Store the tombstone value
$TombstoneLifetime = $DirectoryServicesConfigPartition.tombstoneLifetime

#Result
Write-Output “Active Directory’s Tombstone Lifetime is set to $TombstoneLifetime days `r “

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

Write-Output “Get Tombstone Setting `r”

#Import the AD Module

Import-Module ActiveDirectory

#Get the Domain Configuration

$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

#Get Schema details

$DirectoryServicesConfigPartition = Get-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Properties *

#Store the tombstone value

$TombstoneLifetime = $DirectoryServicesConfigPartition.tombstoneLifetime

#Result

Write-Output “Active Directory’s Tombstone Lifetime is set to $TombstoneLifetime days `r “

Upon successful execution it should return a numeric value and that’s how many days before the DC tombstones.

Did you know...

If the attribute’s value shows blank then it is setup as ‘not set’ , the tombstone lifetime of the forest is 60 days.

This happens if your enviornment has gones throught a few generations of upgrades! 🙂

Changing Tombstone Lifetime:

PowerShell:

#Import the AD Module 
Import-Module ActiveDirectory

#Get the Domain Configuration
$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

#Set the TombStone Lifetime
Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Replace @{tombstonelifetime=’365′}

1

2

3

4

5

6

7

8

#Import the AD Module

Import-Module ActiveDirectory

#Get the Domain Configuration

$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

#Set the TombStone Lifetime

Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Replace @{tombstonelifetime=’365′}

This same process can be leveraged to identify the msDS-deletedObjectLifetime value (180 days by default).

The tombstone lifetime of an AD forest can be modified using the ADSIEdit tool by following this procedure:

At an elevated command prompt, type adsiedit.msc.
Right-click ADSI Edit in the left pane and select Connect to.
In the Connection Point section, select the Select a well known Naming Context radio button and select Configuration from the dropdown list.
Expand Configuration; CN=Configuration,DC=<forest_root_domain>; CN=Services; and CN=Windows NT
Right-click CN=Directory Service and select Properties.
In the Attribute Editor tab of the properties window, locate the tombstoneLifetime attribute. The value of this attribute represents the forest’s current tombstone lifetime in days. If the attribute’s value shows <not set>, the tombstone lifetime of the forest is 60 days.
To modify the tombstone lifetime, click Edit.
Type the desired tombstone lifetime and click OK. Click OK again to close the properties window. The change takes effect immediately.

Date February 5, 2019
Author mo wasay
Comments No Comments

How to Enable or Disable Collect Activity History in Windows 10

Microsoft Windows 10 still collects activity data even when tracking is disabled., but there is a new workaround way to block it. 🙂

Starting with Windows 10 build 17040, Microsoft added settings that let you to view and manage your activity history, which Cortana uses to let you pick up where you left off. Your collected activity history allows you to jump back into what you were doing with apps, docs, or other activities, either on your PC or your phone. To resume your activities, Windows needs to collect your PC activity.

If you like, you can enable or disable letting Windows collect User Activities.

If enabled, Let Windows collect my activities will be turned on for all users, but users will still be able to turn this setting on or off for their account.
If disabled, Let Windows collect my activities will be turned off for all users, and users will not be able to turn this setting on or off for their account.

To enable or disable Activity history settings to let Windows collect User Activities for all users in Windows 10.

You must be signed in as an administrator to enable or disable online tips and help for the Settings app
Timeline requires the Windows Search service to be enabled, running, and set to Automatic (Delayed Start).

Enable or Disable Collect Activity History in Local Group Policy Editor

Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

All editions can use Option TWO below.

1. Open the Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)

Computer Configuration\Administrative Templates\System\OS Policies

In the right pane of OS Policies in Local Group Policy Editor, double click/tap on the Allow publishing of User Activities policy to edit it. (see screenshot above)

4. Do step 5 (enable) or step 6 (disable) below for what you would like to do.

5. To Enable Collect Activity History – Select (dot) Not Configured or Enabled (recommended), click/tap on OK, and go to step 7 below. (see screenshot below)

NOTE: Not Configured is the default setting.

6. To Disable Collect Activity History – Select (dot) Disabled, click/tap on OK

Enable or Disable Collect Activity History using a REG file (Workaround) 🙂

The downloadable .reg files below will add and modify the DWORD value in the registry key below.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
PublishUserActivities DWORD
0 = Disable
1 = Enable

To Enable Collect Activity History

Download : Enable_Activity_history.reg

To Disable Collect Activity History

Download : Disable_Activity_history.reg

Save the .reg file to your desktop.
Double click/tap on the downloaded .reg file to merge it.
When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
Sign out and sign in to apply.

Date December 13, 2018
Author mo wasay
Comments No Comments

Convert a Dynamic IP to Static

Working on a project where on some servers the DHCP assigned addresses needs to be converted to static. Since there is always more than one…I needed to script it.

Here is a quick way to do it via PowerShell.

#SwitchIPtoStatic.ps1
#Get All the adapters that are on the Server
$adapters = gwmi -cl win32_networkadapterconfiguration | ? {($_.ipaddress) -and $_.dhcpEnabled -eq 'True' }

foreach ($adapter in $adapters) {
    # Get original settings
    $ipAddress = $adapter.IPAddress
    $subnetMask = $adapter.IPSubnet
    $dnsServers = $adapter.DNSServerSearchOrder
    $defaultGateway = $adapter.DefaultIPGateway

    # Set to static and set dns and gateway:
    $adapter.EnableStatic($ipAddress,$subnetMask)
    $adapter.SetDNSServerSearchOrder($dnsServers)
    $adapter.SetGateways($defaultGateway)
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

#SwitchIPtoStatic.ps1

#Get All the adapters that are on the Server

$adapters = gwmi -cl win32_networkadapterconfiguration | ? {($_.ipaddress) -and $_.dhcpEnabled -eq 'True' }

foreach ($adapter in $adapters) {

# Get original settings

$ipAddress = $adapter.IPAddress

$subnetMask = $adapter.IPSubnet

$dnsServers = $adapter.DNSServerSearchOrder

$defaultGateway = $adapter.DefaultIPGateway

# Set to static and set dns and gateway:

$adapter.EnableStatic($ipAddress,$subnetMask)

$adapter.SetDNSServerSearchOrder($dnsServers)

$adapter.SetGateways($defaultGateway)

}

Hope this helps!

Date October 18, 2018
Author mo wasay
Comments No Comments

Force Replication of all Domain Controllers on all Sites

If you want to replicate all Domain Controllers, then you have to start replication on each of them separately. This may take a while. To save time there is an easier way to force replication on all Domain Controllers of all Active Directory Sites.

Log on to one of your Domain Controllers. Start Windows PowerShell with administrative privileges. Using the Get-ADDomain cmdlet we can get the domain name and the domain partition.

function Replicate-AllDomainControllers {
(Get-ADDomainController -Filter *).Name | Foreach-Object {repadmin /syncall $_ (Get-ADDomain).DistinguishedName /e /A | Out-Null}; Start-Sleep 10; Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationSuccess
}

Replicate-AllDomainControllers

1

2

3

4

5

function Replicate-AllDomainControllers {

(Get-ADDomainController -Filter *).Name | Foreach-Object {repadmin /syncall $_ (Get-ADDomain).DistinguishedName /e /A | Out-Null}; Start-Sleep 10; Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationSuccess

}

Replicate-AllDomainControllers

Now depending on the size of your environment the results may take some time to appear. The final output should be something like this:

Date September 14, 2018
Author mo wasay
Comments No Comments

Oracle to charge for Java Updates & how you can disable them

Prepare for 2019

Oracle has announced that, effective January 2019, Java SE 8 public updates will no longer be available for “Business, Commercial or Production use” without a commercial license.

End of Public Updates for Oracle JDK 8

Oracle will not post further updates of Java SE 8 to its public download sites for commercial use after January 2019. Customers who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 8 or previous versions can get long term support through Oracle Java SE Advanced Desktop, or Oracle Java SE Suite. For more information, and details on how to receive longer term support for Oracle JDK 8, please see the Oracle Java SE Support Roadmap.

Is Oracle Java still free?

The current version of Java – Java SE 9 as well as Java SE 8 – is free and available for redistribution for general purpose computing. Java SE continues to be available under the Oracle Binary Code License (BCL) free of charge. Java Runtime Environment (JRE) use for embedded devices or use of commercial features may require a license fee from Oracle. Read more about embedded use of Java SE, or contact your local Oracle sales representative to obtain a license.

What releases of Java technology are currently available?

The Java Platform, Standard Edition (Java SE) and Oracle Java SE Advanced and Suite products are currently shipping from Oracle in the form of the Java Development Kit (JDK), and Java Runtime Environment (JRE). The current releases of the software and links to older versions are available from the Java SE download page.

What are the Oracle Java licensing changes?

Due to the Oracle Java license cost changes, companies will need to collect and identify every application that is running Java SE 8 before the beginning of 2019. Doing so will ensure an accurate forecast of costs and potential non-compliance risk for future software audits in upcoming years.

What about the Java license costs?

The Oracle Technology Global Price List as of May 1, 2018 provides information about current pricing (in dollars):

Products & Metrics	Named User Plus (NUP)	Software Update (License & Support)	Processor (Proc)	Software Update (License & Support)	*Note
Java SE Advanced Desktop	$40	$8.80	–	–	A
Java SE Advanced	$100	$22.00	$5,000	$1,100	B
Java SE Suite	$300	$66.00	$15,000	$3,300	B

*Note: A: The Named User Plus minimum for this program is 2,000 NUP licenses. B: The Named User Plus minimum for this program is 10 NUP per Processor.

What should you do now?

In light of Oracle’s recent announcement, companies should begin considering:

How to anticipate the situation?
How many Java installations do we have, where and why?
Are there usages embedded?
Can we replace Java with another technology?
What will the cost be in January 2019?

Oracle suggests running a tool to ﬁnd Java installations using a Java package called Java Usage Tracker. This will report information like:

The Java versions
Application name
Type (applet, command line, etc).
Location and more

However, the Oracle Java Usage Tracker requires a commercial license 🙂 – even though it’s included in the installer that comes with the free components.

Disabling Java Updates

Small to Medium sized organizations may not want to pay and should consider disabling updates altogether.

Windows Server 2008R2/2012/2012R2/2016 (x64)

There’s a registry setting in HKEY_LOCAL_MACHINE that will allow you to completely disable both update notifications and the update functionality. The full path of the key is HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy The registry entry is named EnableJavaUpdate and is a DWORD value that defaults to 1 for the update functionality to be enabled. Setting the value to 0 disables updates. When updates are enabled:

64-bit registry redirection:

There is a subkey located at HKLM\Software\Wow6432Node that contains the relevant settings for 32-bit applications, and within here, is the expected JavaSoft registry key. This is similar to the automatic system controlled C:\Windows\SysWOW64 directory for 32-bit compatiblity. To disable updates, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy\ Create a new DWORD value called EnableAutoUpdateCheck , and set it to 0. Change the key EnableJavaUpdate to 0; this stops any needing to install updates, and annoying prompts that non-admin users get for installing updates.

Windows Server 2003/2008 (x86)

Stop the update utility from running by deleting the key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched Reboot the server. In rare cases the control panel needs to be opened as administrator. To do this follow the steps below: Save this as Java32_Fix.reg and run and it will fix those javacpl.exe as Administrator/Control Panel issues once and for all:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files\Java\jre6\bin\javacpl.exe"="RUNASADMIN"

1

2

3

4

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]

"C:\Program Files\Java\jre6\bin\javacpl.exe"="RUNASADMIN"

Alternately, this is for 64bit OS’s running 32bit Java:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files (x86)\Java\jre6\bin\javacpl.exe"="RUNASADMIN"

1

2

3

4

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]

"C:\Program Files (x86)\Java\jre6\bin\javacpl.exe"="RUNASADMIN"

Date August 7, 2018
Author mo wasay
Comments No Comments

Windows (10 & 2016) Build 1709 & 1803 cannot connect to SMB Shares

Applies to: Windows 10, version 1803, Windows Server version 1803, Windows 10, version 1709, Windows Server Datacenter Core, and Windows Server Standard Core

As users and organizations are upgrading to Windows 10 Build 1709/1803 they should be aware that SMB 1.0 is no longer installed by default. Among other things, this is going to start a lot of problems especially for the networking and security departments where they might be trying to figure out if it is a firewall that is blocking or an AV program that is limiting the access to the share.

In Windows 10 Fall Creators Update (1709), and Windows Server, version 1709 (RS3) and later versions, the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default. It was superseded by SMBv2 and later protocols starting in 2007. Microsoft publicly deprecated the SMBv1 protocol in 2014.

SMBv1 has the following behavior in Windows 10 Fall Creators Update and Windows Server, version 1709 (RS3):

SMBv1 now has both client and server sub-features that can be uninstalled separately.
Windows 10 Enterprise and Windows 10 Education no longer contain the SMBv1 client or server by default after a clean installation.
Windows Server 2016 no longer contains the SMBv1 client or server by default after a clean installation.
Windows 10 Home and Windows 10 Professional no longer contain the SMBv1 server by default after a clean installation.
Windows 10 Home and Windows 10 Professional still contain the SMBv1 client by default after a clean installation. If the SMBv1 client is not used for 15 days in total (excluding the computer being turned off), it automatically uninstalls itself.
In-place upgrades and Insider flights of Windows 10 Home and Windows 10 Professional do not automatically remove SMB1 initially. If the SMBv1 client or server is not used for 15 days in total (excluding the time during which the computer is off), they each automatically uninstall themselves.
In-place upgrades and Insider flights of Windows 10 Enterprise and Windows 10 Education do not automatically remove SMB1. An administrator must decide to uninstall SMB1 in these managed environments.
Automatic removal of SMB1 after 15 days is a one-time operation. If an administrator re-installs SMB1, no further attempts will be made to uninstall it.
The SMB version 2.02, 2.1, 3.0, 3.02, and 3.1.1 features are still fully supported and included by default as part of the SMBv2 binaries.
Because the Computer Browser service relies on SMBv1, the service is uninstalled if the SMBv1 client or server is uninstalled. This means that Explorer Network can no longer display Windows computers through the legacy NetBIOS datagram browsing method.
SMBv1 can still be reinstalled in all editions of Windows 10 and Windows Server 2016.

If you try to connect to devices that support only SMBv1, or if these devices try to connect to you, you may receive one of the following errors messages:

You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747

The specified network name is no longer available.

Unspecified error 0x80004005

System Error 64

The specified server cannot perform the requested operation.

Error 58

I don’t recommend using SMBv1 but businesses are using legacy hardware/software that might have SMBv1 as the only option. Please plan on upgrading as there are serious security vulnerabilities with SMB1

Work Around:

To work around this issue, contact the manufacturer of the product that supports only SMBv1, and request a software or firmware update that support SMBv2.02 or a later version. For a current list of known vendors and their SMBv1 requirements, see the following Windows and Windows Server Storage Engineering Team Blog article:

SMBv1 Product Clearinghouse

Leasing mode

If SMBv1 is required to provide application compatibility for legacy software behavior, such as a requirement to disable oplocks, Windows provides a new SMB share flag that’s known as Leasing mode. This flag specifies whether a share disables modern SMB semantics such as leases and oplocks.

You can specify a share without using oplocks or leasing to allow a legacy application to work with SMBv2 or a later version. To do this, use the New-SmbShare or Set-SmbShare PowerShell cmdlets together with the -LeasingMode None parameter.

Note You should use this option only on shares that are required by a third-party application for legacy support if the vendor states that it is required. Do not specify Leasing mode on user data shares or CA shares that are used by Scale-Out File Servers. This is because the removal of oplocks and leases causes instability and data corruption in most applications. Leasing mode works only in Share mode. It can be used by any client operating system.

Explorer Network Browsing

The Computer Browser service relies on the SMBv1 protocol to populate the Windows Explorer Network node (also known as “Network Neighborhood”). This legacy protocol is long deprecated, doesn’t route, and has limited security. Because the service cannot function without SMBv1, it is removed at the same time.

However, if you still have to use the Explorer Network in home and small business workgroup environments to locate Windows-based computers, you can follow these steps on your Windows-based computers that no longer use SMBv1:

Start the “Function Discovery Provider Host” and “Function Discovery Resource Publication” services, and then set them to Automatic (Delayed Start).
When you open Explorer Network, enable network discovery when you are prompted.

All Windows devices within that subnet that have these settings will now appear in Network for browsing. This uses the WS-DISCOVERY protocol. Contact your other vendors and manufacturers if their devices still don’t appear in this browse list after the Windows devices appear. It is possible they have this protocol disabled or that they support only SMBv1.

I recommend that you map drives and printers instead of enabling this feature, which still requires searching and browsing for their devices. Mapped resources are easier to locate, require less training, and are safer to use. This is especially true if these resources are provided automatically through Group Policy. An administrator can configure printers for location by methods other than the legacy Computer Browser service by using IP addresses, Active Directory Domain Services (AD DS), Bonjour, mDNS, uPnP, and so on.

If you cannot use any of these workarounds, or if the application manufacturer cannot provide supported versions of SMB, you can re-enable SMBv1 manually by following the steps in KB 2696547. I am listing the PowerShell and GUI steps below.

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.
The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

Enabling/Disabling SMBv1 & SMBv2 – SMBv3

Windows Server 2012 R2 & 2016:

SMBv1

Detect: Get-WindowsFeature FS-SMB1
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

SMB v2/v3 (listing these just in case)

Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Enabled: Set-SmbServerConfiguration -EnableSMB2Protocol $true
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false

Windows 8.1 and Windows 10:

SMBv1

Detect: Get-WindowsOptionalFeature –Online –FeatureName SMB1Protocol
Enable: Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Disable: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

SMB v2/v3 (listing these just in case)

Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Enable: Set-SmbServerConfiguration –EnableSMB2Protocol $true
Disable: Set-SmbServerConfiguration –EnableSMB2Protocol $false

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

SMBv1

Detect: Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned

Enable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 –Force

You must restart the computer after you make these changes.

Disable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 –Force

SMB v2/v3 (listing these just in case)

Detect: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Enable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 –Force

You must restart the computer after you make these changes.

Disable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 –Force

GUI:

Enabling SMBv1

Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB

Windows 8.1 and Windows 10: Add or Remove Programs method

Important: I strongly recommend that you do not reinstall SMBv1. This is because this older protocol has known security issues regarding ransomware and other malware.

Date August 2, 2018
Author mo wasay
Comments No Comments

All of Windows Cipher Suites

Working on a security project and I needed a reference guide as to what cipher suites are supported on what OS.

So I have documented a list of the default cipher suites and their preferred order for every Windows Server version. These were gathered from fully patched operating systems.

These are the server defaults for reference only. I do not recommend using the default cipher suites or the order listed.

Windows Server 2003

TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA

Windows Server 2008

TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA

Windows Server 2008 R2

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Windows Server 2012

TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA

Windows Server 2012 R2

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Windows Server 2016

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_DES_192_EDE3_CBC_WITH_MD5 SSL_CK_RC4_128_WITH_MD5

Date May 15, 2018
Author mo wasay
Comments No Comments

Deploying the SCCM Client with VMware Client Windows Guest Customization

Since SCCM is our configuration management tool of choice, the SCCM client needs to get installed on all of our newly provisioned VMs.

I created a service account that only has read permission to the \\sccmserver\sms_sitecode\client share on the SCCM server. The client is installed from this location to ensure that we are always using the latest version and get rid of any need to manually copy files or put it in the template.

1. Make sure that you have your customization spec configured to log in once as administrator:

2. Add the following lines to you customization spec.

cmd.exe /c net use i: \\sccmserver\SMS_sitecode\Client /user:username password
cmd.exe /c i:\ccmsetup.exe <options>
timeout 60
cmd.exe /c shutdown -r -t 00

1

2

3

4

cmd.exe /c net use i: \\sccmserver\SMS_sitecode\Client /user:username password

cmd.exe /c i:\ccmsetup.exe <options>

timeout 60

cmd.exe /c shutdown -r -t 00

This maps a drive to your SCCM share using the service account, installs the client, and then reboots the virtual machine. I put a timeout (sleep) for 60 seconds in there to make sure the install has time to do what it needs to do and it is working well at this point.

3. Once the VM is created and customized and rebooted you should have a service ‘SMS Agent’ started (Automatic Delayed Start).

Date April 19, 2018
Author mo wasay
Comments No Comments

List Domain Admins & Enterprise Admins in a domain

If you want to find out how many domain/ enterprise admins are active/inactive in domain you can use the following PowerShell command to figure out:

Get the list of domain admins and check if they are enabled.

Get-ADGroupMember -Identity "Domain Admins" -Recursive | %{Get-ADUser -Identity $_.distinguishedName} | Select Name, Enabled

1	Get-ADGroupMember -Identity "Domain Admins" -Recursive \| %{Get-ADUser -Identity $_.distinguishedName} \| Select Name, Enabled

Get the list of enterprise admins and check if they are enabled.

Get-ADGroupMember -Identity "Enterprise Admins" -Recursive | %{Get-ADUser -Identity $_.distinguishedName} | Select Name, Enabled

1	Get-ADGroupMember -Identity "Enterprise Admins" -Recursive \| %{Get-ADUser -Identity $_.distinguishedName} \| Select Name, Enabled

Date April 19, 2018
Author mo wasay
Comments No Comments

What version of SQL Server do I have?

Working with so many versions of SQL a quick reference list is always helpful that shows the versions numbers and service packs.

A downloadable version of an Excel workbook that contains all the build versions together with their current support lifecycle stage for 2005 through the current version is available. Click to download this Excel file now. (File name: SQL Server Builds V3.xlsx)

This unofficial build chart lists all of the known Service Packs (SP), Cumulative Updates (CU), patches, hotfixes and other builds of MS SQL Server 2017, 2016, 2014, 2012, 2008 R2, 2008, 2005, 2000, 7.0, 6.5 and 6.0 that have been released.

Useful articles:

Quick summary:

All SQLServer service packs are cumulative, meaning that each new service pack contains all the fixes that are included with previous service packs and any new fixes.

	RTM (no SP)	SP1	SP2	SP3	SP4
SQL Server 2017 codename vNext	14.0.1000.169 *new
SQL Server 2016	13.0.1601.5	13.0.4001.0 or 13.1.4001.0
SQL Server 2014	12.0.2000.8	12.0.4100.1 or 12.1.4100.1	12.0.5000.0 or 12.2.5000.0
SQL Server 2012 codename Denali	11.0.2100.60	11.0.3000.0 or 11.1.3000.0	11.0.5058.0 or 11.2.5058.0	11.0.6020.0 or 11.3.6020.0	11.0.7001.0 or 11.4.7001.0
SQL Server 2008 R2 codename Kilimanjaro	10.50.1600.1	10.50.2500.0 or 10.51.2500.0	10.50.4000.0 or 10.52.4000.0	10.50.6000.34 or 10.53.6000.34
SQL Server 2008 codename Katmai	10.0.1600.22	10.0.2531.0 or 10.1.2531.0	10.0.4000.0 or 10.2.4000.0	10.0.5500.0 or 10.3.5500.0	10.0.6000.29 or 10.4.6000.29
SQL Server 2005 codename Yukon	9.0.1399.06	9.0.2047	9.0.3042	9.0.4035	9.0.5000
SQL Server 2000 codename Shiloh	8.0.194	8.0.384	8.0.532	8.0.760	8.0.2039
SQL Server 7.0 codename Sphinx	7.0.623	7.0.699	7.0.842	7.0.961	7.0.1063

All SQLServer service packs are cumulative, meaning that each new service pack contains all the fixes that are included with previous service packs and any new fixes.

Date April 5, 2018
Author mo wasay
Comments No Comments

mo wasay

Determine & Change Tombstone Lifetime in Active Directory

AD Recycle Bin

Determining Tombstone Lifetime:

Changing Tombstone Lifetime:

Convert a Dynamic IP to Static

Force Replication of all Domain Controllers on all Sites

What releases of Java technology are currently available?

What are the Oracle Java licensing changes?

What about the Java license costs?

What should you do now?

Work Around:

Leasing mode

Explorer Network Browsing

Enabling/Disabling SMBv1 & SMBv2 – SMBv3

Windows Server 2012 R2 & 2016:

SMBv1

SMB v2/v3 (listing these just in case)

Windows 8.1 and Windows 10:

SMBv1

SMB v2/v3 (listing these just in case)

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

SMBv1

SMB v2/v3 (listing these just in case)

GUI:

Enabling SMBv1

Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB

Windows 8.1 and Windows 10: Add or Remove Programs method

All of Windows Cipher Suites

Deploying the SCCM Client with VMware Client Windows Guest Customization

What version of SQL Server do I have?

Quick summary:

Mohammed Wasay

Dallas based Design Technologist & Hybrid Developer

Categories

Archives

Meta