Guide to migrate FRS to DFSR

For most users this article only applies if you still have a Windows 2003 / 2003 R2 domain controller in your environment that you are planning to get rid of. Pretty soon, I hope! 😉

SYSVOL is a folder shared by every domain controller to hold its logon scripts, group policies and other items related to AD. All domain controllers in the network replicate the content of the SYSVOL folder. The default path for SYSVOL is %SystemRoot%\SYSVOL; the path is defined when you install Active Directory.

Windows Server 2003 and 2003 R2 use the File Replication Service (FRS) to replicate SYSVOL content to the other domain controllers, while Windows Server 2008 and later use DFS Replication (DFSR). DFSR is more efficient than FRS. Since Windows Server 2003 is going out of support, most people have already migrated or are still looking to migrate to a current version. However, migrating the FSMO roles WILL NOT migrate SYSVOL replication from FRS to DFSR. Many engineers forget this step when they migrate from Windows 2003 to a newer version.

For the FRS to DFSR migration we use the Dfsrmig.exe utility. More information about it is available at https://technet.microsoft.com/en-au/library/dd641227(v=ws.10).aspx

In my environment I am using a Windows Server 2012 R2 server, and I have already migrated the FSMO roles from a Windows Server 2003 R2 server.

In order to proceed with the migration, the forest functional level must be set to Windows Server 2008 or later. So if your organization has not done this yet, the first step is to raise the domain and forest functional levels.

You can verify whether the domain still uses FRS with dfsrmig /getglobalstate. To do this:

1)    Log in to a domain controller as a Domain Admin or Enterprise Admin
2)    Launch a PowerShell console and type dfsrmig /getglobalstate. The output shows that the DFSR migration has not been initiated yet.

Before moving on to the configuration we need to look at the stages of the migration.

There are four stable states, corresponding to the four migration phases.

1)    State 0 – Start
2)    State 1 – Prepared
3)    State 2 – Redirected
4)    State 3 – Eliminated

State 0 – Start

In this state FRS replicates the SYSVOL folder among the domain controllers. It is important to have an up-to-date copy of SYSVOL on every DC before beginning the migration process, to avoid conflicts.

State 1 – Prepared

In this state FRS continues replicating the SYSVOL folder, while DFSR replicates its own copy of SYSVOL, located in %SystemRoot%\SYSVOL_DFSR by default. This DFSR copy does not yet respond to SYSVOL service requests from other domain controllers.

State 2 – Redirected

In this state the DFSR copy of SYSVOL starts responding to SYSVOL service requests. FRS continues replicating its own SYSVOL copy but is no longer involved in production SYSVOL replication.

State 3 – Eliminated

In this state DFS Replication continues replicating and servicing SYSVOL requests. Windows deletes the original SYSVOL folder used by FRS replication and stops the FRS replication.

To migrate from FRS to DFSR you must move from State 1 through State 3. Once State 3 (Eliminated) has been entered, the migration cannot be reversed.

Migration Steps:

Prepared State

1.    Log in to a domain controller as a Domain Admin or Enterprise Admin
2.    Launch a PowerShell console
3.    Type dfsrmig /setglobalstate 1 and press Enter
4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Prepared state

Redirected State

1.    Log in to a domain controller as a Domain Admin or Enterprise Admin
2.    Launch a PowerShell console
3.    Type dfsrmig /setglobalstate 2 and press Enter
4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Redirected state

Eliminated State

1.    Log in to a domain controller as a Domain Admin or Enterprise Admin
2.    Launch a PowerShell console
3.    Type dfsrmig /setglobalstate 3 and press Enter
4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Eliminated state

This completes the migration process. To confirm the SYSVOL share, type net share and press Enter.

Also make sure that on each domain controller the FRS service (NtFrs) is stopped and disabled. This should happen automatically, but please verify.
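The three phases above are the same command with a different state number, followed by polling dfsrmig /getmigrationstate until every DC has caught up. The following script is an added example, not code from the original post: it checks the forest functional level and PDC Emulator prerequisites, drives one phase at a time, and performs the post-migration checks (SYSVOL share present, NtFrs stopped and disabled) across all DCs. It assumes a Windows Server 2012 R2 DC with RSAT-AD-PowerShell, a Domain Admin console, WMI access to every DC, and that the "consistent state" phrase it matches is what dfsrmig prints once all DCs are in sync.

```powershell
# Added example (not from the original post). Assumes RSAT-AD-PowerShell, Domain Admin,
# and WMI reachability to all DCs. Function and parameter names are this example's own.
Import-Module ActiveDirectory

function Test-SysvolMigrationPrereqs {
    # Forest functional level must be Windows Server 2008 or later (prerequisite above).
    $forest  = Get-ADForest
    $minimum = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
    if ([int]$forest.ForestMode -lt $minimum) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 or later first."
    }
    # dfsrmig reads and writes through the PDC Emulator, so it must be reachable.
    $pdc = (Get-ADDomain).PDCEmulator
    if (-not (Test-Connection -ComputerName $pdc -Count 1 -Quiet)) {
        throw "PDC Emulator $pdc is not reachable."
    }
    return (dfsrmig /getglobalstate) -join ' '    # shows the current global state, e.g. 'Start'
}

function Invoke-SysvolMigrationPhase {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 3)][int]$State,   # 1 Prepared, 2 Redirected, 3 Eliminated
        [int]$TimeoutMinutes = 60,
        [int]$PollSeconds = 60
    )
    $names = @{ 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }
    # State 3 is irreversible; require an explicit confirmation before issuing it.
    if ($State -eq 3 -and (Read-Host 'State 3 (Eliminated) cannot be undone. Type ELIMINATE to continue') -ne 'ELIMINATE') {
        return
    }
    dfsrmig /setglobalstate $State | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $report = (dfsrmig /getmigrationstate) -join "`n"
        # dfsrmig lists the DCs still out of sync until all have reached the global state;
        # the phrase matched here is an assumption about the tool's wording.
        $done = $report -match 'consistent state'
    } until ($done -or (Get-Date) -gt $deadline)
    if (-not $done) {
        throw "Not every DC reached '$($names[$State])' within $TimeoutMinutes minutes:`n$report"
    }
    Write-Host "All DCs have reached '$($names[$State])'."
}

function Test-SysvolMigrationComplete {
    # After Eliminated: SYSVOL must still be shared, and NtFrs stopped and disabled, on every DC.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $share = Get-WmiObject -Class Win32_Share   -ComputerName $dc -Filter "Name='SYSVOL'"
        $frs   = Get-WmiObject -Class Win32_Service -ComputerName $dc -Filter "Name='NtFrs'"
        [pscustomobject]@{
            DC           = $dc
            SysvolPath   = if ($share) { $share.Path } else { 'NOT SHARED' }
            FrsState     = if ($frs) { $frs.State } else { 'not installed' }
            FrsStartMode = if ($frs) { $frs.StartMode } else { 'n/a' }
            Ok           = [bool]$share -and (-not $frs -or ($frs.State -eq 'Stopped' -and $frs.StartMode -eq 'Disabled'))
        }
    }
}

# Usage, one phase at a time, checking between phases:
# Test-SysvolMigrationPrereqs
# Invoke-SysvolMigrationPhase -State 1
# Invoke-SysvolMigrationPhase -State 2
# Invoke-SysvolMigrationPhase -State 3
# Test-SysvolMigrationComplete | Format-Table -AutoSize
```

Run each phase separately and look at the Test-SysvolMigrationComplete table before declaring the migration done; a DC that still shows NtFrs running after Eliminated is the case the post asks you to verify by hand.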

Additional Info:

The steps listed above are pretty straightforward.  I’d advise to make sure DFSR binaries are current on all DCs for the respective OS versions, then forge ahead 😊

https://support.microsoft.com/en-us/help/2951262/list-of-currently-available-hotfixes-for-distributed-file-system-dfs-technologies-in-windows-server-2012-and-windows-server-2012-r2 (Note: the article has both 2k12 and 2k12R2 binaries by DFS-N and DFS-R, I’m including just the DFSR below)

DFS replication

Windows Server 2012 R2

Date added / KB article / Title / Why we recommend this hotfix / Hotfix type and availability

Aug 05, 2016 – 3172614 – July 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
  Why: This hotfix contains the most current version of Dfsrs.exe for Windows Server 2012 R2.
  Availability: To apply this update rollup, you must be running Windows Server 2012 R2, April 2014 Update 2919355 and April 2015 Update 3021910.

NA
  Why: This hotfix contains the most current version of Dfsrro.sys for Windows Server 2012 R2.
  Availability: To install this hotfix, you must have Windows Server 2012 R2 installed.

NA
  Why: This hotfix contains the most current version of Dfsrclus.dll for Windows Server 2012 R2.

August 31, 2014 – 2996883 (Install this Hotfix) – DFSR stops replication after an unexpected shutdown in a Windows 8.1 or Windows Server 2012 R2 environment
  Why: This hotfix contains the most current versions of Dfsrdiag.exe, Dfsrmig.exe and Dfsrwmiv2.dll for Windows Server 2012.
  Availability: To apply this hotfix, you must be running Windows Server 2012 R2 and April 2014 Update 2919355.


For any 2008/2008 R2 DCs, the parallel article to the 2k12 version above is https://support.microsoft.com/en-us/help/968429/list-of-currently-available-hotfixes-for-distributed-file-system-dfs-technologies-in-windows-server-2008-and-in-windows-server-2008-r2 :

Windows Server 2008 R2

Date added / KB article / Title / Why we recommend this hotfix / Hotfix type and availability

Oct/11/2014 – 3002288 – DFSR service freezes when it calls a method on a Windows-based server
  Why: This hotfix contains the most current version of Dfsrs.exe for Windows Server 2008 R2 SP1 (Dfsrs.exe 6.1.7601.22842 or newer). Note: for 2008 R2 (RTM) apply 2725170.
  Availability: To install this hotfix, you must have Windows Server 2008 R2 Service Pack 1 (SP1) installed.

Jan/21/2012 – 2663685 – Changes that are not replicated to a downstream server are lost on the upstream server after an automatic recovery process occurs in a DFS Replication environment in Windows Server 2008 R2
  Why: This hotfix adds the ability to enable or disable automatic recovery of DFSR databases via a registry value in Windows Server 2008 R2 (StopReplicationOnAutoRecovery).
  Availability: To install this hotfix, you must have Windows Server 2008 R2 or Windows Server 2008 R2 Service Pack 1 (SP1) installed.

Setting the registry key for auto recovery (on Windows 2012 R2 DFSR auto recovery is enabled by default):

To enable the DFS Replication service to automatically recover databases, modify the following registry key:

HKLM\System\CurrentControlSet\Services\DFSR\Parameters\StopReplicationOnAutoRecovery

Notes

  • If the value of the StopReplicationOnAutoRecovery registry subkey is set to 1, DFS Replication automatic recovery is disabled. When the error condition occurs you may see a DFS Replication warning event 2213 like the following:

Log Name: DFS Replication
Source: DFSR
Event ID: 2213
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: MyDFSRMember.contoso.com
Description:
The DFS Replication service stopped replication on volume F:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

Additional Information:
Volume: F:
GUID: 4A5BAE4E-c19D-21E1-A4E7-007056B54182

  • If the value of the StopReplicationOnAutoRecovery registry subkey is set to 0 or if the StopReplicationOnAutoRecovery registry subkey does not exist, DFS Replication automatic recovery is enabled.

Nov/18/2009 – 975763 – DFS Replication does not use Remote Differential Compression (RDC) when replicating very large files on a computer that is running Windows Server 2008 R2
  Why: If you have a version of dfsrs.exe installed that is newer than 975763, you do not have to install this hotfix. However, you must still enable the registry change (RpcContextHandleTimeoutMs) that is specified in 975763 for the new behavior to take effect.
  Availability: To install this hotfix, you must have Windows Server 2008 R2 installed. This hotfix is available for individual download and is included in Windows Server 2008 R2 Service Pack 1.

May/21/2013 – 2851868 – “0x0000003B” Stop error when you use the DFSR service on a Windows Server 2008 R2-based
  Why: This hotfix contains the most current version of Dfsrro.sys for Windows Server 2008 R2 SP1 (Dfsrro.sys 6.1.7601.22335 or newer).
  Availability: To install this hotfix, you must have Windows Server 2008 R2 Service Pack 1 (SP1) installed.

Jan/19/2010 – 979564 – The DFS Replication Management Pack shows alerts for cluster network names that are in the “healthy” status on a Windows Server 2008 R2 failover cluster
  Why: This hotfix contains the most current version of Dfsrclus.dll for Windows Server 2008 R2 RTM.
  Availability: To install this hotfix, you must have Windows Server 2008 R2 installed. This hotfix is available for individual download and is included in Windows Server 2008 R2 Service Pack 1.

Nov/18/2012 – 2780453 – Event ID 4114 and Event ID 4008 are logged in the DFS Replication log in Windows Server 2008 R2
  Why: This hotfix contains the most current version of Dfsmgmt.dll for Windows Server 2008 R2 and SP1 (Dfsmgmt.dll 6.1.7601.22167 or newer).
  Availability: To install this hotfix, you must have Windows Server 2008 R2 or Windows Server 2008 R2 Service Pack 1 (SP1) installed.
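The StopReplicationOnAutoRecovery value and warning event 2213 described above are easy to check and act on from PowerShell. The following is an added example, not code from the original post or from the Microsoft KB: it reads or sets the value on a DFSR member, lists recent 2213 events with the affected volume and GUID, and resumes replication through the ResumeReplication WMI method that the event text names. It assumes PowerShell remoting to the target, and that the DFSR WMI class in root\MicrosoftDFS is named DfsrVolumeConfig with a VolumeGuid property (both are assumptions, not taken from the page).

```powershell
# Added example (not from the original post or the KB). Assumes PowerShell remoting and
# the root\MicrosoftDFS DfsrVolumeConfig class (name assumed). Function names are this example's own.
$DfsrParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters'

function Get-DfsrAutoRecovery {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty -Path $using:DfsrParams -ErrorAction SilentlyContinue).StopReplicationOnAutoRecovery
        [pscustomobject]@{
            Computer                      = $env:COMPUTERNAME
            StopReplicationOnAutoRecovery = if ($null -eq $v) { '<not set>' } else { $v }
            # 1 = auto recovery disabled; 0 or missing = enabled (per the notes above)
            AutoRecovery                  = if ($v -eq 1) { 'Disabled' } else { 'Enabled' }
        }
    }
}

function Set-DfsrAutoRecovery {
    param([string]$ComputerName = $env:COMPUTERNAME, [switch]$Disable)
    $value = if ($Disable) { 1 } else { 0 }
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # -Force overwrites an existing value; REG_DWORD as the KB describes
        New-ItemProperty -Path $using:DfsrParams -Name StopReplicationOnAutoRecovery `
            -PropertyType DWord -Value $using:value -Force | Out-Null
    }
    Get-DfsrAutoRecovery -ComputerName $ComputerName
}

function Get-DfsrAutoRecoveryStops {
    # Event 2213: replication stopped on a volume because the JET database was dirty and auto recovery is off
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)
    $filter = @{ LogName = 'DFS Replication'; Id = 2213; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            # Pull the volume and GUID out of the "Additional Information" block shown above
            Volume   = if ($_.Message -match 'Volume:\s*(\S+)') { $Matches[1] } else { '?' }
            Guid     = if ($_.Message -match 'GUID:\s*([0-9A-Fa-f-]+)') { $Matches[1] } else { '?' }
        }
    }
}

function Resume-DfsrVolume {
    # The resolution the event prescribes: back up the replicated folders first, then resume.
    param([Parameter(Mandatory)][string]$VolumeGuid, [string]$ComputerName = $env:COMPUTERNAME)
    $vol = Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrVolumeConfig -ComputerName $ComputerName `
        -Filter "VolumeGuid='$VolumeGuid'"
    if (-not $vol) { throw "No DFSR volume with GUID $VolumeGuid found on $ComputerName" }
    $vol.ResumeReplication() | Out-Null
}

# Usage:
# Get-DfsrAutoRecovery -ComputerName DC01
# Get-DfsrAutoRecoveryStops -ComputerName DC01 -Days 7
# Resume-DfsrVolume -ComputerName DC01 -VolumeGuid '<guid from the 2213 event>'
```

Check the value on every member rather than assuming the OS default, and treat a 2213 event on a DC as a SYSVOL outage on that DC until replication has been resumed.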

 

As a best practice, since a parallel directory, SYSVOL_DFSR, is created during the migration process, have the A-V admins ensure antivirus exclusions are set for it per https://support.microsoft.com/en-us/help/822158/virus-scanning-recommendations-for-enterprise-computers-that-are-running-currently-supported-versions-of-windows

 

Q&A

Q: What are the Domain Controller availability requirements during my migration?

A: There are a couple.

The PDC Emulator must be online any time the DFSRMIG tool is being invoked for a read or write operation. If the PDC Emulator is offline or inaccessible for LDAP, the user of DFSRMIG will receive:

“Unable to connect to the Primary DC’s AD.

Please make sure that the PDC is reachable and try the command later.”

All DCs must remain online until they each complete their state steps. All DCs do not need to be accessible simultaneously. But the global state will never reach the Prepared, Redirected, or Eliminated state until all DCs have been able to complete their individual phases.

The PDC Emulator requirement is because by default, administrators always edit group policy on the PDCE, so in most environments it will have the most up to date knowledge of policy. That and we need to talk to someone unique, so it might as well be him.

It is recommended that a SYSVOL migration not be attempted unless all DCs are online and available. Change control blackouts should be scheduled to prevent modification to DCs that might impact their availability. This will minimize the window of time that the migration will take.

Q: Is there some super-secret way to return to using FRS after reaching the Eliminated phase of DFSR migration?

A: Microsoft does not support returning your domain to using FRS for SYSVOL replication after a completed DFSR migration (except to rebuild the domain). This is why the steps are done in a phased approach with two checkpoints where you can revert back to FRS without any consequences. Once you trigger the ELIMINATED phase to start, there is no going back, period.

Q: When does Robocopy run during the migration and what does it do?

A: The DFSR service uses robocopy at several stages to synchronize SYSVOL directories outside of normal replication when it detects a SYSVOL migration is underway; a set of ‘pre-seeding’ and ‘save the GP admins from themselves’ operations.

When Prepared state (DFSRMIG /SETGLOBALSTATE 1) is invoked, all DC’s robocopy their FRS SYSVOL data locally into the new DFSR content set. This is equivalent to ‘pre-seeding’ data and ensures that minimal file replication occurs to converge the content set. This is triggered by the DFSR service itself when:

  • AD replication has converged between a DC and the PDCE.
  • The DFSR service on that DC has polled (this runs every 5 minutes) and picks up the state change from CN=dfsr-LocalSettings.

When entering the Redirected state, the PDC Emulator (only) robocopies the local differences of FRS SYSVOL data into the new local DFSR content set, on itself. The other servers receive new data via replication.

If you undo the Redirected state back to Prepared, the reverse happens. The PDC Emulator robocopies its local DFSR content set data into its local FRS content set. FRS replication synchronizes all other servers… eventually. Allow more time for this than entering Redirected, as FRS is not as fast to synchronize as DFSR.

For sharp-eyed readers: we won’t run into any of the old pre-seeding issues (the file hash being changed by robocopy) here because DFSR correctly creates the SYSVOL_DFSR folder ACL, so there are no inheritance issues when the contents are copied in and replicated.

Q: Event 8004 says something about RODC’s. I don’t have any RODC’s. What the frak?

A: The following event is incorrectly written in the DFSR event log(s) on servers that are not Read-only Domain Controllers when setting elimination state using DFSRMIG.EXE:

Log Name: DFS Replication
Source: DFSR
Date: 9/28/2007 11:53:46 AM
Event ID: 8004
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: <WRITABLE DC>
Description:
The NTFRS member object for the Read-only Domain Controller <WRITABLE DC> was deleted successfully.

The text in the event log is completely cosmetic and benign. It is supposed to be fixed in a later version of the OS. Just ignore it.

Q: What are all the AD and Registry state values that will be set at a given point in the migration?

A: See below:

=============

Prepared Phase – DFSRMIG /SETGLOBALSTATE 1

  • DFSRMIG contacts the PDC Emulator directly.
  • Global objects are created under:

CN=DFSR-GlobalSettings,CN=SYSTEM,DC=<domain>
CN=DOMAIN SYSTEM VOLUME
CN=SYSVOL SHARE
CN=CONTENT
CN=TOPOLOGY

  • CN=DFSR-GlobalSettings now has msDFSR-Flags attribute set to 0.
  • As DC’s pick up the globalstate change via AD replication and DFSR service polling, they create and write to registry entry:

HKLM\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols
Local State = 4 [REG_DWORD]

  • The PDC Emulator creates the:

CN=dfsr-LocalSettings,CN=<servername>,DC=<domain>

objects for all DCs and sets this attribute to:

msDFSR-Flags = 80 (if RWDCs).
msDFSR-Flags = 64 (if RODCs – the RODC itself will set it to 80 later).

  • The DFSR service has now started and created the new local SYSVOL_DFSR structure. Robocopy has made a local copy of the FRS SYSVOL. All AD topology data has been written in to support the content set. Initial sync of the data has started (since robocopy has locally pre-seeded the data this should involve minimal replication data on the network). The registry on all DC’s is:

Local State = 5 [REG_DWORD]

  • Once initial sync is done on all DCs:

Local State = 1 [DWORD]
‘msDFSR-Flags’ (on CN=dfsr-LocalSettings) = 16

  • If DFSRMIG /GETGLOBALSTATE returns that all DCs are prepared, ‘msDFSR-Flags’ on CN=dfsr-GlobalSettings has changed to 16 because all DCs are prepared. All DCs are currently replicating DFSR and FRS content sets, with FRS being shared as SYSVOL.

=============

Redirected Phase – DFSRMIG /SETGLOBALSTATE 2

  • DFSRMIG contacts the PDC Emulator directly.
  • CN=DFSR-LocalSettings now has msDFSR-Flags attribute set to 96 on all DCs and this replicates out through AD.
  • As DCs pick up the attribute from AD replication, their DFSR service sets:

Local State = 6 [REG_DWORD]

  • On the PDC Emulator only, robocopy syncs any changes between the FRS and DFSR’s content sets, and this is replicated out through DFSR.
  • Once SYSVOL data is in sync, SYSVOL content set is set to be the active SYSVOL share on all servers. FRS and DFSR are both still replicating data.
  • When this is complete, for each DC:

Local State = 2 [DWORD]
‘msDFSR-Flags’ (on CN=dfsr-LocalSettings) = 32

  • If DFSRMIG /GETGLOBALSTATE returns that all DCs are redirected, ‘msDFSR-Flags’ on CN=dfsr-GlobalSettings has changed to 32 because all DCs are redirected. All DCs are currently replicating DFSR and FRS content sets, with DFSR being shared as SYSVOL.

==============

Eliminated Phase – DFSRMIG /SETGLOBALSTATE 3

  • DFSRMIG contacts the PDC Emulator directly. At this point it is not possible to undo the changes!
  • CN=DFSR-LocalSettings now has msDFSR-Flags attribute set to 112 on all DCs and this replicates throughout AD.
  • As DCs pick up the attribute from AD replication, their DFSR service sets:

Local State = 7 [REG_DWORD]

  • On the PDC, the FRS content set information is removed and this is replicated through AD. As each DC sees this change, their FRS service stops replicating the FRS content set. The FRS service is stopped (and restarted if custom FRS sets still exist on a given server).
  • When this is complete, for each DC:

Local State = 3 [DWORD]
‘msDFSR-Flags’ (on CN=dfsr-LocalSettings) = 48

  • If DFSRMIG /GETGLOBALSTATE returns that all DCs are eliminated, ‘msDFSR-Flags’ on CN=dfsr-GlobalSettings has changed to 48 because all DCs are eliminated. All DCs are currently replicating DFSR only.
  • A final cleanup task on each DC will set their ‘msDFSR-Flags’ on CN=dfsr-LocalSettings to <NOT SET>. The same will happen from the PDC to CN=dfsr-GlobalSettings.

==============

If any ‘undo’ phases are entered (where an administrator has decided to go from redirected back to prepared, redirected back to start, or prepared back to start), the flow above happens in reverse, with the exception that the following two entries exist in the ‘Local State’ registry entries:

  • (Undo Redirecting)
  • (Undo Preparing)
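The AD attributes and registry values walked through above are what to read when DFSRMIG /GETMIGRATIONSTATE reports a DC out of sync and you need to know which step it is stuck on. The script below is an added example, not part of the original FAQ: it reads msDFSR-Flags on CN=DFSR-GlobalSettings and on each DC's CN=DFSR-LocalSettings, plus the "Local State" registry value, and maps them to the phase names using the values listed above. It assumes RSAT-AD-PowerShell, PowerShell remoting to each DC, and the registry path spelled as in the walkthrough; the undo states, which the FAQ lists without numeric values, come out as "unknown".

```powershell
# Added example (not part of the original FAQ). Assumes RSAT-AD-PowerShell and remoting to each DC.
Import-Module ActiveDirectory

# msDFSR-Flags on CN=DFSR-GlobalSettings (values from the walkthrough above)
$GlobalFlagNames = @{ 0 = 'Start'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated' }
# msDFSR-Flags on each DC's CN=DFSR-LocalSettings
$LocalFlagNames  = @{ 80 = 'Preparing (RWDC)'; 64 = 'Preparing (RODC)'; 16 = 'Prepared'
                      96 = 'Redirecting'; 32 = 'Redirected'; 112 = 'Eliminating'; 48 = 'Eliminated' }
# "Local State" REG_DWORD under ...\DFSR\Parameters\SysVols\Migrating Sysvols
$LocalStateNames = @{ 4 = 'Preparing'; 5 = 'Preparing (initial sync)'; 1 = 'Prepared'
                      6 = 'Redirecting'; 2 = 'Redirected'; 7 = 'Eliminating'; 3 = 'Eliminated' }

function ConvertTo-StateName {
    param($Value, [hashtable]$Map)
    if ($null -eq $Value) { return '<not set>' }          # cleared by the final cleanup task after Eliminated
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "unknown ($Value)"                              # e.g. the undo states, listed above without values
}

function Get-SysvolMigrationState {
    $domain = Get-ADDomain
    $global = Get-ADObject -Identity "CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)" `
        -Properties 'msDFSR-Flags'
    $globalName = ConvertTo-StateName $global.'msDFSR-Flags' $GlobalFlagNames
    foreach ($dc in Get-ADDomainController -Filter *) {
        # CN=DFSR-LocalSettings sits directly under the DC's computer object
        $local = Get-ADObject -SearchBase $dc.ComputerObjectDN -SearchScope OneLevel `
            -LDAPFilter '(cn=DFSR-LocalSettings)' -Properties 'msDFSR-Flags'
        $reg = try {
            Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols' `
                    -ErrorAction SilentlyContinue).'Local State'
            }
        } catch { $null }
        [pscustomobject]@{
            DC          = $dc.HostName
            RODC        = $dc.IsReadOnly
            GlobalFlags = $globalName
            LocalFlags  = ConvertTo-StateName $local.'msDFSR-Flags' $LocalFlagNames
            LocalState  = ConvertTo-StateName $reg $LocalStateNames
        }
    }
}

# Usage: Get-SysvolMigrationState | Format-Table -AutoSize
```

A DC whose LocalFlags already match the global target but whose LocalState is still a transitional value (4, 5, 6 or 7) has received the AD change and is working through it; one whose LocalFlags lag the global value has not yet received the change via AD replication or the 5-minute DFSR poll.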

Q: I’m not a huge fan of Ultrasound. Are there any other ways to validate the health of SYSVOL prior to and after migration?

A: Sure thing – already discussed in a TechNet blog post here (Verifying File Replication during the Windows Server 2008 DFSR SYSVOL Migration – Down and Dirty Style).

Q: Are there any migration KBs or bugs I need to worry about?

A: One KB, with a simple solution, for domains that have non-standard (and frankly, no safer than default) security configurations: http://support.microsoft.com/kb/2567421 (Manage Auditing and Security Log user right required)

CAUSE: The default user rights assignment “Manage Auditing and Security Log” (SeSecurityPrivilege) has been removed from the built-in Administrators group. Removing this user right from Administrators on domain controllers is not supported, and will cause DFSR SYSVOL migration to fail. DFSR migration must be run by a user who is a member of the built-in Administrators group in that domain. All DCs are automatically members of the built-in Administrators group.

The Lazy Way To Do Active Directory Inventory

From time to time admins have to run an inventory of what is running in the AD environment. This is good practice for audits, for removing decommissioned servers, or for any other good reason. The details typically required are when the computer/server was created, when it was last logged into, its OS and service pack, and its OU, if any structure was applied to the OUs.

Luckily PowerShell can provide all of that information in a nice .csv file which can be later edited in Excel to do filtering as needed.

Open up PowerShell in Admin mode on the DC or create a session if doing this remotely.
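The post's own script is not reproduced on the page, so the following is an added example of the export it describes, not the author's code. It pulls the created date, last logon, OS, service pack and OU for every computer object into a CSV, and adds a stale-object filter over the same data. It assumes RSAT-AD-PowerShell and a Domain Admin console on a DC or in a remote session; the output path and function names are this example's own.

```powershell
# Added example (not the post's own script). Assumes RSAT-AD-PowerShell.
Import-Module ActiveDirectory

function Get-AdComputerInventory {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$OutFile = "$env:USERPROFILE\Desktop\AD-ComputerInventory.csv"
    )
    $props = 'whenCreated', 'lastLogonTimestamp', 'OperatingSystem', 'OperatingSystemServicePack', 'CanonicalName', 'Enabled'
    $rows = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            # CanonicalName is domain/OU/.../Name; drop the last segment to get the OU path
            OU              = $_.CanonicalName -replace '/[^/]+$', ''
            Created         = $_.whenCreated
            # lastLogonTimestamp is replicated to all DCs (updated only about every 14 days); empty = never logged on
            LastLogon       = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            OperatingSystem = $_.OperatingSystem
            ServicePack     = $_.OperatingSystemServicePack
            Enabled         = $_.Enabled
        }
    }
    $rows | Sort-Object OU, Name | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    Write-Host "$(@($rows).Count) computers written to $OutFile"
    return $rows
}

# Decommissioning candidates from the same data: enabled computers with no logon in the last N days
function Get-StaleComputers {
    param([int]$Days = 90)
    Get-AdComputerInventory | Where-Object {
        $_.Enabled -and (-not $_.LastLogon -or $_.LastLogon -lt (Get-Date).AddDays(-$Days))
    }
}

# Usage:
# Get-AdComputerInventory | Out-GridView
# Get-StaleComputers -Days 120 | Format-Table Name, OU, LastLogon, OperatingSystem -AutoSize
```

Because lastLogonTimestamp is only refreshed when it is older than the replication window, treat it as "logged on at least this recently" rather than an exact timestamp when deciding what to decommission.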


Adding a security group to the Local Administrator Group in AD

Having a local administrator account on your workstations can come in handy. Sometimes you might need to log on locally to troubleshoot or to rejoin a computer to your domain. You can create a group policy that creates a local admin user and sets the local password.

Admins make a common mistake when they want to add a security group to the local Administrators group for a particular set of machines or domain wide. The mistake is to configure a Restricted Groups policy instead of just adding the group to the existing Administrators group. The result is that it wipes out any existing local Administrators memberships.

This can be accomplished with a simple GPO.

I will cover both methods for clarification. First I will cover the correct way to add the group; the second method shows how a Restricted Groups policy is created and why it is the wrong choice here.

Correct Way

CREATE THE SECURITY GROUP

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the Group a name, I used “AUTOMATION”

CREATE THE GPO

  1. Launch Group Policy Management Console.
  2. Right click the OU that you want the GPO to apply to.
  3. Select “Create a GPO…”
  4. This will Launch Group Policy Editor.
  5. Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
  6. Right Click in the blank area and select New > Local Group > Administrators (Built-in)
  7. Action: Update (This is the most important part).
  8. Add the needed security group. I have added my AUTOMATION Security Group.
  9. Click Apply.
  10. Click OK.
  11. Apply the GPO to the root of the domain OR the appropriate OU.

Incorrect Way (This is how you would create a Restricted Access Group)

Reason this is incorrect: This will wipe out any existing memberships of the Local Administrator Group. 

If you want certain members to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group of the computer.

CREATE THE SECURITY GROUP

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the Group a name, I used “SG – Local Admins”

CREATE THE GPO

  1. Open Group Policy Management Console.
  2. Right click the OU that contains the systems you want to set the local admin on
  3. Select “Create a GPO in this domain, and Link it here…”
  4. Name the GPO. I used “Set Local Administrators”
  5. Right Click the GPO and select Edit.
  6. Set the following:
    1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
    2. Right Click and select “Add Group…”
    3. Select browse and add the Administrators group
    4. Select OK
    5. Double click Administrators
    6. Select Add for “Members of this group:”
    7. Browse and find your security group. I added “SG – Local Admins”

That should be it. Now you can set which users of the domain are local administrators of their computers.
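Whichever GPO you deploy, the check that tells the two outcomes apart is the resulting membership of the local Administrators group on the targeted computers. The script below is an added example, not code from the original post: it enumerates the local Administrators group on every enabled computer under an OU through the WinNT ADSI provider (which works on clients that lack Get-LocalGroupMember) and reports whether the expected group (the post's AUTOMATION group is the default) is present and how many members remain. It assumes RSAT-AD-PowerShell and administrative rights on the targets; the function names and the OU in the usage line are this example's own.

```powershell
# Added example (not from the original post). Assumes RSAT-AD-PowerShell and admin rights on targets.
Import-Module ActiveDirectory

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
        foreach ($m in $group.psbase.Invoke('Members')) {
            # ADsPath looks like WinNT://DOMAIN/Name or WinNT://COMPUTER/Name
            $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Computer = $ComputerName
                Member   = ($path -replace '^WinNT://', '') -replace '/', '\'
            }
        }
    } catch {
        Write-Warning "$($ComputerName): $($_.Exception.Message)"
    }
}

function Test-LocalAdminGpo {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # the OU the GPO is linked to
        [string]$ExpectedGroup = 'AUTOMATION'
    )
    $pattern = '\\' + [regex]::Escape($ExpectedGroup) + '$'
    foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
        $members = @(Get-LocalAdminMembers -ComputerName $c.DNSHostName)
        [pscustomobject]@{
            Computer         = $c.Name
            HasExpectedGroup = [bool]($members.Member -match $pattern)
            # Restricted Groups "Members of this group" replaces the whole list, so a membership that
            # shrank to the built-in Administrator plus the new group is the sign the wrong method was used.
            MemberCount      = $members.Count
            Members          = $members.Member -join '; '
        }
    }
}

# Usage (OU name is an example):
# Test-LocalAdminGpo -SearchBase 'OU=Workstations,DC=example,DC=com' | Format-Table -AutoSize
```

Run it once before linking the GPO to capture the baseline membership, then again after a gpupdate on the targets: with the preference item set to Update, every pre-existing member should still be listed alongside the new group.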

PKI CA – Manage certificate templates

Certificate templates are a feature available on an enterprise CA. Certificate templates let you preconfigure certificate settings for enrollment (or autoenrollment). Enrollment is the process of obtaining a certificate signed by the CA; the client that has obtained a certificate through enrollment is called the enrollee.

I will show you how to create a certificate template and configure the CA to respond to enrollment requests. In this example I will create a certificate template for WinRM over HTTPS.
In a multi-domain forest, you have to make an extra configuration change to manage certificate templates. By default only Enterprise Admins or Domain Admins of the root domain can manage certificate templates, but this is not a requirement. On my side I always create a group whose members can manage the CA and the templates.

So open an adsiedit.msc console and connect to the Configuration partition. Navigate to CN=Public Key Services,CN=Services,CN=Configuration,DC=MY,DC=Domain. Edit the properties of the Certificate Templates container and open the Security tab as below. Add the group or user you want to manage certificate templates and grant Full Control.

Add the same permissions to the OID container as below.

Now accounts in GG-CAAdmins can manage certificate templates even if they are not member of enterprise admins or domain admins group.

Create certificate template

Many settings can be modified in certificate templates. I will show you only basic settings.

To manage certificate templates, open a certification authority console and right click on Certificate Templates and select Manage:

The new console lists all certificate templates stored in the domain. These are predefined certificate templates and you can’t delete them. To create a new certificate template you duplicate a predefined template and modify it to your needs.

So for my example, I want to create a certificate for WinRM over HTTPS. So right click on the Web Server template and select Duplicate template.

The Compatibility tab asks you to choose a version for the certification authority and for the certificate recipient. Each version adds or removes features in certificates. Choose the compatibility settings according to how the certificate will be used. For example, Hyper-V Replica certificates need these parameters set to Windows Server 2012.

Next choose a name for your template. I check the box Publish certificate in Active Directory so that issued certificates are stored in Active Directory.

Next you have some parameters regarding the private key. You can choose the private key usage (signature, encryption or both) or for example if it is exportable. For Hyper-V replica (same example :p), the private key must be exportable to use the same certificate on each host.

On the Cryptography tab you can choose the minimum key size and the CSP (Cryptographic Service Provider). A CSP is a library that implements the cryptographic algorithms used to encrypt and decrypt information.

Next I add a group to manage this template. I use again GG-CAAdmins group.

Because my certificate will be used by all computers of my domain, I add the Domain Computers group with enroll and autoenroll permissions.

On extensions tab, you can choose the certificate usage (Server authentication, client authentication etc.).

To finish, on the Subject Name tab you choose how the certificate subject name is filled. You have two options: manually (Supply in the request) or automatically from Active Directory information (Build from this Active Directory information). I choose to use the DNS name as the subject name. You can also add alternative subject names.

When the certificate template is set, click on Apply and it will be published in Active Directory.

Configure the CA

Now we have to tell the CA that it can issue certificates from the WinRM template. Open the certification authority console, right click Certificate Templates, and select New > Certificate Template to Issue.

Select the WinRM template and click ok.

Now the CA can issue certificates requested from the WinRM template.
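With the template published and enabled on the CA, a domain computer can enroll and put the certificate to its intended use. The script below is an added example, not code from the original post: it requests a certificate from the template (the template name "WinRM" is assumed), verifies that the issued certificate carries the Server Authentication EKU chosen on the Extensions tab, and binds it to a WinRM HTTPS listener. It assumes the PKI PowerShell module (Windows Server 2012 or later), an elevated console on a member of Domain Computers (which was granted Enroll above), and that the template builds the subject from AD as configured, so no subject is supplied in the request.

```powershell
# Added example (not from the original post). Assumes the PKI module, an elevated console,
# and a template named "WinRM" whose subject is built from AD. Function names are this example's own.
function Request-WinRMCertificate {
    param([string]$Template = 'WinRM')
    $result = Get-Certificate -Template $Template -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') {
        throw "Enrollment status is '$($result.Status)'; a Pending request needs approval by a certificate manager."
    }
    $cert = $result.Certificate
    # 1.3.6.1.5.5.7.3.1 = Server Authentication, the usage the Extensions tab should have set
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = $ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
    if (-not $serverAuth) {
        throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU; check the template's Extensions tab."
    }
    return $cert
}

function New-WinRMHttpsListener {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    # Replace any existing HTTPS listener so a renewed certificate gets bound
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet @{ Hostname = $fqdn; CertificateThumbprint = $Certificate.Thumbprint } | Out-Null
    # Open TCP 5986 (New-NetFirewallRule is available on Server 2012 and later)
    if (-not (Get-NetFirewallRule -DisplayName 'WinRM over HTTPS' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound -Protocol TCP `
            -LocalPort 5986 -Action Allow | Out-Null
    }
    # Confirms the listener answers over TLS with the new certificate
    Test-WSMan -ComputerName $fqdn -UseSSL
}

# Usage (elevated):
# $cert = Request-WinRMCertificate
# New-WinRMHttpsListener -Certificate $cert
```

If Get-Certificate returns Pending instead of Issued, the CA is configured to hold requests for a certificate manager, which is exactly the role described in the next section.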

Certificate managers

A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificates permission.
When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.
This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.
You must be a CA administrator or a member of Enterprise Admins, or equivalent, to complete this procedure.

To configure certificate manager restrictions for a CA

  1. Open the Certification Authority snap-in, and right-click the name of the CA.
  2. Click Properties, and then click the Security tab.
  3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply.
  4. Click the Certificate Managers tab.
  5. Click Restrict certificate managers, and verify that the name of the group or user is displayed.
  6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.
  7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.
  8. If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny.
  9. When you are finished configuring certificate manager restrictions, click OK or Apply.

Its Monday: Don’t get hit by WannaCry, WannaCrypt! from the weekend

An unprecedented “ransomware” cyberattack that has already hit tens of thousands of victims in 150 countries over the weekend could wreak greater havoc as more malicious variants appear and people return to their desks on Monday and power up their computers at the start of the workweek.

LIVE Map of WannaCrypt infection

WannaCrypt can leave your computer hostage

If you’re running Windows XP, 8 or Server 2003, or you aren’t sure whether the March and April patches are installed, here’s what you need to do.

IMPORTANT details about WannaCrypt:

  • It clobbered lots of sites and many computers, but it’s no longer a threat. The folks at Malwaretech.com enabled a sinkhole that’s blocking WannaCrypt. No more infections.
  • Rather than specifically rooting out WannaCrypt, you need to focus immediately on plugging the hole(s) that made WannaCrypt possible. The WannaCrypt code’s out in the wild, and a simple change would make it work again. More than that, other pieces of the Shadow Brokers trove can be used to make new, innovative malware. Get patched now.
  • As of this writing, nobody has any idea who made WannaCrypt, why they released a weapons-grade exploit to beg for chump change ($300 per infection), and how the first infection(s) appeared.
  • Microsoft released patches for Windows 10, 8.1 and 7 back in March (that’s MS17-010). Yesterday, they released patches for Windows XP, Win 8, and Server 2003 SP2.

Here’s how to see if you need patching, and how to get patched if need be.

Windows XP, Windows 8

You don’t have the patch, unless you downloaded and installed it already. Follow the links at the bottom of the Technet page to download and run the installer.

Vista

See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Look for one marked “Security Update for Windows Vista (KB4012598).” If you don’t have it, download it from the Microsoft Update Catalog, and install it.

Windows 7

See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

Here is a quick way to check whether you have the above updates:

If you have any of those patches, you’re fine. Don’t be confused: there’s no reason to download or install anything unless you have absolutely none of those patches. No, I’m not recommending that you install something. Just look at the list and see if you have any of the patches.

If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 7 (KB4012212) for 32-bit or 64-bit.

Windows 8.1

See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

2017-05 Security Monthly Quality Rollup for Windows 8.1 (KB4019215)
April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 (KB4015553)
April, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4015550)
March, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4012216)
March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213)

If you have any of those patches, you’re fine. Again, I’m not suggesting that you install anything unless all of those patches are missing.

If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213) for 32-bit or 64-bit.

See note above about Security-only patches. Again, this list is complete, I believe, and accurate.
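The check the Windows 7 and Windows 8.1 sections above describe by hand (scan the installed-updates list for any of the listed KB numbers) can be scripted. This is an added example and not part of the original post; it uses Get-HotFix, which reads the same installed-updates list Control Panel shows, and the KB numbers are exactly the ones listed above for each OS.

```powershell
# Added example (not from the original post): report whether any of the
# MS17-010-bearing updates listed above is installed on this machine.
$Win7Kbs  = 'KB4019264','KB4015552','KB4015549','KB4012215','KB4012212'
$Win81Kbs = 'KB4019215','KB4015553','KB4015550','KB4012216','KB4012213'

function Test-Ms17010Patch {
    param(
        [Parameter(Mandatory=$true)][string[]]$KnownGoodKbs,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Get-HotFix lists updates installed through the component store, which is
    # how the monthly rollups and security-only updates above are delivered
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                 Select-Object -ExpandProperty HotFixID
    $found = @($KnownGoodKbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        ComputerName = $ComputerName
        Patched      = ($found.Count -gt 0)
        MatchingKbs  = ($found -join ', ')
    }
}

# Pick the KB list that matches the OS the script is running on.
# Get-WmiObject is used so this also works on Windows 7 with PowerShell 2.0.
$os  = (Get-WmiObject Win32_OperatingSystem).Caption
$kbs = if ($os -match 'Windows 7')      { $Win7Kbs }
       elseif ($os -match 'Windows 8\.1') { $Win81Kbs }
       else { throw "Only the Windows 7 and 8.1 lists are covered here; this OS is '$os'" }

Test-Ms17010Patch -KnownGoodKbs $kbs | Format-List
```

Patched is True when at least one listed KB is present, which matches the post's rule: one is enough, you do not need all of them. Pass -ComputerName to run the same check against a remote machine you administer.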

Windows 10

Creators Update (version 1703) is OK.

Anniversary Update (version 1607) – Check your build number. If you have Build 14393.953 or later, you’re fine. If you don’t, use Windows Update to install the latest build 14393.1198. Yes, I know that violates the current MS-DEFCON 2 setting, but you need to get up to or beyond 14393.953.

Fall (er, November) Update (version 1511) – use the steps above to check your build number. You have to be at build 10586.839 or later.

RTM (“version 1507”) – same procedure, make sure you’re up to or beyond build 10240.17319.
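The build-number check for the three older Windows 10 releases can be done from PowerShell instead of the Settings app. This is an added example, not from the original post; it reads CurrentBuild and UBR (the part after the dot in numbers like 14393.953) from the registry and compares them with the minimum builds given above. The 1703 entry uses build 15063 as that release's base build, a value not stated on the page.

```powershell
# Added example (not from the original post): compare the running Windows 10
# build with the minimum builds listed above for each release.
$minimums = @{
    '1703' = [version]'15063.0'       # Creators Update: any build is OK per the post
    '1607' = [version]'14393.953'
    '1511' = [version]'10586.839'
    '1507' = [version]'10240.17319'
}

function Get-Win10Build {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # ReleaseId was introduced with 1511; its absence means the original 1507 release
    $release = if ($cv.PSObject.Properties['ReleaseId']) { $cv.ReleaseId } else { '1507' }
    $ubr = if ($cv.PSObject.Properties['UBR']) { $cv.UBR } else { 0 }
    [pscustomobject]@{
        ReleaseId = $release
        Build     = [version]("{0}.{1}" -f $cv.CurrentBuild, $ubr)
    }
}

function Test-Win10Ms17010 {
    $b = Get-Win10Build
    if (-not $minimums.ContainsKey($b.ReleaseId)) {
        throw "Release $($b.ReleaseId) is not one of the releases listed in the post"
    }
    [pscustomobject]@{
        ReleaseId = $b.ReleaseId
        Build     = $b.Build
        Required  = $minimums[$b.ReleaseId]
        Patched   = ($b.Build -ge $minimums[$b.ReleaseId])
    }
}

Test-Win10Ms17010 | Format-List
```

Comparing [version] objects rather than strings matters here: as text, "14393.1198" sorts before "14393.953", but as a version it is newer.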

What to do if your system cannot be patched?

Per the technet article, disabling SMB1.0/CIFS is the suggested workaround if you aren’t able to patch, but this will break file sharing on your network.


Easiest fixes without installing a hotfix:

In Command Prompt

For Win 7 / WS 2008 R2:

For Win 8+ / WS 2012 R2+:

Impact of workaround. The SMBv1 protocol will be disabled on the target system.

Warning: I do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
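The two command groups the section refers to (Windows 7 / Server 2008 R2 on one side, Windows 8 / Server 2012 and later on the other) are shown here as an added example; it is not the post's own snippet. It only touches SMBv1, so the warning above about SMBv2/SMBv3 is respected, and it reports the current state first so you can confirm the change after a reboot.

```powershell
# Added example (not from the original post): disable the SMBv1 server and
# client components, leaving SMBv2/SMBv3 alone. Run elevated; reboot afterwards.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $ver = [System.Environment]::OSVersion.Version
    # 6.1 = Windows 7 / Server 2008 R2; 6.2 and up = Windows 8 / Server 2012 and later
    $server = if ($ver -ge [version]'6.2') {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
        if ($null -eq $v) { $true } else { [bool]$v.SMB1 }   # no value at all means enabled
    }
    # Client side: the SMB1 redirector driver. "Disabled" is what we want to see.
    $client = (Get-WmiObject Win32_SystemDriver -Filter "Name='mrxsmb10'").StartMode
    [pscustomobject]@{ Smb1ServerEnabled = $server; Smb1ClientStartMode = $client }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    $ver = [System.Environment]::OSVersion.Version
    if ($ver -ge [version]'6.2') {
        # Windows 8 / Server 2012 and later: the SmbShare module does it directly
        if ($PSCmdlet.ShouldProcess('SMB server', 'EnableSMB1Protocol = False')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    } else {
        # Windows 7 / Server 2008 R2: the server reads the SMB1 registry value at start
        if ($PSCmdlet.ShouldProcess($LanmanParams, 'SMB1 = 0')) {
            Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
        }
    }
    # Client side on both groups: drop the workstation service's dependency on the
    # SMB1 redirector, then disable that driver
    if ($PSCmdlet.ShouldProcess('LanmanWorkstation', 'disable mrxsmb10')) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

Get-Smb1State
Disable-Smb1 -WhatIf    # remove -WhatIf to apply the change, then reboot and re-run Get-Smb1State
```

Before applying this on a file server, check Get-SmbSession / the clients you know about for anything that can only speak SMBv1 (old NAS boxes, printers with scan-to-share), because those will lose access once the server side is off.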

Backups??

One of the most fundamental defenses against ransomware is the ability to reliably restore from backup. If all your things get crypto’d and you can just say “oh well, it’s not fun and I need to rebuild my machine but at least I’ve only lost time” then you’re in a fundamentally better position than having lost your files (short of paying the ransom, that is).

Many (probably most) individuals and organisations alike don’t have a satisfactory backup strategy. Typically, problems include:

  1. They’re not taking backups at all
  2. They’re backing up over existing backups and writing corrupted files over good ones
  3. They’re not backing up frequently enough (it must be fully automated)
  4. They’re only backing up to connected devices accessible by malicious software

Ideally, you want a 3-2-1 backup strategy which means at least 3 total copies of your data, 2 of which are local but on different mediums (such as external storage devices) and 1 which is offsite. There are professional cloud backup services available which will keep versioned copies of all your things and allow you to rollback to any point in time (no, Dropbox alone won’t do that). There are cheap external devices with large capacities you can physically rotate and store with a trusted relative. It’s another topic altogether, but just consider your ability to recover from these scenarios:

  1. All your files become corrupted (or encrypted) and replicated to your backup devices
  2. Everything that can communicate with your machine gets hosed
  3. A thief steals all your devices or your house burns down

Resilience against all of these isn’t hard, but it takes planning. Also, “backup” is important but what’s really important is “restore” so do test that as well.

Look at Microsoft’s site for the latest updates:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

How To Remove WannaCry

As with all tutorials, please read each step individually, and only act upon it when understood.

  1. The first thing you need to do is enter Safe Mode. Here is how to do that for Windows XP/7, 8/8.1, and 10.

Windows XP and 7: Before Windows starts, hit the F8 key. Once the boot menu appears, look for and select Safe Mode with Networking, then press Enter.

Windows 8 and 8.1: Go to the Start Menu >> Control Panel, then Administrative Tools >> System Configuration. Find and tick Safe Boot, select Networking, and then Restart. Your computer should now boot into Safe Mode.

Windows 10: Go to Start Menu >> Settings >> Update and Security >> Recovery. Next, under Advanced Startup, click Restart Now and allow your computer to restart.

When the Choose an Option screen appears, go to Troubleshoot >> Advanced Options >> Startup Settings, choose the Enable Safe Mode with Networking option and press Enter to boot into Safe Mode.

Note: Depending on your computer, there’s always the chance that some key other than F8 is the boot key. If that is so, look for advice in the manufacturer’s literature or online.


Removing Processes

2. This next step requires that you look for processes which may relate to the WannaCry ransomware. To start, press Ctrl + Shift + Esc, which opens Task Manager. Then look through the Processes tab carefully for unfamiliar entries.

Usually, a malicious process will consume large amounts of resources, such as CPU and RAM. If you discover something which looks out of the ordinary, right-click it and open the file’s location, then delete everything there. Only do this if you are sure that the process is WannaCry related.

Startup Programs

3. Now, we’re going to look at Startup Programs. To do so, type System Configuration into the Windows search bar, select the first result, go to the Startup tab and look through the list of programs.

If you are a Windows 10 user, its Startup Programs can be seen in Task Manager instead. On all versions of Windows, if any entry has an unknown developer or just looks wrong, uncheck it and click OK.

The Registry

4. Next we’re going to take a look at the registry. To do that, open the Run window (press WinKey + R), type regedit and hit Enter.

When the Registry Editor launches, press Ctrl + F and type the name of the virus, Ransom.CryptXXX or WannaCry. Now select Find Next and remove whatever is returned that relates to that name. Repeat this for all of the search results.

Virus Files

5. Finally, you need to delete other potential virus files. Open the Start Menu and type each of the following individually: %AppData%, %LocalAppData%, %ProgramData%, %WinDir%, %Temp%.

When each opens, sort its contents by date and delete the most recent folders and files. Furthermore, when you access the Temp folder, remove everything from it.
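Steps 2 to 5 above are manual inspections of processes, autostart entries, Run keys and recently written files. The script below is an added example (not part of the original tutorial) that collects the same information in one read-only pass, so you can review it before deleting anything; it removes nothing itself. It needs PowerShell 3.0 or later, and it searches only the Run/RunOnce keys rather than the whole registry, because that is where an autostart entry would normally appear.

```powershell
# Added example (not from the original post): read-only triage of the places
# the removal steps say to inspect by hand. Review the output; delete manually.
function Get-AutostartEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-TopProcesses([int]$Count = 10) {
    # The tutorial's hint: a malicious process tends to burn CPU and memory
    Get-Process | Sort-Object CPU -Descending |
        Select-Object -First $Count Id, ProcessName, CPU, WorkingSet64, Path
}

function Get-RecentExecutables([int]$Hours = 24) {
    $cutoff = (Get-Date).AddHours(-$Hours)
    # Same folders as step 5; %WinDir% is limited to its Temp subfolder because a
    # full recursive scan of the Windows directory takes a long time
    $dirs = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
            (Join-Path $env:windir 'Temp'), $env:TEMP
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem -Path $d -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff -and
                           $_.Extension -in '.exe','.dll','.bat','.cmd','.vbs','.js','.ps1' } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Find-AutostartString([string]$Pattern) {
    # Scripted version of step 4's Ctrl+F, restricted to the Run/RunOnce keys
    Get-AutostartEntries | Where-Object { $_.Name -match $Pattern -or $_.Command -match $Pattern }
}

'== Autostart entries =='
Get-AutostartEntries | Format-Table -AutoSize
'== Top processes by CPU =='
Get-TopProcesses | Format-Table -AutoSize
'== Executables written in the last 24 hours =='
Get-RecentExecutables | Format-Table -AutoSize
'== Autostart entries mentioning WannaCry / CryptXXX =='
Find-AutostartString 'WannaCry|CryptXXX' | Format-Table -AutoSize
```

An entry in the "recent executables" list is not automatically malicious (Windows Update and browser updaters write there too), which is why the script stops at listing: compare the path and publisher before removing anything.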

There have been reports that the SpyHunter software does manage the threat effectively. Although it will require you to purchase it, the free version will only inform you if you are infected. I am not promoting or recommending the product as I have not tested it.

Lists all users last logon time

As administrators, we often want to check which users have not logged in for quite a while, or which accounts recently accessed a system.

The following script lists all users and their last logon time. With the lastloggeduser.csv file we can get fancy in Excel to find differences based on age and more.
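The post's own script is not on the page, so here is an added example that does the same job. It is not the author's code. It assumes the ActiveDirectory RSAT module and a domain account that can read user objects, and it writes lastloggeduser.csv in the current folder. It queries every domain controller because the lastLogon attribute is not replicated: each DC only knows about logons it handled itself, whereas the replicated LastLogonDate (lastLogonTimestamp) can lag by up to 14 days, so it is only used as a fallback.

```powershell
# Added example (not the post's script): newest logon per user across all DCs,
# exported to lastloggeduser.csv. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UserLastLogon {
    param([string]$OutFile = '.\lastloggeduser.csv')
    $dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $latest = @{}   # SamAccountName -> best record seen so far

    foreach ($dc in $dcs) {
        try {
            $users = Get-ADUser -Filter * -Server $dc -Properties lastLogon, LastLogonDate -ErrorAction Stop
        } catch {
            Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($u in $users) {
            # lastLogon is a FILETIME; 0 means this DC never saw the user log on
            $t = if ($u.lastLogon -gt 0) { [DateTime]::FromFileTime($u.lastLogon) } else { $u.LastLogonDate }
            $cur = $latest[$u.SamAccountName]
            if ($null -eq $cur -or ($t -and ($null -eq $cur.LastLogon -or $t -gt $cur.LastLogon))) {
                $latest[$u.SamAccountName] = [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Name           = $u.Name
                    Enabled        = $u.Enabled
                    LastLogon      = $t
                    SeenOnDC       = if ($t) { $dc } else { $null }
                }
            }
        }
    }

    $rows = $latest.Values | Sort-Object LastLogon
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    $rows
}

# Example use: accounts with no logon in 90 days (or never), the usual stale-account review
Get-UserLastLogon |
    Where-Object { -not $_.LastLogon -or $_.LastLogon -lt (Get-Date).AddDays(-90) } |
    Format-Table SamAccountName, Name, Enabled, LastLogon, SeenOnDC -AutoSize
```

A user with an empty LastLogon in the CSV has never logged on interactively anywhere the DCs remember; treat enabled accounts in that state as candidates for disabling, not as harmless.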


Resolve IP Addresses from List of Host Names

If you have a list of hostnames/servers that you need IP addresses for, it’s cumbersome to ping each server and read off the IP address.

PowerShell to the rescue!

To do this we need a file called Servers.txt with each server’s hostname on its own line. I am storing the file at D:\Data\Servers.txt.

Once we run the script below, it resolves each IP via DNS and stores the results in another file called D:\Data\Addresses.txt.

All the IP addresses are pulled from their DNS records.
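The post's script is missing from the page; the block below is an added example that does what the text describes and is not the author's code. It reads D:\Data\Servers.txt, writes hostname, address and status to D:\Data\Addresses.txt, and keeps the names that fail to resolve in the output instead of silently dropping them. It uses the .NET resolver so it runs on any PowerShell version; note that this consults the hosts file as well as DNS.

```powershell
# Added example (not the post's script): resolve a list of host names to IPv4
# addresses and write the results to a file, one "host,ip,status" line each.
function Resolve-HostList {
    param(
        [string]$InFile  = 'D:\Data\Servers.txt',
        [string]$OutFile = 'D:\Data\Addresses.txt'
    )
    $results = foreach ($line in Get-Content $InFile) {
        $name = $line.Trim()
        if (-not $name) { continue }          # skip blank lines
        try {
            # System resolver: DNS, then the hosts file. Resolve-DnsName would be
            # the cmdlet alternative but needs Windows 8 / Server 2012 or later.
            $ips = [System.Net.Dns]::GetHostAddresses($name) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' } |   # IPv4 only
                   ForEach-Object { $_.IPAddressToString }
            [pscustomobject]@{ HostName = $name; IPAddress = ($ips -join ';'); Status = 'OK' }
        } catch {
            # Typically "No such host is known" for stale entries in the list
            [pscustomobject]@{ HostName = $name; IPAddress = ''; Status = $_.Exception.Message }
        }
    }
    $results | ForEach-Object { '{0},{1},{2}' -f $_.HostName, $_.IPAddress, $_.Status } |
        Set-Content -Path $OutFile
    $results
}

Resolve-HostList | Format-Table -AutoSize
```

Hosts with more than one A record come back with the addresses joined by semicolons, which is usually what you want when the point is an inventory rather than a single target to ping.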

Connecting to a remote domain controller using PowerShell

Covering one of the basic day-to-day tasks of a Windows administrator: connecting to the domain controller. I try to minimize logging onto servers as much as possible. Your thinking should be around connecting to the server remotely and doing the work as needed instead of logging on to it locally.

The first step is to find all of your domain controllers and allow remote connections to them.

Log on to one of your domain controllers and open PowerShell:

You need to do this once on each domain controller so you can remotely connect to each of them later.

You can read more about WinRM here

Once that is done you are ready to connect to your domain controller.

Make sure your system is configured to run PowerShell scripts.

Copy the content below and paste it into your PowerShell editor. Replace the value “yourdomaincontroller” with your actual DC server name.

Now all commands you enter will be applied to the DC.

To check whether your connection is successful, try the command below to get a list of all of your domain controllers.
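The commands this section refers to are missing from the page, so here is an added example of the whole flow; it is not the author's snippet. It assumes WinRM is enabled on each DC (Enable-PSRemoting, run once per DC as the text says; Server 2012 and later have it on by default), that your account is a domain admin, and that the ActiveDirectory module is present on the DC. “yourdomaincontroller” is the placeholder from the post.

```powershell
# Added example (not the post's own commands).
# Step 1, run once on each DC (elevated): Enable-PSRemoting -Force
# Step 2, on your admin workstation:
$Dc = 'yourdomaincontroller'   # replace with your DC's host name

# Allow locally written scripts to run; downloaded ones still need a signature
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Interactive use: after this, every command you type runs on the DC until Exit-PSSession
#   Enter-PSSession -ComputerName $Dc

# Scripted use: one reusable session, torn down when done
$session = New-PSSession -ComputerName $Dc -ErrorAction Stop
try {
    Invoke-Command -Session $session -ScriptBlock {
        Import-Module ActiveDirectory
        # Connection check from the text: list every DC in the domain
        Get-ADDomainController -Filter * |
            Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, OperationMasterRoles
    } | Format-Table -AutoSize
} finally {
    Remove-PSSession $session
}
```

New-PSSession fails fast with an access-denied or WinRM error if the DC was skipped in step 1, which is a clearer signal than a hanging Enter-PSSession. Remoting sessions use Kerberos by default when you address the DC by its domain name, so there is no credential prompt to script around.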

A Beginner’s Guide to Checksum

Are you wondering what a checksum is? You may have noticed that when you download files from certain websites, they have a very long string of numbers and letters called a checksum or MD5 checksum or SHA-1, etc. These really long strings basically act as fingerprints for that particular file, whether it be an EXE, ISO, ZIP, etc.

Checksums are used to ensure the integrity of a file after it has been transmitted from one storage device to another. This can be across the Internet or simply between two computers on the same network. Either way, if you want to ensure that the transmitted file is exactly the same as the source file, you can use a checksum.

The checksum is calculated using a hash function and is normally posted along with the download. To verify the integrity of the file, a user calculates the checksum using a checksum calculator program and then compares the two to make sure they match.

Checksums are used not only to ensure a corrupt-free transmission, but also to ensure that the file has not been tampered with. When a good checksum algorithm is used, even a tiny change to the file will result in a completely different checksum value.

The most common checksums are MD5 and SHA-1, but both have been found to have vulnerabilities. This means that malicious tampering can lead to two different files having the same computed hash. Due to these security concerns, the newer SHA-2 is considered the best cryptographic hash function since no attack has been demonstrated on it as of yet.

About 99.9% of the time, you really don’t need to care or worry about checksums when downloading files off the Internet. However, if you are downloading something sensitive like anti-virus or privacy software like Tor, it’s probably a good idea to verify the checksum because hackers can create malware-infested versions of critical software in order to gain full access to a system.

Windows has a built-in checksum utility and it is very easy to use:

It can also calculate MD2, MD4, MD5, SHA1, SHA256, SHA384 and SHA512.

Download Microsoft File Checksum Integrity Verifier

The MD5 & SHA Checksum Utility is my favorite utility for working with checksums because it has all the features I need in the free version.
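The verification the guide describes (compute the hash, compare it with the published one) can be done without any third-party tool. This is an added example, not from the original post: it uses the Get-FileHash cmdlet (PowerShell 4.0 and later), builds a small sample file so it runs anywhere, and compares against a known SHA-256 value; the expected hash for the sample text is a fact, not taken from the page.

```powershell
# Added example (not from the original post): compute a file's hash and compare it
# with the value a download page publishes.
function Test-FileChecksum {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Expected,
        [ValidateSet('MD5','SHA1','SHA256','SHA384','SHA512')][string]$Algorithm = 'SHA256'
    )
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    [pscustomobject]@{
        File      = $Path
        Algorithm = $Algorithm
        Expected  = $Expected.Trim().ToUpper()
        Actual    = $actual
        # Published values are often lowercase; PowerShell's -eq ignores case
        Match     = ($actual -eq $Expected.Trim())
    }
}

# Constructed sample: a file containing the ASCII text "hello world" with no newline.
# Its SHA-256 is well known, so it stands in for a vendor's published checksum.
$sample = Join-Path $env:TEMP 'checksum-demo.txt'
[System.IO.File]::WriteAllText($sample, 'hello world')   # UTF-8, no BOM
$published = 'b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9'

Test-FileChecksum -Path $sample -Expected $published
# One changed character in the file or in the published value is enough to break the match
Test-FileChecksum -Path $sample -Expected ('0' + $published.Substring(1))

# The older built-in way, present on every Windows version (this is the utility the
# text above refers to; certutil also supports MD2 and MD4):
#   certutil -hashfile C:\path\to\file SHA256
```

The first call reports a match and the second does not. Get a published checksum from the vendor's own site over HTTPS, not from the same mirror that served the file: a mirror that can swap the file can swap the checksum next to it just as easily.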


Outlook 2016: Remove Duplicate entries in Room Finder

In Outlook 2016 some users may notice duplicate entries in the Room List:

The room list behavior that we see in Outlook is by design. When we use a Room List for a meeting, it is stored in the Most Recently Used entries in the registry. When we create a new meeting, we will see this MRU entry at the top of the Room Lists. The same Room List will be seen again in the drop-down that is populated from Exchange Server / Exchange Online.

To prevent the duplicate entries in the Room List, create the registry entries below with blank data to disable the Most Recently Used Room List in Outlook.

Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Preferences

Value: RoomFinderRecentRooms
Value: RoomFinderRecentRoomList

If these entries already exist, just empty their data.
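The registry change above as an added PowerShell example (not part of the original post). It creates the two values under the path given, or empties them if they already exist, and shows the result. It assumes the values are REG_SZ strings; if you find them already present with another type, keep that type and only blank the data. Run it as the affected user with Outlook closed.

```powershell
# Added example (not from the original post): blank the Outlook 2016 Room Finder
# MRU values so the recently used room list no longer duplicates the server list.
$path  = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Outlook\Preferences'
$names = 'RoomFinderRecentRooms', 'RoomFinderRecentRoomList'

function Clear-RoomFinderMru {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($n in $names) {
        $existing = Get-ItemProperty -Path $path -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            # Assumed type: String (REG_SZ) with empty data
            New-ItemProperty -Path $path -Name $n -PropertyType String -Value '' | Out-Null
        } else {
            Set-ItemProperty -Path $path -Name $n -Value ''   # keeps the existing type
        }
    }
    Get-ItemProperty -Path $path | Select-Object $names
}

Clear-RoomFinderMru
```

Because the values live under HKEY_CURRENT_USER, the change applies per user; to roll it out to everyone, deliver the same two values through a Group Policy registry preference rather than running the script on each machine.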

After Outlook Restart:

Only a single instance of each room list now shows! 🙂