There’s a very good list of all of the service accounts required for System Center 2012 at http://systemscentre.blogspot.co.uk/2012/05/system-cennter-2012-service-accounts.html.
Category: Uncategorized
Want to know which Active Directory Groups you are a member of ?
If you want to know which Active Directory Groups you are a member of and you do not have access to AD, simply open up a command prompt and type
whoami /groups
Nice little trick if you are doing deskside support and want to quickly check that the user is in the right groups
Use PowerShell to sync all Active Directory sites
Here’s a quick script for you to synchronise your entire domain
Import-Module ActiveDirectory
$DCs = Get-ADDomainController -Filter *
Foreach ($DC in $DCs) {
$replicate = ‘repadmin /syncall /A /d /e ‘+$DC
iex $replicate
}
Just save it as a ps1 file and run it on any machine with the AD remote server admin tools installed or even a domain controller. If you are delegating rights, delegate them at the root of the domain in Active Dircetory Users and Computers and for each context that you want to replicate in ADSI Edit (see http://www.msresource.net/knowledge_base/articles/how_to:_delegate_the_ability_to_manually_replicate_dcs_using_a_tool_such_as_dssite.msc_or_replmon.html).
if you only want to replicate part of the topology, use the code below:
Import-Module ActiveDirectory
$DCs =Get-ADDomainController -Filter *
$Char = [Char]34
$Scope = $Char + ‘DC=Domain,DC=com’ + $Char
Foreach ($DC in $DCs) {
$DC.hostname
$replicate = ‘repadmin /syncall /e ‘ + $DC + ‘ ‘ + $Scope
iex $replicate
}
Want to fully remove a feature ?
New to Windows 2012 is the ability to reduce your attack surface further by physically removing binaries from the operating system. Its really quite simple to do. Using the uninstall-windowsfeature command we append the -remove switch and that removes the install binaries from the hard drive.
If you need to add them back then, when using the install-windowsfeature command you will need to add the -source switch and make the installation source available (from a DVD or extracted ISO).
The easiest way to achieve this is to extract the sourcesSxS folder from the install DVD to a file share. The file share will need to be able to be accessed by computer accounts with Read rights. In this way, the features are available for install to any server if they have been removed.
Did I license my server with a MAK key or a KMS key ?
Enter the following command to find out:
slmgr /dli
Quick way to restart your server
Finding it a pain to navigate to the Charms | Power | Reboot command ? Want a simpler way of restarting your server ?
start a powershell session and enter Restart-Computer.
You don’t even need Windows 2012 as it works with 2008 R2 also.
Of course, if you are really lazy you can just type the word “restart” – that works just as well 🙂
Restoring the GUI in Windows Server 2012
If you want to restore the GUI in Windows Server 2012 (and you didn’t install in core mode) you can use the following command
Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra -restore
If you did install core, you need to have the CD / ISO inserted or mounted and append the -Source switch to tell it where to get the files to perform the install of the GUI from. i.e. you enter:
Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra -Source C:Source -restart
List a computers IP addresses easily
Now, we all know how to get a computers IP address, right . You enter ipconfig and press return. So far so good. But what if a computer has multiple NICs as they something’s do. Then it can be a bit of a chore sorting the wheat from the chaff. So, here’s a tip for just showing the IPV4 addresses. Enter the following instead.
Ipconfig | find “IPv4”
Creating remote powershell session
Simply enter the command
Enter-PSSession –ComputerName <computer name>
This will let you control a single computer remotely, if you want to control more than one computer simultaneously then enter a command similar to the below
Invoke-Command -ScriptBlock { Get-EventLog System -Newest 5 } -Computername compname1,compname2,compname3
Where the command between the braces is the command you would like to run against the remote servers
Don’t forget, you can still enter commands against a remote computer with WinRM enabled (it’s enabled by default in Windows 2012) by entering the command:
winrs -r:<servername> <command to run>
<command to run> could even be powershell.exe to create a remote powershell session !
How can I tell if DirectAccess thinks I am internal or external to the LAN ?
DirectAcces allows you to connect to your LAN transparently from the internet. It does this through UAG when you do not have a full IPv6 deployment.
DirectAccess checks whether or not it has access to your server identified as your network locator service, typically through the URL https://nls.domain.com. This is excluded from the NRPT table for external clients and the name is not published or made available over the internet. So, if you can connect to to this site then you must be internal, right ? That’s pretty much correct, unless you are not using IIS for your NLS web site. DirectAccess relies not only on a 200 response from the web server (connectivity) but also upon the receipt of a properly formatted page. Just opening the page in Internet Explorer may not indicate any issue with the page itself as IE may mask the issues to present the page.
The way to know whether or not the NRPT table is in use (and hence whether DirectAccess believes itself to be internal or external to the LAN) is to run the command
netsh namespace show effectivepolicy
From an administrative command prompt. If the workstation or laptop believes itself to be on the LAN then no table will be created and the output of the command will be similar to the below.
However, running the same command when the machine is internal will produce output similar to the below.
This indicates that the NRPT table is being created and, above, you can see two entries (one for the NLS server and one for the UAG device) which should not be passed to the internal network.
If you deploy DirectAccess and internal clients which are subject to the DirectAccess GPO begin to have difficulty connecting to resources while on the LAN it may be that they cannot correctly connect with the Network Location Server and therefore build their NRPT table and attempt to pass all traffic through the public interface of the UAG device. If this cannot be contacted then communications from the client will fail. If it can be contacted and large numbers of end points are affected, performance may suffer as multiple internal clients route through the external interface.
If you want to set the policy that could be applied to a client once it leaves the LAN, simply enter the command
netsh namespace show policy
Philip Flint 