Friday, December 20, 2019

How to migrate from FRS to DFS on a domain

Ensure AD and FRS are known to be healthy on all domain controllers. Ensure SYSVOL and NETLOGON are shared on all DCs.

Migrate to Prepared State - You will migrate to the Prepared state, where both FRS and DFSR are replicating their own individual copies of SYSVOL, but the FRS copy mounts the SYSVOL and Netlogon shares. On the PDC Emulator domain controller, run (as an elevated domain admin):
Dfsrmig /setglobalstate 1

Run the following to force AD to sync.
dfsrdiag pollad
repadmin /syncall /AdeP
Dfsrmig /setglobalstate 1

Wait for this AD value on the PDCE to converge on all domain controllers. Use the following command to see progress:
Dfsrmig /getmigrationstate

Migrate to Redirected State - You will migrate to the Redirected state, where both FRS and DFSR are replicating their own individual copies of SYSVOL, but the DFSR copy mounts the SYSVOL and Netlogon shares. On the PDC Emulator domain controller, run (as an elevated domain admin): 
Dfsrmig /setglobalstate 2

Wait for this AD value on the PDCE to converge on all domain controllers. Use the following command to see progress: 
Dfsrmig /getmigrationstate

Migrate to Eliminated State - You will migrate to the Eliminated state, where DFSR is replicating SYSVOL and FRS is removed. Unlike the Prepared and Redirected states, there is no way to go backwards from this step - once executed, FRS is permanently stopped and cannot be configured again. On the PDC Emulator domain controller, run (as an elevated domain admin):
Dfsrmig /setglobalstate 3

Wait for this AD value on the PDCE to converge on all domain controllers, then for DFSR to switch to Eliminated state on each domain controller and update AD, and finally for that value to replicate back to the PDCE. Use the following command to see progress: 
Dfsrmig /getmigrationstate

Wednesday, December 11, 2019

WSUS Troubleshooting

gpupdate /force

Check GPO-
gpresult /r
gpresult /h gpreport.html

Check Windows Update Server-
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate


Thursday, October 3, 2019

Reset password or unlock account on VMware appliances

Reboot, press e.

Add "rw init=/bin/bash" to the Linux command, then press F10.
mount -o remount,rw /

To reset pw-
passwd

To unlock-
/sbin/pam_tally2 -r -u root

umount /
reboot -f


Wednesday, July 3, 2019

Cisco Anyconnect, users intermittently do not have DNS Resolution

This is a bug, tracked as CSCtf20226 and CSCtz86314. You can work around it by bypassing IPv6.

Under the group policy for the VPN-
client-bypass-protocol enable

Wednesday, May 15, 2019

Cisco ASA ASDM IDM Launcher Won't Run on Windows 10 "this app can't run on your pc"

Go to Start, Cisco ASDM-IDM Launcher, right click the launcher and go to Open file location.

Right click on the shortcut and go to Properties. In the Target field, you'll see a long path to wscript.exe. Change this to C:\Windows\System32\wscript.exe (note - leave everything else alone, including the invisible.vbs run.bat on the end, as these scripts are used to open up ASDM).


Tuesday, April 2, 2019

How to disable TLS 1.0 and TLS 1.1 on ASA

ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
ssl dh-group group14

Then go to https://www.ssllabs.com/ssltest to test.
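
As an offline complement to the SSL Labs scan, here is an added example (not part of the original post) that parses the four ssl lines above and reports what they still allow. The helper name audit_ssl_config and the report keys are hypothetical; the suite classification relies only on the OpenSSL-style names used in the config.

```python
import re

# The four lines from the post, embedded as constructed sample input.
ASA_SSL_CONFIG = """\
ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
ssl dh-group group14
"""

VERSION_RE = re.compile(r'^ssl server-version (\S+)$')
CIPHER_RE = re.compile(r'^ssl cipher (\S+) custom "([^"]*)"$')


def audit_ssl_config(config):
    """Hypothetical helper: summarise what a set of ASA ssl lines still allows."""
    report = {
        "server_version": None,
        # Assumption: with no server-version line, nothing restricts old versions.
        "legacy_version_allowed": True,
        "no_forward_secrecy": [],  # key exchange is not (EC)DHE
        "non_aead": [],            # neither GCM nor ChaCha20-Poly1305
        "sha1_mac": [],            # suite name ends in -SHA (HMAC-SHA1)
    }
    for raw in config.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)
        if m:
            report["server_version"] = m.group(1)
            # tlsv1 and tlsv1.1 are the versions the post sets out to disable.
            report["legacy_version_allowed"] = m.group(1) in ("tlsv1", "tlsv1.1")
            continue
        m = CIPHER_RE.match(line)
        if not m:
            continue
        proto = m.group(1)
        for suite in m.group(2).split():
            entry = (proto, suite)
            if not suite.startswith(("ECDHE-", "DHE-")):
                report["no_forward_secrecy"].append(entry)
            if "-GCM-" not in suite and "CHACHA20" not in suite:
                report["non_aead"].append(entry)
            if suite.endswith("-SHA"):
                report["sha1_mac"].append(entry)
    return report


if __name__ == "__main__":
    for key, value in audit_ssl_config(ASA_SSL_CONFIG).items():
        print(f"{key}: {value}")
```

For the config in this post, every suite uses (EC)DHE key exchange, three of the six TLS 1.2 suites are non-AEAD (CBC) fallbacks, and both DTLS suites use a SHA-1 MAC.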

Friday, March 22, 2019

Web Management Service (WMSVC) Won't Start, Exchange Update Fails, Event ID 1007

You may notice this when installing an Exchange 2013/2016 CU. You get-

Error:
The following error was generated when "$error.Clear(); 
          $keyPath = "HKLM:\Software\Microsoft\WebManagement\Server";
          if (!(Get-Item $keyPath -ErrorAction SilentlyContinue))
          {
            New-Item $keyPath -Force
          }
          Set-ItemProperty -path $keyPath -name "EnableRemoteManagement" -value 0x1 -Type DWORD -Force;

          if (Get-Service WMSVC* | ?{$_.Name -eq 'WMSVC'})
          {
            Set-Service WMSVC -StartupType Automatic
            Stop-SetupService -ServiceName WMSVC;
            Start-SetupService -ServiceName WMSVC
          }
        " was run: "Microsoft.Exchange.Configuration.Tasks.ServiceDidNotReachStatusException: Service 'WMSVC' failed to reach status 'Running' on this server.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)


You may see Event ID 1007 in the Event Log-
The description for Event ID 1007 from source Microsoft-Windows-IIS-IISManager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE

Unable to read the certificate with thumbprint 'a86cfd8dfd664487ae20e3a5fbcc5e762cf6f1ea'.  Please make sure the SSL certificate exists and that is correctly configured in the Management Service page.

This may be because you are missing the WMSVC Certificate. 

To resolve, open IIS, click on the server name on the left, click "Server Certificates"-



Click "Create Self-Signed Certificate", specify the name "WMSVC", and hit OK.


Click on Management Service.



Change the "SSL Certificate" to WMSVC.  Click Apply.  Start the Web Management Service.