How to reduce RDS CALs using WMI privider

Credit: TP (MVP)

Taken from: Technet Forum

You may uninstall license keypacks, reduce the number of install licenses, etc, using the Remote Desktop License Server WMI Provider.  For example, if you just need to reduce the installed count of one of the packs from 30 to 25 you could use the RemoveLicensesWithIdCount method.  Below is the documentation for the Win32_TSLicenseKeyPack Class:

http://msdn.microsoft.com/en-us/library/aa383803(v=VS.85).aspx 

Here are the basic steps for this example.

1. Get a list of installed keypacks.  Open a administrator command prompt and then enter the following commands:

wmic /namespace:\\root\CIMV2 PATH Win32_TSLicenseKeyPack>keypacks.txt

notepad keypacks.txt

2. Let's say you look at the keypacks.txt file and see that the keypack you want to modify is KeyPackId 3, and that you want to uninstall 5 licenses.  In that case you would enter a command similar to this:

wmic /namespace:\\root\CIMV2 PATH Win32_TSLicenseKeyPack CALL RemoveLicensesWithIdCount 3,5

Another example, say you want to uninstall the keypack (id 3 in our example).  Instead of the command in step 2 above, you would enter a command similar to this:

wmic /namespace:\\root\CIMV2 PATH Win32_TSLicenseKeyPack CALL UninstallLicenseKeyPackWithId 3

An alternative to the above is to Deactivate the licensing server, uninstall the RD/TS Licensing Role Service/reinstall the Role Service, Activate, and install your license pack(s) again.  This wipes out the license server database and recreates it.  You may need to contact the Clearinghouse if you get an error when re-installing your license pack(s).

Kerberos event 4/Target account name is incorrect/ troubleshooting

This error is reported whenever the service provider (e.g. file server) cannot decrypt a service ticket that was sent to it. This is caused by the fact that the ticket was encrypted by one machine then sent to a different machine. In this case, the second machine doesn't have the private key to decrypt the ticket.

Troubleshooting steps

- make sure there is not duplicate SPN for the service you are trying to get. For example, if you want to access \\serverName1\sharePath and get above error; or on a file server you see kerberos event 4, you want to check if there is duplicate SPN host\serverName*. In the past, it takes a little effort to find duplicate SPNs, but started Windows7/2008, you can run setspn -X to find all duplicated SPNs in your domain

- make sure you don't have duplicate DNS entries for same server to different IPs (unless the server does have multiple IP, and all DNS entries are correct).

- if access using FQDN works but not short name (e.g. \\server.FQDN.com\sharePath works but not \\server\sharePath), and you have WINS in your environment, make sure the target server register correct 20h record (File Server) in WINS

- If your target computer has multiple names (mostly added by command netdom computername), then you should make sure you add SPNs for all the alias you have. For example, if you have a server has both names as server1 and server2, you should below spn registered in AD:

• host/server1.fqdn.com
• host/server1
• host/server2.fqdn.com
• host/server2

- make sure you don't have hosts file entries that resolve to wrong IP

- Log into the system that actually owns wrong IP, make sure it's not registering wrong name. For DNS, check NIC TCP/IP stack; for WINS, check "netdom computername localhost /enum", as well as check HKLM\CCS\Services\lanmanserver\parameters\OptionalNames

Script to reverse OU path so it can be sorted from top down - Excel macro & vb procedure

' This excel macro reverse OU path so it can be sorted from domain top to OU trees

' For example: CN=John Lan,OU=IT,OU=accounts,DC=johnlan,DC=com
' Will be reversed to: DC=com,DC=johnlan,OU=accounts,OU=IT,CN=John Lan

' if you want only a function that can reverse OU path (distinguished name), use function ReverseOU
' if you want to use it in excel, copy both ReverseOU and ReverseText as your macro

' How to use it in Excel
'
' 1. Hold down the ALT + F11 keys, and it opens the Microsoft Visual Basic for Applications window.
' 2. Click Insert > Module, and paste the following macro in the Modulewindow.
' 3. Then press F5, a dialog is displayed on the screen, and you need select a range to work with.
' 4. And then press OK, and all the text strings have been reversed.
' (c) JohnLan@gmail.com

' ReverseOU can be called from any vb script
Function ReverseOU(s)
    Dim temp
    Dim arrValue
        arrValue = Split(s, ",")
        xLen = UBound(arrValue) + 1
        'wscript.echo xLen
     
        For i = 0 To ((xLen - 1) / 2)
            'wscript.echo i
            'wscript.echo xLen-i-1
            temp = arrValue(i)
            arrValue(i) = arrValue(xLen - i - 1)
            arrValue(xLen - i - 1) = temp
            'wscript.echo "----------"
        Next
        ReverseOU = Join(arrValue, ",")
End Function

'Below is for excel
Sub ReverseText()
    Dim Rng As Range
    Dim WorkRng As Range
    On Error Resume Next
    xTitleId = "by JohnLan@gmail.com"
    Set WorkRng = Application.Selection
    Set WorkRng = Application.InputBox("Range", xTitleId, WorkRng.Address, Type:=8)
    For Each Rng In WorkRng
        xOut = ReverseOU(Rng.Value)
        Rng.Value = xOut
    Next
End Sub

Good introduction to Windows 2012 DC Claim-based Authentication

http://windowsitpro.com/windows-server-2012/enable-claims-support-windows-server-2012-active-directory

Attributes used in ANR (Ambiguous Name Resolution)

• GivenName
• Surname
• displayName
• LegacyExchangeDN
• msExchMailNickname
• RDN
• physicalDeliveryOfficeName
• proxyAddress
• sAMAccountName

How to run an ANR search:

(anr=John Doe)

(anr=J D)

(anr=J Doe) etc....

Logon Session (Console & RDP) Tracking Notes

A few notes about how Windows handles session creation/switch when I was writing an app to track user logon time. Maybe useful for somebody.

Content:
1. Observation
2. How to handle properly

=========================================
=  Observations
=========================================
disconnect from a remote session: remotedisconnect

logoff from console: logoff(user), consoledisconnect(user), consoleconnect(system)

(a system logon screen session can be identified by its "logonUI.exe" process, a subsequent logon will take over this session - meaning same session nuber. In this case, it will be only one event: sessionLogon)

lock a session: sessionLock

switch to an existing session: consoledisconnect(1st user) -> consoleconnect(system) -> consoledisconnect(system) -> consoleconnect(2nd user) -> unlock(2nd user)

unlock directly from orignal screen: consoleUnlock
if "switch user" clicked, then unlock: consoledisconnect(user)->consoleconnect(sytem takes over) -> consoledisconnect(disconnect system)-> consoleconnect(original user) -> sessionunlock(original user).

switch then a new logon: lock old user(sessionlock) -> disconnect old user(DisconnectConsole) -> System takes over(ConsoleConnect) -> new user takes over (sessionLogon)

remote disconnect: RemoteDisconnect

remote New connect:
-> remoteConnect(?)
-> sessionLogon
remote REconnect (existing logon sesseion somewhere):
-> remoteconnect(system)
-> if(existing was on console and open)
-> existingSessionDisconnect(user)
-> then system has to spawn a new session to take over (sessionConnect)
-> remoteDisconnect(system)
-> remoteconnect(user)


=========================================
=  How to handle properly
=========================================
There are many session switch that are very confusing at the first sight. For example, for a simple user switch, their may be up to 5 session switch events. The key thing to remember is whethre user has an existing session already.

- once a user obtained session #, he/she keeps that same session # unles she/he logs off. None other session switch events will change this owning relationship;
- Logically, user gets a new session # only when she/he logon
- If a user connects back on a same session or unlock a same session that he obtained prior, then only one switch envent, sessionUnlock or session logon will be fired;
- if a user takes a brand new session, or take session from others, then ConsoleDisconnect/connect will happen multiple times. Basically, TS has to break existing session from another user, connect under System, disconnect System session, then finally users takes the session

AD CA basic - study notes

1. There are 3 snapins for certificate-related management
1. on client, there is Certificates snappin, this manages the actual certificates
2. on server, you have CA snapin and Certificate Templates snapin
2. Just because you have a certificate template, doesn't mean CA is going to use it
3. In order to issue a certain type of certificate, you have to let CA know that you want to issue that type of cert:
1. In CA snapin, right click server name, New Certificate Template To Issue
2. To check the current template that your CA can issue, click on "certificate templates"
4. To manage your templates (in use/not in use), in CA snapin, expand CA server name, right click "Certificate Templates", select manage
5. After #3, you are in "Certificate Templates" snapin
1. Templates listed in here can be in use or not in use, depending on if you have perform #3 above
2. You can directly publish a built-in template, but more typically, you should clone a template, make change on clone, then publish it (not a clone any more since we have made changes)
6. For client to request:
1. on a client machine, open Certificate snapin
   Optionally you can use IIS Admin Console or certreq command line
2. Generate a request, send it to CA admin
3. CA admin approves it
4. Client enrolls the cert
7. You can automate #6 by enabling auto enrollment in group policy
8. Enterprise CA vs. Standalone CA
1. standalone CA doesn't have certificate templates
2. standalone doesn't support auto-enrollment
3. 
   

KMS, host keys, client keys, etc.

1. One KMS can host multiple host keys - for example, it can host both Windows 2012 & Office host keys at the same time
2. Host keys are confidential info for companies who bought the license; while client keys are publicly available from Microsoft's website. Client key for a product is same for all companies who chose to use KMS activation.
3. Higher host keys is inclusive in that it covers older, lower products in the same product family. For example, once you install Windows Server 2012 Enterprise Edition, you won't need separate keys to cover standard edition or Windows 2008 servers. The same key covers all.
4. Procedure that can solve vast majority of activation issues in KMS environment
1. make sure DNS is working (can resolve KMS host name correctly), or just use IP address in below commands
2. check if client is using KMS activation
1. slmgr -dlv
2. it should show in output that this is a KMS client. If it's not a KMS type client: 
1. slmgr -upk
2. slmgr -ipk "product key of the OS version/edition". 
   You can google and find the product key
3. check if your client can resolve KMS SRV record
   ping _vlmcs._TCP.yourDomain.name
   if not resolving, you can manually add this record in DNS
   if resolving, your activation should work. Go to the verification step
4. If you don't want to use SRV record, you can also manually tell OS where to find KMS host
   slmgr -skms "A record of KMS host" or
   slmgr -skms "IP of KMS host"
5. verify and active 
   slmgr -ato

Replication error'ed out with "no more endpoints"

1.       When right click “replicate now”, and the error message is “error 1753: There are no more endpoints available from the endpoint mapper”, it’s complaining the source DC not able to find a RPC endpoint from target DC. To make it more confusing, these two DCs are replicating to all their other partners - they just don’t want to replication with each other (one direction)

2.       This KB helps: http://support.microsoft.com/kb/2089874 and with good explanation too

3.       In our case, it sounds like root DC(source) was brought to a wrong child DC (target) for replication as per above KB.

4.       However when I check all related A/CNAME records, they are all CORRECT. All WINS records are correct too. Clean DNS cache on both client side and DNS server side didn’t help either

5.       It turns out it’s child’s delegated zone in root zone has incorrect glue record (right click child zone, properties, name servers tab). Windows apparently is capable of detecting such misconfiguration but chose not to auto correct, which is weird. 

Lesson learned: when a DC's CNAME or A is resolved to a wrong IP while all its references in visible zones are correct, please check the Name Servers tab of stud node (of child zone) in parent DNS server. Also, when promote/demote child DCs, or change their IPs, please make sure changes are made in the Name Servers tab too ( I mistakenly assume that dcpromo program would do that automatically)

Pin point AD object deletion in event log

Ref: Technet blog here

This has been done before object being restored.

1. Find out DN of the deleted object (using ldifde or adrestore).
   Ldifde –x –d “CN=Deleted Objects,DC=domain,DC=com” –f Deletedobj.ldf
2. Know when the object was deleted, and on which DC
   Repadmin /Showobjmeta DCname “DN of the deleted object” > Delshowmeta.txt
   In the log, find attribute isDeleted, note the time
3. Go to the source DC, in security log, find the logs at specific time. Event log IDs are
   630(2k3)/4726(2k8) for user objects
   647(2k3)/4743(2k8) for computer objects

Unable to restore deleted AD object

When follow instructions in this link to recover a deleted object, I got error message "illegal modify operation". One of the workaround in the comment worked for me (the restore-adobject method): add a -NewName argument in the restore-adobject statement.


LDAP method didn't work well as it showed only first 1000 objects under "deleted objects" container while we had way more that number.

WMI Association Class

There is a special type of WMI class called "association class". This type of class binds two normal, related classes together. A typical example is association class for NIC-related classes. For each NIC in a system, there are two WMI classes for it: Win32_NetworkAdapter & Win32_NetworkAdapterConfiguration. The former mainly includes NIC hardware info, such as speed, MAC, media connection status, etc; the later mainly includes configuration info on a NIC, such as IP, DHCP, DNS, etc. More than often, you need to obtain info from both classes, and that's where association class comes to help.

Still using NIC as our example, windows defines an association class called Win32_NetworkAdapterSetting, through which you can access info from both above-mentioned classes. An association class include two members, one called element, the other called setting. Not surprisingly, element links to a Win32_NetworkAdapter object (because it is the element) and setting links to a Win32_NetworkAdapterConfiguration object (because it is the setting stuff). Below is how you use it:

$ac = Get-WmiObject -Class win32_NetworkAdapterSetting   #gets all NIC info
$connectedAdapters = $ac | where {([wmi]$_.element).netConnectionStatus -eq 2}
$connectedAdapters | foreach {([wmi]$_.setting)|select caption, dhcpEnabled,IPaddress,dnsServerSearchOrder }

[Powershell] Try-Catch fails to catch an exception?

I was running a script that does WMI query and found that my try-catch-final statement seemed not working. The exception was still shown on console instead of handled by my catch block.

It turns out that exceptions are categorized into two groups, terminating exceptions and non-terminating exceptions. By default, try-catch intercepts only terminating exceptions. No surprisingly, get-WMIobject exceptions are non-terminating exceptions.

There are two ways to make it work. One is to make all exception terminating by below assignment:

$ErrorActionPreference = "Stop"; #Make all errors terminating


Remember to reset the preference at the end of your script as this is global.


$ErrorActionPreference = "Continue"


Or right after get-WMIobject statement, check the value of $?


if ($?){ 
        #processing block
}
else {
       throw $error[0].exception
}

Retrieving Terminal Server Configuration Settings Using Powershell

It was quite easy for Windows 2003 TS servers with Win32_TerminalServiceSetting WMI class, there are tons of documents on the Net. It took me some time, however, to find out that MS change the class considerably for Windows 2008.

It's now under a different name space root\cimv2\TerminalServices. It also requires you to specify an authentication flavour before you can gain access.

In short, you get info with below commands (w2k3 and w2k8 respectively):

gwmi Win32_TerminalServiceSetting -computername -namespace root/cimv2/TerminalServices -authentication 6

or

gwmi Win32_TerminalServiceSetting -computername [-namespace root/cimv2]

Enable LDAP over SSL Using Certificate Generated From A Different Machine

The procedure is pretty simple and well documented in KB 321051, so there is nothing special here. However the tricky part is you have to submit the request from the same DC in order to make LDAPS work because this way ensures you have the private key for the certificate.

In some cases, it could take quite a while to obtain a certificate so you want to submit the request way ahead of time - so long ahead of time that you may not have the hardware yet at the time you have to send the request.

A workaround is to submit the request from another machine - any other machine as long as you make the request right. Once you get the certifiate, install it on the requesting machine, then export it with private key, finally import onto your new DC.