Working with one of my education customers I recently had to perform some maintenance on their SQL Database server as they were running low on disk space AND had a free unused virtual disk where we could throw their tempdb onto (it was meant to go here but they didn’t place it there during installation). So I had the task of moving it over.
First step is to get an as-is of where tempdb currently is and how many fragments there are; Open up SQL Management Studio and run the following query.
-- Lists all current tempdb files and their paths
SELECT name, physical_name AS CurrentLocation
FROM sys.master_files
WHERE database_id = DB_ID (N'tempdb');
GO
Now that we have a listing (similar to our screenshot above/left), we then need to build up a query to move the database files from one drive to another. It should look something similar to the below query, changing paths and adding/removing tempdb fragments as needed (simply add more alter database statements for each file node).
USE master;
GO
ALTER DATABASE tempdb
MODIFY FILE (NAME = tempdev, FILENAME = 'F:\MSSQL14.MSSQLSERVER\MSSQL\DATA\tempdb.mdf');
GO
ALTER DATABASE tempdb
MODIFY FILE (NAME = templog, FILENAME = 'F:\MSSQL14.MSSQLSERVER\MSSQL\DATA\templog.ldf');
GO
ALTER DATABASE tempdb
MODIFY FILE (NAME = temp2, FILENAME = 'F:\MSSQL14.MSSQLSERVER\MSSQL\DATA\tempdb_mssql_2.ndf');
GO
ALTER DATABASE tempdb
MODIFY FILE (NAME = temp3, FILENAME = 'F:\MSSQL14.MSSQLSERVER\MSSQL\DATA\tempdb_mssql_3.ndf');
GO
In the above example we have specified F drive. The other thing to note is that if you have SQL Server running through a service account, that will need NTFS modify permissions to the destination. Once that is executed under the Master database context the files will then be re-created on the next SQL Server service restart.
So we’ve been deploying Firefox for quite a while pretty much everywhere we can however, only recently have we started standardising the deployments across the organisation’s that we manage. We’ve deployed Internal Root CAs using the CCK2 method to improve our user experience with Deep Packet SSL inspection however setting up configurations and extensions and having that consistent was a challenge. Recently I learnt that Mozilla begun developing Group Policy Objects not long ago and that now allows for enterprise management straight into Firefox without the fuss. In this article I’ll go through setting up uBlock Origin, HTTPS Everywhere and Privacy Badger which are our go to Extensions for end-user protection.
To deploy Firefox (or any windows application), you generally want to use an MSI based installer (for better control and management). Mozilla have now been building them for a shot while via their Enterprise Deployment Support page for beta and standard releases. If you are after the Extended Support Release (ESR), visit the FrontMotion download page (they also offer a number of other services such as a custom packager). In a managed environment you’d either use Group Policy to deploy software or System Center Configuration Manager or some other form of MDM (ala InTune). The MSI should be in a network share accessible by all machines, you would then be imported either into Policies > Software Settings > Software installation for Group Policy (then Right-Click, New > Package) or an Application under the Software Library for Config Manager and pushed out. There are much better guides than what I can fit in here so please Google if you’re unsure. In our case, I used Config Manager and since we’re upgrading and I’ve setup a Supersedence rule like below.
Once Firefox is being deployed we need to get these extensions onto the machines, so the first part is getting the URLs of the extensions you wish to deploy. Visit the add-on store and start searching for what you’re after. For our example, as mentioned we will be installing uBlock Origin, Privacy Badger and HTTPS everywhere. When you are at the add-on page, right-click on the Add to Firefox button and select Copy Link Location and save that for later. Once you have your list of Extensions it should look like something similar to the below (I’ve removed the tracking string at the end).
Next is to get the Group Policy Definitions from Mozilla and load them onto your Active Directory Group Policy. I’d highly recommend you have a Group Policy Central Store setup as it makes managing this stuff a whole lot easier. Download the latest version or ones that match your deployment of Firefox from the Mozilla GitHub Releases page, unzip and then copy across those files to the Group Policy Central Store or required location. Now the fun part.
Create a new Group Policy Object, in my case Configure – Firefox and then open it up, and navigate to the following policy branch; Computer Configuration > Policies > Administrative Templates> Mozilla > Firefox > Extensions. Here we will be enabling Extensions to Install. Using the list we compiled earlier, enter the URLs one by one into the list so it will look like something similar to the below.
The next step I’d recommend, is we want to stop or prevent our end users from being able to remove these extensions/protections. To do this we need to get the Extension IDs, so fire up Firefox and install the list of Extensions we compiled earlier (if you didn’t already for testing). Now the easiest way I’ve found of getting the Extension IDs is to use the in-built memory profiler of Firefox. In the address bar enter about:memory and once it loads under Show memory reports group, click Measure. Do a search for Extensions and you’ll get to a list of all currently running extensions. Now extract everything for the id key (in this case a GUID but can be text as well);
Extension(id={d634138d-c276-4fc8-924b-40a0ea21d284}, name="1Password X – Password Manager", baseURL=moz-extension://31872614-f67c-4cda-84e4-18c0515c8b48/
The above is an example of what you’ll find in the list (using 1Password). Below is what we’ll be entering into the Prevent Extensions from being disabled or removed based on our setup so far – with the last line belonging to Privacy Badger.
Now that we have the list of Extension IDs we want to enter these into the Prevent extensions from being disabled or removed Group Policy setting located in the same branch as Extensions to Install. Again, enter them into the list one by one until you have something similar
Once that is configured, apply the Group Policy Object to your Test Machines preferably with Mozilla Firefox installed on it, log in and do a gpupdate /force with the end result being those Extensions magically appearing as per the below image.
Over the summer holiday period, I was assisting a school with building out an SoE for the new year. One of the things we used to do with Windows 7 was tweak the Taskbar to contain only items we were after instead of the default items of Internet Explorer, Windows Explorer and Windows Media Player. To do this we implemented a VB Script that would make the changes on the fly. And since that stopped working I’ve always wanted to sit down and try get it working again for Windows 10 and I’ll now share how I did.
You’ll want to begin by building out your Taskbar layout, add in any icons that you want and when you’re ready we can use a command to extract it. Alternatively, you can use the sample below to build your own manually, simply reference the location of the shortcuts you want to place in and the order.
Now that we have our Layout template ready, it is simply a matter of importing it. We do so by using the Import-StartLayout command. This can also be used to import a Start Menu tile layout however in this case we are only importing the Taskbar layout. Execute the command below (replacing the path with your own).
A customer of ours has a large archive of files located on a NAS device (around 15TB worth) that they want to simply push off to tape and then remove from the NAS. Network drives don’t show up in Veeam whilst creating backup jobs, so we needed a way to get this working. We use Veeam with a number of customers and understand quite well how things operate with it, as such whenever Veeam is working with a local file system it does so under the Local System context, which is what we need to get our mapped drive under, but how.
PSExec from SysInternals to the rescue. We can create a command prompt in the context of local system and then map our network drive for it to appear in Veeam’s Job Wizard. Grab the latest version and place that in the System32 directory under the Windows folder. Now we open an administrative command prompt and enter;
psexec -s -i cmd.exe
This opens a new window which is now running under our Local System context, which we can double check by using the whoami command. Our next step is simply to map the network drive using a NET USE command. We need to ensure we pass through some credentials as the local system will not have access to the share.
NET USE G: \\NAS\Archive /USER:Domain\User
Now we can go into Veeam and run our Create File to Tape wizard and during our Files and Folders selection, we can now see our mapped network drive (in this case G:\ or Archive) and add folders in from this mapped drive. We then proceeded to backup the data we needed onto tape for archive.
I was at a customer site and they had a single Hyper-V host (running Server Hyper-V edition) and had done an in-place upgrade. Microsoft generally recommends you always do fresh installations and migrate, except for Configuration Manager servers where it is a supported configuration to upgrade Windows versions. They were starting to run low on disk space on the C drive, so I’ve outlined the below process for removing the windows.old directory. You can get anywhere from 6 GB to 15 GB back by removing the windows.old folder which is where everything Windows based is moved to if you decide to upgrade your Windows Server.
Download the SysInternals Junction utility which we will use to find and delete and directory symbolic links (or NTFS Junctions) that may still exist in the directory structure, expand the zip file and create a PowerShell file with the following code and save it under a C:\temp location (which is where we will work from).
The above code will iterate through the junction list we can extract with the below command. On a majority of systems this should actually come back empty indicating that the Windows upgrade has gone smoothly.
junction -s C:\Windows.old > junctions.txt
We then execute the PowerShell file we saved earlier with the text file we just created with the Junction utility. Once that is done we can begin to clean up. Firstly, take owernship by issuing;
takeown /F c:\Windows.old\* /R /A /D Y
You may find that will be all you need and can issue the rmdir otherwise, run this additional command
If you’ve got DirectAccess running in your environment for remote access you’ll know how great and seamless it is for your end users. For businesses with large segmented internal networks we need to make sure that your external users can access all of the internal resources they need.
For this to happen we need to add static routes to our DirectAccess servers so that remote users can access these other networks. Your DirectAccess server should have two NICs with one being the external and the other for your LAN, we add these static routes onto the LAN (as the Gateway has been defined on the External NIC only). We can issue the following PowerShell command to add a static route to an interface.
New-NetRoute -InterfaceAlias -DestinationPrefix -NextHop
an example is as follows New-NetRoute -InterfaceAlias LAN -DestinationPrefix 10.1.10.0/24 -NextHop 10.1.1.1
This would allow any of our DirectAccess clients to access the 10.1.10.0/24 network even though our default internal network would be 10.1.1.0/24.
If need be you can use Remove-NetRoute to remove these static routes in future.
So, I recently inherited a small client with SBS 2011 and their previous IT admin only ever used the Default Domain Policy to apply computer and users settings (such as mapped drives and printers). Microsoft has quite a strong recommendation of best practice for the two policies which goes along the lines of;
Default Domain Policy GPO should only be used to manage the default Account Policies settings, Password Policy, Account Lockout Policy, and Kerberos Policy.
Default Domain Controllers Policy GPO should only be used to set user rights and audit policies.
So I first needed to create separate GPOs to store these custom settings and then a way to clear out all of those changes and revert them back to their default state. So how do you go about reversing the damage if you don’t have backups far enough? In comes a small utility called dcgpofix which resets these two Group Policy Objects to their default settings. Launch an admin command prompt window and run the following command;
dcgpofix /target:both
Once executed it will confirm you want to restore them to their out of box defaults, which we can confirm with a couple of Y responses and then bang they should be restored, see the screen shot for an example of it running in my test lab.
I was recently setting up some Linked SQL Servers for a customer to perform queries against a database on one server through another. One of the things you need to get right when setting up linked servers when using Service accounts in Active Directory is SPNs (or Service Principal Names) and Authority to Delegate (for Kerberos authentication) which can sometimes be quite cumbersome through ADUC or ADSI edit.
I then stumbled upon a little tool from Microsoft called the Microsoft Kerberos Configuration Manager for SQL Server. Running this little tool on the two SQL servers I could quickly and more easily see the SPNs (see picture to the right) and Delegation permissions. As one server was quite old (and before my time) I could easily see that the SPNs configured for that particular service account were incorrect and the tool even allows you to fix this by generating the correct SPN. Hope that helps save some time in the future.
I was recently assisting a client with an upgrade of their Configuration Manager (SCCM) environment up to the latest release of 1702 and as part of that we’re also going over it’s currently deployed functionality and making sure it all works. They recently noted that clients were no longer receiving updates and ran the Software Update functionality of ConfigMgr, which funnily enough also relies on WSUS to sync up to Microsoft (but not push out the updates themselves).
So when troubleshooting Updating issues, you need to check both the Software Update Point and WSUS, and lowe and behold the WSUS console kept on crashing. After checking the Update Services service, I then turned to IIS and noticed the UpdatedServices Application pool had stopped, so I started it and went back into the console but soon noticed it had died again. After reading some advice on the TechNet forums they suggested raising the memory limit of the Wsus Application Pool, which is done by selecting the Application Pool Name and then clicking Advanced on the right hand side or right click menu. Scroll down to the bottom of the Advanced Settings Window until you see Private Memory Limit (KB) and increase this from the default of 1843200 (which is 1.8 GB) to 4194304 (which is 4 GB). Make sure you have enough RAM allocated to the machine, if you are feeling courageous you can also set the value to 0 which does not set a limit.
After increasing the available memory to the AppPool, WSUS synchronized successfully and clients were now receiving updates
So usually one of the first things I do after initially setting up an AD FS environment (among others) is to test the Metadata (navigate to https://your.adfs.server/ federationmetadata/2007-06/federationmetadata.xml which should return valid XML) and sign-in functionality using the IdpInitiatedSignOn.aspx method. For Server 2012/2012 R2 this page enabled by default but if we navigate to this page on Server 2016 we get the following error;
An error occurred
The resource you are trying to access is not available.
Contact your administrator for more information.
The reason being is that this is disabled on Server 2016 and there is an extra step that needs to take place to enable it.
We can check to see the current status by issuuing the following command in a PowerShell window.
Get-AdfsProperties | fl
Scrolling down you’ll eventually see enableIdPInitiaedSignonPage which should currently be set to false, to change this issue the following command
This enables the IdPSignonPage and allows us to test a login process for a SAML authentication supported application. Once this works I know I can safely begin to provision my applications to authenticate users against this AD FS server.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok
