How to Reset Windows Update components

A few days ago I had an issue on a Windows 10 machine that had shown high disk I/O for many days. The problem came from the Windows Update service, and because rebooting did not solve the problem :-) I tried to reset the Windows Update service.

First stop these services:

net stop bits
net stop wuauserv
net stop appidsvc
net stop cryptsvc

Then run this command:

Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"

The last step is restarting the services:

net start bits
net start wuauserv
net start appidsvc
net start cryptsvc

Fortunately the problem was solved.
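The same reset as one PowerShell script, added here as an example (not part of the original post or the KB article): it waits for each service to really stop before the BITS queue files are deleted, skips services that do not exist, and reports the final state. Run it from an elevated prompt.

```powershell
# Services in the order the post stops them.
$services = 'bits', 'wuauserv', 'appidsvc', 'cryptsvc'

# Path from the KB article; on Vista and later the "Application Data" junction
# resolves to %ALLUSERSPROFILE%\Microsoft\Network\Downloader.
$qmgrFiles = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Network\Downloader\qmgr*.dat'

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $name not found, skipping"; continue }
    if ($svc.Status -ne 'Stopped') {
        Write-Host "Stopping $name ..."
        try {
            Stop-Service -Name $name -Force -ErrorAction Stop
            # Double-check: never delete qmgr*.dat while BITS may still have it open.
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        } catch {
            Write-Warning "Could not stop $name : $($_.Exception.Message)"
        }
    }
}

# Remove the BITS job queue; a missing file simply means there is nothing to reset.
Get-ChildItem -Path $qmgrFiles -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Deleting $($_.FullName)"
    Remove-Item -Path $_.FullName -Force
}

foreach ($name in $services) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Start-Service -Name $name
    }
}

# Final state; appidsvc is demand-start, so it may legitimately stop again later.
Get-Service -Name $services | Select-Object Name, Status, StartType
```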

Via: https://support.microsoft.com/en-us/kb/971058

How to view WindowsUpdate.log on Windows 10

With Windows 10, Windows Update logs are now generated using ETW.

In order to read them, you can use a PowerShell cmdlet to create a readable WindowsUpdate.log.
Running…

Get-WindowsUpdateLog

You will find a WindowsUpdate.log on your desktop.

Via: http://blogs.technet.com/b/charlesa_us/archive/2015/08/06/windows-10-windowsupdate-log-and-how-to-view-it-with-powershell-or-tracefmt-exe.aspx

How to Maintain Directory Services Restore Mode (DSRM) password

Starting with Windows Server 2008 R2 (a hotfix is available for Windows Server 2008), a new feature was introduced that lets you copy the password of a domain account to the DSRM password on a domain controller using NTDSUTIL. This makes the maintenance of the DSRM password across an entire domain much easier.

First you need to create a disabled user account in AD (just a simple user without any admin rights), for example dsrmaccount@myad.test.
Then you need to run this command on every DC:

ntdsutil.exe "Set DSRM Password" "Sync From Domain Account dsrmaccount@myad.test" Q Q

If you have multiple domains in your forest, you will need to create and maintain a user account to synchronize the DSRM password with in each domain.

This task can easily be scheduled via GPP on every DC.
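An added example (not from the original post) of running the sync shown above on every DC of the current domain from one admin workstation and collecting a per-DC result. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and the disabled sync account dsrmaccount@myad.test from the post; the success string it looks for is the confirmation line ntdsutil prints and is an assumption you should verify against your own output.

```powershell
Import-Module ActiveDirectory

$syncAccount = 'dsrmaccount@myad.test'   # the disabled sync account from the post
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $syncAccount -ScriptBlock {
    param($account)
    # ntdsutil is normally interactive; passing the menu commands as arguments
    # drives it non-interactively, exactly like the one-liner in the post.
    $output = & ntdsutil.exe 'set dsrm password' "sync from domain account $account" q q 2>&1
    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        ExitCode = $LASTEXITCODE
        # Assumption: success is judged by ntdsutil's own confirmation line
        # ("Password has been synchronized successfully").
        Synced   = [bool](@($output) -match 'synchronized successfully')
        Output   = (@($output) -join "`n")
    }
}

$results | Sort-Object DC | Format-Table DC, ExitCode, Synced -AutoSize

# Show the raw ntdsutil output only for DCs where the sync did not succeed.
$results | Where-Object { -not $_.Synced } | ForEach-Object {
    Write-Warning "$($_.DC) did not sync:`n$($_.Output)"
}
```

The same script body (the Invoke-Command block) can be the action of the GPP scheduled task mentioned above, minus the remoting.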

Problem: Scheduled Task deployed via GP Preferences is not showing/running on Windows Server 2012 R2

I have a GPO that configures a Scheduled Task on all DCs for the DSRM password change. Recently we deployed our first Windows Server 2012 R2 DC but unfortunately, on this new DC, the Scheduled Task deployed by GPO was not present. GPResult showed that the GPO was applied correctly, but nothing was showing/created in “Task Scheduler”.

After some investigation, I discovered that the problem was the level of the “Scheduled Task” item; when creating a scheduled task via GPP (Group Policy Preferences) you should select:

NEW/Scheduled Task (At least Windows 7) instead of NEW/Scheduled Task.

[Screenshot: ScheduledTask_Windows2012]

As soon as I did that, the GPP applied and created the task on the Windows Server 2012 R2 DC.
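A way to spot this before deploying a new DC, added here as an example (not from the original post): in the GPP XML stored in SYSVOL a legacy “Scheduled Task” item is a <Task> element, while “Scheduled Task (At least Windows 7)” is <TaskV2> (immediate tasks are <ImmediateTask> / <ImmediateTaskV2>). The script reads a GPO's computer-side ScheduledTasks.xml and flags the legacy items; the GPO GUID is a placeholder you must replace.

```powershell
$gpoGuid   = '{00000000-0000-0000-0000-000000000000}'   # placeholder: your GPO's GUID
$domainDns = $env:USERDNSDOMAIN
$xmlPath   = "\\$domainDns\SYSVOL\$domainDns\Policies\$gpoGuid\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"

if (-not (Test-Path -Path $xmlPath)) {
    throw "No computer-side Scheduled Task preferences found at $xmlPath"
}
[xml]$doc = Get-Content -Path $xmlPath -Raw

# Each child of <ScheduledTasks> is one preference item; its element name tells
# which "level" was chosen in the GPP editor.
$items = foreach ($node in $doc.ScheduledTasks.ChildNodes) {
    if ($node.NodeType -ne 'Element') { continue }   # skip comments/whitespace
    [pscustomobject]@{
        Name   = $node.name
        Type   = $node.LocalName
        Legacy = $node.LocalName -in 'Task', 'ImmediateTask'
        Status = $node.status
    }
}

$items | Format-Table -AutoSize

$items | Where-Object Legacy | ForEach-Object {
    Write-Warning ("'{0}' is a legacy '{1}' item; recreate it as " +
        "'Scheduled Task (At least Windows 7)' so it applies on Windows Server 2012 R2 DCs.") -f $_.Name, $_.Type
}
```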

BitLocker and VMs

One day I received an email from our CSO asking to explore how to deploy BitLocker on our DCs and RODCs.

First I started asking myself some questions:

What is BitLocker, and why do I need it?
BitLocker is Microsoft's technology to encrypt disks and volumes. It has been available since Windows Server 2008. BitLocker protects your hard drive from offline attacks, the type of attack where a malicious user takes the hard drive out of your machine and connects it to another machine to harvest your data.

What do I need to enable BitLocker?
Hardware requirements for BitLocker Drive Encryption:
Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, you must have one of the following:

  • A computer with Trusted Platform Module (TPM), which is a special microchip in some newer computers that supports advanced security features. If your computer was manufactured with TPM version 1.2 or higher, BitLocker will store its key in the TPM.
  • A removable USB memory device, such as a USB flash drive. If your computer doesn’t have TPM version 1.2 or higher, BitLocker will store its key on the flash drive.

To turn on BitLocker Drive Encryption, your computer’s hard disk must:

  • Have at least two partitions. One partition must include the drive Windows is installed on. This is the drive that BitLocker will encrypt. The other partition is the active partition, which must remain unencrypted so that the computer can be started. Once you’ve encrypted the drive Windows is installed on, you can also encrypt additional data drives on the same computer.
  • Be formatted with the NTFS file system.
  • Have a BIOS that is compatible with TPM and supports USB devices during computer startup.

Where is it supported (our DCs are almost all virtualized)?
BitLocker on virtual machines is not supported (https://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_VHD) except for data volumes (not the boot disk) and only on Windows Server 2012.

What can I use to unlock the encrypted disk?

  • TPM Only
  • TPM + USB Key
  • TPM + PIN

Windows Server 2012 also has a new option to unlock the encrypted volume called “Network Unlock”: the encrypted boot disk is unlocked automatically (no PIN needed) if the server boots on a predefined network. This option has some hardware and software requirements (UEFI DHCP driver, Windows Deployment Services, DHCP server, AD Domain Functional Level of Windows Server 2012).
https://technet.microsoft.com/en-us/library/jj574173.aspx
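An added readiness check (example code, not from the original post) that tests one server against the requirements listed above: physical vs virtual, TPM present at version 1.2 or higher and activated, a separate system partition, NTFS on the OS volume, and the current BitLocker state, then says which of the unlock options above are realistic. It assumes Windows Server 2012 or later with the BitLocker feature installed; the hypervisor model strings are a heuristic.

```powershell
$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
# Heuristic list of hypervisor model strings; extend it for your platform.
$isVM  = $cs.Model -match 'Virtual Machine|VMware|HVM domU|KVM|VirtualBox'

# Win32_Tpm is absent when the OS sees no TPM; SpecVersion looks like "1.2, 2, 3" or "2.0, 0, 1.16".
$tpm    = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmVer = if ($tpm) { [version]$tpm.SpecVersion.Split(',')[0].Trim() } else { $null }

$osVol   = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
$sysPart = Get-Partition | Where-Object IsSystem | Select-Object -First 1   # must stay unencrypted
$osPart  = Get-Partition | Where-Object IsBoot   | Select-Object -First 1   # the volume BitLocker encrypts

$checks = [ordered]@{
    'Physical machine (VMs: data volumes only, 2012+)' = -not $isVM
    'TPM present'                                      = [bool]$tpm
    'TPM 1.2 or higher'                                = [bool]($tpmVer -and $tpmVer -ge [version]'1.2')
    'TPM enabled and activated'                        = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
    'Separate system partition'                        = [bool]($sysPart -and $osPart -and
        ($sysPart.DiskNumber -ne $osPart.DiskNumber -or $sysPart.PartitionNumber -ne $osPart.PartitionNumber))
    'OS volume is NTFS'                                = ($osVol.FileSystem -eq 'NTFS')
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-52} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}

# Current state of the OS volume, if the BitLocker module is available.
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($blv) {
    $protectors = ($blv.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
    'OS volume: {0}, protection {1}, protectors: {2}' -f $blv.VolumeStatus, $blv.ProtectionStatus,
        $(if ($protectors) { $protectors } else { 'none' })
}

# Which unlock options from the post apply here.
if ($isVM) {
    'VM: no TPM exposed; unlocking the OS volume needs a password at every reboot, which breaks unattended patching.'
} elseif ($checks['TPM 1.2 or higher'] -and $checks['TPM enabled and activated']) {
    'TPM Only boots unattended (but a stolen whole server boots too); TPM + PIN or TPM + USB key need someone present at reboot.'
} else {
    'No usable TPM: only a startup key on USB (or a password) can unlock the OS volume.'
}
```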

Then I noted some concerns:

Virtual DCs
Using BitLocker on DC volumes is not officially supported by Microsoft; we should consider the impact of this in case we have an issue with AD and Microsoft support is required.

On a virtual machine (we are using ESXi) there is no way to expose the TPM, and probably no USB key either. The only option is to enter the unlock password at every DC reboot, which makes automated updates impossible.

Physical DCs
There is not a big advantage in terms of security improvement in encrypting DC volumes in insecure server rooms, where someone can physically steal the server and/or the USB key holding the encryption unlock key.

With the “TPM Only” option, if you steal the physical server it just boots up as usual. “TPM + PIN” requires entering the unlock PIN at every DC reboot, which again hinders automated unattended update installation.

Then I explored some “alternatives”. Here is my summary:

Encryption at                                              | Protects from: loss or theft of physical disks | Host OS compromise | Guest OS compromise
-----------------------------------------------------------|------------------------------------------------|--------------------|--------------------
Guest OS                                                   | x                                              | x                  |
Host OS (transparent for Guest)                            | x                                              |                    |
Storage Array/Controller (transparent for Host and Guest)  | x                                              |                    |

Encryption makes sense on your laptop; in a server environment there is no technology/architecture at the moment (maybe Windows Server 2016 will change something) that is able to protect guest machines from host administrators… Only the opposite is true :-)

Via: https://imav8n.wordpress.com/2008/07/31/rodcs-and-bitlocker/

How to – AD Forest/Domain Trust with a Single Label Domain (SLD)

Recently I was involved in an AD integration between our company and another, acquired company. I discovered that the new company was using a Single Label Active Directory Domain, and this makes things more difficult :-)

If you are asking what an SLD is… check this: https://support.microsoft.com/en-us/kb/300684

An Active Directory domain name that contains one or more labels separated by a dot is referred to as a fully qualified domain name with two or more names and will be referred to as FQDN in this document. In contrast there is the concept of a single-label domain (SLD), which refers to Active Directory domain names with only one label.

The first step for setting up an AD trust is to configure conditional forwarders in DNS on both AD sides.
This worked as usual and I could resolve servers in both domains.

The second step was to set up the trust… and I immediately received an error. The source DC didn’t know how to find the SLD domain. To solve that problem you need to create a GPO enabling this setting:

“Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Location of the DCs hosting a domain with single label DNS name”

This GPO should be deployed to all DCs and Servers that need to use the trust.

If you have some service that has an authentication issue across the AD trust, check whether the SLD DCs are discoverable and reachable:

nltest /dsgetdc:SLDdomain
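A small diagnostic script, added here as an example (not from the original post), to run on a DC or member server that must use the trust. It checks the registry value the Net Logon policy above writes (AllowSingleLabelDnsDomains under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters, as documented in the KB article linked above), whether the SLD's DC locator SRV record resolves through the conditional forwarder, whether nltest locates a DC, and whether the located DCs answer on the ports a trust needs. 'SLDdomain' is the placeholder name from the post.

```powershell
$Sld = 'SLDdomain'   # placeholder: the single-label domain name

# 1. Policy "Location of the DCs hosting a domain with single label DNS name"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
$allowSld  = (Get-ItemProperty -Path $policyKey -Name AllowSingleLabelDnsDomains -ErrorAction SilentlyContinue).AllowSingleLabelDnsDomains
'{0,-40} {1}' -f 'AllowSingleLabelDnsDomains policy:', $(if ($allowSld -eq 1) { 'Enabled' } else { 'NOT set (GPO missing or not applied)' })

# 2. DC locator SRV record of the SLD; must come back via the conditional forwarder.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Sld" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
$dcHosts = @($srv | ForEach-Object NameTarget | Sort-Object -Unique)
'{0,-40} {1}' -f 'SRV _ldap._tcp.dc._msdcs:', $(if ($dcHosts) { $dcHosts -join ', ' } else { 'no answer (check conditional forwarder)' })

# 3. The locator itself; a non-zero exit code means nltest could not find a DC.
$nl = & nltest.exe /dsgetdc:$Sld 2>&1
'{0,-40} {1}' -f 'nltest /dsgetdc:', $(if ($LASTEXITCODE -eq 0) { (@($nl) -match '^\s*DC:') -join '' } else { "failed (exit $LASTEXITCODE)" })

# 4. Reachability of each located DC on ports a trust uses (LDAP 389, Kerberos 88, SMB 445, RPC 135).
foreach ($dc in $dcHosts) {
    foreach ($port in 389, 88, 445, 135) {
        $open = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-40} {1}' -f "$dc tcp/$port", $(if ($open) { 'open' } else { 'closed/filtered' })
    }
}
```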