Removing a non-existent domain

I recently lost a large storage array and with it the only domain controller for a demo child domain, so the now non-existent domain had to be cleaned out of the forest. I did this with ntdsutil. The steps are below; the order matters. First the metadata for the domain's domain controllers is removed, then the DNS naming context (the DomainDnsZones application partition) that belonged to the domain, and finally the domain itself.

Note that if you receive an error saying the domain cannot be removed because it still contains a leaf object, run the following to force replication across every partition and every site, then retry the removal:

repadmin /syncall /aped
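The full ntdsutil sequence, as an added example and not the original post's own steps. It assumes a surviving DC named DC1.corp.example.com, a dead child domain demo.corp.example.com, and index numbers (domain, site, server, naming context) that you read off the "list" output of your own forest; the numbers below are placeholders. ntdsutil accepts its menu commands as arguments, which is what makes this scriptable.

```powershell
# Added example: ntdsutil metadata cleanup of a domain whose last DC is gone.
# Assumptions: $Server is a healthy DC in the parent domain, $DeadDomain is the dead child
# domain, and the index values are taken from the listings in phase 1 (placeholders here).
$Server     = 'DC1.corp.example.com'
$DeadDomain = 'demo.corp.example.com'

# Phase 1: list the index numbers ntdsutil expects. Read the output, then fill in the
# $...Idx values below. Nothing is removed in this phase.
& ntdsutil 'metadata cleanup' 'connections' "connect to server $Server" 'quit' `
    'select operation target' 'list domains' 'list sites' 'list naming contexts' `
    'quit' 'quit' 'quit'

$domainIdx = 1   # index of the dead domain in "list domains"          (placeholder)
$siteIdx   = 0   # index of the site that held its DC in "list sites"  (placeholder)
$serverIdx = 2   # index of the dead DC in "list servers in site"      (placeholder)
$ncIdx     = 4   # index of its DomainDnsZones in "list naming contexts" (placeholder)

# Phase 2a: remove the dead DC's metadata. Repeat for every DC the dead domain had.
# A Yes/No confirmation dialog appears for each removal.
& ntdsutil 'metadata cleanup' 'connections' "connect to server $Server" 'quit' `
    'select operation target' "select domain $domainIdx" "select site $siteIdx" `
    'list servers in site' "select server $serverIdx" 'quit' `
    'remove selected server' 'quit' 'quit'

# Phase 2b: remove the DNS application naming context that belonged to the domain.
& ntdsutil 'metadata cleanup' 'connections' "connect to server $Server" 'quit' `
    'select operation target' "select naming context $ncIdx" 'quit' `
    'remove selected naming context' 'quit' 'quit'

# Phase 2c: remove the domain itself. If this fails with a leaf-object error, force
# replication and run this step again.
repadmin /syncall /AdeP
& ntdsutil 'metadata cleanup' 'connections' "connect to server $Server" 'quit' `
    'select operation target' "select domain $domainIdx" 'quit' `
    'remove selected domain' 'quit' 'quit'

# Verification: the domain should be gone from the forest and no crossRef object
# for it should remain under the Partitions container.
Import-Module ActiveDirectory
$forestDomains = (Get-ADForest).Domains
$partitions    = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
$crossRef      = Get-ADObject -SearchBase $partitions -Filter "dnsRoot -eq '$DeadDomain'"
if ($forestDomains -contains $DeadDomain -or $crossRef) {
    Write-Warning "$DeadDomain still has remnants in the forest; re-run the cleanup."
} else {
    Write-Host "$DeadDomain has been removed from the forest."
}
```

After the cleanup, also delete the dead DC's computer account and its DNS records (A and the _msdcs SRV records) if they are still present; stale SRV records keep advertising a DC name that no longer exists.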

Deploying the OMS Agent Automatically

I needed to deploy a new OMS workspace to every machine in my environment, and these machines were in various states of configuration. Some had the OMS agent already installed, some already had various other workspaces added, and some already had the new OMS workspace configured. Additionally, these machines were in different environments with differing access to file services where the agent could be stored.

I therefore created a script that downloads the agent from the Internet if it is not already installed, checks whether the desired workspace is already configured, and adds it if it is not.

Update the workspace ID and key to those of your environment before running it.

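A script that does the three things described above (install if missing, check the workspace, add it if absent), as an added example rather than the original post's script. It assumes the 64-bit Microsoft Monitoring Agent download behind the fwlink LinkId=828603, the agent's documented silent-install parameters, and the AgentConfigManager.MgmtSvcCfg COM interface for workspace configuration; the workspace ID and key are placeholders. The workspace key is a secret, so keep it out of world-readable scripts and logs.

```powershell
# Added example (not the post's own script): install the MMA/OMS agent if absent and
# attach a Log Analytics workspace if it is not already configured.
# Assumptions: the fwlink below points at MMASetup-AMD64.exe (verify in your environment),
# $WorkspaceId/$WorkspaceKey are placeholders, and $WorkDir is writable by this process.
$WorkspaceId  = '00000000-0000-0000-0000-000000000000'            # replace
$WorkspaceKey = 'REPLACE-WITH-WORKSPACE-PRIMARY-KEY'                # replace; treat as a secret
$DownloadUrl  = 'https://go.microsoft.com/fwlink/?LinkId=828603'    # assumed: 64-bit MMA bundle
$WorkDir      = Join-Path $env:TEMP 'MMAInstall'

function Test-MmaInstalled {
    # The agent registers the HealthService service; its absence means the agent is not installed.
    return [bool](Get-Service -Name HealthService -ErrorAction SilentlyContinue)
}

function Install-Mma {
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $bundle = Join-Path $WorkDir 'MMASetup-AMD64.exe'
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $DownloadUrl -OutFile $bundle -UseBasicParsing

    # Check: never run an Internet-downloaded binary whose Authenticode signature is not valid
    # and not issued to Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $bundle
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
        throw "Refusing to run $bundle (signature status: $($sig.Status))"
    }

    # The bundle is self-extracting: /c /t:<dir> extracts it, then setup.exe installs silently
    # and attaches the workspace in the same step using the documented MMA parameters.
    $extract = Join-Path $WorkDir 'extracted'
    Start-Process -FilePath $bundle -ArgumentList "/c /t:`"$extract`"" -Wait
    $setupArgs = "/qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 " +
                 "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey " +
                 "AcceptEndUserLicenseAgreement=1"
    $p = Start-Process -FilePath (Join-Path $extract 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "MMA setup failed with exit code $($p.ExitCode)" }
}

function Add-WorkspaceIfMissing {
    # AgentConfigManager.MgmtSvcCfg is the agent's COM configuration object.
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $existing = @($mma.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
    if ($existing -contains $WorkspaceId) {
        Write-Host "Workspace $WorkspaceId is already configured; nothing to do."
        return $false
    }
    $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    $mma.ReloadConfiguration()
    Write-Host "Workspace $WorkspaceId added."
    return $true
}

if (-not (Test-MmaInstalled)) {
    Install-Mma                      # installs and attaches the workspace in one step
} else {
    Add-WorkspaceIfMissing | Out-Null
}
```

Because the fresh-install path passes the workspace on the setup command line, the COM path is only needed on machines that already had the agent. Running the script a second time is safe: it finds the workspace and exits without changes.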

Downloading a Cumulative Update for manual installation

Recently I needed to install a cumulative update manually. It is actually a simple process. First you need the KB number of the update. This can be found by navigating to https://support.microsoft.com/en-us/help/4000825/windows-10-windows-server-2016-update-history and selecting the OS build, which shows a list of all the updates for it.

Once you know the KB number, head over to https://www.catalog.update.microsoft.com/ and search for it. You can then download the package and install it manually as required.
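The manual installation itself, as an added example that is not part of the original post. It assumes an .msu package already downloaded from the catalog to C:\Updates and a KB number used here as a placeholder; the check it adds is the one a practitioner would want before running anything fetched from the web, namely that the package's Authenticode signature is valid and Microsoft's.

```powershell
# Added example (not the post's own commands): verify, install and confirm a downloaded
# cumulative update. Assumptions: $Package is the .msu fetched from the Update Catalog
# and $Kb is its KB number (both placeholders).
$Package = 'C:\Updates\windows10.0-kb4000000-x64.msu'   # placeholder path
$Kb      = 'KB4000000'                                   # placeholder KB number

function Test-MicrosoftSignature {
    param([string]$Path)
    # The package must carry a valid Authenticode signature issued to Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft Corporation*')
}

if (-not (Test-MicrosoftSignature -Path $Package)) {
    throw "Signature check failed for $Package; not installing."
}

if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) {
    Write-Host "$Kb is already installed."
} else {
    # wusa.exe installs .msu packages; /quiet suppresses the UI, /norestart leaves the reboot to you.
    # Exit code 3010 means success with a reboot pending.
    $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$Package`" /quiet /norestart" -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "wusa.exe exited with $($p.ExitCode)" }
    Write-Host "$Kb installed (exit code $($p.ExitCode)); reboot to complete."
}
```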

Solving a strange Remote Desktop Gateway authentication problem

I recently deployed a new Remote Desktop Gateway server, but when I authenticated it told me the logon had failed, even though I knew the policies were valid for the user (I could log on from a different computer) and I knew the credential was correct.

There were no logs under TerminalServices-Gateway\Operational, which meant the problem was not a policy issue: the connection was not getting that far.

To start troubleshooting, Kerberos logging was enabled on the client machine.

On connecting again I checked the System event log for Kerberos events. Sure enough, there were Kerberos errors. On my machine authentication did not fall back to NTLM, which it did on the machines where it worked.

The solution was to add an SPN for the public-facing name, which solved the problem.
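The diagnostic and the fix, as an added example rather than the original post's commands. It assumes the gateway is the computer account RDG01, its public name is rdg.example.com, and that the RDG is reached over HTTP(S), so the SPN class is HTTP/. Adding the SPN is the right fix rather than forcing NTLM fallback: the machines that "worked" were silently using the weaker protocol.

```powershell
# Added example (not the post's own commands): enable Kerberos client logging, read the
# errors, then register the missing SPN for the gateway's public name.
# Assumptions: $RdgComputer and $PublicName are placeholders; the Kerberos event provider
# name below is the one used by the System log on current Windows versions.
$RdgComputer = 'RDG01'
$PublicName  = 'rdg.example.com'

# 1. On the client: LogLevel=1 under the Kerberos parameters key turns on Kerberos event
#    logging. Reproduce the failed logon, then read the Kerberos events from the System log.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-ItemProperty -Path $kerbKey -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null

Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 2. On a DC or a machine with RSAT: does any account hold the SPN for the public name?
#    No result is the symptom; the client cannot get a ticket for HTTP/rdg.example.com.
setspn -Q "HTTP/$PublicName"

# 3. Register the SPN on the gateway's computer account. -S (rather than -A) checks the
#    forest for a duplicate first; a duplicate SPN breaks Kerberos just as a missing one does.
setspn -S "HTTP/$PublicName" $RdgComputer

# 4. Verify the account's SPNs and look for duplicates forest-wide.
setspn -L $RdgComputer
setspn -X

# 5. Switch client-side Kerberos logging off again; it is noisy and not needed in steady state.
Remove-ItemProperty -Path $kerbKey -Name LogLevel -ErrorAction SilentlyContinue
```

If the Remote Desktop Gateway service runs under a domain service account instead of Network Service, register the SPN on that account rather than on the computer account.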

Easily configure Remote Desktop Gateway firewall rules

When you install Remote Desktop Gateway, which encapsulates RDP in HTTPS, a number of firewall exceptions are required, and these are enabled automatically. An RDG is also typically dual-homed, with a public and a private IP address.

There are many other firewall exceptions, normal for Windows functionality, that are enabled by default for the Any profile. When a NIC holds a public IP address, that means they are also open to the Internet. What you really want is for those exceptions to be bound to the Domain profile only, i.e. the internal NIC. This is easy to do with PowerShell. First, list all the exceptions that are enabled for Any.

This will list a lot of exceptions. Next, change all of them to the Domain profile except for the two required by RDG, the RDG UDP and HTTPS rules. This can be done with the following:

Done!

Note that you could exclude further rules to suit other requirements you may have for other types of server.
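The listing and the re-binding described above, with a place to add the extra exclusions mentioned in the note, as an added example rather than the original post's commands. It assumes the RDG rules can be selected by display names beginning "Remote Desktop Gateway" (confirm with Get-NetFirewallRule on your server before relying on that), and that the internal NIC sits on a DomainAuthenticated network; if it does not, rebinding rules to Domain would cut off the internal side as well.

```powershell
# Added example (not the post's own commands): move every enabled rule bound to the Any
# profile onto the Domain profile, keeping only the RDG rules open on all profiles.
# Assumptions: RDG rule display names start 'Remote Desktop Gateway' (verify locally);
# the internal NIC is on a DomainAuthenticated network.

# Safety check: if nothing is on the Domain profile, binding rules to Domain locks you out.
$domainNics = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' }
if (-not $domainNics) { throw 'No interface is on the Domain profile; aborting before changing rules.' }
$domainNics | Format-Table Name, InterfaceAlias, NetworkCategory -AutoSize

# Rules that must stay reachable from the public NIC: the RDG HTTPS and UDP transports.
# Add display-name patterns here for other server roles you need exposed.
$keepPatterns = @('Remote Desktop Gateway*')
$keepOnAny = Get-NetFirewallRule -Enabled True | Where-Object {
    $rule = $_
    ($keepPatterns | Where-Object { $rule.DisplayName -like $_ }).Count -gt 0
}
if (-not $keepOnAny) { throw 'No RDG rules matched; check the display names before continuing.' }

# Step 1: list every enabled rule currently bound to the Any profile.
$anyRules = Get-NetFirewallRule -Enabled True | Where-Object { $_.Profile -eq 'Any' }
$anyRules | Select-Object DisplayName, Direction, Profile | Sort-Object DisplayName | Format-Table -AutoSize

# Step 2: everything in that list except the kept rules moves to the Domain profile.
$toChange = $anyRules | Where-Object { $keepOnAny.Name -notcontains $_.Name }

# Dry run first, then apply.
$toChange | Set-NetFirewallRule -Profile Domain -WhatIf
$toChange | Set-NetFirewallRule -Profile Domain

# Verify: only the kept (RDG) rules should remain on the Any profile.
Get-NetFirewallRule -Enabled True | Where-Object { $_.Profile -eq 'Any' } |
    Select-Object DisplayName, Direction | Format-Table -AutoSize
```

This only touches rules whose profile is literally Any. Rules already scoped to Public or to Private, Public are still reachable through the external NIC and deserve the same review.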