If you try to RDP to a machine, but can’t because you receive the error below, you can use PSExec to remotely disable the requirement for NLA.
“The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.”
Download PSExec from TechNet. Run the code below updating the following values.
\\VMNAME – The name of the machine on which you want to disable NLA
VMNAME\ADMIN_ACCOUNT – The username of a local administrator on the machine on which you want to disable NLA, e.g. pc1\admin
psexec \\VMNAME -u VMNAME\ADMIN_ACCOUNT -p PASSWORD reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d 0
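The command above leaves the RDP listener on the legacy RDP Security Layer, which cannot carry NLA. The following PowerShell is an added example, not part of the original post: it reports the listener's current settings and puts NLA back once the domain controller is reachable again. The function names and the default of 2 (SSL/TLS) are assumptions; use the value your own baseline calls for.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the machine where NLA was switched off.
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpSecurityState {
    param([string]$Path = $RdpTcp)

    $v = Get-ItemProperty -Path $Path -Name SecurityLayer, UserAuthentication
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

    [pscustomobject]@{
        SecurityLayer      = [int]$v.SecurityLayer
        SecurityLayerName  = $layerNames[[int]$v.SecurityLayer]
        UserAuthentication = [int]$v.UserAuthentication
        # NLA is only in force when it is required AND the layer is not 0
        NlaEnforced        = ($v.UserAuthentication -eq 1) -and ($v.SecurityLayer -ne 0)
    }
}

function Restore-RdpNla {
    param(
        # Assumption: 2 (SSL/TLS) is the wanted baseline; pass 1 for Negotiate.
        [ValidateSet(1, 2)][int]$SecurityLayer = 2,
        [string]$Path = $RdpTcp
    )
    Set-ItemProperty -Path $Path -Name SecurityLayer -Value $SecurityLayer -Type DWord
    Set-ItemProperty -Path $Path -Name UserAuthentication -Value 1 -Type DWord
    Get-RdpSecurityState -Path $Path   # return the new state for confirmation
}

Get-RdpSecurityState   # state left behind by the reg add command
Restore-RdpNla         # re-enable NLA after domain connectivity is fixed
```

If Group Policy configures these settings, the policy values take precedence over the ones written here.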
In this post I’ll show how to resolve the issue of a VM that’s stuck in the “backing up…” state as shown by Hyper-V Manager, without having to reboot the virtual host.
If a VM is stuck in the backing up… state it’s probably due to an error with the Microsoft Hyper-V VSS Writer. Open an elevated command prompt and run “vssadmin list writers”. The output should look like it does below, with no errors listed.
The Microsoft Hyper-V VSS Writer runs within the Hyper-V Virtual Machine Management service, so in order to restart the VSS writer and clear the error, you have to restart the Hyper-V Virtual Machine Management service. I’ve restarted this service without any issues, but please test this on a test server first.
You can restart the service from the Services MMC, but if the Hyper-V VSS Writer is in an error state the service may hang on shutdown. In this case you’ll have to kill the vmms.exe process from Task Manager.
When you do this, VMs will disappear from Hyper-V Manager, but will reappear when you restart the Hyper-V Virtual Machine Management service. Following the service restart, the VM should no longer be in a backing up… state.
Disabling User Account Control (UAC) in Windows Server 2012 & Windows Server 2012 R2 should be simple; open Control Panel -> User Accounts, click on Change User Account Control settings, select Never notify.
The reality is somewhat different. Following the installation of some software, I needed to run a batch file to delete files from multiple drives on a server. Right-clicking the batch file and choosing “Run as Administrator” didn’t delete the files. Double clicking the batch file had the same problem. Disabling UAC through Control Panel didn’t help things.
The answer was to set the EnableLUA value under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key to 0x00000000, as per the MSDN article. Following a reboot, UAC was completely disabled and the batch file worked correctly.
I’ve also found the registry change was required to enable the Dell 184.108.40.206 patch for OpenManage Server Administrator to install. Without the registry change I was unable to get the patch to install correctly. This included running the patch with UAC enabled and choosing the option to continue when the UAC prompt popped up, and running with UAC disabled via Control Panel.
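The difference between the Control Panel slider and the registry change can be read straight from the policy key. The following PowerShell is an added example, not part of the original post: it reports which of the two states a server is in and turns UAC back on once the installation that needed it off has finished. The function names are assumptions made for the example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    param([string]$Path = $UacKey)

    $p = Get-ItemProperty -Path $Path
    $state = if ($p.EnableLUA -eq 0) {
        'UAC fully disabled (EnableLUA = 0)'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 0) {
        # What the "Never notify" slider position sets on Server 2012 / 2012 R2
        'UAC still enabled, administrators elevate without a prompt'
    } else {
        'UAC enabled, administrators are prompted'
    }

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        State                      = $state
    }
}

function Enable-Uac {
    param([string]$Path = $UacKey)

    # Undo the EnableLUA = 0 change; like the original change, this needs a reboot
    Set-ItemProperty -Path $Path -Name EnableLUA -Value 1 -Type DWord
    Write-Warning 'EnableLUA set to 1. Reboot the server for the change to take effect.'
    Get-UacState -Path $Path
}

Get-UacState   # confirm which of the two "disabled" states the server is in
# Enable-Uac   # run after the batch file or patch has completed
```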
This is a quick post to describe the process of creating a dedicated account for joining machines to an Active Directory (AD) domain. This is useful for things like System Center Configuration Manager task sequences and System Center Virtual Machine Manager templates.
First create a standard Windows user account. Next, right-click on the Computers Organisational Unit (OU) within your AD domain. From the menu choose Delegate Control…
On the next screen (Users or Groups) choose Add and select the user account you just created. Click Next. Choose “Create a custom task to delegate” on the next screen.
Next, choose to only delegate control to computer objects and tick Create and Delete selected objects in this folder. Click Next.
On the next screen choose to show general permissions and from the list select:
- Reset password
- Read and write account restrictions
- Validated write to DNS host name
- Validated write to service principal name
Click Next and finish to complete the wizard. Repeat this process for any other OUs where you’ll be joining computers to the domain.
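To confirm what the wizard actually granted, the access control entries on the OU can be listed for the join account. The following PowerShell is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) is installed, and the account and distinguished name in the last line are hypothetical placeholders.

```powershell
# Added example (not from the original post). Importing the ActiveDirectory
# module provides the AD: drive that Get-Acl reads from.
Import-Module ActiveDirectory

$ComputerClass = 'bf967a86-0de6-11d0-a285-00aa003049e2'
# Well-known schema and extended-right GUIDs for the items ticked in the wizard
$KnownGuids = @{
    $ComputerClass                         = 'Computer objects'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset password'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account restrictions'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
    '00000000-0000-0000-0000-000000000000' = '(all)'
}

function Resolve-Guid {
    param([guid]$Guid)
    $key = $Guid.ToString()
    if ($KnownGuids.ContainsKey($key)) { $KnownGuids[$key] } else { $key }
}

function Get-JoinAccountDelegation {
    param(
        [Parameter(Mandatory)][string]$Account,    # DOMAIN\user of the join account
        [Parameter(Mandatory)][string]$Container   # distinguished name of the OU
    )
    (Get-Acl -Path "AD:\$Container").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        ForEach-Object {
            $guids = @($_.ObjectType.ToString(), $_.InheritedObjectType.ToString())
            [pscustomobject]@{
                Rights     = $_.ActiveDirectoryRights
                Object     = Resolve-Guid $_.ObjectType
                AppliesTo  = Resolve-Guid $_.InheritedObjectType
                Type       = $_.AccessControlType
                # Entries not tied to computer objects are broader than the wizard steps grant
                Unexpected = $ComputerClass -notin $guids
            }
        }
}

# Hypothetical account and OU; replace with your own values
Get-JoinAccountDelegation -Account 'EXAMPLE\svc-domainjoin' -Container 'CN=Computers,DC=example,DC=com'
```

Any row with Unexpected set to True is a permission that reaches beyond computer objects and is worth reviewing.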
Adding AD users to the local administrators group on multiple computers is simple using Group Policy. In this post I’ll describe the process.
Create a fresh group policy object (GPO) and link it to a test Organisational Unit (OU). Add a test server to the OU.
Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
Right click and choose Add Group. If you want to add users to the local administrators group enter Administrators. In the next window under “Members of this group:” click Add and choose the users to add to the local administrators group. Note that any users that are currently in the local administrators group will be removed and replaced with the users you select here. If that is what you want click OK and close the GPO.
The second method allows you to add an AD security group to the local administrators group. This process is additive and users and groups that are currently in the local administrators group are untouched.
Navigate to Restricted Groups as before, right click and choose Add Group. This time enter the name of the AD security group you wish to add to the local administrators group. Click OK and on the next screen in the “This group is a member of:” section click Add. Enter Administrators to add the group to the local administrators group. Click OK and close the GPO to save changes. You can add additional users to the domain group and they will automatically be part of the local administrators group on servers that apply the GPO.
If you need to upgrade a server running Windows Server 2008 R2 Standard to either the Enterprise, or Datacenter editions, it’s possible to do so online, without re-installing Windows.
Open an elevated command prompt and type DISM /Online /Get-CurrentEdition. This will return the current Windows edition.
Type DISM /Online /Get-TargetEditions to list the Windows editions to which this server can be upgraded.
If you type DISM /Online /Set-Edition:ServerDataCenter you’ll get the message in the screenshot below. This is because even if you’re using a KMS server for internal activation, you have to provide a product key. Fortunately, Microsoft have a page that lists the KMS client setup keys http://technet.microsoft.com/en-us/library/ff793421.aspx. On this page you can find keys for Windows Server 2008 R2 Enterprise and Datacenter.
Typing DISM /Online /Set-Edition:ServerDataCenter /ProductKey:xxxxxx will upgrade the operating system. All that’s required to complete the upgrade is a reboot.