How to: enable GC on domain controller (2 ways)

There are two ways of making your DC a GC and you can read on to learn how.

But before we launch into it, just look at this “making your DC a GC” sentence for a moment. It makes me think that it is a good example of what not to do when writing for a non-technical audience 🙂 I recently started watching a very useful course on CBT Nuggets – “Essential Soft Skills for the IT Professional” by Steve Richards, and there you may learn that the key things in writing tech reports for a non-IT audience are: avoid JATB, give MWLH and don’t SUCK 🙂

CBT Nuggets Tech Reports for Non-tech audience

Which of course means avoid Jargon, Acronyms, Techspeak, Buzzwords (JATB), give More Why Less How (MWLH) and don’t Suffer from Using Computer Knowledge (SUCK) 🙂

OK, getting back to the main topic and switching to tech writing again. First it would be nice to check which DCs are already GC-enabled, which you can do by issuing the following PS cmdlet:

Now how to enable/disable GC:

1) PS way of enabling GC:

And you can use the same cmdlet to disable it as shown on screenshot below:

Enable or disable GC with PS
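The check, the enable and the disable steps above in one runnable piece. This is an added example, not the cmdlets shown in the post’s screenshots; it needs the ActiveDirectory module (RSAT-AD-PowerShell) and the DC name DC02 is an assumption. The GC flag lives in bit 0 of the options attribute on the DC’s NTDS Settings object, so the function only flips that bit and leaves any other option bits alone.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
# Assumed DC name: DC02 (replace with your own).
Import-Module ActiveDirectory

# 1) Which DCs are already global catalogs?
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, NTDSSettingsObjectDN

# 2) Enable or disable GC on one DC by setting or clearing bit 0 (value 1) of the
#    'options' attribute on its NTDS Settings object. Only that bit is changed,
#    so any other option bits already set are preserved.
function Set-DcGlobalCatalog {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $dc      = Get-ADDomainController -Identity $DomainController
    $ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]($ntds.options)          # missing attribute reads as 0
    $new     = if ($Enabled) { $current -bor 1 } else { $current -band (-bnot 1) }
    if ($new -ne $current) {
        Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $new }
    }
    # Re-read so the caller sees what the directory now holds (may lag until
    # the change has replicated to the DC you are querying)
    (Get-ADDomainController -Identity $DomainController).IsGlobalCatalog
}

Set-DcGlobalCatalog -DomainController 'DC02' -Enabled $true    # make DC02 a GC
Set-DcGlobalCatalog -DomainController 'DC02' -Enabled $false   # take the GC role away again
```

Before removing the last GC in a site, check that the remaining GCs cover logons for that site; the first Get-ADDomainController call above is the quickest way to see the current spread.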

2) GUI way. Open Active Directory Sites and Services, locate the domain controller and open the General tab of its NTDS Settings properties:

NTDS Settings - Global Catalog


How to: Make sure that DHCP won’t issue IP which is already in use

Assume that you replaced a failed DHCP server with a new one configured with the same scope. This can lead to a situation where your new DHCP server leases addresses which were earlier issued by the failed server.

To mitigate this you can use the Conflict detection attempts setting, which can be found on the Advanced tab of your scope properties:

DHCP Conflict detection attempts setting

By default it is set to 0, which means that your DHCP server won’t attempt any conflict detection before issuing an address. As soon as you set this parameter to something higher than 0, let’s say N, your DHCP server queries the network N times before it assigns an IP address, to make sure that the address is not already in use.

Of course this is a good option to be aware of, but the real solution here is to add an extra DHCP server and configure DHCP Failover, which is available in Windows Server 2012 or newer and ensures that you won’t have any headache if one of your DHCP servers fails.
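Both halves of the advice above in PowerShell, as an added example rather than anything from the post: read and set Conflict detection attempts on the server, then set up the failover relationship the post recommends instead. The DhcpServer module is required; the server names DHCP01/DHCP02 and the scope 10.0.10.0 are constructed.

```powershell
# Added example (not from the original post). Requires the DhcpServer module.
# Assumed server names DHCP01 / DHCP02 and scope 10.0.10.0 (constructed values).
Import-Module DhcpServer

# Current value: 0 means no conflict detection before a lease is handed out
(Get-DhcpServerSetting -ComputerName 'DHCP01').ConflictDetectionAttempts

# Make the server probe an address N times (here 2) before leasing it.
# Every attempt adds delay to each new lease, so keep N small.
Set-DhcpServerSetting -ComputerName 'DHCP01' -ConflictDetectionAttempts 2

# The real fix: a partner server plus DHCP failover (Server 2012 or newer).
# Load-balance mode splits the scope between the two servers; the shared secret
# authenticates the failover messages between the partners.
$secret = Read-Host -Prompt 'Failover shared secret'
Add-DhcpServerv4Failover -ComputerName 'DHCP01' -PartnerServer 'DHCP02' `
    -Name 'DHCP01-DHCP02' -ScopeId 10.0.10.0 `
    -LoadBalancePercent 50 -MaxClientLeadTime 01:00:00 `
    -SharedSecret $secret -Force

# Confirm the relationship and that both sides see each other (State = Normal)
Get-DhcpServerv4Failover -ComputerName 'DHCP01' |
    Select-Object Name, PartnerServer, Mode, LoadBalancePercent, State
```

With failover in place the partner already knows which leases are outstanding, which is exactly the information a freshly rebuilt standalone server lacks; conflict detection is then only a safety net for clients with static addresses inside the range.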


Comparing IPv4 and IPv6 Addressing

As I am preparing for 70-410 I just realized that I HAVE TO memorize some IPv6 related things, hence this table, taken from MSFT documentation and slightly colored by me:


You may benefit from reading the entire “Chapter 3 – IP Addressing” from “TCP/IP Fundamentals for Windows”, available on TechNet, if you are in the mood for going into details.

It is useful to memorize common prefixes for the exam and for practical purposes:

2000::/3 is the prefix for a globally unique IPv6 address. It is equivalent to a public IPv4 address and is assigned by IANA. The full address will include a value representing the organization’s site, a subnet identifier and a host address.

FC00::/7 is the prefix used for a unique local unicast address. This is used in a private network like a private IPv4 address. Address values are unique only to that network and are routable only within the network. The address is not publicly routable.

FE80::/64 is the prefix for a link-local unicast address, which is equivalent to an IPv4 APIPA address. It is generated automatically when a network adapter is not configured with an IPv6 address and cannot lease one from a DHCP server. This address is not routable.

FF00::/8 is the prefix for IPv6 multicast addresses.

FEC0::/10 is a site-local address. Though still documented by many sources, the use of this prefix has been deprecated.
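A small classifier that turns the prefix list above into something you can test against real addresses. This is an added example, not part of the post; it uses only .NET’s IPAddress parser and compares the leading bits of the address with each prefix, so it also shows how a /3 or /7 boundary that falls inside a byte is masked.

```powershell
# Added example (not from the original post). Classifies an IPv6 address by the
# prefixes listed in the post; the function and variable names are mine.
function Get-IPv6AddressScope {
    param([Parameter(Mandatory)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $bytes = $ip.GetAddressBytes()

    # Prefix -> meaning, exactly as the post lists them. None of these overlap,
    # so the first match is the only match.
    $table = [ordered]@{
        '2000::/3'  = 'Global unicast (public)'
        'FC00::/7'  = 'Unique local (private)'
        'FE80::/64' = 'Link-local (APIPA equivalent, not routable)'
        'FF00::/8'  = 'Multicast'
        'FEC0::/10' = 'Site-local (deprecated)'
    }

    foreach ($entry in $table.GetEnumerator()) {
        $prefix, $len = $entry.Key -split '/'
        $len    = [int]$len
        $pbytes = [System.Net.IPAddress]::Parse($prefix).GetAddressBytes()
        $match  = $true
        for ($i = 0; $i -lt 16 -and $match; $i++) {
            $bitsLeft = $len - 8 * $i
            if ($bitsLeft -le 0) { break }          # prefix fully compared
            # Full byte while >= 8 bits remain, otherwise a mask of the top N bits
            $mask = if ($bitsLeft -ge 8) { 0xFF } else { (0xFF -shl (8 - $bitsLeft)) -band 0xFF }
            if (($bytes[$i] -band $mask) -ne ($pbytes[$i] -band $mask)) { $match = $false }
        }
        if ($match) {
            return [pscustomobject]@{ Address = $Address; Prefix = $entry.Key; Type = $entry.Value }
        }
    }
    [pscustomobject]@{ Address = $Address; Prefix = $null; Type = 'Other (e.g. ::1 loopback, :: unspecified)' }
}

# Constructed sample addresses, one per row of the table plus two that match nothing
'2001:db8::1', 'fd12:3456::10', 'fe80::1', 'ff02::1', 'fec0::5', '::1', '3fff::1' |
    ForEach-Object { Get-IPv6AddressScope -Address $_ } |
    Format-Table -AutoSize
```

2001:db8::1 and 3fff::1 both land in 2000::/3 even though their first byte differs, which is the point of masking only the top three bits; fd12:3456::10 shows that FC00::/7 covers both fc00 and fd00 first bytes.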


How to change Network Profile in Windows Server 2012/2016

Sometimes Windows picks the wrong profile for your network and there is no obvious (or even any?) way to change this via the GUI. But you can easily do it with PowerShell (v4.0 or newer):

I guess that, looking at the above and keeping in mind that you have the Get-Help cmdlet, changing the Network Profile is no longer an issue for you.
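For reference, the check/change/verify sequence in full, as an added example (the post’s own command is in the screenshot above). The interface alias Ethernet is an assumption; use whatever Get-NetConnectionProfile reports on your box.

```powershell
# Added example (not from the original post). Requires the NetConnection module
# (Windows 8 / Server 2012 or newer). Alias 'Ethernet' is an assumption.

# What Windows decided for each connected interface
Get-NetConnectionProfile |
    Select-Object InterfaceIndex, InterfaceAlias, Name, NetworkCategory, IPv4Connectivity

# Move one interface from Public to Private. DomainAuthenticated cannot be set
# by hand; Windows assigns it itself when a domain controller is reachable.
Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# Verify the profile, then look at the firewall profile that now applies to it,
# since the category decides which rule set (Public/Private/Domain) is active
Get-NetConnectionProfile -InterfaceAlias 'Ethernet' |
    Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallProfile -Name Private |
    Select-Object Name, Enabled, DefaultInboundAction

# Full parameter list, as the post suggests
Get-Help Set-NetConnectionProfile -Full
```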


How to manage non-domain joined server using Server Manager

Managing a non-domain joined server is a topic included in the 70-410 exam updated for Server 2012 R2. Essentially it requires you to know some extra steps involved in making Server Manager work for you when you need to manage a non-domain joined server (either one residing in a workgroup or in a non-trusted domain).

Unfortunately the book I’m using to prepare for the exam (“MCSA 70-410 Cert Guide R2: Installing and Configuring Windows Server 2012”) doesn’t go beyond teaching you how to do “Manage As…” in Server Manager (don’t get me wrong, this is a good book which covers other things nicely). So in the book they just show you that you have to know how to do this:

But it is barely enough. For example you have to know that this “Manage As…” functionality of Server Manager works for almost all roles and features, but RDS and IPAM do not support it. Next, and more importantly, there are extra steps you need to perform before you can manage a non-domain joined server (and no, it does not only involve adding it from the DNS tab as opposed to the Active Directory tab in the Add Server dialog). The steps are the following:

0) Add the non-domain joined server to Server Manager. Use the DNS tab in the Add Server dialog to add it.

Once this is done, the server will be added but you will likely get Refresh Failed and also a “Kerberos target resolution error” for the newly added server, which means that you are unable to communicate with it. A sample screenshot of this error can be found below:

Server Manager - Kerberos Target Resolution Error

1) Add the non-domain joined server to the trusted hosts on the management server. On the management server (the one from which you run Server Manager) you have to add your target non-domain joined server to the Trusted Hosts list by issuing the following PS command:

Use this command to view your current Trusted Hosts list:

2) Configure UAC to allow elevated remote sessions on the target non-domain joined computer. By default this is not allowed on workgroup computers. You can change this by issuing this PS command:

You may check current setting with this command:

3) Enable the Remote Management (HTTP-In) inbound rule on the managed computer.

4) At this point you should be able to do that “Manage As” trick:

Server Manager - Manage As
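Steps 1 to 4 as one script, added here as an example rather than copied from the post’s screenshots. MGMT01 (where Server Manager runs) and WG-SRV01 (the workgroup server) are assumed names; each block says on which side it runs. The last block verifies the WinRM channel before you go back to Server Manager, which is quicker than waiting for another Refresh Failed.

```powershell
# Added example (not from the original post). Assumed names: MGMT01 = management
# server running Server Manager, WG-SRV01 = workgroup server being managed.

# --- Step 1: on MGMT01, trust the target for WinRM. Use the same name you typed in
#     the Add Server dialog. -Concatenate appends instead of overwriting the list;
#     list hosts explicitly rather than using '*', which trusts everything. ---
Get-Item WSMan:\localhost\Client\TrustedHosts                               # view current list
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'WG-SRV01' -Concatenate -Force

# --- Step 2: on WG-SRV01, let local administrators receive a full (elevated)
#     token over the network instead of the UAC-filtered one. ---
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Get-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue   # check
New-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force

# --- Step 3: on WG-SRV01, make sure WinRM is listening and the firewall lets it in. ---
Enable-PSRemoting -Force                                                    # service + HTTP listener
Enable-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)'   # rule name as shipped by Windows

# --- Step 4: back on MGMT01, confirm the channel with a local account of the target
#     before trying "Manage As..." in Server Manager. ---
$cred = Get-Credential -UserName 'WG-SRV01\Administrator' -Message 'Local admin on WG-SRV01'
Test-WSMan   -ComputerName 'WG-SRV01' -Credential $cred -Authentication Negotiate
Invoke-Command -ComputerName 'WG-SRV01' -Credential $cred -ScriptBlock { hostname }
```

Because there is no Kerberos between a workgroup box and the management server, the session falls back to NTLM and the TrustedHosts entry is what tells the client it is allowed to send credentials to that name; keeping the list short and hostname-specific is the main thing to get right.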

Here is a nice video covering this process – “Free Tutorial: Managing Non-Domain Joined Servers”.

Another thing of note is that there is only downward compatibility, which allows you to manage older OS versions from a newer Server Manager but not the other way round.

Further reading:

Add Servers to Server Manager


How to rename Windows computer using CLI

Just a quick note on renaming a Windows-based machine using the CLI (this may be especially useful when working with Server Core).

Before renaming the machine you may want to see its current name, which can be achieved in three different ways:

1) ipconfig /all

Check current name - ipconfig

2) set

Check current name - set

3) hostname

Check current name - hostname

As you can see the third option is the best one, as it gives you specifically the machine name without the need to search through loads of other details.

Now how to rename. You can use either the NETDOM command or the Rename-Computer cmdlet:

1) netdom (more details here):

2) Rename-Computer:
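The three lookups and both rename commands together, as an added example (the post’s screenshots show the individual commands). The new name SRV-CORE01 and the domain contoso are assumptions.

```powershell
# Added example (not from the original post). New name 'SRV-CORE01' and domain
# 'contoso' are assumptions.

# Three ways to read the current name; the third is the tidiest
ipconfig /all | Select-String 'Host Name'
$env:COMPUTERNAME          # the value that 'set' shows, without the other variables
hostname

# PowerShell rename. -DomainCredential is only needed when the machine is
# domain-joined, because the computer account in AD is renamed as well.
# -Restart applies the change immediately; drop it to reboot later.
Rename-Computer -NewName 'SRV-CORE01' `
    -DomainCredential (Get-Credential -UserName 'contoso\Administrator' -Message 'Domain account allowed to rename') `
    -Restart

# Equivalent classic command (also available on Server Core):
#   netdom renamecomputer %COMPUTERNAME% /newname:SRV-CORE01 /userd:contoso\Administrator /passwordd:* /reboot:0
```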


Internet access slowness on host after installing Windows 10 Client Hyper-V

I’ve recently switched from VMware Workstation to Windows 10 Client Hyper-V and I am really pleased with the capabilities I get so far. But after a while I noticed extreme sluggishness of web browsing on my host machine, which I had not initially linked with Hyper-V. The issue did not crop up immediately after I installed and started using it, but seemingly after I added an Internal Virtual Switch. So I spent a day and a half blaming the slowness on my ISP before trying to investigate and fix the problem.

In case you do not recognize whether you have the same problem or not, here is somebody’s YouTube video demonstrating it along with a fix valid for Windows 8/8.1 (note that adapter names may vary from case to case). The Windows 10 fix can be found below.

Essentially, when you create an External Hyper-V switch it sort of hijacks your physical NIC: it unbinds IPv4 from it and passes its IPv4 config onto the External vEthernet adapter in some obscure way. But the slowness crops up due to the wrong connection priority, which was easy to adjust in Win 8 as described in this TechNet blog post – you just navigate to Network Connections (ncpa.cpl), press Alt on the keyboard to access Advanced Settings as depicted below, and from there just reorder your connections making sure that the External vEthernet adapter is listed first.

The problem is that in Windows 10 you no longer have this GUI because, as one person put it, “There are no longer any components that utilize the binding order. The only known component that used the binding order was DNS ordering. By default, Windows uses the Route Metric + Interface Metric to determine which route has the highest priority by choosing the route with the lowest value.” This is the explanation which I got here.

Long story short, what you likely have to do to bring your browsing speed back to normal is issue the Get-NetIPInterface cmdlet to get a list of your interfaces along with their Index and Interface Metric values. It should return something like this:


Now you want to make sure that your vEthernet adapter gets the highest priority by issuing the following cmdlet:

If I use the example with the interfaces listed above it would be something like this:

This should fix your browsing speed.
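The listing, the metric change and a check of the resulting route order, as an added example rather than the post’s own commands. The alias vEthernet (External Switch) and the metric value 5 are assumptions; adjust both to what Get-NetIPInterface prints on your host. The function also turns off the automatic metric, without which Windows will recalculate the value you set.

```powershell
# Added example (not from the original post). Alias 'vEthernet (External Switch)'
# and metric 5 are assumptions; pick them from the Get-NetIPInterface output.

# Step 1 of the post: interfaces with their index and metric
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    Format-Table ifIndex, InterfaceAlias, InterfaceMetric, ConnectionState -AutoSize

function Set-PreferredInterface {
    # Give one interface the lowest metric so its default route wins
    param(
        [Parameter(Mandatory)][string]$Alias,
        [int]$Metric = 5
    )
    $nic = Get-NetIPInterface -AddressFamily IPv4 -InterfaceAlias $Alias

    # Automatic metric must be off, otherwise Windows overwrites the value
    Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AutomaticMetric Disabled -InterfaceMetric $Metric

    # Sanity check: no other connected interface should now tie with or beat it
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ifIndex -ne $nic.ifIndex -and $_.ConnectionState -eq 'Connected' -and $_.InterfaceMetric -le $Metric } |
        ForEach-Object { Write-Warning "$($_.InterfaceAlias) still has metric $($_.InterfaceMetric)" }
}

Set-PreferredInterface -Alias 'vEthernet (External Switch)' -Metric 5

# Effective order of default routes = RouteMetric + InterfaceMetric, lowest wins
# (this is the rule from the quote above)
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, RouteMetric, InterfaceMetric,
        @{ Name = 'Total'; Expression = { $_.RouteMetric + $_.InterfaceMetric } } |
    Sort-Object Total
```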


DHCP server looks unauthorized (red down arrow) after you authorized it

I’ve recently configured DHCP Failover in Load Balance mode in my lab environment, setting up two Server 2012 R2 based DHCP servers. Configuring it was rather easy (at least if your aim is to get it up and running quickly and you are doing a “spousal mode” installation), as you just go to Configure Failover on the zone level and mostly all you need to do is select the mode (Standby or NLB) and type in the shared secret. But I bumped into another problem in the process – my 2nd DHCP server was not authorized before I configured failover, so it showed me this red down arrow icon which definitely hints that something is wrong.

To know what exactly these icons are supposed to tell you, you have to read “DHCP Console Icons Reference – Server-related icons” and “DHCP Console Icons Reference – DHCP console icons added for Windows Server 2012.” MSFT documentation on these icons is a bit disjointed, as the first link, which covers server icons, is Server 2008 documentation, and the second is just the delta of newly added icons in 2012 (icons related to newly added features like DHCP failover and DHCP policies). Why not consolidate it into one document valid for 2012 R2?

Anyhow, I knew that my second DHCP server was not authorized and clicked on the Authorize option, alas with no errors, and the server kept showing the Authorize option as available. After clicking Authorize about 3 times I decided to restart the DHCP console and it partially fixed things – now Authorize was grayed out, so it was clearer that my DHCP server was authorized. But the pesky red down arrow still persisted and I erroneously thought that it had something to do with my attempt to configure failover before authorizing the second DHCP server. In the end the solution turned out to be more trivial: it was necessary to restart the DHCP service on the 2nd server and after that the DHCP console – voila, problem fixed! So once again these old consoles are a bit too sluggish and often require an extra refresh/restart. It is just a question of time until MMC based things are phased out and fully replaced by PowerShell and new GUI consoles (similar to ADAC maybe?). Another example which tends to behave similarly is the NLB console, which is one of the oldest that still exists intact in modern versions of Windows Server.

Anyhow I now have DHCP failover configured:

DHCP Failover

A red circle with a cross indicates that my 1st server is switched off, and an orange arrow pointing to the left means that “Failover is configured on the DHCP server.” You will see this orange arrow icon only if failover is configured and one of the servers goes down – otherwise you will see check marks in green circles everywhere, with no indication of configured failover at the icon level.
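The same state the console icons show, read from PowerShell instead, so you do not depend on the MMC refreshing. This is an added example, not from the post; DHCP01/DHCP02, the domain contoso.com and the address 10.0.10.12 are constructed. It covers the authorization check, the service restart that finally cleared the red arrow, and the failover state behind the orange one.

```powershell
# Added example (not from the original post). Assumed names DHCP01 / DHCP02,
# domain contoso.com, address 10.0.10.12 (all constructed).
Import-Module DhcpServer

# Is DHCP02 authorized in AD? An empty result here is what the red down arrow means.
Get-DhcpServerInDC | Where-Object DnsName -like 'DHCP02.*'

# Authorize it if missing, then restart the service on DHCP02 so it re-reads
# its authorization (the step the console alone did not trigger)
if (-not (Get-DhcpServerInDC | Where-Object DnsName -like 'DHCP02.*')) {
    Add-DhcpServerInDC -DnsName 'DHCP02.contoso.com' -IPAddress 10.0.10.12
}
Invoke-Command -ComputerName 'DHCP02' -ScriptBlock { Restart-Service -Name DHCPServer -Force }

# Failover view from either partner. State 'Normal' is the all-green picture;
# 'CommunicationInterrupted' or 'PartnerDown' is when the orange arrow appears.
Get-DhcpServerv4Failover -ComputerName 'DHCP01' |
    Select-Object Name, PartnerServer, Mode, LoadBalancePercent, State

# Scope-level check on both servers: which scopes each one actually serves
'DHCP01', 'DHCP02' | ForEach-Object {
    Get-DhcpServerv4Scope -ComputerName $_ | Select-Object @{ Name = 'Server'; Expression = { $_ } }, ScopeId, Name, State
}
```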


How to: Enable AD DS recycle bin

Sample steps illustrating how to switch on the AD DS recycle bin in Windows Server 2012 R2. The AD DS recycle bin was first introduced in Server 2008 R2, but essentially it had no UI to enable or work with it (you had to mess with ADSI Edit back then). In Server 2012 a UI for this feature has been added, making this cool feature really convenient to use.

Enabling the recycle bin is a one-way (irrevocable) forest-wide operation. You can enable it in Server 2012 R2 in two ways:

1) Through GUI using ADAC:

70-410 Enable AD DS Recycle Bin

2) Using PowerShell:

Once the Recycle Bin feature is enabled, either by method (1) or (2), the option to enable it in ADAC will still be visible but grayed out. And the main improvement is that a UI for restore is now available. You just need to access the Deleted Objects container in ADAC, locate the deleted object (let’s say a user), right-click on it and select “Restore”/“Restore To”:

70-410 AD DS Recycle Bin - Deleted objects container
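The PowerShell side of both the enable step (2) and the restore shown in ADAC, as an added example rather than the post’s own command. The forest contoso.com and the deleted user jdoe are assumptions. The first query is the one to run before enabling: an empty EnabledScopes is the only reliable sign the feature is still off, since the ADAC menu item stays visible either way.

```powershell
# Added example (not from the original post). Forest 'contoso.com' and the deleted
# user 'jdoe' are assumptions.
Import-Module ActiveDirectory

# Already on? EnabledScopes is empty until the feature is enabled.
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' |
    Select-Object Name, EnabledScopes

# Enable: irreversible and forest-wide (Enterprise Admins, forest level 2008 R2 or higher)
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false

# What ADAC lists under Deleted Objects: tombstoned objects that still carry their
# attributes, with the OU they were deleted from
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# "Restore": put one user back where it came from
$u = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' -IncludeDeletedObjects
Restore-ADObject -Identity $u.ObjectGUID

# "Restore To": same object, different target OU (if the original parent is gone too,
# restore the parent first or use -TargetPath like this)
# Restore-ADObject -Identity $u.ObjectGUID -TargetPath 'OU=Restored,DC=contoso,DC=com'
```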


How to: Add new DC to existing domain with PowerShell

First of all you have to install the AD DS role binaries on the server using either the Server Manager GUI or PowerShell:

Note that if you are executing the above command on a real Server Core installation you may get errors when using the -IncludeManagementTools parameter, as some of the management tools can’t be installed on a Core installation.

Once the role is installed you may use a script similar to this one to add a DC to an existing domain:

This script was tested with Windows Server 2012 R2.

Also, the script above is a great example of using the backtick (“`”) symbol, which greatly improves the readability of PS scripts saved to a file. Just to highlight the difference: most of this script is supposed to be one line (starting from the “Install-ADDSDomainController” cmdlet). Here is this line:

It is very easy to see how inconvenient it is to read/scroll through this line. Using the backtick symbol you can make your script far more readable.
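A complete promotion script in the backtick style described above, added here as an example and not the post’s own script (which is in the screenshots). Domain contoso.com, the site name and the use of default paths are assumptions; the DSRM password and domain credentials are prompted for rather than written into the file. The prerequisite check runs the same parameters without changing anything, which is worth doing before the real run on a remote Core box.

```powershell
# Added example (not the post's script). Domain 'contoso.com' and site
# 'Default-First-Site-Name' are assumptions; paths are the Windows defaults.

# Role binaries first (drop -IncludeManagementTools on Server Core if it errors)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
$dsrm = Read-Host -Prompt 'DSRM (safe mode) password' -AsSecureString
$cred = Get-Credential -UserName 'contoso\Administrator' -Message 'Domain Admin credentials'

# Dry run: same parameters, prerequisites only, nothing is changed
Test-ADDSDomainControllerInstallation -DomainName 'contoso.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns

# The promotion itself. Each backtick continues the command on the next line;
# it must be the LAST character on the line (no trailing space), otherwise
# PowerShell reads it as an escape for the space and the command breaks.
Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -SiteName 'Default-First-Site-Name' `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -NoGlobalCatalog:$false `
    -NoRebootOnCompletion:$false `
    -Force:$true
```

-NoGlobalCatalog:$false makes the new DC a GC straight away, which ties back to the first post on this page; set it to $true if the site should not host a GC and flip it later with the options attribute instead.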