Wednesday, January 28, 2015

DHCP Server on Windows Server 2012 R2

In this post I'll write about the error (warning) events I experienced while replacing a DHCP server on Windows Server 2003 with one on Windows Server 2012 R2.
For the DHCP database migration I used the netsh dhcp server export (import) option. Running the netsh dhcp server import command on Windows Server 2012 R2 added the user account under which the command was run to HKLM\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl, which produced warning events in the Application event log from the VSS source with event ID 8230:
Log Name:      Application
Source:        VSS
Date:          Date
Event ID:      8230
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      Computer Name
Volume Shadow Copy Service error: Failed resolving account account name with status 1376. Check connection to domain controller and VssAccessControl registry key. 
Deleting this user account from HKLM\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl resolved these warnings, and they were no longer logged in the Application event log.
Another issue during this DHCP replacement "project" is that installing the DHCP role changes the permissions on the following registry key: HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag. This registry key has inheritance blocked, and before installation of the DHCP server role the SDDL for it looks like this:

From the D: part of the SDDL string, D:PAI, it can be confirmed that inheritance is blocked (the P flag marks a protected DACL), and also that Network Service has permissions on this key from the following entries: (A;CIIO;GA;;;NS)(A;;CCDCLCSWRPSDRC;;;NS).
After the DHCP role installation, the permission entries for HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag contain a permission for the DHCP server, represented as (A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191). The other permissions are also no longer the same as before; they are inherited from the parent key HKLM\SYSTEM\CurrentControlSet\Services\VSS, and the SDDL now looks like this:

Sddl : O:SYG:SYD:AI(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;CCDCLCSWRPSDRC;;;SO)(A;CIIOID;SDGWGR;;;SO)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)
From the D: part of the SDDL (D:AI) it can be confirmed that the permissions are inherited, and Network Service no longer has any permission on the key. This situation results in error event 8193 from the VSS source in the Application event log:
Log Name:      Application
Source:        VSS
Date:          Date
Event ID:      8193
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer name
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
This behavior was also noted on Windows Server 2008 R2 and is described in the following Microsoft article.
To resolve this I granted Network Service the same permissions it had before the DHCP server role was installed, after which VSS error event 8193 was no longer logged.
Here is a GUI overview of the Network Service permissions for HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag:
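As an added example (not code from the original post), the following PowerShell script checks whether the two Network Service entries quoted above are still present on HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag and, with the assumed -Fix switch, puts them back; it must be run elevated and does not change the key's inheritance setting.

```powershell
# Added example, not from the original post. Run elevated on the DHCP server.
# Verifies the NETWORK SERVICE ACEs on VSS\Diag that the DHCP role install removes;
# -Fix (assumed switch name) restores them, which is what resolved VSS event 8193.
param([switch]$Fix)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\Diag'
$acl  = Get-Acl -Path $keyPath
$sddl = $acl.Sddl
Write-Host "Current SDDL: $sddl"

# The two NETWORK SERVICE entries from the pre-installation SDDL quoted in the post.
$expected = @('(A;CIIO;GA;;;NS)', '(A;;CCDCLCSWRPSDRC;;;NS)')
$missing  = $expected | Where-Object { $sddl -notlike "*$_*" }

if (-not $missing) {
    Write-Host 'NETWORK SERVICE ACEs present on VSS\Diag; nothing to do.'
    return
}
Write-Warning "Missing NETWORK SERVICE ACEs on VSS\Diag: $($missing -join ' ')"

if ($Fix) {
    $ns = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')  # NETWORK SERVICE

    # (A;CIIO;GA;;;NS): full control, container-inherit + inherit-only, i.e. applies to
    # subkeys only. .NET writes the key-specific form (KA) instead of the generic GA.
    $aceSubkeys = New-Object System.Security.AccessControl.RegistryAccessRule(
        $ns, [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # (A;;CCDCLCSWRPSDRC;;;NS) on the key itself. Registry mapping of the SDDL letters:
    # CC=QueryValues DC=SetValue LC=CreateSubKey SW=EnumerateSubKeys RP=Notify
    # SD=Delete RC=ReadPermissions
    $rightsSelf = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify, Delete, ReadPermissions'
    $aceSelf = New-Object System.Security.AccessControl.RegistryAccessRule(
        $ns, $rightsSelf,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl.AddAccessRule($aceSubkeys)
    $acl.AddAccessRule($aceSelf)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Restored SDDL: $((Get-Acl -Path $keyPath).Sddl)"
}
```

After the fix, re-check the Application log for new VSS 8193 events to confirm the access-denied error on RegOpenKeyExW is gone.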

For more info about SDDL, check MSDN.

Thursday, January 15, 2015

Windows 10 media briefing Jan 2015

Microsoft has announced a Windows 10 media briefing for January 21, 2015 at 9:00 AM PT (6:00 PM CET). The next preview version of Windows 10 should be available soon after the event.
For more info about this event check the Windows Blog or

Thursday, January 8, 2015

How to find out all locked out accounts in Active Directory using Powershell

This PowerShell one-liner, for reference, shows how to find all locked-out accounts in Active Directory using Search-ADAccount with the -LockedOut parameter (the ActiveDirectory module is required):
Search-ADAccount -LockedOut
The output of this cmdlet lists all locked-out accounts. Furthermore, if you want to unlock all of them, the output of Search-ADAccount can be piped to the Unlock-ADAccount cmdlet (permission to unlock AD accounts is required), for example:
Search-ADAccount -LockedOut | Unlock-ADAccount

For more info about these powerful cmdlets please check TechNet: Search-ADAccount and Unlock-ADAccount.