Jump to content


Established Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


gordonf last won the day on January 17 2017

gordonf had the most liked content!

Community Reputation

3 Neutral

About gordonf

  • Rank
    Advanced Member

Profile Information

  • Gender
  1. Ahh, there we go. The last line in the error message from the Remote Console told me what I needed: The WMI permissions were overwritten during the OS upgrade, and after I restored the site server's SMS Admins local group to them, Remote Console non-admins could use the Remote Console again. To fix this, on the site server launch wmimgmt.msc console, then bring up the local computer's properties and Security tab. Then browse to root / SMS and root / SMS / site_[site name]. Add the SMS Admins local group back to both of these, and make sure they have Execute Methods, Provider Write, Enable
  2. Microsoft explains that an in-place OS upgrade from Server 2012 to Server 2012 R2 is supported (let's make that clear before someone pulls out the backup / reinstall / site recover copypasta, ok?) for a site server running Config Manager 2012 R2 SP1. So, I did just that, and after wrangling with some problems with WSUS, the site server is working as intended. Yes, even WSUS is working properly; I had to fix some site binding problems and edit the web.config to support Windows 10 clients, but that was it. I had to do the in-place upgrade because WSUS 3 broke after a recent Windows 10 update, an
  3. I successfully installed SCOM clients onto computers belonging to an external but trusted domain, but ran into authentication problems along the way. I had to change one trust relationship setting to make it work. Here's what I found I had to do to make cross-domain installation and monitoring work: * Changed my trust relationship from "External" to "Forest," to enable Kerberos authentication * Open needed network firewall ports, as the external domain's network is separated by a firewall router deliberately * Create an action account that matched a domain account in the external dom
  4. Haven't yet tried it on 8.1 but this method works on 8 stand-alone. Enterprise, Server and 8 Pro in a domain should use Group Policy settings for this instead. I've done it on 8.1 Enterprise when not domain-joined using gpedit. --
  5. I have one SQL server that is complaining about missing SPN principals. SCOM monitoring is saying SQL can't authenticate using Kerberos because it's missing the SPNs "MSSQLSvc/[server.domain.tld]:1433" and "MSSQLSvc/[server.domain.tld]". It's the default instance. This doesn't seem specific to SQL. I attempted to list SPNs in use with klist and setspn. klist will give me a list for the currently logged-on user, but setspn -L will fail, claiming this: C:\> setspn -L username@domain.tld FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525 Could not
  6. It's the AD DC Last Bind Monitor, in the v6.0.8228.0 version of the Active Directory Server 2008 and above (monitoring) management pack, that's complaining about the DC response time. The screen shot is a graph of the domain controller response time over the past 24 hours. The warning is that the response time is higher than the default warning level of 5 seconds. I determined why this was happening; a port scanning filter included with the Windows Firewall does this. I also found the override setting. When you bring up the Health Explorer for an alert (right click, Open, Health Explor
  7. Good to see a SCOM section here. Started using SCOM 2012 R2 to monitor a domain network. It's complaining that the DCs are lagging in AD queries: "The AD Last Bind latency is above the configured threshold." DCs talking to the PDC emulator are also complaining, "The Op Master PDC Last Bind latency is above the configured threshold." Turning off the Windows Firewall on the DCs stops the lag, but I don't consider that an acceptable solution. Further research told me that a firewall filter named, "Port Scanning Prevention Filter," is responsible. I won't go into the frustration about that
  8. I got the SCEP client working on a pair of Exchange Server installations, where one was a mailbox and public folder server, and the second held the other needed roles. I did a managed installation, via SCCM, as opposed to stand-alone. The only thing special I did was I created an antimalware policy that avoided EDB and LOG files, put the two servers into their own collection, and applied the modified policy to the collection. Even if you never get malware in e-mail, this should avoid unnecessary scanning. I did similar modified policies for domain controllers (avoided SYSVOL) and SQL s
  9. I came to SCCM from managing software deployments via Group Policy, so the Active Directory environments I work in reflect my GPO-centric approach. For instance I'll create organizational units separated out by OS or CPU architecture, followed by physical location. Here's an example: mydomain.local - Windows 32-bit --- IT Office ------ PC1 ------ PC2 --- Marketing Office ------ PC3 ------ PC4 - Windows 64-bit --- IT Office 64 ----- PC5 --- Marketing Office 64 ----- PC6 This lets me deploy GPOs and other settings from the top down; I'd have a base set of defaults followed by
  10. Our environment has some dedicated virtual machines acting as file servers only. The largest one still runs Server 2003, with three big virtual disk volumes. I'm beginning to deploy Server 2012 and one file-only server is working well, including file deduplication. I would hand-copy files from one server to the other, but sysadmins are a lazy lot and I wondered if I could just detach a volume from the 2003 server, attach it to the 2012 server, and enable 2012 deduplication on it. I would then recreate the shares on the 2012 server and hope that the file system permissions remained in tact;
  11. The only thing I can think of is putting a script in "RunOnce" Registry key for the default user's profile. You could write a script that does a "reg.exe import" or equivalent for the setting you want to change, then put it here: HKEY_USERS\[loaded hive from users\default\ntuser.dat]\Software\Microsoft\Windows\CurrentVersion\RunOnce You'd have to put this modified ntuser.dat file on all of the PCs in your charge, which you could do using SCCM by creating a configuration item (or baseline?) and deploying it, or using a GPO (ironically) to push a startup script out. I used to do some
  12. Exchange 2010 SP3 just came out last month. According to what I've read it supports Server 2012. I haven't read the installation steps yet; it might be as simple as ignoring the "this OS is unsupported" message during Setup and the applying SP3 right after. .
  13. Just a wild guess: Did you change the current domain controllers' DNS settings to use the current domain controllers and not the former ones? Forgetting to check this is a pretty common thing to overlook, and I think every AD administrator makes this mistake at least once when demoting old DCs.
  14. It's ben a while since I poked back to this thread. Applying the missing hotfix, or just applying the latest updates from WU, was enough. Thanks for the hints.
  15. Having made so far, I want to know what other admins and PC handy-folks think of it. While I originally did this with the, "Windows can't be secured you id10t," crowd in mind, the first three parts are at least noob-friendly. --
  • Create New...