To Force Update of Only Computer Group Policies


In the elevated command prompt, copy and paste the command below and press Enter.

gpupdate /target:computer /force

When successfully finished, you can close the command prompt if you like.


 

How to manually create Default Domain GPO


There is a way to recreate the default domain GPOs by hand. Two GPOs are created when you promote a member computer or a stand-alone server to a domain controller. These two GPOs are:

  • Default Domain Group Policy
  • Default Domain Controller Group Policy.

These GPOs are stored in the SYSVOL folder. The Netlogon service creates two permanent GUIDs for these two GPOs under the SYSVOL folder:

\Windows\SYSVOL\sysvol\domain.com\policies\{GUID}
Domain GPO GUID  {31B2F340-016D-11D2-945F-00C04FB984F9}
DC GPO GUID      {6AC1786C-016F-11D2-945F-00C04FB984F9}

Windows identifies the default domain policies by these GUIDs in the SYSVOL folder, not by name. The GUIDs are unique to the Default Domain Policy and the Default Domain Controller Policy that are created by default.

You can use the following steps to create GPOs manually:

1. Open ADUC (Active Directory Users and Computers).
2. Right-click Domain_name.com > Properties.
3. Switch to the Group Policy tab.
4. Create a policy named “Default Domain Policy” (you can rename it if you want; AD tools look up the default domain policies by their GUIDs in the SYSVOL folder, not by name).
5. Click this GPO > Properties and note down the GUID of the newly created GPO.
6. Go to the SYSVOL folder and rename that GUID folder to the GUID of the Default Domain Policy or the Default Domain Controller Policy.
7. Next, use a small ADSI script to set this unique GUID in the GPT of this policy in the AD database. You can also edit the schema manually to do so.

You can use the ADSI Snap-in to create the GUID in GPC of that GPO.
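Before or after any manual repair it is worth confirming that both well-known GUIDs resolve to a Group Policy Container in AD and a Group Policy Template folder in SYSVOL. The script below is an added example, not part of the KB article; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that it runs as a domain user with read access to SYSVOL.

```powershell
# Added example (not from the KB article): verify that the two well-known
# default GPOs exist in AD (the GPC) and have a matching folder in SYSVOL (the GPT).
# Assumes the GroupPolicy and ActiveDirectory RSAT modules and a domain-joined session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# GUIDs quoted in the article: tools look the default policies up by GUID, not by name.
$defaults = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

foreach ($name in $defaults.Keys) {
    $guid = $defaults[$name]

    # Group Policy Container in the AD database
    $gpo = Get-GPO -Guid $guid -Domain $domain -ErrorAction SilentlyContinue

    # Group Policy Template in SYSVOL (backslashes are literal in PowerShell strings)
    $gptPath   = "\\$domain\SYSVOL\$domain\Policies\{$guid}"
    $gptExists = Test-Path -LiteralPath $gptPath

    [pscustomobject]@{
        ExpectedName = $name
        Guid         = $guid
        GpcInAD      = [bool]$gpo
        ActualName   = $(if ($gpo) { $gpo.DisplayName } else { '<missing>' })
        GptInSysvol  = $gptExists
        GptPath      = $gptPath
    }
}
```

A row with GpcInAD or GptInSysvol set to False tells you which half of the GPO (AD object or SYSVOL folder) the manual procedure still has to supply. On Windows Server 2003 and later, the built-in dcgpofix.exe (with /target:Domain, /target:DC or /target:Both) recreates the default GPOs in their original state and is the supported alternative to this hand-built procedure.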

Source:

https://support.microsoft.com/en-us/kb/556025

Best Practices for Sysvol Maintenance


The System Volume (Sysvol) is a shared directory that stores the server copy of the domain’s public files that must be shared for common access and replication throughout a domain. The Sysvol folder on a domain controller contains the following items:

  • Net Logon shares. These typically host logon scripts and policy objects for network client computers.
  • User logon scripts for domains where the administrator uses Active Directory Users and Computers.
  • Windows Group Policy.
  • File replication service (FRS) staging folder and files that must be available and synchronized between domain controllers.
  • File system junctions.

File system junctions are used extensively in the Sysvol structure and are a feature of NTFS file system 3.0. You must be aware of the existence of junction points and how they operate so that you can avoid data loss or corruption that may occur if you modify the Sysvol structure.

MORE INFORMATION

Sysvol uses junction points to manage a single instance store. Junction points are also referred to as reparse points (directory junctions and volume mount points). A junction point is a physical location on a hard disk that points to data that is located elsewhere on your hard disk or on another storage device. Junction points are created when you create a mounted drive. The following diagram is an example of a typical Sysvol structure for a Windows 2000-based domain controller:

\Sysvol
 |
 |____<Domain>
 |   |____Policies
 |   |____Scripts
 |
 |____Enterprise
 |   |____Policies
 |   |____Scripts
 |
 |____Staging
 |   |____Domain
 |   |____Enterprise
 |
 |____Staging Areas
 |   |____Enterprise                           junction -> Sysvol\Staging\Enterprise
 |   |____<Windows2000_domain.microsoft.com>   junction -> Sysvol\Staging\Domain
 |
 |____Sysvol
 |   |____Enterprise                           junction -> Sysvol\Enterprise
 |   |____<Windows2000_domain.microsoft.com>   junction -> Sysvol\Domain
 |

In a single instance store, the physical files only exist one time on the file system. However, in Sysvol, the physical files are located in the following locations:

  • Sysvol\Domain and Sysvol\Staging\Domain

    -or-

  • Sysvol\Enterprise and Sysvol\Staging\Enterprise

The additional folder structures are reparse points that redirect file input/output to the original locations. The following table lists the folders in Sysvol that contain junction points and the locations to which these junction points resolve:

Sysvol folder                              Junction point location
Staging Areas\Enterprise                   Staging\Enterprise
Staging Areas\DNS_domain_name              Staging\Domain
Sysvol\Enterprise                          Enterprise
Sysvol\Windows2000_domain.microsoft.com    Domain

This configuration maintains data consistency by making sure that a single instance of the data set exists. Additionally, this configuration permits more than one access point for the data set. For example, Sysvol\Domain or Sysvol\Sysvol\Windows2000_domain.microsoft.com, as described in the example that appears earlier in this article, allows for redundancy but does not allow for duplicate files.

Junctions graft the namespace (any bounded area in which a specific name can be resolved) of the destination file system location onto an NTFS volume. An underlying reparse point permits NTFS to transparently remap an operation to the destination object. As a result, if you modify the data in the Sysvol structure, the changes occur directly on the physical files. Additionally, if you perform a cut-and-paste or copy-and-paste operation on folders in the Sysvol structure that contain junction points, the operation acts on the junction point information, not on the data.

Microsoft recommends that you avoid performing a cut-and-paste operation or a copy-and-paste operation on the Sysvol structure, especially when you perform the paste operation on the same server. If you perform a cut-and-paste operation or a copy-and-paste operation on the Sysvol structure, a copy of the junction point information is created. This does not result in a copy of the actual data. Instead, a copy of the junction point information only is created. If you modify any of the files that appear in that folder, you modify the source files directly.

Microsoft recommends that you do not modify the Sysvol structure. This recommendation also applies to backup and restore operations of the Sysvol structure. By default, if you back up Sysvol by using NTBackup.exe, the backup file includes a backup of the folder’s junction point information. If you restore a Sysvol structure from a backup file to a different location on the same server, do not restore the junction point information. To do so, use the advanced restore options.

Microsoft recommends that you do not modify any files directly to Sysvol without understanding the behavior of junction points and how these points affect Active Directory in your enterprise.

Note Under Windows Server 2003, if you copy %systemroot%\SYSVOL, you do not copy the junction points. However, under Windows 2000, if you copy %systemroot%\SYSVOL, you do copy the junction points.
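Because a copy of the tree can silently carry junction information instead of data, it helps to enumerate the junctions and their targets before any copy, backup or restore of Sysvol. The script below is an added example and not part of the KB article; it assumes Windows PowerShell 5.1 or later (for the LinkType and Target properties) and a local Sysvol under %SystemRoot%, and the copy destination is a placeholder.

```powershell
# Added example (not from the KB article): list every junction under SYSVOL with
# the location it resolves to, then take an offline copy that skips the junctions.
# Assumes PowerShell 5.1+ and SYSVOL at %SystemRoot%\SYSVOL; $dest is a placeholder.
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'
$dest   = 'D:\SysvolInspect'

# Junctions live two levels down (SYSVOL\sysvol\<domain>, SYSVOL\staging areas\<domain>),
# so a shallow recursion is enough and avoids walking through the junctions themselves.
Get-ChildItem -LiteralPath $sysvol -Recurse -Depth 2 -Directory -Attributes ReparsePoint |
    ForEach-Object {
        [pscustomobject]@{
            Junction = $_.FullName
            LinkType = $_.LinkType            # reports 'Junction' for these entries
            Target   = ($_.Target -join ';')  # the physical folder the junction resolves to
        }
    } | Format-Table -AutoSize

# /XJ tells robocopy to exclude junction points, so only the physical files under
# the domain and staging folders are copied and no second set of junctions pointing
# back at the live data is created in the copy.
robocopy $sysvol $dest /E /COPY:DAT /XJ /R:1 /W:1 /LOG:"$dest.log"

# robocopy exit codes below 8 mean success (0 = nothing copied, 1 = files copied).
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors, see $dest.log" }
```

Compare the Target column with the table above: every junction should resolve to a folder inside the same Sysvol tree. A junction whose target points somewhere else, or a copy that contains junctions when /XJ was used, is a sign that the tree has been altered and should be checked before it is relied on.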

More information:

Policy Tattooing


Understanding Policy “Tattooing”

 

Commands

VMware ESX/ESXi: Hot add RAM and CPU


By default, virtual machines don’t support Hot Add (add RAM) and Hot Plug (add vCPU). You need to enable this capability on a per-VM basis in order to use it. To do so, you must first shut down the virtual machine, since you can’t modify these settings while it’s running. Then open the virtual machine’s properties, navigate to the Options tab and choose the Memory/CPU Hotplug option in the Advanced section. On the right-hand side of the window, note that there are two sections, one for memory and one for CPU. Choose the options you like and then click OK. After this setting is changed, you can restart the VM.

Now, when you look at the VM details, notice that you’re provided with the maximum hot-add memory for the VM. In this case, that’s 64 GB.

 

When I look at the system properties for the VM, here’s what I see: 4 GB of RAM and 2 processors.

While the VM is running, I’m going to increase this to 6 GB of RAM and 3 processors.

Without a reboot, here is what I now see in the system properties.

And here’s a look at the Task Manager showing 3 CPUs and 6 GB of RAM.

If you’ve successfully hot added RAM or CPU to a running virtual machine, respond to this posting (or, leave a response to my forum posting) with your operating system, edition (standard, enterprise, etc), service pack level/kernel version, and architecture (32/64-bit). If enough people respond, I’ll compile all of the results into a usable format and republish it.
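The same two switches can be set from PowerCLI, which also lets you enforce the "VM must be off" rule and read back the hot-add memory ceiling the post shows. This is an added example, not code from the original post; it assumes VMware PowerCLI is installed, that you are already connected with Connect-VIServer, and the VM name APP01 is a placeholder.

```powershell
# Added example (not from the original post): enable memory hot add and CPU hot plug
# on a powered-off VM, read back what the vSphere API reports, then grow the running VM.
# Assumes PowerCLI and an existing Connect-VIServer session; 'APP01' is a placeholder.
$vmName = 'APP01'
$vm = Get-VM -Name $vmName

# The hot-add flags can only be changed while the VM is powered off.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$vmName must be powered off to change hot add settings (current state: $($vm.PowerState))"
}

# These two properties are the same switches as the 'Memory/CPU Hotplug' page
# under the VM's Options tab.
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.MemoryHotAddEnabled = $true
$spec.CpuHotAddEnabled    = $true
$vm.ExtensionData.ReconfigVM($spec)

# Refresh and show the resulting configuration, including the maximum hot-add
# memory the post refers to (reported by the API in MB).
$vm  = Get-VM -Name $vmName
$cfg = $vm.ExtensionData.Config
[pscustomobject]@{
    MemoryHotAdd    = $cfg.MemoryHotAddEnabled
    CpuHotAdd       = $cfg.CpuHotAddEnabled
    MaxHotAddMemMB  = $cfg.HotPlugMemoryLimit
    HotAddMemStepMB = $cfg.HotPlugMemoryIncrementSize
}

Start-VM -VM $vm | Out-Null

# Later, with the VM running: the post's change from 4 GB / 2 vCPU to 6 GB / 3 vCPU.
Set-VM -VM $vm -MemoryGB 6 -NumCpu 3 -Confirm:$false
```

Two caveats worth knowing before you switch this on everywhere: enabling CPU hot add turns off virtual NUMA for that VM on most vSphere releases, which can cost performance on large VMs, and whether the guest actually uses the added resources without a reboot depends on the guest operating system and edition, which is exactly what the post asks readers to report.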

Processor, Core, Logical Processor, Virtual Processor


Hi all,

Processor, core, logical processor, virtual processor, thread, Hyper-Threading: many terms that often create a lot of confusion, especially with virtualization.

Today I will explain these terms, and I’m sure that after a careful reading of this post no one will ask that question again.

My reference will always be Microsoft and Hyper-V, and I will answer the following questions:

1- What is the difference between a processor, a core and a logical processor?

2- What is a virtual processor?

3- How can I calculate how many virtual processors my physical machine supports?

4- My application runs today on a physical machine with 1 processor and 4 cores; how many virtual processors do I need if I decide to virtualize this machine?

So it’s time to answer:

1- What is the difference between a processor, a core and a logical processor?

Processor: the physical component that comes with the server, responsible for all processing operations. A server can have more than one processor (1, 2, …); we then talk about a multiprocessor server (bi-processor in the case of 2).

Core: inside your physical processor you can have more than one operations unit, called a core. We can say that a core is like a processor, so 1 processor with two cores is like 2 processors with 1 core (I insist: like, not equal). Today all processors are multi-core, and for servers we usually find processors with 4 or more cores (aka quad core or more).

Logical processor: as explained before, we have processors and cores. Normally a core can handle one thread (aka operation) at a time (one processor time slot). But when Hyper-Threading is supported and enabled, the core can handle two threads in the time it would otherwise take for one (it’s more complicated than that, but that is the point). The number of threads in a machine is the number of logical processors. So if you want to know how many logical processors you have, just count the total number of threads.

So how to count them:

Cores Count = Processor Count * Cores Per Processor

Logical Processor Count = Cores Count * Threads Per Core

Examples :

  • I have a bi-Quad Core processor server with Hyper-Threading: Logical Processor Count = 2 * 4 * 2 = 16
  • I have a server with a 12-core processor: Logical Processor Count = 1 * 12 = 12

So where to see how many processors, cores and logical processors your server has:

  • In the Windows Start menu, go to System Information and look at the first tab.
  • In the Task Manager, look at the Performance tab and count the logical processor graphs.

2- What is a virtual processor?

In virtualization, when you create a virtual machine you assign a processor to it: yes, we need that for the virtual machine to run and to perform operations. But the question is, what do we really assign to it?

Like vRAM, a VHD or a virtual network interface, we can assign a virtual processor (VP) to a virtual machine. Put simply, it is a physical processor time slot that will be given to the virtual machine. So when I assign a virtual processor to a virtual machine, it is as if I rent computing time from the processor, a piece of the processor.

How many VPs can I assign to a virtual machine? Good question, and we need to know this: the number of virtual processors we can assign to a virtual machine depends on two factors:

  • The logical processor count of the physical machine: the number of VPs cannot exceed the number of logical processors present. So if we have 16 logical processors in our physical machine, we can assign at most 16 VPs. The rule is: 1 virtual processor per logical processor for a single virtual machine.
  • Hypervisor support: in Windows Server 2008 R2 (and SP1), Hyper-V supports at most 4 virtual processors per virtual machine, so even if we have more than 4 logical processors, we can assign at most 4 VPs to a virtual machine. In Windows Server 2012 Hyper-V, we can assign up to 64 virtual processors per virtual machine. EXCELLENT!!!!

Another factor is not to exceed the host operating system limits; see the following table:

System Resource            Windows Server 2008 R2 Hyper-V   Windows Server 2012 RC Hyper-V   Improvement Factor
Host Logical Processors    64                               320                              5×
Physical Memory            1 TB                             4 TB                             4×
Virtual CPUs per Host      512                              2,048                            4×
Virtual CPUs per VM        4                                64                               16×
Memory per VM              64 GB                            1 TB                             16×
Active VMs per Host        384                              1,024                            2.7×
Guest NUMA                 No                               Yes                              –
Cluster Maximum Nodes      16                               64                               4×
Cluster Maximum VMs        1,000                            4,000                            4×

3- How can I calculate how many virtual processors my physical machine supports?

  • In Windows Server 2008 R2 (and SP1): the ratio is 1 logical processor : 8 virtual processors for any virtual guest. In a VDI scenario with Windows 7 guest virtual machines the ratio is 1 logical processor : 12 virtual processors. So if I have 12 logical processors, I can have up to 12 * 8 = 96 virtual processors, i.e. 96 virtual machines with 1 VP, or 48 virtual machines with 2 VPs, or any combination that does not exceed the total count of virtual processors.
  • In Windows Server 2012: Microsoft says that you can have as many virtual processors as your hardware supports. So create your virtual machines and monitor the performance of your server.
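The two counting formulas and the 2008 R2 planning ratios above can be turned into a small function that either reads the local machine's CPU inventory from WMI/CIM or takes the counts by hand. This is an added example and not part of the original post; it assumes the Win32_Processor CIM class (present on any supported Windows) and that every socket in the machine has the same core and thread layout.

```powershell
# Added example (not from the original post): apply the post's formulas
#   Cores Count             = Processor Count * Cores Per Processor
#   Logical Processor Count = Cores Count * Threads Per Core
# either to the local machine (via Win32_Processor) or to counts given by hand.
# Assumes all sockets share the same layout; not part of the original post.
function Get-ProcessorTopology {
    param(
        # Leave all three at 0 to inspect the local machine, or supply them,
        # e.g. -Processors 2 -CoresPerProcessor 4 -ThreadsPerCore 2
        [int]$Processors = 0,
        [int]$CoresPerProcessor = 0,
        [int]$ThreadsPerCore = 0
    )

    if ($Processors -eq 0) {
        $cpus = @(Get-CimInstance -ClassName Win32_Processor)
        $Processors        = $cpus.Count                      # one instance per socket
        $CoresPerProcessor = $cpus[0].NumberOfCores
        # Hyper-Threading shows up as more logical processors than cores on a socket
        $ThreadsPerCore    = [int]($cpus[0].NumberOfLogicalProcessors / $cpus[0].NumberOfCores)
    }

    $cores   = $Processors * $CoresPerProcessor   # Cores Count
    $logical = $cores * $ThreadsPerCore           # Logical Processor Count

    [pscustomobject]@{
        Processors        = $Processors
        CoresPerProcessor = $CoresPerProcessor
        ThreadsPerCore    = $ThreadsPerCore
        Cores             = $cores
        LogicalProcessors = $logical
        HyperThreading    = ($ThreadsPerCore -gt 1)
        # Windows Server 2008 R2 Hyper-V planning ratios quoted in the post:
        # 8 VPs per logical processor for server guests, 12 for Windows 7 VDI guests
        MaxVPs_2008R2_Server = $logical * 8
        MaxVPs_2008R2_VDI    = $logical * 12
    }
}

# The two examples from the post, then the machine this runs on
Get-ProcessorTopology -Processors 2 -CoresPerProcessor 4 -ThreadsPerCore 2
Get-ProcessorTopology -Processors 1 -CoresPerProcessor 12 -ThreadsPerCore 1
Get-ProcessorTopology
```

The MaxVPs columns are the ceiling from the post's 2008 R2 ratios, not a sizing recommendation; on 2012 and later, as the post says, the practical limit comes from measured load, so compare the LogicalProcessors value against the VPs you have actually assigned across all running VMs on the host.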

4- My application runs today on a physical machine with 1 processor and 4 cores; how many virtual processors do I need if I decide to virtualize this machine?

There is no exact formula to convert physical needs into virtual needs when talking about processors.

But the formula used today is: Physical Core = Virtual Processor

So if your application needs 1 quad-core processor on a physical machine, you can say that it needs 4 virtual processors as a virtual machine.

We highly recommend that you monitor the virtual machine’s performance and see whether there is a need to add more virtual processors.

Source:

https://buildwindows.wordpress.com/2012/12/13/virtualization-processor-core-logical-processor-virtual-processor-what-does-this-mean/

Note

Domain Vs Domain controller


Active Directory is what is called a directory service, it stores objects like users and computers.
A domain controller is what the server running Active Directory is called.
You can have multiple domain controllers for many reasons, such as redundancy: should one server fail, people can still log in and access things like joined computers through another domain controller while the first server is being fixed.

Just a small example of how Active Directory is meant to be used:
Forest (examplecorp.local)
– Domain (headoffice.examplecorp.local)
— Domain Controller A
— Domain Controller B
— Computer A: users can log in to the computer with their account using either Domain Controller A or Domain Controller B, depending on different factors.
— Computer B, same
— Computer C, same
– Another Domain (seattleoffice.examplecorp.local)
— Same structure for local Seattle office

Only one domain controller in a domain can handle certain tasks, like the Global Catalog and such. This is usually called the Primary Domain Controller (PDC), and tasks like the Global Catalog can be moved to any domain controller should that be needed.
Should you plan on using Active Directory, you should read up on it, because it is a very complex piece of software and if you configure it wrong you could potentially spend hours trying to figure out what went wrong.
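To see the structure described above in a real forest, the script below lists every domain controller per domain, which of them serve as Global Catalog, and which one currently holds each operations master role (including the PDC role mentioned above). It is an added example, not part of the original note; it assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the directory.

```powershell
# Added example (not from the original note): inventory of the forest's domains,
# their domain controllers, Global Catalog servers and operations master roles.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)"
Write-Host "  Schema Master:        $($forest.SchemaMaster)"
Write-Host "  Domain Naming Master: $($forest.DomainNamingMaster)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host ""
    Write-Host "  Domain: $($domain.DNSRoot)"
    # The three per-domain roles; PDC Emulator is the 'PDC' the note refers to.
    Write-Host "    PDC Emulator:          $($domain.PDCEmulator)"
    Write-Host "    RID Master:            $($domain.RIDMaster)"
    Write-Host "    Infrastructure Master: $($domain.InfrastructureMaster)"

    # Every DC of this domain, with site, GC flag and any roles it holds
    Get-ADDomainController -Filter * -Server $domain.DNSRoot |
        Sort-Object HostName |
        ForEach-Object {
            [pscustomobject]@{
                DomainController = $_.HostName
                Site             = $_.Site
                GlobalCatalog    = $_.IsGlobalCatalog
                Roles            = ($_.OperationMasterRoles -join ', ')
            }
        } | Format-Table -AutoSize | Out-String | Write-Host
}
```

The output makes the redundancy point concrete: a domain with a single DC, or with only one Global Catalog, has no fallback if that server is down, and a role holder that is offline blocks the operations tied to that role (for example password changes and time synchronisation for the PDC Emulator).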

Active Directory Audit Script


Paul Bergson wrote this brilliant script that queries Active Directory and gives you a wealth of information that can be used to audit Active Directory.

I have slightly modified this script and added a few lines to get information like the email address and the exchange home server of the user using the mail and msExchHomeServerName attributes.

You can download the modified script here.

How the script works:

It queries Active Directory using LDAP for a number of well-known user attributes and writes them to a .csv file in the same directory as the script. The file will be named yyyymmdd_audit.csv.

NOTE: I am NOT the original author of this script. Please give all credit to Paul Bergson who is an MVP for Directory
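For readers who cannot reach the download, the script below reproduces the behaviour described above in the smallest form: query user attributes over LDAP, including the mail and msExchHomeServerName attributes added in the modified version, and write them to yyyymmdd_audit.csv next to the script. It is an added example, neither Paul Bergson's script nor the modified copy linked above; it assumes the ActiveDirectory RSAT module, and the attribute list beyond the two named on the page is the author's own choice of common audit fields.

```powershell
# Added example (not the script described on the page): minimal LDAP user audit
# exported to yyyymmdd_audit.csv in the script's directory.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# LDAP attribute names; 'mail' and 'msExchHomeServerName' are the two the page mentions,
# the rest are a common set of audit fields chosen for this example.
$attributes = @(
    'sAMAccountName', 'displayName', 'userPrincipalName', 'mail', 'msExchHomeServerName',
    'whenCreated', 'lastLogonTimestamp', 'pwdLastSet', 'userAccountControl', 'memberOf'
)

# Same directory as the script, or the current directory when run interactively
$dir     = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$outFile = Join-Path $dir ("{0}_audit.csv" -f (Get-Date -Format 'yyyyMMdd'))

Get-ADUser -Filter * -Properties $attributes |
    Select-Object sAMAccountName, displayName, userPrincipalName, mail, msExchHomeServerName, whenCreated,
        # FILETIME integers become readable dates; zero/absent stays empty
        @{ n = 'lastLogon';  e = { if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } } },
        @{ n = 'pwdLastSet'; e = { if ($_.pwdLastSet) { [datetime]::FromFileTime($_.pwdLastSet) } } },
        # bit 2 of userAccountControl is ACCOUNTDISABLE
        @{ n = 'disabled';   e = { [bool]($_.userAccountControl -band 2) } },
        @{ n = 'groupCount'; e = { @($_.memberOf).Count } } |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

Write-Host "Wrote $outFile"
```

Note that lastLogonTimestamp is replicated only every 9 to 14 days by default, so it identifies stale accounts rather than the exact last logon; for the precise value you would have to query the non-replicated lastLogon attribute on every domain controller.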