Terminal Service / Remote Desktop Service

General Information

Windows Server 2008 Terminal Service

  • TS Easy Print, no need printer driver at server
  • Domain SSO (W2k8 server, Vista client), no need to re-enter password for RDP, allow running RemoteApp directly
  • All sessions are now equal. /admin option to replace /console option is only use to connect without consume TS CAL – Still applicable at 2012R2 RDS
  • TS Web Access not only can start a web-based Remote Connection, but can connect to a RemoteApp only
  • TS Gateway (RDP over HTTPS)
  • TS Licensing can now Revoke per-Device CAL and use on other users, only 20% CAL can be revoked, until they’re expired
  • TS Session Broker (replaces TS Session Directory), for user to find right server after disconnect

Windows Server Links

Windows Server 2012

Windows Server 2008 R2


Windows Server 2008 R2 Foundation

Windows Server 2008
Active Directory
  • Study Checklist
    • Routing Status in sites
    • multiple DC enviornment
    • full / partial (OU) recovery / non-authorative recovery / restore to another server
    • Restore System State to another server for AD recovery, what is the side effect to existing member server?
    • Forest / Domain Function Levels
    • Universal Group Caching effects
    • Forest Trust with selective authentication
    • DACL (discretionary ACL)
    • PDC Emulator is only needed if there is Windows NT PDC/BDC?
  • Windows 2000 Server SP2 or earlier use only NTLM authentication in AD?
  • In a Native or 2003 Mode domain, GC is required for users to logon because it keep Universal Group information. In Mixed Mode, GC is not required for normal user to logon.
    In some case, Universal Group Caching may not work if the caching is out-dated.
  • Unless there is only 1 DC in the domain / all DC are GC, the Infrastructure Master must not be also a GC else it won’t work
  • TombstoneLifetime
    • Locate at: tombStoneLifetime attribute on: cn=Directory Service, cn=Windows NT, cn=Services, cn=Configuration,
    • Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
      If a domain controller does not replicate for a period of time that is longer than the tombstone lifetime and the domain controller is then reconnected to the replication topology, objects that were deleted from Active Directory while the domain controller was offline can remain on the domain controller as lingering objects.
      If backup restored contain deleted objects but the backup is older than the tombstonelifetime, then deleted objects will get added back to AD because the tombstone objects no longer exist.
    • 216993: Useful shelf life of a system-state backup of Active Directory
  • Forest Trust could not extend over the neighbour forest
  • Use ntdsutil to change the password in AD Restore Mode in a Domain Controller
  • Create Active Directory for a server from a backup: dcpromo /adv
    Further detail can refer to this article from petri.co.il
  • Using Scripts to Delegate Active Directory: Working with Property Sets
  • Difference between Local Groups, Global Groups and Universal Groups
    Universal Groups are useful in multi-domain enviornment only, as it can contain members from any domains
  • TechNet: Best Practice Active Directory Design for Managing Windows Networks
    Windows 2000 age, but still useful for multi-site AD planning
  • 315131: HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows 2000
  • When restore a subtree in ntdsutil Authoritative mode, subject need to specify in: OU=OU Name, DC=domain, DC=lan
  • Restore an AD using System State will reset the DSRM password, please confirm the password before restore
  • Change DSRM Password
    • Win2k and Win2k3 are different
    • Win2k use setpwd, if use the wizard to create domain, default DSRM password is empty!
    • Win2k3 use: ntdsutil
    • It seems cannot change DSRM password inside DSRM mode, need to change when AD is running
    • Safe Mode password is NOT same as DSRM password, it is same as the AD administrator password!
    • Inside Safe Mode, net user administrator password seems will change the AD administrator password?
    • Inside DSRM, it is NOT possible to change the AD administrator password. net user administrator password will change the DSRM administrator password
    • Can use Linux ntpasswd to reset the DSRM password, but make sure NTFS is clean (boot into Safe Mode and do a reboot) else it will report “read-only filesystem"
  • Domain Rename
    • Only possible in 2003 Forest Level and 2003 Domain Level, with all DC using 2003 Server
    • Use rendom.exe on 2003 CD ValueAdd directory
  • DC Rename
    • Run by Domain Admins
    • Need 2003 Domain Level
    • Use netdom.exe in Support Tools
    • Rename with Full Computer Name (FQDN)
    • Both old and new names are keep to prevent service interruption, unless remove with the netdom.exe command
  • Move object between domains
    • Do at RID Master role server
    • use movetree.exe
  • PDC Emulator special function
    • If authentication failed at any DC, will forward request to PDC Emulator
  • Infrastructure Master
    • Contain latest group membership info
    • Should not mix role on a GC
  • Active Directory Schema Management
    • MMC Snap-in not activated to prevent modify wrongly
    • Activate with: regsvr32 schmmgmt.dll
    • Add Scap-in: Active Directory Schema
    • Change Schema Master role inside this MMC
  • Check Sync Status (Show USN number to each sync partner)
    repadmin / showutdvec dcname dc=domain,dc=tld
  • Find FSMO roles
    • Use MMC GUI Tools
    • replmon
    • ntdom
    • ntdsutil
  • Seize FSMO with ntdsutil
    • ntdsutil
    • roles
    • connections
    • connect to server newdcname
    • [quit to roles prompt]
    • seize schema / domain naming master / RID master / PDC / infrastructure master
    • [quit twice to quit]
  • Add additional DC do a domain / new domain
    • “An Active Directory domain controller for the domain xxx could not be contacted", although DNS was successfully queried
      It is *possible* the AD on the DC is corrupted and require other DC to provide the AD service on LDAP port (tested)
    • When add a child domain, must have an account as a Domain Admins of the parent domain (tested, seems even need the Domain Admins of root domain!)
    • If DNS server point to the parent’s DNS IP, there is no delegation and records created at the parent’s DNS server instead!
    • If DNS server point to new server’s own IP, delegation seems NOT setup automatically at parent domain.
      And only the initial AD related records are created at the parent’s domain (same as point DNS ip to parent domain’s DNS)
      The _msdcs subdomain seems created at all the child domain new servers!
  • AD Directory Service Logging debugging
    • HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\*, default value = 0, recommend increase value upto 3 for verbose logging
    • Relogon to update the Event log with new entries
    • Only increase the value on debug purpose, keep normal use at level 0
  • Study Checklist
    • netsh utility usage
    • DHCP Relay Agent
    • RFC 1542 compliant router
    • Superscope
  • Repair button on client do
    1. broadcast renew instead of unicast renew
    2. Flush ARP cache (arp -d *)
    3. Flush NBT cache (nbtstat -R)
    4. Flush DNS cache (ipconfig /flushdns)
    5. Register to WINS (nbtstat -RR)
    6. Register to DNS (ipconfig /registerdns)
  • 142042: Description of TCP/IP Node-Type Settings
    Describe DHCP 046 option node types when using 044 option WINS Server
  • DHCP error 14 is “out of address" error
    Also contain a brief list of important points on DHCP, RRAS, RIP
  • Reconcile database to fix inconsistency database error
  • getmac CLI (Support Tools) to get MAC address of a machine, even on remote subnet (I think need to in a same AD)
  • “netsh dhcp show server" display all DHCP servers in AD
  • dhcploc CLI (Support Tools) to check for DHCP servers on the network
  • Should not set DnsUpdateProxy group assign to a DC, else all records updated by DC has no ownership
    Alternative solution maybe specify the account to handle dynamic update in 2003 DHCP or specify the DHCP service account in 2000 SP2
  • use jetpack.exe to offline compact database if growth above 30M or report db error
  • DHCP manual backup include all data except credential for DNS dynamic update
  • TechNet detail on Conflict Detection
  • Exclusion has higher priority than Reservation
Routing and Remote Access (RAS)
  • By default, the username created for demand-dialin is same as the demand dial interface name for site-to-site connection
Group Policy
  • Study Checklist
    • Orders and relationship of GPO
  • Policy Management in Server 2003 No Override is renamed in GPMC, which is called Enforced
  • Group Policy Management Console
    Group Policy backup/restore, HTML report for policy
  • Group Policy Settings Reference for .adm files included with Windows XP Professional Service Pack 2
    Excel spreadsheet contain all the policies used in WinXP SP2
  • Group Policy Event Log verbose logging
    • HKEY_LOCAL_MACHINE/Software/ Microsoft/Windows NT/Current Version/Diagnostics/RunDiagnosticLoggingGroupPolicy, DWORD, value=1
    • Relogon to take the effect in Application Log
  • Group Policy Diagnostic Log
    • HKEY_LOCAL_MACHINE/Software/ Microsoft/Windows NT/Current Version/Winlogon/UserenvDebugLevel, DWORD, value=30002
    • Relogon to take the effect
    • Log file is at: %Systemroot%\Debug\Usermode\Userenv.log
    • 1M file size limit, will create bak file
  • Group Policy Software Deployment debugging
    • Change at target client computer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows NT\CurrentVersion\Diagnostics\AppMgmtDebugLevel, DWORD, 4b
    • Restart the computer / relogon user (depeneds on publish or assign)
    • Log file is at: %Systemroot%\debug\usermode\appmgmt.log
    • Remove the debugging once finished
Windows Firewall
  • Study Checklist
    • WMI, applicable area
    • Virtual Tape Drive software? (Testing ARCserve)
    • Virtual Cluster with VMware
    • Internet printer sharing
    • ds* utilities
    • csvde utility
    • diskpart utility
    • wmic utility
    • Remote Assistance
  • Reset a password for the user by Administrator will make EFS encrypted files inaccessible, need to decrypt with recovery agent!
  • Microsoft: Trust between Windows Server 2003 and Windows NT 4.0 domain
  • Disable Disable Windows XP’s builtin zip support
    regsvr32 /u %windir%\system32\zipfldr.dll
    Better rename or remove the zipfldr.dll afterward
    Then re-associate ZIP extension with your ZIP program such as WinZIP
  • Guy’s Windows Logon VBScripts
    Include printer mapping scripts
  • Windows XP Fixes, Tips and Tweaks
    Contain a lot of registry fixes for Windows XP registry crashed by virus/malwares
  • AppDeploy.com – The Application Deployment Information Center
    Contain a lot of examples on how to automate software install!
  • Copy User profile to new account
    Copy a User Profile:
    Open System in Control Panel. On the User Profiles tab, and under Profiles stored on this computer, click the user profile you want to copy, and then click Copy To.
    In the Copy To dialog box, under Copy profile to, type the location for the new profile, or click Browse to select the path.
    Click Change to open the Choose User dialog box, click a new user from the Names list, and then click Add. The new user name will appear in Add Name. Click OK to add the user as a new user profile on your computer.
    Note: You must be logged on as an administrator to the local computer to copy user profiles. To open a Control Panel item, click Start, point to Settings, click Control Panel, and then double-click the appropriate icon.
  • AdminScriptEditor
    Tool to help admin create scripts, support: Batch, PowerShell, VBScript, AutoIt, KiXtart
  • Delete Files Older Than (Tool to delete files older than n days)
Computer Browser Service
Windows Rights Management Services
Windows Deployment Services
Software Update Services (SUS) – Obsolete
Windows Server Update Services (WSUS)
Volume Shadow Copy
Application Deployment
  • Study Checklist
    • Publish & Assign MSI applications via GPO
    • Publish & Assign’s differences
  • Terminal Server will not accept assigned / published applications from GPO, need manual install
  • Published application can be added to “Add/Remove Programs" and let the user choose to install it
Wireless Network Management
  • Study Checklist
    • Wireless Monitor
    • 802.1x and certificates
    • Wireless Policy for machines in domain
  • Define 802.1X authentication for wireless networks
    PEAP fast reconnect allows roaming users to maintain continuous wireless network connectivity when traveling between different wireless access points on the same network
  • Microsoft Virtual Wifi
    Single Wifi card connect to multiple Wifi network
Load Balancing
  • Study Checklist
    • Cluster Service in Enterprise Server (setup and recovery)
    • Cluster aware services
    • Shared SCSI drive configuration
    • Network Load Balancing
    • NLB Cluster in unicast/multicast mode
    • IGMP effect for NLB
  • Use Cluster Administrator GUI or cluster.exe utility to manage all servers inside a cluster (e.g. administrator password)
Backup & Restore
  • Study Checklist
    • ASR Backup
    • Copy Backup vs Normal Backup
    • Emergency Management Services in Recovery Console
Legacy Technology
  • Study Checklist
    • WINS
    • Signed SMB
  • Study Checklist
    • secedit
    • Security Template INF files
    • compatws.inf
    • securedc.inf
    • syskey utility
    • EFS Filesystem Encryption
  • Terminal Server Security
    Talk about: System Auditing, File System Auditing, Registry Auditing, Connection Auditing
  • RDP Slow problem
    – Tuning with TcpWindowSize or
    – Vista build-in Auto-tuning TCP/IP Receive Window Size
    – Follow Citrix client to set it to 64512 (More Info)
  • Client cannot join domain
  • svchost.exe 100% CPU during Windows Update (apply for Windows XP too)
    • Some dll may need re-register
      	net stop wuauserv 
      	Repeat for the following: 
      	regsvr32 wuapi.dll 
      	regsvr32 wups.dll 
      	regsvr32 wuaueng.dll 
      	regsvr32 wuaueng1.dll 
      	regsvr32 wucltui.dll 
      	regsvr32 wuweb.dll 
      	regsvr32 MSXML3.dll 
      	regsvr32 qmgr.dll 
      	regsvr32 qmgrprxy.dll 
      	regsvr32 jscript.dll 
      	net start wuauserv 
    • Try to Disable Microsoft Update and revert to Windows Update
      In MU, click “Change settings" in the left-hand sidebar,
      then check “Disable Microsoft Update software and let me use Windows Update only",
      and click “Apply changes now".