Windows Server Administration » Windows Server 2008

Setting Default Printers with Group Policy Preferences

Daniel Anderson — Wed, 25 Feb 2009 02:03:55 +0000

Had an interesting question from a reader in response to setting a default printer with Group Policy Preferences that I thought I would share.

Question was:
If you set a user general default printer like the main office copier but also set a location printer preference like the library copier using the loop back policy will it over ride the general default printer preference?

Do I merge or replace?

I decided to test this out as I have not come across this. Here is what I found, if you have a User Policy that is creating a printer connection and setting it as the default and you also have, using Loopback Policy Processing in Merge Mode, another User Policy being applied, this will override the first User Policy Settings. Both printers will be installed, but the default printer will be set to the one specified in the policy that has the loopback.

Note: I tested this on a client that has no printers installed

If Loopback Processing is in Replace Mode then the User Settings in that policy will “Replace” the settings in the other policy. Therefore only one printer will be installed and it will be set as default.

Hope that helps.

Using Group Policy Prefernces to Map Drives

Daniel Anderson — Wed, 25 Feb 2009 00:38:43 +0000

The other day I wrote an article on how I use Group Policy Preferences to Deploy Printers and Set the Default Printer. Today I wanted to share with you how I go about mapping network drives to particular users based on their AD DS Group Memberships. In days gone by this was don via a vbs login in script, but let me show you how this can be done via GPP.

Simple scenario, we have a group of Media students that need a drive mapped to a different “Media Backup Server”, so what I have done is put these students into and Active Directory Group called “Media Students”.

So in my Students GPO I simply went to User Configuration > Preferences > Windows Settings > Drive Maps

Right Click Drive Maps and select New > Mapped Drive Select Create from the drop down menu, enter the path to the share (eg. \\server\share ), I have created folders that relate to the students username therefore I used the %username% variable, select the Drive Letter.

Then from the Common tab up the top tick Item Level Targeting, from the New Item Menu select Security Group, make sure User In Group is selected in the bottom window and browse for the Security Group that the user must be a member of.

All Done, now all students that are a member of the Media Security Group will get an M Drive Mapped.

Cheers

Daniel Anderson
Loving Group Policy Preferences

The One Reason You Should Use Group Policy Preferences

Daniel Anderson — Wed, 18 Feb 2009 04:38:01 +0000

The job of deploying printers and setting default printers has been quite simply a pain in the butt. Well automating the default printer has been anyway. Now if you are like me and work in an educational environment where there are computer labs, left right and center, libraries, staff notebooks (separated on different campuses), student notebooks etc etc and users all wanting to print to specific printers and of course people not wanting to select the correct one from a list of printers then read on.

Use Group Policy Preferences !!!

In the past I have used the Print Management Console to deploy the printers via Group Policy, now that did work very well, but there was still the “overlooked” problem of being able to set the default printer. To get around this what I used to do was to name the computers in a certain way and then have a vbs script that would get the name of the printer and then set the default based on the computer name.

I was reading an article by GPO Guru Derek Melber about the new Group Policy Preferences that come with Windows Server 2008 and Windows Vista and thought I would explore this option.

To start off your client will need the Group Policy Preference Client Side Extensions both XP and Vista Clients need these. Now you can manually download these and install via a computer startup script via Group Policy or if you have a WSUS Server then you can make this “Feature Pack” available via Windows Updates (this is the option I took, less work!).

Now that you have the Group Policy Preference Client Side Extensions installed on the clients, you can go ahead and play with the GPO’s. If you open up the Group Policy Management snap in and edit a GPO object you will see “Preferences”

After expanding “Preferences” you will notice an options there that says PRINTERS. If you right click on Printers and select New > Shared Printer, the New Shared Printer Dialog Box will appear.

From here we can enter in the path to the shared printer and from the Action drop down menu select “Create”, but the best part is that you can place a tick in the “Set this printer as the default printer” box and it will make that printer the default. Interesting thing to note here though is that this check box is only available under a User Configuration and not the Computer Configuration. This is not what I wanted, I need to set a default printer for computers in a specific room.

So what I have done in enable User Group Policy Loop Back Processing under the Computer Configuration > Policies > Admin Templates > System > Group Policy, you can either set that to Merge or Replace. Now what that does is enable you to apply User Configurations to users that log onto those computers that this policy applies to.

This is the Good Part

Once you have created a shared printer to deploy there is a tab on the properties of that called “Common” , if you click on that and place a tick in the “Item Level Targeting” and click on the Targeting Button a whole new world opens up!

Click on the New Item and just have a look at the possibilities there. The one I was interested in was the Organisational Units option. Because what I want to happen is if a computer is in a specific OU install and make printer X the default.

With this option I was able to achieve just that. Just select the OU that the Computer should belong to by using the Browse Button and select the Computer in OU radio box.

Job Done……

For More Tips on how you can use Group Policy Preferences make sure you SUBSCRIBE to my RSS Feed so you don’t miss out on making your life as a Network Administrator an easier one !!!

Virtualize Your Exchange Edge Server

Daniel Anderson — Wed, 28 Jan 2009 04:55:55 +0000

OK Here we go back in the swing of things and the first server I am going to “Virtualize” is an Exchange 2007 Server that holds the Edge Server Role. After Reading this article it all seemed fairly straight forward. How wrong I was !!! Here is what I did that led me to this unwanted ERROR “The Exchange Server is in an inconsistant state” when I was trying to install the Edge Transport Role on the new Hyper-V Virtual Server.

The first thing that needed to be done was an export of the current server configuration using, as Microsoft calls it, “cloned configuration tasks”. There is a folder located in the install directory of Exchange, generally C:\Program Files\Microsoft\Exchange Server\ called “Scripts”. Inside there are 2 Powershell Scripts that you will need.

They are ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1.

To capture the configuration we need to run the ExportEdgeConfig.ps1 script in the Exchange Management Shell like so:

./ExportEdgeConfig -CloneConfigData:”C:\CloneConfigData.xml”

NOTE: Make Sure you run the Exchange Management Shell as Administrator (right click > Run As Administrator)

Now I am going to be keeping the same computer name on the new Virtual Edge Server, so I did this next.

Shutdown the current Exchange Server and then Reset the Computer Account in Active Directory. Next was to start up the NEW Exchange Server, rename it and join it to the domain. You MUST make sure that the drive letter configuration is the same as the OLD Server.

Next Install Exchange, I did this by running trying to run this command:

Setup.com /Role:Edge

This is where it all fell apart. I got an error and decided to try again by running the setup.exe file. Sure enough it was No Good and I received this Error “The Exchange Server is in an inconsistant state”. Then I tried to run the install in Recovery Mode by using this command:

setup.com /m:RecoverServer

Guess what? Failed again. Things were looking pretty grim. Considering this was a virtual machine and only hosting the Edge Transport Role I copied across a sysprepped Windows Server 2008 VHD that I created earlier and started from scratch.

While the Server was starting up I reset the Computer Account in Active Directory and I also need to get brutal and use ADSi Edit and remove the entry in the following location:

CN=Configuration, DC= Domain Name, DC=com, CN=Services, CN=Microsoft Exchange, CN=, CN=Administrative Groups, CN= , CN=Servers, CN=

and also remove the entry in the Exchange Servers and Exchange Install Domain Servers Security Groups.

The Server was now up and running and joined to the domain so I tried again to install Exchange 2007 and the Edge Transport Role, and all seemed to go through fantastically!

After Exchange was installed I then need to run the New-EdgeSubscription CMDLET on the Edge Server:

New-EdgeSubscription -FileName “c:\EdgeServerSubscription.xml”

Then import that XML File on the Server that is running the Hub Transport Role. To to that you can use the Exchange Management Console and navigate to this spot.

Organisation Configuration > Hub Transport > and then click the Edge Subscription Tab.

After that was completed I gave the Edge Server a Restart and the mail started flowing in again…….There seemed to be a few people that have had a similar issue so I hope this sheds some light on a procedure on how to get around this issue. Another bonus to virtualization !!!!.

Secure Your Wireless Network With WPA2-EAP

Daniel Anderson — Wed, 26 Nov 2008 00:37:04 +0000

I have been reading a bit about wireless security over the past week, as it is part of the 70-642 MCTS Exam “Configuring Windows 2008 Network Infrastructure” that I am currently studying (I will be sitting the exam in the next week or two, so subscribe to my RSS Feed so you don’t miss out on some inside tips !!!). We are curently running a wireless infrastructure with Cisco 1200 Access Points, a Windows 2003 Radius Server and using WEP 128bit (keys auto rotated every hour) encryption and Auto Enrolled Certificates from our Windows 2003 CA for authentication. This has been working pretty well, but with WPA2, an updated version of WPA and comes in two flavours WPA2-PSK and WPA2-EAP, it offers improved security and better protection from attacks. Now if all clients can support WPA2-EAP then this should be your first choice.

To kick things off you first of all need a PKI Infrustructure and enable autoenrollment so that all your wireless clients obtain the correct certificates for the authentication process.

1. Install the Active Directory Certificate Services (ADCS) Role to the server and just use the default settings here.

2. Next Open up the Group Policy Management Console and either edit a policy or create a new one to apply the wireless settings to your clients. The section we want is Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. In the details pane now you need to right click the Certificate Services Client – Autoenrollment and then select properties. In the Properties dialog box select enabled from the rop down box and then place a tick in the other boxes, which is optional.

Let’s now install and configure the Radius Server to handle the authentication. Install the Network Policy and Access Services Role. Once install you need to then navigate to the NPS Node in Server Manager, under Roles\Network Policy and Access Services.

1. In the Details Pane, from the drop down list under Standard Configuration select RADIUS server for 802.1x Wireless or Wired Connections and click Configure 802.1X Hyperlink.

2. Select the top radio button “Secure Wireless Connections” click next

3. On the Specify 802.1X Swtiches Page Add your Wireless Access Points and Radius Clients. You need to do this for each Access Point you have. When you click the add button fill out the Friendly Name, IP Address. For the Shared Seceret you can either enter one in manually or have one generated (which will then need to be entered into the AP’s), once all AP’s have been entered click next.

4. Next up Configure an authentication method. From the Drop Down list select the method you want to use. We were currently using Smart Card or Other Certificate and I wanted to change to Microsoft: Protected EAP (PEAP).

NOTE: This method requires a Computer Certificate and the Radius Server and either a computer or user certificate on the client machine. The best way to do this is to use a Domain PKI see above.

5. Select the groups you would like to give wireless access to.

6. Next configure VLAN Settings. You can use this to restrict Wireless users to specific network resources. Then click Finish.

7. You then need to Reegister the server with Active Directory. Right Click the NPS Node and select Register Server.

Configure Wirelss Clients to Connect Automatically……

1. There are a couple of Group Policy settings that you will need to adjust here to get your wireless clients to automatically connect to your network. Open up your Group Policy Management Console and navigate and right click Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) and select Create A New XP Policy. If you have both XP and Vista Clients then you will need to select this option as if there is no Vista Policy, Vista Clients will use the XP one.

2. Give the Policy a Name and Description and then click the Preferred Networks Tab. Click the Add Button and select Infrastructure.

3. Enter the SSID of your Wireless Network, then from the Authentication drop down box select WPA2 and from the enryption drop down box select TKIP.

4. Then click on the IEEE 802.1X Tab leave the EAP Type and PEAP and under Authentication Mode selct Computer Only. This means that the authentication will take place prior to the Computer getting to the Login Screen. This is what I wanted.

Auto Enrolling Computer Certificates Via Group Policy

The process above regarding the PKI Infrastrucure will auto enroll the Root Cert. But we also need to auto enroll a computer certificate which can be done like this.

1. Open up your Group Policy Management Console and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings.

2. Right Click in the details pane and select New > Automatic Certificate Request.

3. This will open up a wizard and you can select a Computer Certificate.

Now do a policy update on your client machines and they SHOULD automatically connect to your newly secured wireless network.

Hope this helps you out. Cheers

Daniel
Securing My Wireless Network

32bit Printer Drivers on an x64 Windows 2008 Print Server

Daniel Anderson — Thu, 20 Nov 2008 21:30:37 +0000

Continuing on with my Hyper-V Virtual Machine installations, I moved onto a Windows 2008 Print Server after yesterday I spoke about How To Migrate a Windows 2003 DHCP Server to a Windows 2008 Server. These virtuals are x64 based VM’s and as I found out after adding the Print Services Role to the server and then installing a printer to share and connecting to that printer from a 32bit XP Client the server didn’t have appropriate drivers installed and asked me to locate the driver files.

90% of my printers are HP ones so I went to the HP website and downloaded the most recent driver, it turns out they have a “HP Universal PCL 6″ driver. Now this driver appears to do, as the name suggests, provide the correct drivers to all HP Printers!.

To get the x86 drivers onto the x64 Windows 2008 Server you need to connect to the server from the x86 client and open up the printer and faxes share. THen from the File Menu select Server Properties, then from the Driver Tab add the x86 drivers that you downloaded, and they will then be uploaded to the server.

Another catch here is that both x86 and x64 drivers MUST have the same name. If they have the same name, they will appear automatically in additional drivers for both architectures in your printer’s sharing properties.

Windows 2008 Virtual Domain Controller

Daniel Anderson — Thu, 20 Nov 2008 01:27:27 +0000

Well I got another Hyper-V host up and running today which will house a couple of VM on it, a Domain Controller which will also have DNS and DHCP installed and also a Print Server. I have set it up with 3 Logical Drives consisting of a Mirrored OS, Hardware Raid-10 for the VHD and Hyper-V data and another single drive that will have the Shadow Copies of the Raid-10 Volume on it.

The Install of the Active Directory Domain Services went great and obviously DNS was installed along the way. I also made this one a Global Catalog Server.

How To Migrate Windows 2003 DHCP to Windows 2008 DHCP Server

Next up was migrating the DHCP from the old Windows 2003 Server to this new box, below is how I did this:

First export the DHCP Database from the 2003 Server with the following command:

netsh dhcp server export C:\dhcp.txt all

Then copy that file to the new 2008 Server. Add the DHCP Server Role on the new box via Server Manager. Then with the following command import the dhcp database:

netsh dhcp server import C:\dhcp.txt all

Now when I did this I got this error “Error while importing option “6.” “This option conflicts with the existing option “” An Internal Error Occurred.”.

This was to do with the fact that while adding the DHCP Server Role to the new machine there were entries in the Server Options that were done automatically, once I went in and removed these options “006 DNS Servers” and “015 DNS Domain Name” and then re did the import with the string above everything went fine.

Next up Print Server. Subscribe to my RSS Feed so you can see how I managed this.

By the way there is a great article and script from John Howard that enables you to Configure Hyper-V Remote Management in Seconds.

Does Windows 2008 Make a Good Desktop OS?

Daniel Anderson — Mon, 17 Nov 2008 23:39:44 +0000

I have been reading quite a lot of posts lately on how effective the performance of Windows 2008 Server is when using it as a Desktop Operating System. Tim has also written and article over at his blog with some interesting points. Now apparently it performs better than Vista SP1 which is something I am going to have to try out on my notebook.

I have a Toshiba M400 Tablet Notebook that currently has Vista SP1 installed and like many other I am not that rapt with the performance so I am going to give Windows Server 2008 a crack and see what the performance difference is like.

Stay Tuned………

Hyper-V SnapShot Files – AVHD and VHD? What The ?

Daniel Anderson — Sun, 16 Nov 2008 22:31:34 +0000

A couple of days ago I wrote about some issues I was having with one of my Hyper-V Virtual Machines and the snapshots that were associated with it causing my System Drive (C Drive) to run out of disk space. From what I was reading if you turn off the Virtual Machine in question a merging process will be conducted and the AVHD Files that are associated with the VHD File will merge together and form one file, a VHD one. This is what I was after.

I was reading and article by “The Virtual PC Guy’s” on Snapshotting under Hyper-V, and I determined that if I deleted the snapshots then the AVHD Files should be merged? But for some reason they did not merge?. Anyway the way to get these files merged to their parent VHD file (for me anyway) was to turn the VM off and just let the merge take place. Now I thought this process would take some time so I scheduled it for Friday night, my VM was a Microsoft Exchange Server, sureley no one would be checking their emails on a Friday Night !

I had 3 AVHD files that I wanted to get rid of, so I turned the VM Off and the “Merge in Progress” appeared in the Hyper-V Manager so I let it run it’s course. About 50 mins later the merge process was complete and 2 of the AVHD Files just VANISHED, great! but there was still one left? So I decided to turn the VM off again and what do you know another Merger was taking place, so again I left this happen and after it had completed the final AVHD File dissappeared and I was left with one VHD File, FANTASTIC!

One thing I learnt from this experience was that the VM writes to the AVHD Files and doesn’t appear to touch the VHD File (Parent File). I think I got myself into this situation because the Snap Shots were not deleted corectly. So now I am going to do some more testing on Hyper-V Snap Shotting and get a better understanding on how this works.

Keep Updated with this and more by SUBSCRIBING to My RSS Feed (The Big Orange Icon on the right), or via email by typing in your email address in the box and I will automatically send you my Blog Posts.

How To Migrate User Home Directories with RoboCopy

Daniel Anderson — Thu, 13 Nov 2008 03:13:38 +0000

Here is a task that most Network Administrators will face at one time or another, moving User Home Directories from one Server to another. We are in the process of organising new Servers for 2009 and these will be Windows Server 2008 and the current Servers are running on Windows 2003 Server Standard Edition. Now currently our Home Folders are individually shared as hidden shares, and I want to move to a convention of a parent shared User Folder with individual folders for each user in there that are not shared.

Now I wanted to explore the PowerShell option to copy from the source server to the destinsation server and keep the NTFS Permissions intact after the copy, as I have previosuly used PowerShell to do a bulk import of users into Active Directory and that woked a treat. I was a bit dissapointed with the PowerShell options using GET-ACL and SET-ACL because I could do individual folders one at a time but that would take forever, and I couldn’t see an easy way to iterate through them….

Enter ROBOCOPY……

Now with ROBOCOPY I can copy all the User Directories that already have the correct NTFS File Permissions set, to the New Windows 2008 Server and keep these permissions in tact. Below is the RoboCopy string that I used.

robocopy.exe \\source_server\share\ C:\Users /E /SEC /COPYALL /V /ETA /TEE /ITEM

Now the thing to consider here is the Share Permissions and the File Permissions of the Parent Folder eg. Users. The Share Permissions that I set were as follows, Domain Admins – Full Control, Staff – Full Control, Students – Read Only. The NTFS (File Permissions) were as follows, Domain Admins, Ent Admins and Staff – Full Control. This will mean that all the new User Accounts that we create after the copy process will inherit these permissions also and Active Directory will assign the user permissions automatically once the Home Directory Path is set in the Profile Tab of the User Account Object.

Eventhough Students have Read Access to the parent share the can’t access it and get the “Access Denied” Message is they try. Meaning that they can’t get into anyone elses Home Directories. The next step was to change the Home Directory path in their Account Profile and Bingo all done.

Hope this helps a few of you out when it comes time to Migrate User Home Directories from one server to another.

Make Sure you SUBSCRIBE to the RSS Feed to keep updated. ALSO I know have a “The Network Administrators Newsletter” so pop your Email Address in the box on the right and get some more great tips, tricks and how – to’s.