Restoring an Active Directory backup to an Azure VM

When backing up Active Directory in your local data center, you usually have control of everything from power and cooling, through networking, to physical machines and hypervisors. This also gives you control of the terminal for your virtual machines. In the Azure cloud however, when installing an IaaS VM, this VM is unavailable during reboot. No console, no terminal, no nothing; until the VM starts responding to services defined by the ports you’ve opened through your endpoints, you’re in limbo.

This isn’t usually a problem, but when doing an Active Directory restore, authoritative or otherwise, console access us often used to force the computer into Directory Services restore mode.

Let me take you through an AD restore in Azure. First of all, here’s my status quo:

I’ve got an OU named BackuptestOU, which I’m deleting

Now for the restore:

  • Open System Configuration (Windows key, type System Configuration)

  • Here’s how it differs from a typical AD restore. Go to the tab Boot and make the following selections

  • Press OK and select Restart
  • Log on with your Domain Services Restore Mode username and password
  • Before starting the Restore, revert boot options. Open system configuration again, and set the options as below to avoid rebooting into Directory Services restore mode after the restore.

  • Open Windows Server Backup and press “Recover”

  • Choose the correct location for your backup (in my case local)

  • Select the point in time you’d like to restore to

  • Select “System State”

  • Select “Original Location” and tick of the checkbox “Perform an Authoritative Restore of Active Directory files

  • Read this warning and confirm this warning by pressing ok

  • Press Recover. I like to have the server reboot automatically, but if you’d like to retain control of the reboot, leave it unticked

  • Select Yes to confirm starting the recovery

  • Wait for the recovery process to complete

  • And last, I demonstrate the AD restore is successful by showing you the OU I deleted. My backup was taken before I moved the last user, which is why there is only one user present.

So I hope this gives you some input on how to manage Active Directory in the Azure cloud. Please feel free to comment any question below.

Making your (Powershell) job work for you

Jobs are a in many ways the key to Powershell multithreading. Having jobs running in the background not only allows you to keep working in your console while your script is silently churning away in the background, but it also lets you run multiple commands or scripts simultaneously executed from console.

When to use jobs

Whenever you’d like to run a command or a scriptblock without locking up your console, or when you’d like to run multiple commands simultaneously. Jobs are “fire and forget” tasks that you don’t review until they’ve completed or failed.

When not to use jobs

When running basic administration tasks where you’re reviewing output or the result of command continuously, or when working with result sets in variables where you’d like to keep reviewing the current value of the variable.

Ways to use jobs

There are two ways of using jobs in Powershell. First of all, many cmdlets have the parameter “-AsJob” to allow them run in the background directly. Alternatively you can use the cmdlet Start-Job to initiate a job with any cmdlet of combination of commands.

-AsJob

Some cmdlets that has the -AsJob parameter are:
Get-WmiObject
Invoke-Command
Invoke-WmiMethod
Remove-WmiObject
Restart-Computer
Set-WmiInstance
Stop-Computer
Test-Connection

If you like to find a more complete list, use the following command.

NB. Keep in mind that you need to load the modules your looking for commands in, in advance. Module autoloading doesn’t work when looking for parameters (Tested with Powershell 5.0 in Windows 10 Technical Preview)

Cmdlets

There are 4 cmdlets that are key to using Powershell jobs:

Start-Job

Starts a background job to execute one or more Powershell commands.

 Get-Job

Collects and lists the running and completed jobs currently in memory

 Receive-Job

Presents the result of a job to screen, or otherwise lets you collect or manipulate the result

 Remove-Job

Removes one or more jobs from memory

 Other useful cmdlets:

Suspend-Job: Pauses a job.
Resume-Job: Resumes a paused job.
Stop-Job: Stops a job.
Wait-Job: Suspends the command prompt until a job is finished, preventing you from making the input.

DHCP Failover and scope changes

The new feature DHCP failover in Windows Server 2012 eliminated the need for DHCP split scope. Awesome, right? It gives you the full scope on both servers and gives you a few other neat features, like load balancing or hot standby.

It’s not perfect though. When changing scope configuration you need to re-activate failover. Run the following command on either the DHCP primary or partner server:

It will replicate changes and activate failover again.

Powershell Port Scanner

Would you like to know what ports are open on a host? With the introduction of Powershell 4.0 there’s a new cmdlet called Test-Netconnection which in it’s simples form basically is ping. It does, however, have some more advanced features, like scanning towards ports on a host.

Here’s a quick and dirty script to scan a single host for single port, or a sequential range of ports.

I have to admit that I miss the -Source switch in “Test-Connection” that allows you to choose where the connection request should originate, but perhaps we’ll see that in Powershell/WMF 5.0?

Techtip: One-liner to get free space

Say you’d like to copy an exuberant amount of data from one server to another and you’re unsure if the target disk has sufficient space. Perhaps you’d simply like to know how much space you’ve got.  There are several way to check this, but here’s one more, and in my opinion the fastest:

Run this one-liner from any computer, and as long as you run it a user context where you have user rights on the server, you will get the amount of free space in GB.

You can also use this a basis for a script listing out renaming space on several computers or several disks on a single server, but that might be the subject for another article!

Working around number ranges limited to 32 bit integers

I head a real brain teaser when working a script earlier today. Basically I was modifying a script which lists out unused phone numbers in a range. It turns out German phone numbers (and any number greater than 2147483647) are incompatible with number ranges. Here’s why, and how to solve it.

When using number ranges, you are limited to signed 32 bit integers (-2147483646 to +2147483647). This is rarely an issue, but when working with untypical numbers, like unformatted phone numbers or the byte value of very large files, it can pose a problem.

This is an example of a range that will work:

This however, won’t work:

The high number is above the max value for a signed 32 bit integer.

Solving required a bit of a hack. To work around this limitation, use a While loop to create an array with the number series you’d like to feed into to your variable. Below is an example:

$Counter is initially set to be the starting number of your range. It will be the control parameter that the While loop uses to check if it’s done working.
$NumberStart is the starting (low) number in you range.
$NumberEnd is the end (high) number in you range
$Array is your range (or it’s equivalent). It gets fed each value from $NumberStart to $NumberEnd. This array will hold 64 bit integers.

 

Solving ReFS integrity bit issues when working with Hyper-V

I was working with Hyper-V and I got the following error:

Export failed for virtual machine ‘webtest01’ (16CED29C-F6B2-4D86-91D1-DDBD635D24C2) with error ‘The requested operation could not be completed due to a virtual disk system limitation. On NTFS, virtual hard disk files must be uncompressed and unencrypted. On ReFS, virtual hard disk files must not have the integrity bit set.’ (0xC03A001A).

The volume I’m working on was an ReFS volume on a Storage Pool located on my test environment. I tried troubleshooting this issue, but there is hardly any good help online. Googling the issue gav me a few obscure Technet references and some rather incomplete blog posts, so this article is a concatenation of the information I found.

List out the files in your “Virtual Hard Disks” folder using this command:

Change the integrity bit on files using this command:

Or, use this one-liner:

I hope this helps shed some light on this issue.

Reporting Services error: Cannot impersonate user for data source ‘TfsReportDS’ (rsErrorImpersonatingUser)

After moving a reporting services database from SQL server 2008r2 to 2012, we had a problem running reports in TFS.

The error was:

An error has occurred during report processing. (rsProcessingAborted)
Cannot impersonate user for data source ‘TfsReportDS’. (rsErrorImpersonatingUser)
Log on failed. Ensure the user name and password are correct. (rsLogonFailed)
For more information about this error navigate to the report server on the local server machine, or enable remote errors

Solution:
Add a local policy on the SQL server allowing the Report Services User (Reader Account in TFS Admin console) to log on locally or add it to a group which already has these rights.

log on locally

 

 

Using Powershell to identify Child Processes

I got a challenge yesterday on how to identify child processes, and googling it led to the conclusion that this is either not a common issue or no one knows the answer.

My issue was this: if a child process locks up or needs to be killed, how do we identify the process using powershell. The thing about finding child processes is that you need to know who their parents are. In fact, you need to use the parent process id (PID) to identify the child.

How does it work?

First choose how to identify the parent process in Powershell. You can usually use ProcessName, Description, Path etc. Then you need to find any process which has the ParentProcessId of it’s parent (obviously)!

Here’s my solution:

$procid = (Get-WmiObject win32_process | where {$_.ProcessName -eq ‘Powershell.exe’} | select processid)
Get-WmiObject win32_process | where {$_.ParentProcessId -eq $id}

This only identifies the child process, what you’d like to do with it afterwards is your call. Nonetheless, this could help you automate some of the tasks you’ve been using Process Explorer to solve until now.

Copy group memberships for AD users

This techtip handles how to copy group memberships from a single user to one or more users in your organization. In order to accomplish this we use only the Active Directory module included in RSAT or available with Windows Server 2012.

In order to copy the group membership to several users, simply add a foreach-loop in the script.

In the last example, the variable $users would typically be populated using the the cmdlet Get-ADUser to pull from AD based on specific criteria, like OU etc.

This script only adds groups, it does not replace existing group memberships.