Monthly Archives: November 2013

Repair broken Windows trust relationship between domain controller and client machine

Trust, as the word indicates, means “allow without fear”: the domain controller and the client trust each other through a bond, a secure channel authenticated with the computer account password that both sides hold. The client accepts the security settings, policies and authentication mechanisms deployed by the domain controller, and the domain controller accepts communications from the client machine. If the trust is broken, communication between the domain controller and the client machine fails, typically with the logon message “The trust relationship between this workstation and the primary domain failed”.

There are certain conditions under which the security bond between a client and the domain controller breaks; I would like to share the methods I use to fix the issue.

Better ways to fix Windows trust relationship failures. I cannot say this is a complete solution, but I would like to share the knowledge and effort.

First Method

  1. Disjoin the client machine with the broken trust from the domain.
  2. Search Active Directory Users and Computers for the computer account and delete it. The deletion is not effective immediately; it takes some time to replicate to every domain controller. If the client is rejoined straight away, it may pick up the existing computer account (and its SID) when creating the bond. Note that a delete and rejoin creates a new computer object with a new SID, so group memberships and permissions granted to the old computer account are lost; the third and fifth methods below keep the existing object.
  3. Add the client computer back to the domain.

Second Method

  1. Ensure the client clock is synchronized with the domain controller, otherwise the trust relationship will have issues. The clock cannot be slow or fast by more than the Kerberos maximum tolerance, which is 5 minutes by default; running w32tm /resync on the client corrects it.

Third Method

  1. Search for the computer account in Active Directory Users and Computers, right-click it and choose Reset Account. The computer account password is changed automatically by the client on a fixed period (30 days by default), and the secure channel fails when the password stored on the client no longer matches the one in Active Directory (for example after the client is restored from an old image or snapshot). Resetting the account in Active Directory means the computer must then be rejoined; netdom resetpwd or Reset-ComputerMachinePassword run on the client resets both sides at once without a rejoin.

Fourth Method

  1. Never have duplicate machine names in the same domain, and generalize cloned machines with sysprep so that each clone gets its own SID and its own computer account before it is joined.

Fifth Command Line Method

1)      Find out the domain controller used by the client machine.

        Netdom query dc

        This lists the domain controllers of the domain (netdom requires the Remote Server Administration Tools on a client). echo %LOGONSERVER% shows the one that authenticated the current logon, and nltest /dsgetdc:<domain> locates one even when the machine can no longer log on with a domain account.

2)      Test the trust relationship of the machine using the PowerShell command

Test-ComputerSecureChannel -Server <dc name> -Verbose

  • If the command returns False, proceed to step 3.

3)      Repair the trust relationship of the client machine using the PowerShell command

Test-ComputerSecureChannel -Server <dc name> -Repair -Verbose

  • If the command returns the error “Cannot find the computer account for the local computer from the domain controller”, create a computer account with the client’s name in Active Directory Users and Computers and rerun the PowerShell command.
  • When the local logon is not a domain account, pass one that is allowed to reset the computer account password with -Credential (PowerShell 3.0 and later).
  • If the repair succeeds, the command returns True.
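The command-line method above, put together as one script. This is an added example and not the post’s own code: it runs in an elevated PowerShell (3.0 or later) on the affected client while logged on with a local account, discovers a domain controller with nltest, refuses to touch the account while the clock skew exceeds the Kerberos tolerance, and then repairs the secure channel. The domain name is a placeholder.

```powershell
# Added example (not from the original post): fifth method as a script.
# Run elevated on the client with the broken trust, logged on with a local account.
param(
    [string]$Domain = 'techiesweb.com',   # assumption: replace with your domain
    [int]$MaxSkewSeconds = 300            # Kerberos maximum clock skew, 5 minutes by default
)

function Get-DomainController {
    # nltest uses the DC locator, so it works even when $env:LOGONSERVER is the local machine.
    param([string]$Domain)
    foreach ($line in (nltest /dsgetdc:$Domain 2>&1)) {
        if ("$line" -match '^\s*DC:\s*\\\\(\S+)') { return $Matches[1] }
    }
    throw "Could not locate a domain controller for $Domain"
}

function Test-ClockSkew {
    # A skew beyond the tolerance fails Kerberos before the secure channel is even tried,
    # so it has to be corrected (w32tm /resync) before any repair attempt.
    param([string]$DC, [int]$MaxSkewSeconds)
    $out = w32tm /stripchart /computer:$DC /samples:1 /dataonly 2>&1
    $sample = $out | Where-Object { "$_" -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
    if (-not $sample -or "$sample" -notmatch ',\s*([+-]\d+\.\d+)s') {
        Write-Warning "Could not measure the clock offset against $DC"
        return $null
    }
    $offset = [double]$Matches[1]
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning ("Clock differs from $DC by {0:N1} s (limit $MaxSkewSeconds s); run w32tm /resync first" -f $offset)
        return $false
    }
    return $true
}

function Repair-SecureChannel {
    param([string]$DC, [pscredential]$Credential)
    if (Test-ComputerSecureChannel -Server $DC) {
        Write-Host "Secure channel with $DC is healthy"
        return $true
    }
    Write-Host "Secure channel with $DC is broken; repairing"
    # -Repair resets the computer account password on the client and in AD in one step, so the
    # computer object keeps its SID and group memberships (unlike deleting and rejoining).
    $ok = Test-ComputerSecureChannel -Server $DC -Repair -Credential $Credential -Verbose
    if (-not $ok) {
        Write-Warning 'Repair failed; trying an explicit machine password reset'
        Reset-ComputerMachinePassword -Server $DC -Credential $Credential
        $ok = Test-ComputerSecureChannel -Server $DC
    }
    return $ok
}

$dc = Get-DomainController -Domain $Domain
if ((Test-ClockSkew -DC $dc -MaxSkewSeconds $MaxSkewSeconds) -eq $false) { exit 1 }
$cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
if (Repair-SecureChannel -DC $dc -Credential $cred) {
    nltest /sc_verify:$Domain               # independent confirmation of the secure channel
} else {
    Write-Warning 'Repair failed: check that the computer account exists in Active Directory'
}
```

If the offset cannot be measured (for example the Windows Time service is stopped), the script warns and still continues; only a measured skew above the limit stops it, because a password reset against a DC that rejects Kerberos for clock reasons will not help.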


How to install and enable Remote Server Administration Tool in Windows 8 and 8.1

Remote Server Administration Tools (RSAT) include several command-line utilities that help administrators investigate problems with client computers. By default they are not installed or enabled.

Download the appropriate version of Remote Server Administration Tools from the Microsoft website:

Remote Server Administration Tool Windows 8

Remote Server Administration Tool Windows 8.1

Steps Involved

  1. Download and install the Microsoft package.
  2. Reboot the machine.
  3. Open Control Panel, select Programs and Features and click Turn Windows features on or off.
  4. Expand Remote Server Administration Tools, check the appropriate tools and click OK.

    Example:

    With the AD DS tools enabled, the netdom command is now recognized and available for administration.
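The same installation done from PowerShell, as an added example that is not part of the original post. The path in $msu is a placeholder for the package downloaded from the links above, and because the RSAT optional-feature names differ between Windows 8 and 8.1, the script discovers them by their common prefix instead of hard-coding them.

```powershell
# Added example (not from the original post): install the RSAT package and enable the AD DS tools.
$msu = Join-Path $env:USERPROFILE 'Downloads\RSAT.msu'   # assumption: rename to the downloaded file

# Install the update package silently; exit code 3010 means a reboot is still required.
$p = Start-Process -FilePath wusa.exe -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw "wusa.exe failed with exit code $($p.ExitCode)" }

# Everything the package added shows up as optional features (Turn Windows features on or off).
$rsat = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'RemoteServerAdministrationTools*' }
$rsat | Sort-Object FeatureName | Format-Table FeatureName, State -AutoSize

# Enable only the AD DS tools (ADUC snap-in, netdom, dsquery, ...); -All turns on their parents too.
$adds = $rsat | Where-Object { $_.FeatureName -like '*Roles-AD-DS*' -and $_.State -ne 'Enabled' }
foreach ($f in $adds) {
    Enable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -All -NoRestart | Out-Null
}

# Check: netdom.exe is now available
Get-Command netdom.exe -ErrorAction SilentlyContinue | Select-Object Name, Source
```

Enabling only the tools you need keeps the management surface of the workstation small; the listing printed by Get-WindowsOptionalFeature shows the exact names if you want a different subset.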

Windows Shadow command to interact/connect with a user Remote Desktop Session

Purpose of Shadow Utility

This Windows feature allows a remote (RDP) user to interact with another remote user’s session on the same server. Shadowing lets both users view and interact with the remote desktop session. The shadow.exe command used below exists up to Windows Server 2008 R2; Windows Server 2012 dropped session shadowing, and Windows 8.1 and Windows Server 2012 R2 reintroduced it through mstsc.exe /shadow and Server Manager, as described further down.

For example: if you do not have GoToMeeting or WebEx to call the user into a meeting, and the user has little bandwidth, shadow the user’s remote desktop session to see the problem the user is facing, view the issue and recommend the fix.

Shadow Remote Desktop Session on the terminal server

Scenario with two users, O and M, where O wants to shadow M’s Remote Desktop session.

  1. Both users log on to the terminal server using Remote Desktop Connection.
  2. User O opens Windows Task Manager (Users tab) and identifies the session name or session ID used by M.
  3. User O opens a command prompt with Administrator privileges and enters the command “shadow rdp-tcp#0” (M’s session name; the session ID works as well).
  4. User M is prompted to allow access for O; after access is granted, M’s session is shadowed.

Remote desktop shadow command line in Windows 8.1

An administrator can also run the following command line from a machine with the Windows 8.1 version of mstsc.exe; the session host must be Windows 8.1 or Windows Server 2012 R2.

mstsc.exe [/shadow:sessionID [/v:Servername] [/u:[Username]] [/control] [/noConsentPrompt]]

  /shadow:ID          Starts shadowing the session with the specified session ID.
  /v:servername       Server hosting the session; if not specified, the current server is used.
  /u:username         If not specified, the currently logged on user is used.
  /control            Take control of the session; if not specified, the session is only viewed.
  /noConsentPrompt    Attempts to shadow without prompting the shadowee to grant permission.

Whether view-only or full control is possible, and whether the user’s consent can be skipped, is governed by the Remote Desktop Session Host Group Policy setting “Set rules for remote control of Remote Desktop Services user sessions”. By default the user must consent, so /noConsentPrompt fails unless that policy allows control without the user’s permission. Shadowing also requires administrative rights on the session host by default.

Before running mstsc.exe /shadow, the administrator must already know the user’s session ID, found with another tool such as qwinsta.exe (query session, described below).

Shadow desktop of users using Windows Server 2012 R2 Remote Desktop Services

In Server Manager select Remote Desktop Services, open the collection, right-click the user’s connection and select Shadow.



Query Remote Desktop Session details using the command line

query session [<SessionName> | <UserName> | <SessionID>] [/server:<ServerName>] [/mode] [/flow] [/connect] [/counter]

query session is the same tool as qwinsta.exe.

Parameter             Description
<SessionName>         Specifies the name of the session that you want to query.
<UserName>            Specifies the name of the user whose sessions you want to query.
<SessionID>           Specifies the ID of the session that you want to query.
/server:<ServerName>  Identifies the RD Session Host server to query. The default is the current server.
/mode                 Displays current line settings.
/flow                 Displays current flow-control settings.
/connect              Displays current connect settings.
/counter              Displays current counters information, including the total number of sessions created, disconnected, and reconnected.
/?                    Displays help at the command prompt.
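Putting the two previous sections together: the script below resolves a user’s session ID from qwinsta (query session) output and starts mstsc.exe /shadow against it. It is an added example, not code from the original post. The parser takes the column positions from the qwinsta header line, so a disconnected session with an empty USERNAME or the listener with an empty SESSIONNAME does not shift the fields. The sample output and the names in it are constructed for offline testing; TS01 is a placeholder server name.

```powershell
# Added example (not from the original post): find a session ID with qwinsta and shadow it.

function ConvertFrom-QwinstaOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME\s+USERNAME\s+ID\s+STATE' } | Select-Object -First 1
    if (-not $header) { throw 'Unrecognised qwinsta output (no header line)' }
    $userCol  = $header.IndexOf('USERNAME')
    $stateCol = $header.IndexOf('STATE')
    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Length -lt $stateCol) { continue }
        # '>' marks the caller's own session
        $sessionName = $line.Substring(0, $userCol).TrimStart('>').Trim()
        # USERNAME and ID share the region up to STATE; a session without a user yields one token
        $tokens = $line.Substring($userCol, $stateCol - $userCol).Trim() -split '\s+'
        if ($tokens.Count -eq 2) { $user = $tokens[0]; $id = $tokens[1] }
        elseif ($tokens.Count -eq 1 -and $tokens[0] -match '^\d+$') { $user = ''; $id = $tokens[0] }
        else { continue }
        [pscustomobject]@{
            SessionName = $sessionName
            UserName    = $user
            Id          = [int]$id
            State       = ($line.Substring($stateCol).Trim() -split '\s+')[0]
            IsCurrent   = $line.StartsWith('>')
        }
    }
}

function Get-UserSessionId {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Server = $env:COMPUTERNAME,
        [string[]]$QwinstaOutput                      # captured output, instead of calling qwinsta
    )
    if (-not $QwinstaOutput) { $QwinstaOutput = qwinsta /server:$Server 2>&1 | ForEach-Object { "$_" } }
    $match = ConvertFrom-QwinstaOutput -Lines $QwinstaOutput |
        Where-Object { $_.UserName -ieq $UserName -and $_.State -eq 'Active' } |
        Select-Object -First 1
    if (-not $match) { throw "No active session for $UserName on $Server" }
    return $match.Id
}

function Start-SessionShadow {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Server = $env:COMPUTERNAME,
        [switch]$Control                              # omit for view-only
    )
    $id = Get-UserSessionId -UserName $UserName -Server $Server
    $mstscArgs = @("/shadow:$id", "/v:$Server")
    if ($Control) { $mstscArgs += '/control' }
    # /noConsentPrompt is deliberately not used: the user is asked for permission, which is
    # what the default "Set rules for remote control" policy requires anyway.
    Start-Process -FilePath mstsc.exe -ArgumentList $mstscArgs
}

# Constructed sample in qwinsta's layout (not a real capture)
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           o.admin                   1  Active
 rdp-tcp#0         m.user                    2  Active  rdpwd
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

ConvertFrom-QwinstaOutput -Lines $sample | Format-Table -AutoSize
Get-UserSessionId -UserName 'm.user' -QwinstaOutput $sample
# Start-SessionShadow -UserName 'm.user' -Server 'TS01' -Control    # real run; TS01 is a placeholder
```

Only Active sessions are considered, because a disconnected session has no desktop to shadow; if the same user has several active sessions, the first one listed is used.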

The User Profile Service service failed the logon, user profile cannot be loaded

After enabling disk quotas on one of the servers, users were unable to log on; disabling the disk quota allowed them to log on again.

Searching for the cause, we discovered the quotas were also applied to the system accounts, which prevented those accounts from functioning correctly: the disk usage of the system accounts was far above the quota limit we had set, causing the failures.

The solution is to give the system accounts a quota entry with no limit, which allows them to work properly while keeping the limit for ordinary users.

Step-by-Step Remote Desktop Connection Broker installation in Windows 2012 – Page 5

Step (5), Testing the RDCB and RDW deployments

This page explains the test process for the deployment of RDCB, RWA and RDSH.

Open Remote Desktop Connection, connect to rdfarm.techiesweb.com and log in with a domain user account.

The sessions can be viewed under Connections in the Remote Desktop Services overview.

Open the RWA URL, in my case https://meow.techiesweb.com/RDWeb, and log in with a domain account.

The published RemoteApps are listed; select Calculator.

Connecting to the RDSH server.

The app opens.

Step-by-Step Remote Desktop Connection Broker installation in Windows 2012 – Page 4

Step (4), Publish RemoteApps in RDW

This page explains the steps to publish RemoteApp programs in Remote Web Access.

Choose Overview of Remote Desktop Services

Select the rdfarm.techiesweb.com collection, select Tasks and then Publish RemoteApp Programs.

Choose the applications to publish and click Next

Click Publish

Progressing…

Completed, click Close.

Step-by-Step Remote Desktop Connection Broker installation in Windows 2012 – Page 3

Step (3), Create a new collection for the new broker farm

This page explains the creation of a session collection for RDCB.

Choose Overview of Remote Desktop Services

Select Create Session Collection

Click Next

Provide the details and click Next

Choose the RDSH servers involved in this collection.

Grant access to the appropriate user groups. The default is Domain Users; a dedicated group restricts the session hosts to the users who actually need them.

I have unchecked “Enable user profile disks” and clicked Next.

Click Create

Creation of the collection “rdfarm.techiesweb.com” succeeded.

Step-by-Step Remote Desktop Connection Broker installation in Windows 2012 – Page 2

Step (2), Installation of RDCB, RDSH and RDW

This page explains the installation procedure for RDCB, RDSH and RWA.

Select Add Servers.

Add the 3 servers, MeoW, NeigH and WooF, to Server Manager; this eases the management.

The 3 servers are added and listed under Server Groups.

Select Add Roles and Features

Click Next

Select Remote Desktop Services installation.

Select Standard deployment

Select Session-based desktop deployment.

Click Next

Choose RD Connection Broker server

Choose RD Web Access server

Choose RD Session Host servers

Select Restart and Click Next

Installation progressing

Completed without errors

Remote Desktop Services – Overview

Step-by-Step Remote Desktop Connection Broker installation in Windows 2012 – Page 1

Remote Desktop Connection Broker load-balances RDP session connections across the terminal servers and reconnects users to their existing sessions; it improves performance and disaster planning for the terminal servers, publishes apps based on permissions, restricts user access to the terminal servers and provides monitoring.

RDCB – Remote Desktop Connection Broker; maintains the session database and manages the sessions.
RDSH – Remote Desktop Session Host servers.
RDW – Remote Desktop Web Access (also written RWA below); published applications accessible through a web URL.

Design diagram that I used for RDCB testing

The entire process is divided into 5 areas:

  • Round Robin – DNS host entry creation for RDSH.
  • Installation of RDCB, RDSH and RDW.
  • Create new collection pool for the new broker farm.
  • Publish Remote Apps in RDW.
  • Testing the RDCB and RDW deployments.

Step (1), Round Robin – DNS host entry creation for RDSH

This section explains the creation of round-robin DNS entries for the RDSH servers.

Create new DNS host (A) records that point only to the RDSH hosts. Here I used the farm name “rdsfarm.techiesweb.com”, which points to NeigH and WooF:

Rdsfarm.techiesweb.com <ip address of NeigH>
Rdsfarm.techiesweb.com <ip address of WooF>
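The five pages of this series as one script, using the DnsServer and RemoteDesktop PowerShell modules shipped with Windows Server 2012. This is an added example and not the post’s own configuration: the farm name and the server names MeoW, NeigH and WooF come from the post, while the FQDNs, IP addresses, the DNS server name, the NetBIOS domain name and the “RDS Users” group are assumptions. Run it on the Connection Broker as a domain administrator.

```powershell
# Added example (not from the original post): DNS round robin, deployment, collection,
# RemoteApp publishing and verification from PowerShell.
Import-Module DnsServer
Import-Module RemoteDesktop

$domain       = 'techiesweb.com'
$dnsServer    = "dc01.$domain"                    # assumption: the AD-integrated DNS server
$broker       = "meow.$domain"                    # RDCB and RDW on the same server, as in the post
$webAccess    = $broker
$sessionHosts = @("neigh.$domain", "woof.$domain")
$hostAddress  = @{ "neigh.$domain" = '10.0.0.11'; "woof.$domain" = '10.0.0.12' }   # assumed addresses
$farm         = 'rdsfarm'                         # rdsfarm.techiesweb.com

# Step 1: round-robin A records for the farm name, pointing only at the RDSH servers.
# A client lands on any RDSH; the broker then redirects it to its existing session.
foreach ($h in $sessionHosts) {
    Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $domain -Name $farm -IPv4Address $hostAddress[$h]
}

# Step 2: standard, session-based deployment of RDCB, RDW and RDSH
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $webAccess -SessionHost $sessionHosts

# Step 3: session collection; restrict it to a dedicated group instead of the default Domain Users
New-RDSessionCollection -CollectionName $farm -SessionHost $sessionHosts -ConnectionBroker $broker -CollectionDescription 'RDCB test farm'
Set-RDSessionCollectionConfiguration -CollectionName $farm -UserGroup 'TECHIESWEB\RDS Users' -ConnectionBroker $broker   # assumed group

# Step 4: publish Calculator as a RemoteApp in RD Web Access
New-RDRemoteApp -CollectionName $farm -DisplayName 'Calculator' -FilePath 'C:\Windows\System32\calc.exe' -ConnectionBroker $broker

# Step 5: verify the deployment
Resolve-DnsName "$farm.$domain" -Type A | Format-Table Name, IPAddress -AutoSize
Get-RDServer -ConnectionBroker $broker | Format-Table Server, Roles -AutoSize
Get-RDRemoteApp -CollectionName $farm -ConnectionBroker $broker | Format-Table DisplayName, FilePath -AutoSize
Get-RDUserSession -ConnectionBroker $broker -CollectionName $farm | Format-Table UserName, HostServer, SessionState -AutoSize
```

Resolve-DnsName should return both RDSH addresses for the farm name and none for the broker; if the broker’s address shows up there, clients may hit it directly instead of being brokered.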

Create bulk users in Active Directory using .CSV format and PowerShell

Bulk user creation in Active Directory can be completed with a .CSV import; the steps follow.

Create a .CSV file with the details; an example is given below. This sheet is filled with test user account details to be created in Active Directory.

Column headers must match New-ADUser parameter names so that Import-Csv can bind them by property name: Name = account name, GivenName = first name, SamAccountName = logon account, Description, Department, Path = distinguished name of the OU in which to create the accounts. A password column (UserPassword here) is not bound this way, because New-ADUser takes the password through -AccountPassword as a SecureString.


Run PowerShell as Administrator and execute the command

Import-CSV <path to the .csv file> | New-AdUser


New-ADUser creates accounts disabled by default. The account password must meet the domain complexity requirements; otherwise the account cannot be enabled until it is reset with a compliant password.
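A version of the import that also sets the password and enables the account, as an added example that is not the post’s own command. It maps the CSV columns described above explicitly, passes the password as a SecureString, forces a password change at first logon, and reports rows that fail the domain’s password policy instead of stopping. The CSV rows below are constructed sample data; the OU and the domain suffix are assumptions.

```powershell
# Added example (not from the original post): bulk user creation with explicit column mapping.
Import-Module ActiveDirectory

# Constructed sample data in the column layout described above (not real accounts)
$csv = @'
Name,givenName,SamAccountName,Description,Department,Path,UserPassword
Test User1,Test,tuser1,Test account,IT,"OU=Test Users,DC=techiesweb,DC=com",Sample-P@ss1-change
Test User2,Test,tuser2,Test account,IT,"OU=Test Users,DC=techiesweb,DC=com",Sample-P@ss2-change
'@

function New-BulkADUser {
    # -WhatIf on this function propagates to New-ADUser, giving a dry run of the whole file.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    process {
        $params = @{
            Name                  = $Row.Name
            GivenName             = $Row.givenName
            SamAccountName        = $Row.SamAccountName
            UserPrincipalName     = "$($Row.SamAccountName)@techiesweb.com"   # assumed UPN suffix
            Description           = $Row.Description
            Department            = $Row.Department
            Path                  = $Row.Path
            AccountPassword       = (ConvertTo-SecureString $Row.UserPassword -AsPlainText -Force)
            Enabled               = $true     # fails for the row if the password breaks the domain policy
            ChangePasswordAtLogon = $true     # the CSV password is only an initial, one-time secret
        }
        try {
            New-ADUser @params -ErrorAction Stop
            "Created $($Row.SamAccountName)"
        } catch {
            Write-Warning "Failed for $($Row.SamAccountName): $($_.Exception.Message)"
        }
    }
}

$csv | ConvertFrom-Csv | New-BulkADUser -WhatIf          # dry run on the sample; drop -WhatIf to create
# Import-Csv .\users.csv | New-BulkADUser                 # the real file; delete it once the import is done
```

The CSV holds plaintext initial passwords, so treat the file as a secret: keep it off shared drives and remove it after the import. Forcing a change at first logon limits how long those values matter.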