Windows

All things Windows. Server or Desktop.

Alt Methods to Fix: “The Trust Relationship Between This Workstation and the Primary Domain Failed”

 

For any Windows admin, this error is a familiar sight.

The typical fix, and Microsoft’s recommended resolution, is to log in with a local admin account, join the system to a workgroup, and then rejoin it to the domain.

However, I ran into this blog post a while back which details some cool alternative methods and saved the link in case it should come in handy some day, which it has on several occasions.

DON’T REJOIN TO FIX: The trust relationship between this workstation and the primary domain failed

Basically, he lists two distinct methods for resetting the computer password:

  1. use netdom.exe

netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

< user> = DOMAIN\User format with rights to change the computer password

“Where you get netdom.exe depends on what version of Windows you’re running.”

“On Windows Vista and Windows 7 you can get it from the Remote Server Administration Tools (RSAT).”

Download RSAT for Windows 7 SP1 here

Download RSAT for Windows 8.1 here

You can read some additional notes about this method in the blog post. (link here)

  1. via Powershell

Reset-ComputerMachinePassword [-Credential <PSCredential>] [-Server <String>]

“You can use the Get-Credential cmdlet for a secure way to generate a PSCredential, which can be stored in a variable and used in a script.  You will want to generate a credential for an Active Directory user with sufficient rights to change the computer’s password.  The Server parameter is the domain controller to use when setting the machine account password.”

Here’s a TechNet article on the Reset-ComputerMachinePassword command for additional reference.

-Rick

Create a Windows Security Baseline Group Policy Object with Microsoft Security Compliance Manager (SCM)

Security Compliance Manager (SCM) is a tool that I find extremely useful, especially when preparing for a new Windows OS deployment. And best of all, it’s free!

Included in SCM are Microsoft’s recommended baseline security configurations for just about all of their current Operating Systems, including both desktop and server OSes, as well as some of their flagship applications such as Internet Explorer and Office. You can review and modify these configurations directly in SCM, export the configuration to a GPO Backup folder (as well as to a .cab or .xlsm), and then use that export to create a Group Policy Object to be applied to the appropriate systems in your domain.

I recently used this tool to create a security baseline GPO for Windows Server 2012 R2, so I’ll provide you with the basic steps that I used as a reference.

Please take note that even though the baselines included in SCM are Microsoft’s recommended configurations for security hardening, many of the settings have the potential of having a negative impact on your systems’ performance  and/or your ability to manage them. Because of this I highly recommend taking the time to carefully review and research each setting within a baseline to make sure it will not conflict with any existing policies or procedures in your environment, and making changes as needed.

  1. Download and install Security Compliance Manager 3.0.
  2. In the left pane, expand Microsoft Baselines.
  3. Expand the desired operating system or application version and then select a role. In my case I chose Windows Server 2012 and the basic Member Server Security Compliance role.

SCM1

  1. With the role selected, click on the Duplicate button in the right pane under the Baseline section.

SCM2

  1. Give the duplicate configuration a new name and modify the description if you wish and then click Save.
  2. Your duplicate configuration will show up at the top of the left pane under Custom Baselines, above Microsoft Baselines. Click on it to open the configuration.

SCM3

  1. Take some time to carefully review the configuration settings included in the baseline in the center of the window. You can make changes as needed by clicking on the setting and then modifying the options shown.

SCM4

  1. When you’re finished making any necessary changes, export the configuration by clicking on the GPO Backup (folder) link in the right pane. Be sure to save it somewhere accessible from the system where you manage your domain group policies.

SCM5

  1. Open up the Group Policy Management console and connect to your domain.
  2. Under Forest -> Domains -> MyDomain -> Group Policy Objects, create a new Group Policy Object and name it according to your organization’s GPO naming convention. If you don’t have one, I recommend basing the name off of the baseline configuration you created to distinguish it and make it easier to find, e.g. Windows Server 2012 Security Baseline.
  3. Once created, right-click on the new GPO and click Import Settings…

SCM6

  1. When the Import Settings Wizard appears click Next >.
  2. If you’re attempting to import the configuration settings into an existing GPO rather than with a newly created one, I recommend using the next screen to create a backup of the GPO first. Otherwise, since there are no existing settings to overwrite, click Next > to continue.
  3. Browse to the location of the GPO Backup folder that you exported from SCM earlier and then click Next >.

SCM7

  1. The wizard should detect the baseline in the backup folder and list it in the next window. Click on it and then click Next >.

SCM8

  1. You may get a warning that the backup contains UNC paths. Select Copying them identically from the source and then click Next >.

SCM9

  1. Click Finish to complete the import.

And there you go, you now have a Group Policy Object containing the recommended baseline security settings for your product. From here you can begin linking the GPO to your OUs as needed. I would highly recommend using security filtering and/or a WMI filter to make sure the GPO is only applied to a few select test systems until you’ve gauged how the new settings will impact your environment.

To use my recent experience as an example, I created a security group in Active Directory named Windows Server 2012 GPO Testing, added a single test server to this group, and then added the group to my baseline GPO’s Security Filtering (make sure you also remove Authenticated Users). To be extra careful, I also created a new WMI filter to only return Windows Server 2012 R2 Member Servers and added this to my GPO as well. These help to ensure that my policy will only be applied to servers which are members of my security group, are running Windows Server 2012 R2,  and are not domain controllers, regardless of the OU that I link the policy to in my Active Directory structure.

If you want to create your own custom WMI filter, the process is very simple.

  1. Open the Group Policy Management console and expand Forest -> Domains -> MyDomain -> WMI Filters.
  2. Right-click the WMI Filter container and click New.
  3. Name the new filter appropriately. In my case, I named it Windows Server 2012 Member Server ONLY. Add a description to help others know exactly what your filter does.
  4. Click the Add button to create a new query.
  5. You can leave the namespace as root\CIMv2 and then enter your custom query. To find and return only Windows Server 2012 R2 Member Servers, I used the following query:

select * from Win32_OperatingSystem where Version like “6.3%” and ProductType=”3″

  1. When finished click Save.
  2. You can now use this filter for any GPO that you wish, simply by using the drop-down at the bottom of the Scope tab (same place where you set Security Filtering)

SCM10

For some help creating your own WMI filters, check out the links below.

Create WMI Filters for the GPO

Operating System Version Numbers

-Rick

Outlook Prompts for Autodiscover Credentials Mid-Session

This one is for a very specific and probably uncommon scenario, but it drove me (and everyone else) up a wall and took a ton of man, and Microsoft Support, hours to finally resolve, so hopefully this will save some headaches.

Some background; We were in the middle of a migration to a new Exchange Server that sat on a separate domain from our Windows desktop clients with no trust relationship established (long story). We were successfully able to update our users’ Outlook clients to point to the new server address, and when launched Outlook prompted for authentication credentials to connect. This worked well enough, aside from our users being forced to use different credentials to log into their computers and to access their email, and everything functioned pretty much normally once authenticated. To help streamline the process of opening Outlook by avoiding the login prompt on launch, many of our users took to storing their secondary credentials locally using Windows Credentials Manager.

However, we started getting reports from users who used these cached credentials that they were being frequently prompted while Outlook was open, mid-session, to authenticate with an Autodiscover.domain server address. The Autodiscover address was displayed as being on the same domain as the workstation despite no Exchange Server residing there, and the prompt could be cleared by either hitting cancel or using credentials for the new Exchange Server’s domain. Regardless, the prompt would continue to reappear every few hours.

We were banging our heads against the wall for several days, trying everything we could think of and any suggestion we could find on the web, including wild-carding both domain addresses in Credentials Manager (for example *.contoso.com, to borrow from Microsoft), but absolutely nothing worked. Finally we stumbled upon the somewhat counter-intuitive solution with Microsoft Support’s help.

To prevent the Autodiscover prompt from appearing, we effectively had to bypass the use of cached credentials by forcing the prompt for logon credentials on launch via a setting in the user’s Outlook profile. Instructions for doing this are below.
 
In Outlook 2007:
1. Click Tools -> Account Settings
2. On the E-mail tab, highlight the Microsoft Exchange account and click on the Change button
3. Click the More Settings button
4. Click the Security tab
5. Check the box next to Always prompt for logon credentials
6. Click Apply and then OK
7. Click Next and then Finish

In Outlook 2010:
1. Click File -> Info -> Account Settings
2. On the E-mail tab, highlight the Microsoft Exchange account and click on the Change button
3. Click the More Settings button
4. Click the Security tab
5. Check the box next to Always prompt for logon credentials
6. Click Apply and then OK.
7. Click Next and then Finish.

So, again, this had the effect of forcing the prompt for credentials to connect to the Exchange Server when Outlook is first run, even if credentials are cached for that address. Still an inconvenience but, since most of our users would open Outlook and leave it running in the background, many found a single prompt at first was preferable to periodic prompts throughout the day.

-Rick

WSUS Best Practices

Here’s a very good blog post I came across with some WSUS best practices for anyone else looking to implement WSUS for the first time or review your patching strategies.

http://microsoftguru.com.au/2013/07/19/windows-server-patching-best-practices/

Some highlights:

Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:

1. UAT (UAT1, UAT2, etc)

2. Test Environment (Test1, Test2, etc)

3. Development Environment (Dev1, Dev2 etc)

4. Production (Prod1, Prod2, etc)

If you have clustered environment like SQL, Exchange and SharePoint then create Prod1, prod2 group and place each node on each group. “

System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.”

A scheduled maintenance window must be agreed with business so that application outage and server reboot can maintain a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock then you must consider application dependencies. A patching schedule can be considered in between every Friday of every month at 6:00 P.M. Friday to 6:00 A.M Monday. Setup maintenance window in system center or deadline for WSUS to make sure patches are applied when you want instead of when patch is available. In this way you will have a complete control over change windows approved by change advisory board (CAB). Do not allow end users to update patches on their client machine according to their wishes and happiness! then user will never install any patch. “

Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:

  • A full backup of all databases on the server.
  • A full backup of transaction log and log backup
  • A system state backup of the server.
  • A snapshot of virtualized exchange server. Delete snapshot after successful patching and updating. “

Here are some other useful resources for WSUS:

WSUS Role Installation Fails on Windows Server 2012 R2

I was attempting to add the WSUS role on a Windows Server 2012 R2 system earlier this week and I ran into this error during the installation.

“The request to add or remove features on the specified server failed. the operation cannot be completed because the server that you specified requires a restart.”

After several subsequent reboots and attempts to add the role I continued receiving this same error, so I started doing some research. I got several hits and this appears to be a fairly common issue with Server 2012, specifically when choosing to use the Windows Internal Database (WID).

The issue is that WID relies on the NT SERVICE\MSSQL$MICROSOFT##WID account to start the service, and this account must have Log on as a service rights on the system.

Generally I don’t think this would be an issue, and if it is you should be able to simply use the local Group Policy editor (gpedit.msc) or a domain GPO to grant this account Log on as a service rights by using the following policy setting:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service

Open the Log on as a service setting, check the box to Define these policy settings, and then add NT SERVICE\MSSQL$MICROSOFT##WID

However, to maintain security compliance as we move to Server 2012 R2, a domain Group Policy was recently created using Microsoft’s Security Compliance Manager (I may write a separate post on SCM later) and applied. As part of the Windows Server 2012 Security Baseline, Microsoft adds NT SERVICE\ALL SERVICES to the Deny log on as a service security policy. So because ALL SERVICES is being denied, even after adding MSSQL$MICROSOFT##WID to the Allow log on as a service policy locally, the WSUS role still failed to install for me.

To finally get the WSUS role installation to complete, I had to modify this new domain Group Policy and remove the ALL SERVICES account from the Deny log on as a service policy first, then add NT SERVICE\MSSQL$MICROSOFT##WID to the Log on as a service policy setting locally on the server.

For some more details and a few screenshots of the initial troubleshooting and resolution to this issue, check out one of the blog posts that I came across during my research. WSUS Role failed on Windows server 2012 with error…

You may notice that the blog I linked as well as many others I came across recommend just adding NT SERVICE\ALL SERVICES to the Log on as a service setting. Since Microsoft’s baseline security settings for Server 212 specifically DENIES log on as a service access to ALL SERVICES, I opted to only add the account explicitly required by WID to avoid opening up any more security vulnerabilities than I had to.

I’ll need to go back and take another look at our Server 2012 security policy to see if there’s another way around this while still denying log on as a service access to unneeded service accounts. I guess the easiest (and maybe best) thing to do would be to avoid using WID all-together and instead use a SQL Server instance.

That also leads me to another interesting topic that I’ll probably write another post about down the road. I’m installing WSUS with WID for now for the sake of time, but I may migrate it over to a SQL Server once I can. For a preview of that job, check out Migrate Windows Internal Database to SQL Server.

Links in this post:

 

-Rick

Microsoft Public KMS Client Setup Keys

I always forget to bookmark this link and end up spending a few minutes Googling around for it whenever I need it, so just in case I’m not the only one…

Here is the link to Microsoft’s public KMS client setup keys. Useful for when you have an internal KMS server set up, but need to install the OS from the original installation media. Saves you from needing to scramble around for the activation key that shipped with the media when you’re prompted during setup.

http://technet.microsoft.com/en-us/library/jj612867.aspx

Recreate the Local Group Policy Cache in Windows

Happy Monday!

This is something I ran into a while back and has come in handy on several occasions.

For those who may be unaware (as I was before stumbling upon this trick), Windows maintains a local cache of all the group policy settings that are applied to that particular system. This cache can occasionally become corrupt or de-synchronized with the domain controller, which can cause a variety of issues including failure to apply new group policy settings or changes to existing policies.  When this occurs, the quickest and easiest way that I’ve found to correct it is to clear and recreate this local cache.

To clear the local GPO cache, make sure you can view hidden files and folders and perform the following:

  1. Browse to C:\ProgramData\Microsoft\Group Policy\History (Windows 7 / Server 2008)
  2. Delete all of the contents under the History folder
  3. Open the command prompt and run GPUpdate /force
  4. Reboot the system

I initially came across this while troubleshooting a Windows 7 client that was flat out refusing to apply new Group Policy settings. After ruling out the new GPO itself by checking it for content errors, verifying that it was linked up to the proper OU in Active Directory,  the link order was correct, and security filtering properly configured, I turned to the client for additional troubleshooting. A GPResult confirmed that the new GPO wasn’t being read and, other than some generic group policy errors, the Event Logs proved inconclusive. So I eventually turned to the web and come across this article on the Windows Server TechNet forums where someone mentioned attempting to clear the local GPO cache, which worked like a charm.

Rebuild the Windows WMI Repository

For my first technical post, I’ll try to keep things relatively quick and simple.

Rebuilding the WMI Repository is something that’s pretty well documented in various outlets, including Technet, but it’s been so useful to myself and many of my colleagues that I’d like to share it here.

As mentioned in the linked article: “The WMI Repository “%windir%System32\Wbem\Repository” is the database that stores meta-information and definitions for WMI classes; in some cases the repository also stores static class data as well. If the Repository becomes corrupted, then the WMI service will not be able to function correctly.”

In my personal experience, rebuilding the WMI repository has come in most handy when repairing the SCCM 2007 client after it stops working properly on Windows 7 systems, so if you’re an SCCM Admin and can’t figure out why some of your clients aren’t receiving advertisements, consider giving this a try. I imagine this could also be useful when troubleshooting issues for almost any application or service that relies on WMI. However, please keep in mind that this is generally recommended AS A LAST RESORT because, again from said article, “Deleting and rebuilding the repository can cause damage to the system or to installed applications”, so proceed with caution.

To repair the local WMI repository in Windows:

  1. Open an elevated command prompt
  2. Type net stop winmgmt and hit Enter. This stops the WMI service. (Side note: I’ve had instances where the WMI service is unable to stop after running this command. If this is the case, open the Services applet and set the Windows Management Instrumentation service Startup Type to Disabled and reboot the computer before proceeding)
  3. Use Windows Explorer to navigate to: %systemroot\system32\wbem
  4. Delete or rename the Repository folder (I usually like to add .old to the end of the folder name, so Repository.old)
  5. Return to the elevated command prompt and enter: net start winmgmt (Set the Startup Type back to Automatic for the WMI service first if you disabled it previously)
  6. Enter: cd /d %windir%\system32\wbem
  7. Re-register the dlls by entering: for %i in (*.dll) do RegSvr32 -s %i
  8. Reboot the system

These steps might differ a little bit from what you might find elsewhere, but this process has always worked well for me and my colleagues.

The Technet article that I referenced previously also lists some additional commands that you can run to verify and repair the WMI repository automatically on Windows Vista and above, but I haven’t tested them myself so I can’t vouch for their effectiveness. Those commands are:

  • winmgmt /verifyrepository  checks the WMI repository for consistency
  • Winmgmt /resetrepository – resets the WMI repository back to its initial state after the OS was first installed

So there you have it. This post didn’t turn out nearly as short and concise as I hoped, but this trick is something that I always keep well documented and close at hand, so I hope someone else is able to find it useful.

-Rick