10/10/15

Windows 10 - initial research


Where do I start?!
Gartner's "Ten Things You Need to Know About Windows 10 for a Successful PC Deployment" for IT managers or executives (PDF).

The New User Experience with Windows 10 from Microsoft Ignite in May of 2015 (1 hour video).

Minasi's Guide to Managing Windows 10: New Windows, New Tools (a hilarious 1 hour video covering a lot of ground for IT Pros)

If you have a large amount of unstructured time in your life, you may enjoy perusing the entire collection of Windows 10 videos from the May, 2015 Microsoft Ignite conference.

You've upgraded to 10, hard drive crashed, and are now reinstalling.  Where's the product key?!
According to this report, when Windows 7 or 8 is upgraded to 10, your new product key is kept in the Windows Store account associated with your Windows account, so if a complete reinstall is needed, you won't be prompted for a product key.

What's in it for the end user?
Coming from Windows 7, this is a downgrade.  The UI is ugly and WindowBlinds isn't available yet.  Also, it has bugs...for example, as of 10/10/2015 the "Enable shortcut underlines" accessibility setting in Control Panel doesn't stay "On" when you try to change it from "Off".

Coming from Windows 8.1, this is an upgrade.  You get the "Start" menu back.

Microsoft's decision to abandon the UI options in Windows 7 (transparency, detailed and colorful icons) will result in continued loss of market share to Apple in the consumer space.

What's in it for the IT manager?

Not much...yet.  Windows 10 is laying a foundation for future growth and as such, it's not very pretty at the moment.  You could say that it's basically Windows 8.1 with a better engine, a Start Menu, and better integration with Microsoft's $16,000,000,000 Azure cloud investment.  Someday (I hope!) Windows 10 will be really nice.  Microsoft's vision of the future is that Azure + Windows 10 will offer the most secure and manageable tools for your company's digital assets.

How do you deploy this to 50 computers in a small business?
  • Here's a TechNet write-up explaining how to use the Microsoft Deployment Toolkit for that.
  • Alternatively, you could just download the ISO, mount and share it on your file server, then walk to each desktop and run an in-place upgrade that way.

9/24/15

EMC 2010: The attempt to connect to using "Kerberos" authentication failed.

Last weekend I couldn't launch the EMC on an SBS 2011 server:



The solution?  The MSExchangePowerShellAppPool wasn't running.  Thank you, TechNet blog.


Invalid DNS server prevents RDP connections

A headless Hyper-V core server in my lab wouldn't accept RDP connections because it couldn't authenticate the incoming username due to an invalid DNS configuration on its NIC.

Connecting a monitor and keyboard would've been too easy

A remote Powershell session (authenticated as the server's local administrator) worked...

Enter-PSSession -ComputerName COMPUTER -Credential USER

...but sconfig wouldn't run.

Fear not, you can see your entire network configuration by running netsh dump.  To set the primary DNS server to 1.1.1.1 on my Server 2012 R2 host with a network interface called "vEthernet (External_Internal)":

netsh interface ip set dnsservers "vEthernet (External_Internal)" static 1.1.1.1 primary
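
As an added example (not from the original post), here is the same fix done from inside that remote session, with a check before and after. It runs as the local administrator, so it doesn't depend on the broken DNS, and it only swaps in the new resolver if that server can actually locate a domain controller. The interface alias is the one from the post; the domain corp.example.com and the DNS server 192.0.2.10 are placeholders.

```powershell
# Added example, not from the original post: run inside the Enter-PSSession
# above (authenticated as the local administrator, so it does not depend on
# the broken DNS). It checks whether the NIC's current resolvers can find a
# domain controller, and only swaps in the new server if that one can. The
# interface alias is the one from the post; the domain corp.example.com and
# the DNS server 192.0.2.10 are placeholders.
$Alias   = 'vEthernet (External_Internal)'
$Domain  = 'corp.example.com'
$GoodDns = '192.0.2.10'

function Test-DcLocator {
    param([string]$DomainName, [string[]]$DnsServer)
    # Domain members locate DCs through this SRV record. If the resolver on
    # the NIC cannot answer it, the host cannot validate domain logons, which
    # is why RDP rejected the username while remoting as a local account worked.
    $name = "_ldap._tcp.dc._msdcs.$DomainName"
    try {
        $answers = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop
        $dcs = @($answers | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
        [pscustomobject]@{ Resolver = ($DnsServer -join ', '); Found = ($dcs.Count -gt 0); DCs = $dcs; Error = $null }
    } catch {
        [pscustomobject]@{ Resolver = ($DnsServer -join ', '); Found = $false; DCs = @(); Error = $_.Exception.Message }
    }
}

# What the NIC uses now, and whether those servers work
$current = (Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses
Test-DcLocator -DomainName $Domain -DnsServer $current | Format-List

# Change the NIC only if the candidate server actually resolves the domain
$check = Test-DcLocator -DomainName $Domain -DnsServer $GoodDns
if ($check.Found) {
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $GoodDns
    Clear-DnsClientCache
    nltest "/dsgetdc:$Domain"          # end-to-end DC locator test, not just the SRV lookup
} else {
    Write-Warning "Leaving DNS alone: $GoodDns could not resolve $Domain ($($check.Error))"
}
```

The netsh one-liner above does the same job as Set-DnsClientServerAddress; the point of the wrapper is the SRV lookup, which tells you whether the new resolver will fix logons before you commit to it.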

9/12/15

When your domain controller has been offline for > 60 days

When trying to demote a domain controller which had been powered off for several months, I ran into this error:


Also, the new domain controller that I'd just spun up couldn't access the NETLOGON share.

DCDIAG had this warning:



The DFS replication event log had this warning, with instructions that don't work:


Thankfully, this blog post explained what to do (all on one line):

wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=200
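
The same change from PowerShell, as an added example rather than something from the original post: it reads the value back before and after so you can see it took, and reminds you to put the default back once SYSVOL is healthy. Run it elevated on the DC that is refusing to replicate.

```powershell
# Added example, not from the original post: the same MaxOfflineTimeInDays
# change via the DFSR WMI class, with a read-back before and after, and the
# restore step afterwards. Run elevated on the DC whose SYSVOL replication
# is stuck.
$Namespace = 'root\microsoftdfs'

function Get-DfsrMaxOfflineDays {
    (Get-WmiObject -Namespace $Namespace -Class DfsrMachineConfig).MaxOfflineTimeInDays
}

function Set-DfsrMaxOfflineDays {
    param([int]$Days)
    if ($Days -lt 1) { throw "Days must be positive" }
    $cfg = Get-WmiObject -Namespace $Namespace -Class DfsrMachineConfig
    $cfg.MaxOfflineTimeInDays = $Days
    [void]$cfg.Put()                       # commit the change
    Get-DfsrMaxOfflineDays                 # read back what is now stored
}

"Before: $(Get-DfsrMaxOfflineDays) days (the default is 60)"
"After:  $(Set-DfsrMaxOfflineDays -Days 200) days"
Restart-Service -Name DFSR                 # pick the new value up now rather than at the next poll

# Watch the DFS Replication log for the replicated folder coming back. Once
# SYSVOL is healthy, put the limit back: it exists so a member that has been
# away longer than that cannot rejoin and replicate stale content.
#   Get-WinEvent -LogName 'DFS Replication' -MaxEvents 20 | Format-Table TimeCreated, Id, Message -Wrap
#   Set-DfsrMaxOfflineDays -Days 60
```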

4/18/15

Auditing changed / deleted files on Windows 2008 R2, 2012, or 2012 R2

What

This is the story of using Powershell via Scheduled Task to audit files that are remotely modified, deleted, renamed, or moved on a file server running Microsoft Windows Server 2008 R2, 2012, or 2012 R2.  It's been tested via Windows 7 and 2012 R2.



Why

Auditing (metaphorically) positions your finger closer to the pulse of a file server, helps assist users who've misplaced files, and serves up the answer when a manager asks "Who deleted it?"

There are commercial auditing solutions (Lepide, NetWrix).  That said, this project helped me:
  • Learn about Powershell
  • Build awareness of security auditing on Windows servers
  • Fill my evenings for 4 months after putting the baby to bed

Further reading

Lessons learned

  • Windows Event Logs are memory-mapped: the Event Log service maps the .evtx file into its address space, so the pages it touches stay cached in RAM.  SysInternals' RAMmap tool (download) (introduction) lets you see which files are mapped.

  • Get-EventLog is much faster than Get-WinEvent, but doesn't offer an easy way to convert events to XML, nor does it read offline event log files.

  • Puzzled that my script only uses 25% of my quad-core CPU, I learned that it runs single-threaded - it's using 100% of a single core.

  • The script chewed up massive amounts of RAM until I learned to use the Powershell pipeline.

  • To count the event IDs in the Security log and list the most common first:
    Get-EventLog -LogName Security | Group-Object EventID -NoElement | Sort-Object Count -Descending

How to deploy

  • First, enable auditing via group policy.  Don't be distracted by the nine categories you see first under Audit Policy; they date from Server 2003 and will generate far more events than you need.  Use the Advanced Audit Policy Configuration instead.  Be aware that once any advanced audit policy setting is applied, Windows ignores the legacy category settings you may have enabled in the past.
  • On Server 2012 R2, enable Audit File System - Success.

  • On Server 2012 and 2008 R2, you also need Audit Handle Manipulation - Success in order to get event 4656 "Handle requested".

  • Target the policy to just the selected server(s) via the GPO's Security Filtering.  In this example, a single domain controller also serves as a file server.


  • Second, enable auditing on the folder(s) of interest:

    Audit Success by Domain Users for these three rights:

    Read attributes............for renamed files/folders (the follow-up event carries the new name).
    Create files / write data..for modified files.
    Delete.....................for deleted files/folders.

    If you don't care about auditing renamed folders, you can dramatically reduce the quantity of logged events by creating two auditing entries: one which audits all three rights shown above and applies to files only, and a second which audits only the last two and applies to folders only.  Read attributes on folders fires on every directory listing, which is where most of the noise comes from.

    You'll probably want to turn off some default auditing for high-traffic system folders.  For example, the c:\windows\system32\dhcp folder has auditing enabled by default and it'll nearly drown you in events all by itself.

  • Third, set a max size for the security event log (I use 128MB), set it to archive itself when full, and observe (or change) the folder where saved logs reside...set the script's $LogPath variable accordingly.

  • Create a folder called C:\Audit
  • Create a folder called C:\Audit\File-Audit-Reports
  • Save the script as C:\Audit\Monitor-File-Server-Activity.ps1

  • Create a scheduled task to run it every day at 11:45pm.
schtasks /create /ru SYSTEM /tn "Monitor file server activity" /sc daily /tr "Powershell.exe -nologo -noprofile -noninteractive -ExecutionPolicy Bypass -File C:\Audit\Monitor-File-Server-Activity.ps1" /ST 23:45

  • Place the command line version of 7-Zip in the same directory as the saved event logs.
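
The folder SACL and Security log settings from the steps above, as an added PowerShell example (not part of the original write-up or the TechNet script). It assumes the share lives at D:\Shares\Data, the domain is CONTOSO, and archived logs go to the default location; run it elevated, since writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example, not from the original post: apply the two audit entries and
# the Security-log size/archive settings described above, then show the
# effective audit policy. Assumptions: share at D:\Shares\Data, domain
# CONTOSO, default archive folder. Run elevated.
$Folder    = 'D:\Shares\Data'
$Principal = 'CONTOSO\Domain Users'
$LogBytes  = 128MB

function Add-FileServerAuditRules {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path -Audit            # -Audit pulls the SACL, not just the DACL

    # Files only: ReadAttributes (renames), CreateFiles/WriteData (modifications), Delete.
    # ObjectInherit + InheritOnly is what the GUI calls "Files only".
    $files = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, 'ReadAttributes,CreateFiles,Delete',
        'ObjectInherit', 'InheritOnly', 'Success')

    # This folder and subfolders: skip ReadAttributes, which fires on every
    # directory listing; keep CreateFiles (new entries) and Delete.
    $dirs = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, 'CreateFiles,Delete',
        'ContainerInherit', 'None', 'Success')

    $acl.AddAuditRule($files)
    $acl.AddAuditRule($dirs)
    Set-Acl -Path $Path -AclObject $acl
    # Return what is now on the folder so it can be eyeballed
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AuditFlags
}

function Set-SecurityLogArchive {
    param([long]$MaxBytes)
    # Archive (auto-backup) when full instead of overwriting; /ab:true requires /rt:true.
    wevtutil sl Security /ms:$MaxBytes /rt:true /ab:true
    # Show the settings that matter, including where the archived copies land
    wevtutil gl Security | Where-Object { $_ -match 'logFileName|maxSize|autoBackup|retention' }
}

Add-FileServerAuditRules -Path $Folder -Identity $Principal
Set-SecurityLogArchive -MaxBytes $LogBytes

# The GPO sets the subcategories; confirm what is actually in effect on this server
auditpol /get /category:"Object Access"
```

The GPO remains the right place to set the subcategories; the auditpol call at the end is there to confirm the policy landed on the file server before you start waiting for 4663 events that never come.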

Pseudo code

Backup and clear the Windows Security Event Log.
For Each (security event log that was modified today)
  Import selected events (4656, 4659, 4660, 4663), oldest first
  For Each (imported event from the log file)
    Convert the event data to XML and pull out HandleId, ObjectName and AccessMask
    If Event ID = 4656 (handle requested):
      The object still exists (not deleted yet).
    If Event ID = 4663 and AccessMask includes DELETE (0x10000):
      The object was deleted, overwritten, moved, or renamed - hold it in the "maybe" list.
    If Event ID = 4663 and AccessMask includes WriteData (0x2):
      The object was modified.
    If Event ID = 4663 and AccessMask includes ReadAttributes (0x80):
      An extremely common event.
      If it follows a DELETE on the same handle, the object was moved or renamed (this event carries the new name).
    If Event ID = 4659 (handle requested with intent to delete):
      The object was deleted.
    If Event ID = 4660 (object deleted):
      The object was deleted (match the handle ID to the earlier 4663).
    Review the revolving list of "maybe" deleted objects -
    decide if they were actually deleted, or just overwritten.
Create a report in CSV and HTML.
Compress the security event logs with 7-Zip (saves about 95% of the disk space).
Delete compressed logs older than a specified age.

Observations that the script is based on

Created/modified:
- Double 4663 event w/ access mask "Delete" indicates a file created.
- Single 4663 event w/ access mask "Delete" indicates a file modified.
- Single 4663 event w/ access mask "0x2" indicates a file was modified.

Deleted:
- Single 4663 event w/ access mask "Delete", followed by event 4660 w/ the same handle ID.
- Single 4659 event.

Renamed/Moved:
- Single 4663 event w/ access mask "Delete" followed by another 4663 event w/ "Read Attributes" and the same handle ID.
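
The rules above, as an added example (not the TechNet script), run over a handful of constructed records. ConvertFrom-AuditEvent flattens real Get-WinEvent records into the same shape, so the classifier can be fed from an .evtx too; remember that Get-WinEvent returns newest first, so reverse it. The access masks are the real NTFS values (0x10000 = DELETE, 0x2 = WriteData/AddFile, 0x80 = ReadAttributes). The "double DELETE means created" rule is read here as two DELETE 4663s on the same handle with no 4660, which is one interpretation of the wording above. Paths, users and handle IDs are made up.

```powershell
# Added example, not the TechNet script: the correlation rules from the
# "Observations" list applied to constructed 4663/4660/4659 records.
# Access masks are the real NTFS values: 0x10000 = DELETE,
# 0x2 = WriteData/AddFile, 0x80 = ReadAttributes. The sample records below
# are made up for the example.
$DELETE = 0x10000; $WRITE = 0x2; $READATTR = 0x80

# Flatten a real Get-WinEvent record into the shape the classifier wants.
function ConvertFrom-AuditEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
    $mask = 0
    if ($d['AccessMask']) { $mask = [int]$d['AccessMask'] }   # "0x10000" -> 65536
    [pscustomobject]@{
        Time = $Record.TimeCreated; Id = $Record.Id; Handle = $d['HandleId']
        Object = $d['ObjectName']; User = $d['SubjectUserName']; Mask = $mask
    }
}

function Resolve-FileActivity {
    param([object[]]$Events)          # oldest first
    # Group by handle, preserving order: every rule on the page is
    # "this event followed by that event with the same handle ID".
    $byHandle = [ordered]@{}
    foreach ($e in $Events) {
        if (-not $byHandle.Contains($e.Handle)) { $byHandle[$e.Handle] = New-Object System.Collections.ArrayList }
        [void]$byHandle[$e.Handle].Add($e)
    }
    foreach ($h in $byHandle.Keys) {
        $seq      = $byHandle[$h]
        $first    = $seq[0]
        $deletes  = @($seq | Where-Object { $_.Id -eq 4663 -and ($_.Mask -band $DELETE) })
        $readAttr = @($seq | Where-Object { $_.Id -eq 4663 -and ($_.Mask -band $READATTR) })
        $writes   = @($seq | Where-Object { $_.Id -eq 4663 -and ($_.Mask -band $WRITE) })
        $closed   = @($seq | Where-Object { $_.Id -eq 4660 })
        $intent   = @($seq | Where-Object { $_.Id -eq 4659 })
        $action = $null; $name = $first.Object
        if ($intent.Count -gt 0) { $action = 'Deleted' }                                   # single 4659
        elseif ($deletes.Count -gt 0 -and $closed.Count -gt 0) { $action = 'Deleted' }     # DELETE then 4660
        elseif ($deletes.Count -gt 0 -and $readAttr.Count -gt 0 -and
                $seq.IndexOf($readAttr[0]) -gt $seq.IndexOf($deletes[0])) {
            $action = 'Renamed/Moved'                                                      # later event carries the new name
            $name   = '{0} -> {1}' -f $first.Object, $readAttr[0].Object
        }
        elseif ($deletes.Count -ge 2) { $action = 'Created' }                              # double DELETE, never closed
        elseif ($deletes.Count -eq 1 -or $writes.Count -gt 0) { $action = 'Modified' }     # overwritten or written
        if ($action) {
            [pscustomobject]@{ Time = $first.Time; User = $first.User; Action = $action; Object = $name; Handle = $h }
        }
    }
}

# Constructed sample, in the order the log would show it oldest-first
function New-AuditRecord ($Time, $Id, $Handle, $Object, $User, $Mask) {
    [pscustomobject]@{ Time = [datetime]$Time; Id = $Id; Handle = $Handle; Object = $Object; User = $User; Mask = $Mask }
}
$sample = @(
    (New-AuditRecord '2015-04-16 09:01:00' 4663 '0x1a4' 'D:\Shares\Data\budget.xlsx' 'alice' $DELETE)    # deleted: DELETE ...
    (New-AuditRecord '2015-04-16 09:01:00' 4660 '0x1a4' ''                           'alice' 0)          # ... then 4660 on the same handle
    (New-AuditRecord '2015-04-16 09:02:00' 4663 '0x1b0' 'D:\Shares\Data\draft.docx'  'bob'   $DELETE)    # renamed: DELETE ...
    (New-AuditRecord '2015-04-16 09:02:01' 4663 '0x1b0' 'D:\Shares\Data\final.docx'  'bob'   $READATTR)  # ... then ReadAttributes with the new name
    (New-AuditRecord '2015-04-16 09:03:00' 4663 '0x1c8' 'D:\Shares\Data\notes.txt'   'carol' $WRITE)     # modified
    (New-AuditRecord '2015-04-16 09:04:00' 4663 '0x1d2' 'D:\Shares\Data\new.pptx'    'dave'  $DELETE)    # created: two DELETEs ...
    (New-AuditRecord '2015-04-16 09:04:00' 4663 '0x1d2' 'D:\Shares\Data\new.pptx'    'dave'  $DELETE)    # ... and no 4660
    (New-AuditRecord '2015-04-16 09:05:00' 4659 '0x1e0' 'D:\Shares\Data\old.log'     'eve'   0)          # deleted via 4659
)
Resolve-FileActivity -Events $sample | Format-Table -AutoSize
```

To run it against a saved log instead of the sample: Get-WinEvent -Path the .evtx with a FilterXPath for IDs 4659, 4660 and 4663, pipe through ConvertFrom-AuditEvent, reverse the array, and hand it to Resolve-FileActivity.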


Download

You may download the script from the TechNet gallery:
https://gallery.technet.microsoft.com/How-to-audit-changed-39afba72

4/16/15

Windows ADK

Today I was so frustrated because I couldn't get the Windows ADK to make a catalog of a Windows 8.1 install.wim - it said "Catalog creation failed to complete.  This 64-bit version of Windows SIM can only create catalogs for 64-bit Windows images."

The solution was to install the Windows ADK on Windows 8.1 (I'd been trying it on 2012 R2 and 7).


1/24/15

Upgrading a PowerEdge T410 from 2008 R2 to Hyper-V Server 2012 R2

This was similar to an upgrade last August (convert two RAID 1 arrays into one RAID 10 array).

Here's what I learned:

#1: Always use the /R:1 switch with ROBOCOPY (the default is one million retries, 30 seconds apart, so a single locked file can stall the copy for hours).  Failure to do so today cost me 1.25 hours.

#2: This server has neither iDRAC Express nor iDRAC Enterprise; it also lacks the Lifecycle Controller and Unified BIOS of newer Dell servers.  So I downloaded the bootable Systems Build and Update Utility (SBUU)...and got stuck...so I downloaded the 10GB Dell Server Update Utility and ran it under Windows 2008 R2 to apply firmware updates for the RAID controller, HDs, NICs, etc.

#3: On Hyper-V Server 2012 R2, to see what devices are missing a driver, use the free Portlock Device Manager.

#4: PNPUTIL -i -a was useless.  In Hyper-V Server 2012 R2, if drivers aren't available through Windows Update, forget about it.

#5: You can install the Dell Server Manager 7.4 on Hyper-V Server 2012 R2.
       Installation:  msiexec /i SysMgmtx64.msi
       Web access: https://hostname:1311/OMSALogin

#6: The Dell Server Administrator (GUI and CLI) did not show current values for the RAID rebuilding process.  Restarting the "DSM SA Data Manager" service in Windows refreshed it.  omreport storage vdisk is the command to show RAID rebuild progress.


--------------------------------------------------------------------------------------------

Lastly, I wanted to convert my original dynamic VHDs to fixed VHDXs for better performance through reduced fragmentation (link, link).


First, tried New-VHD -Path c:\file.vhdx -Fixed -SourceDisk 3 -SizeBytes 50GB, but that doesn't work: -SourceDisk and -SizeBytes belong to different parameter sets, so New-VHD rejects the combination (a copy takes its size from the source disk).  Here's what does:

Mount-VHD -Path original.vhd -Readonly (the host OS acts like it's an attached drive now)
Get-Disk  (to identify what number is assigned to the VHD mentioned above)
New-VHD -Path new.vhdx -Fixed -SourceDisk 3 (duplicates the original into a fixed VHDX)
Dismount-VHD original.vhd

Optionally reduce the size of the VHDX file:

Mount-VHD new.vhdx
DISKPART
  LIST VOLUME
  (to see which volume number to select)
  SELECT VOLUME 6  (for example)
  SHRINK QUERYMAX  (to see how much space can be removed; see the reference)
  SHRINK DESIRED=50000  (removes 50000 MB from the end of the volume; DESIRED is the amount to take away, not the new size, so subtract from the current size to land on the 50GB target used here)
  EXIT
 
Dismount-VHD new.vhdx


Resize-VHD new.vhdx -ToMinimumSize

Replace the old VHD with the shiny new VHDX:

Get-VMHardDiskDrive -VMName SBS (optional)

Remove-VMHardDiskDrive -VMName SBS -ControllerLocation 0 -ControllerNumber 0 -ControllerType IDE

Add-VMHardDiskDrive -VMName SBS -ControllerLocation 0 -ControllerNumber 0 -ControllerType IDE -Path new.vhdx
Start-VM SBS
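
The whole conversion as one script, added here as an example rather than taken from the original post. The disk number comes from Get-VHD instead of being read off Get-Disk by hand, and the Storage cmdlets stand in for DISKPART so the shrink is expressed as a target size rather than an amount to remove. Assumed names: VM "SBS", D:\VMs\original.vhd, D:\VMs\new.vhdx, IDE controller 0 location 0, and a 50GB target like the example above. Run it elevated on the Hyper-V host.

```powershell
# Added example, not from the original post: the dynamic VHD -> fixed VHDX
# conversion above as one script. Assumed names: VM "SBS",
# D:\VMs\original.vhd, D:\VMs\new.vhdx, IDE 0:0, 50GB target partition.
$VM  = 'SBS'
$Src = 'D:\VMs\original.vhd'
$Dst = 'D:\VMs\new.vhdx'
$TargetPartitionSize = 50GB

Stop-VM -Name $VM                                    # the IDE disk cannot be swapped while running

# 1. Duplicate the dynamic VHD into a fixed VHDX. Mount read-only so nothing
#    inside the guest filesystem changes during the copy.
Mount-VHD -Path $Src -ReadOnly
try {
    $srcNumber = (Get-VHD -Path $Src).DiskNumber     # populated while attached
    New-VHD -Path $Dst -Fixed -SourceDisk $srcNumber # no -SizeBytes: that is a different parameter set
} finally {
    Dismount-VHD -Path $Src
}

# 2. Optional shrink: mount the copy read/write, shrink the largest partition
#    (the OS/data volume; the small System Reserved one is left alone), then
#    shrink the VHDX container to fit.
Mount-VHD -Path $Dst
try {
    $n    = (Get-VHD -Path $Dst).DiskNumber
    $part = Get-Partition -DiskNumber $n | Sort-Object Size -Descending | Select-Object -First 1
    $lim  = Get-PartitionSupportedSize -DiskNumber $n -PartitionNumber $part.PartitionNumber
    'Partition {0}: current {1:N0} MB, cannot go below {2:N0} MB' -f $part.PartitionNumber, ($part.Size/1MB), ($lim.SizeMin/1MB)
    # Target size, never below what the data needs (SizeMin accounts for the files in it)
    [uint64]$target = if ($lim.SizeMin -gt $TargetPartitionSize) { $lim.SizeMin } else { $TargetPartitionSize }
    if ($target -lt $part.Size) {
        Resize-Partition -DiskNumber $n -PartitionNumber $part.PartitionNumber -Size $target
    }
} finally {
    Dismount-VHD -Path $Dst
}
Resize-VHD -Path $Dst -ToMinimumSize

# 3. Swap the disk on the VM and confirm what it is now booting from
Remove-VMHardDiskDrive -VMName $VM -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0
Add-VMHardDiskDrive    -VMName $VM -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 -Path $Dst
Start-VM -Name $VM
Get-VHD -Path $Dst | Select-Object Path, VhdFormat, VhdType, FragmentationPercentage, FileSize, Size
```

Keep the original VHD until the guest has booted cleanly from the VHDX; the swap is two cmdlets in the other direction if something is wrong.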

So, you ask, did I achieve the goal of improved disk I/O?  Yes, but don't die from laughter when you see the numbers - these are SATA disks on a Perc H200 RAID controller (write cache is disabled). 

For what it's worth, moving from RAID 1 to RAID 10 nearly doubled R/W performance of the Hyper-V host.  The graphs below are from inside a Hyper-V guest.

To benchmark disk performance, I used DiskSpd with a sample set of parameters from the download page: diskspd.exe -b8K -d30 -h -L -o2 -t4 -r -w30 -c50M c:\io.dat



...and I just discovered Crystal DiskMark!  Post-upgrade numbers: