
Loopback processing of Group Policy

Group Policy has two halves, Computer Configuration and User Configuration. Computer Configuration is applied to the computer regardless of which user logs on, and User Configuration is applied to the user regardless of which computer the user logs on to.
Take a domain with two organizational units (OUs), Green and Red. The Green OU contains a computer account and the Red OU contains a user account.
The Green GPO, which carries the settings "Computer Configuration 2" and "User Configuration 2", is linked to the OU with the computer account.
The Red GPO, which carries the settings "Computer Configuration 1" and "User Configuration 1", is linked to the OU with the user account.

With loopback processing disabled, when the user logs on to the computer the result is:

The user gets Computer Configuration 2 and User Configuration 1. This is the standard behaviour: each half of the policy is applied according to OU membership. The user belongs to the Red OU, so the user receives User Configuration 1 from the Red GPO.

Now enable loopback processing in the Green GPO (the one linked to the computer's OU). When the same user logs on to the computer, the policies are applied like this:

The user now gets User Configuration 2, even though the user account lives in the Red OU. User Configuration 1 has been replaced by User Configuration 2, i.e. by the user settings of the GPO linked to the computer's OU.

What was enabled above is loopback in Replace mode. Loopback processing has two modes, Replace and Merge. Replace mode discards the user settings from the user's own GPOs and applies only the user settings of the GPOs linked to the computer's OU. Merge mode applies both: first the user's own GPOs, then the user settings of the GPOs linked to the computer's OU.

In Merge mode, if two GPOs set the same setting to different values, the GPO linked to the computer's OU wins because it is processed last. In this scenario a conflict would therefore be resolved in favour of User Configuration 2.

To enable loopback processing, edit the GPO linked to the computer's OU and navigate to: Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure user Group Policy loopback processing mode. Set it to Enabled and choose Replace or Merge. Because the setting lives under Computer Configuration, it takes effect on the computers the GPO applies to (typically terminal servers, kiosks and other shared machines) after a policy refresh. A user logging on to such a computer then receives user-side settings that the administrators of the user's own OU do not control, so treat the scope of that GPO, and who can edit it, as security-sensitive.
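The following PowerShell is an added example, not code from the original post. It sets the mode on a GPO through the registry value that the Administrative Template above writes (the GPO name "Green" is assumed; the GroupPolicy module from RSAT is required), reads back the mode that actually landed on a computer, and models the Replace and Merge resolution rules on a constructed pair of user-side setting tables so the two modes can be compared side by side without a lab.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module
# (RSAT). The GPO name "Green" and the sample setting tables are assumptions.
Import-Module GroupPolicy

# The Administrative Template "Configure user Group Policy loopback processing mode"
# writes this value: 1 = Merge, 2 = Replace, absent = loopback not configured.
$GpoKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'   # form Set-GPRegistryValue expects
$LocalKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'  # same key via the local registry drive

function Set-GpoLoopbackMode {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Merge', 'Replace', 'NotConfigured')] [string] $Mode
    )
    if ($Mode -eq 'NotConfigured') {
        Remove-GPRegistryValue -Name $GpoName -Key $GpoKey -ValueName 'UserPolicyMode' | Out-Null
        return
    }
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key $GpoKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value $value | Out-Null
}

function Get-EffectiveLoopbackMode {
    # Run on the computer itself after "gpupdate /force" to see which mode applied there.
    $item = Get-ItemProperty -Path $LocalKey -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($item.UserPolicyMode) { 1 { 'Merge' } 2 { 'Replace' } default { 'NotConfigured' } }
}

function Resolve-LoopbackUserSettings {
    # Models the rule the text describes. $UserSide holds the user settings from the
    # GPOs linked to the user's OU (User Configuration 1); $ComputerSide holds the user
    # settings from the GPOs linked to the computer's OU (User Configuration 2).
    param(
        [ValidateSet('Merge', 'Replace', 'NotConfigured')] [string] $Mode,
        [hashtable] $UserSide,
        [hashtable] $ComputerSide
    )
    switch ($Mode) {
        'Replace' { return $ComputerSide.Clone() }          # user's own GPOs are ignored
        'Merge' {
            $merged = $UserSide.Clone()
            foreach ($name in $ComputerSide.Keys) {
                $merged[$name] = $ComputerSide[$name]       # computer side is processed last and wins conflicts
            }
            return $merged
        }
        default { return $UserSide.Clone() }                # normal processing
    }
}

# Constructed sample: user settings from the Red GPO vs user settings from the Green GPO.
$userConfiguration1 = @{ Wallpaper = 'red.jpg';   ScreenSaverTimeout = 600; MappedDrive = 'H:' }
$userConfiguration2 = @{ Wallpaper = 'green.jpg'; ScreenSaverTimeout = 300 }

foreach ($mode in 'NotConfigured', 'Replace', 'Merge') {
    "--- $mode ---"
    Resolve-LoopbackUserSettings -Mode $mode -UserSide $userConfiguration1 -ComputerSide $userConfiguration2
}

# Real change: enable Replace mode in the GPO linked to the Green OU, then refresh a
# Green-OU computer with "gpupdate /force" and call Get-EffectiveLoopbackMode there.
# Set-GpoLoopbackMode -GpoName 'Green' -Mode Replace
```

Running the loop shows the three outcomes from the text: with loopback not configured the user keeps the Red settings, Replace drops the mapped drive because it only exists on the user side, and Merge keeps the mapped drive while the Green values win the two conflicting settings.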

 


ESX Host Shows Disconnected

ESX communicates with VirtualCenter (vCenter) through what VMware calls the "management agents": vpxa, hostd and vpxd.

vpxa runs on the ESX host (in the service console) as the VirtualCenter agent. It relays requests from vpxd to hostd and is mostly a listener; it is very rarely the problem on its own.
hostd runs on the ESX host (in the service console) as the host agent, started by the mgmt-vmware service. This is the lion's share of the trouble: the vast majority of "disconnected" states indicate a problem with hostd.
vpxd runs on your VirtualCenter server.
These three services form a communications chain, and a failure of any one of them tends to show up as a "disconnected" host in VirtualCenter.

Log in as root on the service console.

Restart the VC agent (vmware-vpxa) with the following command:

service vmware-vpxa restart

If the host is still disconnected, restart the host agent (mgmt-vmware) the same way; restarting hostd briefly interrupts management of the host but does not affect running virtual machines. If the problem still persists, remove and reinstall the VC agent on the ESX host.

Remove the ESX host from VirtualCenter

In VirtualCenter right-click the ESX host and select Remove. Removing a host from the inventory also discards its VirtualCenter-level permissions, performance history and cluster membership, so record anything you will need to restore afterwards.
Removing the host should uninstall the agent; if it does not, remove it manually.

Manually remove the VC agent from the ESX host with the following commands on the ESX console.
Find the current VC agent version:

rpm -qa | grep vpxa

If nothing is returned the agent was removed successfully and you can skip to re-adding the host. Otherwise note the package name, because the uninstall below needs it.

Stop the Host Agent (mgmt-vmware)

service mgmt-vmware stop

Stop the VC Agent

service vmware-vpxa stop

or

/etc/init.d/vmware-vpxa stop

Uninstall the VC agent using the package name returned earlier (the version shown is only an example; use the one your host reported):

rpm -e VMware-vpxa-2.5.0-104215

Expect the following:

warning: /etc/vmware/vpxa.cfg saved as /etc/vmware/vpxa.cfg.rpmsave

Verify the VC agent has been uninstalled:

rpm -qa | grep vpxa

Add the ESX host back into the VirtualCenter Server. VirtualCenter pushes a fresh vpxa package to the host during the add, after which you can restore the permissions and cluster membership you recorded earlier.


DHCP database transfer

Log in to the DHCP server with appropriate credentials.

Click Start, then Run, type cmd and press Enter.

In the command console type:

netsh dhcp server export c:\dhcp.txt all

Then press Enter. You can change the path and filename to suit your needs.

After a short while you should see a confirmation. The time the export takes depends on the size of the database; the command reports when it has completed successfully. The export file holds the full server configuration, including reservations and leases, so treat it with the same care as the database itself and delete it once the migration has been verified.

Log in to your target server

Log in with the appropriate credentials on the target server that will receive the import. If you have not installed the DHCP role yet, open the Server Manager console and click Add Roles.

Tick the DHCP Server box to add the role, then click Next, and Next again.

Make sure the correct IP address is selected for binding (the address the DHCP service will listen on), then click Next.

Configure DNS

Set the parent domain and the primary and secondary DNS server IPs and click Next (in this instance the primary is the loopback address, because the example server is a DC that also runs DNS).

If WINS is in use, click the radio button for "WINS is required..." and configure your primary and secondary server IPs, then click Next. If you do not use WINS, leave the default setting and click Next.

Since we are importing a database, just click Next on the scope screen without adding any scopes.

Usually you can disable DHCPv6 stateless mode. Whether you need it depends on whether your IPv6 clients obtain options such as DNS servers from DHCPv6; if you are not sure, accept the default and click Next.

You should get a confirmation message saying the install succeeded.

Do not import the database onto the new server until you have gone to the old DHCP server and either disabled the DHCP Server service, deactivated the scopes or unauthorized it. Two active servers holding the same scopes would both answer clients and hand out overlapping leases.

Open a command prompt on the new server.

In the command console type:

netsh dhcp server import c:\dhcp.txt all

Then press Enter. Change the path and filename to whatever you are using. This how-to skips the step of copying the exported file to the root of C: on the new server; do that first, since the import runs on the new server and reads the file from its local disk.

Authorize the DHCP server

Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.

In the console tree of the DHCP snap-in, expand the new DHCP server. If there is a red arrow in the lower-right corner of the server object, the server has not yet been authorized.
Right-click the server object, and then click Authorize.
After several moments, right-click the server again, and then click Refresh. A green arrow indicates that the DHCP server is authorized.

Authorization is recorded in Active Directory and is what lets the DHCP Server service start serving clients; an unauthorized Windows DHCP server stops handing out leases. It is a control over Windows DHCP servers only and does nothing against a rogue DHCP server on another platform, so it does not replace DHCP snooping on the switches.
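The same migration with the DhcpServer PowerShell cmdlets, as an added example that is not part of the original how-to. It assumes both servers run Windows Server 2012 or later (the netsh commands above remain the route for older versions) and that the hypothetical names, address and paths below are replaced with your own. The order matters: the old server is taken out of service before the import so that no two authorized servers hand out the same ranges, and the last step checks authorization and scope contents on both sides.

```powershell
# Added example, not from the original post. Requires the DhcpServer module and
# rights to manage both servers and to (un)authorize servers in AD.
# Server names, address and paths are hypothetical.
Import-Module DhcpServer

$OldServer   = 'dhcp-old.corp.example'
$NewServer   = 'dhcp-new.corp.example'
$NewServerIP = '10.0.0.20'
$ExportFile  = 'C:\dhcp-export.xml'   # holds every scope, reservation and lease: protect it, delete it afterwards
$BackupPath  = 'C:\dhcp-backup'       # Import-DhcpServer requires a backup of the target's current database

function Get-DhcpScopeSummary {
    # Scope list with lease counts, used to compare old and new server around the cutover.
    param([string]$ComputerName)
    Get-DhcpServerv4Scope -ComputerName $ComputerName | ForEach-Object {
        [pscustomobject]@{
            ScopeId = $_.ScopeId
            Name    = $_.Name
            State   = $_.State
            Leases  = @(Get-DhcpServerv4Lease -ComputerName $ComputerName -ScopeId $_.ScopeId).Count
        }
    }
}

function Test-DhcpAuthorized {
    # $true when the server appears in the list of DHCP servers authorized in Active Directory.
    param([string]$DnsName)
    $match = Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $DnsName }
    [bool]$match
}

# 1. Export server settings, scopes, reservations and active leases from the old server.
Export-DhcpServer -ComputerName $OldServer -File $ExportFile -Leases -Force
"Old server before cutover:"; Get-DhcpScopeSummary -ComputerName $OldServer

# 2. Take the old server out of service before importing anywhere else: deactivate its
#    scopes and remove its authorization, so it cannot keep answering clients.
Get-DhcpServerv4Scope -ComputerName $OldServer |
    Set-DhcpServerv4Scope -ComputerName $OldServer -State InActive
Remove-DhcpServerInDC -DnsName $OldServer

# 3. Import on the new server, leases included, then authorize it.
Import-DhcpServer -ComputerName $NewServer -File $ExportFile -BackupPath $BackupPath -Leases -Force
Add-DhcpServerInDC -DnsName $NewServer -IPAddress $NewServerIP

# 4. Verify: the new server is authorized, the old one is not, and the scopes match.
"New server authorized: $(Test-DhcpAuthorized -DnsName $NewServer)"
"Old server authorized: $(Test-DhcpAuthorized -DnsName $OldServer)"
Get-DhcpScopeSummary -ComputerName $NewServer
```

Unlike the netsh route, Import-DhcpServer refuses to run without a backup path, which gives you a rollback point for the target server. If the old server must stay reachable for a while, leave its scopes deactivated rather than re-authorizing it.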

How to exclude individual users or computers from a Group Policy Object

 

Step 1. Open the Group Policy Object that you want to apply an exception to, click on the "Delegation" tab and then click on the "Advanced" button.

Step 2. Click on the "Add" button and select the group (recommended) that you want to exclude from having this policy applied.

Step 3. In this example I am excluding the "Users GPO Exceptions" group from this policy. Select the group in the "Group or user names" list, scroll down the permissions and tick the "Deny" option against the "Apply Group Policy" permission.

Now any member of the "Users GPO Exceptions" security group will not have this Group Policy Object applied. Using a security group to control the exception makes it much easier to manage: someone only needs to modify the group membership to change who (or what) gets the policy applied. That makes delegating the task to level 1 or level 2 support practical, since they do not need any permissions on the Group Policy Object itself.

Three things to keep in mind. A Deny entry overrides any Allow, so a member of the exception group is excluded even if another group grants it Apply Group Policy. Group membership is read from the logon token, so a user added to the group must log off and on again (a computer must restart) before the exception takes effect. And add the Deny on Apply Group Policy rather than removing the default Read for Authenticated Users: since MS16-072 the user settings of a GPO are retrieved in the computer's security context, so a GPO that computers cannot read stops applying its user settings to everyone.
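The same Deny entry written from PowerShell, as an added example that is not part of the original post. Set-GPPermission only grants Allow levels, so the Deny is added as an access rule on the GPO's Active Directory object, where the "Apply Group Policy" extended right lives. The GPO and group names are hypothetical; the ActiveDirectory and GroupPolicy modules (RSAT) are required, and the account running it must be able to modify the GPO's security.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT); the GPO name and group name are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Extended right "Apply Group Policy" (its well-known rights GUID in the AD schema).
$ApplyGroupPolicyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Set-GpoApplyDeny {
    # Adds "Deny - Apply Group Policy" for a group on the GPO's AD object, leaving the
    # default Allow entries (including Authenticated Users: Read) untouched.
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $gpo   = Get-GPO -Name $GpoName
    $group = Get-ADGroup -Identity $GroupName
    $path  = "AD:\$($gpo.Path)"          # CN={GUID},CN=Policies,CN=System,DC=...

    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-GpoApplyDenies {
    # Lists every principal currently denied "Apply Group Policy" on the GPO.
    param([Parameter(Mandatory)] [string] $GpoName)
    $gpo = Get-GPO -Name $GpoName
    (Get-Acl -Path "AD:\$($gpo.Path)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $ApplyGroupPolicyGuid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
}

function Test-GpoReadableByAuthenticatedUsers {
    # Guard for the MS16-072 pitfall: the exception must be a Deny on top of the default
    # ACL, not a removal of Authenticated Users' Read, or computers cannot fetch the GPO.
    param([Parameter(Mandatory)] [string] $GpoName)
    $perm = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                             -ErrorAction SilentlyContinue
    [bool]$perm
}

# Usage (hypothetical names):
# Set-GpoApplyDeny -GpoName 'Desktop Lockdown' -GroupName 'Users GPO Exceptions'
# Get-GpoApplyDenies -GpoName 'Desktop Lockdown'
# Test-GpoReadableByAuthenticatedUsers -GpoName 'Desktop Lockdown'
```

After running it, open the GPO's Delegation tab in GPMC once: GPMC compares the AD object's security with the SYSVOL folder's and offers to repair any inconsistency it finds, which keeps the two views of the GPO's permissions in step.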


Transferring FSMO Roles

Schema Master:

On the WS 2008 R2 DC, register the Schema snap-in by running:

regsvr32 schmmgmt.dll

Open MMC and add the Active Directory Schema snap-in, then click OK.

Right-click Active Directory Schema and choose Change Active Directory Domain Controller.

Select the WS2012 server and click OK. The Change button in the Operations Master dialog transfers the role to whichever DC the snap-in is currently connected to, so this step is what makes the WS2012 DC the target.

Right-click Active Directory Schema again, select Operations Master, click Change, then Yes to confirm.

PDC, RID, Infrastructure Master:

On the WS 2012 DC open Active Directory Users & Computers, right-click the domain and select Operations Masters. Because the snap-in is running on the WS2012 DC, it is already connected to the right target.

On the RID tab click Change, then Yes, then OK.

Go to the PDC tab: Change, Yes, OK.

Go to the Infrastructure tab: Change, Yes, OK.

Domain Naming Master:

Open ADSI Edit on the WS2012 DC, choose Connect To and click OK.

On the WS 2008 R2 server open Active Directory Domains & Trusts. Connect the snap-in to the WS2012 DC first (right-click the root node and choose Change Active Directory Domain Controller), because the Change button transfers the role to the DC the snap-in is connected to. Then right-click the root node, select Operations Master, click Change, Yes, OK and finally Close.

All FSMO roles are now on the new WS2012 DC. Confirm from both DCs that they agree on all five holders before demoting the old one. Each transfer needs the matching rights: Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master and Domain Admins for the three domain roles. A transfer like this is graceful and both DCs update their view; seizing a role is reserved for a holder that is permanently gone, and a DC whose roles were seized must never be brought back online.
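The same transfer and its verification from PowerShell, as an added example that is not part of the original post. It uses the ActiveDirectory module; the DC names are hypothetical stand-ins for the page's WS2012 and WS 2008 R2 domain controllers, and the account running it needs the Schema Admins, Enterprise Admins and Domain Admins rights described above.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module;
# the two DC names are hypothetical.
Import-Module ActiveDirectory

$NewDC = 'WS2012-DC'
$OldDC = 'WS2008R2-DC'

function Get-FsmoHolders {
    # All five role holders as seen by one DC (forest roles from Get-ADForest,
    # domain roles from Get-ADDomain); values are DC FQDNs.
    param([string]$Server)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-AllRolesHeldBy {
    # $true when every role, as reported by $Server, points at $DcName.
    param([string]$DcName, [string]$Server)
    $expected = (Get-ADDomainController -Identity $DcName -Server $Server).HostName
    $holders  = Get-FsmoHolders -Server $Server
    $values   = @($holders.PSObject.Properties | ForEach-Object { $_.Value })
    ($values.Count -eq 5) -and (@($values | Where-Object { $_ -ne $expected }).Count -eq 0)
}

"Before (asked on $OldDC):"; Get-FsmoHolders -Server $OldDC

# Graceful transfer of all five roles: the GUI steps above in one command.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Only when the old holder is permanently offline: add -Force to seize instead of transfer.
# A DC whose roles were seized must never return to the network.
# Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole PDCEmulator -Force -Confirm:$false

# Verify from both DCs; their answers must agree before the old DC is demoted.
"After (asked on $NewDC):"; Get-FsmoHolders -Server $NewDC
"After (asked on $OldDC):"; Get-FsmoHolders -Server $OldDC
"All roles on $NewDC (per $NewDC): $(Test-AllRolesHeldBy -DcName $NewDC -Server $NewDC)"
"All roles on $NewDC (per $OldDC): $(Test-AllRolesHeldBy -DcName $NewDC -Server $OldDC)"
```

Asking both DCs is the point of the last two lines: a transfer is written on the new holder and replicated to the old one, so a disagreement between them means replication has not caught up and the old DC should not be demoted yet.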

 


Creating the Group Policy Central Store

Updated for Windows 8.1/2012 R2

Managing Windows 8.1 Group Policies in a forest that is at the Server 2008 R2 functional level (the central store does not depend on the functional level; it only needs SYSVOL and a GPMC from Vista/2008 or later).

Open an Explorer window and navigate to \\DOMAINNAME\sysvol\DOMAINNAME\Policies (open the subfolders until you are inside the Policies folder). Each folder here is named after the GUID of one Group Policy Object (GPO) in the domain. Open any policy and you should see a few subfolders; the most common are ADM, Machine and User.

Where an ADM folder exists it holds, by default, the five classic ADM template files. Every client also has a copy of these files, and every policy created with the pre-Vista Group Policy tools automatically includes this folder. GPMC on Vista/2008 and later uses ADMX files instead and does not add an ADM folder to the GPOs it creates.

Three Steps to Create the Group Policy Central Store

Step 1. Browse back to your Policies folder within SYSVOL and create a new folder named "PolicyDefinitions".

Step 2. Download the following ADMX templates to populate your Central Store:

Windows 8.1 and Windows Server 2012 R2 ADMX Templates
Office 2013 ADMX Templates
Office 2010 ADMX Templates

Step 3. Extract the files into your .\Policies\PolicyDefinitions folder. The ADMX files go in the root of this folder. The language folder (e.g. en-US) is also in the root, and all ADML files go inside the language folder; include a language folder matching the display language of the GPMC you use (en-US at minimum), or the template names and descriptions will not render. Once the folder exists, every GPMC in the domain reads its templates from here and ignores its local copy, so keep the store at the newest operating system version you manage and leave write access on it restricted to the principals that can already edit GPOs.

Close any open GPMC windows on your management machine. Open GPMC again and create a new policy (or edit an existing one). Navigate to Computer Configuration\Policies\Administrative Templates and left-click on Administrative Templates. In the centre of the screen you should now see: "Administrative Templates: Policy Definitions (ADMX files) retrieved from the Central Store". If it still reports the definitions as retrieved from the local machine, the folder name or location is wrong, or SYSVOL replication has not yet delivered the folder to the DC your GPMC is talking to.

And that is it! You have created a central store and loaded the latest ADMX files.
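Creating and checking the store from PowerShell, as an added example that is not part of the original post. It assumes it runs on a Windows 8.1 / Server 2012 R2 management machine whose local %SystemRoot%\PolicyDefinitions holds the templates to publish (the downloaded Office templates can be copied the same way), and the domain name is hypothetical. Beyond the copy itself it adds two checks a practitioner wants: that every ADMX has its ADML in the language folder, and who is allowed to write to the store.

```powershell
# Added example, not from the original post. Run on a Windows 8.1 / 2012 R2
# management machine; the domain name is hypothetical.
$Domain       = 'corp.example'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$LocalSource  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Language     = 'en-US'

function New-GpCentralStore {
    # ADMX files go in the root of PolicyDefinitions, ADML files in a per-language subfolder.
    param([string]$Source, [string]$Destination, [string]$Lang)
    New-Item -ItemType Directory -Path (Join-Path $Destination $Lang) -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Destination -Force
    Copy-Item -Path (Join-Path $Source "$Lang\*.adml") -Destination (Join-Path $Destination $Lang) -Force
}

function Test-GpCentralStore {
    # Every .admx needs a same-named .adml in the language folder: a missing ADML is what
    # produces the "Resource '$(string...)' ... could not be found" errors in GPMC. An ADML
    # without its ADMX is harmless but usually means a mixed-version copy.
    param([string]$Path, [string]$Lang)
    $admx = @(Get-ChildItem -Path $Path -Filter *.admx -File | ForEach-Object { $_.BaseName })
    $adml = @(Get-ChildItem -Path (Join-Path $Path $Lang) -Filter *.adml -File | ForEach-Object { $_.BaseName })
    $missing = @($admx | Where-Object { $_ -notin $adml })
    $orphans = @($adml | Where-Object { $_ -notin $admx })
    [pscustomobject]@{
        AdmxCount   = $admx.Count
        AdmlCount   = $adml.Count
        MissingAdml = $missing
        OrphanAdml  = $orphans
        Healthy     = ($missing.Count -eq 0)
    }
}

function Get-GpCentralStoreWriters {
    # Who can change what every GPMC in the domain will trust. Anything beyond the default
    # SYSVOL set (SYSTEM, Administrators, Domain Admins, Enterprise Admins, Group Policy
    # Creator Owners) deserves a second look.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
        } |
        Select-Object IdentityReference, FileSystemRights
}

New-GpCentralStore -Source $LocalSource -Destination $CentralStore -Lang $Language
Test-GpCentralStore -Path $CentralStore -Lang $Language
Get-GpCentralStoreWriters -Path $CentralStore
```

Re-run Test-GpCentralStore after each template update: the typical failure is a new ADMX dropped into the root without its ADML, which only surfaces when someone opens the affected node in GPMC.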