Showing posts with label windows 2008. Show all posts

Tuesday, June 25, 2013

Run Command to open SCCM client 'Configuration Manager Properties'

I had often searched online for a Run command that opens the 'Configuration Manager Properties' window from an SCCM client machine's Control Panel. Most of the time I ended up creating a desktop shortcut to the Configuration Manager Properties applet for easy access.

Recently I found a post by Chris Nackers, who managed to track down the command line (which, I believe, is not available from the Microsoft site itself). Thanks Chris for sharing the info.

Start - Run - control smscfgrc

Update to the above post:
  • This command works on SCCM 2007 and SCCM 2012 clients. I haven't checked it on SMS 2003.
  • It also works fine on Windows 7/8/2003/2008/2012, including Server Core installations.


Ref.: http://social.technet.microsoft.com/Forums/en-US/configmgrgeneral/thread/7b8b8e2a-0756-4be5-add0-a0a3f0808c7a/

Monday, March 14, 2011

ConfigMgr Patch Installer Tool/Script

The ConfigMgr Patch Installer is a VBScript tool for installing updates that are advertised from SCCM without a deadline. It is especially useful on Windows Server 2008 Core, which has no GUI through which the updates could otherwise be installed. The tool queries SCCM for each update advertised to the system and installs it; the results can be written to an output log file.
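The same idea in PowerShell, as an added example that is not the ConfigMgr Patch Installer script itself: it asks the local ConfigMgr client which deployed updates are still missing through the Client SDK WMI classes (CCM_SoftwareUpdate and CCM_SoftwareUpdatesManager in root\ccm\ClientSDK), triggers their installation, waits for a final state and writes a log. The log path and timeout are assumptions; the class and property names are the documented Client SDK ones. It works on ConfigMgr 2007 and 2012 clients where PowerShell is available.

```powershell
# Added example (not the ConfigMgr Patch Installer script): install the software
# updates that ConfigMgr has deployed to this client but which are not yet installed.
# Assumptions: log path, timeout. Run from an elevated PowerShell prompt on the client.
param(
    [string]$LogFile = (Join-Path $env:SystemRoot 'Temp\PatchInstaller.log'),
    [int]$TimeoutMinutes = 60
)

$ns = 'root\ccm\ClientSDK'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# ComplianceState 0 = the update is deployed to this client but not yet installed.
$missing = @(Get-WmiObject -Namespace $ns -Class CCM_SoftwareUpdate -Filter 'ComplianceState = 0')
if ($missing.Count -eq 0) {
    Write-Log "No pending software updates on $env:COMPUTERNAME."
    return
}
foreach ($u in $missing) {
    Write-Log ('Pending: {0} (KB{1}) EvaluationState={2}' -f $u.Name, $u.ArticleID, $u.EvaluationState)
}

# InstallUpdates takes an array of CCM_SoftwareUpdate instances. Re-binding each
# instance via __PATH and the leading comma keep a single update from being unrolled.
$targets = @($missing | ForEach-Object { [wmi]$_.__PATH })
$call = Invoke-WmiMethod -Namespace $ns -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$targets)
Write-Log ('InstallUpdates returned {0}' -f $call.ReturnValue)

# EvaluationState below 8 means the update is not finished (queued, downloading or
# installing); 8, 9 and 10 are reboot-pending, 12 is installed, 13 is an error.
$ids = $missing | ForEach-Object { $_.UpdateID }
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $current = @(Get-WmiObject -Namespace $ns -Class CCM_SoftwareUpdate | Where-Object { $ids -contains $_.UpdateID })
    $busy = @($current | Where-Object { $_.EvaluationState -lt 8 })
} while ($busy.Count -gt 0 -and (Get-Date) -lt $deadline)

foreach ($u in $current) {
    Write-Log ('Result: {0} EvaluationState={1} PercentComplete={2}' -f $u.Name, $u.EvaluationState, $u.PercentComplete)
}
if ($busy.Count -gt 0) {
    Write-Log 'Timed out waiting for one or more updates.'
} elseif (@($current | Where-Object { @(8, 9, 10) -contains $_.EvaluationState }).Count -gt 0) {
    Write-Log 'Installation finished; a reboot is pending.'
} else {
    Write-Log 'All pending updates reached a final state.'
}
```

Updates that ConfigMgr has already evaluated as installed drop out of CCM_SoftwareUpdate, so an update that disappears from the re-query is treated as done; only those still reporting a state below 8 keep the loop waiting.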

The Tool can be downloaded at:
  • systemcentercentral.com - http://www.systemcentercentral.com/tabid/144/indexId/64192/Default.aspx
  • winoneclick.com - http://www.winoneclick.com/

Ref: http://pleasepressanykey.blogspot.com/2010/08/configmgr-patch-installer.html

Wednesday, February 23, 2011

Teredo - Windows

Teredo is an IPv6 transition technology that allows automatic IPv6 tunneling between hosts that are located across one or more IPv4 NATs. To traverse IPv4 NATs, IPv6 packets are sent as IPv4 User Datagram Protocol (UDP) messages. If the NAT supports UDP port translation, then the NAT supports Teredo; the exception is a symmetric NAT.
Teredo allows nodes located behind an IPv4 NAT to obtain IPv6 unicast connectivity by tunneling packets over UDP/IPv4. The service has three entities: the Teredo server, the Teredo relay and the Teredo client. A Teredo server is stateless, whereas a Teredo relay keeps state for each peer.
Teredo is designed as a last-resort transition technology for IPv6 connectivity. If native IPv6, 6to4 or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) connectivity is present, the host does not act as a Teredo client. As more IPv4 edge devices are upgraded to support 6to4 and IPv6 connectivity becomes ubiquitous, Teredo will be used less and less until it is not used at all.
Note: The Teredo interface is fully supported on Windows Vista and Windows Server 2008. Windows XP SP2 and Windows Server 2003 support only limited Teredo functionality (solicited traffic can be received).
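Because Teredo wraps IPv6 in UDP, a Teredo host shows up in IPv4 firewall logs only as UDP traffic to the Teredo server, and in IPv6 logs as an address under 2001:0000::/32. The following added example (not from the TechNet article) decodes such an address into the fields RFC 4380 packs into it, so a log entry can be mapped back to the NAT's public IPv4 address and UDP port; the sample address is the one used in RFC 4380, and the netsh commands at the end are the standard ones for inspecting or disabling the local Teredo interface on Vista/2008 and later. Written to run on PowerShell 2.0 (no bit-shift operators).

```powershell
# Added example: decode a Teredo IPv6 address (RFC 4380 layout).
function ConvertFrom-TeredoAddress {
    param([Parameter(Mandatory = $true)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $b = $ip.GetAddressBytes()   # 16 bytes in network order

    # Teredo prefix is 2001:0000::/32, i.e. the first four bytes are 20 01 00 00.
    if (-not ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0)) {
        throw "$Address is not a Teredo address"
    }

    # Bytes 4-7: IPv4 address of the Teredo server, stored in the clear.
    $server = New-Object System.Net.IPAddress (,[byte[]]($b[4..7]))
    # Bytes 8-9: flags; the top bit (0x8000) means the client is behind a cone NAT.
    $flags = [int]$b[8] * 256 + $b[9]
    # Bytes 10-11: external UDP port of the client, stored XORed with 0xFFFF.
    $port = ([int]$b[10] * 256 + $b[11]) -bxor 0xFFFF
    # Bytes 12-15: external IPv4 address of the client, stored XORed with 0xFFFFFFFF.
    $clientBytes = [byte[]]($b[12..15] | ForEach-Object { $_ -bxor 0xFF })
    $client = New-Object System.Net.IPAddress (,$clientBytes)

    New-Object PSObject -Property @{
        TeredoAddress = $Address
        Server        = $server.ToString()
        ConeNat       = (($flags -band 0x8000) -ne 0)
        ExternalIPv4  = $client.ToString()
        ExternalPort  = $port
    }
}

# RFC 4380 example: server 65.54.227.120, client 192.0.2.45 behind a cone NAT, port 40000.
ConvertFrom-TeredoAddress '2001:0000:4136:e378:8000:63bf:3fff:fdd2' | Format-List

# Local Teredo state (Vista / Server 2008 and later). Disabling it forces hosts to
# use native IPv6 or a tunnel the perimeter actually inspects:
#   netsh interface teredo show state
#   netsh interface teredo set state disabled
```

For the RFC address above the function returns Server 65.54.227.120, ConeNat True, ExternalIPv4 192.0.2.45 and ExternalPort 40000, which is the NAT mapping a firewall administrator would need to correlate with the IPv4 side.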

Ref: http://technet.microsoft.com/en-us/library/bb457011.aspx

Tuesday, February 22, 2011

Active Directory Certificate Services - Command Reference

Applies To: Windows Server 2008
Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies. The following commands are used to issue and manage those certificates.

Certreq
Certreq can be used to:
  1. Request certificates from a certification authority (CA).
  2. Retrieve a response to a previous request from a CA.
  3. Create a new request from an .inf file.
  4. Accept and install a response to a request.
  5. Construct a cross-certification or qualified subordination request from an existing CA certificate or request.
  6. Sign a cross-certification or qualified subordination request.
Certutil
Certutil displays certification authority (CA) configuration information and configures Certificate Services.
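A complete certreq round trip as an added example (not from the TechNet reference): build a request from an .inf file (item 3 above), submit it to a CA (item 1), accept the response (item 4) and then verify the issued certificate with certutil. The [NewRequest] keys are the documented ones; the CA config string and template name are placeholders for your environment.

```powershell
# Added example: machine certificate request with certreq, verified with certutil.
# Placeholders: $caConfig (hostname\CA common name) and $template. Run elevated
# on the requesting server so the key lands in the machine store.
$workDir = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$inf = Join-Path $workDir 'request.inf'
$req = Join-Path $workDir 'request.req'
$cer = Join-Path $workDir 'issued.cer'

$caConfig = 'CA01.example.local\Example-Issuing-CA'   # placeholder
$template = 'WebServer'                               # placeholder: template the computer may enroll for
$subject  = 'CN=' + [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# KeyUsage 0xa0 = digitalSignature + keyEncipherment; EKU 1.3.6.1.5.5.7.3.1 = server authentication.
# Exportable=FALSE keeps the private key from being copied out of the machine store.
$infText = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "{0}"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = {1}
'@ -f $subject, $template
Set-Content -Path $inf -Value $infText -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request.
certreq -new $inf $req
# 2. Submit the request to the CA; the certificate is written to $cer when the template auto-issues.
certreq -submit -config $caConfig $req $cer
# 3. Install the issued certificate and bind it to the pending request's private key.
certreq -accept $cer
# 4. Check the chain and fetch CRL/AIA data to confirm the certificate validates.
certutil -verify -urlfetch $cer
```

If the template requires CA manager approval, step 2 prints a request ID instead of writing $cer; the response can be fetched later with `certreq -retrieve <RequestId> <CertFile>` (item 2 in the list above).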

Ref: http://technet.microsoft.com/en-us/library/cc772497%28WS.10%29.aspx

Active Directory Domain Services - Command Reference

Applies To: Windows Server 2008
Active Directory Domain Services (AD DS) command-line tools are built into Windows Server 2008. They are available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
  • Adprep - Extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.
  • Csvde - Imports and exports data from Active Directory using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.
  • Dcdiag - Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.
  • Dcpromo - Installs and removes Active Directory Domain Services (AD DS).
  • Dsacls - Displays and changes permissions (access control entries) in the access control list (ACL) of objects in AD DS.
  • Dsadd - Adds specific types of objects to the directory.
  • Dsamain - Exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server.
  • Dsdbutil - Provides database utilities for Active Directory Lightweight Directory Services (AD LDS).
  • Dsget - Displays the selected properties of a specific object in the directory.
  • Dsmgmt - Provides management facilities for Active Directory Lightweight Directory Services (AD LDS).
  • Dsmod - Modifies an existing object of a specific type in the directory.
  • Dsmove - Moves a single object in a domain from its current location in the directory to a new location or renames a single object without moving it in the directory tree.
  • Dsquery - Queries AD DS according to specified criteria.
  • Dsrm - Deletes an object of a specific type or any general object from the directory.
  • Ldifde - Creates, modifies, and deletes directory objects on computers running Windows Server 2003 or Windows XP Professional operating systems.
  • Ldp - Makes it possible for users to perform operations against an LDAP-compatible directory, such as AD DS. These operations include connect, bind, search, modify, add, and delete.
  • Netdom - Makes it possible for administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from a command prompt.
  • Net computer - Adds or deletes a computer from a domain database.
  • Net group - Adds, displays, or modifies global groups in domains.
  • Net user - Adds or modifies user accounts, or displays user account information.
  • Nltest - Performs network administrative tasks.
  • Ntdsutil - Provides management facilities for AD DS.
  • Redircmp - Redirects the default container for newly created computers to a specified target organizational unit (OU) so that newly created computer objects are created in the specific target OU instead of in CN=Computers.
  • Redirusr - Redirects the default container for newly created users to a specified target OU so that newly created user objects are created in the specific target OU instead of in CN=Users.
  • Repadmin - Makes it possible for administrators to diagnose Active Directory replication problems between domain controllers running Windows operating systems.
  • Setspn - Makes it possible for administrators to read, modify, and delete the Service Principal Names (SPN) directory property for an Active Directory service account.
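Several of the tools above combine naturally into a periodic hygiene check. The following added example (not from the TechNet reference) drives Repadmin, Dcdiag, Dsquery and Setspn from PowerShell and collects their output in one report: replication health, stale accounts, duplicate SPNs and users whose passwords never expire. The inactivity threshold and report path are assumptions.

```powershell
# Added example: AD DS hygiene report built from the command-line tools listed above.
# Assumptions: $inactiveWeeks threshold and the report location. Run from an elevated
# prompt on a domain controller (or a server with the AD DS tools installed).
$report = Join-Path $env:TEMP ('ad-hygiene-{0:yyyyMMdd-HHmm}.txt' -f (Get-Date))
$inactiveWeeks = 12

function Add-Section {
    param([string]$Title, [string[]]$Lines)
    $sep = '=' * 70
    Add-Content -Path $report -Value @($sep, $Title, $sep)
    Add-Content -Path $report -Value $Lines
    Add-Content -Path $report -Value ''
}

# Replication summary across all DCs (repadmin) and the core replication/service tests (dcdiag).
Add-Section 'repadmin /replsummary' (repadmin /replsummary 2>&1)
Add-Section 'dcdiag /test:replications /test:services' (dcdiag /test:replications /test:services 2>&1)

# Stale computer and user accounts; dsquery -inactive counts in weeks.
Add-Section "Computers inactive for $inactiveWeeks weeks" (dsquery computer -inactive $inactiveWeeks -limit 0 2>&1)
Add-Section "Users inactive for $inactiveWeeks weeks" (dsquery user -inactive $inactiveWeeks -limit 0 2>&1)

# Duplicate SPNs break Kerberos authentication; setspn -X scans the forest for them.
Add-Section 'setspn -X (duplicate SPNs)' (setspn -X 2>&1)

# Users whose password never expires: userAccountControl bit 0x10000 (65536),
# matched with the LDAP bitwise-AND rule through dsquery *.
$filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
Add-Section 'Users with non-expiring passwords' (dsquery * -filter $filter -attr sAMAccountName -limit 0 2>&1)

Get-Content $report
```

The `-limit 0` switch removes dsquery's default cap of 100 results, which otherwise silently truncates the stale-account lists in larger domains.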
Ref: http://technet.microsoft.com/en-us/library/cc771131%28WS.10%29.aspx

Windows Server Backup - Command Reference

The following sub-commands for wbadmin provide backup and recovery functionality from a command prompt.
To configure a backup schedule, you must be a member of the Administrators group. To perform all other tasks with this command, you must be a member of the Backup Operators or the Administrators group, or you must have been delegated the appropriate permissions.
You must run wbadmin from an elevated command prompt. (To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.)
  • Wbadmin enable backup - Configures and enables a daily backup schedule. (This sub-command applies only to Windows Server 2008.)
  • Wbadmin disable backup - Disables your daily backups. (This sub-command applies only to Windows Server 2008.)
  • Wbadmin start backup - Runs a one-time backup. If used with no parameters, uses the settings from the daily backup schedule.
  • Wbadmin stop job - Stops the currently running backup or recovery operation.
  • Wbadmin get versions - Lists details of backups recoverable from the local computer or, if another location is specified, from another computer.
  • Wbadmin get items - Lists the items included in a specific backup.
  • Wbadmin start recovery - Runs a recovery of the volumes, applications, files, or folders specified. (This sub-command applies only to Windows Server 2008.)
  • Wbadmin get status - Shows the status of the currently running backup or recovery operation.
  • Wbadmin get disks - Lists disks that are currently online. (This sub-command applies only to Windows Server 2008.)
  • Wbadmin start systemstaterecovery - Runs a system state recovery. (This sub-command applies only to Windows Server 2008.)
  • Wbadmin start systemstatebackup - Runs a system state backup. (This sub-command applies only to Windows Server 2008.)
  • Wbadmin delete systemstatebackup - Deletes one or more system state backups. (This sub-command applies only to Windows Server 2008.)
  • Wbadmin start sysrecovery - Runs a recovery of the full system (at least all the volumes that contain the operating system's state). (This sub-command applies only to Windows Server 2008, and it is only available if you are using the Windows Recovery Environment.)
  • Wbadmin restore catalog - Recovers a backup catalog from a specified storage location in the case where the backup catalog on the local computer has been corrupted. (This sub-command applies only to Windows Server 2008.)
  • Wbadmin delete catalog - Deletes the backup catalog on the local computer. Use this command only if the backup catalog on this computer is corrupted and you have no backups stored at another location that you can use to restore the catalog. (This sub-command applies only to Windows Server 2008.)
Ref: http://technet.microsoft.com/en-us/library/cc770340%28WS.10%29.aspx

Wednesday, February 2, 2011

WBAdmin


WBAdmin is a command-line utility built into Microsoft’s latest Windows operating systems: Windows Vista and Windows Server 2008 as well as Windows 7 and Windows Server 2008 R2. The command is used to perform backups and restores of operating systems, drive volumes, files, folders, and applications from a command-line interface.
WBAdmin replaces the previous Microsoft Windows Backup command-line utility, NTBackup, which came built into earlier versions of Microsoft Windows: Windows NT, 2000, XP, and 2003. WBAdmin is essentially the command-line version of the backup applications that come with the new versions of Microsoft Windows: Complete PC Backup on Windows Vista and Windows Server Backup on Windows Server 2008.
System administrators use WBAdmin in scripts to schedule and automate backup and restore operations, as well as to overcome some of the limitations inherent in Complete PC Backup and Windows Server Backup.
WBAdmin includes several command-line switches, but a number of these commands have been disabled in Windows Vista, and are only available in Windows Server 2008.

Note: You must run wbadmin from an elevated command prompt. (To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.)

Features
With WBAdmin’s block-level backup technology, Microsoft provides users with a high performance, flexible and integrated backup utility that is more scalable than Microsoft’s previous command-line backup utility, NTBackup.

Subcommands: http://technet.microsoft.com/en-us/library/cc754015%28WS.10%29.aspx
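The scripted use described above, as an added example (not Microsoft's own documentation) that also covers the wbadmin sub-command reference in the earlier post: run a one-time system state backup, confirm it appears among the recoverable versions with `wbadmin get versions`, and trim old copies so the target does not fill up. The target volume, retention count and log path are assumptions; `start systemstatebackup` and `delete systemstatebackup` are Windows Server 2008 sub-commands and are not available on Vista.

```powershell
# Added example: system state backup with wbadmin, verified and pruned.
# Assumptions: $target (a dedicated backup volume, not the system drive), $keep, $log.
# Run from an elevated prompt as a member of Administrators or Backup Operators.
$target = 'E:'
$keep   = 3
$log    = Join-Path $env:SystemRoot 'Temp\wbadmin-systemstate.log'

function Write-Log {
    param([string]$Message)
    Add-Content -Path $log -Value ('{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message)
}

Write-Log "Starting system state backup to $target"
wbadmin start systemstatebackup "-backupTarget:$target" -quiet 2>&1 | ForEach-Object { Write-Log $_ }
if ($LASTEXITCODE -ne 0) {
    Write-Log "wbadmin returned exit code $LASTEXITCODE; backup not verified"
    exit $LASTEXITCODE
}

# The new backup must now be listed as a recoverable version on the target.
$ids = @(wbadmin get versions "-backupTarget:$target" 2>&1 | ForEach-Object {
    if ($_ -match '^Version identifier:\s*(\S+)') { $matches[1] }
})
if ($ids.Count -eq 0) {
    Write-Log "No recoverable versions found on $target after the backup; investigate before trusting it"
    exit 1
}
Write-Log ('Recoverable versions on {0}: {1}' -f $target, ($ids -join ', '))

# Keep only the newest $keep system state backups; wbadmin retains copies until told otherwise.
wbadmin delete systemstatebackup "-keepVersions:$keep" "-backupTarget:$target" -quiet 2>&1 | ForEach-Object { Write-Log $_ }
Write-Log 'Done'
```

Keeping the backup target on a volume that is not the system drive matters for the recovery scenarios in the reference above: `start sysrecovery` and `start systemstaterecovery` need a version that survived whatever took the system volume down.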

Tuesday, February 1, 2011

RODC : Frequently Asked Questions


In our office branches, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since Domain controllers store security sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials
  • Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
  • DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
  • Password protection: A malicious user won’t be able to access passwords using a brute-force attack. This applies only if password caching is disabled on the RODC.
  • Administrator Role Separation: You can delegate a local Administrator role to a domain user.
Read-only Domain Controller
  • An RODC holds all Active Directory objects and attributes.
  • RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
  • If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.
DNS Protection
  • A DNS server running on an RODC doesn’t support dynamic updates.
  • If a client wants to update its DNS record, the RODC will send a referral for a writeable DNS server.
  • The client can then update against this DNS server.
  • This single record will then be replicated from the writable DNS server to the RODC DNS server.
Password Protection
  • By default, an RODC doesn’t store user or computer credentials. (The only exception is the computer account of the RODC itself and a special krbtgt account.)
  • However, an RODC can cache passwords.
  • If a password isn’t cached, the RODC will forward the authentication request to a writeable DC.
  • The Password Replication Policy determines the user groups for which password caching will be allowed (more about this in my next post).
Administrator Role Separation
  • A domain user having the Administrator role on an RODC doesn’t have to be a domain admin.
  • A domain user having the Administrator role can do maintenance work on the RODC such as installing software.
  • If an intruder gains access to the credentials of this local administrator account, he will not be able to make changes on other domain controllers.
Prerequisites for Deploying an RODC
  • Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher.
  • Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers.
  • Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
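The Password Replication Policy is what decides how much an attacker gains from a stolen branch RODC, so it is worth inspecting regularly. The following added example (not from the TechNet FAQ) lists every RODC in the domain together with the per-RODC krbtgt account it uses (FAQ item 9 below), then shows each RODC's Allowed, Denied, Revealed and Authenticated-to lists with `repadmin /prp`. The group DN at the end is a placeholder; dsquery and repadmin are available on Windows Server 2008.

```powershell
# Added example: RODC inventory and Password Replication Policy review.
# Placeholder: $branchGroup. Run from an elevated prompt with domain admin rights.
$branchGroup = 'CN=Branch01 Users,OU=Groups,DC=example,DC=local'

# RODC computer accounts have primaryGroupID 521 (Read-only Domain Controllers);
# msDS-KrbTgtLink points at the RODC's own krbtgt_<id> account.
$rodcs = @(dsquery * -filter '(&(objectClass=computer)(primaryGroupID=521))' -attr name msDS-KrbTgtLink -limit 0)
$rodcs   # first line is the attribute header, then one row per RODC

foreach ($line in ($rodcs | Select-Object -Skip 1)) {
    $name = ($line.Trim() -split '\s+')[0]
    if (-not $name) { continue }
    Write-Host "`n=== $name : Password Replication Policy ==="
    # Allow = principals whose secrets may be cached here; Deny takes precedence over Allow.
    repadmin /prp view $name allow
    repadmin /prp view $name deny
    # Reveal = secrets currently cached on this RODC, i.e. what is exposed if the box is stolen.
    repadmin /prp view $name reveal
    # Auth2 = accounts that authenticated through this RODC; candidates for the Allow list.
    repadmin /prp view $name auth2
}

# Permit caching for one branch group on one RODC (review the Deny list first):
# repadmin /prp add RODC01 allow "$branchGroup"
```

Comparing the Reveal list against the Allow list is the quick check: anything revealed that is not a branch account usually means a domain admin logged on at the branch and should be cleaned up.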


RODC Frequently Asked Questions:
  1. What new attributes support the RODC Password Replication Policy?
  2. How can you clear a password that is cached on an RODC?
  3. Can an RODC replicate to other RODCs?
  4. What operations fail if the WAN is offline, but the RODC is online in the branch office?
  5. What operations succeed if the WAN is offline, but the RODC is online in the branch office?
  6. Will RODC support my Active Directory–integrated application?
  7. Does an RODC contain all of the objects and attributes that a writable domain controller contains?
  8. Why does the RODC not have a relative ID (RID) pool?
  9. Can I list the krbtgt account that is used by each RODC in the domain?
  10. How does the client DNS update referral mechanism work?
  11. Why doesn't the KCC on writable domain controllers try to build connections from an RODC?
  12. How does the KCC build inbound connections locally on an RODC when the RODC is supposed to be read-only?
  13. Why does an RODC have two inbound connection objects?
  14. How does RODC connection failover work?
  15. How can an administrator delete a connection object locally on an RODC?
  16. How can an administrator trigger replication to an RODC?
  17. How are writable directory partitions differentiated from read-only directory partitions?
  18. Why can an RODC only replicate the domain directory partition from a domain controller running Windows Server 2008 in the same domain?
  19. How does the KCC differentiate between domain controllers running Windows Server 2003 and domain controllers running Windows Server 2008?
  20. Why are built-in groups such as Account Operators and Server Operators specified separately in the Denied List attribute, but not in the Denied RODC Password Replication Group?
  21. What actually happens when you add a user to an Administrator Role Separation role?
  22. How can an administrator determine the closest site for any given site?
  23. Why does %logonserver% have the name of a domain controller in my hub site rather than the RODC in my site?
  24. What relevant RODC event log entries are there?
  25. Password changes are not always "chained" by an RODC. Why?
  26. How does a hub domain controller recognize that a request to replicate a password is coming from an RODC?
  27. Why does an RODC replicate in a cached password both by RSO (Replicate Single Object) operation and normal replication?
  28. Does an RODC perform password validation forwarding even when it has a password for a user?
  29. Can you remove the last domain controller in a domain if there are unoccupied (or disabled) RODC accounts in the domain?
FAQ Answers: http://technet.microsoft.com/en-us/library/cc754956%28WS.10%29.aspx

Tuesday, December 21, 2010

Migrating AD from W2K3 to W2K8

The safest and simplest way to migrate is to start by adding a Windows 2008 domain controller to your existing domain.
  1. First, prepare your 2003 forest and domain with Adprep by running adprep /forestprep, adprep /domainprep and adprep /gpprep. Do this by inserting the Windows 2008 DVD in the Windows 2003 DC; ADPREP is in the SOURCES folder on the DVD.
  2. Once done, you can either run the setup program from the 2008 DVD and do an in-place upgrade, or do a clean install on a new box and join the 2008 machine to the domain. The latter is my preferred option.
  3. If you take the latter route, assign the new 2008 computer an IP address and subnet mask on the existing network. Make sure the preferred DNS server on the new machine points to the existing DNS server for the domain (normally the existing domain controller).
  4. Join the new 2008 machine to the existing domain as a member server.
  5. From the command line, promote the new machine to a domain controller with the DCPROMO command and select “Additional Domain Controller in an existing Domain”.
  6. Once Active Directory is installed, make the new machine a global catalog server: go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default-First-Site-Name and Servers, right-click the new server, select Properties and tick the “Global Catalog” checkbox. (A global catalog is essential for logon because it must be queried to establish universal group membership.)
  7. If necessary, install DNS on the new server. Assuming you were using Active Directory-integrated DNS on the first domain controller, DNS will replicate to the new domain controller automatically along with Active Directory.
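Steps 5 to 7 can be done without the wizard by giving dcpromo an answer file, which makes the promotion repeatable across several new 2008 DCs. The following added example (not from the original post) writes a [DCInstall] answer file for an additional domain controller in an existing domain, with the global catalog and DNS options from the steps above, and runs dcpromo unattended. The key names are the documented dcpromo unattend settings; the domain, site and source DC values are placeholders.

```powershell
# Added example: unattended promotion of a 2008 member server to an additional DC.
# Placeholders: ReplicaDomainDNSName, SiteName, ReplicationSourceDC. Run as a domain
# admin on the new member server after adprep has completed on the 2003 forest/domain.
$answer = Join-Path $env:TEMP 'dcpromo-replica.txt'

# The DSRM password must be written to the answer file in clear text, so read it
# securely, keep it in the file only for the duration of dcpromo, then delete the file.
$secure = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=example.local
SiteName=Default-First-Site-Name
ReplicationSourceDC=dc2003.example.local
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="$env:SystemRoot\NTDS"
LogPath="$env:SystemRoot\NTDS"
SYSVOLPath="$env:SystemRoot\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@ | Set-Content -Path $answer -Encoding ASCII

try {
    dcpromo "/unattend:$answer"
    $rc = $LASTEXITCODE
} finally {
    Remove-Item -Path $answer -Force -ErrorAction SilentlyContinue
    $plain = $null
}

if ($rc -eq 0) {
    Write-Host 'Promotion completed; rebooting to finish.'
    Restart-Computer
} else {
    Write-Host "dcpromo returned $rc; check $env:SystemRoot\debug\dcpromo.log before retrying."
}
```

ConfirmGc=Yes covers step 6 (the new DC becomes a global catalog) and InstallDNS=Yes covers step 7, so after the reboot only the client-side DNS settings described in step 3 remain to be pointed at the new server.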