How to remove protection on OU in Windows Server 2012

Message: You do not have sufficient privileges to delete OU, or this object is protected from accidental deletion.

  1. Open Active Directory Users and Computers.
  2. Click on View then click on Advanced features.
  3. Right-click on the OU and select Object ta
  4. Uncheck the option Protect object from accidental deletion
  5. Remove the OU.

Remark: If this OU has AD objects under it, you will not be able to remove it if one of the objects is protected against accidental deletion.

It is a very simple solution.
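
The same steps from PowerShell, with a pre-check for the protected child objects the remark warns about. This is an added example, not part of the original post; it assumes the ActiveDirectory module is installed, and the OU distinguished name is a placeholder.

```powershell
# Added example: PowerShell equivalent of the GUI steps above.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the OU.
Import-Module ActiveDirectory

# Placeholder distinguished name; replace with the OU you intend to remove.
$ouDn = 'OU=Retired,DC=example,DC=test'

# 1. Find every object at or below the OU that still has the
#    "Protect object from accidental deletion" flag set.
$protected = Get-ADObject -SearchBase $ouDn -SearchScope Subtree -Filter * `
        -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.ProtectedFromAccidentalDeletion }

# 2. Review what would be unprotected before changing anything.
$protected | Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize

# 3. Clear the flag on exactly those objects.
#    -WhatIf only reports the change; remove it once the list looks right.
$protected | Set-ADObject -ProtectedFromAccidentalDeletion $false -WhatIf

# 4. Remove the OU and its contents. Also a dry run until -WhatIf is removed.
Remove-ADOrganizationalUnit -Identity $ouDn -Recursive -WhatIf
```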

How to Create a Storage Pool with PowerShell

The three things that are required are:
The storage pool name
Which disks to use to create the pool
The storage subsystem (Storage Spaces)

The cmdlet we use to create the storage pool is New-StoragePool. While the only
The name of the storage pool will be passed through the “FriendlyName” parameter.

The disks to create the storage pool on will be passed into the New-StoragePool in the “PhysicalDisks” parameter. Which are either pooled, or can be made even easier using the “-IsPooled” parameter (which will either provide all of the disks that are already pooled, or if set to false will all return
The Get-PhysicalDisk cmdlet can be run as part of the -PhysicalDisk parameter, or can be run previously and the results stored in a variable. If creating a script that will be reused, it’s advisable to use a variable, so that it is easier to read and understand.

Code below:

$s=Get-StorageSubSystem

$disk=Get-PhysicalDisk -FriendlyName PhysicalDisk16

New-StoragePool -FriendlyName Pool1 -StorageSubSystemUniqueId $s.UniqueId -PhysicalDisks $disk

That is all that is needed to create a basic storage pool. However, these optional parameters for New-StoragePool may provide some benefit.

Windows server cannot join an Active Directory domain due to duplicate SIDs

Issue: Windows displays the following error message:

The domain join cannot be completed because the SID of the domain you attempted to join was identical to the SID of this machine. This is a symptom of an improperly cloned operating system installation. Run sysprep on this machine in order to generate a new machine SID.

Solution:

Run sysprep.exe in a Command Prompt window to generate a new SID.

1. Type c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /reboot and press Enter in the Command Prompt window to change the SID and run OOBE.

Run sysprep.exe in the Windows Graphical User Interface (GUI) to generate a new SID.

1. Press Windows Logo+R, type sysprep.exe and press Enter to run sysprep.exe.

2. Select Enter System Out-of-Box Experience (OOBE) in System Cleanup Action, check Generalize and select Reboot in Shutdown Options to change the SID and run OOBE. Click OK to complete the process.

This information applies to Windows Server 2012 and Windows Server 2012 R2.

How to Set Up and Configure DNS in Windows Server 2012

Setting up a Domain Name System (DNS) on Windows Server involves installing the DNS Server Role. This tutorial will walk you through the DNS installation and configuration process in Windows Server 2012.
Microsoft Windows Server 2012 is a powerful server operating system capable of many different roles and functions. However, to prevent overloading production servers with features and options that are never used, Windows Server provides a modular approach in which the administrator manually installs the services needed. To set up and configure DNS, one must install the DNS Server Role on Windows Server 2012.

Install DNS Server Role in Server 2012

To add a new role to Windows Server 2012, you use Server Manager. Start Server Manager, click the Manage menu, and then select Add Roles and Features.

Click Next on the Add Roles and Features Wizard Before you begin window that pops up. (If you checked Skip this page by default sometime in the past, that page will, of course, not appear.)

Now, it’s time to select the installation type. For DNS servers, you will be selecting the Role-based or feature-based installation.

Next, you will choose which server you want to install the DNS server role on from the server pool. Select the server you want, and click next.

At this point, you will see a pop-up window informing you that some additional tools are required to manage the DNS Server. These tools do not necessarily have to be installed on the same server you are installing the DNS role on. If your organization only does remote administration, you do not have to install the DNS Server Tools.

However, in a crunch you may find yourself sitting at the server console or remotely using the console and needing to manage the DNS Server directly. In this case, you will wish you had the tools installed locally. Unless your company policy forbids it, it is typically prudent to install the management tools on the server where the DNS will be housed.

Now you should see the Features window. No need to make any changes here; just click Next.

Next is an informational window about DNS Server and what it does, although one would assume that if you’ve gotten this far, you are already aware of what it is. Click Next to move on.

This is the final confirmation screen before installation completes. You can check the box to Restart the destination server automatically, if you like. Installing the DNS Server does not require a restart, but unless you’ve planned for the downtime, keep that box unchecked, just in case.

The DNS Server role should now be installed on your server. There should be a new DNS Role tile in your Server Manager.

Configure DNS Server in Server 2012

If you are an old pro with DNS server files, Windows Server 2012 does let you edit the files directly. However, Microsoft recommends that you use the interface tools to avoid errors, especially if you are integrating DNS with Active Directory.

If you want to use the command line to configure your DNS, use the dnscmd command. For those of us who don’t memorize TechNet for fun, a few clicks is all it takes.

Within Server Manager, to configure the DNS Server, click the Tools menu and select DNS. This brings up the DNS Manager window.

We need to configure how the DNS server will work before adding any actual records. Select the DNS server to manage, then click the Action menu, and select Configure a DNS Server. This brings up the Configure a DNS Server wizard.

There are three options here. You can either: configure a forward lookup zone only, create forward and reverse lookup zone, or configure root hints only.

A forward lookup zone allows you to do the standard DNS function of taking a name and resolving it into an IP address.

A reverse lookup zone allows you to do the opposite, taking an IP address and finding its name. For example, if a user is set up to print to a printer with an IP address of 10.20.12.114, but you need to know what name that printer goes by so you can find it, a reverse lookup can help. (“Ah, hah! It’s you, Third Floor Vending Room Printer #1. Why you give me so much trouble?”)

Root hints only will not create a database of name records for lookups, but rather will just have the IP addresses of other DNS servers where records can be found. If you already have DNS set up on your network, you’ll probably want to continue using the same configuration you already have. If not, use forward and reverse for most situations. (Reverse zones typically don’t hurt anything, and they are nice to have when the need arises.)

After you’ve made your selection, click Next.

Now, you choose whether this server will maintain the zone, or if this server will have a read-only copy of the DNS records from another server.

Next enter your zone name. If this is your first DNS server, then this needs to be the root zone name for your entire organization. For example, my zone name might be arcticllama.com. If however, this server will be authoritative only for a subset, and other DNS servers will be responsible for other zones, then the name will need to reflect that. For example, us.arcticllama.com would be the zone name for just the American part of my vast corporate empire 🙂 Click next when you have entered the name.

Now, you need to choose the file name where the DNS records will be stored. The default filename is to add a .dns extension to the name of the zone you chose in the previous window. Unless you have a corporate policy stating otherwise, stick with the convention to make things easier on yourself down the line.

Next you select how this server will respond to Dynamic Updates. Although there are three choices here, only two should actually be used in production. Select the first option to allow only secure dynamic updates if you are integrating your DNS with Active Directory. Select do not allow dynamic updates if your DNS is not integrated with Active Directory and you don’t want to allow dynamic updates. Do not allow unsecured dynamic updates unless you really know what you are doing and have a very good reason for doing so.

Up next is the option to configure forwarders. If your DNS server ever gets a query for which it has no record, it can forward that request on to another DNS server to see if it has the answer.

For example, in order to provide name resolution for internet connectivity, you can input your ISP name servers here, or use a DNS provider such as OpenDNS. You can (and should) have more than one server listed in case a DNS server is unreachable for some reason. The order forwarders are listed in is the order they are tried, so place your fastest and most reliable forwarder at the top of the list.

Click Next and your DNS server is now configured and ready for use.
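
The wizard's choices expressed as DnsServer-module cmdlets, followed by an audit for zones that accept unsecured dynamic updates. This is an added example, not part of the original tutorial; the zone name and printer subnet come from the text above, and the forwarder addresses are placeholders.

```powershell
# Added example: scripted equivalent of the Configure a DNS Server wizard,
# plus a check of the dynamic-update setting on every zone.
Import-Module DnsServer

# Forward zone stored in <zone>.dns, matching the wizard's default file name.
# -DynamicUpdate None is the "do not allow dynamic updates" choice.
Add-DnsServerPrimaryZone -Name 'arcticllama.com' `
    -ZoneFile 'arcticllama.com.dns' -DynamicUpdate None

# Reverse zone for the subnet of the tutorial's printer (10.20.12.114).
Add-DnsServerPrimaryZone -NetworkId '10.20.12.0/24' `
    -ZoneFile '12.20.10.in-addr.arpa.dns' -DynamicUpdate None

# Forwarders are tried in the order listed.
# Placeholder addresses from the documentation range; use your own resolvers.
Set-DnsServerForwarder -IPAddress '192.0.2.53', '192.0.2.54'

# Audit: list zones that accept unsecured dynamic updates, the option the
# tutorial says not to use in production.
$risky = Get-DnsServerZone | Where-Object {
    -not $_.IsAutoCreated -and $_.DynamicUpdate -eq 'NonsecureAndSecure'
}
$risky | Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate |
    Format-Table -AutoSize

# Remediate primary zones: secure-only when the zone is AD-integrated,
# otherwise no dynamic updates. -WhatIf reports without changing anything.
foreach ($zone in $risky | Where-Object ZoneType -eq 'Primary') {
    $mode = if ($zone.IsDsIntegrated) { 'Secure' } else { 'None' }
    Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate $mode -WhatIf
}
```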


Installing and Configuring DHCP role on Windows Server 2012

Installing DHCP role via new Server Manager

Ensure the computer has at least one static IP address assigned before starting the role installation.

Launch the Add Role Wizard from Server Manager.
Select DHCP server role and go through the steps needed for installation.

The last page of the wizard (which comes up after the role has been installed), provides a link – “Complete DHCP configuration”.

This provides some tasks that need to be performed to enable the DHCP server role to work properly after role installation.

Launch the DHCP post-install wizard and complete the steps required.

Creation of DHCP security groups (DHCP Administrators and DHCP Users). For these security groups to be effective, the DHCP server service needs to be restarted. This will need to be performed separately by the administrator.

Authorization of DHCP server in Active Directory (only in case of a domain-joined setup). In a domain-joined environment, the DHCP server will start serving DHCP client requests only after it is authorized. Authorization of DHCP server can only be performed by a domain user that has permissions to create objects in the Net services container in Active Directory. See how to delegate permissions to do this in Active Directory.


Figure 3: DHCP Post-Install configuration wizard – Authorization Page

If the post-install step is missed after role installation, the administrator will continue to see a notification on the action pane and also a link on the DHCP role tile on the main Server Manager page suggesting that some configuration is required. That link goes away only after completion of the post-install task.

The configuration of DHCP server parameters such as scope, options etc. is no longer available in the new Server Manager. The administrator can now launch DHCP MMC either via Server Manager (as shown below), or via the DHCP MMC application in the Start Menu, or by typing dhcpmgmt.msc at the command prompt. The administrator can now create scopes and set option values so as to be able to lease out IP addresses and provide option values to clients.

Installing via PowerShell

To install the DHCP server role via PowerShell, one needs to run the following command:
Command: Add-WindowsFeature -IncludeManagementTools dhcp
Note the extra switch (IncludeManagementTools), which is now needed, in contrast to Windows 7. Without this switch, only the DHCP server role is installed. The DHCP server RSAT tools, which include the DHCP MMC, the netsh context and the new DHCP PowerShell cmdlets, are not installed unless you give the above flag.

After the role is installed, there are a few other steps that the administrator needs to perform so that the server can work correctly and lease out addresses. This is the post-install configuration as performed by the above-mentioned post-install wizard. The administrator can either launch Server Manager and complete the DHCP post-installation task from there (as this is a UI-only task) or run the set of commands below, which are equivalent.

Creating DHCP security groups

Command: netsh dhcp add securitygroups

You will need to restart the DHCP service for these groups to become active.
Command: Restart-Service dhcpserver
Authorizing the DHCP server in Active Directory (only needed for a domain-joined setup)
Command: Add-DhcpServerInDC <hostname of the DHCP server> <IP address of the DHCP server>
Now the administrator can launch DHCP MMC either via Server Manager, or via the DHCP MMC application from the Start Menu, or by typing dhcpmgmt.msc at the command prompt. The administrator can now also create scopes and set option values so as to be able to lease out IP addresses and provide option values to clients using DHCP MMC or the new DHCP PowerShell.
If the administrator has completed the post-install configuration using PowerShell, Server Manager may still raise a flag (alert) for its completion using the post-install configuration wizard. This alert can be suppressed by notifying the Server Manager that the post-install configuration has been completed. This can be done by the below command:

Command: Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
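
A check to run before suppressing the Server Manager alert: it confirms that this server is actually authorized in Active Directory and that the DHCP service is running, and it reports any authorized DHCP server that is not on an expected list. This is an added example, not part of the original post; the allow-list host name is a placeholder.

```powershell
# Added example: verify the post-install steps before marking them complete.
# Assumes a domain-joined server with the DhcpServer module installed.
Import-Module DhcpServer

# Placeholder allow-list: the servers that are supposed to hand out leases.
$expected = @('dhcp01.example.test')

# Every DHCP server currently authorized in Active Directory.
$authorized = @(Get-DhcpServerInDC)

# Authorized servers nobody planned for deserve a closer look.
$unexpected = $authorized | Where-Object { $expected -notcontains $_.DnsName }
if ($unexpected) {
    Write-Warning 'Authorized DHCP servers not on the expected list:'
    $unexpected | Format-Table DnsName, IPAddress -AutoSize
}

# Is this host among the authorized servers, and is the service up?
$fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$selfOk     = $authorized.DnsName -contains $fqdn   # case-insensitive match
$serviceOk  = (Get-Service -Name dhcpserver).Status -eq 'Running'

if ($selfOk -and $serviceOk) {
    # Same registry value as the command above: tells Server Manager the
    # post-install configuration is done.
    Set-ItemProperty `
        -Path 'registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12' `
        -Name ConfigurationState -Value 2
    Write-Output "Post-install state recorded for $fqdn."
} else {
    Write-Warning "Not suppressing the alert: authorized=$selfOk, service running=$serviceOk."
}
```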
