Windows Server 2016 – Get Boot Date & Time – Uptime

October 21, 2019

How to get Windows Server 2016 Boot Date & Time – Uptime

There are several ways to get this information :

1. Command line :

systeminfo | find "System Boot Time"

2. Command line Tools :

– SysInternals :
psinfo.exe | find /i "uptime"

– SysInternals : BgInfo.exe, which displays the information on the desktop background

3. WMI

wmic OS GET CSName,LastBootUpTime

4. PowerShell

$obj = Get-WmiObject Win32_OperatingSystem
$obj.ConvertToDateTime($obj.LastBootUpTime)

Get-CimInstance -ClassName win32_operatingsystem | select lastbootuptime

get-eventlog System | where-object {$_.EventID -eq "6013"} | sort -desc TimeGenerated

new-timespan -Seconds 26079971 | Select Days,Hours,Seconds

5. Event Viewer

Filter the System events with the Event ID 6013
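
The Event ID 6013 query and the New-TimeSpan conversion above can be combined to reconstruct when the server actually restarted, which is useful when checking for unexpected reboots. This is an added example, not code from the original post; the function names are hypothetical, the sample events are constructed, and the English message text "The system uptime is <n> seconds." is assumed.

```powershell
# Added example: find restarts by comparing consecutive Event ID 6013 reports.
function Get-UptimeSeconds {
    param([Parameter(Mandatory)][string]$Message)
    # Assumes the English message text "The system uptime is <n> seconds."
    if ($Message -match 'uptime is (\d+) seconds') { [long]$Matches[1] }
}

function Find-Reboot {
    param([Parameter(Mandatory)][object[]]$Events)
    $previous = $null
    foreach ($e in ($Events | Sort-Object TimeGenerated)) {
        $uptime = Get-UptimeSeconds -Message $e.Message
        if ($null -eq $uptime) { continue }
        # Uptime only grows between reports; a drop means the server restarted.
        if ($null -ne $previous -and $uptime -lt $previous.Uptime) {
            [pscustomobject]@{
                LastReportBefore = $previous.Time
                FirstReportAfter = $e.TimeGenerated
                EstimatedBoot    = $e.TimeGenerated.AddSeconds(-$uptime)
                UptimeBefore     = [timespan]::FromSeconds($previous.Uptime)
            }
        }
        $previous = [pscustomobject]@{ Time = $e.TimeGenerated; Uptime = $uptime }
    }
}

# Constructed sample: three daily reports, with a restart before the last one.
$sample = @(
    [pscustomobject]@{ TimeGenerated = [datetime]'2019-10-19 12:00:00'
                       Message = 'The system uptime is 26079971 seconds.' }
    [pscustomobject]@{ TimeGenerated = [datetime]'2019-10-20 12:00:00'
                       Message = 'The system uptime is 26166371 seconds.' }
    [pscustomobject]@{ TimeGenerated = [datetime]'2019-10-21 12:00:00'
                       Message = 'The system uptime is 3600 seconds.' }
)
Find-Reboot -Events $sample

# Live data, using the same filter as in section 4:
# Find-Reboot -Events (Get-EventLog System | Where-Object { $_.EventID -eq 6013 })
```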

Enjoy !

Windows Server 2016 – Blacklist Mobile devices on WIFI network

June 21, 2019

Let’s assume you have 2 WIFI networks. 1 for the Office users and 1 for the Guests on a separate VLAN.

Now you don’t want all the Office users using their mobile devices to log on to the local LAN.

The challenge is that if you apply MAC address filtering on the Access Point, it will block the device on both WIFI networks :-(

PREREQUISITES :

On your DHCP server you need to activate the BLOCK MAC address filtering

Open the DHCP console and enable the DENY LIST using the FILTERS Tab

Now you can add the BLOCKED MAC addresses in the DENY section

Tip :

You can also use WILDCARDS in these entries.

Solution :

Windows 2008r2 :

You can use the NETSH command to block MAC addresses on your local LAN.

netsh dhcp server v4 add filter deny 00-0c-29-fe-dd-60 "Mary's PC"

If you need to automate this on a Windows 2008r2 server you need to apply some regular expressions to grab the MAC address ,-)

Took me more than a day to figure out how to make it work :-(

Windows 2012r2 and higher :

You can use the DHCP PowerShell cmdlets

Get-DhcpServerv4Scope -cn YourServer

Set-DhcpServerv4FilterList -ComputerName "YourServer" -Allow $False -Deny $True

Get-DhcpServerv4FilterList

Add-DhcpServerv4Filter -List Allow -MacAddress "F0-DE-F1-7A-00-5E" -Description "Laptop 09"

Remove-DhcpServerv4Filter -MacAddress "F0-DE-F1-7A-00-5E"

See also here how to build a Blacklist for PUBLIC IP addresses.

Enjoy !


Windows Server 2016 – How to Blacklist Public IP Addresses, Alert Event ID 20271

June 21, 2019

If you notice unauthorised attacks on your network in your Event Viewer (Event ID 20271, Remote Access):

SOLUTION :

Create a BLACKLIST rule using Windows Firewall

Open Windows Firewall with Advanced Security by running wf.msc

On the left, select Inbound Rules, then under the Action menu, choose New Rule

On the Rule Type page, choose Custom.

On Program, choose “All programs”

On Protocol and Ports, leave the default of Any

On Scope, select “These IP addresses” in the remote addresses section and add the problematic IP address in the Add dialog

On Action, choose “Block the connection”

On Profile, leave the defaults of everything checked.

Finally, on Name give the rule a name like “Blacklisting”, and optionally a description.

 

See here on how to automate this using PowerShell Event Viewer Scanning & Firewall rules
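
One way to script the wizard steps above and feed the rule from Event ID 20271, as an added example that is not the original author's script. The function names are hypothetical, the event message wording ("connected from <address> but failed") and the System log location are assumptions, and the sample messages are constructed from documentation address ranges.

```powershell
# Added example: turn repeated Event ID 20271 failures into a block rule.
function Get-RepeatOffender {
    param(
        [Parameter(Mandatory)][string[]]$Message,
        [int]$Threshold = 3,
        [string[]]$NeverBlock = @()      # e.g. your own office or VPN egress IPs
    )
    $Message |
        ForEach-Object { if ($_ -match 'connected from (\S+) but failed') { $Matches[1] } } |
        Where-Object { $ip = $null; [ipaddress]::TryParse($_, [ref]$ip) } |
        Where-Object { $_ -notin $NeverBlock } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ RemoteAddress = $_.Name; Failures = $_.Count } }
}

function Update-BlacklistRule {
    # Same rule as the wizard: inbound, all programs, any protocol, block.
    param([Parameter(Mandatory)][string[]]$RemoteAddress, [string]$Name = 'Blacklisting')
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($rule) {
        # Keep the addresses already blocked and add the new ones.
        $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $merged  = @($current + $RemoteAddress | Sort-Object -Unique)
        Set-NetFirewallRule -DisplayName $Name -RemoteAddress $merged
    } else {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Block `
            -RemoteAddress $RemoteAddress
    }
}

# Constructed sample messages (assumed wording, documentation IP ranges).
$reason = 'but failed an authentication attempt due to the following reason: (constructed)'
$sample = @(
    "The user admin connected from 203.0.113.45 $reason"
    "The user test connected from 203.0.113.45 $reason"
    "The user guest connected from 203.0.113.45 $reason"
    "The user admin connected from 203.0.113.99 $reason"
    "The user mary connected from 198.51.100.7 $reason"
    "The user mary connected from 198.51.100.7 $reason"
    "The user mary connected from 198.51.100.7 $reason"
)
$offenders = Get-RepeatOffender -Message $sample -NeverBlock '198.51.100.7'
$offenders

# On the server, from an elevated prompt:
# $msgs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20271 } | ForEach-Object Message
# Update-BlacklistRule -RemoteAddress (Get-RepeatOffender -Message $msgs).RemoteAddress
```

The -NeverBlock list keeps a user who mistyped a password from a known address out of the rule; review the output before applying it.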

1. First check if the DENY property is set on your DHCP server

Get-DhcpServerv4FilterList

If not, you can activate it like this

Set-DhcpServerv4FilterList -ComputerName "YourDHCPServer" -Allow $False -Deny $True

Next you can list all filtered MAC addresses

Get-DhcpServerv4Filter

And check if they exist as blocked.

If you need to add extra entries you can use this command

Add-DhcpServerv4Filter -List Deny -MacAddress "F0-DE-F1-7A-00-5E" -Description "iphone 09"
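
The check-then-add procedure above, and the MAC address parsing mentioned in the earlier post on blacklisting mobile devices, can be combined into one step. This is an added example, not the original author's code; the function names are hypothetical and the device list is constructed. It normalises MAC addresses written in different notations and returns only the entries that are not yet on the deny list.

```powershell
# Added example: work out which MAC addresses still need a deny filter.
function ConvertTo-DhcpMac {
    param([Parameter(Mandatory)][string]$Mac)
    # Accepts F0:DE:F1:7A:00:5E, f0def17a005e, f0de.f17a.005e, F0-DE-F1-7A-00-5E
    $hex = ($Mac.Trim() -replace '[-:.]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') { throw "Not a MAC address: '$Mac'" }
    (($hex -split '(..)') -ne '') -join '-'
}

function Get-MissingDenyEntry {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Wanted,  # MAC -> description
        [string[]]$Existing = @()                                       # MACs already denied
    )
    # Wildcard filters (containing *) are skipped here, not expanded.
    $known = @($Existing | Where-Object { $_ -notmatch '\*' } |
        ForEach-Object { ConvertTo-DhcpMac $_ })
    foreach ($entry in $Wanted.GetEnumerator()) {
        $mac = ConvertTo-DhcpMac $entry.Key
        if ($known -notcontains $mac) {
            [pscustomobject]@{ MacAddress = $mac; Description = $entry.Value }
            $known += $mac      # also drops duplicates inside $Wanted
        }
    }
}

# Constructed sample: one device already denied, one new device listed twice.
$existing = @('F0-DE-F1-7A-00-5E')
$wanted = [ordered]@{
    'f0:de:f1:7a:00:5e' = 'iphone 09'
    '00-0c-29-fe-dd-60' = "Mary's PC"
    '000C.29FE.DD60'    = "Mary's PC (same device, other notation)"
}
Get-MissingDenyEntry -Wanted $wanted -Existing $existing

# On the DHCP server (Windows 2012r2 and higher):
# $existing = (Get-DhcpServerv4Filter -List Deny).MacAddress
# Get-MissingDenyEntry -Wanted $wanted -Existing $existing | ForEach-Object {
#     Add-DhcpServerv4Filter -List Deny -MacAddress $_.MacAddress -Description $_.Description
# }
```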

 

See here on how to Blacklist based on MAC Address

 

Safety First …

Done !


Windows Server 2016 – Windows Update Center closes immediately

March 10, 2019

Opening the Windows Update Center closes immediately … ?

The main reason is that the Windows 2016 SoftwareDistribution folder has become corrupted.

SOLUTION :

Clean the C:\Windows\SoftwareDistribution folder…

See here for the procedure

https://www.windowscentral.com/how-clear-softwaredistribution-folder-windows-10

After this cleanup everything was back to normal


Windows Server 2016 – ServerEssentials DesignatedActiveDirectoryServerDown Event ID 1280 Error

December 20, 2018

After removing a DC and cleaning up the metadata I still got errors relating to DesignatedActiveDirectoryServerDown ?

I rechecked all settings and still had some references in the DNS.

But even after removing all of this it was still complaining ?

Solution :

Open the registry and go to :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\ADContext

The ConnectedDc value was pointing to the old DC server.

Correct the value so that it points to the current DC, overwriting the registry entry with the proper value of the local server.

Restart the dashboard for the change to take effect.

Next go on searching for more references in the registry

https://support.microsoft.com/en-us/help/332199/domain-controllers-do-not-demote-gracefully-when-you-use-the-active-di

If there is an entry for Src Root Domain Srv, right-click the value and then click Delete.

This value must be deleted so that the domain controller sees itself as the only domain controller in the domain after promotion.

Remove these registry entries :

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Root Domain Srv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Root Domain Srv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Root Domain Srv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Srv objectGuid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Srv objectGuid
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Srv objectGuid

Reboot the server and check again.

Enjoy!


Windows Server 2016 – Disk Event ID 153 Errors

December 18, 2018

I got a lot of Disk Errors Event ID 153 every day when using Windows Backup. Every day at the same time more or less.

Analysis :

First we need to find out which one is Disk 4 ?

Open the registry and go to : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk\Enum

You will see that I had 4 disks, of which number 4 is a USB memory card storage device…

It will match up with the Server Manager Disks

Next start the Command Line using Admin Privileges

And run this command

set DEVMGR_SHOW_NONPRESENT_DEVICES=1

devmgmt.msc

Go to Portable Devices and check the drive letters

In my case it is G: drive ?

On the GENERAL tab you can read that the device is NOT ENABLED

Use WMIC to get more information on the PDO name (Device\00000xxx) reported in the Event ID

Use this command to get all drivers detailed information :

 

wmic /output:c:\temp\drivers.txt path Win32_PnPSignedDriver

And look for the device number in the column PDO

If you don’t find it, it means it is a STALE device that can be removed.

See here on how to…

Solution :

In our case we had to disable the INTERNAL SD Card Slot using the BIOS.

Use these steps on an HP server :

UEFI System Utilities and Shell Command Mobile Help for HPE ProLiant Gen9 Servers and HPE Synergy

Going to System Utilities – by pressing F9

Enabling or disabling the Internal SD Card Slot

Procedure :

1. From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > System Options > USB Options > Internal SD Card Slot and press Enter.

2. Select a setting and press Enter:

a. Enabled—The server can access the internal SD card slot.

b. Disabled—The server cannot access the internal SD card slot.

3. Press F10.

Enjoy!


Windows Server 2016 – Remote Desktop TermDD Event ID 56 Error

December 18, 2018

On a Server running Remote Desktop Services you can encounter the TermDD Event ID 56 Error

Solution :

1. Open the Remote Desktop Session Host Configuration

2. Double click RDP-Tcp in the Connections block

3. On the General tab, change the Security layer pull down box from Negotiate to RDP Security Layer.

The issue is caused by the latest Security Update related to CredSSP encryption oracle remediation.

See here

Enjoy