Veeam 8 - AD Restore step by step - part 1

In these other articles I have already covered the new Veeam 8 capabilities and the AD restore feature:

Backup - Veeam Explorer for Microsoft Active Directory

Veeam 8 and relative upgrade from 7 version

Search for VBK Extract and go to

C:\Program Files\Veeam\Backup

Since the DC and DNS would both be unavailable, you need to copy these files to the proxy target:

  1. Veeam.Backup.Extractor.exe
  2. Extract.exe

Then launch Veeam.Backup.Extractor.exe and restore the backup to VMware.

<----- Veeam 7 and previous versions considerations ----->

There are no specific recommendations regarding domain controller backups; just make sure you have application-aware image processing enabled. You may find more information here:
In case of restore, you may encounter the situation where the DC boots in safe mode the first time. This is expected behavior, which is explained here:


Here are the application-aware requirements and the original article that explains single object recovery step by step, from which I copied some images:




Here are some best practices for DC virtualization:

Virtualizing Active Directory Six Best Practices for Domain Controllers

Here is the procedure you should follow while restoring multiple DCs into a fresh environment where no other/existing DCs are available: 

Active Directory and DR Site
Veeam uses VSS compliant backups and when restoring a DC it will automatically perform a non-authoritative restore. It's my understanding that, because of this, you don't need to worry about having the domain controllers' snapshots happen all at the exact same moment.


Boot the machine into DSRM ( bcdedit /set safeboot dsrepair )

Log in with the DS repair mode password as .\Administrator

Run the bcdedit command to set and remove dsrepair mode ( bcdedit /deletevalue safeboot )

net stop ntfrs

Open Regedit
Browse to the following key: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Add the following DWORD (32-bit) value: Repl Perform Initial Synchronizations
And leave this set to 0.

Open Regedit and expand: HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Set BurFlags to d2 (sometimes you will have to use d4, but only do this in an isolated network or it will overwrite other DCs during replication)
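The registry part of the procedure above can be scripted, which also leaves a record of the previous values. This is an added example, not part of the original post or of Veeam's tooling; the function name, its parameters and the -IsolatedNetwork guard are illustrative assumptions. It uses the .NET registry API because the PowerShell registry provider treats the "/" in the Backup/Restore key name as a path separator.

```powershell
# Added example. Run elevated on the restored DC while it is booted in DSRM.
# Set-DcRestoreFlag and its parameters are hypothetical names for this sketch.
function Set-DcRestoreFlag {
    [CmdletBinding()]
    param(
        # d2 / d4 as described in the procedure above
        [ValidateSet('D2', 'D4')]
        [string]$BurFlags = 'D2',

        # Must be passed explicitly before D4 is accepted
        [switch]$IsolatedNetwork
    )

    if ($BurFlags -eq 'D4' -and -not $IsolatedNetwork) {
        throw 'BurFlags D4 can overwrite other DCs during replication. Use -IsolatedNetwork only on an isolated network.'
    }

    $ntdsKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $frsKey  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $dword   = [Microsoft.Win32.RegistryValueKind]::DWord

    $changes = @(
        @{ Key = $ntdsKey; Name = 'Repl Perform Initial Synchronizations'; Value = 0 }
    )

    # Equivalent of "net stop ntfrs". BurFlags is an FRS setting, so it is
    # skipped when the NtFrs service is not installed on this machine.
    $frs = Get-Service -Name NtFrs -ErrorAction SilentlyContinue
    if ($frs) {
        if ($frs.Status -ne 'Stopped') { Stop-Service -Name NtFrs -Force }
        $changes += @{ Key = $frsKey; Name = 'BurFlags'; Value = [Convert]::ToInt32($BurFlags, 16) }
    }
    else {
        Write-Warning 'NtFrs service not found; BurFlags was not set.'
    }

    foreach ($c in $changes) {
        # Read the old value first so it can be put back after the restore
        $previous = [Microsoft.Win32.Registry]::GetValue($c.Key, $c.Name, $null)
        [Microsoft.Win32.Registry]::SetValue($c.Key, $c.Name, $c.Value, $dword)
        $current = [Microsoft.Win32.Registry]::GetValue($c.Key, $c.Name, $null)

        [pscustomobject]@{
            Name     = $c.Name
            Previous = if ($null -eq $previous) { '(not set)' } else { '0x{0:X}' -f $previous }
            Current  = '0x{0:X}' -f $current
            Key      = $c.Key
        }
    }
}

# Example call (left commented out so that loading the file changes nothing):
# Set-DcRestoreFlag -BurFlags D2 | Format-List
```

BurFlags sits under "Process at Startup", so it is read when the NtFrs service next starts.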



Veeam - Release Notes for Veeam Backup & Replication 8.0 Update 2

Before you start installing the patch:

Please confirm you are running version,,, or prior to installing this update. You can check this under Help | About in Veeam Backup & Replication console. After upgrading, your build will be version

Prior to installing this update please reboot the Veeam server to clear any locks on the Veeam services and when the reboot is done, please stop all the Veeam services and apply the update.

After installing the update, please start the Veeam services, open the console and allow Veeam B&R to update its components.

After upgrading to vCenter Server 6.0, due to vSphere 6 using new unique tag IDs, you must edit all existing jobs that leverage vSphere tags and re-add all required tags.

To obtain this update, please click here (you need to be logged in to download the update).

To obtain Veeam ONE v8 Update 2, please follow this link

Here is the release notes link:

SCOM 2012 - Microsoft System Center Operations Manager Field Experience

Microsoft System Center Operations Manager Field Experience

Danny Hermans, Uwe Stürtz, Mihai Sarbulescu; Mitch Tulloch, Series Editor
April 2015
128 pages

Learn how to enhance your Operations Manager environment and better understand the inner workings of the product – even if you are a seasoned Operations Manager administrator. If you are responsible for designing, configuring, implementing, or managing a Microsoft System Center Operations Manager environment, this ebook is for you. Download the PDF (3.27 MB)


7 - Upgrade Windows 7 Professional to Enterprise

There is a way to upgrade Windows 7 Professional to Windows 7 Enterprise that is not officially supported by Microsoft.

Here are the steps that you should take:

1. Create a .reg file with the following text and double-click it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductName"="Windows 7 Enterprise"

2. Insert the Windows 7 Enterprise DVD and launch its upgrade option.

[original article]

SCCM 2012 R2 to SCCM R2 SP1 upgrade process

Service pack 2 provides a bundle of updates and fixes that apply equally to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. The same update is applied to either product to bring your deployment the benefit of these updates while maintaining your current version.
The version of your site after upgrading to System Center 2012 Configuration Manager SP2 depends on the pre-upgrade version:

  • System Center 2012 R2 Configuration Manager: After installing service pack 2 your new site version will automatically update to System Center 2012 R2 Configuration Manager SP1.

  • System Center 2012 Configuration Manager SP1: After installing service pack 2 your new site version will be System Center 2012 Configuration Manager SP2.
Here is the relevant checklist to follow:

Here are some of its items:

  1. Each site in the hierarchy must run the same version of Configuration Manager prior to beginning the upgrade. This is either System Center 2012 Configuration Manager SP1 or System Center 2012 R2 Configuration Manager.
    The version of cumulative updates for Configuration Manager that are installed at a site is not evaluated, and does not affect the upgrade process or success.
  2. Before you upgrade a site, you must resolve all operational issues for the site server, the site database server, and site system roles that are installed on remote computers. A site upgrade can fail due to existing operational problems.
  3. Before you upgrade a site, install any critical updates for each applicable site system. If an update that you install requires a restart, restart the applicable computers before you start the upgrade.
  4. Disable database replicas for management points at primary sites.
    For more information, see Configure Database Replicas for Management Points.
  5. Before you upgrade a site, back up the site database to ensure that you have a successful backup to use for disaster recovery.
  6. Before you upgrade the version of a Configuration Manager site, disable any site maintenance task that might run at that site during the time the upgrade process is active. This includes but is not limited to the following:
    - Backup Site Server
    - Delete Aged Client Operations
    - Delete Aged Discovery Data
    When a site database maintenance task runs during the upgrade process, the site upgrade can fail.
    Before you disable a task, record the schedule of the task so you can restore its configuration after the site upgrade completes.
  7. Starting at the top-level site in the hierarchy, run Setup.exe from the System Center 2012 Configuration Manager SP2 source media. After the top-level site completes the upgrade and replication is Active, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site.
    Until all sites in your hierarchy upgrade to the new product version, your hierarchy operates in a mixed version mode.
  8. If you use database replicas for management points at primary sites, you must uninstall the database replicas before you upgrade the site. After you upgrade a primary site, reconfigure the database replica for management points.
  9. If you disabled database maintenance tasks at a site prior to the upgrade, reconfigure those tasks at the site using the same settings that were in place prior to the upgrade.
  10. After you upgrade a primary site, plan to upgrade clients that are assigned to that site. Although a Configuration Manager primary site or secondary site can support communication from clients that have a lower service pack version, this communication should be a temporary configuration. Clients that run a previous version of Configuration Manager cannot use the new functionality that is available with the new version of Configuration Manager.
Manual actions to do after the upgrade:
  • After the site upgrades, you must manually upgrade physical media like ISO files for CDs and DVDs or USB flash drives, or prestaged media used for Windows To Go deployments or provided to hardware vendors. Although the site upgrade updates the default boot images it cannot upgrade these media files or devices used external to Configuration Manager.

  • Plan to update non-default boot images when you do not require the original (older) version of Windows PE.

These settings are reset after the upgrade process:

- When you upgrade to System Center 2012 R2 Configuration Manager, the following Software Center items are reset to their default values:
  • Work information is reset to business hours from 5.00am to 10.00pm Monday to Friday.
  • The value for Computer maintenance is set to Suspend Software Center activities when my computer is in presentation mode.
  • The value for Remote control is set to the value in the client settings that are assigned to the computer.
- When you upgrade to System Center 2012 Configuration Manager SP2, custom summarization schedules for software updates or software update groups are reset to the default value of 1 hour. After the upgrade finishes, reset custom summarization values to the required frequency.

SCCM 2012 - SCCM 2012 R2 SP1 released improvement list

SCCM 2012 R2 SP1 has been released; here are the relevant improvements (there is an SCCM 2012 SP2 version too):

Sites and Hierarchies

  • Improvements to automatic client upgrade:
    • You can now exclude servers from automatic client upgrade.
  • You can configure preferred management points for each primary site. Preferred management points are specified like content servers, associated to a boundary when you configure boundary groups. Clients identify preferred management points from their assigned site, and then when communicating with their site, use the management point associated with their network location before using other management points from the site. For more information, see Preferred Management points.

Application Management
  • When you revise an application, the new revision now inherits all dependencies from the previous revision.
  • Configuration Manager now lets you create supersedence relationships that can update dependent applications to a newer version. For more information, see How to Use Application Supersedence in Configuration Manager.

  • Remote Differential Compression (RDC) is no longer used for every file during content distribution. As a best practice, it is now only used for files larger than 16KB.
  • Pull-distribution points now have their own controls for concurrent distribution settings to multiple pull distribution points.
  • When selecting source distribution points for a pull distribution point, you can now select source distribution points that are configured to only use HTTPS. The display does not identify if the source distribution point is HTTP or HTTPS capable, however, when you select one or more HTTPS source distribution points, you will receive a notice to ensure the pull distribution point supports your PKI infrastructure. Typically, this is accomplished by installing a PKI enabled client on the computer that hosts the pull distribution point.
  • A new notification warns you when content is distributed to a pull distribution point, and no source distribution point has been configured.
  • If a failure occurs when transferring content from a source distribution point to a pull distribution point, the pull distribution point downloads only the remaining content from the next distribution point in the source distribution point list. This saves time when transferring large packages and reduces the amount of network bandwidth used.
  • If a failure occurs when transferring content from the site server to a distribution point, when the transfer resumes it begins at the point where the failure occurred. This reduces use of bandwidth and reduces time to complete the transfer of content you deploy.
For more information, see Content Management in Configuration Manager.

Operating System Deployment
  • You can now deploy Windows 10 to compatible devices in your hierarchy.
  • Configuration Manager SP2 uses the Windows Assessment and Deployment Kit (Windows ADK) to deploy an operating system. Before you run setup, you must download and install the Windows ADK on the site server and the provider computer. Whilst the prerequisite for setup is still the Windows 8.1 ADK, Configuration Manager now supports the Windows 10 ADK also.
  • New filters and workflow when importing drivers and adding drivers to boot images to improve driver management.
  • Configuration Manager notifies you before you implement a task sequence OS deployment that could cause damage.
  • You can now configure retry options for when a computer unexpectedly restarts during the Install Application or Install Software Updates task sequence steps. For details, see Install Application or Install Software Updates.
  • Role based authentication can now be used for standalone media.
  • Enhanced audit messages for operating system deployment.
  • OS Installer Package renamed to OS Upgrade Packages.
  • Task sequence USB media now supports larger than 32GB.
  • You can now specify a start and end date for the Distribution Point Usage Summary report.
  • The following new reports have been added:
    • List of noncompliant Apps and Devices for a specified user - Displays information about users and devices that have apps installed that are not compliant with a policy you specified.
    • Summary of Users who have Noncompliant Apps - Displays information about users that have apps installed that are not compliant with a policy you specified.
    • List of devices by Conditional Access State - Displays information about the current compliance and conditional access state of devices. You can use this report with conditional access policies.
  • A new help topic List of Reports in Configuration Manager has been created to help you understand which reports are available.
For more information, see Reporting in Configuration Manager.
Configuration Manager Company Portal App
The Configuration Manager Company Portal app allows users of client Windows 8, Windows 8.1 and Windows 10 devices to view and install applications that you make available. The device must be managed by System Center 2012 R2 Configuration Manager or later, and have the client installed.
Configuration Manager and Microsoft Intune
The following new functionality and changes have been added to help you manage devices that are enrolled with Microsoft Intune from the Configuration Manager console:
  • You can now manage Windows 10 and Windows 10 mobile devices that are enrolled with Microsoft Intune. All existing Intune features for managing Windows 8.1 and Windows Phone 8.1 devices will work for Windows 10 and Windows 10 Mobile.
  • For System Center 2012 R2 Configuration Manager only: The following Extensions for Microsoft Intune that were released for System Center 2012 R2 Configuration Manager have been integrated into System Center 2012 R2 Configuration Manager SP1. If you previously installed any of these extensions, they will no longer be displayed in the Extensions for Microsoft Intune node of the Configuration Manager console.
    • iOS 7 and iOS 8 Security Settings Extension
    • Enterprise Mode Internet Explorer Extension
    • Windows Phone 8.1 Extension
    • Conditional Access Extension
    • Email Profiles Extension
    For more information about extensions, see Planning to Use Extensions in Configuration Manager.
  • You can deploy iOS apps that are free of charge from the app store. You can deploy this installer type as a required install to make it mandatory on managed devices, or deploy it as available to let users download it from the app store.

    For more information, see How to Create Applications in Configuration Manager.
  • New mobile device configuration item settings for Samsung KNOX devices.  This adds the same capabilities for Samsung KNOX device to Configuration Manager that exist in Intune, with the exception of kiosk mode. For details, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.
  • Conditional access to Exchange On-premises for mobile devices. Only devices that are enrolled with Intune and compliant with device policy are allowed to access Exchange email. For details, see Conditional Access for Exchange Email in Configuration Manager.
  • Conditional access to Exchange Online and SharePoint Online for mobile devices. Only devices that are enrolled with Intune and compliant with device policy are allowed to access Exchange email, or access SharePoint Online files from OneDrive for Business. This feature also introduces new reports that help you identify devices that will be blocked. For details, see Conditional Access for Exchange Email in Configuration Manager and Conditional Access for SharePoint Online in Configuration Manager.
  • You can now manage iOS devices purchased through Apple’s Device Enrollment program. This allows for over-the-air management of corporate-owned iOS mobile devices.
  • You can now remote lock, or reset the passcode on iOS, Android, or Windows Phone 8 and later devices from the Configuration Manager console. For details, see Help protect your data with remote wipe, remote lock, or passcode reset using Configuration Manager.
  • Mobile application management (MAM) policies let you modify the functionality of compatible apps that you deploy to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy and paste operations within a managed app, or configure an app to open all web links inside a managed browser. For details, see How to Control Apps Using Mobile Application Management Policies in Configuration Manager
  • For System Center 2012 R2 Configuration Manager only: You can now associate apps to a VPN connection on devices that run iOS 7 and later. These apps will open the VPN connection when they are launched.

    Additionally, VPN profiles now support Android 4.0 and later versions.

    For more information, see VPN Profiles in Configuration Manager.
  • Windows Phone 8.1 devices can be enrolled and managed without first uploading a Symantec certificate and a signed Company Portal app. You still have to have a Symantec certificate to side load your own software, but you can send applications that are a link to a store, or a web app to Windows Phone devices using the Company Portal.
  • Custom settings are used in a mobile device configuration item and let you deploy settings to iOS devices that are not selectable from the Configuration Manager console. You create settings in the Apple Configurator Tool, import these settings into the configuration item, then deploy these to the required devices.

    For more information, see Custom Settings for Mobile Devices in Configuration Manager.
  • Kiosk mode allows you to lock a managed iOS mobile device to only allow certain features to work. For example, you can allow a device to only run one managed app that you specify, or you can disable the volume buttons on a device. These settings might be used for a demonstration model of a device, or a device that is dedicated to performing only one function, such as a point of sale device.

    For more information, see Kiosk Mode Settings for Mobile Devices in Configuration Manager.
  • You can provision personal information exchange (.pfx) files to user’s devices including Windows 10, iOS, and Android devices. Devices can use PFX files to support encrypted data exchange.

    For more information, see How to Create PFX Certificate Profiles in Configuration Manager.
  • System Center Endpoint Protection can be used to manage endpoint protection on Windows 10 technical preview devices with Windows Defender. The endpoint protection agent is included in Windows 10 and does not need to be deployed. Be sure to include malware definitions for Windows Defender in updates for managed devices.

    For more information, see Introduction to Endpoint Protection in Configuration Manager.
  • For System Center 2012 R2 Configuration Manager only: App compliance policies let you create a list of compliant or noncompliant apps in your organization. For Windows Phone 8.1 devices, apps can be blocked from being installed or launched.

    For iOS and Android apps, you can use reports to find users and devices with noncompliant apps.

    For more information, see App Compliance for Mobile Devices in Configuration Manager
  • For System Center 2012 R2 Configuration Manager only: Configuration Manager email profiles now support Android Samsung KNOX 4.0 and later.

    For more information, see Email Profiles in Configuration Manager.

Windows 2012 R2 - DHCP cluster/failover

Windows 2012 R2 gives you the ability to run the DHCP role in cluster mode.

If you want to proceed in this way, you need the following:

  • Two Server 2012 servers have been installed and joined to your domain as member servers
  • Both servers have installed the DHCP role
  • One of the servers has been configured with your desired DHCP scopes

After that, go to the DHCP snap-in and take a look at these screenshots.

The original Microsoft TechNet articles:

Server - Commands to verify Domain Controller/Domain Status, schema version, move 5 PDC roles, export DHCP

Here are some commands, with output redirected to .txt files, that are useful to verify and monitor domain health:

dcdiag /TEST:DNS /v >> c:\temp\step1_dns.txt

netsh dhcp show server >> c:\temp\step2_dhcp.txt

dcdiag /a /v /c >> c:\temp\step3_dc.txt

repadmin /showrepl >> c:\temp\step4_replica.txt

repadmin /replsummary >> c:\temp\step5_replica_sum.txt

repadmin /replsum /errorsonly >> c:\temp\step6_replica_err.txt

repadmin /options * >> c:\temp\step7_replica_opt.txt 
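The text files produced above have to be read by eye. As an added example (not from the original post), the sketch below triages the CSV form of the same replication data, `repadmin /showrepl * /csv`, and returns only the links that need attention. The sample rows are constructed, and the function name and the 24-hour staleness threshold are assumptions.

```powershell
# Added example. The rows below are constructed sample data laid out like the
# output of "repadmin /showrepl * /csv"; they are not from a real domain.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=local",HQ,DC02,RPC,0,0,2015-06-01 10:15:02,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=example,DC=local",DR,DC03,RPC,14,2015-06-01 10:01:44,2015-05-30 22:10:11,1722
showrepl_INFO,DR,DC03,"DC=example,DC=local",HQ,DC01,RPC,0,0,2015-05-29 03:00:00,0
'@

function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory)]
        [string[]]$CsvLine,              # lines of the /csv output

        [int]$MaxAgeHours = 24,          # assumed threshold for a stale link

        [datetime]$Now = (Get-Date)
    )

    $invariant = [System.Globalization.CultureInfo]::InvariantCulture
    $noStyle   = [System.Globalization.DateTimeStyles]::None

    foreach ($row in ($CsvLine | Where-Object { $_ } | ConvertFrom-Csv)) {
        $reasons = @()

        # Failed replication attempts reported for this link
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        if ($failures -gt 0) { $reasons += "$failures failure(s)" }

        # A non-zero status is the Win32 error code of the last failure
        if ($row.'Last Failure Status' -ne '0') {
            $reasons += "last failure status $($row.'Last Failure Status')"
        }

        # A link that reports no errors can still be stale
        $lastSuccess = [datetime]::MinValue
        if (-not [datetime]::TryParse($row.'Last Success Time', $invariant, $noStyle, [ref]$lastSuccess)) {
            $reasons += 'no recorded success'
        }
        elseif (($Now - $lastSuccess).TotalHours -gt $MaxAgeHours) {
            $reasons += ('last success {0:N0}h ago' -f ($Now - $lastSuccess).TotalHours)
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Problem       = $reasons -join '; '
            }
        }
    }
}

# Offline run against the constructed sample, with a fixed "now"
Get-ReplicationProblem -CsvLine ($sampleCsv -split '\r?\n') -Now ([datetime]'2015-06-01 12:00') |
    Format-Table -AutoSize -Wrap

# On a DC: Get-ReplicationProblem -CsvLine (repadmin /showrepl * /csv)
```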

If you want to verify the schema version on a DC, you must go to the registry:


REG_DWORD Schema Version, where you will find the relevant number

If you would like to upgrade the schema before installing a new Windows 2012 R2 domain controller, you can use this article:


If you want to move the 5 AD roles to a different DC, you can do that through the GUI in different locations:

Schema master
Naming master
RID master
PDC emulator
Infrastructure master

To query which DC holds the preceding roles you can use this command:

netdom query fsmo

Otherwise, take a look at the following article:


If you want to migrate DHCP settings you can utilize this command:

Export-DhcpServer -ComputerName dcname.domain.xxxx -Leases -File C:\temp\dhcpconfig.xml -Verbose

To import DHCP settings to other Server:

Import-DhcpServer -ComputerName w12r2-dc01.nolabnoparty.local -Leases -File C:\temp\dhcpconfig.xml -BackupPath C:\temp\dhcp_backup\ -Verbose

Type Y to proceed with import.

Later you will need to authorize DHCP on the new DC.

[original article]

[update 2022.03.15]

Active Directory Health Check: Troubleshooting

WSUS - Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)

Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see Windows Server Update Services.

To import from Windows Update to WSUS

  1. Open your WSUS admin site. For example, http://WSUSServerName/WSUSAdmin/.
    Where WSUSServerName is the name of your WSUS server.
  2. Choose the top server node or the Updates node, and then click Import Updates.
  3. To get the updates, install the Microsoft Update Catalog ActiveX control.
  4. Search for Internet Explorer 11 and add its contents to your basket.
  5. After you're done browsing, go to your basket and click Import.
    You can also download the updates without importing them by unchecking the Import directly into Windows Server Update Services box.

To approve Internet Explorer in WSUS for installation

  1. Open your WSUS admin site and check the Review synchronization settings box from the To Do list.
  2. Click Synchronize now to sync your WSUS server with Windows Update, and then click Updates from the navigation bar.
  3. Enter Internet Explorer 11 into the Search Contains box, and then click Apply.
  4. Choose the right version of Internet Explorer 11 for your operating system, and click Approve for installation.
  5. Click each computer group you want to set up for the WSUS server, picking the right approval level, and then click OK.
Related Microsoft Article: 


In WSUS, click ALL UPDATES (top left) then REFRESH from the Actions Pane (top right)
Sort by APPROVAL or RELEASE DATE or something else you like and scroll to the items in question and approve them


Related articles:

Server - GPO For Firefox - Configuring Firefox with Active Directory Group Policy

Utilizing this .admx you will be able to manage every single aspect of Firefox with GPO.

You can find an adm file ready to be used for your GPO at the following link

At the same time, you need to install this add-on in Firefox. Download:

This add-on allows you to manage preferences from the Windows registry. You can then use Group Policies from Microsoft Active Directories to manage Firefox preferences.
To use this add-on you will need an additional adm file to define the registry keys that GPO for firefox add-on will read.
Currently the add-on will read its preferences from HKLM or HKCU \Software\Policies\Mozilla\LockPref for locked settings and HKLM or HKCU \Software\Policies\Mozilla\defaultPref for normal users preferences.


How this extension works: When Firefox is launched the main function reads registry and writes preferences. There is no registry observer to update preferences while Firefox is running. adm file is an administrative template that is used to build Group Policy Objects in Microsoft Active Directory. Loading this adm file allows administrator to centrally define registry setting and deploy them to groups of users and computers. Active Directory will then write the registry according to the location defined in the .adm file.
So this is a 2 step process. Use the .adm file to build a GPO that will write the registry settings for Firefox on end user computer, then use the extension to read these settings and write Firefox preferences.
The extension also contains a function that will disable the "Check for Update" menu item from Help Menu if "app.update.enabled" preference is set to false so you can keep all your computers to the same version of Firefox and make sure your environment is stable.

Since version 0.9.4 we removed the ability to hide this GPOFirefox from the extension list due to the Mozilla extension policy. Try to install this add-on at a location where the user doesn't have the rights to uninstall it (programs folder on Windows 7). Maybe we can bring this feature back in a future version, but for now we had to remove it to get a successful review by Mozilla.

The Right Thing for Windows Admins..
Perhaps some important notice:
The Plugin Itself is called When you want to distribute it to users you have to copy it to C:\Program Files (x86)\Mozilla Firefox\browser\
Then the Plugin is loaded for the user but not activated. To activate it automatically you have to set lockPref("extensions.autoDisableScopes", 0); in mozilla.cfg. To tell the Browser to load the cfg you have to create a local-settings.js file with these values:
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

For more information to this look at this good documentation:

After that you can administer firefox via reg keys.. aka group policy template.. But have a look, the template has some small minor bugs..

Here is an alternative interesting article: