How to Perform Certificate Authority (CA) Maintenance

You can perform Certificate Authority maintenance on your Certificate Authority servers in three stages, according to your needs. Regular maintenance keeps the Certificate Authority system performing well and reduces its attack surface.

  • Certificate Authority Backup
  • Certificate Authority Transaction Log Truncate
  • Certificate Authority Database Defrag

Certificate Authority Backup

If your backup application supports a dedicated Certificate Authority backup, you can use that instead.

The method described here backs up the Certificate Authority environment without third-party applications.

Exporting Certificate Authority Registry Values: Export the Certificate Authority registry values from both the “CertSvc” key and its “Configuration” subkey so that the backup is complete.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

This registry key contains the configuration information of the Certificate Authority.

Initiating the Backup Process: After exporting the registry, start the backup process from the Certificate Authority console.

Backup Selection: Select “Private key and CA certificate” and “Certificate database and certificate log”, then specify the backup path before proceeding.

Certificate Authority Transaction Log Truncate

When you look in the Certificate Authority database directory, you will see transaction log files generated by the Certificate Authority.

You can view the database and log files of the Certificate Authority by running the following command in the command prompt:

certutil -databaselocations

Depending on the usage of the Certificate Authority, these log files may accumulate in large numbers and cause disk space issues.

To truncate these log files, simply take a backup through the Certificate Authority console.

Automatic Log Truncation: Completing the backup process automatically truncates the logs.
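The backup steps above, and the log truncation they trigger, as an added PowerShell example that is not the article's own code. It assumes D:\CABackup as the destination and the certutil backup layout (a .p12 in the target folder and the database under DataBase\); certutil -backup truncates the transaction logs when it completes unless KeepLog is passed.

```powershell
# Added example: scripted equivalent of the console backup (registry + key/cert + database).
#Requires -RunAsAdministrator

$backupRoot = 'D:\CABackup'                       # assumed destination, adjust to your environment
$backupDir  = Join-Path $backupRoot (Get-Date -Format 'yyyyMMdd_HHmmss')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Registry: exporting the CertSvc key also captures its Configuration subkey.
$regFile = Join-Path $backupDir 'CertSvc.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export failed with exit code $LASTEXITCODE" }

# 2. Private key + CA certificate + database + log. The password protects the exported key;
#    certutil requires the target folder to be empty or not exist yet.
$secure   = Read-Host -Prompt 'Password for the exported CA key' -AsSecureString
$password = [System.Net.NetworkCredential]::new('', $secure).Password
$caDir    = Join-Path $backupDir 'CA'
& certutil.exe -p $password -backup $caDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 3. Verify the pieces exist before trusting this backup (layout assumed, see lead-in).
$p12 = Get-ChildItem -Path $caDir -Filter '*.p12' -ErrorAction SilentlyContinue
$edb = Get-ChildItem -Path (Join-Path $caDir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $p12 -or -not $edb) { throw "Backup incomplete in ${caDir}: .p12 or database file missing" }

Write-Host "Registry : $regFile"
Write-Host "CA backup: $caDir ($($p12.Name), $($edb.Name))"
```

Keep the .p12 password in a password manager rather than in the script; anyone holding the file and the password holds the CA's signing key.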

Certificate Authority Database Defrag

Certificate Authority Database: The Certificate Authority server stores certificates and configurations in a .edb database file.

This database can grow in size depending on the status of the certificates in your environment (revoked, issued, pending, failed) and templates.

As the database size increases, the backup process will take longer. Therefore, it is important to monitor the database size.

Defragmentation Requirement: If the database size increases significantly, run a defragmentation process to optimize performance.

To perform a defrag operation, follow these steps:

  • Stop the CA service

You can do this through the Certificate Authority console or by running the following command in Command Prompt (Run as Administrator):

net stop certsvc

  • Run the defrag operation

Execute the following command in Command Prompt (Run as Administrator):

esentutl /d "FULL-PATH-TO-EDB-FILE"

The duration of the defragmentation process will vary depending on the database size.

  • Restart the CA service

Restarting the CA Service: After completing the defragmentation, restart the CA service to apply changes.

net start certsvc

You can check your database size after the defrag process.

This process helps optimize the database and ensures that the Certificate Authority server operates efficiently.
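The three defrag steps above as one added PowerShell script, not the article's own code, with the database size recorded before and after. It assumes the CA name and database folder can be read from the "Active" and "DBDirectory" values under CertSvc\Configuration; compare the resulting path with the output of "certutil -databaselocations" before running it.

```powershell
# Added example: offline defragmentation of the AD CS database with size check and safe restart.
#Requires -RunAsAdministrator

$cfg     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$edbPath = Join-Path $cfg.DBDirectory ('{0}.edb' -f $cfg.Active)   # assumed: <DBDirectory>\<CA name>.edb
if (-not (Test-Path -LiteralPath $edbPath)) { throw "CA database not found at $edbPath" }

# esentutl writes a compacted copy next to the original, so the volume needs room for a second file.
$edb        = Get-Item -LiteralPath $edbPath
$sizeBefore = $edb.Length
if ($edb.PSDrive.Free -lt ($sizeBefore * 1.2)) {
    throw ('Not enough free space on drive {0} for a temporary copy of the database' -f $edb.PSDrive.Name)
}
Write-Host ('Database size before defrag: {0:N0} MB' -f ($sizeBefore / 1MB))

# 1. Stop the CA service (same as "net stop certsvc").
Stop-Service -Name CertSvc
try {
    # 2. Offline defragmentation; /t keeps the temporary database on the same volume.
    $tempDb = Join-Path $cfg.DBDirectory 'tempdfrg.edb'
    & esentutl.exe /d $edbPath "/t$tempDb"
    if ($LASTEXITCODE -ne 0) { throw "esentutl /d failed with exit code $LASTEXITCODE" }
}
finally {
    # 3. Start the CA again even if the defrag failed, so certificate issuance is not left down.
    Start-Service -Name CertSvc
}

$sizeAfter = (Get-Item -LiteralPath $edbPath).Length
Write-Host ('Database size after defrag:  {0:N0} MB ({1:N0} MB reclaimed)' -f ($sizeAfter / 1MB), (($sizeBefore - $sizeAfter) / 1MB))
```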
If you found this article helpful, feel free to share it with your team and check out my blog for more quick tips and insights!

How To: Subnet Creation Dates in Active Directory

Managing an Active Directory (AD) environment requires a clear understanding of its configuration, including its network subnets. Knowing when specific subnets were added can provide valuable insights for audits, troubleshooting, and change tracking. However, this information is not readily visible in the default Active Directory tools. To address this, I created a script that retrieves and displays the creation dates of subnets in Active Directory.

In this article, I’ll share the purpose of this script, explain how it works, and provide usage instructions. If you’ve been looking for a way to streamline your subnet management tasks, this solution might be just what you need.

Subnet creation dates can be important for:

  1. Auditing: Keeping a record of when changes were made.
  2. Troubleshooting: Identifying if a recent subnet addition aligns with network changes.
  3. Change Management: Ensuring compliance with organizational policies.

While the default AD tools allow you to manage subnets, they lack detailed tracking capabilities. This script bridges that gap by retrieving and displaying the creation timestamps.

The script leverages PowerShell and Active Directory cmdlets to query the CN=Subnets container. By parsing the whenCreated attribute of each subnet object, it provides a clear list of subnets along with their creation dates. Below is a summary of its functionality:

  1. Connects to the Active Directory environment.
  2. Queries the CN=Subnets container.
  3. Retrieves the whenCreated attribute for each subnet.
  4. Outputs the data in a readable format (e.g., table or CSV).

Before running the script, ensure the following:

  • You have administrative privileges to access the CN=Subnets container.
  • PowerShell 5.1 or later is installed on your machine.
  • The Active Directory module for Windows PowerShell is installed.

When you execute the script, it prints the total subnet count, a table of the subnets, and the path of the exported CSV file.

Active Directory Subnet History script:

# Import the Active Directory module
Import-Module ActiveDirectory

try {
    # Retrieve the Configuration container
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Retrieve subnet information
    $subnets = Get-ADObject -Filter 'objectClass -eq "subnet"' `
        -SearchBase "CN=Subnets,CN=Sites,$configNC" `
        -Properties Name, Description, Location, whenCreated, whenChanged, siteObject

    # Process the results
    $subnetInfo = $subnets | Select-Object @{
        Name = "Subnet"
        Expression = { $_.Name }
    },
    @{
        Name = "Created Date"
        Expression = { $_.whenCreated }
    },
    @{
        Name = "Last Modified"
        Expression = { $_.whenChanged }
    },
    @{
        Name = "Location"
        Expression = { if ($_.Location) { $_.Location } else { "Not Specified" } }
    },
    @{
        Name = "Description"
        Expression = { if ($_.Description) { $_.Description } else { "No Description" } }
    },
    @{
        Name = "Associated Site"
        Expression = {
            if ($_.siteObject) {
                # siteObject is the site's DN; keep only the CN value
                ($_.siteObject -split ',')[0] -replace 'CN='
            } else {
                "No Site Associated"
            }
        }
    }

    # Display the total count
    Write-Host "Total Number of Subnets:" $subnets.Count -ForegroundColor Green
    Write-Host "`nDetailed Subnet Information:" -ForegroundColor Yellow
    Write-Host "------------------------`n"

    # Print to screen
    $subnetInfo | Format-Table -AutoSize

    # Export to CSV
    $exportPath = "AD_Subnets_Export_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv"
    $subnetInfo | Export-Csv -Path $exportPath -NoTypeInformation -Encoding UTF8
    Write-Host "`nExported to:" $exportPath -ForegroundColor Cyan

} catch {
    Write-Host "Error occurred: $_" -ForegroundColor Red
    Write-Host "`nCheck if you have the following prerequisites:" -ForegroundColor Yellow
    Write-Host "1. Running PowerShell as Administrator" -ForegroundColor Yellow
    Write-Host "2. Domain Admin or appropriate permissions" -ForegroundColor Yellow
    Write-Host "3. Active Directory PowerShell module is installed" -ForegroundColor Yellow
    Write-Host "4. Running on a domain-joined machine" -ForegroundColor Yellow
}

While this script fulfills its primary purpose, there’s always room for improvement. Some potential enhancements include:

  • Adding filtering options to display subnets created within a specific timeframe.
  • Incorporating logging functionality for audit purposes.
  • Automating the script to run periodically and generate reports.
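The first two enhancements (timeframe filter and a log for audits) applied to the same CN=Subnets query, as an added example that is not the article's script. The function name, parameter names and the log path are this example's own choices.

```powershell
# Added example: the subnet query as a function with a server-side "created after" filter.
function Get-ADSubnetHistory {
    [CmdletBinding()]
    param(
        [datetime]$CreatedAfter = [datetime]::MinValue,   # only subnets created at/after this time
        [string]$Server                                   # optional domain controller to query
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Subnets,CN=Sites,$configNC"

    # whenCreated is stored as Generalized Time, so the cutoff is formatted the same way and
    # evaluated by the DC instead of pulling every subnet and filtering locally.
    $cutoff     = $CreatedAfter.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    $ldapFilter = "(&(objectClass=subnet)(whenCreated>=$cutoff))"

    $query = @{
        LDAPFilter = $ldapFilter
        SearchBase = $searchBase
        Properties = 'whenCreated', 'whenChanged', 'siteObject', 'Location', 'Description'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADObject @query | ForEach-Object {
        $site = if ($_.siteObject) { ($_.siteObject -split ',')[0] -replace '^CN=' } else { 'No Site Associated' }
        $loc  = if ($_.Location) { $_.Location } else { 'Not Specified' }
        [pscustomobject]@{
            Subnet       = $_.Name
            CreatedDate  = $_.whenCreated
            LastModified = $_.whenChanged
            Site         = $site
            Location     = $loc
        }
    } | Sort-Object CreatedDate
}

# Subnets added in the last 30 days, shown on screen and appended to a dated audit file (assumed path).
$recent = Get-ADSubnetHistory -CreatedAfter (Get-Date).AddDays(-30)
$recent | Format-Table -AutoSize
$recent | Export-Csv -Path "C:\Logs\AD_Subnets_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation -Encoding UTF8
```

A subnet that appears in this list without a matching change record is exactly the kind of unexplained configuration change an audit should flag.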

This script provides a straightforward way to retrieve subnet creation dates in Active Directory, making it easier to manage and audit your network environment. Feel free to try it out.

You can also check this article on finding missing subnets in your environment.

Have a nice day !

Automatically Deleting Files and Folders When Disk Space is Low

If you need to automatically delete files and folders when disk space on your drive falls below a certain threshold, you can use a PowerShell script to accomplish this task. Here’s how you can set it up.

PowerShell Script

This script will delete files and directories under a specified path when the available disk space is less than 5 GB.

# Define the path to the directory
$directoryPath = "C:\DeleteFilesFolder\"

# Set the threshold for disk space (in bytes)
$threshold = 5GB

# Get the drive information
$drive = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -eq "C:\" }

# Check the available free space on the drive
if ($drive.Free -lt $threshold) {
    # Get all files in the specified directory and subdirectories
    $files = Get-ChildItem -Path $directoryPath -Recurse -File

    # Loop through and delete each file
    foreach ($file in $files) {
        Remove-Item -Path $file.FullName -Force
        Write-Output "Deleted file: $($file.FullName)"
    }

    # Get all directories in the specified directory and subdirectories, deepest first
    $directories = Get-ChildItem -Path $directoryPath -Recurse -Directory | Sort-Object -Property FullName -Descending

    # Loop through and delete each directory (the files inside were already removed above)
    foreach ($directory in $directories) {
        Remove-Item -Path $directory.FullName -Recurse -Force
        Write-Output "Deleted directory: $($directory.FullName)"
    }

    Write-Output "All files and directories in $directoryPath and its subdirectories have been deleted due to low disk space."
} else {
    Write-Output "Sufficient disk space available: $($drive.Free / 1GB) GB free."
}

Explanation of the Script

  1. $directoryPath: Specifies the directory path where files and folders will be deleted.
  2. $threshold: Sets the disk space threshold to 5 GB.
  3. $drive: Checks the free space available on the C: drive.
  4. if ($drive.Free -lt $threshold): Checks if the available free space is less than 5 GB.
  5. Get-ChildItem -Path $directoryPath -Recurse -File: Gets all files in the specified directory and subdirectories.
  6. Remove-Item -Path $file.FullName -Force: Deletes each file without user interaction.
  7. Get-ChildItem -Path $directoryPath -Recurse -Directory | Sort-Object -Property FullName -Descending: Gets all directories in descending order to ensure deletion from the deepest level first.
  8. foreach ($directory in $directories): Deletes each remaining directory (now empty, since its files were removed in the previous step) without user interaction.
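A more defensive variant of the same task, added here and not part of the original script: it deletes the oldest files first and stops as soon as the drive is back above the threshold, refuses to run against a drive root, removes only directories that are actually empty, logs every removal, and supports -WhatIf for a dry run. The directory and log paths are assumptions.

```powershell
# Added example: threshold-driven cleanup with safety guard, audit log and dry-run support.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DirectoryPath = 'C:\DeleteFilesFolder\',               # assumed, as in the script above
    [long]$Threshold = 5GB,
    [string]$LogFile = 'C:\Scripts\Logs\ClearIncomingQueue.log'     # assumed log location
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# Guard: never run the cleanup against a drive root, even through a misconfigured parameter.
$target = (Get-Item -LiteralPath $DirectoryPath).FullName.TrimEnd('\')
$root   = [System.IO.Path]::GetPathRoot($target)
if ($target -eq $root.TrimEnd('\')) { throw "Refusing to clean a drive root: $DirectoryPath" }
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

$drive = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -eq $root }
if ($drive.Free -ge $Threshold) {
    Write-Log ('Sufficient disk space: {0:N1} GB free' -f ($drive.Free / 1GB))
    return
}

# Oldest files first; stop as soon as the drive is back above the threshold.
$reclaimed = 0L
foreach ($file in Get-ChildItem -Path $target -Recurse -File | Sort-Object LastWriteTime) {
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete file')) {
        Remove-Item -LiteralPath $file.FullName -Force
        $reclaimed += $file.Length
        Write-Log "Deleted file: $($file.FullName) ($($file.Length) bytes)"
    }
    if ((Get-PSDrive -Name $drive.Name).Free -ge $Threshold) { break }   # re-read, do not assume
}

# Remove only directories that are now empty, deepest first.
Get-ChildItem -Path $target -Recurse -Directory | Sort-Object FullName -Descending |
    Where-Object { -not (Get-ChildItem -LiteralPath $_.FullName -Force) } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete empty directory')) {
            Remove-Item -LiteralPath $_.FullName -Force
            Write-Log "Deleted empty directory: $($_.FullName)"
        }
    }
Write-Log ('Reclaimed {0:N1} GB; {1:N1} GB free now' -f ($reclaimed / 1GB), ((Get-PSDrive -Name $drive.Name).Free / 1GB))
```

Run it once with -WhatIf to see exactly what would be removed before scheduling it.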

Running the Script Manually

  1. Open PowerShell as Administrator.
  2. Run the Script:
    C:\Scripts\ClearIncomingQueue.ps1

Automating the Script with Task Scheduler

You can use Task Scheduler to automate the script.

  1. Open Task Scheduler: Open it by typing taskschd.msc in the Run dialog.
  2. Create a New Task:
    • Right-click and select “Create Task”.
    • General tab: Name your task (e.g., “Clear Files and Folders”).
    • Triggers tab: Click “New” and choose the schedule (e.g., daily).
    • Actions tab: Click “New” and select “Start a program”. Enter powershell.exe as the program/script.
    • In the “Add arguments (optional)” field, enter:
      -File "C:\Scripts\ClearIncomingQueue.ps1"
    • Conditions tab: Check “Start the task only if the computer is on AC power”.
    • Settings tab: Check “If the task fails, restart every” and set an interval.
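The same Task Scheduler configuration created from PowerShell instead of the GUI, as an added example that is not part of the original steps. The task name, script path and run time are assumptions; the default settings set already refuses to start on battery power, which is the "AC power" condition above.

```powershell
# Added example: register the cleanup task with a daily trigger, AC-only start and restart on failure.
$scriptPath = 'C:\Scripts\ClearIncomingQueue.ps1'   # assumed, as in the steps above

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Daily -At '03:00'
# DisallowStartIfOnBatteries is the default, so no switch is needed for the AC power condition.
$settings = New-ScheduledTaskSettingsSet -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 10) `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2)
# SYSTEM has the rights to delete under the path and needs no stored password.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'Clear Files and Folders' -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force | Out-Null

Get-ScheduledTask -TaskName 'Clear Files and Folders' | Select-Object TaskName, State
```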

This setup ensures that files and directories under the specified path are automatically deleted when the available disk space falls below 5 GB, without any user interaction.

Simple, Easy, Useful

Have a nice day !

How to Upgrade Failover Cluster Functional Level

When you add nodes running a newer operating system version to your Windows Failover Cluster, you will see "Functional Level" mismatch warnings in your failover cluster logs.

These warnings appear because the nodes in the cluster run different operating system versions while the cluster functional level still reflects the older one.

You can follow the steps below to update the functional level:

  • To view the Failover Cluster Functional Level version
    Get-Cluster | select ClusterFunctionalLevel
  • To upgrade the Failover Cluster Functional Level version
    Update-ClusterFunctionalLevel
  • To view the upgrade process of the Failover Cluster Functional Level version
    Get-Cluster | select ClusterFunctionalLevel
  • In Windows Server 2019 the Clustering team introduced a new PowerShell cmdlet to check how many nodes of the cluster are running on which level
    "Get-ClusterNodeSupportedVersion" helps you to identify the Cluster Functional Level and the Cluster Upgrade Version.
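The steps above with the checks a practitioner wants before the irreversible part, as an added example that is not from the original post: it raises the functional level only when every node is Up and reports the same OS build, and shows the level before and after.

```powershell
# Added example: guarded functional-level upgrade. Update-ClusterFunctionalLevel cannot be rolled back.
Import-Module FailoverClusters -ErrorAction Stop

$nodes = Get-ClusterNode
$down  = $nodes | Where-Object State -ne 'Up'
if ($down) { throw "Nodes not Up: $($down.Name -join ', ')" }

# All nodes must already run the new OS; a mixed cluster is exactly what causes the warnings.
$builds = $nodes | Select-Object -ExpandProperty BuildNumber -Unique
if ($builds.Count -gt 1) {
    $nodes | Format-Table Name, State, MajorVersion, MinorVersion, BuildNumber -AutoSize
    throw "Mixed OS builds in the cluster ($($builds -join ', ')); finish the node upgrades first."
}

$before = (Get-Cluster).ClusterFunctionalLevel
# Windows Server 2019 and later: per-node view of the current level and the level an upgrade reaches.
if (Get-Command Get-ClusterNodeSupportedVersion -ErrorAction SilentlyContinue) {
    Get-ClusterNodeSupportedVersion | Format-Table -AutoSize
}

Update-ClusterFunctionalLevel            # prompts for confirmation; there is no way back afterwards
$after = (Get-Cluster).ClusterFunctionalLevel
Write-Host "ClusterFunctionalLevel: $before -> $after"
```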

The table below shows the values and each corresponding functional level:

For more detailed information:

Have a nice day!

How to Fix Failed While Applying Switch Port Settings ‘Ethernet Switch Port VLAN Settings’

If you get the following error when you try to change a VLAN on a virtual server running on Hyper-V:

"Error applying Network Adapter changes"
"The operation failed. Failed while applying switch port settings 'Ethernet Switch Port VLAN Settings' on switch 'Vs': One or more arguments are invalid (0x80070057)."

The root cause of this problem is the network mode of the virtual server's adapters; the example here is an F5 virtual appliance.
In this example the F5 virtual appliance has more than one network adapter, some in trunk mode and some in access mode.

You will get the error when you change the VLAN of the trunk-mode adapter from the Hyper-V Failover Cluster GUI.

To fix this problem, you can follow the steps below;

  • First, view the adapters on the virtual server and their modes.
    Get-VMNetworkAdapterVlan -VMName servername
  • Remove the tag from the network adapter that is in trunk mode.
    Set-VMNetworkAdapterVlan -VMName servername -VMNetworkAdapterName NIC3 -Untagged
  • Set access mode with the VLAN ID.
    Set-VMNetworkAdapterVlan -VMName servername -VMNetworkAdapterName NIC3 -Access -VlanId 715
  • View the change.
    Get-VMNetworkAdapterVlan -VMName servername
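The same fix as the four steps above, as an added PowerShell example that is not the post's own commands: it lists all adapter modes, only touches the named adapter if it really is in Trunk mode, and verifies the result instead of assuming it. VM name, adapter name and VLAN ID reuse the post's placeholders.

```powershell
# Added example: trunk -> untagged -> access conversion with verification.
param(
    [string]$VMName  = 'servername',   # placeholder from the post
    [string]$Adapter = 'NIC3',
    [int]$VlanId     = 715
)

# Step 1: all adapters and their VLAN modes, for the record.
Get-VMNetworkAdapterVlan -VMName $VMName | Format-Table -AutoSize

$before = Get-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $Adapter -ErrorAction Stop
if ($before.OperationMode -ne 'Trunk') {
    Write-Host "$Adapter is in $($before.OperationMode) mode, not Trunk; change the VLAN the usual way."
    return
}
Write-Host ("{0}: native VLAN {1}, allowed {2}" -f $Adapter, $before.NativeVlanId, ($before.AllowedVlanIdList -join ','))

# Steps 2 and 3: clear the trunk configuration first, then set access mode with the VLAN.
Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $Adapter -Untagged
Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $Adapter -Access -VlanId $VlanId

# Step 4: verify rather than trust the absence of an error.
$after = Get-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $Adapter
if ($after.OperationMode -ne 'Access' -or $after.AccessVlanId -ne $VlanId) {
    throw "Verification failed: mode=$($after.OperationMode) vlan=$($after.AccessVlanId)"
}
Write-Host "$Adapter is now in Access mode on VLAN $VlanId"
```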

Have a nice day!

How to In-Place Upgrade Windows Server 2016 to Windows Server 2019?

What is the in-place upgrade?
In the simplest terms, it is the process of upgrading your Windows operating system without losing your data.

If you are going to do this on a physical server, it is useful to check the hardware compatibility first.
Hardware requirements for Windows Server

You can also see the version transitions of the operating systems in the table below.

If your server is located on a virtual platform, it is useful to take a snapshot/checkpoint before doing the in-place upgrade.

After attaching the “Windows Server 2019” .iso file to the server running “Windows Server 2016”, run "setup.exe".

On the next screen, you are asked whether to install updates. The recommended action is to install them, so continue with this option ticked.

Select the Windows version.

Select Accept to accept the terms of your licensing agreement.

Attention! Since our preference is an in-place upgrade, we continue with the "Keep personal files and apps" option.

Depending on the size of your data, the in-place upgrade process may take an average of 30 minutes to 1 hour.

If your server runs "Windows Server 2012 R2", you can’t upgrade directly to “Windows Server 2019”.
Upgrade to "Windows Server 2016" first, then upgrade to "Windows Server 2019".

PS: Disable UAC before starting the in-place upgrade, then enable it again afterwards.
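A pre-flight check for the upgrade described above, added here and not from the original post: it confirms the server is on Windows Server 2016 (2012 R2 has to go to 2016 first), reports the UAC state the PS note refers to so it can be restored afterwards, checks free space on the system drive, and reminds you to take the checkpoint on a VM. The 40 GB free-space margin is this example's own assumption.

```powershell
# Added example: in-place upgrade pre-flight checks (read-only; changes nothing on the server).
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
Write-Host "Current OS: $($cv.ProductName) (build $build)"

switch ($build) {
    9600    { throw 'Windows Server 2012 R2 cannot upgrade directly to 2019; upgrade to 2016 first.' }
    14393   { Write-Host 'Windows Server 2016 detected: direct in-place upgrade to 2019 is supported.' }
    17763   { throw 'This server is already on Windows Server 2019.' }
    default { throw "Unexpected build $build; check the supported upgrade paths before continuing." }
}

# UAC state: note it now so it can be re-enabled after the upgrade, as the PS note says.
$uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
Write-Host "UAC (EnableLUA) is currently $(if ($uac -eq 1) { 'enabled' } else { 'disabled' })"

$sysDrive = $env:SystemDrive.TrimEnd(':')
$freeGB   = [math]::Round((Get-PSDrive -Name $sysDrive).Free / 1GB, 1)
if ($freeGB -lt 40) {          # assumed margin for the new installation plus Windows.old
    Write-Warning "Only $freeGB GB free on $($env:SystemDrive); free up space before running setup.exe."
} else {
    Write-Host "$freeGB GB free on $($env:SystemDrive)"
}

# Heuristic: common hypervisors report a model containing "Virtual".
if ((Get-CimInstance Win32_ComputerSystem).Model -like '*Virtual*') {
    Write-Host 'Virtual machine detected: take a checkpoint/snapshot on the hypervisor before upgrading.'
}
```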

Have a nice day!