How to know who restarted Windows Server 2012 R2

Good Day.

Today I am sharing with you the way to find out who restarted your Windows Server 2012 R2. In big organizations there may be hundreds of servers up and running; restarts are needed from time to time and maintenance windows have to be scheduled. Suppose an application owner tells you that his server has been restarted and he needs to know who did it, or whether it happened by accident.

Windows has a feature called the Shutdown Event Tracker. It allows admins to track why a user initiated a shutdown or restart: whenever a user shuts down or restarts the computer, the reason they give is recorded in the System event log. More information about it is documented here.

To find out who restarted a Windows server, log in to the server. The steps below were done on Windows Server 2012 R2. Launch Event Viewer (type eventvwr in Run). In the Event Viewer console expand Windows Logs, click System, and in the right pane click Filter Current Log.

e1.JPG

In the Filter Current Log box, type 1074 as the event ID. This filters the log so that only events with ID 1074 are shown.

e2.JPG

We can now see the event with ID 1074.

e3.JPG

Double-click the most recent event. In the event properties box you can see who initiated the restart of the server: the account is the one named after "on behalf of user", and the process that requested the restart and the reason given are shown as well.

The process C:\Windows\Explorer.EXE (SRV00) has initiated the restart of computer SRV00 on behalf of user POP\hisham.mezher for the following reason: Hardware: Installation (Unplanned)
Reason Code: 0x4010002
Shutdown Type: restart
Comment:

Click Close.
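The same lookup scripted in PowerShell, as an added example that is not part of the original post: it reads the System log of one or more servers with Get-WinEvent and also includes events 6008 (previous shutdown was unexpected) and 41 (Kernel-Power, the machine rebooted without a clean shutdown), so that a restart nobody initiated, the "by accident" case, shows up too. The server list, the 30-day window and the column layout are assumptions of this example, not something the post specifies.

```powershell
# Added example (not from the original post): shutdown/restart history from the System log.
# 1074 (User32)     = user- or process-initiated shutdown/restart (the event shown above)
# 6008 (EventLog)   = the previous shutdown was unexpected
# 41 (Kernel-Power) = the system rebooted without shutting down cleanly
# A 6008/41 with no 1074 shortly before it was not done by a logged-on user.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # assumption: local server by default
    [int]$Days = 30                                    # assumption: look back 30 days
)

$filter = @{
    LogName   = 'System'
    Id        = 1074, 6008, 41
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = foreach ($server in $ComputerName) {
    try {
        $found = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent also throws when nothing matched in the time window
        Write-Warning "${server}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $found) {
        # Insertion strings of 1074 follow the message template shown above:
        # %1 process, %2 computer, %3 reason, %4 reason code, %5 shutdown type, %6 comment, %7 user
        $p = $e.Properties
        if ($e.Id -eq 1074) {
            [pscustomobject]@{
                Server  = $server
                Time    = $e.TimeCreated
                EventId = $e.Id
                User    = $p[6].Value
                Process = $p[0].Value
                Type    = $p[4].Value
                Reason  = $p[2].Value
                Code    = $p[3].Value
                Comment = $p[5].Value
            }
        } else {
            [pscustomobject]@{
                Server  = $server
                Time    = $e.TimeCreated
                EventId = $e.Id
                User    = '-'
                Process = '-'
                Type    = 'unexpected'
                Reason  = $e.ProviderName + ': ' + ($e.Message -split "`r?`n")[0]
                Code    = '-'
                Comment = '-'
            }
        }
    }
}

$events | Sort-Object Time -Descending |
    Format-Table Time, Server, EventId, User, Type, Reason, Process -AutoSize
```

Run it elevated; querying a remote server needs the "Remote Event Log Management" firewall rule group enabled on the target. When the process is not Explorer.EXE or shutdown.exe but a service process acting on behalf of NT AUTHORITY\SYSTEM, the restart came from an update or management agent rather than from an admin's session, which is usually the answer the application owner is after.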

Regards.

Hisham Mezher

How to Create Active Directory snapshots?

Good Day.

Today I have a new post that will help all AD administrators with issues similar to the one I faced recently, which was comparing AD information between two points in time because some information was needed by the audit team.

The scenario is to take scheduled Active Directory snapshots and bring the AD database from a snapshot up as a separate, read-only LDAP instance, so that you can compare the data it holds with the live directory.

Basically, ntdsutil creates a shadow copy of the volumes that hold the Active Directory data (database and logs) using the Volume Shadow Copy Service (VSS) running on the server.

In order to create, view or restore AD snapshots, you need to be a member of the Domain Admins group or the Enterprise Admins group.

Let’s go through the procedure for how we can create active directory snapshots.

  1. Log in to the domain controller as a domain administrator or enterprise administrator.
  2. Right-click the Start button and select "Command Prompt (Admin)". This opens an elevated command prompt.
  3. In the command prompt type ntdsutil and press Enter to open the ntdsutil tool.
  4. Next, type activate instance ntds and press Enter.
  5. Then type snapshot and press Enter. (If no snapshot has been taken yet, type create here to take one now.)
  6. Then type list all.
  7. It lists all the snapshots that have been created.
  8. Then run mount 2 (2 is the number shown in the snapshot list; I needed to mount the one listed as number 2).
  9. As the output says, the snapshot was mounted on the C: drive: Snapshot {b616bdfc-6e38-482b-b150-0247155e64e7} mounted as C:\$SNAP_201807181211_VOLUMEC$\
  10. Then enter quit twice to exit the utility.
  11. Now, to connect to the mounted snapshot, we need to run the following (the database path is the ntds.dit inside the mounted snapshot, and the LDAP port can be any free TCP port):

     dsamain -dbpath C:\$SNAP_201807181211_VOLUMEC$\Windows\WinSxS\amd64_microsoft-windows-d..rvices-domain-files_31bf3856ad364e35_6.3.9600.18476_none_8bd6131b174d5ba6\ntds.dit -ldapport 10000

    ntds4.jpg

  12. Go to Server Manager > Tools > Active Directory Users and Computers.
  13. In the MMC, right-click Active Directory Users and Computers and select Change Domain Controller.
  14. Type the domain controller name and the port, then click OK. The port should be 10000 (the one we used with dsamain).
  15. As we can see, it connects successfully to the snapshot instance.
  16. You now have an offline copy of the AD database and can look up the information you need.

Disconnect and unmount snapshot

To stop the dsamain instance and disconnect from it, go back to the command prompt window we left open and press CTRL+C.

ntds9.jpg

  1. Type ntdsutil to enter the ntdsutil utility.
  2. Next, type activate instance ntds and press Enter.
  3. Type snapshot and press Enter.
  4. Type list all.
  5. This lists all the snapshots that have been created.
  6. Type unmount 2 (2 is the number of the snapshot I mounted). This unmounts the snapshot.
  7. Enter quit twice to exit.

ntds11
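The whole procedure, create, mount, dsamain, compare and unmount, as one script. This is an added example and not the post's own code: it runs from an elevated PowerShell session on the domain controller, finds the snapshot copy of ntds.dit from the "DSA Database file" registry value (by default C:\Windows\NTDS\ntds.dit) rather than typing a path by hand, and compares one account between the snapshot and the live directory with Get-ADUser. The account name, the use of port 10000, the 60-second wait for dsamain and the assumption that the database volume is the first "mounted as" line ntdsutil prints are all assumptions of this example.

```powershell
# Added example (not from the original post): AD snapshot create/mount/compare/unmount in one go.
# Assumptions: run elevated on a DC (ntdsutil, dsamain and the ActiveDirectory module present),
# TCP port $LdapPort is free, the database volume is the first volume ntdsutil reports as mounted.
param(
    [string]$SamAccountName = 'someuser',   # assumption: the account to compare
    [int]$LdapPort = 10000
)

# ntdsutil takes its menu commands as arguments, one quoted string per prompt level
function Invoke-Ntdsutil([string[]]$Commands) {
    $out = & ntdsutil.exe 'activate instance ntds' snapshot @Commands quit quit 2>&1
    $out -join "`n"
}

# 1. create: ntdsutil prints "Snapshot set {GUID} generated successfully."
$createOut = Invoke-Ntdsutil create
$guid = [regex]::Match($createOut, '\{[0-9a-f-]{36}\}', 'IgnoreCase').Value
if (-not $guid) { throw "snapshot create failed:`n$createOut" }

# 2. mount by GUID (the manual steps above mount by list index); prints "... mounted as <path>"
$mountOut  = Invoke-Ntdsutil "mount $guid"
$mountPath = [regex]::Match($mountOut, 'mounted as (\S+)').Groups[1].Value
if (-not $mountPath) { throw "mount failed:`n$mountOut" }

try {
    # 3. the live DIT location is recorded in the registry; the same relative path inside the
    #    mounted volume copy is the snapshot's database
    $liveDit = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $snapDit = Join-Path $mountPath ($liveDit -replace '^[A-Za-z]:\\', '')
    if (-not (Test-Path $snapDit)) { throw "no ntds.dit at $snapDit" }

    # 4. expose the snapshot as a read-only LDAP instance; dsamain keeps running until stopped
    $dsamain = Start-Process dsamain.exe -ArgumentList "-dbpath `"$snapDit`" -ldapport $LdapPort" -PassThru
    $deadline = (Get-Date).AddSeconds(60)   # assumption: enough for a small DIT; poll longer for big ones
    do {
        Start-Sleep -Seconds 2
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect('127.0.0.1', $LdapPort); $up = $tcp.Connected } catch { $up = $false }
        $tcp.Dispose()
    } until ($up -or (Get-Date) -gt $deadline)
    if (-not $up) { throw "dsamain did not open port $LdapPort" }

    # 5. compare: same cmdlet, different -Server; "host:port" addresses the snapshot instance
    Import-Module ActiveDirectory
    $props = 'memberOf', 'description', 'enabled', 'userAccountControl'
    $then  = Get-ADUser $SamAccountName -Server "$($env:COMPUTERNAME):$LdapPort" -Properties $props
    $now   = Get-ADUser $SamAccountName -Server $env:COMPUTERNAME -Properties $props
    foreach ($p in $props) {
        $diff = Compare-Object @($then.$p) @($now.$p)
        if ($diff) {
            "$p changed:"
            $diff | ForEach-Object {
                $side = if ($_.SideIndicator -eq '<=') { 'snapshot:' } else { 'live:    ' }
                "  $side $($_.InputObject)"
            }
        }
    }
}
finally {
    # 6. clean up: stop dsamain first, then unmount (the manual steps under "Disconnect and unmount")
    if ($dsamain -and -not $dsamain.HasExited) { Stop-Process -Id $dsamain.Id }
    Invoke-Ntdsutil "unmount $guid" | Out-Null
}
```

Two things worth keeping in mind. While the snapshot is mounted, the ntds.dit inside it is an ordinary readable file on disk, and ntdsutil snapshots are one of the standard ways attackers copy the database to extract password hashes offline; so unmount as soon as the comparison is done, and treat process creation of ntdsutil.exe and dsamain.exe (Security event 4688 with command-line auditing, or Sysmon) as something worth alerting on outside your maintenance windows. The script runs the unmount in a finally block for that reason, so a failed comparison does not leave the snapshot exposed.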

Best Regards.

Hisham Mezher

How to reduce the size of the pagefile.sys (Virtual Memory) on Windows Server

Good Morning Folks.

Today I am sharing with you this short procedure on how to reduce the size of pagefile.sys (virtual memory) on Windows 8 or Windows Server 2012.

This morning I faced an issue with very low disk space on one of my production servers and couldn't access the server to restart the Exchange services; I couldn't even reach the log files to delete some old ones. I could only log in to the system, and managed to reduce the size of the huge pagefile.sys to regain access to the server.

Here is how to do this.

  1. On the keyboard press Windows Key + X, then click System in the pop-up menu, or right-click My Computer and open its properties.
  2. Click Advanced system settings. Administrator permission is required: you might be asked for an admin password or to confirm your choice.
  3. On the Advanced tab, under Performance, click Settings.
  4. Click the Advanced tab, and then, under Virtual memory, click Change.
  5. Clear the "Automatically manage paging file size for all drives" check box (if it is still set to the default of automatic management).
  6. Under Drive [Volume Label], click the drive that contains the paging file you want to change.
  7. Click Custom size, enter a new size in megabytes in the Initial size (MB) and Maximum size (MB) boxes, click Set, and then click OK.

vm1

Note

Increasing the size usually doesn't require a restart for the change to take effect, but if you decrease the size you'll need to restart the server before the disk space is actually freed.
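The same change done through WMI/CIM instead of the System Properties dialog, as an added example that is not part of the original post. This is the route to take when, as in the situation above, the console is barely usable: the same classes can be driven over a CIM session from another machine. The pagefile path and the 2048/4096 MB sizes are assumptions of this example, as is the optional remote computer name.

```powershell
# Added example (not from the original post): fixed-size pagefile via Win32_ComputerSystem and
# Win32_PageFileSetting, locally or over a CIM session (WinRM) when the GUI is unreachable.
# Run elevated. Assumed values: pagefile on C:, 2048 MB initial, 4096 MB maximum.
param(
    [string]$ComputerName,                    # omit for the local machine
    [string]$PageFile  = 'C:\pagefile.sys',
    [int]$InitialMB    = 2048,
    [int]$MaximumMB    = 4096
)

$cimArgs = @{}
if ($ComputerName) { $cimArgs.CimSession = New-CimSession -ComputerName $ComputerName }

# What the pagefile occupies right now (sizes are in MB)
Get-CimInstance Win32_PageFileUsage @cimArgs |
    Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage | Format-Table -AutoSize

# Step 5 of the procedure above: stop Windows from managing the paging file automatically
$cs = Get-CimInstance Win32_ComputerSystem @cimArgs
if ($cs.AutomaticManagedPagefile) {
    $cs | Set-CimInstance -Property @{ AutomaticManagedPagefile = $false } @cimArgs
}

# Steps 6-7: custom initial/maximum size for the chosen drive
$setting = Get-CimInstance Win32_PageFileSetting @cimArgs | Where-Object Name -eq $PageFile
if (-not $setting) {
    # no setting object exists yet when the file was system-managed; create one
    $setting = New-CimInstance -ClassName Win32_PageFileSetting -Property @{ Name = $PageFile } @cimArgs
}
$setting | Set-CimInstance -Property @{ InitialSize = $InitialMB; MaximumSize = $MaximumMB } @cimArgs

# Show the configured values; the file itself is resized at the next boot when it shrinks
Get-CimInstance Win32_PageFileSetting @cimArgs | Select-Object Name, InitialSize, MaximumSize
Write-Warning 'A smaller paging file takes effect only after a restart.'
```

Before shrinking a production server's pagefile, check what kind of crash dump it is configured for: a kernel or complete memory dump needs a pagefile on the system drive large enough to hold it, so a pagefile sized only to free disk space can leave you without a dump the next time the server falls over.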

Regards.

Hisham Mezher