Thursday, June 2, 2016

LPT: Backing up your Windows 8+ computer

If you have ever tried to back up a Windows machine with a more or less recent system image (as in Windows 8+), you may have noticed that there is no longer a UI for doing a full system backup.

You can back up files (actually, file libraries - things like My Documents, Desktop, etc.) - but if you have something in c:\src, you are now out of luck. Evidently, someone in the Windows division decided that less is more.

To the PM who thought that it was acceptable to ship an OS without system backup in 2016 - screw you! I hope you get zero rewards next review period.

Luckily, there is still a way to do a full backup. In an elevated PowerShell prompt, type this:

wbadmin start backup -backupTarget:D: -include:C: -allCritical -quiet

Here D: is a USB drive on which the backup will be stored, and C: is the system drive. If you have more than one volume, list them separated by commas, like so: "-include:C:,E:,F:".

Obviously, the backup target drive should not be among the volumes being backed up.

You can even make a scheduled task of it, making sure that your machine is backed up every few hours.

LPT: Reset-ComputerMachinePassword

Have you ever restored a domain-joined machine only to discover that it is no longer connected to your domain?

Windows machines have an account in Active Directory with the name MACHINENAME$ (where MACHINENAME is obviously the name of your computer), and a randomly generated password. This password is created when the machine is joined to the domain, and then rotated every 30 days automatically.

This last part - automatic rotation - means that if you are restoring a machine from a backup (or a VM snapshot), and the backup (snapshot) is older than 30 days, the machine will no longer be able to connect to the domain, because it will have rotated the password, and the old backup has the old one.

In the past I would always disjoin and then rejoin the machine to the domain. This requires two reboots, obviously, so it is quite a time-consuming action. Just recently though I was moving a virtual machine from one hypervisor to the other, and since the box was really, really big, it took a long time. The migration failed, but I booted the semi-broken machine anyway. This was a mistake - the box was broken, AND it must have been near the machine password expiration, so despite being broken, it went ahead and changed the password.

Now the original VM, while still functioning, was no longer on the domain. It was an Exchange server.

Since a lot of Exchange configuration data lives in Active Directory, I did not want to find out what would happen if I took it out of the domain and rejoined it. Instead, I decided to look around for a way to reconnect the machine to the domain.

Guess what, there is actually a really easy way. PowerShell 3.0 (included with 2012 or above, a Windows Update on 2008 R2) contains this handy command: Reset-ComputerMachinePassword, which does exactly what you think it should from its name - it resets the machine password in Active Directory, and reconnects the box to AD.

From an elevated PowerShell 3.0 or above:

Reset-ComputerMachinePassword -Credential "DOMAIN\Administrator"

You get prompted for the admin user password (it doesn't need to be a domain admin, just a user name which has the ownership of this machine's account), and voila! Just in case, I rebooted my server, and it was back online.

Note that the command is present in PowerShell 2.0 but - alas! - it does not have the -Credential flag, which makes it useless in this particular scenario. So you really have to upgrade PowerShell on 2008.
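
An added example, not part of the original post: it wraps the reset in a check, so the machine password is only reset when the secure channel to the domain is actually broken, and the result is verified afterwards. The function name Repair-MachineTrust is hypothetical, DOMAIN\Administrator is the placeholder used above, and the two Netlogon registry values are the standard Windows settings that control the rotation described earlier.

```powershell
#Requires -Version 3.0
# Added example. Repair-MachineTrust is a hypothetical name; DOMAIN\Administrator is a placeholder.
function Repair-MachineTrust {
    param([string]$UserName = 'DOMAIN\Administrator')

    # The reset needs an elevated session; fail early if we are not elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    # Netlogon rotation settings: MaximumPasswordAge is in days (30 when unset),
    # DisablePasswordChange = 1 stops the machine from rotating its password.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $np = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $maxAge = if ($np -and $null -ne $np.MaximumPasswordAge) { $np.MaximumPasswordAge } else { 30 }
    $rotationOff = [bool]($np -and $np.DisablePasswordChange -eq 1)
    Write-Host "Rotation interval: $maxAge days; rotation disabled: $rotationOff"

    # Test-ComputerSecureChannel returns $true when the local machine password
    # still matches the one stored on the MACHINENAME$ account in AD.
    $healthy = $false
    try { $healthy = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { Write-Warning $_.Exception.Message }
    if ($healthy) {
        Write-Host 'Secure channel is healthy; no reset needed.'
        return $true
    }

    # Prompt for an account that has rights over this machine's AD account.
    $cred = Get-Credential -UserName $UserName -Message 'Account with rights over this computer object'
    Reset-ComputerMachinePassword -Credential $cred -ErrorAction Stop

    # Verify instead of assuming the reset worked.
    $fixed = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)
    if (-not $fixed) {
        Write-Warning 'Secure channel still broken; check DC reachability and account permissions.'
    }
    return $fixed
}

Repair-MachineTrust
```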