
Savill's FAQs: System Center Endpoint Protection Manual Install

Three times a week, John Savill tackles your most pressing IT questions. Today, he shares more about removing a dead Domain Controller from Windows Server 2016, manually installing System Center Endpoint Protection on a device, and assigning limited scope administrator role in Azure Active Directory via the portal.

Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.

Read through the FAQ archives, or send him your questions via email.



Q. I need to remove a dead DC from Windows Server 2016. Do I need to use NTDSUTIL?

A. In earlier versions of Active Directory, if you had an unavailable DC that was not coming back, you would use NTDSUTIL and its metadata cleanup to remove all signs of the DC. This is not the case in newer versions of Active Directory. Instead, perform the following:

  1. In AD Users and Computers, delete the computer object from the Domain Controllers OU
  2. In AD Sites and Services, delete the server object in its site
  3. While still in AD Sites and Services, expand a DC in the site, right-click its NTDS Settings object and select All Tasks - Check Replication Topology

You can still use NTDSUTIL to check that everything is cleaned up, and I also like to run repadmin /syncall and then repadmin /showrepl. To check with NTDSUTIL:

C:\Windows\system32>ntdsutil
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: partition management
partition management: connections
server connections: connect to server dal-dc02
Binding to dal-dc02 ...
Connected to dal-dc02 using credentials of locally logged on user.
server connections: quit
ntdsutil: metadata cleanup
metadata cleanup: select operation target
select operation target: list sites
Found 1 site(s)
0 - CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
select operation target: select site 0
Site - CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
No current domain
No current server
No current Naming Context
select operation target: list servers in site
Found 3 server(s)
0 - CN=DAL-DC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
1 - CN=DAL-DC03,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
2 - CN=DAL-DC02,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
select operation target: quit
metadata cleanup: quit
ntdsutil: quit
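
As an added example (not part of the original FAQ), the same post-removal check can be scripted read-only in PowerShell with the ActiveDirectory module, looking in each place the three steps above touch. $DeadDc and $Server are placeholders, and the script assumes the default Domain Controllers OU.

```powershell
# Added example: read-only check that a removed DC has left no metadata behind.
# Requires the ActiveDirectory module (RSAT). Changes nothing in the directory.
param(
    [string]$DeadDc = 'DEAD-DC-NAME',      # placeholder: name of the removed DC
    [string]$Server = 'SURVIVING-DC-NAME'  # placeholder: healthy DC to query
)
Import-Module ActiveDirectory -ErrorAction Stop

$root     = Get-ADRootDSE -Server $Server
$configNC = $root.configurationNamingContext
$domainNC = $root.defaultNamingContext
$findings = @()

# Step 1: computer object in the Domain Controllers OU (default OU assumed)
$computer = Get-ADObject -Server $Server -SearchBase "OU=Domain Controllers,$domainNC" `
    -LDAPFilter "(&(objectClass=computer)(cn=$DeadDc))"
if ($computer) { $findings += "Computer object remains: $($computer.DistinguishedName)" }

# Step 2: server object, and any NTDS Settings child, under CN=Sites
$servers = Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$DeadDc))"
foreach ($s in $servers) {
    $findings += "Server object remains: $($s.DistinguishedName)"
    $ntds = Get-ADObject -Server $Server -SearchBase $s.DistinguishedName `
        -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) { $findings += "NTDS Settings remains: $($ntds.DistinguishedName)" }
}

# Step 3: connection objects on other DCs that still name the dead DC as source
$conns = Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
    Where-Object { $_.fromServer -like "*CN=$DeadDc,CN=Servers,*" }
foreach ($c in $conns) {
    $findings += "Connection still sources from dead DC: $($c.DistinguishedName)"
}

# Non-zero exit when anything is left, so the check can gate a runbook step
if ($findings) { $findings; exit 1 }
"No metadata found for $DeadDc"
```

Run it again after repadmin /syncall so that the DC being queried has received the deletions.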

 

Q. How can I manually install System Center Endpoint Protection on a machine?

A. System Center Configuration Manager also provides a built-in antivirus solution, System Center Endpoint Protection. Although it can be deployed easily using Configuration Manager, you can also manually install the client. To install manually perform the following:

  1. Navigate to folder C:\Program Files\Microsoft Configuration Manager\Client on the Configuration Manager server
  2. Copy the ep_defaultpolicy.xml and scepinstall.exe files to a shared location
  3. On the target server with access to the files run:
    scepinstall.exe /policy \ep_defaultpolicy.xml

The install will complete, update, then perform a scan. The antivirus definition files will update via Windows Update.

 

Q. How do I assign a limited scope administrator role in Azure AD via the portal?

A. There are a number of different roles available in Azure AD; however, if you look at the directory roles available for a user, you only see three:

  • User
  • Global administrator
  • Limited administrator

What about other roles like Intune Administrator, Compliance Administrator, etc.? Simply select Limited administrator and the additional roles will be displayed. Note that if a role you want is not shown, it is likely exposed via a specific portal.
