
Service Accounts

In an organization there can be a lot of applications and services running to serve its user base. Sometimes, when you set up an application service, it asks you to use a service account with certain permissions.

On a computer we can normally run an application as Local Service, Network Service or Local System. If required, you can also use a user account set up on the domain or on the local computer.

Traditional Service Account

Well, in the past (before Server 2008 R2) a service account was nothing but a user account. As you know, by default a typical user account password expires (in a domain it depends on the group policies); if that happens to a service account, the service or application will stop running, as it can no longer authenticate. So what is usually done is to create a user account and set its password to "never expire". That makes it more vulnerable, since the same password stays valid indefinitely on an account that is often highly privileged.
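Before moving such accounts to MSAs it helps to know how many of them exist. The following script is an added example (not from the original post) that inventories enabled domain user accounts whose password is set never to expire, shows how old each password is and whether the account carries an SPN (i.e. is used as a service identity). It assumes the ActiveDirectory PowerShell module is available; the 180-day threshold is an arbitrary review value.

```powershell
# Added example (not the post's own code): find user accounts with "password never
# expires", the workaround described above for traditional service accounts.
# Requires the ActiveDirectory module (RSAT / AD DS management tools).
Import-Module ActiveDirectory

function Get-NeverExpiringServiceAccount {
    param(
        # Accounts whose password is older than this are flagged for rotation review.
        [int]$MaxPasswordAgeDays = 365
    )

    $props = 'PasswordNeverExpires', 'PasswordLastSet', 'ServicePrincipalName', 'Enabled', 'LastLogonDate'

    # Server-side filter: only enabled accounts with the "never expires" flag set.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties $props |
        ForEach-Object {
            $ageDays = if ($_.PasswordLastSet) {
                (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days
            } else {
                $null   # never set / unknown: treat as needing review
            }

            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
                PasswordAgeDays = $ageDays
                # An SPN on a user account means it is registered as a service identity.
                HasSPN          = ($_.ServicePrincipalName.Count -gt 0)
                LastLogonDate   = $_.LastLogonDate
                NeedsReview     = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
            }
        }
}

# Usage: oldest passwords first; pipe to Export-Csv for the review meeting.
Get-NeverExpiringServiceAccount -MaxPasswordAgeDays 180 |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Accounts that show HasSPN = True and a multi-year password age are the first candidates for conversion to an MSA.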

Managed Service Accounts

Microsoft introduced Managed Service Accounts (MSAs) with Windows Server 2008 R2 to address the issues with traditional service accounts.

With a traditional service account it is a nightmare to handle the password changes, but an MSA changes its password automatically. In AD DS the MSA object is stored as msDS-ManagedServiceAccount. However, MSAs cannot be used across multiple computers or in a cluster environment. An MSA uses a complex, random, 240-character password and changes it automatically when it reaches the domain or computer password expiry date; by default that is 30 days. It also can't be locked out and can't be used for interactive logons. The main benefits of MSAs are automatic password change and simplified SPN (Service Principal Name) management.

In AD DS, MSAs are stored under the CN=Managed Service Accounts,DC=<domain>,DC=<com> container.

In order to run MSAs you need to have the following in your environment:
• Windows Server 2008 R2 or later domain controller
• AD module for PowerShell
• .NET Framework 3.5

Let's see how we can create the MSA.

1) Open a PowerShell prompt with domain administrator privileges.

2) To create the service account:
New-ADServiceAccount -Name <MSA_Name> -DNSHostname <DNS name of Domain_Controller>

So in my demo:
New-ADServiceAccount -Name testmsa1 -DNSHostname DCM1.canitpro.local

3) Then we need to associate it with the computer object:

Add-ADComputerServiceAccount -Identity <Host_Computer_Name> -ServiceAccount <MSA_Name>

In my demo I associate it with the computer DCM1:

Add-ADComputerServiceAccount -Identity DCM1 -ServiceAccount testmsa1

4) Then we need to install the MSA on the host computer:

Install-ADServiceAccount -Identity <MSA_Name>

In my demo it is:

Install-ADServiceAccount -Identity testmsa1

Now we can assign it to a service. If you go to AD now you can see the new account under the Managed Service Accounts container.
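The four steps above, put together as one script with the verification a practitioner would run afterwards. This is an added example, not the post's own commands; the names (testmsa1, DCM1, canitpro.local) follow the post's demo. It assumes Windows Server 2012 or later on the domain controller, where New-ADServiceAccount creates a group MSA by default and needs -RestrictToSingleComputer to produce the standalone MSA this article describes.

```powershell
# Added example (not from the original post): create a standalone MSA, bind it to one
# host, install it there and verify. Run in an elevated PowerShell as a domain admin.
Import-Module ActiveDirectory

$msaName  = 'testmsa1'              # names follow the post's demo
$hostName = 'DCM1'                  # computer that will run the service
$dnsName  = 'DCM1.canitpro.local'

# 1) Create the account. -RestrictToSingleComputer (Server 2012+) requests the classic
#    standalone MSA; without it a group MSA (which needs a KDS root key) is created.
New-ADServiceAccount -Name $msaName -DNSHostName $dnsName -RestrictToSingleComputer

# 2) Associate the MSA with the computer object that is allowed to retrieve its password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3) Install the MSA on the host (this step runs on the host itself).
Install-ADServiceAccount -Identity $msaName

# 4) Verification: $true only if this computer can retrieve the password, i.e. the
#    association and the installation both succeeded.
$ok = Test-ADServiceAccount -Identity $msaName
"MSA usable on this host: $ok"

# Confirm where the object lives and that the password was set by the system:
# PasswordLastSet will move forward on its own after the rotation interval.
Get-ADServiceAccount -Identity $msaName -Properties PasswordLastSet, DistinguishedName |
    Select-Object Name, ObjectClass, PasswordLastSet, DistinguishedName

# When configuring the Windows service, enter the logon account as "canitpro\testmsa1$"
# and leave the password blank; the host retrieves the real password itself.
```

If Test-ADServiceAccount returns False, the usual causes are that step 2 was run against a different computer object than the one you are logged on to, or that the host has not yet refreshed its Kerberos ticket after the association (a reboot or klist purge fixes the latter).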

If you have any question feel free to contact me on rebeladm@live.com

STEP-BY-STEP GUIDE TO MIGRATE DHCP FROM WINDOWS SERVER 2003 TO WINDOWS SERVER 2012 R2 USING WINDOWS SERVER MIGRATION TOOLS

Microsoft has already announced that support for Windows Server 2003 / Windows Server 2003 R2 ends on 14th July 2015 (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO ).

Even so, there are still organizations running Windows Server 2003 / Windows Server 2003 R2 in their infrastructure with different server roles.

With Windows Server 2008 R2 Microsoft introduced a great new feature called "Windows Server Migration Tools", which allows administrators to migrate server roles, features and configuration settings seamlessly from one system to another (e.g. from Windows Server 2003). Windows Server 2012 also includes this feature, and in this article I will demonstrate how we can use it to migrate the DHCP role to Windows Server 2012 R2.

Please note: to use this method we need to install this feature on both the source and the destination server.

For the demonstration I am using the following setup:

Server Name                      Operating System                        Server Roles   Networks
dhcp-2k3.canitpro.local          Windows Server 2003 R2 Enterprise x86   DHCP           Network A – 10.10.10.0
                                                                                        Network B – 172.16.25.0
                                                                                        Network C – 192.168.148.0
CANITPRO-DC2K12.canitpro.local   Windows Server 2012 R2 x64

Before starting the migration process it's important to consider the following.

1) To migrate the roles you need to log in to the source and destination servers as a "Domain Administrator".
2) Before starting the migration process make sure the source and destination servers run with the latest updates and service packs.
3) If the source server runs with multiple networks (multiple NICs), make sure the destination server also has the same number of NICs so it can serve the same network setup.

The dhcp-2k3.canitpro.local server is currently set up with 3 additional NICs to represent networks A, B and C. Those are configured with static IP addresses matching the network each one belongs to. The DHCP server hosts a different DHCP scope for each network.
Before we start the process we need to install the following software on the Windows Server 2003 (dhcp-2k3.canitpro.local) if it's not there already.

1) .NET Framework 3.5 (http://www.microsoft.com/en-us/download/details.aspx?id=21)
2) Windows PowerShell 2.0 (http://support2.microsoft.com/kb/968929/en-us)

Install Windows Server Migration Tools on Windows Server 2012

1) Log in to the Windows Server 2012 as Domain Administrator.
2) Go to Server Manager > Add Roles and Features.
3) It will open the Add Roles and Features Wizard; click Next to start the process.
4) In the next window, for the installation type select "Role-based or feature-based installation", then click Next to continue.
5) In the next window keep the default server selection and click Next to continue.
6) Then it will give the option to select server roles, but we only need to install a feature. So keep the default selection and click Next to continue.
7) Then in the feature selection, select "Windows Server Migration Tools" and click Next to continue.
8) The next window is the confirmation; click Install to begin the installation process.
9) Once the installation is completed, click Close to exit the wizard.

Prepare Windows Server Migration Tools for Windows Server 2003

1) Log in to the Windows Server 2012 as Domain Administrator.
2) Go to Server Manager > Tools > Windows Server Migration Tools > Windows Server Migration Tools.
3) It will open a command prompt; type cd ServerMigrationTools and press Enter.
4) Now we need to create the migration deployment package for Windows Server 2003. To save the files I have created the folder "C:\WIN2K3MIG". Now type the command .\SmigDeploy.exe /package /architecture x86 /os ws03 /path C:\WIN2K3MIG and press Enter.
5) This creates the package.
6) Now we need to copy the folder C:\WIN2K3MIG\SMT_ws03_x86 to the Windows Server 2003 which hosts the DHCP role.

Prepare Windows Server 2003 (DHCP source) for the migration

1) Log in to the Windows Server 2003 as Domain Administrator.
2) Go to Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell.
3) Then type net stop "DHCP Server" and press Enter.
4) This will stop the running DHCP server. Then open the folder copied from Windows Server 2012 R2 and run the file called "SmigDeploy.exe".
5) It will open a command window. Type Get-SmigServerFeature and press Enter.
6) This will examine the roles running on this server and provide a list of the roles which we can migrate over to Windows Server 2012 R2.
7) Now it's time to export the DHCP data using the tool. Before doing so we need to prepare a shared folder on the network which is accessible from both the DHCP source server and the DHCP destination server. I have created a folder called "DHCPShare" on the Windows Server 2012 and shared it with read and write NTFS permissions.
8) Type the command Export-SmigServerSetting -featureID DHCP -User All -Group -path \\Canitpro-dc2k12\DHCPShare -Verbose and press Enter to export the DHCP data. Here featureID defines the server role. Once you enter the command it will ask for a password to protect the data.
9) Now in the share we can see it has created the backup file.

With this step the DHCP data has been exported successfully.
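The source-side steps 3 to 9, as one script for the Windows PowerShell 2.0 session that SmigDeploy.exe opens on the 2003 R2 server. This is an added example, not the post's own script; the share path follows the post's demo, and the extra netsh backup to C:\dhcp-backup.txt is an assumption added so that a failed import on the destination can still be recovered from.

```powershell
# Added example (not from the original post): export the DHCP role from the
# Windows Server 2003 R2 source inside the SmigDeploy.exe PowerShell session.
$sharePath = '\\Canitpro-dc2k12\DHCPShare'   # share created on the 2012 R2 server

# Stop the DHCP service so the database is consistent when it is exported.
net stop "DHCP Server"

# Independent second backup with the built-in tool (assumed local path). If the Smig
# import fails on the destination, "netsh dhcp server import" can restore from this.
netsh dhcp server export C:\dhcp-backup.txt all

# List the features the tool can migrate from this server; DHCP should be among them.
Get-SmigServerFeature

# Export the DHCP settings plus the local users and groups that DHCP permissions
# refer to. The password protects the store on the share and is required at import.
$password = Read-Host -AsSecureString -Prompt 'Password to protect the migration store'
Export-SmigServerSetting -FeatureId DHCP -User All -Group -Path $sharePath -Password $password -Verbose

# Verify the migration store was written to the share.
Get-ChildItem $sharePath
```

Keep the export password somewhere the person doing the import can reach it; without it the store on the share cannot be read.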

Remove the DHCP role from Windows Server 2003 R2

Since we no longer need the DHCP role running on this server we can go ahead and uninstall the DHCP service. Keep the exported store on the share until the new server has been verified.

1) Log in to the Windows Server 2003 as a member of the Administrators group.
2) Start > Control Panel > Add or Remove Programs.
3) Then click on "Add/Remove Windows Components".
4) In the next window select "Networking Services" and click on Details.
5) In the next window de-select the DHCP option and click OK.
6) Then click Next to uninstall the DHCP service.

It will uninstall the DHCP role from the Windows 2003 server.

Install the DHCP role on Windows Server 2012 R2

1) Log in to the Windows Server 2012 as a member of the Administrators group.
2) Open Server Manager > Add Roles and Features.
3) It will open the wizard; click Next to continue.
4) For the installation type select "Role-based or feature-based installation" and click Next.
5) Leave the default selection on the server selection page and click Next to continue.
6) For the server roles select DHCP; it will prompt to add the relevant features. Click "Add Features" to add them and Next to continue.
7) For the features leave the defaults. Click Next to continue.
8) Then it will give a brief description of the DHCP server role; click Next to continue.
9) The next window is the confirmation; click Install to continue.

This will install the DHCP server role on the new server.

Import the DHCP server data into Windows Server 2012 R2

1) Log in to the Windows Server 2012 as Domain Administrator.
2) Open Windows PowerShell using Server Manager > Tools > Windows PowerShell.
3) Type net stop "DHCP Server" and press Enter.
4) Then type Add-PSSnapin microsoft.windows.servermanager.migration and press Enter to load the migration tools command set.
5) Now, to import the DHCP data, type Import-SmigServerSetting -featureID DHCP -Force -path C:\DHCPShare -Verbose and press Enter. (Note: here I didn't import the users or groups, as I am importing to a domain controller, but if necessary you can do it using the -User and -Group parameters.) Here C:\DHCPShare is the folder path where we saved the DHCP data from Windows Server 2003. It will ask for the password which we defined during the DHCP export process.
6) Then type Start-Service DHCPServer and press Enter to start the DHCP server.
7) Then authorize the DHCP server with the command Netsh DHCP add server CANITPRO-DC2K12.canitpro.local 38.117.80.124

Note: if the source DHCP server had multiple NICs with multiple networks, make sure the new server matches the same configuration. Assign static IP addresses to those interfaces to match the configuration. This can also be automated during the import process. You can get more info about the command options at http://technet.microsoft.com/en-us/library/dn495425.aspx
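The destination-side steps 3 to 7 as one script, with the checks a practitioner would run before calling the migration done. This is an added example, not the post's own commands; the store path, server name and IP address follow the post's demo. The Add-DhcpServerInDC and Get-DhcpServerv4Scope cmdlets come from the DhcpServer module that installs with the role on 2012 R2; the -IPConfig option is only referenced in a comment, with the MAC addresses left as placeholders.

```powershell
# Added example (not from the original post): import the DHCP store on the
# Windows Server 2012 R2 destination, authorize the server and verify the scopes.
$storePath = 'C:\DHCPShare'                          # folder holding the exported store
$dhcpFqdn  = 'CANITPRO-DC2K12.canitpro.local'
$dhcpIp    = '38.117.80.124'                         # address used in the post's netsh step

# Service name is DHCPServer (display name "DHCP Server").
Stop-Service -Name DHCPServer

# Load the migration cmdlets.
Add-PSSnapin microsoft.windows.servermanager.migration

# Import DHCP settings. Users/groups are not imported here (destination is a DC);
# add "-User All -Group" if they are needed. To map source NIC settings onto the
# destination NICs as the note above describes, add:
#   -IPConfig NIC -SourcePhysicalAddress '<SOURCE-MAC>' -TargetPhysicalAddress '<TARGET-MAC>'
# (placeholders; see the linked TechNet page for the exact format).
$password = Read-Host -AsSecureString -Prompt 'Password used when the store was exported'
Import-SmigServerSetting -FeatureId DHCP -Force -Path $storePath -Password $password -Verbose

Start-Service -Name DHCPServer

# Authorize the server in AD (DhcpServer-module equivalent of the post's netsh command).
Add-DhcpServerInDC -DnsName $dhcpFqdn -IPAddress $dhcpIp

# Verification 1: authorization is visible in AD.
Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $dhcpFqdn }

# Verification 2: the three scopes came across and are active.
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, State, StartRange, EndRange

# Verification 3: leases start appearing per scope once clients renew.
Get-DhcpServerv4Scope | ForEach-Object {
    [pscustomobject]@{
        ScopeId = $_.ScopeId
        Leases  = @(Get-DhcpServerv4Lease -ScopeId $_.ScopeId).Count
    }
}
```

If a scope shows State = Inactive, it was exported in that state from the source; activate it with Set-DhcpServerv4Scope -ScopeId <id> -State Active once you have confirmed no other server still serves that network.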

Now we have completed the restore process and I can already see it issuing IP addresses.

AppLocker Part 2

This is Part 2 of the AppLocker series. If you have not read Part 1 yet, you can find it here.

In Part 1 I explained what "AppLocker" is and what it is used for. Let's look further into this nice feature.

As explained in Part 1, in the Group Policy AppLocker container there are four nodes: Executable Rules, Windows Installer Rules, Script Rules and Packaged app Rules. In each of these containers we can allow or block applications based on 3 criteria.

Publisher: Using this criterion we can block or allow applications based on the digital signature applied by the software publisher.
Path: Using this criterion we can block or allow applications based on a specific folder or file path. This type of rule is somewhat risky: if we give a folder path, every file in that particular folder is affected by the rule, so an allow rule on a folder users can write to allows whatever they put there.
File Hash: This criterion is used to allow or block applications which are not digitally signed. It works based on the digital fingerprint of the application, and it keeps working even if the name or the location of the application changes (the hash does change with every update of the file, though).

Before AppLocker rules can take effect you need to make sure the "Application Identity" service is running. By default it is not, so make sure you start the service and set its startup type to "Automatic".

Default Rules

By default AppLocker will block every package, file and script except the ones which are allowed by rules. But as we know, the Windows system itself needs files, applications, scripts etc. to run by default, and it is not practical to create rules manually for each of these. Microsoft made this easier by introducing "Default Rules". Creating the default rules in each of the four containers creates the rules that the system itself needs. These rules can simply be created using the following steps:

1. Right click on each container.
2. Click on the option "Create Default Rules" from the list.

Automatically Generate Rules Wizard

One of the great options of AppLocker is that it allows you to generate rules automatically using a wizard. Once you specify a folder path and the permission groups, it will automatically analyze the selection and generate the rules. Then it gives you the ability to review them and change them if required before creating the rules.

This wizard can be opened using:

1. Right click on each container.
2. Click on the option "Automatically Generate Rules...".
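The same analyze-then-review flow can be done with the AppLocker PowerShell cmdlets, which is handy when you want the generated rules in source control before they go into a GPO. The script below is an added example, not from the original post: it scans a folder, builds publisher rules where files are signed and hash rules otherwise, writes the result to XML for review, and lists the unsigned files that ended up with hash rules (those are the ones that will need a rule update each time they change). The folder and output paths are assumptions.

```powershell
# Added example (not the post's own commands): PowerShell equivalent of the
# "Automatically Generate Rules" wizard, with the review step kept explicit.
$scanPath = 'C:\Program Files\Contoso App'      # assumed folder of the app to allow
$outFile  = 'C:\Temp\applocker-generated.xml'   # assumed review location

# Collect publisher / hash / path information for the files in the folder.
$files = Get-AppLockerFileInformation -Directory $scanPath -Recurse -FileType Exe, Dll, Script, WindowsInstaller

# Build allow rules for Everyone. -RuleType order is the preference: Publisher first
# (survives updates of signed binaries), Hash as fallback for unsigned files.
# -Optimize merges rules from the same publisher; -Xml returns the policy document.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml
Set-Content -Path $outFile -Value $policyXml -Encoding UTF8

# Review: which files are unsigned and therefore got hash rules?
$unsigned = $files | Where-Object { -not $_.Publisher } | Select-Object -ExpandProperty Path
"Files covered by hash rules (update the rule when these change):"
$unsigned

# Test one binary (assumed name) against the generated policy before merging into a GPO.
Test-AppLockerPolicy -XmlPolicy $outFile -Path (Join-Path $scanPath 'app.exe') -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Once the XML has been reviewed, Set-AppLockerPolicy -XmlPolicy with -Merge applies it to the local policy, or with -Ldap to a GPO, without discarding the default rules already present.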

Create Rules Manually

We can also create rules manually as per our requirements. I will explain the procedure with an example. On the network I have the WinRAR application installed in the path "C:\Program Files\WinRAR". I need to block this application using an AppLocker rule.

To do that I will be using the "Executable Rules" container.

To start the process:

1. Right click on the "Executable Rules" container.
2. Select the "Create New Rule…" option.
3. It will open the wizard; click Next to continue.
4. In the next window I need to select the action and the permissions. Since I need to "deny" access, the action will be "Deny", and I will apply it to Everyone on the network.
5. In the next window I need to select the condition. Here I will be using the "Path" option.
6. The next window allows you to select the file or the folder. Here click on "Browse Folders..." to select the path. Once the selection is done, click Next to continue.
7. The next window allows you to add exceptions, but here I will not make any modifications.
8. The next window asks for a name, and we can give one to the rule. Once you click Create it will generate the rule.
9. Now I will try to execute the application on a PC on the network which is joined to the domain.
10. As soon as I double click on the application shortcut it gives the following error.

As we can see, it's done the trick.
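The same deny rule, expressed as AppLocker policy XML and applied with PowerShell instead of the GPO editor, followed by the two checks that tell you the rule is really enforcing: a dry run with Test-AppLockerPolicy against the effective policy, and the 8004 events that AppLocker writes when it blocks a launch. This is an added example, not the post's own commands. The WinRAR path follows the post; it is applied to the local policy here (with -Merge so the default rules survive), and the rule name, GUID and temp file names are assumptions.

```powershell
# Added example (not from the original post): deny WinRAR for Everyone with an
# AppLocker path rule, apply it, dry-run it, and read the block events.

# 1) AppLocker enforces nothing unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2) Deny rule for Everyone (well-known SID S-1-1-0) on the WinRAR folder.
#    %PROGRAMFILES% is the AppLocker path variable for "C:\Program Files".
$ruleId = [guid]::NewGuid().ToString()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$ruleId" Name="Deny WinRAR" Description="Blocks WinRAR for all users"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\WinRAR\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'deny-winrar.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# 3) Apply, merging into the existing local policy so the default rules are kept.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# 4) Dry run against the *effective* policy (local + GPO). WinRAR should come back
#    Denied with our rule as MatchingRule; notepad should stay Allowed via the
#    default rules. Testing only deny-winrar.xml would show notepad as
#    DeniedByDefault, because that file contains no allow rules.
$effectiveFile = Join-Path $env:TEMP 'effective-applocker.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectiveFile -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $effectiveFile -User Everyone `
    -Path 'C:\Program Files\WinRAR\WinRAR.exe', 'C:\Windows\System32\notepad.exe' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5) After a user tries to start WinRAR: event 8004 is an enforced block
#    (8003 = audit-only "would have blocked", 8002 = allowed).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Collecting the 8003/8004 events centrally is what turns AppLocker from a control into a detection source: a burst of 8004 events for a path nobody deployed is worth a look.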

This is the end of the AppLocker series.

Step by Step guide to setup Active Directory on Windows Server 2012

This tutorial will explain how to install AD on Server 2012 R2.

Requirements:

Minimum: 1.4 GHz 64-bit processor

Minimum: 512 MB RAM

Minimum: 32 GB disk space or greater

The first step is to get Server 2012 installed on a server. It is very similar to the Server 2008 install, and in one of my previous posts I have described how to do the install in detail.

The next thing we need to do is get the network interfaces configured. Obviously, use a static IP address for the server. Since the server will act as the DNS server, for the DNS server field you can use the localhost address 127.0.0.1.

It is recommended to use a meaningful name as the server name. In the demo I renamed it "DCPR1".

After this we are ready to start on the AD install. As my next step I will start with the DNS role install. This is not a must; you can also install DNS during the AD install. But as a best practice I always prefer to add the DNS role first.
To do this we need to start "Server Manager". It can be opened using the shortcut on the taskbar or from Start > Server Manager.

Then in the Server Manager window click on the "Add roles and features" option.

Then it will load the "Add Roles and Features Wizard". Click Next to continue.

In the next window keep the "Role-based or feature-based installation" default selection and click Next.

In the next window we can select which server to install the role on. In our case it will be local, so keep the default selection and click Next.

In the next window it gives the option to select the roles. Select "DNS Server" by clicking on the box to tick it.

Then it will prompt a window to inform you about the related additional features which the DNS role needs. Click on "Add Features" to continue.

In the next window it gives the option to select any additional features, but here I will keep the defaults. Click Next to continue.

Then it will give a brief introduction to the DNS role; click Next to continue.

In the next window it will give details about the selected features; click on "Install" to begin the installation.

Then it will begin the installation and we need to wait till it completes.

Once it completes click on Close.

Then you can access the DNS server using Server Manager > Tools > DNS.

Now we have everything ready for the AD install, so let's load Server Manager again and click on "Add roles and features".

Then it will load the "Add Roles and Features" wizard. Click Next to continue.

In the next window keep the "Role-based or feature-based installation" default selection and click Next.

In the next window we can select which server to install the role on. In our case it will be local, so keep the default selection and click Next.

In the next window it gives the option to select the roles. Tick the box for "Active Directory Domain Services".

Then it will prompt a window to indicate the additional feature installations related to the selected role. Click on "Add Features" to continue.

Then in the next window click Next to continue.

In the next window it will give the option to select additional features to install, but I will keep the default selection. Click Next.

In the next window it gives a brief description of the AD DS service. Click Next to continue.

In the next window it gives a summary of the installation. Click on "Install" to start the installation.

In the next window it will begin the service install and we have to wait till it finishes.

Once it finishes click on "Close" to exit the wizard. The next step is to reboot the server to complete the installation.

After that completes we need to start on the DC setup. To start, open "Server Manager" and click the Tasks flag in the right-hand corner. It will list the options as in the picture. Click on the "Promote this server to a domain controller" option (highlighted in yellow in the picture).

Then it starts the DCPROMO wizard. On the first window, since it's going to be a new forest, I selected the option "Add a new forest" and typed the domain name "contoso.com" which I will be using for the forest. Once the info is filled in, click "Next" to continue.

In the next window we can select the forest and domain functional levels; I will keep them default. Then under domain controller capabilities, DNS server and Global Catalog are selected by default, as this is the first DC in the forest. Then we need to define the password to use for DC recovery (the Directory Services Restore Mode password). Click Next to continue.

In the next window it will give the following error, but it can be ignored. Click Next to continue.

In the next window it asks for the NetBIOS name. We can keep the default and click Next to continue.

In the next window it gives the option to change the file paths for the AD database, log files and SYSVOL files. We can change the paths or keep the defaults. Once the changes are done click Next to continue.

In the next window it gives a description of the installation. Click Next to continue.

In the next window it will run the prerequisites check and verify the system is compatible with the selected installation. Once the check completes successfully, click the Install button to begin the installation. If it reports any critical errors, those need to be addressed before the installation begins.

Then it will start the install and we need to wait till it finishes.

Once the install is complete it will automatically reboot the server.

Once the server is rebooted, log in to the server using domain admin credentials.

In our demo it will be in the format of

user: contoso\Administrator

password: XXXXXXXXX

Once logged in, load "Server Manager" and click on the "AD DS" option in the right-hand list. Then select and right click the server as shown in the screenshot to start with the AD configuration.
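Everything from the network configuration to the forest promotion can also be done from PowerShell on 2012 R2, which is how you would script it for a lab or a repeatable build. The script below is an added example, not the post's own commands. The server name and domain (DCPR1, contoso.com) follow the post's demo; the IP address, interface alias and database/SYSVOL paths are assumptions. Test-ADDSForestInstallation is the command-line equivalent of the wizard's prerequisites check and runs before the promotion.

```powershell
# Added example (not from the original post): build the first DC of a new forest
# on Windows Server 2012 R2 from PowerShell, with the prerequisite check kept explicit.

# 1) Network: static address, and the DNS client pointing at the local resolver
#    (the DNS role will be installed on this server). Alias and addresses are assumed.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 192.168.10.5 -PrefixLength 24 -DefaultGateway 192.168.10.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1

# 2) Meaningful server name; takes effect after the reboot this triggers.
Rename-Computer -NewName 'DCPR1' -Force -Restart

# ---- continue here after the reboot ----

# 3) Roles: DNS first, then AD DS, plus the management tools (dsa.msc, AD module, ...).
Install-WindowsFeature -Name DNS, AD-Domain-Services -IncludeManagementTools

# 4) Directory Services Restore Mode password, prompted rather than hard-coded.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 5) Prerequisite check (the wizard's "Prerequisites Check" page).
$check = Test-ADDSForestInstallation -DomainName 'contoso.com' `
    -SafeModeAdministratorPassword $dsrmPassword -InstallDns
$check | Format-List Status, Message

# 6) Promote as the first DC of the new forest. DNS and the Global Catalog are part of
#    the first DC; paths are the defaults the wizard shows. The server reboots at the end.
if ($check.Status -eq 'Success') {
    Install-ADDSForest `
        -DomainName 'contoso.com' `
        -DomainNetbiosName 'CONTOSO' `
        -ForestMode 'Win2012R2' `
        -DomainMode 'Win2012R2' `
        -InstallDns `
        -DatabasePath 'C:\Windows\NTDS' `
        -LogPath 'C:\Windows\NTDS' `
        -SysvolPath 'C:\Windows\SYSVOL' `
        -SafeModeAdministratorPassword $dsrmPassword `
        -Force
}

# 7) After the post-promotion reboot, logged in as CONTOSO\Administrator: confirm the
#    DC is registered, is a Global Catalog, and that its DNS records check out.
Get-ADDomainController -Identity 'DCPR1' | Select-Object HostName, Domain, Forest, IsGlobalCatalog
dcdiag /test:dns /q
```

The DSRM password is the one the wizard asks for on the "Domain Controller Options" page; store it with the same care as the domain Administrator password, because it gives local logon to the DC when AD itself is offline.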

Now we have successfully completed the DC setup on Server 2012 R2. If you have any issues with the steps, feel free to contact me on rebeladm@live.com