Using Trusts in Windows environments

What is a Trust?

A trust is a relationship, which you establish between domains, that makes it possible for users in one domain to be authenticated by a domain controller in the other domain.

By using Windows Server 2008 domain and forest trusts, service administrators can create or extend collaborative relationships between two or more domains or forests. Windows Server 2008 domains and forests can also trust Kerberos realms and other Windows Server 2008 forests, as well as Windows Server 2003 domains, Microsoft® Windows® 2000 Server domains, and Microsoft Windows NT® Server 4.0 domains.

When a trust exists between two domains, the authentication mechanisms for each domain trust the authentications coming from the other domain. Trusts help to provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains.

How a specific trust passes authentication requests depends on how it is configured. Trust relationships can be one-way, providing access from the trusted domain to resources in the trusting domain, or two-way, providing access from each domain to resources in the other domain. Trusts are also either nontransitive, in which case a trust exists only between the two trust partner domains, or transitive, in which case a trust automatically extends to any other domains that either of the partners trusts.

In some cases, trust relationships are established automatically when domains are created. In other cases, administrators must choose a type of trust and explicitly establish the appropriate relationships. The specific types of trusts that are used and the structure of the resulting trust relationships in a given trust implementation depend on such factors as how Active Directory Domain Services (AD DS) is organized and whether different versions of Windows coexist on the network.

The key thing to remember is that the direction of trust is the opposite of the direction of access: an outgoing trust allows incoming access, and an incoming trust allows outgoing access.

Trusts

Trust Directions

One-way: incoming

Use this option when you want to allow authentication requests to be routed from your domain or forest (referred to as “this domain” or “this forest” in the wizard) to resources residing in a second domain or forest (referred to as “specified domain” or “specified forest” in the wizard). “One-way” in One-way: incoming means that this selection will create a one-way trust that can route authentications to resources in only one direction, while user access to those resources flows in the other direction. “Incoming” in One-way: incoming refers to the direction of the trust itself, not the direction in which authentication requests will flow. In other words, as shown in the following illustration, a “one-way incoming trust” means that your domain or forest will be the domain or forest that receives access to the resources in the other domain.

One-way: outgoing

Use this option when you want to allow authentication requests to be routed to your domain or forest (referred to as “this domain” or “this forest” in the wizard) from users residing in a second domain or forest (referred to as “specified domain” or “specified forest” in the wizard). “One-way” in One-way: outgoing means that this selection will create a one-way trust that can route authentications to resources in only one direction, while user access to those resources flows in the other direction. “Outgoing” in One-way: outgoing refers to the direction of the trust itself, not the direction in which authentication requests will flow. In other words, as shown in the following illustration, a “one-way, outgoing trust” means that your domain or forest will provide access to resources that are located in your domain to users who are located in the other domain or forest.

Types of Trust

[Figure: the types of Windows trust]

When to create an external trust

You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are sometimes necessary when users need access to resources in a Windows NT 4.0 domain or in a domain that is located in a separate forest that is not joined by a forest trust.

When to create a shortcut trust

Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process.

Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees.

When to create a realm trust

You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way.

When to create a forest trust

You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. Creating a forest trust between two root domains with a forest functional level of Windows Server 2003 or higher provides a one-way or two-way, transitive trust relationship between every domain in each forest. Forest trusts are useful for application service providers, organizations undergoing mergers or acquisitions, collaborative business extranets, and organizations seeking a solution for administrative autonomy.

Using one-way, forest trusts

A one-way, forest trust between two forests allows members of the trusted forest to use resources that are located in the trusting forest. However, the trust operates in only one direction. For example, when a one-way, forest trust is created between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources that are located in forest B, but members of forest B cannot access resources that are located in forest A, using the same trust.

Using two-way, forest trusts

A two-way, forest trust between two forests allows members from either forest to use resources that are located in the other forest, and domains in each respective forest trust domains in the other forest implicitly. For example, when a two-way, forest trust is established between forest A and forest B, members of forest A can access resources that are located in forest B, and members of forest B can access resources in forest A, using the same trust.

Checklist for creating Trusts

  1. Ensure that DNS is set up properly.
  2. If there is a root DNS server that can be the root DNS server for both of the forest DNS namespaces, make it the root server by ensuring that the root zone contains delegations for each of the DNS namespaces. Also, update the root hints of all DNS servers with the new root DNS server.
  3. If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are running a Windows Server operating system, configure DNS conditional forwarders in each DNS namespace to route queries for names in the other namespace.
  4. If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running a Windows Server operating system, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace.
  5. Create the forest trust.

Permissions

Creating a trust requires membership in the Domain Admins or Enterprise Admins group.

What tool do you use to create Trusts?

You can use the Active Directory Domains and Trusts snap-in to create trust relationships between domains by going to Start > All Programs > Administrative Tools > Active Directory Domains and Trusts. Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

Creating a Forest Trust

  • Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts in Windows Server 2012, click Start and type domain.msc.

  • In the console tree, right-click the domain that you want to administer, and then click Properties. Check your domain and forest functional level.

  • Click Trusts.

  • On the Trusts tab, click New trust, and then click Next.

  • On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.

  • On the Trust Type page, click Forest trust, and then click Next.

  • Choose the direction of the trust.

  • Next, you will need to create the sides of the trust relationship.

  • Specify the user name and password of the Active Directory domain administrator, then click Next.

  • Select Forest-wide authentication to authorize users to use resources in the local forest or those identified by the administrator, then click Next.

  • Select Forest-wide authentication to authenticate Active Directory forest users to use resources in the forest or those identified by the administrator, then click Next.

  • Trust creation is complete. Review your settings.

  • Confirm the outgoing trust.

  • Confirm the incoming trust.

  • Complete the New Trust Wizard.

Verifying the Trust

To verify that the DNS configuration is correct, there are several commands you can run from a command prompt or PowerShell window:

  • nslookup
  • netdom
  • nltest

Common ports which need to be open for trusts to work

  • 123/UDP – W32Time
  • 135/TCP – RPC Endpoint Mapper
  • 464 – Kerberos password change
  • 49152-65535/TCP – RPC for LSA, SAM, Netlogon (*)
  • 389/TCP/UDP – LDAP
  • 636/TCP – LDAP SSL
  • 3268/TCP – LDAP GC
  • 3269/TCP – LDAP GC SSL
  • 53/TCP/UDP – DNS
  • 49152-65535/TCP – FRS RPC (*)
  • 88/TCP/UDP – Kerberos
  • 445/TCP – SMB
  • 49152-65535/TCP – DFSR RPC (*)

(*) For information about how to define RPC server ports that are used by the LSA RPC services, see the following Microsoft Knowledge Base articles:
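The following PowerShell script is an added example, not part of the original post, that turns the wizard steps, the verification commands and the port list above into something you can run before and after creating the trust. The forest names (corp.example.com, partner.example.net), the partner DC address 10.20.0.10 and the port table are constructed for the example; it needs the ActiveDirectory RSAT module, and Test-NetConnection needs Windows 8 / Windows Server 2012 or later.

```powershell
# Added example, not from the original post. Constructed assumptions: local forest
# corp.example.com, partner forest partner.example.net, a partner DC at 10.20.0.10.
# Needs the ActiveDirectory RSAT module; Test-NetConnection needs Windows 8/2012 or later.
Import-Module ActiveDirectory -ErrorAction Stop

$LocalForest   = 'corp.example.com'
$PartnerForest = 'partner.example.net'
$PartnerDc     = '10.20.0.10'

# 1. DNS (checklist steps 1-4): the partner's DC locator records must resolve from here,
#    otherwise the New Trust Wizard cannot find a partner domain controller.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerForest" -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
if (-not $srv) { Write-Warning "No DC SRV records for $PartnerForest; check the conditional forwarder or secondary zone" }
else { $srv | Select-Object NameTarget, Port | Format-Table -AutoSize }

# 2. Fixed TCP ports from the list above. Test-NetConnection cannot probe UDP (53, 88, 123)
#    or the dynamic RPC range; step 3 exercises the RPC path end to end.
$Ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP'; 445='SMB';
            464='Kerberos password change'; 636='LDAP SSL'; 3268='LDAP GC'; 3269='LDAP GC SSL' }
foreach ($p in ($Ports.Keys | Sort-Object)) {
    $open = (Test-NetConnection -ComputerName $PartnerDc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5}/TCP  {1,-26} {2}' -f $p, $Ports[$p], $(if ($open) { 'open' } else { 'BLOCKED' })
}

# 3. After the wizard has run: secure channel to the partner and trust verification
#    (the same checks the "Confirm Outgoing/Incoming Trust" pages perform).
nltest "/sc_verify:$PartnerForest"
netdom trust $LocalForest "/domain:$PartnerForest" /verify

# 4. Audit the trust as it now exists. SIDFilteringForestAware should be True on a forest
#    trust (the default); SelectiveAuthentication True means only servers that grant
#    "Allowed to Authenticate" are reachable, rather than everything Authenticated Users can see.
Get-ADTrust -Filter "Target -eq '$PartnerForest'" |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringForestAware, SelectiveAuthentication |
    Format-List
```

Test-NetConnection only speaks TCP, so the UDP side of DNS, Kerberos and W32Time and the dynamic RPC range are not probed; the nltest and netdom calls exercise the RPC path for real. On the audit, SID filtering on a forest trust drops SIDs that do not belong to the partner forest, which is what stops SID history from the other side being honoured in yours, and selective authentication is the least-privilege alternative to the Forest-wide authentication chosen in the wizard above, because forest-wide makes every partner user part of Authenticated Users on every computer in your forest.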

Port Query Tool

Microsoft provides a port query tool which is really useful for checking connectivity:

http://www.microsoft.com/en-us/download/confirmation.aspx?id=24009

SQL Server 2012 Installable Features

It’s often good to have a brief explanation of the features that are installable through the SQL Server 2012 setup wizard, so here they are below for reference.

Database Engine

Includes the Database Engine, the core service for storing, processing and securing data. The Database Engine provides controlled access and rapid transaction processing and also provides rich support for sustaining high availability. The Database Engine also provides support for the utility control point in the SQL Server Utility. Only Database Engine Services and Analysis Services can be clustered.

SQL Server Replication

Includes a set of technologies for copying and distributing data and database objects from one database to another and synchronizing between the databases for consistency. You can use replication to distribute data to different locations and to remote and mobile users over local and wide area networks, dial-up connections, wireless connections and the Internet.

Full Text Search

Includes the search engine that supports Full-Text Extraction for fast text search as well as Semantic Extraction for key phrases (likely tags) and similarity search on content stored in SQL Server.

Data Quality Services

Includes Data Quality database objects.

Analysis Services

Includes Analysis Services and tools used to support online analytical processing (OLAP) and data mining. Only Database Engine Services and Analysis Services can be clustered.

Reporting Services – Native

Includes Reporting Services, a server-based application for creating, managing, and delivering reports to email, multiple file formats, and interactive Web-based formats. The Native mode server provides all processing and management functionality through Reporting Services components. Reporting Services cannot be clustered.

Shared Feature

Each shared feature is installed once within a defined scope and operates within that scope. The defined scope can span all SQL Server versions on a computer (e.g., SQL Server Browser), can be isolated to one major version of SQL Server (e.g., SQL Server Management Tools), or can be isolated to one or more minor versions.

Reporting Service – Shared

Includes Reporting Services, a server-based application for creating, managing, and delivering reports to email, multiple file formats, and interactive Web-based formats. SharePoint integrated mode integrates the report server with SharePoint products. The report viewing and report management experience are integrated with SharePoint sites and libraries. Reporting Services cannot be clustered.

Reporting Services Add in

Includes management and user interface components to integrate a SharePoint product with an SSRS report server in SharePoint integrated mode. The add-in only needs to be installed on the server running the SharePoint product.

Data Quality

Includes Data quality client objects.

SQL Server Data Tools

Installs the SQL server development environment, including the tool formerly named Business Intelligence Development Studio. Also installs the business intelligence tools and references to the web installers for database development tools.

Client Tools Connectivity

Includes components for communication between clients and servers.

Integration Services

Includes the designer, runtime, and utilities that enable Integration Services to move, integrate, and transform data between data stores.

Client Tools SDK

Includes the software development kit containing resources for programmers.

Documentation Component

Installs only the components that you use to view and manage the documentation for SQL Server 2012. By default, the Help Viewer component uses the online library. After installing SQL Server, you can use the Help Library Manager component to download documentation to your local computer.

Management Tool – Basic

Includes Management Studio support for the Database Engine and SQL Server Express, SQL Server command-line utility (SQLCMD), SQL Server PowerShell provider, and Distributed Replay Administration Tool.

Management Tool – Complete

Adds the following components to the basic management tools installation: Management Studio support for Reporting Services, Analysis Services, and Integration Services technologies, SQL Server Profiler, Database Tuning Advisor, and SQL Server Utility management.

Distributed Replay Controller

Includes the Distributed Replay Controller which orchestrates the actions of the distributed replay clients.

Distributed Replay Client

Includes the Distributed Replay Client. Multiple Distributed Replay Clients work together to simulate a workload against an instance of SQL Server.

SQL Client Connectivity SDK

Includes SQL Server Native Client (ODBC / OLE DB) SDK for database application development.

Master Data Services

Includes Master Data Services, the platform for integrating data from disparate systems across an organization into a single source of master data for accuracy and auditing purposes. Installs the Master Data Services Configuration Manager, assemblies, PowerShell snap-in, and folders and files for Web applications and services.

Redistributable Features

SQL Server redistributable and shared features are installed when needed: Error and Usage Reporting, SQL Server Native Client, MSXML version 6.0, Sync Services for ADO.NET, and SQL Server Browser.

Optimising SQL Server for VMware vCenter

SQL Modifications

I am using Microsoft SQL Server 2008 R2 running on Microsoft Windows Server 2008 R2. It is always worth having some knowledge about your database software, whether it be Oracle, SQL Server or DB2 etc., and worth knowing how to optimise this software to work correctly for VMware vCenter whilst maintaining backups and maintenance plans for further minimisation of issues and/or performance problems.

Memory

  • Right-click the topmost SQL Server object, usually named with the machine name or local.
  • Choose Properties.
  • Choose the Memory page.
  • Set “Maximum Server Memory (in MB)” to something useful for the server. Probably something like 25%-50% of the RAM on the host.
  • The more memory you can give it the better, as the database will cache data in RAM, but you also want to leave room in RAM for the OS (2 GB) and some file cache.

Recovery Model

  • Right-click the relevant database in SQL Server Management Studio.
  • Click Properties
  • Select Options
  • Set the Recovery Model to “Simple.” Click OK.
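As an added example (not from the original post), here is the same Memory and Recovery Model change done with Invoke-Sqlcmd so it can be scripted and repeated. Assumptions: it runs on the SQL host against the default instance, the vCenter database is called VCDB, and SQL Server gets 40% of the host's RAM; these are constructed values, and Invoke-Sqlcmd comes from the SqlServer module (or the sqlps shell on SQL Server 2008 R2).

```powershell
# Added example, not from the original post. Constructed assumptions: run on the SQL host
# against the default instance, vCenter database VCDB, 40% of physical RAM for SQL Server.
# Needs Invoke-Sqlcmd (SqlServer module, or the sqlps shell on 2008 R2) and a sysadmin login.
if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) { Import-Module SqlServer -ErrorAction Stop }

$Instance    = 'localhost'
$VcDb        = 'VCDB'
$Share       = 0.40     # within the 25%-50% band suggested above
$OsReserveMb = 2048     # leave 2 GB for the OS and file cache

# Memory: derive "Maximum Server Memory (in MB)" from the host instead of typing a guess
$totalMb = [math]::Floor((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$maxMb   = [math]::Floor($totalMb * $Share)
if ($totalMb - $maxMb -lt $OsReserveMb) {
    throw "Only $($totalMb - $maxMb) MB would be left for the OS on this $totalMb MB host"
}

$memorySql = @"
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $maxMb;  RECONFIGURE;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $memorySql

# Recovery model: Simple stops the log growing without log backups, at the cost of
# point-in-time restore for VCDB (you can only go back to the last full/differential backup)
Invoke-Sqlcmd -ServerInstance $Instance -Query "ALTER DATABASE [$VcDb] SET RECOVERY SIMPLE;"

# Verify both settings took effect
Invoke-Sqlcmd -ServerInstance $Instance -Query "SELECT name, value_in_use FROM sys.configurations WHERE name = 'max server memory (MB)';"
Invoke-Sqlcmd -ServerInstance $Instance -Query "SELECT name, recovery_model_desc FROM sys.databases WHERE name = N'$VcDb';"
```

The 2 GB check mirrors the guidance in the list above; if the host is small enough that 40% leaves less than that, the script refuses rather than starving the OS.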

Configure Microsoft SQL Server TCP/IP for JDBC

If the Microsoft SQL Server database has TCP/IP disabled and the dynamic ports are not set, the JDBC connection remains closed. The closed connection causes the vCenter Server statistics to malfunction. You can configure the server TCP/IP for JDBC.

This task applies to remote Microsoft SQL Server database servers. You can skip this task if your database is local.

  • Select Start > All Programs > Microsoft SQL Server > Configuration Tool > SQL Server Configuration Manager
  • Select SQL Server Network Configuration
  • Select Protocols for <instance name>
  • Enable TCP/IP
  • Open TCP/IP Properties and set the entries as per the below screen print
  • Click on the IP Addresses tab

[Screenshot: TCP/IP Properties, IP Addresses tab]

  • Restart the SQL Server service from SQL Server Configuration Manager > SQL Server Services.
  • Start the SQL Server Browser service from SQL Server Configuration Manager > SQL Server Services.

Maintenance of your SQL Server Databases

  • Start the Microsoft SQL Server Management Studio again and log in as the sa user. Open the Management folder.

  • Right-click Maintenance Plans. Select Maintenance Plan Wizard.

  • Click Next
  • On the Select Plan Properties page, give it the name WeeklyMaintenancePlan. Select Single schedule for the entire plan or no schedule.

  • Click the Change button to pick when you want it to run.

  • Schedule the job to occur when there is little happening on the system, e.g. no backups or antivirus scanning.
  • Click Next and choose your Maintenance Tasks

  • Select the order for the Maintenance Tasks to run in.

  • For Define Database Integrity Check, select All databases, including indexes.
  • You have the choices below:

[Screenshot: Database Integrity Check options]

  • Click OK and it will bring you back to the Define Database Integrity Check page.

  • For Define Reorganize Index, select All databases, compact large objects.

  • For Define Rebuild Index select All Databases, reorganize pages with the default amount of free space. Also check Keep index online while reindexing. Note: The Keep index online option appears to be an Enterprise version feature, and you may see failures with it enabled on other SQL Server versions.

  • For Define Update Statistics, select All Databases, all existing statistics, full scan.

  • Next, on the Define Backup Database (Full) Task page, enter the following:

  • Backup Type = Full
  • Databases = All Databases
  • Backup Set will expire after = 14 Days
  • Backup to Disk = Selected
  • Create a backup file for every Database = Selected
  • Choose a folder according to where you want to back up
  • Backup File Extension = bak
  • Set backup compression = Use the default server settings. The Compress Backup option seems like a good one but it isn’t supported on 64-bit SQL Server. It’ll let you set it, then fail on execution
  • Next, define the Maintenance Cleanup Task:

  • Delete files of the following type = Backup Files
  • Search Folder and delete files based on an extension = Choose your backup folder
  • File extension = bak
  • File age = 4 weeks or your choice
  • Next you are on the Report Options page.

  • Check the summaries and click Finish.

  • Go into the Maintenance Plans folder now, right click on this job, and choose Execute to see if it runs. Check the logs if it doesn’t.
  • Your location may be different but as a rough guide, the log location is c:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Log

Defragmenting VirtualCenter performance data indexes on a Microsoft SQL database

For troubleshooting or maintenance purposes it may be necessary to defragment the indexes on your Microsoft SQL database server.
Fragmentation of indexes occurs when the logical order of pages is different from the physical order on the disk. In VirtualCenter fragmentation occurs most noticeably due to the statistics collection and consolidation.

When the indexes are excessively fragmented, performance of queries to the VirtualCenter database is slow.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003990

Warning: If you do not have experienced DB administrators, shut down the VMware VirtualCenter Server service and take a backup prior to performing any kind of database maintenance. If you have experienced DB administrators you can do the tasks online.

Regular Reorganize Database Task

One of the performance suggestions buried in the VMware KB is to regularly reorganize the indexes, since the historical statistics tables get unwieldy. You can do this manually or schedule a job to do it by running the Maintenance Plan Wizard. Choose only Reorganize Indexes and set the schedule to recur every six hours, every day (or however often you want). This keeps the logical fragmentation of the indices down.

Click through the pages of the wizard until you get to “Define Reorganize Index Task.” Have it only reindex VCDB, choose “Tables and views” in the Object selection, and check “Compact large objects.” Click through until you’re done.
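Added example, not from the original post or the VMware KB: instead of reorganising every index on a six-hour schedule, this PowerShell script reads the fragmentation of each index in VCDB from sys.dm_db_index_physical_stats and reorganises or rebuilds only the ones that need it, using the 5% / 30% thresholds Microsoft documents for ALTER INDEX and ignoring indexes under 1000 pages. Instance name, database name and thresholds are assumptions; the online rebuild switch is off by default because, as noted in the maintenance plan steps above, it is an Enterprise Edition feature.

```powershell
# Added example, not from the original post. Constructed assumptions: default instance on
# localhost, database VCDB, reorganize at 5% and rebuild at 30% fragmentation, indexes
# under 1000 pages ignored. Needs Invoke-Sqlcmd and db_owner on VCDB.
if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) { Import-Module SqlServer -ErrorAction Stop }

$Instance      = 'localhost'
$VcDb          = 'VCDB'
$ReorgAt       = 5
$RebuildAt     = 30
$MinPages      = 1000
$OnlineRebuild = $false   # ONLINE = ON is an Enterprise Edition feature, as the post notes

# Fragmentation per index, LIMITED mode so the scan itself is cheap
$fragSql = @"
SELECT s.name AS SchemaName, t.name AS TableName, i.name AS IndexName,
       ps.avg_fragmentation_in_percent AS Frag, ps.page_count AS Pages
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.tables  AS t ON t.object_id = ps.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE i.name IS NOT NULL AND ps.page_count >= $MinPages
ORDER BY ps.avg_fragmentation_in_percent DESC;
"@
$rows = Invoke-Sqlcmd -ServerInstance $Instance -Database $VcDb -Query $fragSql

foreach ($r in $rows) {
    $target = "[$($r.IndexName)] ON [$($r.SchemaName)].[$($r.TableName)]"
    if ($r.Frag -ge $RebuildAt) {
        $online = if ($OnlineRebuild) { 'ON' } else { 'OFF' }
        $cmd = "ALTER INDEX $target REBUILD WITH (ONLINE = $online);"
    } elseif ($r.Frag -ge $ReorgAt) {
        # LOB_COMPACTION is the wizard's "Compact large objects" option
        $cmd = "ALTER INDEX $target REORGANIZE WITH (LOB_COMPACTION = ON);"
    } else {
        continue
    }
    '{0,6:N1}% {1,8} pages  {2}' -f $r.Frag, $r.Pages, $cmd
    Invoke-Sqlcmd -ServerInstance $Instance -Database $VcDb -Query $cmd -QueryTimeout 3600
}
```

Run it with the vCenter service stopped unless you are comfortable doing maintenance online, as the warning above says; the printed lines are the audit trail of what was touched and why.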

Understanding DNS on Windows Server 2012

Installing DNS

The process of deploying a DNS server on a Windows Server 2012 computer involves installing the DNS Server role by using the Add Roles and Features Wizard in Server Manager. The actual installation requires no additional input; there are no additional pages in the wizard and no role services to select. Once you install the DNS Server role, the computer is ready to perform caching-only name resolution services for any clients that have access to it. The role also installs the DNS Manager console, which you use to configure the DNS server’s other capabilities.

DNS Queries

  • An iterative query is one where the DNS server may provide a partial answer to the query (or return an error). DNS servers must support non-recursive queries.
  • A recursive query is one where the DNS server will fully answer the query (or return an error). DNS servers are not required to support recursive queries; the resolver (or another DNS server acting recursively on behalf of a resolver) and the server negotiate the use of recursive service using bits in the query header.

Types of DNS Record

[Table: DNS record types]

Creating zones

A zone is an administrative entity you create on a DNS server to represent a discrete portion of the DNS namespace. Administrators typically divide the DNS namespace into zones to store them on different servers and to delegate their administration to different people. Zones always consist of entire domains or subdomains. You can create a zone that contains multiple domains as long as those domains are contiguous in the DNS namespace. For example, you can create a zone containing a parent domain and its child, because they are directly connected, but you cannot create a zone containing two child domains without their common parent, because the two children are not directly connected.

The DNS server in Windows Server 2012 can support as many as 200,000 zones on a single server, although it is hard to imagine a scenario that would require that many. In most cases, an administrator creates multiple zones on a server and then delegates most of them to other servers, which then become responsible for hosting them.
Every zone consists of a zone database, which contains the resource records for the domains in that zone. The DNS server in Windows Server 2012 supports three zone types, which specify where the server stores the zone database and what kind of information it contains. These zone types are as follows:

Forward Lookup Zone

A forward lookup zone is a DNS zone in which hostname-to-IP-address mappings are stored. When a computer requests the IP address of a specific hostname, the forward lookup zone is queried and the result is returned.

Reverse Lookup Zone

A reverse lookup zone does just the opposite. When a computer requests the hostname of an IP address, the reverse lookup zone is queried and the result is returned.

Primary/Active Directory Integrated Zone

Zones that are integrated with Active Directory Domain Services (AD DS) use directory replication to transfer zone data between DNS servers. Zones that are not integrated with AD DS (that is, that store zone data in files) use conventional zone transfer to propagate zone changes among primary and secondary DNS servers. Zones that are integrated with AD DS usually require little or no management apart from the management of the corresponding AD DS forests and domains. Active Directory–integrated zones do not ordinarily employ secondary DNS servers.

Secondary Zones

Secondary servers can be used as backups for DNS clients. This allows you to use secondary servers as a means to create fault tolerant and load balanced DNS query traffic on your network and reserve your DNS-enabled primary servers for use only by those clients that need them to perform dynamic registration and updates of their A and PTR RRs. Secondary DNS servers maintain a read-only copy of zone data that is transferred periodically from the primary DNS server for the zone. You can configure DNS clients to query secondary DNS servers instead of (or in addition to) the primary DNS server for a zone, reducing demand on the primary server and ensuring that DNS queries for the zone will be answered even if the primary server is not available.

Stub zones

Stub zones are used when you want a DNS server hosting a parent zone to remain aware of the authoritative DNS servers for one of its child zones. If the stub zone for a child zone is hosted on the same DNS server as the parent zone, the DNS server hosting the stub zone will receive a list of all new authoritative DNS servers for the child zone when it requests an update from the stub zone’s master server. This method of updating the DNS server hosting the parent zone maintains a current list of the authoritative DNS servers for the child zone as they are added and removed.

A conditional forwarder is not an efficient method of keeping a DNS server hosting a parent zone aware of the authoritative DNS servers for a child zone. If you used this method, whenever the authoritative DNS servers for the child zone changed, the conditional forwarder setting on the DNS server hosting the parent zone would have to be manually configured with the IP address for each new authoritative DNS server for the child zone.

Caching Server

Caching servers can also be arranged in a hierarchy. This makes sense in cases where the network capacity is limited and/or the network latency between the DNS client and the rest of the Internet is high. When connecting a laptop to the Internet through a slow dial-up connection it makes sense to run a caching server right on the laptop. This way each click on a hyperlink on the same website will not cause DNS-related traffic over the dial-up link. Such a local caching server is often configured to send all queries for which it does not have cached answers to the ISP's caching server in turn. Sometimes corporate networks have local caching servers that in turn send queries to a corporate caching server before they are sent out to the Internet. This way the corporate caching server can build a large cache based on queries from the whole enterprise.

Types of DNS Configuration

Interfaces

Use this tab to select the IP addresses on which the DNS server will listen for queries.

Forwarder

A forwarder is a Domain Name System (DNS) server on a network that you can use to forward DNS queries for external DNS names to DNS servers outside that network. You can also use conditional forwarders to forward queries according to specific domain names.

A DNS server on a network is designated as a forwarder when you configure the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet

To use forwarders to manage the DNS traffic between your network and the Internet, configure your network’s firewall to allow only a dedicated set of DNS servers to communicate with the Internet. When you configure other DNS servers in your network to forward queries that they cannot resolve locally to these designated DNS servers, they act as your forwarders. DNS servers that forward queries to the Internet should not host zones to avoid exposing your internal network namespace to external attackers.

Advanced

Use this tab to set advanced settings.

Root Hints

Use this tab to specify the servers to be used for root hints when forwarders are not configured or do not respond. The 13 root name server names are located in a domain called root-servers.net and are named using letters of the alphabet. The servers are scattered around the world on different subnets to provide fault tolerance.

Debug Logging

Use this tab to configure packet-level logging for debugging purposes.

Event Logging

Use this tab to specify the types of events that will be recorded in the DNS event log.

Trust Anchors

Trust Anchors is a feature introduced in Windows Server 2008 R2 and Windows 7. We can now sign and host DNSSEC-signed (Domain Name System Security Extensions) zones to provide more security in our DNS infrastructure.

Monitoring

Use this tab to perform tests to verify the correct server configuration.

Security

Use this tab to set permissions for the DNS server.

Conditional forwarders

A conditional forwarder setting configures the DNS server to forward a query it receives to a DNS server depending on the DNS name contained in the query. In situations where you want DNS clients in separate networks to resolve each other's names without having to query DNS servers on the Internet, such as in the case of a company merger, you should configure the DNS servers in each network to forward queries for names in the other network. DNS servers in one network will forward names for clients in the other network to a specific DNS server that will build up a large cache of information about the other network. When forwarding in this way, you create a direct point of contact between two networks’ DNS servers, reducing the need for recursion.

Stub zones do not provide the same server-to-server benefit because a DNS server hosting a stub zone in one network will reply to queries for names in the other network with a list of all authoritative DNS servers for the zone with that name, instead of the specific DNS servers you have designated to handle this traffic. This configuration complicates any type of security settings that you want to establish between specific DNS servers running in each of the networks.
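As an added example (not from the original post), the following DnsServer module commands implement the conditional forwarder from steps 3 and 4 of the trust checklist earlier on this page and the forwarder design described in the Forwarder section, then audit what the server is actually doing. The names and addresses (corp.example.com, partner.example.net, 10.20.0.10/11, 10.0.0.53/54) are constructed; it must run elevated on a Windows Server 2012 DNS server.

```powershell
# Added example, not from the original post. Constructed assumptions: this server is a DC
# in corp.example.com; the partner forest partner.example.net has DNS servers 10.20.0.10
# and 10.20.0.11; 10.0.0.53 and 10.0.0.54 are the dedicated Internet-facing forwarders.
Import-Module DnsServer -ErrorAction Stop

$PartnerZone    = 'partner.example.net'
$PartnerDns     = '10.20.0.10', '10.20.0.11'
$EdgeForwarders = '10.0.0.53', '10.0.0.54'

# Checklist step 3 (partner DNS runs Windows): conditional forwarder for the partner
# namespace, replicated to every DC in the forest so all internal DNS servers learn it.
if (-not (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PartnerZone -MasterServers $PartnerDns -ReplicationScope 'Forest'
}

# Checklist step 4 (partner DNS is not Windows): a secondary zone pulled from the partner
# instead of a conditional forwarder. Run one or the other, not both.
# Add-DnsServerSecondaryZone -Name $PartnerZone -ZoneFile "$PartnerZone.dns" -MasterServers $PartnerDns

# Forwarder section: anything this server cannot resolve locally goes to the dedicated
# forwarders, with root hints only as a fallback if they do not respond.
Set-DnsServerForwarder -IPAddress $EdgeForwarders -UseRootHint $true

# Audit: is recursion on, where do queries go, and which namespaces are forwarded where
Get-DnsServerRecursion | Select-Object Enable, Timeout
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' | Select-Object ZoneName, MasterServers

# Checklist steps 1-2 verification: the partner's DC locator records now resolve from here
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerZone" -Type SRV -DnsOnly |
    Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port
```

The audit lines are the useful part to keep in a scheduled job: a server that is supposed to be an internal forwarder target but shows recursion disabled, or an unexpected entry in the Forwarder zone list, is exactly the kind of drift that breaks cross-forest authentication quietly.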

Zone Delegation

Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When you are deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:

  • You want to delegate management of part of your DNS namespace to another location or department in your organization.
  • You want to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more-fault-tolerant DNS environment.
  • You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.

If, for any of these reasons, you can benefit from delegating zones, it might make sense to restructure your namespace by adding additional zones. When you are deciding how to structure zones, use a plan that reflects the structure of your organization.

When you delegate zones within your namespace, remember that for each new zone that you create, you need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being made authoritative for the new zone.

When a standard primary zone is first created, all the resource record information is stored as a text file on a single DNS server. This server acts as the primary master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.

When you are structuring your zones, there are several good reasons to use additional DNS servers for zone replication:

  • Added DNS servers provide zone redundancy, which makes it possible for DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.
  • Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed, wide area network (WAN) link can be useful in managing and reducing network traffic.
  • Additional secondary servers can be used to reduce loads on a primary server for a zone.
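
The conditional forwarder and zone delegation described above, expressed with the DnsServer PowerShell module (Windows Server 2012 and later) as an added example that is not part of the original post. It assumes you run it as an administrator on the DNS server; partner.example, 10.0.0.53, the branch child zone and 10.1.0.10 are constructed placeholders.

```powershell
# Added example, not from the original post. Placeholders: partner.example and
# 10.0.0.53 stand for the other network's zone and its designated DNS server;
# branch / ns1.branch.contoso.com / 10.1.0.10 stand for a newly delegated child zone.
Import-Module DnsServer

# Conditional forwarder: every query for partner.example goes only to the partner's
# designated server, so there is no recursion out to the Internet and a single
# server-to-server path that can be firewalled and monitored.
Add-DnsServerConditionalForwarderZone -Name 'partner.example' `
    -MasterServers 10.0.0.53 -ReplicationScope Forest

# Contrast (not run): a stub zone would copy the partner's full NS list and the server
# would answer with all of those authoritative servers instead of the one you designated,
# which is the complication the text describes.
# Add-DnsServerStubZone -Name 'partner.example' -MasterServers 10.0.0.53 -ReplicationScope Forest

# Zone delegation: the parent zone needs NS records (plus glue A records) that point at the
# servers authoritative for the new child zone, otherwise referrals for branch.contoso.com fail.
Add-DnsServerZoneDelegation -Name 'contoso.com' -ChildZoneName 'branch' `
    -NameServer 'ns1.branch.contoso.com' -IPAddress 10.1.0.10

# Verify what was created and that the forwarder path actually resolves names.
Get-DnsServerZone -Name 'partner.example' | Select-Object ZoneName, ZoneType, MasterServers
Get-DnsServerZoneDelegation -Name 'contoso.com' -ChildZoneName 'branch'
Resolve-DnsName -Name 'host.partner.example' -Type A -Server localhost
```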

Dynamic Access Control on Server 2012

What is Dynamic Access Control?

Controlling access and ensuring compliance are essential components of IT systems in today’s business environment. Windows Server 2012 includes enhancements that provide improved authorization for file servers to control and audit who is able to access data on them. These enhancements are described under the umbrella name of Dynamic Access Control and enable automatic and manual classification of files, central access policies for controlling access to files, central audit policies for identifying who accessed files, and the application of Rights Management Services (RMS) protection to safeguard sensitive information.

Dynamic Access Control is enabled in Windows Server 2012 through the following new features:

  • A new authorization and audit engine that supports central policies and can process conditional expressions
  • A redesigned Advanced Security Settings Editor that simplifies configuration of auditing and determination of effective access.
  • Kerberos authentication support for user and device claims
  • Enhancements to the File Classification Infrastructure (FCI) introduced previously in Windows Server 2008 R2
  • RMS extensibility to allow partners to provide solutions for applying Windows Server-based RMS to non-Microsoft file types

There is one good rule of thumb to remember when you're deploying DAC into existing Windows networks: NTFS permissions won't give more access than a claims-based rule allows, and a claims-based rule won't give more permission than NTFS allows.

Instructions

Step 1 – Open Active Directory Administrative Center

  • Click Server Manager.
  • Click Tools, and then click Active Directory Administrative Center.
  • NOTE: Active Directory Administrative Center provides functionality that is separate from, but overlapping with, Active Directory Users and Computers.
  • Click the Tree View icon to simplify navigation.

Step 2 – Configure claim types for users

In this step, you will add two existing Active Directory attributes to the list of attributes which can be used when evaluating Dynamic Access Control. The user’s country value and department value will be part of the calculation that determines if they have access to specific files.

  • In Active Directory Administrative Center, expand Dynamic Access Control, and then click Claim Types.
  • Click New, and then click Claim Type.
  • In the Source Attribute list, click Department, and then click OK.
  • NOTE: This uses the existing Active Directory attribute.

  • Click New, and then click Claim Type.
  • In the Source Attribute list, click C, and then in Display name, type Country.
  • NOTE: This uses the existing Active Directory attribute.
  • Click OK.

Step 3 – Configure resource properties for files

In this step, you will configure the properties which will be downloaded by file servers and used to classify files. Future dynamic access control rules will compare user attribute values with resource properties. The list of resource properties is predefined by Microsoft as a starter set of properties that can be used by most organizations. You can enable existing properties or create new ones. You will add a resource property to match the country claim, and then enable the existing department property to match the department claim.

  • In Active Directory Administrative Center, click Resource Properties.
  • Click New, and then click Resource Property.
  • In Display name, type Country.

  • Click Add.
  • In Value and Display Name, type US, and then click OK.
  • Click Add.

  • In Value and Display Name, type JP, and then click OK.

  • Click OK.
  • NOTE: The Country property is now listed and is enabled.

  • In the Resource Properties, under ID, locate the Department_MS property.
  • Click Department_MS, and then click Enable.

  • NOTE: The Department property is now enabled as well.

Step 4 – Add resource properties to the global list

Each resource property must be added to at least one resource property list before it is downloaded by file servers. The global resource property list is downloaded by all file servers; however, individual lists can be created and delivered to specific file servers using Group Policy.

  • In Active Directory Administrative Center, click Resource Property Lists.
  • Click Add resource properties.
  • Select Country and Department, and then click the Add button (>>).
  • Click OK.

Step 5 – Create a new central access rule

In this step, you will create a new central access rule. This is similar to an access control list (ACL) in that it describes which conditions must be met in order for file access to be granted. In this specific rule, you will require that the user account's department and country attributes match the file's department and country attributes before access is granted.

  • In Active Directory Administrative Center, click Central Access Rules.
  • Click New, and then click Central Access Rule.
  • In Name, type Department-Country-Match-Required.
  • Under Target Resources, click Edit.
  • Click Add a condition.
  • Add the condition Resource-Country-Exists.
  • Click Add a condition.
  • Add the condition Resource-Department-Exists.
  • Click OK.

  • In Permissions, select Use the following permissions as current permissions.
  • NOTE: This setting enforces dynamic access control. The default setting will only create audit log entries and is used for impact analysis prior to implementation.
  • In Permissions, click Edit.
  • Click Add.
  • Click Select a principal, and then type Authenticated.
  • NOTE: This will automatically select Authenticated Users.

  • Click OK.
  • In Permissions, check the Full Control check box.
  • Click Add a condition.
  • Add the condition User-Country-Equals-Resource-Country.
  • Click Add a condition.
  • Add the condition User-Department-Equals-Resource-Department.

  • IMPORTANT: In creating this rule, the list of attributes for the user is generated by the list of attributes used for claim types. The list of attributes for the resource is generated by the list of enabled resource properties.
  • Click OK three times to return to Active Directory Administrative Center.

Step 6 – Create a central access policy

In this step, you will take the new rule and add it to a central access policy. A central access policy is a group of rules that are enforced as a unit. A file or folder can have only one central access policy applied to it.

  • In Active Directory Administrative Center, click Central Access Policies.
  • Click New, and then click Central Access Policy.
  • In Name, type Contoso File Server Policy, and then click Add.
  • Click Department-Country-Match-Required, and then click the Add button (>>).

  • Click OK.
  • Click OK.

Step 7 – Publish the central access policy with Group Policy

In this step, you will create a new Group Policy Object (GPO) to deliver the central access policy to your file servers. This will make the policy available, but will not enforce it on individual files or folders.

  • Open Server Manager.
  • On the Tools menu, click Group Policy Management.
  • Under Domains, click Contoso.com.
  • Click Action, and then click Create a GPO in this domain and link it here.
  • Type Dynamic Access Control Policy, and then click OK.
  • Expand Contoso.com, click Dynamic Access Control Policy, and then click OK.
  • In Security Filtering, click Authenticated Users, click Remove, and then click OK.
  • Click Add.
  • Click Object Types, check Computers, and then click OK.
  • Type Server1, and then click OK.
  • NOTE: We are limiting this GPO to be applied only on Server1.

  • Right-click Dynamic Access Control Policy, and then click Edit.
  • Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/File System, and then click Central Access Policy.

  • On the Action menu, click Manage Central Access Policies.
  • Click Contoso File Server Policy, and then click Add.

Step 8 – Enable Kerberos armoring for domain controllers

In this step, you will enable Kerberos armoring for domain controllers, which ensures that Kerberos tickets contain the required claims information which can then be evaluated by file servers.

  • In Group Policy Management Console, navigate to Contoso.com, and then click Default Domain Policy.
  • Click OK.
  • On the Action menu, click Edit.
  • Navigate to Computer Configuration/Policies/Administrative Templates/System/KDC.
  • Click KDC Support for claims, compound authentication, and Kerberos armoring.
  • NOTE: This setting must be applied to all domain controllers in your organization to extend the Kerberos protocol to support Dynamic Access Control. You can do this in any manner which is appropriate for your organization.
  • Kerberos armoring addresses security concerns that dogged Kerberos authentication, such as vulnerability to brute force attacks and spoofing. With Kerberos armoring, a secured tunnel is created between a domain client and a domain controller.

  • On the Action menu, click Edit, and then select Enabled.
  • Click OK.
  • Navigate to Computer Configuration/Policies/Administrative Templates/System/Kerberos.
  • Click Kerberos client support for claims, compound authentication, and Kerberos armoring.
  • NOTE: This setting must be applied to all clients in your organization to extend the Kerberos protocol to support Dynamic Access Control. You can do this in any manner which is appropriate for your organization.

  • On the Action menu, click Edit, and then select Enabled.
  • Click OK.
  • Close Group Policy Management Editor.

Step 9 – Deploying a File Server with Dynamic Access Control

In this exercise, you will install the required components for Dynamic Access Control on a file server, and then configure the resource properties of a folder.

Install the file server roles and role features

In this step, you will install the file server role and the file server resource manager role service.

  • Open Server Manager.
  • In Server Manager, click Add Roles and Features.
  • Click Next at each step of the wizard until you reach the Select server roles page.
  • Expand File and Storage Services (Installed).
  • Check File and iSCSI Services, and then expand File and iSCSI Services.
  • NOTE: File Server Resource Manager is required to manage DAC properties locally.

Step 10 – Add classification data to the file share

In this step, you will classify the files in the file share by adding and configuring the resource properties you defined in Step 3.

  • In Windows Explorer, navigate to C:\Shares on the File Server.
  • Right-click CorpData, and then click Properties.
  • Click the Classification tab.
  • NOTE: The two defined resource properties are available.
  • IMPORTANT: If you do not see Country and Department, run the Windows PowerShell command Update-FSRMClassificationPropertyDefinition, as this will force the update to occur. You will need to reopen the properties box after this command.

  • In CorpData Properties, click Country, click JP, and then click Apply.
  • Click Department, and then click Finance.
  • NOTE: The department list is present because the resource property Department is predefined by Microsoft and contains this set of default department names.

  • Click Apply and leave the Properties window open.

Step 11 – Add the central access policy to the CorpData folder

In this step, you will configure the CorpData folder to use the central access policy you created in Step 6 as part of the access control evaluation process.

  • Click Windows PowerShell.
  • Type GPUpdate /Force, and then press ENTER. Wait for Group Policy to refresh.
  • NOTE: This is required to ensure the central policy defined by the Dynamic Access Control Policy GPO is applied to this system. Under normal circumstances, the regular group policy refresh would perform this step.
  • Switch to the CorpData Properties window.
  • On the Security tab, click Advanced.
  • Click Central Policy, and then click Change.
  • Select Contoso File Server Policy, and then click Apply.

  • NOTE: You can use this screen to review the policy rules and the conditions when selecting the policy.
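
Steps 2 to 6 above can also be scripted. The following is an added example, not part of the original walkthrough: the ActiveDirectory module equivalents of creating the claim types, resource properties, central access rule and central access policy. It assumes an elevated PowerShell session on a Windows Server 2012 domain controller (or RSAT host) as a domain administrator; the claim and resource-property IDs are read back from AD rather than hard-coded, because AD generates the claim IDs.

```powershell
# Added example, not from the original walkthrough. Assumption: ActiveDirectory
# module available and the session runs as a domain administrator.
Import-Module ActiveDirectory

# Step 2: claim types sourced from the existing user attributes department and c
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department'
New-ADClaimType -DisplayName 'Country'    -SourceAttribute 'c'
$deptClaimId    = (Get-ADClaimType -Filter 'DisplayName -eq "Department"').ID
$countryClaimId = (Get-ADClaimType -Filter 'DisplayName -eq "Country"').ID

# Step 3: a new single-valued Country resource property with the values US and JP,
# then enable the Microsoft-predefined Department property (ID Department_MS)
$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('US', 'US', 'United States')
$jp = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('JP', 'JP', 'Japan')
New-ADResourceProperty -DisplayName 'Country' -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SuggestedValues $us, $jp
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
$countryResId = (Get-ADResourceProperty -Filter 'DisplayName -eq "Country"').ID
$deptResId    = (Get-ADResourceProperty -Filter 'DisplayName -eq "Department"').ID

# Step 4: file servers only download properties that are on a resource property list
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $countryResId, $deptResId

# Step 5: the central access rule. Target resources: files that carry both properties.
# Permissions: Authenticated Users (AU) get Full Control (FA) only when the user's claims
# equal the file's properties. XA is a conditional (callback) allow ACE; -CurrentAcl enforces
# the rule, whereas -ProposedAcl would be the audit-only staging setting the NOTE above describes.
$resourceCondition = "(Exists @RESOURCE.$countryResId) && (Exists @RESOURCE.$deptResId)"
$conditionalAcl    = 'O:SYG:SYD:AR' +
    "(XA;;FA;;;AU;((@USER.$countryClaimId == @RESOURCE.$countryResId) && " +
    "(@USER.$deptClaimId == @RESOURCE.$deptResId)))"
New-ADCentralAccessRule -Name 'Department-Country-Match-Required' `
    -ResourceCondition $resourceCondition -CurrentAcl $conditionalAcl

# Step 6: wrap the rule in a central access policy (a folder can carry only one policy)
New-ADCentralAccessPolicy -Name 'Contoso File Server Policy'
Add-ADCentralAccessPolicyMember -Identity 'Contoso File Server Policy' `
    -Members 'Department-Country-Match-Required'

# Review what the GUI shows on the rule's Permissions page
Get-ADCentralAccessRule -Identity 'Department-Country-Match-Required' |
    Select-Object Name, ResourceCondition, CurrentAcl
```

Steps 7 to 11 (the GPO, Kerberos armoring and the folder's classification and central policy) still have to be done as described above.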

Testing an install of Microsoft Virtual Machine Manager 2012 SP1 on Windows 2012

What is Microsoft Virtual Machine Manager?

Virtual Machine Manager (VMM) is a management solution for the virtualized datacenter, enabling you to configure and manage your virtualization host, networking, and storage resources in order to create and deploy virtual machines and services to private clouds that you have created.

Pre-Requisites

Your servers may differ slightly in how many roles you put on one server, but you will generally need the following. I am going to presume you have a Domain Controller and a Hyper-V Server.

  • 1 x Windows 2008 or Windows 2012 Domain Controller
  • 1 x Windows 2012 Server running Microsoft Virtual Machine Manager
  • 1 x Windows 2012 Server running Microsoft SQL Server 2008 or 2012
  • 1 x Windows 2012 Server running Hyper-V 2012 Server for testing VMM. Note: You will need to add hypervisor.cpuid.v0 = "FALSE", mce.enable = "TRUE" and vhv.enable = "TRUE" to the .vmx file if this server is a VM running on VMware.
  • For System Center 2012 – Virtual Machine Manager: Windows Automated Installation Kit (AIK) for Windows 7
  • For VMM in System Center 2012 SP1: Windows Assessment and Deployment Kit (ADK) for Windows 8. SCVMM Management Server only requires the Deployment Tools and Windows PE components.
  • For System Center 2012 – Virtual Machine Manager: At least Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
  • For VMM in System Center 2012 SP1: Microsoft .NET Framework 4.
  • The computer on which you install the VMM management server must be a member of an Active Directory domain.
  • The name of the computer on which you install the VMM management server cannot exceed 15 characters.
  • The SCVMM machine name cannot include "-SCVMM-" (for example, My-SCVMM-Server) but can be called SCVMM.
  • If using Dynamic memory the start-up RAM must be at least 2048 MB.  This demo uses 4096 MB of RAM.
  • It is also recommended that the SQL Command Line Tools and Native Client Tools are installed on the SCVMM server. See links at the end of this article. We have used the SQL 2012 versions here.
  • Membership in the local Administrators group, or equivalent, on the computer that you are configuring is the minimum required to complete this procedure.

Extra Notes on SQL Server

In System Center 2012 Service Pack 1 (SP1) you can take advantage of the AlwaysOn feature in Microsoft SQL Server 2012 to ensure high availability of the VMM database. To configure SQL Server with the AlwaysOn feature, complete both procedures below. For more information about the AlwaysOn feature and AlwaysOn availability groups, see the following:

Before you begin the installation of the VMM management server, ensure that you have a computer with a supported version of Microsoft SQL Server installed and running. Unlike VMM 2008 R2, System Center 2012 – Virtual Machine Manager will not automatically install an Express edition of SQL Server.

Instructions

  • Firstly make sure you have Windows Server 2012 installed on your VMM Server
  • Click Manage > Install Roles and Features on your VMM Server

  • Select Installation type as Role based or Feature based installation

  • Select Destination Server

  • Go to Roles and select Web Server (IIS)

  • Click Add Features > Next

  • Select Features

  • Read the Information

  • Add Windows Authentication

  • Check Install Information and tick Restart if required

  • Click Install

  • Next Install Windows Assessment and Deployment Kit which you should have downloaded and copied to your VMM Server ready to install
  • Note: this takes a long time to install!
  • The Windows ADK is a collection of tools that you can use to customise, assess and deploy Windows operating systems to new computers. It is a prerequisite for VMM 2012 SP1 and is used for bare metal deployment of Hyper-V servers.
  • Specify Location

  • Join the Customer Improvement Program

  • Accept the License Agreement

  • Select the Features to Install. You generally need Deployment Tools and Windows Pre-Installation Environment (Windows PE)

  • Click Install

  • On the SCVMM server – install the SQL 2012 Native Client with SQL 2012 Command Line Utilities to follow
  • SQL Native Client contains runtime support for applications using native code APIs (ODBC, OLE DB and ADO) to connect to Microsoft SQL Server 2005, 2008, 2008 R2 and 2012. SQL Native Client is used to enhance applications that need to take advantage of new SQL Server 2012 features.

  • Accept the License Agreement

  • Choose your Features in the Feature Selection Box

  • Install

  • Next Install SQL 2012 Command Line Utilities
  • The SQLCMD utility allows users to connect to, send Transact-SQL batches to, and output row set information from SQL Server 2008, 2008 R2 and 2012. It is used to enhance applications that need to take advantage of new SQL Server 2012 features.

  • Accept License Agreement

  • Click Install

  • Next go to your SQL Server 2012 Server
  • Attach the SQL ISO
  • Run the Installer > New SQL Server stand-alone installation

  • Setup Support Rules will run > Click Next

  • Choose Specify the free edition

  • Accept the License Terms

  • Select Next to Install Product Updates if connected to the internet

  • You will see the status of the updating

  • Check Setup Support Rules

  • Choose SQL Server Feature Installation

  • Select All on the Feature Installation and choose where you want to install the Shared Feature Directories

  • Check Installation Rules

  • Just keep the Default Instance for now – MSSQLSERVER

  • Check Disk Space Requirements

  • Check SQL Server Service Accounts and add your own as required

  • Check Collation

  • Database Engine Configuration > Choose Mixed Mode and add the Domain Admin

  • Choose Data Directories

  • Check Analysis Services Settings

  • Reporting Services Configuration > Choose Install Only

  • Distributed Replay Controller > Just add the current user

  • Distributed Replay Client

  • Check Error Reporting

  • Installation Configuration Rules check

  • Ready to Install

  • Click Install

  • Don’t forget to go into SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for MSSQLSERVER and enable Named Pipes and TCP/IP

  • Restart SQL Services once this is done and it should look like the below

  • I also found I had to add my Domain Admin account to the Local Administrators group on the SCVMM and SQL Server or I got a message saying “Setup cannot connect to the specified SQL Server Instance. Ensure the server name is correct etc”
  • I also found that I had to adjust the hosts file in c:\Windows\System32\Drivers\etc on both the SCVMM Server and SQL Server and add a mapping for the SQL Server.
  • Now you are ready to install Microsoft VMM
  • Launch the Installer
  • Click Install

  • Choose Features
  • Select VMM Server, VMM Administrator Console

  • Put in Product Registration Information > Name, Organisation and Product Key if you have one. If not it will enter Evaluation Mode

  • Accept the License Agreement

  • Choose an option for the Customer Service Program

  • Turn on Microsoft Update

  • Select Installation Location

  • Pre-Requisite Checking will then run. You can see I need to put more memory in my VM

  • Put in your Database configuration. In my case I am using a separate SQL 2012 Server called DACVSQL002
  • Change the Database Name if you want to and the port is usually 1433
  • If you find you experience connection errors, then you will need to adjust firewall ports

  • Put in Service Account Information
  • Ignore Distributed Key Management for now
  • DKM is used to store VMM encryption keys in Active Directory Domain Services. By default, using the Windows Data Protection API (DPAPI), VMM encrypts some data in the VMM database (for example the Run As account credentials and passwords), and this data is tied to the VMM server and the service account used by VMM. With DKM, however, different machines can securely access the shared data. Once an HA VMM node fails over to another node, it will start accessing the VMM database and use the encryption keys stored under a container in AD to decrypt the data in the VMM database.

  • Check Port Configuration Information

  • Specify a Share for the Virtual Machine Manager Library

  • Check the Installation Summary

  • Install

  • Once finished it should look like the following

  • If there is a problem with setup completing successfully, consult the log files in the %SYSTEMDRIVE%\ProgramData\VMMLogs folder. ProgramData is a hidden folder.
  • Connect to VMM Console

  • You will now see the VMM Console

  • Next explore around VMM 2012.
  • Create a Run As account

  • Practice adding a host group and a Hyper-V host.
  • Right-click All Hosts and select Create Host Group.
  • Right-click the new host group and select Add Hyper-V Hosts and Clusters.

  • Specify credentials to use for discovery. Use your previously created Run As account.

  • Choose the scope to search for the Hosts you want or add them manually

  • Choose your Hyper-V Server

  • Choose Host Group and Virtual Machine Placement

  • Choose Migration Settings

  • Check Summary and Confirm Details

  • You will see the job start in the job window
  • Check any warnings post addition

  • See the articles below by Scott Lowe which walk you through VMM 2012

Links

Windows 2012 Domain Controller Command Line Tools

Once you install the Windows 2012 Domain Controller role, you will find you are able to right-click the server in the console, and a menu will appear showing that you can connect to several different command line tools. This looks like a very handy feature to have, so let's have a deeper look at these tools.

You can run these commands in the Active Directory Module for Windows PowerShell or cmd.exe.

What does Dcdiag.exe do?

This command-line tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests that can be run individually or as part of a suite to verify domain controller health and DNS health.

What does Dsacls.exe do?

Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.

What does Dsdbutil.exe do?

Dsdbutil is a command-line tool that is built into Windows Server 2008. It is available if you have the AD LDS server role installed. To use dsdbutil, you must run the dsdbutil command from an elevated command prompt. It performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer.

What does Dsmgmt.exe do?

Dsmgmt is a command-line tool which is available if you have the AD LDS server role installed. To use dsmgmt, you must run the dsmgmt command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. It facilitates managing Active Directory Lightweight Directory Services (AD LDS) application partitions, managing and controlling flexible single master operations (FSMO), and cleaning up metadata that is left behind by abandoned Active Directory domain controllers and AD LDS instances. (Abandoned domain controllers and AD LDS instances are those that are removed from the network without being uninstalled.)

What does Gpfixup.exe do?

This tool is used to fix domain name dependencies in Group Policy Objects (GPOs) and Group Policy links after a domain rename operation.

What does ldp.exe do?

This GUI tool is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory. LDP is used to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata. LDP is a GUI-based, Windows Explorer–like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying the results of the LDAP operations. Any text displayed in the details pane can be selected with the mouse and “copied” to the Clipboard.

  • Connect through PowerShell to ldp.exe
  • Click Connection
  • Put in your DC Name
  • You are then connected and ready to use the tool

http://technet.microsoft.com/en-us/library/cc756988%28v=ws.10%29.aspx

What does Netdom.exe do?

This command-line tool enables administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from the command line. You can join a machine to a domain, manage computer accounts for domain member workstations and member servers, establish one-way or two-way trust relationships between domains (including certain kinds of trust relationships), verify and/or reset the secure channel, and manage trust relationships between domains.

http://technet.microsoft.com/en-us/library/cc781853%28v=ws.10%29.aspx 

What does Nltest.exe do?

Nltest.exe is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). This tool can do the following:

  • Get a list of domain controllers
  • Force a remote shutdown
  • Query the status of trust
  • Test trust relationships and the state of domain controller replication in a Windows domain
  • Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

http://technet.microsoft.com/en-us/library/cc731935%28v=WS.10%29.aspx

What does Ntdsutil.exe do?

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.

What does Repadmin do?

This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.

Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.

http://technet.microsoft.com/en-us/library/cc736571%28v=ws.10%29.aspx

What does W32tm.exe do?

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such.

http://technet.microsoft.com/en-us/library/cc773263%28v=WS.10%29.aspx
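
As an added example that is not from the original post, the following function strings together the tools described above (dcdiag, repadmin /showrepl /csv, nltest and w32tm) into one read-only health report. It assumes an elevated prompt on a domain-joined machine with the AD DS tools installed; dacmt.local is the domain used elsewhere in this post, and the domain controller defaults to the one that logged you on.

```powershell
# Added example, not from the original post. Assumption: the AD DS command line
# tools are installed and the session is elevated; $Domain and $DC are placeholders.
function Get-DcHealthReport {
    param(
        [string]$Domain = 'dacmt.local',
        [string]$DC     = $env:LOGONSERVER.TrimStart('\')
    )

    # dcdiag /q prints only failures, so an empty result means every test passed
    $dcdiagErrors = dcdiag /s:$DC /q

    # repadmin /showrepl /csv: one row per replication partner and naming context.
    # Rows with a non-zero failure count are the ones to alert on.
    $repl = repadmin /showrepl $DC /csv | ConvertFrom-Csv
    $replFailures = $repl |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'

    # Secure channel from this machine to a domain controller of $Domain
    $scOutput = nltest /sc_verify:$Domain

    # Time offset against the DC; Kerberos tolerates 5 minutes of skew by default,
    # so a growing offset here shows up later as authentication failures.
    $skew = w32tm /stripchart /computer:$DC /samples:3 /dataonly

    [pscustomobject]@{
        DomainController    = $DC
        DcdiagErrors        = @($dcdiagErrors)
        ReplicationFailures = @($replFailures)
        SecureChannelOk     = (($scOutput -join "`n") -match 'NERR_Success')
        TimeSkewSamples     = @($skew)
    }
}

Get-DcHealthReport | Format-List
```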

Installing a Windows Server 2012 Domain Controller and DNS

Installing a new DC

  • Install Windows Server 2012
  • Click Manage > Install Roles and Features
  • The Add Roles and Features Wizard will start

  • Click Next
  • Choose Role based or Feature installation

  • Select the Server

  • Click Next and Choose Active Directory Domain Services

  • A box will pop up as per below
  • Click Add Features

Step-5

  •  Click DNS as well

step-9

  • A box will pop up
  • Click Add Features

Step-8

  • Click Next
  • Read the Notes

Step-7

  • Read the Notes about the DNS Server

step-10

  • Select Restart

Step-11

  • You will get the following message after selecting the checkbox for Restarting

step-12

  • Click Install
  • The final screen will show the progress of the install

step13

  • You can also Export Configuration Settings which are in the form of PowerShell commands allowing you to install from these to another DC in the future
  • Click Export Configuration Settings

step14

  • Once AD Domain Services has been installed, you now need to promote this server to be a Domain Controller
  • In Server Manager, you will see a notification triangle in the top right. Click this and you will get the following message

step15

  • Click Promote this server to a Domain Controller

step16

  • I am going to add this Domain Controller to my current domain dacmt.local
  • Click Next

step17

  • Type in a Directory Services Restore Mode Password
  • Click Next
  • Click Next on the DNS Screen

step18

  • Choose your replication option

step19

  • Choose paths for the AD Files
  • Note Best Practice would advise you to separate out these services on different redundant drives but this is just a demo so they all reside on the C Drive

step20

  • Check the Preparation Options

step21

  • Review Options

step22

  • Pre Requisites Check

step23

  • Click Install
  • Reboot when Install is finished
  • Once in Server Manager and you have chosen the AD DS role scroll down and you will see a section called Best Practices Analyzer. You can then go to Tasks and choose to run the BPA scan. This BPA scan can also be run from Windows PowerShell

Microsoft Technet Further Information

http://technet.microsoft.com/library/hh472162.aspx
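The wizard steps above as a single PowerShell script, added here as an example; it is not the configuration the post exports, though it uses the same domain (dacmt.local). The replication source DC, site name and admin account are assumptions for illustration.

```powershell
# Added example, not the post's exported configuration: PowerShell equivalent of the wizard.
Import-Module ServerManager

# Steps 1-13: add the AD DS role; DNS is added alongside it as the wizard does
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

# Step 17: the DSRM password is prompted for rather than written into the script
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

Import-Module ADDSDeployment
$promote = @{
    DomainName                    = 'dacmt.local'                  # step 16: existing domain from the post
    Credential                    = Get-Credential -Message 'Domain admin account'   # assumption
    InstallDns                    = $true                          # step 17: DNS screen
    SafeModeAdministratorPassword = $dsrm                          # step 17
    ReplicationSourceDC           = 'dc01.dacmt.local'             # step 18: assumed source DC
    SiteName                      = 'Default-First-Site-Name'      # assumption
    DatabasePath                  = 'C:\Windows\NTDS'              # step 19: the post keeps all on C:
    LogPath                       = 'C:\Windows\NTDS'              # (separate redundant drives in production)
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Force                         = $true                          # suppress confirmation prompts
}

# Step 22: prerequisites only, nothing is changed yet
Test-ADDSDomainControllerInstallation @promote | Format-List

# Step 23: promote; the server reboots on completion unless -NoRebootOnCompletion is given
Install-ADDSDomainController @promote

# After the reboot: the Best Practices Analyzer scan the post runs from Server Manager
Import-Module BestPractices
Invoke-BpaModel 'Microsoft/Windows/DirectoryServices' | Out-Null
Get-BpaResult 'Microsoft/Windows/DirectoryServices' |
    Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Category, Title | Format-Table -AutoSize
```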

Changing between Windows Server 2012 Installation Types


As in Windows Server 2008 and Windows Server 2008 R2, Windows Setup in Windows Server 2012 allows you to choose one of two installation types:

  • Server Core Installation
  • Server with a GUI (also called a full installation)


One of the more interesting new features in Windows Server 2012 is the ability to convert a full installation to a Server Core installation and vice versa. You can switch between a Server Core installation and a full installation in Windows Server 2012 because the difference between these installation options is contained in two specific Windows features that can be added or removed.


Features

  • Server Core. None of the options are selected. No GUI interface.
  • Graphical Management Tools and Infrastructure (Server-Gui-Mgmt-Infra). This provides a minimal server interface and server management tools such as Server Manager and the Microsoft Management Console.
  • Server Graphical Shell (Server-Gui-Shell). It depends on the first feature and provides the rest of the GUI experience, including Windows Explorer.
  • Desktop Experience is a third available GUI feature. It builds on the Server Graphical Shell feature and is not installed by default in the Server with a GUI installation of Windows Server 2012. Desktop Experience makes available Windows 8 client features such as Windows Media Player, desktop themes, and photo management.

The Different Types of Setup

Windows Server 2012 adds a third user interface option: alongside Server with a GUI and Server Core there is something in between, called the Minimal Server Interface.

  • Server Core – always installed and enabled; the baseline feature for all Windows Servers


  • Server Graphical Management Tools & Infrastructure – functionality for Minimal Server Interface. No Desktop, Start Screen, Windows Explorer or Internet Explorer


  • Server Graphical Shell – equivalent to Server with a GUI


Using PowerShell to swap between different Installations

  • Making Server 2012 a Server Core installation
  • Making Server 2012 a Minimal Server Interface installation
  • Making Server 2012 a Server with a GUI (full) installation

[The PowerShell commands for each conversion were shown as screenshots in the original post]
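An added PowerShell example (not the commands from the post's screenshots) that reports which of the three installation types a server is in and switches between them using the two features named above, Server-Gui-Mgmt-Infra and Server-Gui-Shell. It needs an elevated prompt, and every switch only takes effect after a reboot.

```powershell
# Added example, not from the original post: query and change the installation type.
Import-Module ServerManager

function Get-InstallationType {
    $mgmt  = (Get-WindowsFeature Server-Gui-Mgmt-Infra).Installed
    $shell = (Get-WindowsFeature Server-Gui-Shell).Installed
    if ($shell)    { 'Server with a GUI' }
    elseif ($mgmt) { 'Minimal Server Interface' }
    else           { 'Server Core' }
}

function Set-InstallationType {
    [CmdletBinding(SupportsShouldProcess = $true)]   # -WhatIf previews the feature changes
    param(
        [Parameter(Mandatory)][ValidateSet('ServerCore', 'MinimalInterface', 'FullGui')]
        [string]$Type,
        [switch]$Restart
    )
    # If the GUI payload was earlier removed with Uninstall-WindowsFeature -Remove, the
    # Install-WindowsFeature calls below additionally need -Source pointing at install media.
    switch ($Type) {
        # Removing Mgmt-Infra also removes Server-Gui-Shell, which depends on it
        'ServerCore'       { Uninstall-WindowsFeature Server-Gui-Mgmt-Infra }
        # Keep (or add) the management tools, drop the shell if it is present
        'MinimalInterface' { Install-WindowsFeature Server-Gui-Mgmt-Infra
                             Uninstall-WindowsFeature Server-Gui-Shell }
        # Installing the shell pulls in Mgmt-Infra automatically
        'FullGui'          { Install-WindowsFeature Server-Gui-Shell }
    }
    # Reboot once at the end rather than letting each cmdlet restart on its own
    if ($Restart -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart')) {
        Restart-Computer -Force
    }
}

Get-InstallationType
# Preview only; drop -WhatIf and add -Restart to actually convert the server
Set-InstallationType -Type ServerCore -WhatIf
```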

sconfig in a Server Core Installation

In Windows Server 2012, you can use the Server Configuration tool (Sconfig.cmd) to configure and manage several common aspects of Server Core installations. You must be a member of the Administrators group to use the tool.

Sconfig.cmd is also available in the Minimal Server Interface and in Server with a GUI modes.


Reference Table

[Reference table shown as an image in the original post]

Quest ActiveRoles Management Shell for Active Directory

The ActiveRoles Management Shell for Active Directory is a set of predefined commands for Windows PowerShell, the new command line and scripting language developed by Microsoft. These commands are designed to help administrators automate common, repetitive and bulk management tasks such as creating, removing or updating objects in Active Directory.
By using the ActiveRoles Management Shell for Active Directory to build your scripts, you can harness Quest ActiveRoles Server to leverage proven rules, roles, workflow and attestation features giving you a robust management option for Windows PowerShell and Active Directory.

The management operations are performed either via the Quest ActiveRoles Server proxy service or by directly accessing directory data on domain controllers. In both cases, the ActiveRoles Management Shell provides a flexible scripting platform that can reduce the complexity of current Microsoft Visual Basic scripts. Tasks that previously required many lines in Visual Basic scripts can now be done by using as little as one line of code in the ActiveRoles Management Shell.

Installing the ActiveRoles Management Shell


Opening the ActiveRoles Management Shell

You can open the ActiveRoles Management Shell by using either of the following procedures. Each procedure loads the ActiveRoles Management Shell snap-in into Windows PowerShell. If you do not load the ActiveRoles Management Shell snap-in before you run a command (cmdlet) provided by that snap-in, you will receive an error.

To open the ActiveRoles Management Shell from the Programs menu

  • Select Start | All Programs | Quest Software | ActiveRoles Management Shell for Active Directory.

To add the ActiveRoles Management Shell snap-in from Windows PowerShell

  • Select Start | All Programs | Windows PowerShell 1.0 | Windows PowerShell.
  • At the Windows PowerShell prompt, enter the following command:
  • Add-PSSnapin Quest.ActiveRoles.ADManagement

Using the ActiveRoles Management Shell

  • Select Start | All Programs | Quest Software | ActiveRoles Management Shell for Active Directory.


Admin Guide

Quest ActiveRoles Management Shell Admin Guide

Example Command to check for inactive users in Active Directory

# Users whose last logon is older than 90 days. Accounts that have never logged on
# (LastLogon is null) are excluded here; list them separately with -eq $null if needed.
# Note: lastLogon is not replicated between DCs, so a single DC may not have seen every
# logon; the replicated LastLogonTimestamp property (up to 14 days stale) avoids that gap.
$limit = (Get-Date).AddDays(-90)
Get-QADUser -SizeLimit 0 | Where-Object { $_.LastLogon -lt $limit -and $_.LastLogon -ne $null } | Sort-Object LastLogon | Select-Object Name, SAMAccountName, LastLogon | Export-Csv C:\PATH\TO\file.csv -NoTypeInformation