Monday, 21 July 2014
Sunday, 20 July 2014
How to Perform Offline Domain Joins
Q: Is it possible to join a Windows client computer to an Active Directory (AD) domain when the client computer is located in a branch office that has only read-only domain controllers (DCs) or when no network connection is available to the central site holding read-write DCs?
A: Yes, both are possible starting with Windows 7 and Windows Server 2008 R2, thanks to the djoin.exe command-line utility. Administrators can use djoin.exe to provision a computer account in AD and export the provisioning data (the domain name and SID, the new computer account's password, and related information) to a text file. This file is then moved to the client computer, where an administrator imports it by running djoin.exe from an elevated command prompt to complete the join. The file's content can also be embedded in an unattended setup answer file to join a computer to the domain as part of the OS installation. Treat the provisioning file as a secret: anyone who obtains it can join a machine to the domain under that computer identity, so copy it over a protected channel and delete it once the join is done.
For example, suppose you want to join a Windows client computer named mywindowsclient to the AD domain mydomain.com. First, you need to create the AD computer account for mywindowsclient in mydomain.com and save the domain join data to a text file named offlinejoin.txt. This can be accomplished by running the following Djoin command from an elevated command prompt on a Windows 7 (or later) or Server 2008 R2 (or later) machine that can communicate with a read-write DC:
Djoin /provision /domain mydomain.com /machine mywindowsclient /savefile c:\offlinejoin.txt
Next, you need to join mywindowsclient to the mydomain.com domain by running the following Djoin command from an elevated command prompt on the mywindowsclient machine:
Djoin /requestODJ /loadfile c:\offlinejoin.txt /windowspath %systemroot% /localos
You must then reboot mywindowsclient. When it comes back up, it'll be joined to the domain.
Note that you can also provision a computer's AD account against DCs running Windows Server 2008 or earlier by using the /downlevel switch in the first Djoin command. For more information about offline domain joins, see TechNet's "Offline Domain Join (Djoin.exe) Step-by-Step Guide."
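The following PowerShell is an added example, not code from the original article: it wraps the two Djoin steps above in functions that check djoin's exit code, lock down the provisioning file to Administrators, delete it once consumed, and verify membership after the reboot. The domain, computer name and file path are the article's; the function names, the optional OU parameter and the -Reuse switch are assumptions.

```powershell
# Added example (not from the original article). Requires djoin.exe, so
# Windows 7 / Windows Server 2008 R2 or later; run from an elevated prompt.

function New-OfflineDomainJoinBlob {
    # Run on a machine that can reach a writable DC.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $BlobPath,
        [string] $MachineOU,   # e.g. 'OU=Branch,DC=mydomain,DC=com' (assumed)
        [switch] $Reuse        # re-provision an existing account (resets its password)
    )
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $ComputerName, '/savefile', $BlobPath)
    if ($MachineOU) { $djoinArgs += @('/machineou', $MachineOU) }
    if ($Reuse)     { $djoinArgs += '/reuse' }

    & djoin.exe @djoinArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The file contains the computer account's password. Drop inherited
    # permissions and leave only Administrators with access.
    $acl = Get-Acl -Path $BlobPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')))
    Set-Acl -Path $BlobPath -AclObject $acl
    Get-Item -Path $BlobPath
}

function Invoke-OfflineDomainJoin {
    # Run on the client itself; no DC connectivity is needed.
    param([Parameter(Mandatory)] [string] $BlobPath)
    if (-not (Test-Path -Path $BlobPath)) { throw "Provisioning file $BlobPath not found" }

    & djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

    # The secret has been consumed; don't leave it on disk until the reboot.
    Remove-Item -Path $BlobPath -Force
    'Offline join staged. Reboot to complete it.'
}

function Test-DomainMembership {
    # After the reboot: confirm membership locally and, once a DC is
    # reachable, verify the machine's secure channel with nltest.
    param([Parameter(Mandatory)] [string] $Domain)
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $Domain) { return $false }
    & nltest.exe /sc_query:$Domain | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Provisioning side:
#   New-OfflineDomainJoinBlob -Domain mydomain.com -ComputerName mywindowsclient -BlobPath C:\offlinejoin.txt
# Client side, after copying the file over a protected channel:
#   Invoke-OfflineDomainJoin -BlobPath C:\offlinejoin.txt
# After the reboot, when a DC is reachable:
#   Test-DomainMembership -Domain mydomain.com
```

Test-DomainMembership returns $false on an RODC-only site until the secure channel can be validated; the local membership check alone tells you the join itself succeeded.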
Easy Way to Protect Active Directory Objects from Being Accidentally Deleted
Q: I want to better protect our Active Directory (AD) user and computer objects against an accidental bulk deletion by an administrator. How can I easily set the Protect object from accidental deletion property for all AD user and computer objects?
A: When the Protect object from accidental deletion property is enabled for an AD object, two explicit Deny access control entries for the built-in Everyone group (Delete and Delete Subtree) are added to the object's permissions. The object can then be neither deleted nor moved until the property is cleared, regardless of who is doing it. Microsoft introduced this property in Windows Server 2008, and the GUI tools enable it by default only for newly created organizational units (OUs). When the property is set on an OU, it doesn't propagate down to the OU's child objects; it applies to the OU object only.
You can manually enable the Protect object from accidental deletion property on an AD user or computer object from the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in or the Active Directory Administrative Center GUI. Another way to enable the property is by running a Windows PowerShell command. With PowerShell, you can enable the property for many AD objects at once. For example, the following command enables it for all AD user and computer objects:
Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true
As you can see, this command uses the Get-ADObject cmdlet to get every object whose ObjectClass attribute contains the value "user"; because the computer class is derived from user, that includes all AD user and computer objects (and any other user-derived class, such as inetOrgPerson). The command then pipes those objects to the Set-ADObject cmdlet, which enables the Protect object from accidental deletion property on each of them. Get-ADObject and Set-ADObject are part of the Active Directory Module for Windows PowerShell, which is installed by default on domain controllers (DCs) running Windows Server 2012 or Windows Server 2008 R2. You can also install the module on member servers running Server 2012 or Server 2008 R2 and, as part of the Remote Server Administration Tools, on computers running Windows 8 or Windows 7.
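As an added example (not the article's own command), the script below extends the one-liner above: it targets user and computer objects explicitly, skips objects that are already protected, supports -WhatIf for a dry run, and reports anything left unprotected. It requires the ActiveDirectory module; the function names and the optional -SearchBase parameter are assumptions.

```powershell
# Added example (not from the original article). Run on a machine with the
# Active Directory Module for Windows PowerShell, as a user allowed to modify
# the objects' permissions.
Import-Module ActiveDirectory

function Protect-ADUserAndComputerObjects {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)   # assumed default: whole domain

    # (objectClass=user) also matches computers (derived from user) and other
    # user-derived classes; objectCategory narrows it to people and computers.
    $filter  = '(&(objectClass=user)(|(objectCategory=person)(objectCategory=computer)))'
    $targets = @(Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase `
                   -Properties ProtectedFromAccidentalDeletion |
                 Where-Object { -not $_.ProtectedFromAccidentalDeletion })

    foreach ($obj in $targets) {
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $true
        }
    }
    $targets.Count   # number of objects that were (or, with -WhatIf, would be) changed
}

function Get-UnprotectedADUserAndComputerObjects {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -LDAPFilter '(&(objectClass=user)(|(objectCategory=person)(objectCategory=computer)))' `
                 -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Dry run first, then apply, then confirm nothing is left unprotected.
Protect-ADUserAndComputerObjects -WhatIf
Protect-ADUserAndComputerObjects
Get-UnprotectedADUserAndComputerObjects
```

Once the flag is set, Remove-ADUser and Remove-ADComputer fail with an access-denied error; to retire an account deliberately, clear the flag first with Set-ADObject -ProtectedFromAccidentalDeletion $false and then delete it.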
Windows BranchCache Management Pack Joins the R2 Support
Microsoft has updated the BranchCache Management Pack for System Center Operations Manager 2012 to support the R2 wave of releases.
BranchCache is a Microsoft technology that caches content in branch offices to reduce WAN saturation. Available since Windows 7 and Windows Server 2008 R2, it lets local clients serve data from a local copy (on peer clients or a hosted cache server) even when the source resides at a remote location. Content is fetched once across the WAN and cached; on later requests the client first obtains the current content identifiers (hashes) from the source server and uses them to validate the cached copy, so stale or tampered cached data isn't served.
The Management Pack for BranchCache monitors and reports on potential issues, allowing admins to be proactive to ensure remote clients have accessible data. It also provides a full diagram of the BranchCache deployment, among other things.
Configuration of FTP over SSL in Microsoft IIS
Q: Does the FTP server that's included with Microsoft IIS support FTP over SSL? If it does, how can I configure it? Can I configure it to secure only the exchange of the FTP user credentials?
A: The IIS FTP server supports FTP over SSL, starting with the IIS 7.0 web server that's bundled with Windows Server 2008. To enable FTP over SSL, you should first make sure that you have a valid SSL certificate configured for your web server. You can create a self-signed certificate or obtain a certificate from your enterprise Certification Authority (CA) or from a commercial CA. You can configure an SSL certificate using the Server Certificates option that shows up in the center pane of IIS Manager when you select your web server object.
You must also allow the use of SSL when you enable the FTP protocol for your website. To enable FTP from IIS Manager, select the website and click Add FTP Publishing in the Actions pane. Next, in the Bindings and SSL Settings section, make sure that you select Allow SSL in the SSL section. Finally, in the Authentication and Authorization Information dialog box, you typically select Basic in the Authentication section, select the Specified Users option in the Allow access to drop-down list, and enter the FTP user logon account in the accompanying text box in the Authorization section.
You can then further configure FTP over SSL using IIS Manager's FTP SSL Settings feature, which you can find in the center pane, both on the web-server level and website level. This is the feature you'd use to configure IIS to secure only the FTP credential exchanges using SSL. It's important that you configure the same settings on both the web-server level and website level. If you don't do so, you'll get "conflicting TLS setting" error messages when you try to connect to your FTP site.
To change the FTP SSL Settings for your website, navigate to your website from IIS Manager and double-click FTP SSL Settings in the center pane to open the FTP SSL Settings dialog box. From the SSL Certificate list, select the certificate that you want to use for securing your FTP connections. Under SSL Policy, you can select one of the following options.
Allow SSL connections. Choose this option if you want your FTP server to support both non-SSL and SSL connections.
Require SSL connections. Select this option if you want to enforce the use of SSL encryption for all FTP communications.
Custom. Choose this option if you want to configure a different SSL policy for the FTP control and data channels. After you select it, click the Advanced button. In the Advanced SSL Policy dialog box, you can select the SSL policies. For the FTP control channel, your options are:
- Allow. Allows SSL for the control channel, meaning that SSL isn't required.
- Require. Enforces the use of SSL for the control channel.
- Require only for credentials. Requires SSL only for the credential exchange (the USER and PASS commands); after logon the client may continue on the control channel without SSL.
For the FTP data channel, your options are:
- Allow. Allows SSL for the data channel, meaning that SSL isn't required.
- Require. Enforces the use of SSL for the data channel.
- Deny. Denies the use of SSL for the data channel.
In your case, you'd select the Custom option. Then, in the Advanced SSL Policy dialog box, you'd choose Require only for credentials for the FTP control channel and Allow for the FTP data channel. Keep in mind what that policy protects: the user name and password are encrypted, but commands issued after logon, directory listings, and file contents can travel in clear text unless the client asks for protection itself (PROT P on the data channel). If the files are sensitive, choose Require for both channels instead. Remember that after you've configured these settings for your website, you must also configure the same settings for your web server.
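The following is an added example, not configuration from the original article: it applies the SSL policies described above with the IIS WebAdministration module instead of IIS Manager, writing the same values at both the server (siteDefaults) and site levels so they don't conflict, and shows the credentials-only policy beside the hardened one. The site name, the certificate subject and the function names are assumptions.

```powershell
# Added example (not from the original article). Needs the WebAdministration
# module (IIS 7.5 / Windows Server 2008 R2 or later) and an elevated prompt.
Import-Module WebAdministration

$siteName = 'Default Web Site'                       # assumed site name
$certHash = (Get-ChildItem -Path Cert:\LocalMachine\My |
             Where-Object { $_.Subject -like 'CN=ftp.mydomain.com*' } |   # assumed subject
             Select-Object -First 1).Thumbprint
if (-not $certHash) { throw 'No server certificate found for the FTP site' }

function Set-FtpSslPolicy {
    param(
        [Parameter(Mandatory)] [string] $Site,
        [Parameter(Mandatory)] [string] $CertHash,
        [Parameter(Mandatory)] [ValidateSet('SslAllow','SslRequire','SslRequireCredentialsOnly')]
        [string] $ControlChannel,
        [Parameter(Mandatory)] [ValidateSet('SslAllow','SslRequire','SslDeny')]
        [string] $DataChannel
    )
    $appHost   = 'MACHINE/WEBROOT/APPHOST'
    $serverSsl = '/system.applicationHost/sites/siteDefaults/ftpServer/security/ssl'
    $siteSsl   = "/system.applicationHost/sites/site[@name='$Site']/ftpServer/security/ssl"
    # Same values at both levels, as the article requires.
    foreach ($path in @($serverSsl, $siteSsl)) {
        Set-WebConfigurationProperty -PSPath $appHost -Filter $path -Name serverCertHash       -Value $CertHash
        Set-WebConfigurationProperty -PSPath $appHost -Filter $path -Name controlChannelPolicy -Value $ControlChannel
        Set-WebConfigurationProperty -PSPath $appHost -Filter $path -Name dataChannelPolicy    -Value $DataChannel
    }
}

function Get-FtpSslPolicy {
    param([Parameter(Mandatory)] [string] $Site)
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter "/system.applicationHost/sites/site[@name='$Site']/ftpServer/security/ssl" |
        Select-Object controlChannelPolicy, dataChannelPolicy, serverCertHash
}

# 1. The policy the question asks for: only the logon is protected. Post-logon
#    commands, listings and file contents are clear text unless the client
#    negotiates PROT P on its own.
Set-FtpSslPolicy -Site $siteName -CertHash $certHash `
    -ControlChannel SslRequireCredentialsOnly -DataChannel SslAllow

# 2. The hardened policy: TLS on both channels for every session.
Set-FtpSslPolicy -Site $siteName -CertHash $certHash `
    -ControlChannel SslRequire -DataChannel SslRequire

Get-FtpSslPolicy -Site $siteName
```

Run the script once with the policy you actually want; the two Set-FtpSslPolicy calls are shown together only to contrast the weak and the strict settings.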
System State Backup from the Command Line
Q: We want to include a server configuration backup of our Windows servers in our change management procedures. How can I start a Windows system state backup from the command line?
A: In Windows Server 2008 and later, you can use the Wbadmin.exe command-line utility to perform a system state backup. Wbadmin.exe is available only if you installed the Windows Server Backup feature on your Windows Server OS.
To perform a system state backup, you must use the following Wbadmin command syntax:
wbadmin start systemstatebackup -backuptarget:<targetDrive> -quiet
In this command, you need to replace <targetDrive> with either the local volume identifier or the drive letter of the volume that will store the system state backup. Use a volume other than the one holding the OS: on Windows Server 2008, Wbadmin rejects a critical volume (one containing operating system components) as the target unless you override that behaviour in the registry. The -quiet parameter is optional; include it if you don't want to be prompted to press Y when the backup starts.
For example, to create a system state backup with no prompts and save it to volume D, you must run:
wbadmin start systemstatebackup -backupTarget:D: -quiet
If you want to specify a local volume identifier rather than a drive letter in the above Wbadmin command, you can use the following command to get a list of your local volume identifiers:
wbadmin get disks
To view the complete syntax of the Wbadmin command, run:
wbadmin start systemstatebackup /?
To perform a system state backup with Wbadmin.exe, you must be a member of the Backup Operators group or the Administrators group. Wbadmin.exe must also be run from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt (which you can find in the Accessories folder), then click Run as administrator.
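For a change-management step you usually want the backup scripted with checks around it. The PowerShell below is an added example, not code from the original article: it refuses to back up onto the OS volume, confirms the caller is elevated and in an allowed group, runs the Wbadmin command from the text, checks its exit code, and records the resulting backup version in a log file. The target drive, log path and function name are assumptions.

```powershell
# Added example (not from the original article). Requires the Windows Server
# Backup feature (wbadmin.exe) and an elevated prompt.

function Start-SystemStateBackup {
    param(
        [Parameter(Mandatory)] [string] $TargetDrive,                 # e.g. 'D:' (assumed)
        [string] $LogPath = 'C:\ChangeLogs\systemstate.log'            # assumed log location
    )
    # Elevation / group check: Administrators or Backup Operators.
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    $allowed = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -or
               $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::BackupOperator)
    if (-not $allowed) { throw 'Run from an elevated prompt as an Administrator or Backup Operator.' }

    # Never write the system state onto the volume it is protecting.
    if ($TargetDrive.TrimEnd('\') -ieq $env:SystemDrive) {
        throw "Refusing to use the OS volume $env:SystemDrive as the backup target."
    }
    if (-not (Get-Command -Name wbadmin.exe -ErrorAction SilentlyContinue)) {
        throw 'wbadmin.exe not found; install the Windows Server Backup feature first.'
    }

    $logDir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path -Path $logDir)) { New-Item -Path $logDir -ItemType Directory | Out-Null }

    $started = Get-Date
    & wbadmin.exe start systemstatebackup "-backupTarget:$TargetDrive" -quiet 2>&1 |
        Tee-Object -FilePath $LogPath -Append
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE (see $LogPath)" }

    # The newest version on the target is the backup just taken; keep its
    # identifier with the change record so it can be restored by name later.
    $versions = & wbadmin.exe get versions "-backupTarget:$TargetDrive" 2>&1
    $latest   = ($versions | Select-String -Pattern 'Version identifier:' | Select-Object -Last 1) `
                -replace '.*Version identifier:\s*', ''
    "$($started.ToString('s')) systemstate target=$TargetDrive version=$latest" |
        Add-Content -Path $LogPath
    $latest
}

Start-SystemStateBackup -TargetDrive 'D:'
```

The returned version identifier is what wbadmin start systemstaterecovery -version:<identifier> expects, so keeping it in the change record closes the loop between the change and its rollback point.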
Saturday, 19 July 2014
How to create a new Hyper-V virtual machine
Let me show you how to add a new Windows Server 2008 R2 guest operating system on top of Hyper-V 2.0, which is part of the Windows Server 2008 R2 operating system. I have Windows Server 2008 R2 installed on my machine with the Hyper-V role installed and enabled (How to install role in Windows Server 2008), and now I'll create a new virtual machine for another Windows Server 2008 R2. If you don't have Windows Server 2008 R2 and Hyper-V but still want to use virtualization, you can use Windows Virtual PC to create virtual machines. So, let's start.
As I said, I have the Hyper-V role installed and enabled, and with it Hyper-V Manager. To open it, go through Server Manager or through Start –> Administrative Tools.
Hyper-V Manager is the central place for your virtual machines, where you can see all the virtual machines installed, as well as other options. In this example I don't have any virtual machines yet, so I'll create a new one. On the left side, right-click the name of your PC and select New –> Virtual Machine.
Another way is to use the same menu in the top right corner of Hyper-V Manager.
Now you'll get the Before You Begin window, which welcomes you and introduces the creation of a virtual machine. The only option here is not to show this window again; select it if you want. Click Next.
Now you'll see the Specify Name and Location window, where you enter the name of your virtual machine (in our example it will be Windows Server 2008 R2) and specify the location where the virtual machine will be stored.
I keep all my virtual machines on a separate partition of my hard drive. Click Next.
Next, assign memory to your virtual machine. For the OS installation I recommend giving a bit more RAM than needed, just to speed up the process. I have 4GB of RAM on my laptop; I'd normally give 512MB or 1024MB to a guest machine, but just for the installation you might want to give the guest OS 3GB. You can change this amount whenever you want (while the virtual machine is shut down).
Now we'll configure networking. In most cases you want your virtual machine to communicate with other virtual machines or with the host OS, so now you can attach a network adapter. I have two virtual networks created previously: an external one, which lets the virtual machine use the physical NIC and reach the Internet, and an internal one, which lets it communicate with the host OS and other virtual machines but not reach the Internet. If you haven't created any virtual networks, you'll only see your physical NICs; select one.
A virtual machine requires storage so that you can install an operating system. Operating systems are installed on virtual hard disk (.vhd) files, and here you have the option to create a new virtual hard disk, use an existing one (if you have it), or attach a virtual hard disk later. We'll create a new one and give it a name, a location, and a maximum size.
Now we get a window where we choose what to do about installing the operating system. We can install it later; install it now from the CD/DVD drive or from an ISO image, whichever you have prepared; install from a boot floppy disk; or install from a network-based installation server. I have Windows Server 2008 R2 burned on a DVD in drive F:, so I chose that option.
The last window is just a confirmation window showing some info about your new virtual machine.
Click Finish, and that's it. You'll now see your new virtual machine, in our example named Windows Server 2008 R2, in the list of available virtual machines.
In the next post I'll explain how to start the newly created virtual machine and install Windows Server 2008 R2 in it. Stay tuned.
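The same wizard steps can be scripted. The PowerShell below is an added example, not code from the original post: it uses the Hyper-V PowerShell module, which ships with Windows Server 2012 and later (the Hyper-V in Windows Server 2008 R2 has no built-in cmdlets), to create the VM with a generous install-time memory size, a new .vhd on a separate volume, a network connection, and the install media as the first boot device. The VM root path, the virtual switch name, the ISO path, the sizes and the function names are assumptions.

```powershell
# Added example (not from the original post). Requires the Hyper-V module
# (Windows Server 2012 or later) and an elevated prompt.
Import-Module Hyper-V

$vmName  = 'Windows Server 2008 R2'
$vmRoot  = 'E:\VMs'                  # separate partition, as in the post (assumed path)
$switch  = 'External'                # existing virtual switch (assumed name)
$isoPath = 'E:\ISO\WS2008R2.iso'     # install media (assumed path)

function New-LabVM {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $SwitchName,
        [Parameter(Mandatory)] [string] $InstallMedia,
        [long] $InstallMemory = 3GB,   # generous for setup, as the post suggests
        [long] $DiskSize      = 60GB
    )
    if (Get-VM -Name $Name -ErrorAction SilentlyContinue) { throw "VM '$Name' already exists" }
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        throw "No virtual switch named '$SwitchName'"
    }
    if (-not (Test-Path -Path $InstallMedia)) { throw "Install media $InstallMedia not found" }

    # New VM with a new dynamically expanding .vhd (VHD format, matching the post)
    # and one network adapter connected to the chosen switch.
    $vhd = Join-Path -Path $Root -ChildPath "$Name\$Name.vhd"
    $vm  = New-VM -Name $Name -Path $Root -MemoryStartupBytes $InstallMemory `
                  -NewVHDPath $vhd -NewVHDSizeBytes $DiskSize -SwitchName $SwitchName

    # Attach the ISO as a DVD and make the DVD the first boot device.
    Add-VMDvdDrive -VMName $Name -Path $InstallMedia
    Set-VMBios -VMName $Name -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')
    $vm
}

function Set-LabVMRunMemory {
    # After setup: shut the VM down and trim memory to what it needs day to day.
    param([Parameter(Mandatory)] [string] $Name, [long] $RunMemory = 1GB)
    if ((Get-VM -Name $Name).State -ne 'Off') { throw "Shut down '$Name' before changing its memory" }
    Set-VM -Name $Name -MemoryStartupBytes $RunMemory
}

New-LabVM -Name $vmName -Root $vmRoot -SwitchName $switch -InstallMedia $isoPath
Get-VM -Name $vmName | Select-Object Name, State, MemoryStartup, Path
# Later, once the guest is installed and powered off:
#   Set-LabVMRunMemory -Name $vmName -RunMemory 1GB
```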
How to upgrade from Windows Server 2008 to Windows Server 2008 R2 with Hyper-V
Basically, there are three possible methods to do this:
- Perform an in-place upgrade of the parent partition from Windows Server 2008 to Windows Server 2008 R2.
- Migrate to another server: Export a virtual machine from a Windows Server 2008 server that has Hyper-V enabled, and then import it to a server that has Windows Server 2008 R2 with Hyper-V enabled.
- Back up and restore to a new server: using backup software that supports the Hyper-V VSS writer, back up a virtual machine running on Windows Server 2008, then restore it on Windows Server 2008 R2.
How to promote Windows Server 2008 R2 machine to domain controller – step-by-step guide
First we'll start the program called dcpromo. Go to Start, type dcpromo in the search field, and open it.
You'll have to wait a few minutes, and then you'll see "Welcome to the Active Directory Domain Services Installation Wizard". Click Next twice.
Choose Create a new domain in a new forest and enter the fully qualified DNS name of your domain. In my example I used virtual.local.
As the forest functional level I chose Windows Server 2008 R2. The Details panel describes each forest functional level, so you can decide which one is best for you.
Initially my virtual machine had a dynamically assigned IP address, and since I was installing the DNS server role on it, dcpromo warned that a DNS server should have a static IP address. If you're in the same situation, I recommend assigning one before continuing.
In this step you choose where to store the database, log files and SYSVOL. It's recommended to put the database and log files on separate volumes.
Enter the Directory Services Restore Mode (DSRM) administrator password. This is not the domain Administrator password: it's the local password you'll need to log on when the DC is booted into DSRM for recovery, so record it somewhere safe.
At the end, you need to restart the server.
After the restart, we can log on to the domain as Administrator.
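The same promotion can be done unattended, which is useful for lab rebuilds. The PowerShell below is an added example, not code from the original post: it assigns the static address dcpromo recommends, writes a dcpromo answer file with the choices made above (new forest virtual.local, Windows Server 2008 R2 functional level, DNS installed, database and logs on separate volumes), runs dcpromo /unattend, removes the answer file because it holds the DSRM password in clear text, and then reboots. The interface name, addresses, NetBIOS name, database/log paths and the password prompting are assumptions.

```powershell
# Added example (not from the original post). For Windows Server 2008 R2,
# where dcpromo.exe is the promotion tool; run from an elevated prompt.

$ifName  = 'Local Area Connection'   # assumed adapter name
$ip      = '192.168.10.10'           # assumed static address for the DC/DNS server
$gateway = '192.168.10.1'

# A DNS server (and so a DC) needs a fixed address; point it at itself for DNS.
netsh interface ip set address "name=$ifName" source=static addr=$ip mask=255.255.255.0 gateway=$gateway gwmetric=1
netsh interface ip set dns "name=$ifName" source=static addr=$ip

# Prompt for the DSRM password instead of hard-coding it. The answer file still
# carries it in clear text, so it is deleted as soon as dcpromo has run.
$dsrm  = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))

$answerFile = Join-Path -Path $env:TEMP -ChildPath 'dcpromo.txt'
@"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=virtual.local
DomainNetbiosName=VIRTUAL
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath=D:\NTDS
LogPath=E:\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    & dcpromo.exe /unattend:$answerFile
    if ($LASTEXITCODE -ne 0) {
        throw "dcpromo exited with code $LASTEXITCODE; see $env:SystemRoot\debug\dcpromo.log"
    }
}
finally {
    # Clean-text DSRM password: remove it whether or not the promotion succeeded.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    $plain = $null
}

# RebootOnCompletion=No so the answer file is removed first; reboot now.
Restart-Computer -Force
```

ForestLevel and DomainLevel 4 correspond to Windows Server 2008 R2 (3 is Windows Server 2008, 2 is Windows Server 2003), matching the level chosen in the wizard above.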