Windows Updates can be run from a standard batch script using wusa.exe, the Windows Update Standalone Installer, which installs the update packages you specify. wusa lives inside the Windows directory (%WINDIR%\SysNative, to be exact). To run it, specify the path to the package you’d like to install. In this case, I’ve mapped a drive to my updates and placed each in a directory named after the update ID. To install, just run wusa with the path to the .msu file:
To then uninstall the package (if you dare), use the /uninstall option. In this command, you don’t need to provide the path, only the kb number, along with the /kb option:
wusa.exe /uninstall /kb:2862152 /quiet /norestart
The package then installs. If needed, you will have to reboot the system. You can also pass /warnrestart, which prompts to restart, or /forcerestart, which restarts the system automatically without any warning.
Packages can also be installed before a computer boots, in Windows 7 and 8, using the DISM.exe command with the /Add-Package option along with the Windows Automated Installation Kit.
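The mapped-drive layout described above, scripted in PowerShell as an added example (not the original post’s batch script): it walks the update share, checks each package’s Authenticode signature before handing it to wusa, and interprets the exit codes so a reboot is only requested once at the end. The share path U:\updates is an assumption.

```powershell
# Added example: install every .msu under an update share with wusa.exe.
# Assumed layout: U:\updates\<update ID>\<package>.msu on a mapped drive.
$UpdateRoot = 'U:\updates'

# SysNative only exists as a redirector for 32-bit processes on 64-bit Windows;
# a 64-bit PowerShell host reaches the same binary through System32.
$Wusa = Join-Path $env:WINDIR 'SysNative\wusa.exe'
if (-not (Test-Path $Wusa)) { $Wusa = Join-Path $env:WINDIR 'System32\wusa.exe' }

$script:RebootNeeded = $false
Get-ChildItem -Path $UpdateRoot -Filter *.msu -Recurse | ForEach-Object {
    $pkg = $_.FullName
    # Supply-chain check: refuse packages that are not validly signed by Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $pkg
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "Skipping $pkg : signature status $($sig.Status)"
        return   # acts as 'continue' inside ForEach-Object
    }
    $p = Start-Process -FilePath $Wusa -ArgumentList "`"$pkg`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0           { Write-Host "Installed: $pkg" }
        3010        { Write-Host "Installed, reboot required: $pkg"      # ERROR_SUCCESS_REBOOT_REQUIRED
                      $script:RebootNeeded = $true }
        2359302     { Write-Host "Already installed: $pkg" }             # WU_S_ALREADY_INSTALLED (0x240006)
        -2145124329 { Write-Warning "Not applicable to this system: $pkg" }  # WU_E_NOT_APPLICABLE (0x80240017)
        default     { Write-Warning "wusa returned $($p.ExitCode) for $pkg" }
    }
}
if ($script:RebootNeeded) {
    Write-Host 'One or more updates need a restart; run Restart-Computer when convenient.'
}
```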
krypted November 29th, 2013
When working on mail flow issues, one of the first troubleshooting steps with any mail server is to telnet to port 25 of the server. Exchange has an error, 530, that says the SMTP connection wasn’t authenticated. If you’re trying to relay through an Exchange server, that’s a good thing, as you wouldn’t want an open relay. However, if you’re trying to relay to an Exchange server, that’s not such a good thing. So let’s look at what this symptom looks like. First we telnet to port 25 of the server:
telnet exchange.krypted.com 25
Which shows the following:
Then we say hi:
And because the laws of robotics tell it to do so, the server says hi back:
250 exchange.krypted.com Hello
Then we try and relay to it:
And we get this error at some point in our smtp communication:
530 5.7.1 Client was not authenticated
Now, at this point we should look at the receive connector for Exchange, part of Hub Transport. To do so, open Exchange System Manager or Exchange Management Console and select Hub Transport under the Server Configuration section.
Here, locate your default receive connector (don’t do this on a send connector or you will create an open relay), right click it and then click on Properties.
At the Properties dialog, check the box for Anonymous users. This allows another mail server to communicate with yours over SMTP, since that other server is basically just running through the same message dialog we worked through earlier while telnetted into the host. Click Apply to save the changes and, for giggles, go ahead and stop (disable) and start (enable) the connector.
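The telnet conversation above, scripted so the connector can be checked before and after the change. This is an added example, not part of the original post; the server name exchange.krypted.com is taken from the post, and the sender and recipient addresses are assumptions.

```powershell
# Added example: replay the SMTP dialog from the post and report the reply to RCPT TO.
function Test-SmtpSubmission {
    param(
        [string]$Server = 'exchange.krypted.com',
        [int]$Port = 25,
        [string]$From = 'test@example.net',      # assumed sender
        [string]$To = 'user@krypted.com'         # assumed local recipient
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # SMTP replies can span several lines ("250-..."); the final line has a space after the code.
    function Read-Reply {
        do { $line = $reader.ReadLine(); Write-Host "<- $line" } while ($line -match '^\d{3}-')
        return $line
    }
    function Send-Command([string]$cmd) { Write-Host "-> $cmd"; $writer.WriteLine($cmd); Read-Reply }

    $result = [ordered]@{}
    try {
        Read-Reply | Out-Null                                  # 220 banner
        Send-Command 'EHLO probe.example.net' | Out-Null       # server says hello back (250)
        Send-Command "MAIL FROM:<$From>" | Out-Null
        $rcpt = Send-Command "RCPT TO:<$To>"                   # 530 5.7.1 shows up here when anonymous is off
        Send-Command 'QUIT' | Out-Null
        $result.Code     = $rcpt.Substring(0, 3)
        $result.Accepted = ($result.Code -eq '250')
        $result.Reply    = $rcpt
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Run before and after ticking "Anonymous users" on the receive connector.
Test-SmtpSubmission
```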
krypted October 9th, 2013
When you are creating a bunch of Server 2012 Virtual Machines (or physical machines for that matter) it is helpful to programmatically change their names. To do so, use the Rename-Computer PowerShell cmdlet followed by the name you want the computer to have, as follows (assuming a name of 2012.krypted.com):
Before you do anything else (e.g. bind to AD) you should then reboot the host, using the Restart-Computer cmdlet:
krypted October 8th, 2013
Scripting user creation in Windows Server is something we’ve long done using LDIF files; however, when building a system that creates users in more of a one-off capacity it’s pretty easy to script the creation process using PowerShell, piping information in from other solutions. To create a user, use the New-ADUser cmdlet.
I’ve found that we usually need to populate this with a few pieces of information, including the account name (SamAccountName), the password (AccountPassword), the full name (Name), enabling the account (Enabled), setting the password not to expire (PasswordNeverExpires) and forcing the user to change their password when they log on (ChangePasswordAtLogon). Respectively, the following example would create user cedge with a password of mypassword (entered at the prompt), a name of Charles Edge, enabling the account, allowing the password to expire and forcing me to change my password the first time I log in:
New-ADUser -SamAccountName cedge -AccountPassword (Read-Host "Set user password" -AsSecureString) -Name "Charles Edge" -Enabled $true -PasswordNeverExpires $false -ChangePasswordAtLogon $true
Once created, the account likely needs to be made a member of some groups. At this point, we’ll need to identify the user by CN (so if the user is in a specific OU, that would need to be included in the -Identity parameter). Because namespace collisions can happen, you’ll need to provide the full distinguished name of both the user (using the -Identity parameter) and the group (using the -MemberOf parameter). Let’s say I’m going to add the account I just created, which is in Users of krypted.com, to the Enterprise Admins group of the same domain; that would look like this:
Add-ADPrincipalGroupMembership -Identity "CN=cedge,CN=Users,DC=krypted,DC=com" -MemberOf "CN=Enterprise Admins,CN=Users,DC=krypted,DC=com","CN=Domain Admins,CN=Users,DC=krypted,DC=com"
Overall, it’s pretty easy to call these cmdlets from other scripts, so for example, if you wanted to build a system that allowed an HR professional to enter a username and password for a user then create their account in AD, Google Apps and a few other solutions, this would make for the first step, piping that account name and password into each.
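The pipeline-driven version of the two cmdlets above, as an added example rather than the post’s own script: it takes account rows from a constructed CSV, refuses sAMAccountName collisions, and resolves group DNs with Get-ADGroup instead of hard-coding them. The domain krypted.com comes from the post; the Helpdesk group and the sample password are assumptions.

```powershell
# Added example: provision AD users from pipeline input with collision and group checks.
Import-Module ActiveDirectory

# Constructed sample input; in practice this would be piped in from HR tooling.
$rows = @'
SamAccountName,Name,Password,Groups
cedge,Charles Edge,Temp-P@ssw0rd-1,Helpdesk
'@ | ConvertFrom-Csv

$Domain = 'DC=krypted,DC=com'
$UserOU = "CN=Users,$Domain"

function New-ProvisionedUser {
    param([string]$Sam, [string]$Name, [string]$PlainPassword, [string[]]$Groups)

    # Namespace collision check: sAMAccountName must be unique in the domain.
    if (Get-ADUser -Filter "SamAccountName -eq '$Sam'" -ErrorAction SilentlyContinue) {
        Write-Warning "$Sam already exists; skipping"
        return
    }
    $secure = ConvertTo-SecureString $PlainPassword -AsPlainText -Force
    $user = New-ADUser -SamAccountName $Sam -Name $Name -AccountPassword $secure `
        -Enabled $true -PasswordNeverExpires $false -ChangePasswordAtLogon $true `
        -Path $UserOU -PassThru

    foreach ($g in $Groups) {
        # Resolve the group's DN so the script does not break when the group is moved.
        $group = Get-ADGroup -Filter "Name -eq '$g'"
        if (-not $group) { Write-Warning "Group $g not found; $Sam not added"; continue }
        Add-ADPrincipalGroupMembership -Identity $user.DistinguishedName -MemberOf $group.DistinguishedName
    }
    $user
}

$rows | ForEach-Object {
    New-ProvisionedUser -Sam $_.SamAccountName -Name $_.Name `
        -PlainPassword $_.Password -Groups ($_.Groups -split ';')
}
```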
krypted October 4th, 2013
Posted In: Windows Server
When we transfer certain amounts of data in a packet, we might cause that packet to fragment. The fewer fragmentations (and the fewer collisions or re-sent packets), the more efficient network traffic can be. The MTU defines the packet size, and different types of data or network links respond differently. To change the MTU on a Windows Server we’re going to use the netsh command. First, we’re going to use ping against a host on our network with -f (set the Don’t Fragment flag) and -l, which lets us define the size of the packet to test. In this case we’re going to use 1500:
ping krypted.com -f -l 1500
We should get an error:
Packet needs to be fragmented but DF set.
Now, let’s try a smaller size:
ping krypted.com -f -l 1464
Now, let’s look at the interfaces along with what the current MTU is on each:
netsh interface ipv4 show interfaces
Then, let’s make the MTU 1464 persistently, passing in quotes the Idx number (from the command above) of the interface to change:
netsh interface ipv4 set subinterface "10" mtu=1464 store=persistent
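The manual ping -f -l search above, automated as an added example (not from the original post): a binary search finds the largest payload that passes with DF set, the path MTU is derived by adding the 20-byte IP and 8-byte ICMP headers, and the same netsh command then applies it. The target krypted.com is from the post; the starting bounds are assumptions.

```powershell
# Added example: discover the path MTU with ping -f -l and apply it with netsh.
function Test-PingPasses([string]$HostName, [int]$Size) {
    $out = & ping.exe -n 1 -f -l $Size $HostName 2>&1 | Out-String
    # A real reply that is not "needs to be fragmented" counts as a pass; timeouts and
    # unreachable hosts count as failures so they do not inflate the result.
    ($out -match 'Reply from') -and ($out -notmatch 'needs to be fragmented')
}

function Find-PathMtu {
    param([string]$HostName = 'krypted.com', [int]$Low = 548, [int]$High = 1472)
    if (-not (Test-PingPasses $HostName $Low)) {
        throw "Even a $Low-byte payload fails; host unreachable or MTU unusually small"
    }
    if (Test-PingPasses $HostName $High) { $Low = $High }   # upper bound already passes
    # Invariant: $Low passes, $High fails (or equals $Low).
    while ($High - $Low -gt 1) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        if (Test-PingPasses $HostName $mid) { $Low = $mid } else { $High = $mid }
    }
    # ping's -l is the ICMP payload; the wire MTU adds 20 (IP) + 8 (ICMP) bytes.
    [pscustomobject]@{ Payload = $Low; PathMtu = $Low + 28 }
}

function Set-InterfaceMtu {
    param([Parameter(Mandatory)][int]$InterfaceIndex, [Parameter(Mandatory)][int]$Mtu)
    # Same change the post makes, keyed on the Idx column of 'netsh interface ipv4 show interfaces'.
    & netsh.exe interface ipv4 set subinterface "$InterfaceIndex" mtu=$Mtu store=persistent
}

$probe = Find-PathMtu -HostName 'krypted.com'
"Largest unfragmented payload: $($probe.Payload); path MTU: $($probe.PathMtu)"
# Then, with the Idx of the interface to change (10 in the post):
# Set-InterfaceMtu -InterfaceIndex 10 -Mtu $probe.PathMtu
```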
krypted September 17th, 2013
The Cipher tool can overwrite deleted data in much the same way the Secure Empty Trash or Secure Erase options work in OS X. To do so, use the cipher command along with the /w switch while all programs on the system are quit.
Then, from a command prompt, use the /w switch followed by : and then the path to the location you’d like to overwrite. For example, if you deleted a folder from the c:\MYAPPDATA folder, you would use the following to overwrite data not allocated to files or folders:
cipher /w:c:\MYAPPDATA
Note: The cipher command permanently removes deleted data and so takes a while, depending on the amount of free space you’re overwriting.
krypted September 16th, 2013
Posted In: Windows Server
Installing Active Directory services is arguably one of the first things done on many a Windows Server. And for well over a decade you could unbox, update, run dcpromo and be done with much of that. While the wizards are still there, in the case of Windows Server 2012, the process has changed ever-so-slightly. To install a domain controller in Windows Server 2012, start with Server Manager. This new tool is the place where you start many a process in a Windows Server now, and Active Directory is no different.
To get started, first open Server Manager.
From Server Manager, click on the Manage menu and select Add Roles and Features. At the Before you begin screen in the Add Roles and Features Wizard, click on Next.
At the Installation Type screen, choose Role-based or feature-based installation and click Next.
At the Server Selection screen, choose the server you’d like to install the Active Directory role on and then click Next. If you only have one server then you should only have one listing here.
There are a number of Roles a domain controller can have. For many environments, a simple Domain Services role will be sufficient, especially on the first 2012 server in the environment. To select this, at the Server Roles screen, choose Active Directory Domain Services and then click on Next.
A sanity check will run to verify all the required Features and other Roles are installed. If not, you’ll be presented with a list of items that will be installed in support of the Role being deployed. Click Add Features for most environments, unless you have the tools to manage the Role installed elsewhere.
Back at the Server Roles screen, click Next, unless you’d like to install other Roles as well.
At the Features screen, click Next, unless you’d like to install other features as well.
At the AD DS screen, click Next.
At the Confirmation screen, click Install. You can also tell the server to restart automatically here, so do that as well.
Once the installation is complete, you’ll see a yellow icon indicating that something needs to happen with the server. The menu that appears contains a link to promote the server to a domain controller. Click the link to bring up the Deployment Configuration wizard.
At the Deployment Configuration screen of the wizard you can choose whether to add the domain controller to an existing domain or create a new forest. In this case, we’ll select the “Add a new forest” option. When highlighted, you will be able to provide a name for the domain. Here we use krypted.com. Once the name is provided, click Next.
At the Domain Controller Options screen, choose whether the server will be an AD Integrated DNS Server, a Global Catalog server, possibly a Read only domain controller and provide a Directory Services Restore Mode (DSRM) password used to restore the environment in case it fails. Also, choose the functional level of both the domain and forest. Because this is a new environment with no 2003 to 2008 servers we will leave the levels set to Windows Server 2012. Click Next when you’re satisfied with your entries.
If you decided to enable DNS, you will have the option to also install DNS delegation which you should do if possible, in most environments. Click Next.
At the Additional Options screen, provide a NetBIOS name. This is usually a rendition of the same domain name in 8 characters or fewer, often used in legacy tools or prepended to usernames and passwords when namespace collisions occur with account names. When you’ve provided the name, click Next.
At the Paths screen, indicate where you want the directories that contain the Active Directory files stored. Most environments can leave these to the default settings and click Next.
At the Review Options screen, click Next provided that all of the options match the information you provided/desire.
At the Installation screen, click Install and watch the Progress (takes a minute or three usually to complete).
Once completed, open the Tools menu in Server Manager to see the tools formerly available in the Administrative Tools section of the Start menu, including Active Directory Domains and Trusts, Active Directory PowerShell, Active Directory Sites and Services and Active Directory Users and Computers, which mostly look like they’ve looked for a long time (but with a pretty blue frame around the screen).
Additionally, there’s an Active Directory Administrative Center, which provides quick and easy access to a number of features from other tools and allows you to change domain controllers, raise the domain/forest functional levels (useful when upgrading from previous incantations of Active Directory), etc.
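The same forest build as the wizard walk-through above, run from PowerShell with the ADDSDeployment module. This is an added example, not part of the original post: the domain krypted.com and the Windows Server 2012 functional levels come from the post, while the NetBIOS name KRYPTED and the default paths are assumptions, and the DSRM password is prompted for rather than stored in the script.

```powershell
# Added example: unattended equivalent of the Add Roles wizard plus the promotion wizard.

# Server Roles screen + "Add Features" prompt: the AD DS role and its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Domain Controller Options screen: the DSRM password, prompted rather than hard-coded.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Prerequisite check only (no changes), mirroring the wizard's review step.
Test-ADDSForestInstallation -DomainName 'krypted.com' -DomainNetbiosName 'KRYPTED' `
    -SafeModeAdministratorPassword $dsrm -InstallDns

# Deployment Configuration ("Add a new forest") through Paths, in one call.
Install-ADDSForest `
    -DomainName 'krypted.com' `
    -DomainNetbiosName 'KRYPTED' `
    -ForestMode 'Win2012' -DomainMode 'Win2012' `
    -InstallDns `
    -CreateDnsDelegation:$false `        # set to $true where the parent DNS zone is reachable
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion:$false `       # the wizard restarts automatically; so does this
    -Force                               # suppress the confirmation prompt
```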
krypted August 12th, 2013
Windows Server has a role that it can run in SMTP. Exchange and other services use this role to relay mail. There is a type of attack against a mail server that revolves around effectively performing a Denial of Service (DoS) against Exchange by sending massive quantities of mail to the server and forcing it to send Non Delivery Reports (NDRs) from the mail you’ve sent the server. This is known as an NDR Flood Attack. You can also leverage what’s known as a Directory Harvest Attack to get a server to respond to each possible combination of characters for addresses on domains running on an Exchange server. A Directory Harvest Attack then ends up giving spammers information about what email addresses they can spam on your server.
Not to get off the point, but unless you can DoS a box with one or two packets only I don’t consider a DoS attack hacking. Really, it’s just brute force. It’s lame and there’s nothing scientific or interesting about it. Unless of course, you wrote some really cool botnet and it’s your bot farm DoSing some evil something-or-other. But I digress…
So one way that Microsoft has come up with to combat these types of automated attacks against their servers is to make SMTP “sticky”. Basically, you put a few seconds worth of delay in your response to a request. At 5 seconds, legitimate mail servers won’t even notice. But if someone is trying to flood you with massive quantities of junk traffic over port 25 they’re going to have a far less interesting time of doing so.
To enable the SMTP tar pit feature in Exchange/Windows Server, back up the registry and then locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters subkey. There, create a new DWORD value and call it TarpitTime. Enter a decimal value of 5 to make the sticky time 5 seconds (the value is in seconds). Once done, save and restart SMTP:
net stop smtpsvc
net start smtpsvc
And voilà, you’re joining the good fight against evil spammers. Sleep better tonight!
Note: You get extra credit if you thought “it is soooooo 90s to allow SMTP traffic on any network you control! Do you worship Jeremy Piven’s character from PCU or what?!?!”
Note2: You get double extra credit if you happened to step in tar at the La Brea Tarpits while reading this article as I thought about writing it when almost stepping in some tar at the very same place.
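The registry change described above, scripted as an added example (not from the original post): it exports the SMTPSVC key first so the change can be reverted, sets TarpitTime idempotently, and restarts the service. The registry path and the 5-second value are from the post; the backup location C:\Backup is an assumption.

```powershell
# Added example: enable the SMTP tar pit with a backup, a before/after readout and a restart.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'
$Seconds = 5   # delay in seconds; 5 is unnoticeable to legitimate servers

function Get-TarpitTime {
    # Returns $null when the value has never been set.
    (Get-ItemProperty -Path $KeyPath -Name TarpitTime -ErrorAction SilentlyContinue).TarpitTime
}

if (-not (Test-Path $KeyPath)) { throw 'SMTPSVC parameters key not found; is the SMTP role installed?' }

# Backup: export the whole service key so 'reg import C:\Backup\smtpsvc.reg' restores it.
New-Item -ItemType Directory -Path 'C:\Backup' -Force | Out-Null
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC' 'C:\Backup\smtpsvc.reg' /y | Out-Null

Write-Host "TarpitTime before: $(Get-TarpitTime)"

# -Force overwrites an existing value, so re-running the script is harmless.
New-ItemProperty -Path $KeyPath -Name TarpitTime -PropertyType DWord -Value $Seconds -Force | Out-Null
Write-Host "TarpitTime after:  $(Get-TarpitTime) second(s)"

# The value is read at service start (the post's net stop / net start).
Restart-Service -Name smtpsvc
```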
krypted June 27th, 2013
Sometimes you need to boot a system into Safe Mode. But with a virtual machine you don’t have enough time to put a Windows system into Safe Mode. To put a normal system into Safe Mode, you can just hit the F8 key while Windows is booting. But with a virtual machine the BIOS screen is by default set to go away in 0 seconds. Therefore, you need to add a boot delay to mimic a physical host. To give a virtual machine in ESX such a boot delay, view all the virtual machines and then right click on the virtual machine you need to configure a delay for.
Next, click on Edit Settings and then click on the Options tab. There, click on Boot Options. At the Boot Options screen, set the Power-on Boot Delay to 5000ms, which will give you a 5 second delay. With that 5 second delay you will be able to click on a booting virtual machine and then press the F8 key. From here, open the console window for the virtual machine and start the boot process.
krypted June 8th, 2013
Posted In: Microsoft Exchange Server
Out of the box a Windows Server 2012 isn’t really that helpful. But luckily, it has these things called Roles. Roles are things like Hyper-V, File Sharing, Windows Update Services, Web Server, etc. Each role then has a collection of services that it can run as well, within the Role. Roles include (borrowing from Microsoft here):
To add a Role is a pretty straight forward process. To get started, open Server Manager and click on the Dashboard. From the Dashboard, click on the Manage menu and click on Add Roles and Features.
At the Add Roles and Features Wizard click on Next at the Before You Begin Screen.
At the Installation Type screen, click on Role-based or Feature-based Installation, unless you are installing Remote Desktop Services (formerly called Terminal Services), then click on that radio button instead.
At the Server Selection screen, click on the server you’d like to install the role on and then click on Next.
At the Add Roles or Features screen, choose the role you’d like to install.
If there are any requirements to use the service, you’ll then be notified that those requirements exist. I usually leave the Include management tools (if applicable) box checked the first time I install a role and click on Add Features.
If any issues are encountered, you’ll then be alerted that there was a problem. If you’d like to correct the issue, click cancel, correct the issue and then rerun the tool. Or if you’d like to proceed anyway, click Continue.
Back at the Server Roles screen, the box will then be checked. Click on Next. At the Features screen, you can add a feature, although in this case we won’t be doing so. Then, click Next.
At the screen for the role you just selected, read the information, then click Next.
At the Confirmation screen, click Install. Optionally, you can also choose whether to reboot the server when the service is finished installing.
Once installed, click Close. Also, at this screen, you can export the configuration settings for the service for future use.
That’s it. You’ve now installed DNS services in Windows Server (or whatever service you are setting up). The services still need to be configured, but the initial install should now be complete!
krypted June 6th, 2013
Posted In: Windows Server