krypted.com

Tiny Deathstars of Foulness

Windows Updates can be run using a standard batch script. The command that runs the updates you specify is wusa.exe, which is nested inside the Windows directory (%WINDIR%\SysNative to be exact). To run it, specify the path to the package you'd like to install. In this case, I've mapped a drive to my updates, and placed each in a directory named after the update ID. To install, just run wusa.exe with the path to the .msu file:

    wusa.exe U:\2862152\Windows8.0-KB2862152-x86.msu

To then uninstall the package (if you dare), use the /uninstall option. In this command, you don't need to provide the path, only the KB number, along with the /kb option:

    wusa.exe /uninstall /kb:2862152 /quiet /norestart

The package then completes. If needed, you will have to reboot the system. You can also indicate /warnrestart, which prompts to restart, or /forcerestart, which automatically restarts the system without any warning. Packages can also be installed before a computer boots in 7 and 8 using the DISM.exe command with the /Add-Package option along with the Windows Automated Installation Kit.
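The same batch install as a PowerShell script, added here as an example and not taken from the original post: it walks a share laid out one KB per directory (as the post describes), checks each .msu's Authenticode signature before handing it to wusa.exe, classifies the exit code, and cross-checks the result with Get-HotFix. The drive letter, the folder layout and the assumption that every .msu is signed so Get-AuthenticodeSignature can validate it are all assumptions of the example.

```powershell
# Added example (not from the original post): install every .msu under an
# updates share, one KB per directory, and verify each result.
# Assumptions: $UpdateRoot is a mapped drive laid out as <root>\<KB>\<file>.msu,
# and each .msu carries an Authenticode signature that can be validated.
param(
    [string]$UpdateRoot = 'U:\'   # placeholder; the post maps updates to U:
)

# wusa.exe exit codes worth recognising; anything else is reported as a failure.
$WusaResult = @{
    0       = 'installed'
    3010    = 'installed, reboot required'   # ERROR_SUCCESS_REBOOT_REQUIRED
    2359302 = 'already installed'            # 0x240006 WU_S_ALREADY_INSTALLED
}

function Install-MsuTree {
    param([string]$Root)
    $needReboot = $false
    foreach ($msu in Get-ChildItem -Path $Root -Recurse -Filter '*.msu') {
        # Refuse anything that is not signed by a trusted publisher before
        # handing it to a privileged installer.
        $sig = Get-AuthenticodeSignature -FilePath $msu.FullName
        if ($sig.Status -ne 'Valid') {
            Write-Warning "$($msu.Name): signature status $($sig.Status), skipping"
            continue
        }
        # Quiet, no automatic reboot; we decide about the reboot at the end.
        $proc = Start-Process -FilePath 'wusa.exe' `
            -ArgumentList @("`"$($msu.FullName)`"", '/quiet', '/norestart') `
            -Wait -PassThru
        $code = $proc.ExitCode
        $what = if ($WusaResult.ContainsKey($code)) { $WusaResult[$code] } else { "failed (exit code $code)" }
        Write-Output "$($msu.Name): $what"
        if ($code -eq 3010) { $needReboot = $true }

        # Cross-check against the installed hotfix list; the directory name is the KB number.
        $kb = 'KB' + $msu.Directory.Name
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
            Write-Warning "$kb not reported by Get-HotFix after install"
        }
    }
    return $needReboot
}

if (Install-MsuTree -Root $UpdateRoot) {
    Write-Output 'One or more updates require a restart: run Restart-Computer when convenient.'
}
```

Run it from an elevated PowerShell session; the signature check is the part worth keeping even if you drop the rest, since wusa.exe runs whatever it is handed with full privileges.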

November 29th, 2013

Posted In: Windows Server, Windows XP


When working on mail flow issues, one of the first troubleshooting steps with any mail server is to try and telnet into port 25 of the server. Exchange has an error, 530, that says that the SMTP connection wasn't authenticated. If you're trying to relay through an Exchange server, that's a good thing, as you wouldn't want an open relay. However, if you're trying to relay to an Exchange server, that's not such a good thing. So let's look at what this symptom looks like. First we try and telnet into port 25 of the server:

    telnet exchange.krypted.com 25

Which shows the following:

    220 exchange.krypted.com

Then we say hi:

    Helo

And because the laws of robotics tell it to do so, the server says hi back:

    250 exchange.krypted.com Hello

Then we try and relay to it:

    mail from:krypted@me.com

And we get this error at some point in our SMTP communication:

    530 5.7.1 Client was not authenticated

Now, at this point we should look at the receive connector for Exchange, part of Hub Transport. To do so, open Exchange System Manager or Exchange Management Console and select Hub Transport under the Server Configuration section. Here, locate your default receive connector (don't do this on a send connector or you will create an open relay), right click it and then click on Properties. At the Properties dialog, check the box for Anonymous users. This allows another mail server to communicate with yours over SMTP, since that other server is basically just running through the message dialog we worked through earlier while telnetted into the host. Click Apply to save the changes and, for giggles, go ahead and stop (disable) and start (enable) the connector.
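The telnet dialogue above, replayed from a script so the symptom can be checked repeatably, followed by the Exchange Management Shell view of the same receive connector setting. This is an added example, not code from the original post: the server name and addresses are the post's placeholders, the HELO name is constructed, and the "Default *" connector name filter and the string form of the PermissionGroups value are assumptions.

```powershell
# Added example (not from the original post): replay the SMTP dialogue from
# the post and report where the server stops us, then show and change the
# receive connector permission groups from the Exchange Management Shell.
# Assumptions: server and addresses are placeholders; the default connector
# is named "Default <server>" as Exchange creates it.

function Test-SmtpAccept {
    param(
        [string]$Server,
        [string]$From,
        [string]$To,
        [int]$Port = 25
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # Read a (possibly multi-line) SMTP reply; continuation lines use "NNN-",
    # the final line "NNN ".
    function Read-Reply {
        do { $line = $reader.ReadLine(); Write-Verbose "S: $line" } while ($line -match '^\d{3}-')
        return $line
    }

    $transcript = @()
    $transcript += Read-Reply                       # 220 banner
    foreach ($cmd in @('HELO probe.example.test', "MAIL FROM:<$From>", "RCPT TO:<$To>")) {
        Write-Verbose "C: $cmd"
        $writer.WriteLine($cmd)
        $reply = Read-Reply
        $transcript += "$cmd -> $reply"
        # A 4xx/5xx reply ends the test; "530 5.7.1 Client was not authenticated"
        # is the symptom described in the post.
        if ($reply -match '^[45]\d\d') { break }
    }
    $writer.WriteLine('QUIT'); $null = Read-Reply
    $client.Close()
    return $transcript
}

# Example run against the post's placeholder host: each command with the server's reply.
Test-SmtpAccept -Server 'exchange.krypted.com' -From 'krypted@me.com' -To 'someone@krypted.com' -Verbose

# Exchange Management Shell equivalent of the Properties dialog: list which
# permission groups each receive connector allows, then add AnonymousUsers to
# the default one. The existing groups are kept; replacing them with only
# AnonymousUsers would break authenticated and server-to-server submission.
Get-ReceiveConnector | Select-Object Name, Bindings, PermissionGroups
$rc = Get-ReceiveConnector | Where-Object { $_.Name -like 'Default *' } | Select-Object -First 1
Set-ReceiveConnector -Identity $rc.Identity -PermissionGroups "$($rc.PermissionGroups), AnonymousUsers"
```

The recipient in the test is on the server's own domain, which is the "relay to an Exchange server" case the post is troubleshooting; a 530 on MAIL FROM or RCPT TO for such a recipient is what the Anonymous users checkbox fixes.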

October 9th, 2013

Posted In: Microsoft Exchange Server, Windows Server


When you are creating a bunch of Server 2012 Virtual Machines (or physical machines, for that matter) it is helpful to programmatically change their names. To do so, use the Rename-Computer PowerShell cmdlet followed by the name you want the computer to have, as follows (assuming a name of 2012.krypted.com):

    Rename-Computer 2012.krypted.com

Before you do anything else (e.g. bind to AD) you should then reboot the host, using the Restart-Computer cmdlet:

    Restart-Computer
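Renaming a whole batch of freshly built servers from a list, as an added example that is not part of the original post. The CSV content is constructed for the example; it assumes the current names are reachable for remote management and that one local administrator credential works on all of them, since they are not yet domain-joined.

```powershell
# Added example (not from the original post): rename a batch of new servers
# from a list and restart each, as the post does for one machine by hand.
# Assumptions: the CSV below is constructed; targets are reachable remotely
# and share a local admin credential.

$csv = @'
CurrentName,NewName
WIN-7K2Q9A1B3C4,SRV2012-01
WIN-X8Y7Z6W5V4U,SRV2012-02
'@
$plan = $csv | ConvertFrom-Csv

function Test-ComputerNameCandidate {
    # Stricter than Rename-Computer itself: keep names to 15 characters so the
    # NetBIOS name matches the hostname, allow only letters, digits and hyphens
    # (no periods), and reject all-digit names.
    param([string]$Name)
    return ($Name.Length -ge 1 -and $Name.Length -le 15 -and
            $Name -match '^[A-Za-z0-9-]+$' -and $Name -notmatch '^\d+$')
}

$cred = Get-Credential -Message 'Local administrator on the new servers'
foreach ($row in $plan) {
    if (-not (Test-ComputerNameCandidate $row.NewName)) {
        Write-Warning "$($row.NewName) is not an acceptable computer name, skipping $($row.CurrentName)"
        continue
    }
    # -Force suppresses the confirmation prompt; -Restart reboots the target so
    # the new name is in effect before it is joined to the domain.
    Rename-Computer -ComputerName $row.CurrentName -NewName $row.NewName `
        -LocalCredential $cred -Force -Restart -PassThru
}
```

The name check is deliberately conservative: a fully qualified name containing periods is not accepted by Rename-Computer, and names longer than 15 characters get a truncated NetBIOS name, which is exactly the kind of mismatch that surfaces later when the host is bound to AD.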

October 8th, 2013

Posted In: Active Directory, Windows Server


When we transfer certain amounts of data in a packet we might cause that packet to fragment. The fewer fragmentations (without requiring a collision or a re-send of a packet), the more efficient network traffic can be. The MTU defines the packet size. Different types of data or network links respond differently. To change the MTU on a Windows Server we're going to use the netsh command. First, we're going to use ping to ping a host on our network, using -f and then -l, which allows us to define the MTU size. In this case we're going to use 1500:

    ping krypted.com -f -l 1500

We should get an error:

    Packet needs to be fragmented but DF set.

Now, let's try:

    ping krypted.com -f -l 1464

Now, let's look at the interfaces along with what the current MTU is on each:

    netsh interface ipv4 show interfaces

Then, let's make the MTU 1464 persistently, using the Idx number of the interface to change from the above command, in quotes:

    netsh interface ipv4 set subinterface "10" mtu=1464 store=persistent
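The post tries two payload sizes by hand; the script below, an added example rather than code from the original post, generalises that into a binary search for the largest payload that crosses the path with DF set, and then applies the result with the same netsh command. It assumes an English-locale ping (the "needs to be fragmented" and "TTL=" strings), that the starting low bound of 1000 bytes passes, and it uses the post's host name and interface index 10 as placeholders. It also accounts for the 20-byte IPv4 and 8-byte ICMP headers that ping's -l size does not include, so the MTU it sets is payload + 28.

```powershell
# Added example (not from the original post): find the largest ping payload
# that crosses the path unfragmented by binary search, then apply the result
# with netsh as the post does.
# Assumptions: English ping output; $Target and the interface index are
# placeholders for your own host and the Idx from "netsh interface ipv4 show interfaces".

function Find-MaxUnfragmentedPayload {
    param([string]$Target, [int]$Low = 1000, [int]$High = 1500)
    # ping -f sets the DF bit; -l sets the ICMP payload length. A payload that
    # is too large fails with "Packet needs to be fragmented but DF set."
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        $out = & ping.exe $Target -f -l $mid -n 1 | Out-String
        if ($out -match 'needs to be fragmented') {
            $High = $mid - 1
        } elseif ($out -match 'TTL=') {
            $Low = $mid
        } else {
            throw "No reply from $Target at payload $mid (timeout or unreachable); cannot size the path"
        }
    }
    return $Low
}

function Set-PersistentMtu {
    param([int]$InterfaceIndex, [int]$Mtu)
    # Same netsh call as the post, with the interface index quoted.
    & netsh.exe interface ipv4 set subinterface "$InterfaceIndex" mtu=$Mtu store=persistent
}

$target  = 'krypted.com'          # placeholder target from the post
$payload = Find-MaxUnfragmentedPayload -Target $target
# The -l size excludes the 20-byte IPv4 header and the 8-byte ICMP header, so
# the path MTU is payload + 28 (a 1472-byte payload corresponds to a 1500-byte MTU).
$mtu = $payload + 28
Write-Output "Largest unfragmented payload to ${target}: $payload bytes (path MTU $mtu)"

# Show the current values, then apply. The post uses the payload figure itself
# as the MTU, which simply leaves 28 bytes of headroom.
& netsh.exe interface ipv4 show interfaces
Set-PersistentMtu -InterfaceIndex 10 -Mtu $mtu   # 10 is the Idx placeholder from the post
```

The search stops on the first timeout rather than treating it as "too big", because a host that drops ICMP entirely would otherwise drive the MTU down to the lower bound for no reason.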

September 17th, 2013

Posted In: Microsoft Exchange Server, Network Infrastructure, Windows Server


The Cipher tool can overwrite deleted data in much the same way the Secure Empty Trash or Secure Erase options work in OS X. To do so, use the cipher command along with the /w switch while all programs on the system are quit. From a command prompt, use the /w switch followed by : and then the path to the location you'd like to overwrite. For example, if you deleted a folder from the C:\MYAPPDATA folder, you would use the following to remove data not allocated to files or folders:

    cipher /w:C:\MYAPPDATA

Note: The cipher command permanently removes data and so takes a while, according to the amount of data you're overwriting.

September 16th, 2013

Posted In: Windows Server


Installing Active Directory services is arguably one of the first things done on many a Windows Server. And for well over a decade you could unbox, update, run dcpromo and be done with much of that. While the wizards are still there, in the case of Windows Server 2012, the process has changed ever-so-slightly. To install a domain controller in Windows Server 2012, start with Server Manager. This new tool is the place where you start many a process in a Windows Server now, and Active Directory is no different.

To get started, first open Server Manager. From Server Manager, click on the Manage menu and select Add Roles and Features. At the Before you begin screen in the Add Roles and Features Wizard, click on Next.

At the Installation Type screen, choose Role-based or feature-based installation and click Next.

At the Server Selection screen, choose the server you'd like to install the Active Directory role on and then click Next. If you only have one server then you should only have one listing here.

There are a number of Roles a domain controller can have. For many environments, a simple Domain Services role will be sufficient, especially on the first 2012 server in the environment. To select this, at the Server Roles screen, choose Active Directory Domain Services and then click on Next.

A sanity check will run to verify all the required Features and other Roles are installed. If not, you'll be presented with a list of items that will be installed in support of the Role being deployed. Click Add Features for most environments, unless you have the tools to manage the Role installed elsewhere.

Back at the Server Roles screen, click Next, unless you'd like to install other Roles as well.

At the Features screen, click Next, unless you'd like to install other features as well.

At the AD DS screen, click Next.

At the Confirmation screen, click Install. You can also tell the server to restart automatically here, so do that as well.

Once the installation is complete, you'll see a yellow icon indicating that something needs to happen with the server. The menu that appears contains a link to promote the server to a domain controller. Click the link to bring up the Deployment Configuration wizard.

At the Deployment Configuration screen of the wizard you can choose whether to add the domain controller to an existing domain or create a new forest. In this case, we'll select the "Add a new forest" option. When highlighted, you will be able to provide a name for the domain. Here we use krypted.com. Once the name is provided, click Next.

At the Domain Controller Options screen, choose whether the server will be an AD Integrated DNS Server, a Global Catalog server, or possibly a Read Only Domain Controller, and provide a Directory Services Restore Mode (DSRM) password, used to restore the environment in case it fails. Also, choose the functional level of both the domain and forest. Because this is a new environment with no 2003 to 2008 servers we will leave the levels set to Windows Server 2012. Click Next when you're satisfied with your entries.

If you decided to enable DNS, you will have the option to also install DNS delegation, which you should do if possible in most environments. Click Next.

At the Additional Options screen, provide a NetBIOS name. This is usually an 8-character-or-less rendition of the same domain name, often used in legacy tools or prepended to usernames and passwords when namespace collisions occur with account names. When you've provided the name, click Next.

At the Paths screen, indicate where you want the directories that contain the Active Directory files stored. Most environments can leave these at the default settings and click Next.

At the Review Options screen, click Next, provided that all of the options match the information you provided/desire.

At the Installation screen, click Install and watch the progress (it usually takes a minute or three to complete).

Once completed, open the Tools menu in Server Manager to see the tools formerly available in the Administrative Tools section of the Start menu, including Active Directory Domains and Trusts, Active Directory PowerShell, Active Directory Sites and Services and Active Directory Users and Computers, which mostly look like they've looked for a long time (but with a pretty blue frame around the screen).

Additionally, there's an Active Directory Administrative Center, which provides quick and easy access to a number of features from other tools and allows you to change domain controllers, raise the domain/forest functional levels (useful when upgrading from previous incantations of Active Directory), etc.
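The whole wizard walk-through above, run from PowerShell instead, as an added example that is not code from the original post. It maps each wizard screen onto the ADDSDeployment cmdlets, runs the prerequisite check that the wizard performs before it lets you click Install, and only then promotes the server. The domain name krypted.com comes from the post; the NetBIOS name KRYPTED, the default paths and the choice not to create a DNS delegation (there is no parent zone in a brand-new forest) are assumptions of the example.

```powershell
# Added example (not from the original post): build the same new forest from
# PowerShell. Assumptions: krypted.com is the post's domain; KRYPTED, the
# default paths and the delegation choice are the example's own.

# Step 1: the Add Roles and Features part, with the management tools the
# wizard offers to add.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# One parameter set for both the prerequisite check and the promotion. The
# entries mirror the wizard screens: Deployment Configuration (DomainName),
# Domain Controller Options (DNS, functional levels, DSRM password),
# DNS Options (delegation), Additional Options (NetBIOS) and Paths.
$forest = @{
    DomainName                    = 'krypted.com'
    DomainNetbiosName             = 'KRYPTED'
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # set $true when a parent DNS server can host the delegation
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    SafeModeAdministratorPassword = $dsrm
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Step 2: the wizard's prerequisite check as a cmdlet. Stop on any failure
# rather than promoting a server that is not ready.
$check = Test-ADDSForestInstallation @forest
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; not promoting this server.'
}

# Step 3: promote. -Force skips the confirmation prompt; the server reboots on
# completion just as it does after the wizard.
Install-ADDSForest @forest -Force
```

Keeping the parameters in one hashtable means the check and the promotion cannot drift apart, which is the scripted equivalent of the Review Options screen: what was tested is exactly what gets installed.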

August 12th, 2013

Posted In: Active Directory, Windows Server


Windows Server has a role that it can run in SMTP. Exchange and other services use this role to relay mail. There is a type of attack against a mail server that revolves around effectively performing a Denial of Service (DoS) against Exchange by sending massive quantities of mail to the server and forcing it to send Non Delivery Reports (NDRs) for the mail you've sent the server. This is known as an NDR Flood Attack. You can also leverage what's known as a Directory Harvest Attack to get a server to respond to each possible combination of characters for addresses on domains running on an Exchange server. A Directory Harvest Attack then ends up giving spammers information about what email addresses they can spam on your server.

Not to get off the point, but unless you can DoS a box with one or two packets only, I don't consider a DoS attack hacking. Really, it's just brute force. It's lame and there's nothing scientific or interesting about it. Unless of course, you wrote some really cool botnet and it's your bot farm DoSing some evil something-or-other. But I digress…

So one way that Microsoft has come up with to combat these types of automated attacks against their servers is to make SMTP "sticky". Basically, you put a few seconds' worth of delay in your response to a request. At 5 seconds, legitimate mail servers won't even notice. But if someone is trying to flood you with massive quantities of junk traffic over port 25 they're going to have a far less interesting time of doing so. To enable the SMTP tar pit feature in Exchange/Windows Server, back up the registry and then locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters subkey. From there, create a new DWORD value and call it TarpitTime. Enter a decimal value of 5 to make the sticky time 5 seconds (the value is therefore in seconds). Once done, save and restart SMTP:

    net stop smtpsvc
    net start smtpsvc

And voilà, you're joining the good fight against evil spammers. Sleep better tonight!

Note: You get extra credit if you thought "it is soooooo 90s to allow SMTP traffic on any network you control! Do you worship Jeremy Piven's character from PCU or what?!?!" Note 2: You get double extra credit if you happened to step in tar at the La Brea Tar Pits while reading this article, as I thought about writing it when almost stepping in some tar at the very same place.
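The registry change above as a script, added here as an example and not code from the original post: it exports the subkey first (the backup the post asks for), creates or updates the TarpitTime DWORD, restarts the service and reads the value back. The backup path is a placeholder; the 5-second value is the one the post recommends. The closing comment names the receive connector equivalent on Exchange 2007 and later, where the tarpit is a connector property rather than this SMTPSVC registry value.

```powershell
# Added example (not from the original post): apply the TarpitTime setting
# with a registry backup first, restart SMTPSVC and read the value back.
# Assumptions: the backup path is a placeholder; 5 seconds is the post's value.

$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'
$backup  = 'C:\Backups\SMTPSVC-Parameters.reg'   # placeholder location
$seconds = 5

function Set-SmtpTarpit {
    param([string]$Key, [int]$Seconds, [string]$BackupFile)

    # 1. Back up the subkey before touching it (reg.exe wants the native path).
    $nativeKey = $Key -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    & reg.exe export $nativeKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; not changing $Key" }

    # 2. Create or update the DWORD. New-ItemProperty fails if the value already
    #    exists, so fall back to Set-ItemProperty in that case.
    if (Get-ItemProperty -Path $Key -Name TarpitTime -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $Key -Name TarpitTime -Value $Seconds
    } else {
        New-ItemProperty -Path $Key -Name TarpitTime -PropertyType DWord -Value $Seconds | Out-Null
    }

    # 3. Restart the SMTP service so the new value is read (same as net stop/start).
    Restart-Service -Name SMTPSVC

    # 4. Read it back; the value is in seconds.
    return (Get-ItemProperty -Path $Key -Name TarpitTime).TarpitTime
}

$applied = Set-SmtpTarpit -Key $key -Seconds $seconds -BackupFile $backup
Write-Output "SMTPSVC TarpitTime is now $applied second(s)"

# On Exchange 2007 and later the Hub Transport tarpit is a receive connector
# property rather than this registry value; the equivalent is
#   Set-ReceiveConnector -Identity '<connector>' -TarpitInterval 00:00:05
```

If you later need to undo the change, the exported .reg file restores the subkey exactly as it was; reading the value back after the restart is what confirms the service is actually using the new delay.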

June 27th, 2013

Posted In: Microsoft Exchange Server, Windows Server


Sometimes you need to boot a system into Safe Mode. But with a virtual machine you don't have enough time to put a Windows system into Safe Mode. To put a normal system into Safe Mode, you can just hit the F8 key when Windows is booting. But with a virtual machine the BIOS screen is by default set to go away in 0 seconds. Therefore, you need to add a boot delay to mimic a physical host. To get a virtual machine in ESX to have such a boot delay, view all the virtual machines and then right click on the virtual machine you need to configure a delay for. Next, click on Edit Settings, then on the Options tab, and then on Boot Options. At the Boot Options screen, set the Power-on Boot Delay to 5000ms, which will give you a 5 second delay. Given that 5 second delay you will be able to click on a booting virtual machine and then press the F8 key. From here, open the console window for the virtual machine and start the boot process.
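The same 5000 ms power-on delay set from PowerCLI rather than the vSphere Client, as an added example that is not part of the original post. It assumes PowerCLI is loaded and already connected with Connect-VIServer; the VM name is a placeholder. The optional switch uses the same boot options object to request BIOS setup on the next power-on, which is handy when even a 5-second window is missed.

```powershell
# Added example (not from the original post): set the power-on boot delay
# from PowerCLI and read it back. Assumptions: Connect-VIServer has already
# been run; the VM name is a placeholder.

function Set-VMBootDelay {
    param(
        [string]$Name,
        [int]$DelayMs = 5000,
        [switch]$EnterBiosSetup   # optional: drop straight into BIOS setup on the next boot
    )
    $vm = Get-VM -Name $Name
    # Boot options live in the VM config spec; only the fields set here change.
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.BootDelay = $DelayMs
    if ($EnterBiosSetup) { $spec.BootOptions.EnterBIOSSetup = $true }
    $vm.ExtensionData.ReconfigVM($spec)

    # Read the value back from a fresh view of the VM so we report what is stored.
    $vm = Get-VM -Name $Name
    return $vm.ExtensionData.Config.BootOptions.BootDelay
}

$delay = Set-VMBootDelay -Name 'win2012-dc01' -DelayMs 5000   # placeholder VM name
Write-Output "Boot delay is now $delay ms; open the console, power on and press F8 within that window."
```

Because the delay is stored in the VM's configuration rather than in the guest, it survives reboots; set it back to 0 once the Safe Mode work is done so normal power-ons are not slowed down.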

June 8th, 2013

Posted In: Microsoft Exchange Server


Out of the box a Windows Server 2012 isn’t really that helpful. But luckily, it has these things called Roles. Roles are things like Hyper-V, File Sharing, Windows Update Services, Web Server, etc. Each role then has a collection of services that it can run as well, within the Role. Roles include (borrowing from Microsoft here):
  • Active Directory Certificate Services Overview: This content provides an overview of Active Directory Certificate Services (AD CS) in Windows Server 2012. AD CS is the server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.
  • Active Directory Domain Services Overview: By using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for user and resource management, and provide support for directory-enabled applications such as Microsoft Exchange Server.
  • Active Directory Federation Services Overview: This topic provides an overview of Active Directory Federation Services (AD FS) in Windows Server 2012.
  • Active Directory Lightweight Directory Services Overview: Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies and domain-related restrictions of AD DS.
  • Active Directory Rights Management Services Overview: This document provides an overview of Active Directory Rights Management Services (AD RMS) in Windows Server 2012. AD RMS is the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions.
  • Application Server Overview: Application Server provides an integrated environment for deploying and running custom, server-based business applications.
  • Failover Clustering Overview: This topic describes the Failover Clustering feature and provides links to additional guidance about creating, configuring, and managing failover clusters on up to 4,000 virtual machines or up to 64 physical nodes.
  • File and Storage Services Overview: This topic discusses the File and Storage Services server role in Windows Server 2012, including what's new, a list of role services, and where to find evaluation and deployment information.
  • Group Policy Overview: This topic describes the Group Policy feature in Windows Server 2012 and Windows 8. Use this topic to find the documentation resources and other technical information you need to accomplish key Group Policy tasks, new or updated functionality in this version compared to previous versions of Group Policy, and ways to automate common Group Policy tasks using Windows PowerShell.
  • Hyper-V Overview: This topic describes the Hyper-V role in Windows Server 2012—practical uses for the role, the most significant new or updated functionality in this version compared to previous versions of Hyper-V, hardware requirements, and a list of operating systems (known as guest operating systems) supported for use in a Hyper-V virtual machine.
  • Networking Overview: This section contains detailed information about networking products and features for the IT professional to design, deploy, and maintain Windows Server 2012.
  • Network Load Balancing Overview: By managing two or more servers as a single virtual cluster, Network Load Balancing (NLB) enhances the availability and scalability of Internet server applications such as those used on web, FTP, firewall, proxy, virtual private network (VPN), and other mission-critical servers. This topic describes the NLB feature and provides links to additional guidance about creating, configuring, and managing NLB clusters.
  • Network Policy and Access Services Overview: This topic provides an overview of Network Policy and Access Services in Windows Server 2012, including the specific role services of Network Policy Server (NPS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP). Use the Network Policy and Access Services server role to deploy and configure Network Access Protection (NAP), secure wired and wireless access points, and RADIUS servers and proxies.
  • Print and Document Services Overview: This is an overview of Print and Document Services, including Print Server, Distributed Scan Server, and Fax Server in Windows Server 2012.
  • Remote Desktop Services Overview: Remote Desktop Services accelerates and extends desktop and application deployments to any device, improving remote worker efficiency, while helping to keep critical intellectual property secure and simplify regulatory compliance. Remote Desktop Services enables both a virtual desktop infrastructure (VDI) and session-based desktops, allowing users to work anywhere.
  • Security and Protection Overview: The table on this page provides links to available information for the IT pro about security technologies and features for Windows Server 2012 and Windows 8.
  • Telemetry Overview: Find out about Windows Feedback Forwarder—a service that enables you to automatically send feedback to Microsoft by deploying a Group Policy setting to one or more organizational units. Windows Feedback Forwarder is available on all editions of Windows Server 2012.
  • Volume Activation Overview: This technical overview for the IT pro describes the volume activation technologies in Windows Server 2012 and how your organization can benefit from using these technologies to deploy and manage volume licenses for a medium to large number of computers.
  • Web Server (IIS) Overview: This document introduces the Web Server (IIS) role of Windows Server 2012, describes new IIS 8 features, and links to additional Microsoft and community information about IIS.
  • Windows Deployment Services Overview: Windows Deployment Services enables you to deploy Windows operating systems over the network, which means that you do not have to install each operating system directly from a CD or DVD.
  • Windows Server Backup Feature Overview: This section provides an overview of the Windows Server Backup feature and lists the new features in Windows Server 2012.
  • Windows Server Update Services Overview: Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. In Windows Server 2012, this feature is integrated with the operating system as a server role. This topic provides an overview of this server role and more information about how to deploy and maintain WSUS.
  • Windows System Resource Manager Overview: With Windows System Resource Manager for the Windows Server 2012 operating system, you can manage server processor and memory usage with standard or custom resource policies. Managing your resources can help ensure that all the services provided by a single server are available on an equal basis or that your resources will always be available to high-priority applications, services, or users.
To add a Role is a pretty straightforward process. To get started, open Server Manager and click on the Dashboard. From the Dashboard, click on the Manage menu and click on Add Roles and Features.

At the Add Roles and Features Wizard, click on Next at the Before You Begin screen.

At the Installation Type screen, click on Role-based or Feature-based Installation, unless you are installing Remote Desktop Services (formerly called Terminal Services), in which case click on that radio button instead.

At the Server Selection screen, click on the server you'd like to install the role on and then click on Next.

At the Add Roles or Features screen, choose the role you'd like to install. If there are any requirements to use the service, you'll then be notified that those requirements exist. I usually leave the Include management tools (if applicable) box checked the first time I install a role and click on Add Features.

If any issues are encountered, you'll then be alerted that there was a problem. If you'd like to correct the issue, click Cancel, correct the issue and then rerun the tool. Or if you'd like to proceed anyway, click Continue.

Back at the Server Roles screen, the box will then be checked. Click on Next. At the Features screen, you can add a feature, although in this case we won't be doing so. Then, click Next.

At the screen for the role you just selected, read the information, then click Next.

At the Confirmation screen, click Install. Optionally, you can also choose whether to reboot the server when the service is finished installing.

Once installed, click Close. Also, at this screen, you can export the configuration settings for the service for future use. That's it. You've now installed DNS services in Windows Server (or whatever service you are setting up). The services still need to be configured, but the initial install should now be complete!
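The wizard above as a script, added here as an example and not code from the original post: it checks what a server already has before installing, installs the role with its management tools (the "Include management tools" box), reports whether a restart is pending, and then reuses the configuration file the wizard's export link writes to repeat the install on other servers. DNS is the role the post ends with; the server names and the XML path are placeholders, and the file name DeploymentConfigTemplate.xml is the wizard's default.

```powershell
# Added example (not from the original post): the Add Roles and Features
# wizard as a script. Assumptions: DNS is the role from the post; server
# names and the template path are placeholders.

function Get-RoleState {
    # Report the install state of the named roles/features on a server so the
    # script can be run more than once without surprises.
    param([string]$ComputerName, [string[]]$Names)
    Get-WindowsFeature -ComputerName $ComputerName -Name $Names |
        Select-Object Name, DisplayName, InstallState
}

function Install-RoleIfMissing {
    param([string]$ComputerName, [string]$Name)
    $feature = Get-WindowsFeature -ComputerName $ComputerName -Name $Name
    if ($feature.Installed) {
        Write-Output "$Name is already installed on $ComputerName"
        return $null
    }
    # -IncludeManagementTools matches the "Include management tools" box in the
    # wizard; -Restart is deliberately omitted so the reboot is ours to schedule.
    $result = Install-WindowsFeature -ComputerName $ComputerName -Name $Name -IncludeManagementTools
    if (-not $result.Success) { throw "Install of $Name on $ComputerName failed: $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning "$ComputerName needs a restart to finish $Name" }
    return $result
}

# Install DNS on one server, as the post does through the wizard, then confirm.
Install-RoleIfMissing -ComputerName 'srv2012-01' -Name 'DNS'
Get-RoleState -ComputerName 'srv2012-01' -Names 'DNS','RSAT-DNS-Server'

# The wizard's "Export configuration settings" link writes an XML file
# (DeploymentConfigTemplate.xml by default). That file can drive the same
# install on further servers without clicking through the wizard again.
$template = 'C:\Deploy\DeploymentConfigTemplate.xml'   # placeholder path
foreach ($server in 'srv2012-02','srv2012-03') {
    Install-WindowsFeature -ConfigurationFilePath $template -ComputerName $server
}
```

Checking InstallState first is what makes the script safe to schedule: a second run reports "already installed" instead of re-running the installer, and the RestartNeeded warning is the scripted version of the reboot checkbox on the Confirmation screen.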

June 6th, 2013

Posted In: Windows Server

