Windows Updates can be installed from a standard batch script using wusa.exe, the command that installs the update packages you specify. wusa.exe lives inside the Windows directory (%WINDIR%\SysNative to be exact). To run it, specify the path to the package you’d like to install. In this case, I’ve mapped a drive to my updates and placed each in a directory named after the update ID. To install a package, run wusa.exe with the path to the .msu file:
To uninstall the package afterwards (if you dare), use the /uninstall option. Here you don’t need to provide the path, only the KB number, passed with the /kb option:
wusa.exe /uninstall /kb:2862152 /quiet /norestart
wusa then completes the operation. If needed, you will have to reboot the system. You can also specify /warnrestart, which prompts before restarting, or /forcerestart, which restarts the system automatically without any warning.
Packages can also be installed before a computer boots (into an offline image) in Windows 7 and 8 using the DISM.exe command with the /Add-Package option, together with the Windows Automated Installation Kit.
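As an added example (not from the original post), here is the same workflow in PowerShell: walk a mapped updates drive with one directory per KB, run wusa.exe with the options above, interpret the exit code, and confirm the result with Get-HotFix. The drive letter U:\Updates and the KBnnnnnnn directory naming are assumptions.

```powershell
# Added example: install (or uninstall) every .msu found under a mapped updates drive,
# one directory per KB, and verify each with Get-HotFix.
# Assumed layout: U:\Updates\KB2862152\*.msu  (drive letter and naming are assumptions)

function Get-WusaPath {
    # A 64-bit PowerShell sees the real System32; only a 32-bit process needs the
    # SysNative alias to escape WOW64 file-system redirection.
    if ([Environment]::Is64BitProcess) { Join-Path $env:WINDIR 'System32\wusa.exe' }
    else                               { Join-Path $env:WINDIR 'SysNative\wusa.exe' }
}

function Install-MsuTree {
    param(
        [Parameter(Mandatory)] [string] $Root,   # e.g. 'U:\Updates'
        [switch] $Uninstall
    )
    $wusa = Get-WusaPath
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $kb  = $_.Name                                   # directory is named after the KB id
        $msu = Get-ChildItem -Path $_.FullName -Filter '*.msu' | Select-Object -First 1
        if (-not $msu) { Write-Warning "$kb : no .msu found, skipping"; return }

        if ($Uninstall) {
            $wusaArgs = @('/uninstall', "/kb:$($kb -replace '^KB','')", '/quiet', '/norestart')
        } else {
            $wusaArgs = @("`"$($msu.FullName)`"", '/quiet', '/norestart')
        }
        $p = Start-Process -FilePath $wusa -ArgumentList $wusaArgs -Wait -PassThru

        # 0 = success, 3010 = ERROR_SUCCESS_REBOOT_REQUIRED; anything else needs a look.
        $status = switch ($p.ExitCode) {
            0       { 'ok' }
            3010    { 'ok, reboot required' }
            default { "failed (exit $($p.ExitCode))" }
        }
        # Independent check: the hotfix list should now contain (or no longer contain) the KB.
        $present = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
        [pscustomobject]@{ KB = $kb; Package = $msu.Name; Result = $status; InstalledNow = $present }
    }
}

# Example run (assumed drive letter); review the table, then reboot if any row says so.
Install-MsuTree -Root 'U:\Updates' | Format-Table -AutoSize
```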
krypted November 29th, 2013
Posted In: Windows Server, Windows XP
When working on mail flow issues, one of the first troubleshooting steps with any mail server is to telnet into port 25 of the server. Exchange has an error, 530, that says the SMTP connection wasn’t authenticated. If you’re trying to relay through an Exchange server, that’s a good thing, as you wouldn’t want an open relay. However, if you’re trying to relay to an Exchange server, that’s not such a good thing. So let’s look at what this symptom looks like. First we telnet into port 25 of the server:
telnet exchange.krypted.com 25
Which shows the following:
Then we say hi:
And because the laws of robotics tell it to do so, the server says hi back:
250 exchange.krypted.com Hello
Then we try and relay to it:
And we get this error at some point in our smtp communication:
530 5.7.1 Client was not authenticated
Now, at this point we should look at the receive connector for Exchange, part of Hub Transport. To do so, open Exchange System Manager or Exchange Management Console and select Hub Transport under the Server Configuration section.
Here, locate your default receive connector (don’t do this on a send connector or you will create an open relay), right click it and then click on Properties.
At the Properties dialog, check the box for Anonymous users. This allows another mail server to communicate with yours over SMTP, since that other server is basically just running through the same message dialog we worked through earlier while telnetted into the host. Click Apply to save the changes and, for giggles, go ahead and stop (disable) and start (enable) the connector.
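As an added example (not from the original post), this PowerShell function replays the telnet session above against a receive connector you administer and reports at which step a 530 5.7.1 comes back, so you can confirm the change took effect. The server name, the HELO name, the sender and the recipient are assumptions; the recipient should be a mailbox your server hosts.

```powershell
# Added example: replay the SMTP dialog from the post against your own Exchange
# receive connector and record the reply code for each step.

function Invoke-SmtpProbe {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int]    $Port      = 25,
        [string] $HeloName  = 'probe.example.invalid',        # assumed
        [string] $From      = 'probe@example.invalid',        # assumed
        [string] $Recipient = 'postmaster@krypted.com'        # assumed; a mailbox the server hosts
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # SMTP replies may span several lines: "250-..." continues, "250 ..." ends the reply.
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { break }                    # peer closed the connection
            $lines += $line
        } while ($line -match '^\d{3}-')
        if (-not $lines) { $lines = @('000 connection closed') }
        ,$lines
    }

    $transcript = @()
    $banner = Read-Reply
    $transcript += [pscustomobject]@{ Step = 'banner'; Code = $banner[-1].Substring(0, 3); Reply = $banner[-1] }

    foreach ($cmd in "EHLO $HeloName", "MAIL FROM:<$From>", "RCPT TO:<$Recipient>", 'QUIT') {
        $writer.WriteLine($cmd)
        $reply = Read-Reply
        $code  = $reply[-1].Substring(0, 3)
        $transcript += [pscustomobject]@{ Step = $cmd.Split(' ')[0]; Code = $code; Reply = $reply[-1] }
        if ($code -eq '530') { $writer.WriteLine('QUIT'); break }   # 5.7.1: anonymous submission refused
    }
    $client.Close()
    $transcript
}

# Reading the result for a recipient the server hosts:
#   530 at MAIL FROM / RCPT TO -> Anonymous users is not enabled on the receive connector
#   250 at RCPT TO             -> inbound anonymous mail for your domain is accepted (the fix above)
Invoke-SmtpProbe -Server 'exchange.krypted.com' | Format-Table -AutoSize
```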
krypted October 9th, 2013
Posted In: Microsoft Exchange Server, Windows Server
When you are creating a bunch of Server 2012 virtual machines (or physical machines, for that matter) it is helpful to change their names programmatically. To do so, use the Rename-Computer PowerShell cmdlet followed by the name you want the computer to have, as follows (assuming a name of 2012.krypted.com):
Before you do anything else (e.g. binding to AD) you should then reboot the host, using the Restart-Computer cmdlet:
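As an added example (not from the original post), the rename-then-reboot step scaled up to a batch of freshly built servers: names come from a CSV, each new name is checked against the NetBIOS rules before anything is touched, and the reboot only happens when Rename-Computer reports success. The CSV layout, the host names and the credential prompt are assumptions.

```powershell
# Added example: rename a batch of new servers from a CSV of old/new names and
# reboot each one before it is joined to AD.

$csv = @'
CurrentName,NewName
WIN-7Q2K3H9,APP01
WIN-A4B5C6D,APP02
'@ | ConvertFrom-Csv        # constructed sample; normally Import-Csv .\hosts.csv

function Test-ComputerName {
    param([string] $Name)
    # NetBIOS rules: 1-15 characters, letters/digits/hyphen, no leading or trailing hyphen.
    return $Name -match '^(?!-)[A-Za-z0-9-]{1,15}(?<!-)$'
}

$cred = Get-Credential -Message 'Local administrator on the new servers'
foreach ($row in $csv) {
    if (-not (Test-ComputerName $row.NewName)) {
        Write-Warning "$($row.NewName) is not a valid NetBIOS name, skipping"
        continue
    }
    # -PassThru returns an object with HasSucceeded; the reboot is done separately so a
    # failed rename never leaves a host bouncing under its old name.
    $result = Rename-Computer -ComputerName $row.CurrentName -NewName $row.NewName `
                              -LocalCredential $cred -Force -PassThru -ErrorAction Continue
    if ($result.HasSucceeded) {
        Restart-Computer -ComputerName $row.CurrentName -Credential $cred -Force
    }
}
```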
krypted October 8th, 2013
Posted In: Active Directory, Windows Server
Scripting user creation in Windows Server is something we’ve long done using LDIF files; however, when building a system that creates users in more of a one-off capacity it’s pretty easy to script the creation process using PowerShell, piping information in from other solutions. To create a user, use the New-ADUser cmdlet.
I’ve found that we usually need to populate this with a few pieces of information: the account name (SamAccountName), the password (AccountPassword), the full name (Name), whether the account is enabled (Enabled), whether the password never expires (PasswordNeverExpires) and whether the user must change their password when they log on (ChangePasswordAtLogon). Respectively, the following example creates user cedge with a password of mypassword and a name of Charles Edge, enables the account, allows the password to expire and forces me to change my password the first time I log in:
New-ADUser -SamAccountName cedge -AccountPassword (Read-Host "Set user password" -AsSecureString) -Name "Charles Edge" -Enabled $true -PasswordNeverExpires $false -ChangePasswordAtLogon $true
Once created, the account likely needs to be made a member of some groups. At this point, we’ll need to identify the user by CN (so if the user is in a specific OU, that would need to be included in the -Identity parameter). Because namespace collisions can happen, you’ll need to provide the full distinguished name of both the user (using the Identity parameter) and the group (using the MemberOf parameter). Let’s say I’m going to add the account I just created, which is in Users of krypted.com, to the Enterprise Admins group of the same domain; that would look like this:
Add-ADPrincipalGroupMembership -Identity "CN=cedge,CN=Users,DC=krypted,DC=com" -MemberOf "CN=Enterprise Admins,CN=Users,DC=krypted,DC=com","CN=Domain Admins,CN=Users,DC=krypted,DC=com"
Overall, it’s pretty easy to call these cmdlets from other scripts. For example, if you wanted to build a system that allowed an HR professional to enter a username and password for a user and then create their account in AD, Google Apps and a few other solutions, this would make for the first step, piping that account name and password into each.
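As an added example (not from the original post), here is that first step written as a pipeline-friendly function: account details arrive as objects (from a CSV or an HR system), the user is created with New-ADUser and placed into groups with Add-ADPrincipalGroupMembership, and the new object's distinguished name is looked up rather than typed by hand. The container, the UPN suffix and the group name are assumptions; the example puts the user into an ordinary security group rather than Enterprise or Domain Admins.

```powershell
# Added example: provision an AD user from pipeline input and add it to groups.
Import-Module ActiveDirectory

function New-ProvisionedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]       $SamAccountName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]       $DisplayName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [securestring] $Password,
        [string]   $Path   = 'CN=Users,DC=krypted,DC=com',            # assumed container
        [string[]] $Groups = @('CN=Staff,CN=Users,DC=krypted,DC=com') # assumed group
    )
    process {
        if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
            Write-Warning "$SamAccountName already exists, skipping"
            return
        }
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'create AD user')) {
            New-ADUser -SamAccountName $SamAccountName -Name $DisplayName `
                       -UserPrincipalName "$SamAccountName@krypted.com" -Path $Path `
                       -AccountPassword $Password -Enabled $true `
                       -PasswordNeverExpires $false -ChangePasswordAtLogon $true
            # The new object's DN is what -Identity needs once OUs are involved.
            $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
            Add-ADPrincipalGroupMembership -Identity $dn -MemberOf $Groups
            Get-ADUser -Identity $SamAccountName -Properties MemberOf |
                Select-Object SamAccountName, Enabled, MemberOf
        }
    }
}

# Constructed sample input; a real feed would come from Import-Csv or the HR system.
$feed = @(
    [pscustomobject]@{
        SamAccountName = 'cedge'
        DisplayName    = 'Charles Edge'
        Password       = (ConvertTo-SecureString 'mypassword' -AsPlainText -Force)
    }
)
$feed | New-ProvisionedUser -WhatIf     # drop -WhatIf to actually create the account
```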
krypted October 4th, 2013
Posted In: Windows Server
When we put more data in a packet than a link can carry, the packet is fragmented. The fewer fragmented packets (and the fewer collisions or re-sent packets), the more efficient network traffic is. The MTU defines the maximum packet size, and different types of data and network links respond differently to it. To change the MTU on a Windows Server we’re going to use the netsh command. First, we’re going to use ping to ping a host on our network with -f (don’t fragment) and -l, which lets us set the packet size to test. In this case we’re going to use 1500:
ping krypted.com -f -l 1500
We should get an error:
Packet needs to be fragmented but DF set.
Now, let’s try a smaller size:
ping krypted.com -f -l 1464
Now, let’s look at the interfaces along with what the current MTU is on each:
netsh interface ipv4 show interfaces
Then, let’s make the MTU 1464 persistently, using the Idx number of the interface to change (from the command above) in quotes:
netsh interface ipv4 set subinterface "10" mtu=1464 store=persistent
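As an added example (not from the original post), this PowerShell code automates the ping -f -l probing above with a binary search and prints the netsh command that would apply the result. One caveat the post does not spell out: -l sets the ICMP payload size, and the IPv4 header (20 bytes) plus the ICMP header (8 bytes) add 28 bytes, so an interface MTU of 1500 corresponds to -l 1472. The target host and the interface index 10 are assumptions.

```powershell
# Added example: find the largest non-fragmenting ping payload by binary search,
# convert it to a path MTU, and show the matching netsh command.

function Test-PingNoFragment {
    param([string] $Target, [int] $PayloadBytes)
    $out = & ping.exe -n 1 -w 1000 -f -l $PayloadBytes $Target 2>&1 | Out-String
    # A real reply carries "bytes=NN"; the DF failure ("Packet needs to be fragmented
    # but DF set.") and a timeout do not.
    return [bool]($out -match 'bytes=\d+')
}

function Find-PathMtu {
    param([string] $Target, [int] $Low = 0, [int] $High = 1472)
    if (-not (Test-PingNoFragment $Target $Low)) {
        throw "$Target does not answer even a $Low-byte probe; nothing to measure"
    }
    # Invariant: $Low is known to work; the answer lies in [$Low, $High].
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (Test-PingNoFragment $Target $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    [pscustomobject]@{ Target = $Target; LargestPayload = $Low; PathMtu = $Low + 28 }
}

$r = Find-PathMtu -Target 'krypted.com'      # assumed target
$r

# List interfaces with their current MTU (the Idx column is what netsh wants):
netsh interface ipv4 show interfaces

# Apply persistently to interface index 10 (assumed) once you have confirmed the Idx:
Write-Host "netsh interface ipv4 set subinterface `"10`" mtu=$($r.PathMtu) store=persistent"
```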
krypted September 17th, 2013
Posted In: Microsoft Exchange Server, Network Infrastructure, Windows Server
The Cipher tool can overwrite deleted data in much the same way the Secure Empty Trash or Secure Erase options work in OS X. To do so, use the cipher command with the /w switch while all other programs on the system are closed.
Then, from a command prompt, use the /w switch followed by : and then the path to the location you’d like to overwrite. For example, if you deleted a folder from c:\MYAPPDATA, you would use the following to overwrite the space on that volume not allocated to files or folders:
cipher /w:c:\MYAPPDATA
Note: The cipher command permanently removes data and so takes a while, depending on the amount of space you’re overwriting.
krypted September 16th, 2013
Posted In: Windows Server
Installing Active Directory services is arguably one of the first things done on many a Windows Server. And for well over a decade you could unbox, update, run dcpromo and be done with much of that. While the wizards are still there, in the case of Windows Server 2012, the process has changed ever-so-slightly. To install a domain controller in Windows Server 2012, start with Server Manager. This new tool is the place where you start many a process in a Windows Server now, and Active Directory is no different.
To get started, first open Server Manager.
From Server Manager, click on the Manage menu and select Add Roles and Features. At the Before you begin screen in the Add Roles and Features Wizard, click on Next.
At the Installation Type screen, choose Role-based or feature-based installation and click Next.
At the Server Selection screen, choose the server you’d like to install the Active Directory role on and then click Next. If you only have one server then you should only have one listing here.
There are a number of Roles a domain controller can have. For many environments, a simple Domain Services role will be sufficient, especially on the first 2012 server in the environment. To select this, at the Server Roles screen, choose Active Directory Domain Services and then click on Next.
A sanity check will run to verify all the required Features and other Roles are installed. If not, you’ll be presented with a list of items that will be installed in support of the Role being deployed. Click Add Features for most environments, unless you have the tools to manage the Role installed elsewhere.
Back at the Server Roles screen, click Next, unless you’d like to install other Roles as well.
At the Features screen, click Next, unless you’d like to install other features as well.
At the AD DS screen, click Next.
At the Confirmation screen, click Install. You can also tell the server to restart automatically here, so do that as well.
Once the installation is complete, you’ll see a yellow icon indicating that something needs to happen with the server. The menu that appears contains a link to promote the server to a domain controller. Click the link to bring up the Deployment Configuration wizard.
At the Deployment Configuration screen of the wizard you can choose whether to add the domain controller to an existing domain or create a new forest. In this case, we’ll select the “Add a new forest” option. When highlighted, you will be able to provide a name for the domain; here we use krypted.com. Once the name is provided, click Next.
At the Domain Controller Options screen, choose whether the server will be an AD-integrated DNS server, a Global Catalog server or possibly a read-only domain controller, and provide a Directory Services Restore Mode (DSRM) password, used to restore the environment if it fails. Also, choose the functional level of both the domain and the forest. Because this is a new environment with no 2003 to 2008 servers, we will leave the levels set to Windows Server 2012. Click Next when you’re satisfied with your entries.
If you decided to enable DNS, you will have the option to also install DNS delegation which you should do if possible, in most environments. Click Next.
At the Additional Options screen, provide a NetBIOS name. This is usually an 8-character-or-shorter rendition of the same domain name, often used by legacy tools or prepended to usernames when account names collide across domains. When you’ve provided the name, click Next.
At the Paths screen, indicate where you want the directories that contain the Active Directory files stored. Most environments can leave these to the default settings and click Next.
At the Review Options screen, click Next provided that all of the options match the information you provided/desire.
At the Installation screen, click Install and watch the progress (it usually takes a minute or three to complete).
Once completed, open the Tools menu in Server Manager to see the tools formerly available in the Administrative Tools section of the Start menu, including Active Directory Domains and Trusts, Active Directory PowerShell, Active Directory Sites and Services and Active Directory Users and Computers, which mostly look like they’ve looked for a long time (but with a pretty blue frame around the screen).
Additionally, there’s the Active Directory Administrative Center, which provides quick and easy access to a number of features from the other tools and allows you to change domain controllers, raise the domain/forest functional levels (useful when upgrading from previous incarnations of Active Directory), etc.
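As an added example (not from the original post), the same first-forest deployment driven from PowerShell, which makes the choices the wizard asks for reviewable and repeatable: the AD DS role is installed, the prerequisite check is run, and only on success is the forest created. The domain name is the post's; the NetBIOS name, the paths (the wizard defaults) and the decision to skip DNS delegation for a new forest root are assumptions. Run it in an elevated session on the server being promoted.

```powershell
# Added example: promote a Server 2012 machine to the first DC of a new forest.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# DSRM password: collected interactively so it never lands in a script or history file.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$forest = @{
    DomainName                    = 'krypted.com'
    DomainNetbiosName             = 'KRYPTED'          # assumed; NetBIOS names are at most 15 characters
    ForestMode                    = 'Win2012'          # functional levels chosen in the wizard
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false             # a new forest root has no parent zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'  # wizard defaults
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $false
    Force                         = $true              # suppress the confirmation prompt
}

# Same prerequisite check the wizard runs before the Installation screen.
$check = Test-ADDSForestInstallation @forest
$check | Format-List Status, Message

if ($check.Status -eq 'Success') {
    Install-ADDSForest @forest
} else {
    Write-Warning 'Prerequisite check failed; fix the reported issues before promoting.'
}
```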
krypted August 12th, 2013
Posted In: Active Directory, Windows Server
Windows Server has an SMTP role, which Exchange and other services use to relay mail. There is a type of attack against a mail server that amounts to a Denial of Service (DoS) against Exchange: sending massive quantities of mail to the server and forcing it to send Non Delivery Reports (NDRs) for the mail you’ve sent it. This is known as an NDR Flood Attack. A related technique, the Directory Harvest Attack, gets a server to respond to each possible combination of characters for addresses on the domains an Exchange server hosts. A Directory Harvest Attack thus gives spammers information about which email addresses on your server they can spam.
Not to get off the point, but unless you can DoS a box with only one or two packets, I don’t consider a DoS attack hacking. Really, it’s just brute force. It’s lame and there’s nothing scientific or interesting about it. Unless, of course, you wrote some really cool botnet and it’s your bot farm DoSing some evil something-or-other. But I digress…
So one way Microsoft has come up with to combat these types of automated attacks against their servers is to make SMTP “sticky”. Basically, you put a few seconds’ worth of delay into your response to a request. At 5 seconds, legitimate mail servers won’t even notice. But if someone is trying to flood you with massive quantities of junk traffic over port 25, they’re going to have a far less interesting time doing so.
To enable the SMTP tar pit feature in Exchange/Windows Server, back up the registry and then locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters subkey. There, create a new DWORD value named TarpitTime. Enter a decimal value of 5 to make the sticky time 5 seconds (the value is in seconds). Once done, save and restart SMTP:
net stop smtpsvc
net start smtpsvc
And voilà, you’re joining the good fight against evil spammers. Sleep better tonight!
Note: You get extra credit if you thought “it is soooooo 90s to allow SMTP traffic on any network you control! Do you worship Jeremy Piven’s character from PCU or what?!?!”
Note2: You get double extra credit if you happened to step in tar at the La Brea Tarpits while reading this article as I thought about writing it when almost stepping in some tar at the very same place.
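As an added example (not from the original post), the same registry change made from PowerShell: the subkey is exported first so the change can be rolled back, TarpitTime is created or updated, the service is restarted and the value is read back. The backup file location is an assumption; TarpitTime is in seconds, as the post describes.

```powershell
# Added example: set the SMTP service tar pit delay with a backup and a read-back.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'
$backup = Join-Path $env:TEMP 'SMTPSVC-Parameters.reg'     # assumed backup location

function Set-SmtpTarpit {
    param([ValidateRange(0, 65535)] [int] $Seconds = 5)
    if (-not (Test-Path $key)) {
        throw 'SMTP service parameters key not found; is the SMTP role installed?'
    }

    # Back up the subkey before touching it (reg.exe export writes a restorable .reg file).
    & reg.exe export ($key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE') $backup /y | Out-Null

    $existing = Get-ItemProperty -Path $key -Name TarpitTime -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $key -Name TarpitTime -PropertyType DWord -Value $Seconds | Out-Null
    } else {
        Set-ItemProperty -Path $key -Name TarpitTime -Value $Seconds
    }
    Restart-Service -Name smtpsvc       # same effect as the net stop / net start pair above
    (Get-ItemProperty -Path $key -Name TarpitTime).TarpitTime
}

$applied = Set-SmtpTarpit -Seconds 5
"TarpitTime is now $applied second(s); the previous values are in $backup"
```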
krypted June 27th, 2013
Posted In: Microsoft Exchange Server, Windows Server
Sometimes you need to boot a system into Safe Mode. On a physical machine you can just hit the F8 key while Windows is booting, but with a virtual machine the BIOS screen is by default set to go away in 0 seconds, so you don’t have enough time to get into Safe Mode. Therefore, you need to add a boot delay to mimic a physical host. To give a virtual machine in ESX such a boot delay, view all the virtual machines and then right-click the virtual machine you need to configure a delay for.
Next, click Edit Settings, then click the Options tab and then Boot Options. At the Boot Options screen, set the Power-on Boot Delay to 5000 ms, which gives you a 5-second delay. With that delay you will be able to click on a booting virtual machine and press the F8 key. From here, open the console window for the virtual machine and start the boot process.
krypted June 8th, 2013
Posted In: Microsoft Exchange Server
Out of the box a Windows Server 2012 isn’t really that helpful. But luckily, it has these things called Roles. Roles are things like Hyper-V, File Sharing, Windows Update Services, Web Server, etc. Each role then has a collection of role services that it can run within the Role. The Roles include (borrowing from Microsoft here):
- Active Directory Certificate Services Overview
This content provides an overview of Active Directory Certificate Services (AD CS) in Windows Server 2012. AD CS is the server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.
- Active Directory Domain Services Overview
By using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for user and resource management, and provide support for directory-enabled applications such as Microsoft Exchange Server.
- Active Directory Federation Services Overview
This topic provides an overview of Active Directory Federation Services (AD FS) in Windows Server 2012.
- Active Directory Lightweight Directory Services Overview
Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies and domain-related restrictions of AD DS.
- Active Directory Rights Management Services Overview
This document provides an overview of Active Directory Rights Management Services (AD RMS) in Windows Server 2012. AD RMS is the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions.
- Application Server Overview
Application Server provides an integrated environment for deploying and running custom, server-based business applications.
- Failover Clustering Overview
This topic describes the Failover Clustering feature and provides links to additional guidance about creating, configuring, and managing failover clusters on up to 4,000 virtual machines or up to 64 physical nodes.
- File and Storage Services Overview
This topic discusses the File and Storage Services server role in Windows Server 2012, including what’s new, a list of role services, and where to find evaluation and deployment information.
- Group Policy Overview
This topic describes the Group Policy feature in Windows Server 2012 and Windows 8. Use this topic to find the documentation resources and other technical information you need to accomplish key Group Policy tasks, new or updated functionality in this version compared to previous versions of Group Policy, and ways to automate common Group Policy tasks using Windows PowerShell.
- Hyper-V Overview
This topic describes the Hyper-V role in Windows Server 2012—practical uses for the role, the most significant new or updated functionality in this version compared to previous versions of Hyper-V, hardware requirements, and a list of operating systems (known as guest operating systems) supported for use in a Hyper-V virtual machine.
- Networking Overview
This section contains detailed information about networking products and features for the IT professional to design, deploy, and maintain Windows Server 2012.
- Network Load Balancing Overview
By managing two or more servers as a single virtual cluster, Network Load Balancing (NLB) enhances the availability and scalability of Internet server applications such as those used on web, FTP, firewall, proxy, virtual private network (VPN), and other mission-critical servers. This topic describes the NLB feature and provides links to additional guidance about creating, configuring, and managing NLB clusters.
- Network Policy and Access Services Overview
This topic provides an overview of Network Policy and Access Services in Windows Server 2012, including the specific role services of Network Policy Server (NPS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP). Use the Network Policy and Access Services server role to deploy and configure Network Access Protection (NAP), secure wired and wireless access points, and RADIUS servers and proxies.
- Print and Document Services Overview
This is an overview of Print and Document Services, including Print Server, Distributed Scan Server, and Fax Server in Windows Server 2012.
- Remote Desktop Services Overview
Remote Desktop Services accelerates and extends desktop and application deployments to any device, improving remote worker efficiency, while helping to keep critical intellectual property secure and simplify regulatory compliance. Remote Desktop Services enables both a virtual desktop infrastructure (VDI) and session-based desktops, allowing users to work anywhere.
- Security and Protection Overview
The table on this page provides links to available information for the IT pro about security technologies and features for Windows Server 2012 and Windows 8.
- Telemetry Overview
Find out about Windows Feedback Forwarder—a service that enables you to automatically send feedback to Microsoft by deploying a Group Policy setting to one or more organizational units. Windows Feedback Forwarder is available on all editions of Windows Server 2012.
- Volume Activation Overview
This technical overview for the IT pro describes the volume activation technologies in Windows Server 2012 and how your organization can benefit from using these technologies to deploy and manage volume licenses for a medium to large number of computers.
- Web Server (IIS) Overview
This document introduces the Web Server (IIS) role of Windows Server 2012, describes new IIS 8 features, and links to additional Microsoft and community information about IIS.
- Windows Deployment Services Overview
Windows Deployment Services enables you to deploy Windows operating systems over the network, which means that you do not have to install each operating system directly from a CD or DVD.
- Windows Server Backup Feature Overview
This section provides an overview of the Windows Server Backup feature and lists the new features in Windows Server 2012.
- Windows Server Update Services Overview
Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. In Windows Server 2012, this feature is integrated with the operating system as a server role. This topic provides an overview of this server role and more information about how to deploy and maintain WSUS.
- Windows System Resource Manager Overview
With Windows System Resource Manager for the Windows Server 2012 operating system, you can manage server processor and memory usage with standard or custom resource policies. Managing your resources can help ensure that all the services provided by a single server are available on an equal basis or that your resources will always be available to high-priority applications, services, or users.
Adding a Role is a pretty straightforward process. To get started, open Server Manager and click on the Dashboard. From the Dashboard, click on the Manage menu and click on Add Roles and Features.
At the Add Roles and Features Wizard click on Next at the Before You Begin Screen.
At the Installation Type screen, click on Role-based or Feature-based Installation, unless you are installing Remote Desktop Services (formerly called Terminal Services), then click on that radio button instead.
At the Server Selection screen, click on the server you’d like to install the role on and then click on Next.
At the Add Roles or Features screen, choose the role you’d like to install.
If there are any requirements to use the service, you’ll then be notified that those requirements exist. I usually leave the Include management tools (if applicable) box checked the first time I install a role and click on Add Features.
If any issues are encountered, you’ll then be alerted that there was a problem. If you’d like to correct the issue, click cancel, correct the issue and then rerun the tool. Or if you’d like to proceed anyway, click Continue.
Back at the Server Roles screen, the box will then be checked. Click on Next. At the Features screen, you can add a feature, although in this case we won’t be doing so. Then, click Next.
At the screen for the role you just selected, read the information, then click Next.
At the Confirmation screen, click Install. Optionally, you can also choose whether to reboot the server when the service is finished installing.
Once installed, click Close. Also, at this screen, you can export the configuration settings for the service for future use.
That’s it. You’ve now installed DNS services in Windows Server (or whatever role you are setting up). The role still needs to be configured, but the initial install is complete!
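As an added example (not from the original post), the same role installation from PowerShell, using the DNS role the post ends with: the function first shows the install state of what you asked for, skips anything already present, installs the rest with management tools (the checked box in the wizard) and returns whether a restart is needed. Run it in an elevated session on the target server; the feature names are the only input.

```powershell
# Added example: install a Windows Server 2012 role from PowerShell and report the result.
Import-Module ServerManager

function Install-RoleWithCheck {
    param(
        [Parameter(Mandatory)] [string[]] $Name,   # e.g. 'DNS', 'AD-Domain-Services'
        [switch] $Restart
    )
    # Equivalent of the wizard's role list: shows what is already installed before anything changes.
    $before = Get-WindowsFeature -Name $Name
    $before | Format-Table Name, DisplayName, InstallState -AutoSize

    $todo = $before | Where-Object { -not $_.Installed }
    if (-not $todo) { return 'Nothing to do; all requested roles are already installed.' }

    # -IncludeManagementTools matches the checked "Include management tools" box;
    # dependencies are pulled in automatically, as the wizard's Add Features step does.
    $result = Install-WindowsFeature -Name $todo.Name -IncludeManagementTools -Restart:$Restart
    [pscustomobject]@{
        Success       = $result.Success
        ExitCode      = $result.ExitCode        # e.g. Success, SuccessRestartRequired
        RestartNeeded = $result.RestartNeeded
        FeaturesAdded = ($result.FeatureResult | ForEach-Object DisplayName) -join ', '
    }
}

Install-RoleWithCheck -Name 'DNS'

# Record what ended up installed, for the build documentation.
Get-WindowsFeature | Where-Object Installed | Select-Object Name, DisplayName
```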
krypted June 6th, 2013
Posted In: Windows Server