Common tools to use
With this command you can in principle do everything you need to do on a Windows Server 2012 R2.
The commands take the following form: Get-WindowsFeature, Install-WindowsFeature, Set-ADUser etc. All Get commands gather information. All Install commands perform installations. You can also use Add-WindowsFeature, for example, which does the same as Install.
Used for the initial configuration of a Windows Server 2012 R2 (Core) installation. Here you change the IP address, computer name, domain, activation etc.
Used for offline and online images, to add or remove Windows features.
* NETSH (Network Shell) (This command handles everything that is network related)
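Added example (not from the original notes) of the Get-/Install-WindowsFeature pattern described above: a Get cmdlet only reads state, an Install cmdlet changes the server. The feature name DNS and the elevated session are assumptions.

```powershell
# Added example, not part of the original notes. Run in an elevated PowerShell
# on Windows Server 2012 R2. Feature name (DNS) is an assumption.
Import-Module ServerManager

# Get* cmdlets only gather information: list what is installed, change nothing.
Get-WindowsFeature | Where-Object { $_.Installed } |
    Select-Object Name, DisplayName | Format-Table -AutoSize

# Check one feature before acting on it.
$feature = Get-WindowsFeature -Name DNS
if (-not $feature.Installed) {
    # Install* cmdlets change the system. -WhatIf shows the plan without installing.
    Install-WindowsFeature -Name DNS -IncludeManagementTools -WhatIf
    $result = Install-WindowsFeature -Name DNS -IncludeManagementTools
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required' }
}

# Add-WindowsFeature is an alias of Install-WindowsFeature, so this line is equivalent:
# Add-WindowsFeature -Name DNS -IncludeManagementTools
```

The -WhatIf run is the habit worth keeping: it prints every dependency the install would pull in, so you notice a feature you did not intend to expose before it is installed.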
How NTDS.DIT (the file that stores Active Directory) is structured.
** These are replicated to all domains and across the whole forest
- ** Schema (If you break this, you have wrecked the whole AD)
- Application (Here DNS stores its data)
When you split a domain structure into "Child Domains", the main reasons are the following:
- Different locations
- Security **
- Delegation of rights ** (administrative role separation)
- Less replication ** between domains
This contains the Group Policies. It replicates domain wide, not forest wide.
When you create your first DC, it is automatically set as "Global Catalog Controller"
The Global Catalog stores all objects in AD
There are five important roles a server can hold, and there can only be one of each in a domain. The roles are as follows:
Operations Master (FSMO)
- Schema Master
- Domain Naming Master (Used when domains are added or deleted)
- RID Master (Relative Identity Master) Used when objects like users or groups are created; it keeps and creates a record of SIDs.
- Infrastructure Master (Only used in multiple domain environments) Keeps a record of foreign objects, and makes sure they are valid.
- PDC Emulator (Primary Domain Controller Emulator) This handles the following roles: keeps group policy roles and replicates to the other domain controllers. Prevents password synchronization issues. It acts as the master browser, for example for UNC paths, but its most important role is time synchronization. If the clocks are more than five minutes apart, the user will not be able to log on, as all logons have to be within five minutes. The PDC Emulator is the first service the DC uses for checking passwords if the DC does not have the latest password.
When you promote a new domain controller into an existing domain, the RID Master must be available.
Roles that can be offline but are brought back up are PDC Emulator and Infrastructure Master
To administer the roles above, one of the most powerful tools is NTDSutil.exe
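Added example (not from the original notes): locating the five FSMO role holders, checking the RID Master and the time source before a promotion, and transferring a role with the ActiveDirectory module instead of NTDSutil. The DC names are constructed.

```powershell
# Added example, not part of the original notes. DC names are constructed.
Import-Module ActiveDirectory

# Forest-level roles sit on the forest object, domain-level roles on the domain object.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# The classic view, useful when the AD module is not installed.
netdom query fsmo

# Before promoting a DC: the RID Master must answer on LDAP (TCP 389).
Test-NetConnection -ComputerName $domain.RIDMaster -Port 389

# Planned transfer while the current holder is online. Seizing (-Force) is only
# for a holder that will never come back; never bring a seized holder online again.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator -Confirm:$false

# Clock skew: Kerberos allows 5 minutes by default, so verify where time comes from.
w32tm /query /source
```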
In addition to regular domain controllers with Global Catalog (GC), you can have something called a Read Only Domain Controller (RODC).
An RODC contains the following data:
Passwords for users of that site (domain), e.g. sales.gustavsenit.no, whereas the main domain hk.gustavsenit.no has the passwords, usernames and all objects in the domain.
The advantage of having an RODC is that you avoid going over the WAN (internet) to authenticate your machine in order to log on. This means that with an RODC, clients make the logon request locally, so there is no delay when logging on. The RODC does not contain the users' passwords, but you normally configure a "password replication policy". This defines which user passwords are replicated to the RODC and cached there. The RODC only checks with the regular DC to see whether there are new passwords etc. If the WAN link goes down, the RODC checks its local cache to authenticate the users.
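Added example (not from the original notes): inspecting and setting the password replication policy on an RODC, and auditing which credentials are actually cached there. The RODC name, group names and the writable DC name are constructed.

```powershell
# Added example, not part of the original notes. Names are constructed.
Import-Module ActiveDirectory
$rodc = 'RODC-SALES'

# What the policy says: who may be cached, and who must never be.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# Allow only the users at that site. Privileged groups are already in the denied
# list by default, so a stolen RODC never holds an admin credential.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Sales Users'

# Audit: which secrets are cached on the RODC right now.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# Pre-populate the cache so the first logon still works when the WAN is down.
Get-ADGroupMember 'Sales Users' | ForEach-Object {
    Sync-ADObject -Object $_ -Source 'DC1' -Destination $rodc -PasswordOnly
}
```

If the RODC is ever lost, the RevealedAccounts list is the set of passwords to reset; keeping the allowed list to the site's own users keeps that list small.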
Active Directory Domain Services
You need a user with "Domain Admin" rights to add a new domain controller. You can choose to set it up as an extra domain, a new forest or a child domain.
DSRM = Directory Services Restore Mode
This can be reached by pressing F8 during startup and choosing DSRM mode. You then have to enter the DSRM password you set the first time you installed the domain controller.
NTDSUTIL: General tool for administering the AD database
To add a new domain controller at a remote site, do the following.
Activate instance NTDS (Enter)
This creates c:\IFM
Create SYSVOL Full c:\windows\ifm
This creates a copy of AD and SYSVOL if desired.
regsvr32 schmmgmt.dll This command is run from an elevated command line and activates the Schema Management snap-in in Active Directory
TCP/IP Protocol Suite
These are the seven layers of the OSI model
We start the day with a small test of 15 questions. I know I got 3 wrong on this test, and it concerned a question about which roles do not have to be available when you promote a domain controller. That is, PDC Emulator, RID Master, Infrastructure Master, Domain Naming Master or Schema Master.
A little bit more about groups:
I, G, DL, A
Identities are placed within Global Groups, Global Groups are placed within Domain Local Groups, Domain Local Groups are given access to Resources.
I, G, U, DL, A
Identities are placed within Global Groups, Global Groups are placed within Universal Groups, Universal Groups are placed within Domain Local Groups, and Domain Local Groups are given access to the resource.
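Added example (not from the original notes): the I-G-DL-A nesting above written out with the ActiveDirectory module, ending in an NTFS ACL on the resource. OU path, group names, users and folder are constructed; the Universal group step is shown as a comment for the multi-domain variant.

```powershell
# Added example, not part of the original notes. OU, groups, users, folder are constructed.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=corp,DC=example,DC=com'

# I -> G : identities go into a Global group that names a role
New-ADGroup -Name 'Sales Users' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Sales Users' -Members 'alice', 'bob'

# (I -> G -> U : in a multi-domain forest, nest the Global groups of each domain
#  into a Universal group here, then put the Universal group into the DL group)

# G -> DL : the Domain Local group names the permission on one resource, not the people
New-ADGroup -Name 'SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'SalesShare-Modify' -Members 'Sales Users'

# DL -> A : only the Domain Local group appears in the NTFS ACL
$folder = 'D:\Shares\Sales'
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\SalesShare-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: no individual user should show up here, only the DL group
(Get-Acl -Path $folder).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The pattern pays off in review: an ACL that lists only Domain Local groups can be audited by reading group membership, while one full of individual users cannot.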
More about FSMO
Schema Master and Domain Naming Master are Domain wide roles
PDC Emulator, RID Master and Infrastructure Master are forest wide roles
By editing the Schema partition, or by using ADSIEdit, we can choose which attributes are stored in the Global Catalog.
Process of getting a DHCP address:
DHCP Discover (Broadcast)
DHCP Offer (From DHCP-Server)
DHCP Request (to the DHCP server) – tells the chosen DHCP server "I want your address", and tells the other DHCP servers "I do not want yours".
DHCP Acknowledgement (sent back from the DHCP server) – this carries the gateway, DNS, WINS etc.
To forward DHCP-discover from one subnet through a router to another subnet, we use relays.
RFC2153 compliance means that you can install/enable a relay agent on the Router.
If we don't have this, we have another tool developed by Microsoft called RAS, and within this we can install the DHCP agent on the server.
This points to the DHCP server using a unicast address (a regular IP address), and it ONLY listens for BOOTP broadcasts.
When we configure the DHCP server, we configure ranges, and for documentation reasons we should include the whole range we are using, and then exclude the addresses we do not hand out via the wizard.
After this we configure options:
Options can be configured on 4 different levels:
- Class –> e.g. vendor, user, computer types
- Reserved Client
Options to remember are:
- 003 Router
- 006 DNS Server
- 015 DNS Domain Name
- 033 Static Route
- 060 PXE (Defines the WDS Port)
WDS and DHCP uses Port 67 by Default
To enable DHCP Relay you go to Routing and Remote Access -> IPv4 -> General -> New Routing Protocol -> New DHCP Relay Agent ->
If you want to install a DHCP server via PowerShell, run the following commands:
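Added example (not from the original notes, and not the commands the notes refer to): installing a DHCP server with PowerShell, authorizing it in AD, creating the scope with the whole range plus an exclusion as described above, and setting options 003, 006 and 015 from the list. Server name, addresses and domain are constructed.

```powershell
# Added example, not part of the original notes. Names and addresses are constructed.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# A DHCP server in a domain must be authorized in AD before it hands out leases;
# the service refuses to start serving if it is not (rogue-server protection).
Add-DhcpServerInDC -DnsName 'dhcp1.corp.example.com' -IPAddress 10.0.1.10

# Document the whole subnet in the scope, then exclude the static part (as the notes say).
Add-DhcpServerv4Scope -Name 'Clients-VLAN10' -StartRange 10.0.10.1 -EndRange 10.0.10.254 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 10.0.10.0 -StartRange 10.0.10.1 -EndRange 10.0.10.50

# Scope options: 003 Router, 006 DNS Server, 015 DNS Domain Name
Set-DhcpServerv4OptionValue -ScopeId 10.0.10.0 -Router 10.0.10.1 `
    -DnsServer 10.0.1.10, 10.0.1.11 -DnsDomain 'corp.example.com'

# A reservation for a device that must keep its address, e.g. a printer
Add-DhcpServerv4Reservation -ScopeId 10.0.10.0 -IPAddress 10.0.10.60 `
    -ClientId '00-11-22-33-44-55' -Name 'Printer1'

# Verify what clients will actually receive in the DHCP Acknowledgement
Get-DhcpServerv4OptionValue -ScopeId 10.0.10.0
Get-DhcpServerv4ExclusionRange -ScopeId 10.0.10.0
```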
Implementing DNS (Module 7)
A domain name space starts with a . and then service names like .com .gov .edu .uk .no
How the name resolution process works and the steps:
- Authoritative for the Zone
- DNS Server Cache
- Conditional Forwarder
- Root Hints
When you are using the same name on the Domain name and on the external internet domain, it is called “Split-Brain-DNS”
An A record is used to point directly at a host that has a service, e.g. www.sol.no with an IP address.
CNAME (Canonical Name) is used as an alias for other addresses
MX pointer: points to the company's Exchange server
IPv6 does not use a subnet mask, but a PREFIX instead
::1 (loopback address). The whole string is as follows: 0000:0000:0000:0000:0000:0000:0000:0001
To find the number of sections the :: stands for, count the number of sections that are not written out in the address.
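Added example (not from the original notes): creating the record types just listed and a conditional forwarder with the DnsServer module, then a check that the internal answer in a split-brain setup is the private address. Zone name, hosts and addresses are constructed.

```powershell
# Added example, not part of the original notes. Zone, hosts and addresses are constructed.
$zone = 'corp.example.com'

# A record: name -> IPv4 address of the host that runs the service (PTR created too)
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'web01' -IPv4Address 10.0.1.20 -CreatePtr

# CNAME: an alias that points at the A record's name, never at an IP address
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www' -HostNameAlias "web01.$zone"

# MX: mail for the zone goes to the Exchange server; the lowest preference is tried first.
# "." means the zone root itself.
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail.$zone" -Preference 10

# Conditional forwarder: queries for a partner zone go straight to its DNS servers
Add-DnsServerConditionalForwarderZone -Name 'partner.example.net' -MasterServers 192.0.2.53

# Split-brain check: asking the internal server must return the internal address,
# not the public one the same name has on the internet.
Resolve-DnsName -Name "www.$zone" -Server 10.0.1.10 -Type A
```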
Unicast: = One 2 One communication
Multicast: does the same as in IPv4, and also replaces broadcast
There are three different types of unicast addresses:
Global Unicast (public addresses) 2000:: or 3000::
Unique Unicast (private addresses) Only routable internally FC00:: or FD00::
Link Local Unicast (non-routable addresses) FE80::
The status of a network can be:
What are the different parts of an IPv6 address
2001:00AB:0000:0001:00AB:0000:0000:A3AF/64 The underlined part is the global prefix, then the subnet in green, and the rest is the hosts.
DHCP – IPv6
When you make reservations in an IPv6 scope you do not use MAC addresses, but DUID and IAID (DHCP Unique Identifier and Interface Association Identifier)
How Many Subnets/Networks do we have?
64-56 = 8
The answer is: 256 networks/subnets
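Added example (not from the original notes): a small PowerShell implementation of the two IPv6 rules above. Expand-IPv6 writes out the sections a :: stands for, and Split-IPv6Prefix cuts an address into global prefix, subnet and interface ID and computes the number of subnets from the two prefix lengths (64 - 56 = 8 bits, 256 subnets). Function names and the sample addresses are constructed.

```powershell
# Added example, not part of the original notes. Function names are constructed.
function Expand-IPv6 {
    # Writes all eight 16-bit sections, so "::" is replaced by the zero sections it hides.
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetworkV6') { throw "Not an IPv6 address: $Address" }
    $bytes  = $ip.GetAddressBytes()              # 16 bytes, network order
    $groups = for ($i = 0; $i -lt 16; $i += 2) { '{0:x2}{1:x2}' -f $bytes[$i], $bytes[$i + 1] }
    return ($groups -join ':')
}

function Split-IPv6Prefix {
    # Global prefix / subnet / interface ID by prefix length; nibble-aligned lengths only.
    param(
        [Parameter(Mandatory)][string]$Address,
        [int]$GlobalPrefixBits = 48,   # what the ISP/RIR assigned
        [int]$SubnetBits       = 64    # the /64 the notes use
    )
    if ($GlobalPrefixBits % 4 -or $SubnetBits % 4) { throw 'Prefix lengths must be multiples of 4' }
    $hex = (Expand-IPv6 $Address) -replace ':', ''   # 32 hex digits, 4 bits each
    [pscustomobject]@{
        GlobalPrefix = $hex.Substring(0, $GlobalPrefixBits / 4)
        Subnet       = $hex.Substring($GlobalPrefixBits / 4, ($SubnetBits - $GlobalPrefixBits) / 4)
        InterfaceId  = $hex.Substring($SubnetBits / 4)
        SubnetCount  = [math]::Pow(2, $SubnetBits - $GlobalPrefixBits)
    }
}

Expand-IPv6 '::1'        # 0000:0000:0000:0000:0000:0000:0000:0001 (seven hidden sections)
Expand-IPv6 'fe80::1'    # link-local; six hidden sections
Split-IPv6Prefix '2001:00AB:0000:0001:00AB:0000:0000:A3AF'          # /48 prefix, 16-bit subnet
Split-IPv6Prefix '2001:db8::1' -GlobalPrefixBits 56 -SubnetBits 64   # 2^(64-56) = 256 subnets
```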
Storage Pools is a new feature in Windows Server 2012
When Creating storage layout you can choose from the following options:
Single: at least 1 disk
Mirror: 2 disks or 5 disks. With 2 disks you can lose one disk, and with five disks you can lose 2 disks
Parity: 3 disks or 7 disks. With 3 disks you can lose 1 disk, and with 7 disks you can lose 2 disks.
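Added example (not from the original notes): building a storage pool and one virtual disk per layout from the list above, then a health check. Pool and disk names are constructed; the physical disks are whatever the host reports as poolable.

```powershell
# Added example, not part of the original notes. Pool and disk names are constructed.
$disks     = Get-PhysicalDisk -CanPool $true
$subsystem = Get-StorageSubSystem -FriendlyName '*Storage Spaces*'
New-StoragePool -FriendlyName 'Pool1' -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $disks | Out-Null

# Mirror with two data copies: needs 2 disks, survives the loss of one
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'Data-Mirror' `
    -ResiliencySettingName Mirror -NumberOfDataCopies 2 -Size 100GB -ProvisioningType Thin

# Parity with single redundancy: needs 3 disks, survives the loss of one, cheaper in capacity
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'Archive-Parity' `
    -ResiliencySettingName Parity -PhysicalDiskRedundancy 1 -Size 200GB -ProvisioningType Thin

# Simple (no redundancy): one disk lost means the data is gone, so only for scratch data
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'Scratch-Simple' `
    -ResiliencySettingName Simple -Size 50GB -ProvisioningType Thin

# A degraded disk shows up here long before users notice
Get-VirtualDisk | Select-Object FriendlyName, ResiliencySettingName, HealthStatus, OperationalStatus
Get-PhysicalDisk | Select-Object FriendlyName, HealthStatus, OperationalStatus
```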
File And Share permissions
The PowerShell command for a new share is: New-SmbShare
From the command line use net share
You can enable printer pooling, and attach several devices. You should be using printers of the same brand and specifications.
About printer priority: the higher the number, the higher the priority. So a printer with a priority of 99 would go in front of one with a priority of 1
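Added example (not from the original notes): creating a share with New-SmbShare and then reviewing both permission layers, since the effective right is the more restrictive of the share ACL and the NTFS ACL. Path, share name and group names are constructed.

```powershell
# Added example, not part of the original notes. Path, share and groups are constructed.
$path = 'D:\Shares\Sales'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share permissions: coarse, granted to Domain Local groups; the fine-grained
# decisions live in NTFS. Access-based enumeration hides folders a user cannot open.
New-SmbShare -Name 'Sales$' -Path $path `
    -FullAccess 'CORP\SalesShare-Modify' -ReadAccess 'CORP\Sales Auditors' `
    -FolderEnumerationMode AccessBased -EncryptData $true

# Review both layers; the effective permission is the intersection of the two
Get-SmbShareAccess -Name 'Sales$'
(Get-Acl -Path $path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType

# Tighten later without recreating the share
Revoke-SmbShareAccess -Name 'Sales$' -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name 'Sales$' -AccountName 'CORP\Sales Managers' -AccessRight Change -Force

# The same listing from cmd.exe, as the notes mention
net share 'Sales$'
```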
Group Policies applies mainly to Users and Computers
Group Policy Example
Site – GPO1 (Deploy Red Background) – [Enforced] <- Security Filter = Deny Read, Deny Apply to user BOB
Domain – GPO2 (No Control Panel)
OU – GPO3 (Deploy App1)
GPO4 (Deploy Blue Background)
(BOB is a member here)
The result of these policies will be that Bob gets the blue background
Important to remember
DCGPOFIX.EXE is used for resetting the default domain policy to its default state.
GPFIXUP.exe This is used when you rename the domain
When backing up GPOs from an untrusted forest or domain you have to do the following.
Export the gpo from the untrusted source
Copy the files
Create a new empty GPO on the new Domain
Import it to this GPO.
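Added example (not from the original notes): the four steps above done with the GroupPolicy module, with the imported GPO reviewed and linked disabled before it is allowed to apply. GPO names, paths, the target domain and the migration table file are constructed.

```powershell
# Added example, not part of the original notes. GPO names, paths, domain are constructed.
Import-Module GroupPolicy

# 1. Export (back up) the GPO in the untrusted source domain
Backup-GPO -Name 'GPO2' -Path 'C:\GPOBackup' -Comment 'export for corp.example.com'

# 2. Copy C:\GPOBackup to the target domain (no trust needed; a file copy is enough)

# 3. Create a new, empty GPO in the new domain
New-GPO -Name 'GPO2 (imported)' -Domain 'corp.example.com' | Out-Null

# 4. Import the backup into it. Security principals and UNC paths differ between
#    domains, so a migration table (made with the Migration Table Editor) maps them.
Import-GPO -BackupGpoName 'GPO2' -Path 'C:\GPOBackup' -TargetName 'GPO2 (imported)' `
    -Domain 'corp.example.com' -MigrationTable 'C:\GPOBackup\corp.migtable'

# Review before it applies anywhere: an imported GPO does nothing until it is linked
Get-GPOReport -Name 'GPO2 (imported)' -ReportType Html -Path 'C:\GPOBackup\GPO2-review.html'
New-GPLink -Name 'GPO2 (imported)' -Target 'OU=Sales,DC=corp,DC=example,DC=com' -LinkEnabled No
```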
There are three types of switches in HyperV that we can configure:
They are : Internal, External and Private virtual switches
Storage types in HyperV is:
Physical disks or Virtual Disks
To use a Physical Disk, it has to be set offline on the Host HyperV
Physical Disks = Pass-Through Disks
When you use this form of disk for a VM, you lose the following possibilities:
Moving between different hosts.
Virtual Disk extension
from Windows Server 2012 .vhdx
windows Server 2008 R2 and Windows server 2008 uses .vhd and can only use this.
Enable-VMResourceMetering dc1 for example.
After this use
Generation 1 and 2 is supported on Windows Server 2012 R2, but on Windows Server 2012, only Generation 1 is supported
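Added example (not from the original notes): the three virtual switch types, a Generation 2 VM on a .vhdx, a pass-through disk taken offline on the host first, and resource metering read back with Measure-VM (the cmdlet the notes leave out after Enable-VMResourceMetering). VM name, adapter name, disk number and paths are constructed.

```powershell
# Added example, not part of the original notes. Names, disk number, paths are constructed.
Import-Module Hyper-V

# External: VMs reach the physical LAN (and the host, via AllowManagementOS)
New-VMSwitch -Name 'External-LAN' -NetAdapterName 'Ethernet' -AllowManagementOS $true
# Internal: VMs and the host only; Private: VMs only, the host cannot see the traffic
New-VMSwitch -Name 'Internal-Mgmt' -SwitchType Internal
New-VMSwitch -Name 'Private-Lab'   -SwitchType Private

# Generation 2 (Windows Server 2012 R2 host): UEFI boot, Secure Boot on by default, .vhdx
New-VM -Name 'dc1' -Generation 2 -MemoryStartupBytes 2GB -SwitchName 'Private-Lab' `
    -NewVHDPath 'D:\VMs\dc1.vhdx' -NewVHDSizeBytes 60GB

# Pass-through disk: the physical disk must be Offline on the host before the VM gets it
Set-Disk -Number 3 -IsOffline $true
Add-VMHardDiskDrive -VMName 'dc1' -ControllerType SCSI -DiskNumber 3

# Resource metering: enable, let the VM run, then read the counters
Enable-VMResourceMetering -VMName 'dc1'
Measure-VM -VMName 'dc1' | Select-Object VMName, AvgCPU, AvgRAM, TotalDisk
Reset-VMResourceMetering -VMName 'dc1'    # start a new measuring period
```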
Group Policy Commands (Important to remember)
Back to Group Policies and standard settings for managing Security!
About Read Only Domain Controllers (RODC)
There can only be one per site
About Restore and Backup.
You can have :
Non-Authoritative (NTDS.DIT AD database corruption)
- Reboot the DC
- At reboot press F8 – Adv startup options
- DSRM (Directory Service Recovery Mode)
- Login with DSRM Password (Note. NTDSUTIL to reset this password)
- Use backup App to restore SystemState Data
Authoritative (AD object has been deleted)
- Reboot the dc
- At Reboot Press F8
- Select DSRM
- Login with DSRM Password
- Use Backup App to restore SystemState Data
- Go to NTDSUTIL.exe
- Go to the Authoritative restore prompt
- Enter the DN of the Object or Objects (DN = distinguished Name)
AD database snapshots are the third option you can use for restoring NTDS.DIT (Note: NTDSUTIL and DSAMAIN can be used for this operation). DSAMAIN assigns a port to a mounted copy of the database.
AD-Recycle Bin (This is disabled by default) This was introduced with Windows Server 2008 R2 (AD-Optional Feature)
Once it’s turned on you cannot turn it off.
This Feature replaces the Tombstone.
The recycle bin stores all of the attributes of the deleted object (Keeps entire object). The Recycle Bin holds it 180-days by default.
The powershell is called: Install AD Optional Feature
The Container in AD is called “Deleted Objects”
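Added example (not from the original notes): enabling the AD Recycle Bin and restoring a deleted object from the "Deleted Objects" container without rebooting into DSRM. Forest name and the deleted user are constructed.

```powershell
# Added example, not part of the original notes. Forest name and user are constructed.
Import-Module ActiveDirectory

# One-way switch, forest wide; needs Enterprise Admins and 2008 R2 forest functional level
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target 'corp.example.com' -Confirm:$false

# Deleted objects keep all attributes and sit under CN=Deleted Objects
Get-ADObject -Filter 'isDeleted -eq $true -and name -like "alice*"' -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged |
    Select-Object Name, lastKnownParent, whenChanged

# Restore into the original container (use -TargetPath if that container is gone too)
Get-ADObject -Filter 'isDeleted -eq $true -and samAccountName -eq "alice"' -IncludeDeletedObjects |
    Restore-ADObject

# How long a deleted object stays restorable; $null means the default of 180 days
$cfg = (Get-ADRootDSE).configurationNamingContext
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
    -Properties msDS-DeletedObjectLifetime).'msDS-DeletedObjectLifetime'
```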
Active Directory is called Restartable AD. This is because
To stop AD (NTDS.DIT)
Net stop NTDS
The powershell command is: stop-service ntds -force
to start: start-service ntds
Active Directory Administrative Center
About passwords: you can define a different set of password settings for groups and computers in ADAM
You can define the order in which these password settings are applied by using precedence. If two have the same precedence, the password setting applied closest to the user wins. These password settings override Group Policies as well.
User beats Group, and Group beats Policy when it comes to these password settings.
When it comes to precedence, the lowest value wins.
These were introduced with Windows Server 2008.
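Added example (not from the original notes): a fine-grained password policy (PSO) with a low precedence value so it wins over the domain policy for its subjects, and the cmdlet that shows which policy a given user ends up with. Policy name, values and account names are constructed.

```powershell
# Added example, not part of the original notes. Policy name and values are constructed.
Import-Module ActiveDirectory

# The lowest precedence value wins when a user matches several PSOs
New-ADFineGrainedPasswordPolicy -Name 'Admins-Strict' -Precedence 10 `
    -MinPasswordLength 16 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Subjects are users or global security groups; a PSO linked to the user itself
# beats one linked to a group the user is in
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-Strict' -Subjects 'Domain Admins'

# Which PSOs exist, in precedence order, and what actually applies to one user
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
Get-ADUserResultantPasswordPolicy -Identity 'alice'
```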
To clone a Virtual Domain controller on a vm do the following:
- PPTP Port 1723
- L2TP 1703
- SSTP 443
- IKEv2 several ports. 500, 4500,50 and 1701
CMAK (Connection Manager Administration Kit)
Authentication methods are
To be able to log on, there are three things that need to be in place:
Authentication, Authorization and Accounting (Logging)
Installing RAS Server
There are two tools you use.
- Routing and Remote Access
- Remote Access Management
You can use NLB to pass the request from two or more radius servers to a single NPS server with policies.
If you have Connection request policies that says for example that everyone from a widgets.com domain are authenticated by a remote radius proxy.
In this case the user would be forwarded to another network or another corporation.
Network Access Protection
System Health Validators
This is a service that makes sure the client computer meets certain conditions before it lets you connect.
It can force the firewall on the client computer to be turned on, and then let you connect.
About Direct ACCESS
NRPT= Name Resolution Policy Table
This keeps a list of domain names, DNS servers and IP addresses. With it the client is able to decide whether the traffic should go to your RAS server (corporate domain) or to the ISP for resolution of addresses.
The RAS server is also your Direct Access server
RAS & NAP
Nap Agent Service
Nap Enforcement Client
And Security Center has to be running on the laptop for Health Policies to work and enforce firewall management.
This is turned on through Group Policies or Local Policies.
About DSC “Desired State Configuration”
When you create the config, it creates .mof files
The Local Configuration Manager is the service that monitors and maintains the DSC configuration.
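Added example (not from the original notes): a DSC configuration that compiles to a .mof, an LCM setting that makes the node re-apply it and correct drift, and the calls that compile, push and test it. Configuration names, the feature and service, and the output paths are constructed.

```powershell
# Added example, not part of the original notes. Configuration names and paths are constructed.
Configuration WebBaseline {
    param([string[]]$NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $NodeName {
        WindowsFeature IIS      { Name = 'Web-Server';    Ensure = 'Present' }
        WindowsFeature NoTelnet { Name = 'Telnet-Client'; Ensure = 'Absent' }   # keep unwanted tools off
        Service W3SVC           { Name = 'W3SVC'; State = 'Running'; StartupType = 'Automatic' }
        File Marker {
            DestinationPath = 'C:\inetpub\wwwroot\baseline.txt'
            Contents        = 'managed by DSC'
            Ensure          = 'Present'
        }
    }
}

# The LCM is what re-checks the node; ApplyAndAutoCorrect undoes manual drift
Configuration LcmSettings {
    Node 'localhost' {
        LocalConfigurationManager {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

WebBaseline -OutputPath 'C:\DSC\WebBaseline'   # compiles to C:\DSC\WebBaseline\localhost.mof
LcmSettings -OutputPath 'C:\DSC\Lcm'           # compiles to localhost.meta.mof
Set-DscLocalConfigurationManager -Path 'C:\DSC\Lcm'
Start-DscConfiguration -Path 'C:\DSC\WebBaseline' -Wait -Verbose
Test-DscConfiguration                          # True when the node matches the .mof
Get-DscLocalConfigurationManager | Select-Object ConfigurationMode, ConfigurationModeFrequencyMins
```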
File Server Resource Manager
Used for Classification, Reports of Disk Quota, Automatic Encryption of files with certain words in it, email-reports to admins..etc…
DFSN is DFS Namespaces
You can find this under DFS Management -> Namespaces
DFSR is DFS Replication between servers.
The namespace only holds references to the share itself.
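Added example (not from the original notes): a domain-based namespace (DFSN) whose folder has two targets, and a DFSR replication group keeping those two targets in sync, followed by a backlog check. Namespace path, server and folder names are constructed.

```powershell
# Added example, not part of the original notes. Namespace, servers and paths are constructed.
# DFSN: clients use \\corp.example.com\Public; the targets are the real shares
New-DfsnRoot -Path '\\corp.example.com\Public' -TargetPath '\\FS1\Public' -Type DomainV2
New-DfsnFolder       -Path '\\corp.example.com\Public\Sales' -TargetPath '\\FS1\Sales'
New-DfsnFolderTarget -Path '\\corp.example.com\Public\Sales' -TargetPath '\\FS2\Sales'

# DFSR: the namespace only references the shares, so something must keep FS1 and FS2 identical
New-DfsReplicationGroup -GroupName 'Sales-RG' | Out-Null
New-DfsReplicatedFolder -GroupName 'Sales-RG' -FolderName 'Sales' | Out-Null
Add-DfsrMember     -GroupName 'Sales-RG' -ComputerName 'FS1', 'FS2' | Out-Null
Add-DfsrConnection -GroupName 'Sales-RG' -SourceComputerName 'FS1' -DestinationComputerName 'FS2' | Out-Null
# The primary member wins the initial sync; pick the copy you trust
Set-DfsrMembership -GroupName 'Sales-RG' -FolderName 'Sales' -ComputerName 'FS1' `
    -ContentPath 'D:\Sales' -PrimaryMember $true -Force
Set-DfsrMembership -GroupName 'Sales-RG' -FolderName 'Sales' -ComputerName 'FS2' `
    -ContentPath 'D:\Sales' -Force

# Health: the backlog between members should trend towards zero
Get-DfsrBacklog -GroupName 'Sales-RG' -FolderName 'Sales' `
    -SourceComputerName 'FS1' -DestinationComputerName 'FS2'
```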
Deploying and Maintaining Server Images
ADK = Assessment and Deployment ToolKit
A set of tools for storing, securing and deploying images
MDT = Microsoft Deployment Toolkit
It is a sequencing deployment application.
By this we mean that we build the image in sequence.
= Step By Step Deployment
You can also use DISM for managing .wim files
WDS need two roles to function:
The roles are Deployment Server (here we configure, manage and customize images)
and Transport Server, which holds the images and broadcasts the multicast package.
Boot Image: Holds a list of the different versions you have made. For example: Windows 10 32-bit and Windows 10 64-Bit. Gives Access to install images.
Capture Image: used to capture images. For example from a running windows machine. And sysprep it to become an Install Image.
Install Image: This is the image that is being uploaded to the client. This file contains all the Default images for the different versions of the operating system.
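Added example (not from the original notes): servicing an install image offline with the DISM cmdlets (the "offline images" use mentioned near the top of the notes), then the online form of the same check. The .wim path, image index, mount folder and update file name are constructed; the update file is a placeholder.

```powershell
# Added example, not part of the original notes. Paths, index and package name are constructed.
$wim   = 'D:\Images\install.wim'
$mount = 'C:\Mount'

# What is inside the .wim (one index per edition)
Get-WindowsImage -ImagePath $wim | Select-Object ImageIndex, ImageName

New-Item -ItemType Directory -Path $mount -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Index 2 -Path $mount

# Offline servicing: strip a component you never want deployed, slipstream a patch
Disable-WindowsOptionalFeature -Path $mount -FeatureName 'TelnetClient' | Out-Null
Add-WindowsPackage -Path $mount -PackagePath 'D:\Updates\KB-PLACEHOLDER.msu'   # placeholder file name
Get-WindowsPackage -Path $mount | Where-Object PackageState -eq 'Installed' |
    Select-Object PackageName, InstallTime

# Commit the changes back into the .wim (-Discard throws them away)
Dismount-WindowsImage -Path $mount -Save

# Online form: the same cmdlets take -Online instead of -Path
Get-WindowsOptionalFeature -Online -FeatureName 'TelnetClient' | Select-Object FeatureName, State
```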
Windows Update Services
Uses port 8530, 8531
You can define classes, OS, Groups for distribution of WSUS
You will have to Approve the updates that you want to distribute, and you can choose which groups the updates are distributed to. By doing this we can test the updates before we distribute them to the entire company.
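Added example (not from the original notes): approving updates for a pilot computer group first, as the paragraph above describes, using the UpdateServices module on the WSUS server. The group names are constructed; the port is the default 8530 from the notes.

```powershell
# Added example, not part of the original notes. Group names are constructed.
Import-Module UpdateServices
$wsus = Get-WsusServer -Name 'localhost' -PortNumber 8530

# Computer groups that mirror the rollout rings
foreach ($g in 'Pilot', 'Production') {
    if (-not ($wsus.GetComputerTargetGroups() | Where-Object Name -eq $g)) {
        $wsus.CreateComputerTargetGroup($g) | Out-Null
    }
}

# Approve unapproved security updates for Pilot only; Production stays untouched
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status Any |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'

# After the pilot has run clean: see what is approved, then approve for Production
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Approved -Status Any |
    Select-Object UpdateId, @{n = 'Title'; e = { $_.Update.Title }}

# Which computers still report the updates as needed
$wsus.GetComputerTargets() | Select-Object FullDomainName, LastReportedStatusTime
```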
Group Policies (AGAIN)
Ways to manipulate Group Policies
- Security Filtering
- WMI Filters
- Block Inheritance
- Loopback Processing
- Link Order
- Item Level Targeting
- Slow-Link Detection
About Slow-Link Detection:
- We can enable this on group policies that distributes applications, so that the user will not download an application over a slow WAN
About Item Level targeting:
- We apply this to drive maps in the user configuration under policies.
- We can set attributes that are met, and this will apply.
- Under Computer config, we find Slow link detection
About Loopback Processing:
- We can find this setting under the GPO object computers-> Administrative templates -> system-> Group Policy -> Configure User Group Loopback Processing
note. Slow link mode is for detection regarding offline files. If the connection drops under a certain bandwidth, the computer treats the wan as being offline, and only uses the offline files.
Loopback can replace or merge properties
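Added example (not from the original notes): link order, block inheritance, security filtering and a WMI filter inventory done with the GroupPolicy module, then the resultant set for a user. OU path, GPO and group names are constructed.

```powershell
# Added example, not part of the original notes. OU, GPO and group names are constructed.
Import-Module GroupPolicy
$ou = 'OU=Sales,DC=corp,DC=example,DC=com'

# Link order: order 1 is processed last and so wins among the links on the same OU
Set-GPLink -Name 'GPO3' -Target $ou -Order 1
Get-GPInheritance -Target $ou | Select-Object -ExpandProperty GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# Block inheritance on the OU; enforced links from above still apply
Set-GPInheritance -Target $ou -IsBlocked Yes

# Security filtering: remove the default apply for Authenticated Users, grant one group.
# Computers still need Read on the GPO for user settings to be processed, so keep that.
Set-GPPermission -Name 'GPO4' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name 'GPO4' -TargetName 'Sales Laptops'       -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name 'GPO4' -TargetName 'Domain Computers'    -TargetType Group -PermissionLevel GpoRead

# WMI filters silently skip a GPO when they evaluate to false; know which GPOs carry one
Get-GPO -All | Where-Object WmiFilter |
    Select-Object DisplayName, @{n = 'WmiFilter'; e = { $_.WmiFilter.Name }}

# Resultant set for a user on this computer
gpresult /r /user CORP\bob
```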
IIS = Internet Information Services
IIS -> SiteOne -> Application Pools -> Application Pool Identity -> Service Account
To be able to authenticate against a SQL server, the service user needs an SPN (Service Principal Name). AD uses the Service Principal Name for checking that the service account is trusted for delegation. By enabling this, IIS can impersonate the user that is requesting access to the website.
To set a Service Principal Name we can use these commands:
setspn -l user1 gives the SPNs for the user
setspn -S http/siteone User2 e.g.: setspn -S http/www.bbc.co.uk BBC_Service_User
Usually there is a problem with the password expiring, so we use
Managed Service Accounts instead.
This account can only be given access to one server
dependencies: .net 3.5 and Active directory Module for Windows Powershell
recommended to run with Windows Server 2008 R2 Functional level or higher.
Group Managed Service Accounts
This account can be given rights on several machines, and run scheduled administrative tasks on the machines.
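Added example (not from the original notes): checking for a duplicate SPN before registering one, then replacing a password-expiring service user with a group managed service account (gMSA) whose SPN and delegation target are set on the account itself. Host names, account and group names and the SQL SPN are constructed.

```powershell
# Added example, not part of the original notes. Hosts, accounts and groups are constructed.
Import-Module ActiveDirectory

# SPNs: list what an account has, query before adding (a duplicate SPN breaks Kerberos
# for both services), then register. -S refuses to add a duplicate.
setspn -L CORP\svc_web
setspn -Q HTTP/www.corp.example.com
setspn -S HTTP/www.corp.example.com CORP\svc_web

# gMSA prerequisite: one KDS root key per forest. -EffectiveImmediately is for a lab;
# in production the key is usable only after the 10-hour replication window.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# The gMSA: AD rotates its password; only members of 'Web Servers' may fetch it
New-ADServiceAccount -Name 'gmsa_web' -DNSHostName 'www.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'Web Servers' `
    -ServicePrincipalNames 'HTTP/www.corp.example.com'

# On each web server (must be in 'Web Servers' and rebooted after joining the group)
Install-ADServiceAccount -Identity 'gmsa_web'
Test-ADServiceAccount -Identity 'gmsa_web'    # True when this host can retrieve the password

# Delegation to SQL: constrained to one service, never "trust for delegation to any service"
Set-ADServiceAccount -Identity 'gmsa_web' `
    -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql1.corp.example.com:1433' }
Get-ADServiceAccount -Identity 'gmsa_web' -Properties msDS-AllowedToDelegateTo, ServicePrincipalNames
```

In IIS the application pool identity then becomes CORP\gmsa_web$ with an empty password field; the host retrieves the current password from AD itself.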
The option BIND Secondaries needs to be enabled if you use unix DNS servers.
DAY Something, can’t even remember
Anyway…Clustering and failover… 😀
The first option is Split-Scope
For failover with DHCP we can set up at DHCP Failover.
We have features on a DHCP to ensure that we do not have conflicts.
One of the features are called Conflict detection Attempts
Fail over dhcp cluster is the second option we can use.
They share the same database for handing out IP addresses.
The last one is DHCP Failover
You have to two stand-alone DHCP-Servers that share the address leases between each other. (Replicates the addresses)
This can run in two modes: Hot Standby, or Load Sharing Mode (Load Balancing).
They share a heartbeat
If you have set it up in Hot Standby, 5% of the addresses are reserved by default for the Hot Standby DHCP server.
Port 647 is used for replicating and sharing HeartBeats
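Added example (not from the original notes): conflict detection and the two DHCP failover modes from the paragraphs above, configured with the DhcpServer module, followed by a check of the partner state. Server names, scopes and the shared secret are constructed.

```powershell
# Added example, not part of the original notes. Servers, scopes and secret are constructed.
# Conflict detection: ping an address before leasing it (each attempt delays the lease)
Set-DhcpServerSetting -ComputerName 'dhcp1' -ConflictDetectionAttempts 2

# Hot standby: dhcp2 serves only when dhcp1 is down; 5% of the scope is reserved for it.
# The shared secret authenticates the failover messages exchanged on TCP 647.
Add-DhcpServerv4Failover -ComputerName 'dhcp1' -Name 'VLAN10-HotStandby' -PartnerServer 'dhcp2' `
    -ScopeId 10.0.10.0 -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 10) `
    -SharedSecret 'Use-A-Long-Random-Secret'

# Load balance: both servers answer, split 50/50, lease data replicated between them
Add-DhcpServerv4Failover -ComputerName 'dhcp1' -Name 'VLAN20-LoadBalance' -PartnerServer 'dhcp2' `
    -ScopeId 10.0.20.0 -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) -SharedSecret 'Use-A-Long-Random-Secret'

# Relationship and partner state (Normal, CommunicationInterrupted, PartnerDown ...)
Get-DhcpServerv4Failover -ComputerName 'dhcp1' | Select-Object Name, Mode, State, PartnerServer
# Push a later scope change to the partner instead of editing it twice
Invoke-DhcpServerv4FailoverReplication -ComputerName 'dhcp1' -Name 'VLAN10-HotStandby' -Force
```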
IPAM Server can be used to manage these DHCP servers at an enterprise level, and to monitor them
IPAM cannot be installed on a Domain Controller
There are two IPAM components:
IPAM Remote management tools
First you provision the domain after installing the feature
Then run the
Invoke-IpamGpoProvisioning -Domain FB.com -GpoPrefixName (Name of prefix)
Then configure server discovery.
Then configure the services that you want to monitor and manage, and set the server to Managed
On the machine that want to manage, run gpupdate /force<3
In a Galaxy far, far away…
NLB (Network Load Balancing)
We can connect several nodes to a cluster. We can add or remove nodes at will.
When we load balance IIS servers we use a heartbeat between all the servers so they communicate with each other. After 5 heartbeats a node presumes that the other node is down. The heartbeat is sent every second.
The cluster is given its own IP, and you have to do this, as there has to be a cluster name with members.
When we connect using HTTPS or HTTP or any other service, we have something called Affinity options to exchange information between the servers. (The Affinity options define how the clients reconnect)
These are the Affinity types:
- None (Round Robin)
- Single (One Machine responds on first connection, second time you connect the other machine responds)
- Class-c (First time user connects it’s Round robin, the next time the user connects, it goes to the same ip.)
Modes of operations for network cards in Load Balancing are Multicast and Unicast.
Unicast mode only responds to the cluster ip.
Multicast mode: The server responds to the network ip on the host, and the Cluster ip
When using Multicast mode, you will have to configure network correctly.
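Added example (not from the original notes): an NLB cluster for two IIS nodes in unicast mode, with a single HTTPS port rule using Single affinity, and the convergence state that reflects the heartbeats. Node names, interface name and addresses are constructed.

```powershell
# Added example, not part of the original notes. Nodes, interface and addresses are constructed.
Import-Module NetworkLoadBalancingClusters

# Create the cluster on node 1 with its own cluster IP; unicast needs no switch changes
New-NlbCluster -InterfaceName 'Ethernet' -ClusterName 'web.corp.example.com' `
    -ClusterPrimaryIP 10.0.1.100 -SubnetMask 255.255.255.0 -OperationMode Unicast

# Add the second node
Add-NlbClusterNode -InterfaceName 'Ethernet' -NewNodeName 'web2' -NewNodeInterface 'Ethernet'

# Replace the default all-ports rule with one HTTPS rule; Single affinity keeps a
# client on the node it first hit, which session-bound web apps need
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol TCP -Mode Multiple -Affinity Single

# Convergence state: every node should read Converged once the heartbeats agree
Get-NlbClusterNode | Select-Object Name, State, HostPriority
Get-NlbClusterPortRule | Select-Object StartPort, EndPort, Protocol, Mode, Affinity

# Take a node out for maintenance without dropping existing connections
Stop-NlbClusterNode -HostName 'web2' -Drain
```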
Hyper-V Replication and Live Migration
To enable Hyper-V replication, we need to enable this on the receiving host and enable it as a replica server.
To enable live migration, we also need to enable this on the Hyper-V server.
Too much to write, but it's AWESOME. Especially Cluster Aware Updating CAU 🙂
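Added example (not from the original notes): enabling Hyper-V Replica on the receiving host for one named primary only, starting replication of a VM from the primary, and enabling live migration with Kerberos on both hosts. Host names, VM name, paths and the migration subnet are constructed.

```powershell
# Added example, not part of the original notes. Hosts, VM, paths and subnet are constructed.
Import-Module Hyper-V

# --- On the replica (receiving) host ---
# Accept replication only from an explicitly authorized primary, authenticated by Kerberos
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Kerberos `
    -ReplicationAllowedFromAnyServer $false -DefaultStorageLocation 'D:\Replica'
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'hv1.corp.example.com' `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Prod'
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# --- On the primary host ---
Enable-VMReplication -VMName 'web1' -ReplicaServerName 'hv2.corp.example.com' `
    -ReplicaServerPort 80 -AuthenticationType Kerberos -ReplicationFrequencySec 300
Start-VMInitialReplication -VMName 'web1'
Get-VMReplication -VMName 'web1' | Select-Object VMName, State, Health, Mode

# --- Live migration, on both hosts ---
# Kerberos (not CredSSP) means no interactive logon is needed, but the two host computer
# accounts must be set up for constrained delegation (cifs and Microsoft Virtual System
# Migration Service) to each other in AD first.
Enable-VMMigration
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos -MaximumVirtualMachineMigrations 2
Add-VMMigrationNetwork -Subnet '10.0.99.0/24'   # keep migration traffic on its own network
Move-VM -Name 'web1' -DestinationHost 'hv2.corp.example.com'
```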