What are Service Principal Names (SPNs)?

SPNs seem to get more and more use these days, so I thought it would be nice to give an explanation of what SPNs are.

SPNs are used for mapping a service to a user account. You will find SPNs used predominantly with Delegation and Impersonation, and a lot of the time this is between a web server and another server hosting a service that requires Kerberos authentication.  The key here is that Kerberos authentication is required, and thus this is primarily used within an organization or a trusted company.  An example of this would be when an end user logs on to a web server which then logs on to a SQL server.  The web server is trying to authenticate against the SQL server using the web user's credentials, but it doesn't have the right to do that type of delegation.  If that were the case I don't think online banking would be…well, online. :)  Now this is only the case when the web and SQL instances are on separate servers.  If they were on the same server you would not need to worry about SPNs.

Kerberos is the key here.  Kerberos authentication happens all the time and is very common.  The special part of Kerberos authentication is that it requires a ticket that ensures each party is who they say they are.  This ensures that a hacker can't impersonate another user.  The only type of delegation that Windows allows is a Kerberos connection.  In short, the user knows how to contact and authenticate with the web server but has no idea who the SQL server is, yet needs data from it and needs to authenticate…thus delegation and impersonation need to occur.

An SPN is a name that Kerberos clients use to identify a service on a computer that is also using Kerberos.  In fact you can have multiple instances of a service running on a system and each could have its own SPN. SPNs have a specific format which looks similar to this – <service class>/<host>:<port>/<service name>.  The only parts that are required are the service class and host.  For example, HTTP/www.adminprep.com would be an SPN registration for any page on that web site.  You would use the port option if you wanted to specify a port with the service, like this – MSSQLSvc/sqlservername.adminprep.com:3411.  More info on the formatting of SPNs can be found here.

SPN names can use short NetBIOS names or long FQDN names.  I recommend always using FQDNs as you can have potential name conflicts in a multi-domain forest with short names.
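As an added example (not part of the original post), here is a small Python checker for the SPN format described above and the FQDN recommendation: it parses SPNs into their parts, flags hosts given as short NetBIOS names, and finds any SPN registered to more than one account, which breaks Kerberos for that service. The registration list is constructed sample data, not output from a real domain.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SpnKey = Tuple[str, str, Optional[int], Optional[str]]


@dataclass(frozen=True)
class Spn:
    """One parsed SPN: <service class>/<host>[:<port>][/<service name>]."""
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None

    def key(self) -> SpnKey:
        # SPN matching is case-insensitive, so compare a lowered form.
        name = self.service_name.lower() if self.service_name else None
        return (self.service_class.lower(), self.host.lower(), self.port, name)

    def uses_short_name(self) -> bool:
        # A host with no dot is a NetBIOS name, which can collide across domains.
        return "." not in self.host


def parse_spn(text: str) -> Spn:
    """Split an SPN string into its parts; only service class and host are required."""
    parts = text.strip().split("/")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {text!r}")
    service_class, host_port = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, port = host_port, None
    if ":" in host_port:
        host, _, port_text = host_port.rpartition(":")
        if not host or not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad host:port in SPN: {text!r}")
        port = int(port_text)
    return Spn(service_class, host, port, service_name)


# Constructed sample of (account, SPN) registrations, like what you would
# gather from running setspn -L against each service account. Not real data.
SAMPLE_REGISTRATIONS = [
    ("SQL01$", "MSSQLSvc/sql01.adminprep.com:1433"),
    ("svc_sql", "MSSQLSvc/sql01.adminprep.com:1433"),   # same SPN on two accounts
    ("svc_web", "HTTP/www.adminprep.com"),
    ("svc_web", "HTTP/www"),                            # NetBIOS short name
    ("WEB01$", "HOST/web01.adminprep.com"),
]


def find_duplicates(registrations: List[Tuple[str, str]]) -> Dict[SpnKey, List[str]]:
    """Return SPNs registered on more than one account, keyed by normalized SPN.

    With a duplicate SPN the KDC cannot tell which account's key to encrypt the
    service ticket with, so Kerberos authentication to that service fails.
    """
    owners: Dict[SpnKey, Set[str]] = {}
    for account, spn_text in registrations:
        owners.setdefault(parse_spn(spn_text).key(), set()).add(account)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def find_short_names(registrations: List[Tuple[str, str]]) -> List[str]:
    """Return SPN strings whose host part is a NetBIOS name rather than an FQDN."""
    return [spn for _, spn in registrations if parse_spn(spn).uses_short_name()]


if __name__ == "__main__":
    for key, accounts in find_duplicates(SAMPLE_REGISTRATIONS).items():
        print(f"DUPLICATE {key[0]}/{key[1]}:{key[2]} on {', '.join(accounts)}")
    for spn in find_short_names(SAMPLE_REGISTRATIONS):
        print(f"SHORT NAME {spn}")
```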

For a more detailed look into SPNs I've provided a few links below along with links to common issues.  However, the first place you should go is to this TechNet article.

Service Principal Name (SPN) Resources and Issues

Admin's Guide to Server Core Commands

Repost from AdminPrep.com…I will be moving several of the articles over to this blog.



Before all this starts, credit must go where credit is due.  I did not come up with all of the info within this article.  A lot of people have felt my pain and have contributed in their own ways.  One place you should know about is the Official Server Core Blog, as it is where I learned my all-time favorite command, which embeds the time into the Command Prompt (read on to see that one!).  As I've collected my own list internally and blogged on it for about a year now, I see a lot of the same commands there.  The Windows Server 2008 Administrator's Companion has a nice chapter on Server Core, but by far the best resource is the scripts that accompany the book.  They allow you to very easily configure common settings.  One last area you should look into is of course Guy Teverovsky's Server Core Configurator…if you haven't seen it, check it out now!


Server Core is a version of Windows Server 2008 that has a minimal Graphical User Interface (GUI).  I say minimal when most say command-line only because there are GUI tools available such as Notepad and Task Manager.  One thing that definitely doesn't run on Server Core is the Explorer process.  If you're unaware of what that process does, just end the explorer.exe process in Task Manager on your client and look what happens…don't freak out, all you need to do is go back to Task Manager, select File -> New Task (Run…) and then type explorer.exe.


The purpose of this article is not to give you every last detail of Server Core but to provide you with what you need to know to get it up and running in your environment.


Server Core has a limited amount of roles that can be installed on it, which include:


  • Active Directory Domain Services (AD DS) and AD Lightweight Directory Services (AD LDS)
  • DNS Server
  • Internet Information Services (IIS) (No ASP.NET support)
  • DHCP Server
  • File Services
  • Print Services
  • Streaming Media Services
  • Hyper-V

Now that doesn't mean that Server Core can't do other things.  In fact it can, but Microsoft calls those other items Features and not Roles.


  • Microsoft Failover Cluster (not available in Standard Edition)
  • Network Load Balancing
  • Subsystem for UNIX-based applications
  • Backup
  • Multipath IO
  • Removable Storage Management
  • Bitlocker Drive Encryption
  • Simple Network Management Protocol (SNMP)
  • WINS
  • Telnet

Later on in the article I will explain how to install these services.  But first it's time to go over what I believe to be the most commonly requested commands for administering a Server Core environment.


Server Core Common Networking and Firewall Commands


Here is the start of your Networking and Firewall related commands for Server Core:


Server Core Common Networking Commands


To configure the IP address we will have to remember (or learn) Netsh.


Configure a Static IP Address on Server Core:
netsh int ipv4 set address "Local Area Connection" static 10.1.1.10 255.255.255.0 10.1.1.1
netsh int ipv4 set dnsserver "Local Area Connection" static 10.1.1.5 primary
netsh int ipv4 set winsserver "Local Area Connection" static 10.1.1.6 primary


Configure a Dynamic (DHCP) IP Address on Server Core:
netsh int ipv4 set address "Local Area Connection" source=dhcp


Change the name of the network interface on Server Core:
netsh int set interface name="Local Area Connection" newname="Primary Network"


Server Core Common Windows Firewall Commands:


The Windows Firewall is a blessing to some and a curse to others. Either way it is installed by default, and you have to understand the commands that are needed to configure the basics and, in some cases, some advanced settings.


Disable firewall:
netsh firewall set opmode disable


Server Core can be managed by using MMCs from a remote server. However, with the firewall being on by default you will have to allow these tools to work remotely.  The first thing to note here is how to translate an MMC Snap-in to its Windows Firewall Rule Group.


MMC Snap-in – Event Viewer
Windows Firewall Rule Group – Remote Event Log Management


MMC Snap-in – Services
Windows Firewall Rule Group – Remote Services Management


MMC Snap-in – Shared Folders
Windows Firewall Rule Group – File and Printer Sharing


MMC Snap-in – Task Scheduler
Windows Firewall Rule Group – Remote Scheduled Tasks Management


MMC Snap-in – Reliability and Performance
Windows Firewall Rule Group – Performance Logs and Alerts
Windows Firewall Rule Group – File and Printer Sharing


MMC Snap-in – Disk Management
Windows Firewall Rule Group – Remote Volume Management


MMC Snap-in – Windows Firewall with Advanced Security
Windows Firewall Rule Group – Windows Firewall Remote Management


To enable all of these rules use this command:
netsh advfirewall firewall set rule group="remote administration" new enable=yes


To enable a specific rule group follow this format (put the rule group name from the list above inside the quotes):
netsh advfirewall firewall set rule group="<Rule Group>" new enable=yes


Server Core Common Domain Management Commands

Join a domain:
netdom join ComputerName /domain:DomainName /userd:UserName /passwordd:*
Yes, /passwordd:* needs to have that second d at the end of it.


Remove from domain:
netdom remove ComputerName /domain:DomainName /userd:UserName /passwordd:*


Rename a Domain Member:
netdom renamecomputer %computername% /NewName:NewComputerName /userd:UserName /passwordd:*


Rename Administrator:
wmic UserAccount where Name="Administrator" call Rename Name="new-name"


Add User to a Local Group
net localgroup GroupName UserName /add


Remove User from a Local Group
net localgroup GroupName UserName /delete


Confirm Domain and/or New Computer Name (the set command lists the environment variables, including USERDOMAIN and COMPUTERNAME):
set


Update User Passwords:
net user UserName * [/domain]


Server Core Common Server Management Commands


Toggle Remote Desktop on and off:
cscript \windows\system32\scregedit.wsf /ar 0


Enable reduced security for RDP connections:
cscript \windows\system32\scregedit.wsf /cs 0


Activate Server Core:
Local method – slmgr.vbs -ato
Remote method – cscript \windows\system32\slmgr.vbs ServerName UserName Password -ato


Rename a Stand-Alone Member:
netdom renamecomputer %computername% /NewName:NewComputerName


List of installed patches:
wmic qfe list


Install Updates:
wusa UpdateFileName.msu /quiet


Configure for AutoUpdates:
cscript scregedit.wsf /AU /4


Disable AutoUpdates:
cscript scregedit.wsf /AU /1


View AutoUpdate Setting:
cscript scregedit.wsf /AU /v


Configure the Page File:
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=SizeInMB,MaximumSize=SizeInMB


Configure a Proxy Server: (Server Core cannot use a proxy that requires a password)
netsh winhttp set proxy ProxyServerName:Port


All your favorite TCP/IP commands work including the following:
IPConfig
ARP
Ping
PathPing
TraceRT
Route
NSLookup
NetStat
NBTStat


List Running Services:
sc query


Start and/or Stop a Service:
sc start ServiceName
sc stop ServiceName


Task Manager: (Ctrl+Shift+Esc)
taskmgr


Manage Disk Volumes:
Diskpart /?


Defrag a Volume:
defrag /?


Change Time and Time Zone:
control timedate.cpl


Change the Desktop Resolution: (requires you to log off and back on)
Regedit – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\<adapter GUID>\0000
DefaultSettings.XResolution
DefaultSettings.YResolution


Display the Time in the Command Prompt:
prompt [$t]$s$p$g


Log off:
shutdown /l


Restart Now:
shutdown /r /t 0




To get the Roles and Features installed you are going to need to use the ocsetup.exe command.  The OC is short for Optional Components.  The most important thing to remember about this command is that IT IS CASE SENSITIVE!!! As a best practice you should always launch ocsetup.exe with start /w, as this holds the Command Prompt (the point at which you can type again) until the setup is complete.  Below you will find a list of the commands that are required to install Roles and Features on Server Core.


DNS
start /w ocsetup DNS-Server-Core-Role


DHCP
start /w ocsetup DHCPServerCore


File Services (the Server service is installed by default, but there are other role services you can add)


File Replication Service
start /w ocsetup FRS-Infrastructure


Distributed File System
start /w ocsetup DFSN-Server


Distributed File System Replication
start /w ocsetup DFSR-Infrastructure-ServerEdition


Services for Network File System (NFS)
start /w ocsetup ServerForNFS-Base
start /w ocsetup ClientForNFS-Base


Hyper-V
start /w ocsetup Microsoft-Hyper-V


Print Server feature
start /w ocsetup Printing-ServerCore-Role


Line Printer Daemon (LPD) service
start /w ocsetup Printing-LPDPrintService


Active Directory Lightweight Directory Services
start /w ocsetup DirectoryServices-ADAM-ServerCore


Active Directory Domain Services
dcpromo /unattend:AnswerFile.txt


Streaming Media Services
Follow directions found in Article ID 934518


IIS
start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel
To uninstall IIS use the following command
start /w pkgmgr /uu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel


NOTE: If you need to uninstall a Role that you installed with ocsetup, all you need to do is append /uninstall to the commands above.


Now let's take a look at how we install Features on Server Core:


Microsoft Failover Clustering
start /w ocsetup FailoverCluster-Core


Network Load Balancing
start /w ocsetup NetworkLoadBalancingHeadlessServer


Subsystem for UNIX-based applications
start /w ocsetup SUACore


Multipath IO
start /w ocsetup MultipathIo


Removable Storage
start /w ocsetup Microsoft-Windows-RemovableStorageManagementCore


Bitlocker Drive Encryption
start /w ocsetup BitLocker


Backup
start /w ocsetup WindowsServerBackup


Simple Network Management Protocol (SNMP)
start /w ocsetup SNMP-SC


Windows Internet Name Service (WINS)
start /w ocsetup WINS-SC


Telnet client
start /w ocsetup TelnetClient


NOTE: If you need to uninstall a Feature that you installed with ocsetup, all you need to do is append /uninstall to the commands above.


Having the Role or Feature installed doesn't do much without going in and configuring the service.  The quick and easy way to manage these Roles and Features is to have either a dedicated Terminal Server with the AdminPak or Remote Server Administration Tools (RSAT) installed, or just install those same tools on XP or Vista.


Take a look here for more info on how to manage DNS with DNSCMD and then head over here for installing Active Directory via an answer file on Server Core.


I know this isn't a complete listing of the commands, but I really believe this should help you get started in the right direction.  One of the best resources out there is the Windows Server 2008 Step-by-Step Guides. For this case you will want to download the Server_Core_Installation_Option_of_Windows_Server_2008_Step-By-Step_Guide.doc guide.

Will the Real FTP Service Please Stand Up?

I'm confused…really confused.  One of Windows Server 2008's new touted upgrades is IIS7.  Maybe it's just me, but I've always thought FTP was part of IIS…and it is in Windows Server 2008.  So why am I so confused?  Well, apparently Microsoft and the IIS team (which I'm a big fan of!) released another version of FTP as a separate download.  Oh, and get this, its name is FTP7.


Yes, you heard correctly.  FTP7 is not the same FTP service that is included with IIS7.  I saw this over at IIS.net, which is the home of the IIS team.  Take a look for yourself, but I snatched the main bullets below:


  • Integration with IIS 7.0: IIS 7.0 has a brand-new administration interface and configuration store, and the new FTP service is tightly integrated with this new design. The old IIS 6.0 metabase is gone, and a new configuration store that is based on the .NET XML-based *.config format has taken its place. In addition, IIS 7.0 has a new administration tool, and the new FTP server plugs seamlessly into that paradigm.
  • Support for new Internet standards: One of the most significant features in the new FTP server is support for FTP over SSL. The new FTP server also supports other Internet improvements such as UTF8 and IPv6.
  • Shared hosting improvements: By fully integrating into IIS 7.0, the new FTP server makes it possible to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. In addition, the FTP server now has virtual host name support, making it possible to host multiple FTP sites on the same IP address. The new FTP server also has improved user isolation, now making it possible to isolate users through per-user virtual directories.
  • Extensibility and custom authentication: The new FTP server supports developer extensibility, making it possible for software vendors to write custom providers for FTP authentication. Microsoft is using this extensibility feature to implement two new methods for using non-Windows accounts for FTP authentication for IIS Managers and .NET Membership.
  • Improved logging support: FTP logging has been enhanced to include all FTP-related traffic, unique tracking for FTP sessions,FTP sub-statuses,additional detail fields in FTP logs, and much more.
  • New supportability features: IIS 7.0 has a new option to display detailed error messages for local users, and the FTP server supports this by providing detailed error responses when logging on locally to an FTP server. The FTP server also logs detailed information using Event Tracing for Windows (ETW), which provides additional detailed information for troubleshooting.

My first thought was one of confusion but then I started to think a little further.  Now that it is a separate download perhaps I could install it on Server 2003 or Vista or DOS…ok so maybe not DOS.  Well here is what you get when you try to install it on anything but Server 2008. :(




You will have to have IIS7 installed for this to work, and you will have to ensure that the FTP portion of IIS7 is uninstalled before you install this one.  Head on over to IIS.net to download the latest revision of FTP7.

Windows Server 2008 Reviewers Guide – Reviewed

After spending a bit of time on Amazon I noticed that books, movies, and other random things you can buy all had customer reviews.  I started to think, why don't white papers and technical documents have the same?  Today I've decided to take action against poorly written technical papers and ensure that those companies are held accountable for what they are publishing.  OK, maybe I'm not that gung-ho about it, but I do think it would be nice to give a review here and there on stuff I've read through.

Today's review is on the Windows Server 2008 Reviewers Guide.  How interesting to start my reviews on a Reviewers Guide.  From what I can gather this guide has been available since early February and is in two forms, Full and Short.  The Full version weighs in at just under 11 MB while the Short version is just over 8 MB.  Not much of a difference in size.  The Full version is a whopping 250 pages while the Short version is 116 pages.  I actually thought the Short version would have been much shorter.  This review is for the Full version.

 

Usually when I download these Guides I notice that they are 100% marketing speak and 0% technical.  I was pleasantly surprised that this Guide had only a few areas littered with marketing junk.  If you can get past the first few pages you are presented with several tables detailing which features work on which edition of Windows Server 2008.  Since this is a new OS I'm quite fond of it, since I'm trying to figure out what goes where.

Section 2: Server Virtualization – I really hoped to gather a lot out of this section and quite frankly it did not deliver.  It provides a good high-level overview of Hyper-V but not much of anything when it comes to technical details.  I'm also not sure why there is even a page on Server Core here, as it is really out of place.  Feel free to skip this section if you have been working with Virtualization for some time now.

Section 3: Centralized Application Access – This section was all about Terminal Services (TS).  Since there are quite a few changes to this service in Windows Server 2008 I again was looking forward to this section.  For me, this one delivered.  It went over all the new features, and the best part of the entire section was that it gave you Group Policy locations to configure certain TS options!

Section 4: Branch Office – All I've been hearing about with Server 2008 is branch office this and branch office that.  Because of that I expected to see a lot of stuff in this section. The Read-Only Domain Controller (RODC) part was decent.  It actually gave some info that I didn't expect to see, like detailing which Active Directory Services attributes were added to the schema to support RODCs.  I also thought a decent job was done on the BitLocker portion, as it went into commands to help install it and Group Policy settings. As for the DFS portion I really wanted to see more.  This one lacked some of the details of the other products from this section.

Section 5: Security and Policy Enforcement – At over 80 pages this was the largest of all sections and covered a wide range of features within Windows Server 2008. The first few areas go over some definitions and can be used as a good reference at a later time.  There were so many, in fact, that I had to skip ahead because I felt I was studying for an exam. The Routing and Remote Access Service portion was very light and only highlighted some new technologies and removed ones (thanks for finally removing OSPF…it never belonged on a server).  I wanted to see more in the next section on how some of the services would work with IPv6. There was very little detail on that.  The Firewall portion of this section did a good job explaining what changed in Server 2008 from previous versions (client and server).  The Cryptography Next Generation portion provided nothing more than an overview.

Now we begin the Active Directory portion of this section, starting with an excellent write-up of Active Directory Certificate Services.  I felt that it was adequately covered, hitting all major points of interest.  This portion was followed up by Active Directory Domain Services, and the team did another good job on this area.  There isn't a lot of technical How-To stuff here, but it will inform you on what is new.  Federation Services was covered next, and there was some good reading there with a nice flow chart to follow along with.  Let's just say that the Active Directory Lightweight Directory Services was…well…light.  Finishing up Section 5 was an area that I really wanted to read up on, Active Directory Rights Management Services.  I was disappointed, but only because I wanted to read more technical information on this product. Perhaps a scenario or two here with some flow charts would have been beneficial.

Section 6: Web and Application Platform – I've been a big fan of IIS since all the great changes that were made with IIS6.  I haven't had time to look into IIS7 in great detail, but this was about to change.  I felt empty after reading this portion.  What about FTP being completely redone?  Nothing!  The last portion is about Transactional NTFS; I think that page and a half will only confuse people and have them wondering how to turn this on.

Section 7: Server Management – The first three portions of this section are a very basic introduction to Server Manager.  It is nice to have a reference of all the Roles and Features in Server Manager though. The next area goes over a brief introduction to PowerShell.  As much as I would love to see more technical info here, this is the one area that I can give a pass on.  PowerShell is not something you want people learning from a Reviewers Guide.  To my dismay there were a total of 4 pages on Server Core and all of them marketing!  I really wish there would have been some more info here.  The same marketing theme was put into the Backup portion, but that is OK with me because not many mid-to-large companies use the built-in backup tool.  An area I thought would have been really nice was the Windows Reliability and Performance Monitor.  Again, it really lacked any details about the feature. The only thing I would have liked to see added to the Windows Deployment Services (WDS) portion would have been some sample scripts or commands…also any Group Policy settings that apply to WDS.  The Group Policy portion finishes this section off and saves the section in my opinion.  Great job to the people that put that area together.

Section 8: High Availability Introduction – Why is it that every guide I read through lacks information on clusters and network load balanced systems?  All 7 pages are marketing and nothing to get the technical person excited about high availability.

Section 9: Better Together & Section 10: Miscellaneous – Feel free to skip these areas now.  Section 9 is a sales pitch to put Vista and Server 2008 together and Section 10 should have been put in the first section.

It's now time for my rating.  This is 100% subjective to my opinion and only my opinion.  If you feel it should be different let me know by providing feedback in the comments section.  I will rate each section on a scale of 1 – 5, with 5 being the best possible.  Then I will rate the entire guide, but it will not just be the average of all the scores.  I will rate it on usefulness to the community.

Brian's Official Rating Scale
1 = Why were calories spent on this?
2 = Save some trees and don't print this one
3 = Some areas are good but some aren't so good
4 = Kept my technical interest and definitely printable
5 = Excellent – Print it out and keep it as a reference in your office

 

Rating on a scale of 1 – 5
Section 1: 2
Section 2: 2
Section 3: 5
Section 4: 4
Section 5: 4
Section 6: 1
Section 7: 3
Section 8: 2
Section 9: 1
Section 10: 1
Windows Server 2008 Reviewers Guide (overall): 3

Windows Server 2008 Component Posters

Back in January of 2007 I posted that TechNet Magazine had a really cool poster that showed Active Directory as a jigsaw puzzle. I noticed in my latest copy of TechNet Magazine that it included two new posters. One of them was another Active Directory poster that showed all the cool new stuff in Windows Server 2008, and the other was one of the Windows Server 2008 Components. I just saw that both of these are now available to download from Microsoft. This is something you will want to get your hands on, and if you don't get the TechNet magazine this is a great way to print it out too.

Access Free Virtual Labs from Microsoft

I just found another gem that I'm sure everyone will love. While surfing over at IIS.net I saw that they had 5 virtual labs on IIS, three on IIS 7 and two on IIS 6. These are the real deal, where you connect to an actual Virtual Machine and have free rein over it. It comes with a PDF lab manual that resembles the labs from the Official Curriculum that a CPLS would use. After digging a bit further I found that TechNet also had quite a few Virtual Labs available on Vista, SQL, Exchange, Office 2007, ISA, SharePoint, SMS, and Server 2003.


I thought it would be a good idea to put these labs all in one place for people to use. I know I'll be taking them!!!


IIS 6 and IIS 7


IIS 6.0 – Compression
IIS 6.0 – HTTP Caching
IIS 7.0 – Core Server
IIS 7.0 – Configuration
IIS 7.0 – Diagnostics & Troubleshooting


Windows Vista


Windows Vista Security Overview
Windows Vista Management Overview
Windows Vista Windows System Image Manager Overview
Windows Vista Collaborate in Small Groups Anywhere, Anytime
Windows Vista Improve your PC's Power Management
Windows Vista Easily Manage your Data Synchronization
Windows Vista Set Up and Connect to Networks with Simplicity
Windows Vista Improved and Automated Help Options
Windows Vista Instantly Search and Find Information
Windows Vista Built-in Diagnostics
Windows Vista Better Protection from Malware
Windows Vista Browse with Enhanced Security


More Virtual labs


What's New in SQL Server 2005
Microsoft 2007 Office System Overview
Introduction to Microsoft Exchange Server 2007
Introduction to ISA Server 2006 Beta
Introduction to SharePoint Portal Server 2003
Microsoft Exchange Server 2003-Distribution
Introduction to Windows Server 2003 Management
SMS Hardware, Inventory and Web-Based Reports

OK, so after linking all those labs I just found out there are a TON of labs available online for you. Go here for a list of all of them…take a look at the bottom.

IIS7 Included in Server Core

Bob Muglia mentioned in the keynote at TechEd 2007 (really wish I could be there) that IIS7 was in fact going to be included in Server Core. I know that a lot of hosting providers have been screaming for this, and rightfully so. While this sounds like outstanding news, it is only the first step in what really needs to be done. This allows you to run a great web/FTP server on a server that has a reduced attack surface and small footprint; however, it ONLY allows you to run non-ASP.NET sites and applications. That is because .NET is still not supported on Server Core. I'm not sure if it will be by the time it is released, but I truly hope they will find a way to get .NET working on Server Core.