SPNs seem to get more and more use these days, so I thought it would be nice to give an explanation of what SPNs are.
SPNs map a service instance to the account that runs it. You will find SPNs used predominantly with Kerberos delegation and impersonation, and a lot of the time this is between a web server and another server hosting a service that requires Kerberos authentication. The key here is that Kerberos authentication is required, so this is primarily used within an organization or with a trusted partner company. An example would be an end user who logs on to a web server, which in turn connects to a SQL server. The web server tries to authenticate against the SQL server using the web user's credentials, but out of the box it does not have the right to do that kind of delegation: its account has to be trusted for delegation and the SQL service has to have an SPN registered, or the second hop simply fails. If any server could forward your credentials wherever it liked, I don't think online banking would be...well, online. :) Note that this is only the case when the web and SQL instances are on separate servers. If they are on the same server the request never leaves the box, so you would not need to worry about SPNs for the delegation.
Kerberos is the key here. Kerberos authentication happens all the time and is very common. The special part of Kerberos is that it is ticket-based and mutual: the ticket proves the client's identity to the service, and the service proves its identity back, so neither side can simply claim to be someone else. Delegation in Windows only works over Kerberos; NTLM credentials cannot be forwarded to a second hop. In short, the user knows how to contact and authenticate with the web server but has no idea who the SQL server is, yet needs data from it and needs to authenticate to it...thus delegation and impersonation need to occur.
An SPN is the name a Kerberos client uses to identify a particular service instance on a computer that is also using Kerberos. You can have multiple instances of a service running on one system, and each needs its own SPN. SPNs have a specific format: <service class>/<host>:<port>/<service name>. Only the service class and host are required. For example, HTTP/www.adminprep.com would be the SPN registration covering any page on that web site. You use the port option when you need to tie the SPN to a specific port, like this: MSSQLSvc/sqlservername.adminprep.com:3411. The client builds the SPN from the name it connects to, so the host part must match what clients actually use, and the SPN must be registered on the account the service runs as (setspn is the tool for that). More info on the formatting of SPNs can be found here.
SPN host names can be short NetBIOS names or FQDNs. I recommend always using FQDNs, since short names can collide in a multi-domain forest, and the same SPN registered on two accounts breaks Kerberos authentication for that service.
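As an added example (not part of the original post), here is a PowerShell function pair that parses an SPN into its parts and checks a set of registrations for the two problems the paragraphs above warn about: short host names and the same SPN registered on more than one account. The account names, the SPNs and the ADMINPREP domain are constructed for the example.

```powershell
# Added example, not from the original post. Parse SPNs and flag short host names
# and duplicate registrations. All account names and SPNs below are constructed.

function ConvertFrom-Spn {
    param([Parameter(Mandatory)][string]$Spn)
    # Format: <service class>/<host>[:<port>][/<service name>]; only class and host are required.
    if ($Spn -notmatch '^(?<class>[^/]+)/(?<host>[^/:]+)(?::(?<port>[^/]+))?(?:/(?<name>.+))?$') {
        throw "Not a valid SPN: $Spn"
    }
    [pscustomobject]@{
        Spn          = $Spn
        ServiceClass = $Matches.class
        Host         = $Matches.host
        Port         = $Matches.port        # $null when no port was given
        ServiceName  = $Matches.name        # $null when no service name was given
        IsFqdn       = $Matches.host.Contains('.')
    }
}

function Test-SpnRegistrations {
    # $Registrations maps an account name to the list of SPNs registered on it
    # (in real life: the output of "setspn -L <account>" or the servicePrincipalName attribute).
    param([Parameter(Mandatory)][hashtable]$Registrations)
    $findings = @()
    $seen = @{}                                   # lower-cased SPN -> account that owns it
    foreach ($account in $Registrations.Keys) {
        foreach ($spn in $Registrations[$account]) {
            $parsed = ConvertFrom-Spn $spn
            if (-not $parsed.IsFqdn) {
                $findings += "WARN  $account : $spn uses a short host name; register the FQDN form"
            }
            $key = $spn.ToLowerInvariant()        # SPNs are compared case-insensitively
            if ($seen.ContainsKey($key) -and $seen[$key] -ne $account) {
                $findings += "FAIL  $spn is registered on both $($seen[$key]) and $account (duplicate SPN breaks Kerberos)"
            } else {
                $seen[$key] = $account
            }
        }
    }
    $findings
}

# Constructed sample: a web app-pool account, a SQL service account and a computer
# account that still carries the HTTP SPN from before the service account was created.
$sample = @{
    'ADMINPREP\svc-web' = @('HTTP/www.adminprep.com', 'HTTP/www')
    'ADMINPREP\svc-sql' = @('MSSQLSvc/sqlservername.adminprep.com:3411', 'MSSQLSvc/sqlservername.adminprep.com')
    'ADMINPREP\WEB01$'  = @('HTTP/www.adminprep.com')
}
Test-SpnRegistrations $sample
```

The check reports the short-name HTTP/www registration and the HTTP/www.adminprep.com SPN that exists on two accounts. On Windows Server 2008, setspn -S refuses to add an SPN that already exists somewhere in the forest and setspn -X lists the duplicates that are already there, so use those rather than setspn -A when you register SPNs by hand.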
For a more detailed look into SPNs I've provided a few links below, along with links to common issues. However, the first place you should go is this TechNet article.
Service Principal Name (SPN) Resources and Issues
Repost from AdminPrep.com…I will be moving several of the articles over to this blog.
Before all this starts, credit must go where credit is due. I did not come up with all of the info within this article. A lot of people have felt my pain and have contributed in their own ways. One place you should know about is the Official Server Core Blog, as it is where I learned my all-time favorite command, which embeds the time into the Command Prompt (read on to see that one!). As I've collected my own list internally and blogged on it for about a year now, I see a lot of the same commands there. The Windows Server 2008 Administrator's Companion has a nice chapter on Server Core, but by far the best resource is the scripts that accompany the book. They allow you to very easily configure common settings. One last area you should look into is of course Guy Teverovsky's Server Core Configurator...if you haven't seen it, check it out now!
Server Core is an installation option of Windows Server 2008 with a minimal Graphical User Interface (GUI). I say minimal when most say command-line only, because there are GUI tools available such as Notepad and Task Manager. One thing that definitely doesn't run on Server Core is the Explorer process. If you're unaware of what that process does, just end the explorer.exe process in Task Manager on your client and look what happens...don't freak out, all you need to do is go back to Task Manager, select File -> New Task (Run...) and type explorer.exe.
The purpose of this article is not to give you every last detail of Server Core but to provide you with what you need to know to get it up and running in your environment.
Server Core supports only a limited set of Roles (each is listed, with its install command, later in this article).
Now that doesn't mean that Server Core can't do other things. In fact it can, but Microsoft calls those other items Features and not Roles.
Later on in the article I will explain how to install these services. But first it's time to go over what I believe to be the most commonly requested commands for administering a Server Core environment.
Server Core Common Networking and Firewall Commands
Here is the start of your networking and firewall related commands for Server Core:
To configure the IP address we will have to remember (or learn) netsh.
Configure a Static IP Address on Server Core:
netsh int ipv4 set address "Local Area Connection" static 10.1.1.10 255.255.255.0 10.1.1.1
netsh int ipv4 set dnsserver "Local Area Connection" static 10.1.1.5 primary
netsh int ipv4 set winsserver "Local Area Connection" static 10.1.1.6 primary
Configure a Dynamic (DHCP) IP Address on Server Core:
netsh int ipv4 set address "Local Area Connection" source=dhcp
Change the name of the network interface on Server Core:
netsh int set interface name="Local Area Connection" newname="Primary Network"
The Windows Firewall is a blessing to some and a curse to others. Either way it is on by default, and you have to understand the commands needed to configure the basics and, in some cases, some more advanced ones. The legacy way to switch it off entirely is:
netsh firewall set opmode disable
Don't do that on anything reachable from a network you don't control; open the specific rule groups you need instead (next section). If you really must, the Server 2008 equivalent is netsh advfirewall set allprofiles state off, and netsh advfirewall set allprofiles state on puts it back.
Server Core can be managed with MMC snap-ins from a remote server. However, with the firewall on by default you will have to allow these tools to work remotely. The first thing to note is how to translate an MMC snap-in to the Windows Firewall rule group it needs:
MMC Snap-in – Event Viewer
Windows Firewall Rule Group – Remote Event Log Management
MMC Snap-in – Services
Windows Firewall Rule Group – Remote Service Management
MMC Snap-in – Shared Folders
Windows Firewall Rule Group – File and Printer Sharing
MMC Snap-in – Task Scheduler
Windows Firewall Rule Group – Remote Scheduled Tasks Management
MMC Snap-in – Reliability and Performance
Windows Firewall Rule Group – Performance Logs and Alerts
Windows Firewall Rule Group – File and Printer Sharing
MMC Snap-in – Disk Management
Windows Firewall Rule Group – Remote Volume Management
MMC Snap-in – Windows Firewall with Advanced Security
Windows Firewall Rule Group – Windows Firewall Remote Management
To enable all of these rules use this command:
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
To enable a specific group instead, which is the least-privilege option, use this format:
netsh advfirewall firewall set rule group="Rule Group Name" new enable=yes
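Here is an added PowerShell example (mine, not the original post's) that turns the table above into the exact netsh commands for only the snap-ins you actually use, and then reads the output of netsh advfirewall firewall show rule name=all dir=in to confirm the groups really are enabled. The netsh output at the bottom is a constructed, abbreviated sample, and the parser assumes that command's Rule Name: / Enabled: / Grouping: field layout; the rule group names are the ones the firewall itself uses.

```powershell
# Added example, not from the original post. Map MMC snap-ins to the firewall rule groups
# they need, emit netsh commands for just those groups, and verify against the output of
#   netsh advfirewall firewall show rule name=all dir=in
# The netsh text near the bottom is a constructed, trimmed sample of that output.

$SnapInToRuleGroup = @{
    'Event Viewer'                            = @('Remote Event Log Management')
    'Services'                                = @('Remote Service Management')
    'Shared Folders'                          = @('File and Printer Sharing')
    'Task Scheduler'                          = @('Remote Scheduled Tasks Management')
    'Reliability and Performance'             = @('Performance Logs and Alerts', 'File and Printer Sharing')
    'Disk Management'                         = @('Remote Volume Management')
    'Windows Firewall with Advanced Security' = @('Windows Firewall Remote Management')
}

function Get-RuleGroupsForSnapIns {
    param([Parameter(Mandatory)][string[]]$SnapIn)
    $groups = foreach ($s in $SnapIn) {
        if (-not $SnapInToRuleGroup.ContainsKey($s)) { throw "Unknown snap-in: $s" }
        $SnapInToRuleGroup[$s]
    }
    $groups | Sort-Object -Unique
}

function Get-RuleGroupCommands {
    # Least privilege: open the specific groups rather than everything (or turning the firewall off).
    param([Parameter(Mandatory)][string[]]$SnapIn)
    foreach ($g in (Get-RuleGroupsForSnapIns $SnapIn)) {
        "netsh advfirewall firewall set rule group=`"$g`" new enable=yes"
    }
}

function ConvertFrom-NetshRuleList {
    # Each rule block starts with "Rule Name:"; we keep the Enabled and Grouping fields.
    param([Parameter(Mandatory)][string]$Text)
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{ Name = $Matches[1].Trim(); Enabled = ''; Grouping = '' }
        } elseif ($current -and $line -match '^(Enabled|Grouping):\s+(.+)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Test-RuleGroupsEnabled {
    param([Parameter(Mandatory)][string[]]$SnapIn, [Parameter(Mandatory)][string]$NetshOutput)
    $rules = @(ConvertFrom-NetshRuleList $NetshOutput)
    foreach ($g in (Get-RuleGroupsForSnapIns $SnapIn)) {
        $inGroup  = @($rules | Where-Object { $_.Grouping -eq $g })
        $disabled = @($inGroup | Where-Object { $_.Enabled -ne 'Yes' })
        if ($inGroup.Count -eq 0)      { "MISSING  $g (no inbound rules found)" }
        elseif ($disabled.Count -gt 0) { "DISABLED $g : $($disabled.Name -join ', ')" }
        else                           { "OK       $g" }
    }
}

# Constructed sample of "netsh advfirewall firewall show rule name=all dir=in" (trimmed).
$sampleNetsh = @"
Rule Name:                            Remote Event Log Management (RPC)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Grouping:                             Remote Event Log Management

Rule Name:                            Remote Event Log Management (NP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             Remote Event Log Management

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             File and Printer Sharing
"@

Get-RuleGroupCommands -SnapIn 'Event Viewer', 'Shared Folders'
Test-RuleGroupsEnabled -SnapIn 'Event Viewer', 'Shared Folders' -NetshOutput $sampleNetsh
```

With the sample above the check reports Remote Event Log Management as DISABLED (its RPC rule is still off) and File and Printer Sharing as OK, which is exactly the half-configured state you get when someone enabled one rule by hand instead of the whole group. On a live box, feed it the real output: netsh advfirewall firewall show rule name=all dir=in | Out-String.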
Join a domain:
netdom join ComputerName /domain:DomainName /userd:UserName /passwordd:*
Note that /passwordd really does have two d's on the end, and the * makes netdom prompt for the password instead of leaving it in the command history.
Remove from a domain:
netdom remove ComputerName /domain:DomainName /userd:UserName /passwordd:*
Rename a Domain Member:
netdom renamecomputer %computername% /NewName:NewComputerName /userd:UserName /passwordd:*
Rename the local Administrator account:
wmic UserAccount where Name="Administrator" call Rename Name="new-name"
Add User to a Local Group:
net localgroup GroupName UserName /add
Remove User from a Local Group:
net localgroup GroupName UserName /delete
Confirm Domain and/or New Computer name:
Update User Passwords:
net user UserName * [/domain]
Toggle Remote Desktop on and off:
cscript %windir%\system32\scregedit.wsf /ar 0 (enable) or /ar 1 (disable)
Enable reduced security for RDP connections (drops the Network Level Authentication requirement so older RDP clients can connect; use /cs 1 to require NLA again):
cscript %windir%\system32\scregedit.wsf /cs 0
Activate Server Core:
Local method – slmgr.vbs -ato
Remote method – cscript %windir%\system32\slmgr.vbs ServerName UserName Password -ato
Rename a Stand-Alone Member:
netdom renamecomputer %computername% /NewName:NewComputerName
List of installed patches:
wmic qfe list
Install a patch:
wusa PatchName.msu /quiet
Configure for AutoUpdates:
cscript scregedit.wsf /AU /4
Disable AutoUpdates:
cscript scregedit.wsf /AU /1
View AutoUpdate Setting:
cscript scregedit.wsf /AU /v
Configure the Page File:
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=SizeInMB,MaximumSize=SizeInMB
Configure a Proxy Server: (Server Core cannot use a proxy that requires a password)
netsh winhttp set proxy ProxyServerName:Port
All your favorite TCP/IP commands work, including ipconfig, ping, tracert, nslookup and netstat.
List Running Services:
sc query
Start and/or Stop a Service:
sc start ServiceName / sc stop ServiceName (net start and net stop work too)
Task Manager: (Ctrl+Shift+Esc)
taskmgr
Manage Disk Volumes:
diskpart
Defrag a Volume:
defrag C:
Change Time and Time Zone:
control timedate.cpl
Change the Desktop Resolution: (requires you to log off and back on)
Regedit – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video
Display the Time in the Command Prompt:
prompt $t$s$p$g
Restart the server:
shutdown /r /t 0
To get Roles and Features installed you are going to need the ocsetup.exe command. The OC is short for Optional Components. The most important thing to remember about this command is that the component names are CASE SENSITIVE: a wrong-case name simply does nothing. As a best practice always launch it as start /w ocsetup, since the /w switch on start holds the Command Prompt until the setup is complete; otherwise you get the prompt back immediately and cannot tell when, or whether, the install finished. Run oclist to see which components are installed. Below you will find the commands required to install Roles on Server Core.
DNS Server
start /w ocsetup DNS-Server-Core-Role
DHCP Server
start /w ocsetup DHCPServerCore
File Services (the Server service is installed by default, but there are other role services):
File Replication Service
start /w ocsetup FRS-Infrastructure
Distributed File System
start /w ocsetup DFSN-Server
Distributed File System Replication
start /w ocsetup DFSR-Infrastructure-ServerEdition
Services for Network File System (NFS)
start /w ocsetup ServerForNFS-Base
start /w ocsetup ClientForNFS-Base
Hyper-V
start /w ocsetup Microsoft-Hyper-V
Print Server feature
start /w ocsetup Printing-ServerCore-Role
Line Printer Daemon (LPD) service
start /w ocsetup Printing-LPDPrintService
Active Directory Lightweight Directory Services
start /w ocsetup DirectoryServices-ADAM-ServerCore
Active Directory Domain Services
Installed with dcpromo and an unattend file (dcpromo /unattend:UnattendFile), not with ocsetup.
Streaming Media Services
Follow directions found in Article ID 934518
Web Server (IIS)
start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel
To uninstall IIS use the following command
start /w pkgmgr /uu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel
NOTE: To uninstall a Role that you installed with ocsetup, append /uninstall to the command you used to install it.
Now let's take a look at how we install Features on Server Core:
Microsoft Failover Clustering
start /w ocsetup FailoverCluster-Core
Network Load Balancing
start /w ocsetup NetworkLoadBalancingHeadlessServer
Subsystem for UNIX-based Applications
start /w ocsetup SUACore
Multipath I/O
start /w ocsetup MultipathIo
Removable Storage Management
start /w ocsetup Microsoft-Windows-RemovableStorageManagementCore
BitLocker Drive Encryption
start /w ocsetup BitLocker
Windows Server Backup
start /w ocsetup WindowsServerBackup
Simple Network Management Protocol (SNMP)
start /w ocsetup SNMP-SC
Windows Internet Name Service (WINS)
start /w ocsetup WINS-SC
Telnet Client
start /w ocsetup TelnetClient
NOTE: To uninstall a Feature that you installed with ocsetup, append /uninstall to the command you used to install it.
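Because ocsetup is case sensitive and gives no feedback when it gets a name wrong, here is an added PowerShell example (mine, not from the original post) that builds the start /w ocsetup commands from a case-checked list of the Role and Feature component names above, and reads oclist output to confirm what is actually installed before and after. The oclist text is a constructed sample; the parser assumes its "Installed:<name>" / "Not Installed:<name>" line format, and the component list is the one on this page, not an exhaustive one.

```powershell
# Added example, not from the original post. Case-check Server Core component names,
# generate "start /w ocsetup" commands, and compare against oclist output.
# The oclist text at the bottom is a constructed sample.

# Component names exactly as this article lists them (ocsetup needs the exact case).
$KnownComponents = @(
    'DNS-Server-Core-Role', 'DHCPServerCore', 'FRS-Infrastructure', 'DFSN-Server',
    'DFSR-Infrastructure-ServerEdition', 'ServerForNFS-Base', 'ClientForNFS-Base',
    'Microsoft-Hyper-V', 'Printing-ServerCore-Role', 'Printing-LPDPrintService',
    'DirectoryServices-ADAM-ServerCore', 'FailoverCluster-Core',
    'NetworkLoadBalancingHeadlessServer', 'SUACore', 'MultipathIo',
    'Microsoft-Windows-RemovableStorageManagementCore', 'BitLocker',
    'WindowsServerBackup', 'SNMP-SC', 'WINS-SC', 'TelnetClient'
)

function Resolve-ComponentName {
    # Returns the exact-case name, or throws with a useful message on a case mismatch.
    param([Parameter(Mandatory)][string]$Name)
    $exact = $KnownComponents | Where-Object { $_ -ceq $Name }
    if ($exact) { return $exact }
    $caseOnly = $KnownComponents | Where-Object { $_ -ieq $Name }
    if ($caseOnly) { throw "'$Name' has the wrong case; ocsetup needs exactly '$caseOnly'" }
    throw "'$Name' is not a known Server Core component"
}

function Get-OcsetupCommand {
    param([Parameter(Mandatory)][string[]]$Component, [switch]$Uninstall)
    foreach ($c in $Component) {
        $n = Resolve-ComponentName $c
        if ($Uninstall) { "start /w ocsetup $n /uninstall" } else { "start /w ocsetup $n" }
    }
}

function ConvertFrom-OcList {
    # Assumed oclist line format: optional "---" prefix for child items, then
    # "Installed:<name>" or "Not Installed:<name>".
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(?:---\s*)?(?<state>Installed|Not Installed):(?<name>\S+)') {
            [pscustomobject]@{ Name = $Matches.name; Installed = ($Matches.state -eq 'Installed') }
        }
    }
}

function Test-ComponentInstalled {
    param([Parameter(Mandatory)][string[]]$Component, [Parameter(Mandatory)][string]$OcListOutput)
    $state = @{}
    ConvertFrom-OcList $OcListOutput | ForEach-Object { $state[$_.Name] = $_.Installed }
    foreach ($c in $Component) {
        $n = Resolve-ComponentName $c
        if (-not $state.ContainsKey($n)) { "UNKNOWN   $n (not in oclist output)" }
        elseif ($state[$n])             { "INSTALLED $n" }
        else                            { "MISSING   $n -> start /w ocsetup $n" }
    }
}

# Constructed sample of oclist output (trimmed).
$sampleOcList = @"
Use the listed update names with Ocsetup.exe to install/uninstall a server role or optional feature.
Not Installed:BitLocker
Installed:DNS-Server-Core-Role
Not Installed:FailoverCluster-Core
Installed:SNMP-SC
"@

Get-OcsetupCommand -Component 'DNS-Server-Core-Role', 'BitLocker'
try { Get-OcsetupCommand -Component 'bitlocker' } catch { "Rejected: $_" }
Test-ComponentInstalled -Component 'DNS-Server-Core-Role', 'BitLocker', 'FailoverCluster-Core' -OcListOutput $sampleOcList
```

The lower-case 'bitlocker' is rejected with the exact name you should have typed, and the oclist comparison shows DNS as installed while BitLocker and Failover Clustering are still missing, each with the command that fixes it. On a real box replace the sample with oclist | Out-String and run the emitted commands from the Server Core prompt.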
Having the Role or Feature installed doesn't do much without going in and configuring the service. The quick and easy way to manage these Roles and Features is to have either a dedicated Terminal Server with the AdminPak or Remote Server Administration Tools (RSAT) installed, or just install those same tools on XP or Vista.
I know this isn't a complete listing of the commands, but I really believe it should help you get started in the right direction. One of the best resources out there is the Windows Server 2008 Step-by-Step Guides. For this case you will want to download the Server_Core_Installation_Option_of_Windows_Server_2008_Step-By-Step_Guide.doc guide.
I'm confused...really confused. One of Windows Server 2008's new touted upgrades is IIS7. Maybe it's just me, but I've always thought FTP was part of IIS...and it is in Windows Server 2008. So why am I so confused? Well, apparently Microsoft and the IIS team (which I'm a big fan of!) released another version of FTP as a separate download. Oh, and get this, its name is FTP7.
Yes, you heard correctly. FTP7 is not the same FTP service that is included with IIS7. I saw this over at IIS.net, which is the home of the IIS team. Take a look for yourself, but I snatched the main bullets below:
My first thought was one of confusion, but then I started to think a little further. Now that it is a separate download perhaps I could install it on Server 2003 or Vista or DOS...ok, so maybe not DOS. Well, here is what you get when you try to install it on anything but Server 2008. 🙁
You will have to have IIS7 installed for this to work, but you will have to ensure that the FTP portion of IIS7 is uninstalled before you install this one. Head on over to IIS.net to download the latest revision of FTP7.
After spending a bit of time on Amazon I noticed that books, movies, and other random things you can buy all had customer reviews. I started to think, why don't white papers and technical documents have the same? Today I've decided to take action against poorly written technical papers and ensure that those companies are held accountable for what they are publishing. OK, maybe I'm not that gung-ho about it, but I do think it would be nice to give a review here and there on stuff I've read through.
Today's review is of the Windows Server 2008 Reviewers Guide. How interesting to start my reviews on a Reviewers Guide. From what I can gather this guide has been available since early February and comes in two forms, Full and Short. The Full version weighs in at just under 11 MB while the Short version is just over 8 MB. Not much of a difference in size. The Full version is a whopping 250 pages while the Short version is 116 pages. I actually thought the Short version would have been much shorter. This review is for the Full version.
Usually when I download these Guides I notice that they are 100% marketing speak and 0% technical. I was pleasantly surprised that this Guide had only a few areas littered with marketing junk. If you can get past the first few pages you are presented with several tables detailing which features work on which edition of Windows Server 2008. Since this is a new OS I'm quite fond of that, as I'm still trying to figure out what goes where.
Section 2: Server Virtualization – I really hoped to get a lot out of this section and quite frankly it did not deliver. It provides a good high-level overview of Hyper-V but not much of anything when it comes to technical details. I'm also not sure why there is even a page on Server Core here, as it is really out of place. Feel free to skip this section if you have been working with virtualization for some time now.
Section 3: Centralized Application Access – This section was all about Terminal Services (TS). Since there are quite a few changes to this service in Windows Server 2008 I was again looking forward to this section. For me, this one delivered. It went over all the new features, and the best part of the entire section was that it gave you the Group Policy locations to configure certain TS options!
Section 4: Branch Office – All I've been hearing about with Server 2008 is branch office this and branch office that. Because of that I expected to see a lot in this section. The Read-Only Domain Controller (RODC) part was decent. It actually gave some info that I didn't expect to see, like which Active Directory attributes were added to the schema to support RODCs. I also thought a decent job was done on the BitLocker portion, as it went into the commands to install it and the Group Policy settings. As for the DFS portion, I really wanted to see more. It lacked the detail given to the other products in this section.
Section 5: Security and Policy Enforcement – At over 80 pages this was the largest of all the sections and covered a wide range of features within Windows Server 2008. The first few areas go over some definitions and can be used as a good reference later. There were so many, in fact, that I had to skip ahead because I felt I was studying for an exam. The Routing and Remote Access Service portion was very light and only highlighted some new technologies and removed ones (thanks for finally removing OSPF...it never belonged on a server). I wanted to see more in the next section on how some of the services would work with IPv6; there was very little detail on that. The Firewall portion of this section did a good job explaining what changed in Server 2008 from previous versions (client and server). The Cryptography Next Generation portion provided nothing more than an overview.
Now we begin the Active Directory portion of this section, starting with an excellent write-up of Active Directory Certificate Services. I felt it was adequately covered, hitting all the major points of interest. This was followed by Active Directory Domain Services, and the team did another good job on this area. There isn't a lot of technical how-to here, but it will inform you on what is new. Federation Services was covered next and there was some good reading there, with a nice flow chart to follow along with. Let's just say that the Active Directory Lightweight Directory Services portion was...well...light. Finishing up Section 5 was an area that I really wanted to read up on, Active Directory Rights Management Services. I was disappointed, but only because I wanted more technical information on this product. Perhaps a scenario or two here with some flow charts would have been beneficial.
Section 6: Web and Application Platform – I've been a big fan of IIS since all the great changes that were made in IIS6. I haven't had time to look into IIS7 in great detail, but this was about to change. I felt empty after reading this portion. What about FTP being completely redone? Nothing! The last portion is about Transactional NTFS; I think that page and a half will only confuse people and leave them wondering how to turn it on.
Section 7: Server Management – The first three portions of this section are a very basic introduction to Server Manager. It is nice to have a reference of all the Roles and Features in Server Manager, though. The next area is a brief introduction to PowerShell. As much as I would love to see more technical info here, this is the one area I can give a pass: PowerShell is not something you want people learning from a Reviewers Guide. To my dismay there were a total of 4 pages on Server Core and all of them marketing! I really wish there had been more info here. The same marketing theme was put into the Backup portion, but that is OK with me because not many mid-to-large companies use the built-in backup tool. An area I thought would have been really nice was the Windows Reliability and Performance Monitor. Again, it really lacked any details about the feature. The only things I would have liked to see added to the Windows Deployment Services (WDS) portion are some sample scripts or commands, and any Group Policy settings that apply to WDS. The Group Policy portion finishes this section off and saves the section in my opinion. Great job to the people that put that area together.
Section 8: High Availability Introduction – Why is it that every guide I read lacks information on clusters and network load balanced systems? All 7 pages are marketing, with nothing to get the technical person excited about high availability.
Section 9: Better Together & Section 10: Miscellaneous – Feel free to skip these areas. Section 9 is a sales pitch to put Vista and Server 2008 together, and Section 10 should have been put in the first section.
It's now time for my rating. This is 100% subjective: my opinion and only my opinion. If you feel it should be different, let me know by providing feedback in the comments section. I will rate each section on a scale of 1 – 5, with 5 being the best possible. Then I will rate the entire guide, but that will not just be the average of all the scores; I will rate it on its usefulness to the community.
Brian's Official Rating Scale
1 = Why were calories spent on this?
2 = Save some trees and don't print this one
3 = Some areas are good but some aren't so good
4 = Kept my technical interest and definitely printable
5 = Excellent – Print it out and keep it as a reference in your office
Rating on a scale of 1 – 5:
Windows Server 2008 Reviewers Guide – 3
Back in January of 2007 I posted that TechNet Magazine had a really cool poster that showed Active Directory as a jigsaw puzzle. I noticed in my latest copy of TechNet Magazine that it included two new posters. One of them was another Active Directory poster that showed all the cool new stuff in Windows Server 2008, and the other was one of the Windows Server 2008 components. I just saw that both of these are now available to download from Microsoft. This is something you will want to get your hands on, and if you don't get the TechNet magazine this is a great way to print it out too.
I just found another gem that I'm sure everyone will love. While surfing over at IIS.net I saw that they had 5 virtual labs on IIS, three on IIS 7 and two on IIS 6. These are the real deal: you connect to an actual virtual machine and have free rein over it. Each comes with a PDF lab manual that resembles the labs from the Official Curriculum that a CPLS would use. After digging a bit further I found that TechNet also had quite a few Virtual Labs available on Vista, SQL, Exchange, Office 2007, ISA, SharePoint, SMS, and Server 2003.
I thought it would be a good idea to put these labs all in one place for people to use. I know I'll be taking them!!!
IIS 6 and IIS 7
• Windows Vista Security Overview
• Windows Vista Management Overview
• Windows Vista Windows System Image Manager Overview
• Windows Vista Collaborate in Small Groups Anywhere, Anytime
• Windows Vista Improve your PC's Power Management
• Windows Vista Easily Manage your Data Synchronization
• Windows Vista Set Up and Connect to Networks with Simplicity
• Windows Vista Improved and Automated Help Options
• Windows Vista Instantly Search and Find Information
• Windows Vista Built-in Diagnostics
• Windows Vista Better Protection from Malware
• Windows Vista Browse with Enhanced Security
More Virtual labs
• What's New in SQL Server 2005
• Microsoft 2007 Office System Overview
• Introduction to Microsoft Exchange Server 2007
• Introduction to ISA Server 2006 Beta
• Introduction to SharePoint Portal Server 2003
• Microsoft Exchange Server 2003-Distribution
• Introduction to Windows Server 2003 Management
• SMS Hardware, Inventory and Web-Based Reports
Bob Muglia mentioned in the keynote at TechEd 2007 (I really wish I could be there) that IIS7 was in fact going to be included in Server Core. I know that a lot of hosting providers have been screaming for this, and rightfully so. While this sounds like outstanding news, it is only the first step in what really needs to be done. It lets you run a web/FTP server on a box with a reduced attack surface and a small footprint; however, it ONLY allows you to run non-ASP.NET sites and applications, because .NET is still not supported on Server Core. I'm not sure if it will be by the time it is released, but I truly hope they will find a way to get .NET working on Server Core.