Remote Server Administration for Windows 2012 R2

image

 

Prologue

Ace here again. This discusses remote administration. Simple, right? Maybe not!

Remote Server Administration for Windows 2012 R2

Server Manager in Windows Server® 2012 R2 can be used to perform various management tasks on remote servers. By default, remote management is enabled on Windows Server 2012 R2.You can add remote servers to the Server Manager Server pool in Windows Server 2012 R2 Server Manager.

Objectives

Discuss the following remote admin methods

  • What is Remote Management?
  • How to Enable and Disable Remote Management
  • Remote Management and Tools Commands
  • Server Manager
  • WinRM
  • PowerShell Remoting
  • Remote Desktop
  • Remote Server Administration Tools (RSAT)
  • SCONFIG

What is Remote Management?

Windows Server 2012 R2 provides the ability to remotely manage multiple servers with a number of methods. One of the newest features in Windows Server 2012 is the ability to use Server Manager for this task.

In addition to Windows Remote Management, you can also use Remote Shell and Remote Windows PowerShell to manage remote computers. This provides you the ability to locally load Windows PowerShell modules, such as Server Manager, and execute PowerShell cmdlets available in the loaded module on remote servers. This allows you the ability to run PowerShell commands and scripts. This works including when the script is only on the local server

Windows Remote Management (WinRM) is the Windows implementation of WS-Management, which is an industry standard, Web-based services based protocol. Windows runs the WinRM as a service under the same name, WinRM. WinRM provides secure local and remote communications for management applications and scripts.

In addition, Windows Remote Management is one of the components of the Windows Hardware Management features to allow secure local and remote Windows Server management across a firewall using standard Web service-based protocols.

If the server hardware has an optional, built-in Baseboard Management Controller (BMC) provided by the hardware vendor, you can also remotely manage a system even if the Windows operating system has not yet booted or has failed. This also allows access to the server’s BIOS.

A BMC is an option m provided by hardware vendors, that consists of a microcontroller and an independent network connection that you can communicate to if the server ever becomes offline.

When a server is not connected to a BMC, WinRM can still be used to connect to WMI remotely in situations where firewalls may block DCOM communications, because WinRM uses the secure web-based port, TCP 443.

Additional Reading on WinRM:

About Windows Remote Management
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx

Hardware Management Introduction (includes BMC information)
http://technet.microsoft.com/en-us/library/f550cac0-5344-41cb-8e89-6e5c93236886

.
 
How to Enable and Disable Remote Management

There are a number of methods to administer WinRM.

· Winrm.cmd – Command line tool that allows administrators to configure WinRM, get data, or manage resources. For syntax, you can run winrm /? for online help.

· Win-RM Scripting API – Allows you to create remote administration scripts that expose the WS-Management APIs and protocols.

· Winrs.exe –A command line tool to execute CMD commands on remote servers using WS-Management APIs. For example, to remotely get an ipconfig /all from a remote machine, you can run:
winrs –r:DC12.trimagna.com “ipconfig /all”;tasklist

You can also use the help command to see all possible options and syntax:
winrs –?

· IPMI and WMI Providers – The IPMI provider and drivers allow remote hardware management using BMC. These can be used programmatically.

· WMI Service – Using the WMI plug-in, WMI runs together with WinRM to provide data or control functions for remote management.

· WS-Management protocol – SOAP based protocol using XML messages. It is a web-based, firewall friendly protocol running across secure TCP 443 providing industry-standard interoperability to transfer and exchange management information.

Remote Management Tools and Commands

There are a number of ways to enable, disable and configure Remote Management.

Server Manager

To enable or disable Remote Management, in Server Manager Local Server node, click the text next to Remote Management icon.

WinRM Command

You can use the WinRM command to enable, disable, and configure Remote Management.

The syntax is:

WinRM OPERATION RESOURCE_URI [-SWITCH:VALUR [-SWITCH:VAKLUE] …] [@{KEY=VALUR [;KEP=VALUE]…}]

You can use the following to check the current Remote Management configuration and status:
winrm get winrm/config

Or you can run it remotely on another server using the WinRS command:
winrs –r:DC12-1.trimagna.com “winrm /config”;tasklist

To enable or disable Remote Management:
WinMR qc

When the WinRM qc command is run, it performs a number of steps to enable and configure the Remote Management service:

  1. Configures and changes the WinRM service from Manual to Automatic startup.
  2. Starts the WinRM service.
  3. Creates and configures a listener that will accept WinRM requests on any IP address.
  4. Creates a Windows Firewall exception for WS-Management traffic for the HTTP protocol.

If the Windows Firewall is disabled, you will see one of the following error messages:

  • WSManFault
  • Message
  • ProviderFault
  • WSManFault
  • Message = Unable to check the status of the firewall.
  • Error number: -2147023143 0x800706D9
  • There are no more endpoints available from the endpoint mapper.

To view the command syntax and options, you can run winrm -?

WinRM supports the following commands:

  • PUT
  • GET
  • ENUMERATION
  • INVOKE
WinRM Examples:

Start a service on a remote machine:
winrm invoke startservice wmicimv2/Win32_Service?name=w32time -r:DC12

Reboot a remote machine:
winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:FS1

Additional Reading on the WinRM commands:

An Introduction to WinRM Basics – From the EPS Windows Server Performance Team
http://blogs.technet.com/b/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx

.

PowerShell Remoting

There a number of cmdlets that use WMI for remote administration. The cmdlets invoke a temporary connection the remote computer using WMI, runs the command, then closes the session.

These cmdlets do not use WS-Management based remoting, therefore the computer does not require to be configured for WS-Management nor does it have to meet the system requirement for WS-Management. Because they are not WS-Management service related, you can use the ComputerName parameter in any of these cmdlets

You can run the Invoke-Command cmdlets to run commands on other computers.

For example, to get a list of all services on a remote computer that are either running or stopped, you can run the following command
Invoke-Command –computername DC12 –scriptblock {get-service)

Or to see the status of a single service:
Invoke-Command –computername DC12 –scriptblock {get-service WinRm)

Additional Reading on Remote PowerShell:

Windows PowerShell Remoting – Complete list of commands
http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx

.

 

Remote Server Administration Tools (RSAT) for Windows

Remote Server Administration Tools for Windows®  includes Server Manager, Microsoft Management Console (MMC) snap-ins, consoles, Windows PowerShell® cmdlets and providers, and some command-line tools for managing roles and features that run on Windows Server 2012 R2.

.

SCONFIG

For Server Core, you can use the SCONFIG command and choosing Option #4, then choosing Option #1 to Enable Remote Management, or Option #2 to Disable Remote Management.

image

Additional Reading on WinRM tools

About Windows Remote Management
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx

.

Remote Desktop

Remote Desktop has been used for a number of years, and it is the most common method to remotely administer a remote machine. To use Remote Desktop, it must be enabled first on the remote computer. To enable Remote Desktop on the full version of Windows Server 2012, perform the following steps”

  1. Open Server Manager
  2. Click the Local Server Node
  3. Click the “Disabled” status next to Remote Desktop.
  4. The System Properties page appears and is focused on the Remote tab.
  5. Under the Remote tab, select one of the following:
  1. Don’t allow connections to this computer – Default disabled.
  2. Allow connections only from Computers running:
  1. Checkbox: Allow Remote Desktop with Network Level Authentication – If you check this box, this setting enables and only allows secure connections from Remote Desktop clients that support network-level authentication.

image

You can also enable Remote Desktop on Sever Core using the SCONFIG command.

==================================================================

 

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Delegate Permissions for an OU in Active Directory Users and Computers (ADUC) & Create a Custom MMC, or Just Use RSAT

Updated 9/20/2016

Note- this was put together and fast published and there may be errors. Check back for updates when I add RSAT info.

Prologue

Ace here again. Yep, me again. This scenario comes up time to time. Sure, you can use the RSAT tools, but here an old fashioned, truly tried method that works nicely so a delegated OU admin can only see and do what they need to do in their OU.

Scope

After you Delegate Permissions in to a limited admin in Active Directory, such as the ability to reset passwords, you may want to create a custom ADUC MMC (console or custom taskpad)  for the delegated admin to control the portion of AD (the OU) they are allowed or delegated in.

For Windows 2003 AD – but it will work in 2008 and newer

The last time I set this up for a customer, involved a snap-in for each ‘location’ OU, I allowed to retain the rt-click context, and the tree view available in the custom console (left pane and right pane), but I removed everything else including the file menu buttons and such. So under View, Customize, uncheck everything except the top one that says Console Tree. This way they can’t go up level or click any of the things in there. But they will have the right-click feature.
 
You can also choose to remove the left hand pane (tree view).

MMC v2 and v3 are the same:

  • Start/run/mmc, hit enter
  • File, Add-Remove Snap-in, Add ADUC
  • Drill down under the domain to the OU you want.
  • Right-click on that OU, choose new window from here.
  • A new window pops up with the OU in the left pane and the contents in the right pane.
  • Close the original ADUC window leaving the new window open that you’ve just created.
  • Expand the window to take up the whole console. – This will keep them in this section and they will not be able to go up levels and are ‘stuck’ in this OU.
  • Select View/Customize
  • Uncheck everything but Console Tree.
  • File/Options Choose Console Mode, then select:

User mode: Limited Access single window
Check: Do not Save Changes to this console
Uncheck: Allow the user to customize views
Save it.

  • Logon as a test user that was delegated permissions and test it.

If you want to eliminate the ability for the delegated admin to right-click on a user account, uncheck the Console Tree above, then change the console view by right-clicking on the OU, choose New Task View, and choose a vertical or horizontal list, then choose to create a new task, menu command, highlight a user account, choose reset password, or anything else in the right column, choose an icon, and finish.

Copy the .MSC file via a UNC connected to the delegated person’s XP workstation’s \Documents and Settings\username\desktop folder, or if Windows Vista or newer, in the C:\users\username\desktop folder.

Keep in mind, the Active Directory Administration Center, RSAT tools or AdminPak tools, depending on what operating system version the client side is, needs to be installed on the workstation for the ADUC binaries to be available for this task pad to work.

 

For Windows 2003/Windows XP using the AdminPak tools just for the ADUC snap-in, nothing else:

Copy over the following three DLLS from the 2003 or newer DC you are on, to their client’s system32 folder. All three of these are needed on a 2003 DC or newer, or the ADUC won’t open. However, on an XP or newer machine, you only need two. If I were to allow users to change passwords and create a custom MMC for just that OU, then all I need is adprop.dll and dsadmin.dll, otherwise you need all three.

  • adprop.dll (for object properties)
  • dsadmin.dll (ability to alter object properties)
  • dsprop.dll (for object properties related to directory services)

Then you can use PSEXEC (one of the PSTools available free at Microsoft) to remotely register the DLLs listed below on their workstation using the regsrv32.exe utility.
Download PsExec v1.98, by By Mark Russinovich, Published: April 28, 2009
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

  • psexec \\machinename regsvr32 adprop.dll
  • psexec \\machinename regsvr32 dsadmin.dll
  • psexec \\machinename regsvr32 dsprop.dll

Here are some screenshots at the following link:

Create Taskpads for Active Directory Operations:
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

===============================================

For AD on Windows 2008 and newer:

You can use the ADAC & RSAT Tools, or you can use the above method.
Note: ADAC does not have a feature to break down specific tools to create a custom console as shown above.

For the Active Directory Administration Center and the RSAT tools:

For the Related links below for the new AD Admin Center. However, the Admin Center does not have the feature to break down just specific tools to create a custom console as shown above.

Active Directory Administration Center (ADAC):

Active Directory Administrative Center: Getting Started
http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx

Active Directory Administrative Center —  the New AD interface
http://techibee.com/active-directory/active-directory-administrative-center-a-new-ad-interface-for-win7-and-win-2008/290

Learn New Features in Active Directory Administrative Center
http://www.enterprisenetworkingplanet.com/windows/article.php/3887136/Learn-New-Features-in-Active-Directory-Administrative-Center.htm

Remote Server Administration Tools (RSAT) for Windows operating systems (Discusses how to install it for all versions of Windows)
https://support.microsoft.com/en-us/kb/2693643

Remote Server Administration Tools for Windows 10
https://www.microsoft.com/en-us/download/details.aspx?id=45520 

Customizing – Installing Remote Server Administration Tools (RSAT) for Windows 7
http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm

Remotely managing your Server Core using RSAT
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/04/27/remotely-managing-your-server-core-using-rsat.aspx
==================================================================

Summary

I hope this helps!

Last updated – 2/2006, updated 9/20/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002[3] clip_image004[3] clip_image006[3] clip_image008[3] clip_image010[3] clip_image012[3] clip_image014[3] clip_image016[3]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Kerberos Authentication Sequence Across Trusts

 

Intro

Hey everyone, Ace again. This is a quick publish on how Kerb authentication works across a trust.

Here’s how it works (no shortcut trusts)

AD Trusts - Kerberos Authentication Sequence across a trust (from the PPT slide)

A user in the marketing.trimagna.com domains needs to gain access to a file share on a server called fileserver.sales.contoso.com domain. This is assuming the User has already logged on to a workstation using credentials from the marketing.trimagna.com domain. As part of the logon process, the authenticating domain controller issues the User a ticket-granting ticket (TGT). This ticket is required for User1 to be authenticated to resources.

The User attempts to access a shared resource on \\FileServer.sales.contoso.com\share.

The following Kerberos V5 authentication process occurs:

1. The User’s workstation asks for a session ticket for the FileServer server in sales.contoso.com by contacting the Kerberos Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer.sales.contoso.com service principal name (SPN).

2. The KDC in the user’s domain (marketing.trimagna.com) does not find the SPN for FileServer.sales.contoso.com in its domain database and queries the GC to see if any domains in the forest contain this SPN.

a. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

b. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in marketing.trimagna.com.

3. The KDC in the marketing.trimagna.com then issues the workstation a TGT for the contoso.com domain. This is known as a referral ticket.

4. The workstation then contacts the KDC in the trimagna.com tree root domain to request a referral to the KDC in the sales.contoso.com.

5. The KDC in the trimagna.com domain recognizes the user’s request to establish a session with a resource that exists in a foreign domain’s server.

a. The KDC then issues a TGT for the KDC in the contoso.com domain.

6. The workstation then presents the TGT for the sales.contoso.com domain to the KDC in the contoso.com domain.

7. The contoso.com KDC queries a GC to see if any domains in the forest contain this SPN. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

a. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in contoso.com.

8. The KDC issues a TGT for the sales.contoso.com domain.

9. The workstation then contacts the KDC of the sales.contoso.com domain and presents the referral ticket it received from its own KDC.

a. The referral ticket is encrypted with the interdomain key that is decrypted by the foreign domain’s TGS.

b. Note: When there is a trust established between two domains, an interdomain key based on the trust password becomes available for authenticating KDC functions, therefore it’s used to encrypt and decrypt tickets.

10. The workstation also presents the KDC in the sales.contoso.com the TGT it received from the KDC in contoso.com for the sales.contoso.com domain and is issued a ST (Session Ticket) for the sales.contoso.com domain.

a. The ST is populated with the domain local group memberships from the sales.contoso.com domain.

11. The user presents FileServer.sales.contoso.com the ST to the server to gain access to resources on the server in sales.contoso.com.

12. The server, FileServer.sales.contoso.com compares the SIDs include in the session ticket to the ACEs on the requested resource to determine if the user is authorized to access the resource. If there is, the user is permitted to access the resource based on the ACL permissions.

Shortcut Trust

If a shortcut trust exists from the sales.contoso.com domain to the marketing.trimagna.com domain, then the trust path will shortened, therefore the user authentication path will be direct between the two domains.

image

Additional Reading
Kerberos Explained
http://technet.microsoft.com/en-us/library/bb742516.aspx

Accessing resources across domains [and trusts]
http://technet.microsoft.com/en-us/library/cc787646(v=ws.10).aspx

============================================================

Summary

I hope this helps!

Published 9/20/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image00262 clip_image00462 clip_image00662 clip_image00862 clip_image01062 clip_image01262 clip_image01462

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.