Archive for Windows Server 2008 R2

Here are two ways for you to use PowerShell to raise your Forest Functional level to Server 2008 R2:

  • get-adforest | set-adforestmode -forestmode windows2008R2Forest -confirm:$false
  • set-adforestmode -identity netbiosname -forestmode windows2008R2Forest -confirm:$false

Either way will work.  Enjoy

Tip of the day today is to view your Active Directory Tombstone period while using PowerShell

  1. From a PowerShell prompt, type:
     (get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=AdminPrep,DC=Local" -properties "tombstonelifetime").tombstonelifetime

The result shows up in days…very cool. 

Just make sure to change dc=AdminPrep,DC=Local to match your domain.
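Here is an added example (not from the original post) that does the same lookup without hard-coding dc=AdminPrep,DC=Local, by reading the configuration naming context from the rootDSE, and that handles the case where the attribute has never been set:

```powershell
# Added example: tombstone lifetime for whatever forest this client is joined to.
# Assumes the ActiveDirectory module (Server 2008 R2 / RSAT on Windows 7).
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    # configurationNamingContext comes from the rootDSE, so no domain name is typed in
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime

    if ($dsObject.tombstoneLifetime) {
        [int]$dsObject.tombstoneLifetime
    } else {
        # Attribute unset: forests created before Windows Server 2003 SP1 use the
        # legacy default of 60 days. Newer forests have 180 written explicitly.
        60
    }
}

$days = Get-TombstoneLifetime
"Tombstone lifetime: $days days"
# A backup older than this value cannot be restored safely, so it is also the
# upper bound on how old a usable Active Directory backup can be.
```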

SPNs seem to get more and more use these days so I thought it would be nice to give an explanation of what SPNs are.

SPNs are used for mapping a service to a user account. You will find SPNs used predominantly with Delegation and Impersonation, and a lot of times this is between a web server and another server hosting a service that requires Kerberos authentication.  The key here is that Kerberos authentication is required and thus this is primarily used within an organization or a trusted company.  An example of this would be when an end user logs on to a web server which then logs on to a SQL server.  The web server is trying to authenticate against the SQL server using the web user’s credentials but it doesn’t have the right to do that type of delegation.  If that were the case I don’t think online banking would be…well online.  :,,)  Now this is only the case when the web and SQL instances are on separate servers.  If they were on the same server you would not need to worry about SPNs.

Kerberos is the key here.  Kerberos authentication happens all the time and is very common.  The special part of Kerberos authentication is that it requires a ticket that ensures each party is who they say they are.  This ensures that a hacker can’t impersonate another user.  The only type of delegation that Windows allows is a Kerberos connection.  In short, the user knows how to contact and authenticate with the web server but has no idea who the SQL server is, yet needs data from it and needs to authenticate…thus delegation and impersonation need to occur.

An SPN is a name that Kerberos clients use to identify a service on a computer that is also using Kerberos.  In fact you can have multiple instances of a service running on a system and each could have its own SPN. SPNs have a specific format that they use which looks similar to this – <service class>/<host>:<port>/<service name>  The only parts that are required are the service class and host.  For example, HTTP/www.adminprep.com would be an SPN registration for any page on that website.  You would use the port option if you wanted to specify a port with the service, like this – MSSQLSvc/sqlservername.adminprep.com:3411.  More info on the formatting of SPNs can be found here.

SPN names can use short NetBIOS names or long FQDN names.  I recommend always using FQDNs as you can have potential name conflicts in a multi-domain forest with short names.
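As an added example (not from the original post), here is a script that pulls every registered SPN in the domain, splits it into the <service class>/<host>:<port>/<service name> pieces described above, flags SPNs registered on more than one account (which breaks Kerberos for that service) and flags hosts written as short names rather than FQDNs. It assumes the ActiveDirectory module; setspn -X gives the duplicate check by itself if you only want that.

```powershell
# Added example: audit servicePrincipalName across the domain.
Import-Module ActiveDirectory

function Get-SpnReport {
    # Users and computers can both carry servicePrincipalName; one LDAP query covers both
    $accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -Properties servicePrincipalName, sAMAccountName

    $rows = foreach ($acct in $accounts) {
        foreach ($spn in $acct.servicePrincipalName) {
            # Format is <service class>/<host>[:<port>][/<service name>]
            $parts    = $spn -split '/', 3
            $hostPart = if ($parts.Count -gt 1) { ($parts[1] -split ':')[0] } else { '' }
            New-Object PSObject -Property @{
                Account      = $acct.sAMAccountName
                SPN          = $spn
                ServiceClass = $parts[0]
                Host         = $hostPart
                # no dot in the host means a short NetBIOS name was registered
                ShortName    = ($hostPart -notmatch '\.')
            }
        }
    }

    # The same SPN on two accounts means the KDC cannot choose a key for the
    # ticket, so the service stops working over Kerberos; warn on each one.
    $dupes = $rows | Group-Object -Property SPN | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupes) {
        $owners = ($d.Group | ForEach-Object { $_.Account }) -join ', '
        Write-Warning ("Duplicate SPN {0} registered on: {1}" -f $d.Name, $owners)
    }
    $rows
}

$report = Get-SpnReport
# Short-name SPNs are the ones the paragraph above recommends replacing with FQDNs
$report | Where-Object { $_.ShortName } | Format-Table Account, SPN -AutoSize
```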

For a more detailed look into SPNs I’ve provided a few links below along with links to common issues.  However the first place you should go is to this TechNet article.

Service Principal Name (SPN) Resources and Issues

I’m sure you are like me when it comes to locking your desktop.  You ALWAYS do it.  Most if not all corporations today have a group policy in place that at least sets the Screen Saver on after a certain amount of time and requires a password for security reasons (User Configuration – Administrative Templates – Control Panel – Personalization – Password protect the screen saver).

You know as well as I do that there is always that one person that seems to always forget to lock their workstation.  Sure the group policy will kick in…eventually.  During that time the system is unlocked and the data vulnerable.

Since I’m such a huge fan of shortcuts I have two for the price of one today.  I will show you two methods to lock your workstation…even for those very forgetful people.

Method 1 (and what I think is the easiest)

By pressing the Windows key and L on the keyboard you effectively lock the system.  I use this one ALL the time.  It is the quickest method that I know.  However some people are not so keyboard shortcut friendly.

Method 2

For the people that prefer to use their mouse here are several steps to create a desktop shortcut.  This method is very similar to the post I had on creating a shortcut for the Network Properties in Server 2008.

1. From wherever you want the shortcut created, right click and select New –> Shortcut  (I recommend the Desktop)


2. Put the following into the location field: rundll32.exe user32.dll,LockWorkStation

3. Click Next and type whatever you would like the name of the Shortcut Icon to appear as and click Finish.

4. Time to change the way the Icon looks – Right Click on the newly created Shortcut and select Properties


5. Click the Change Icon… button and change the path to %SystemRoot%\system32\SHELL32.dll and now pick whichever Icon you prefer.


6. We finally have an icon available to lock the workstation on the Desktop.
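The six steps above as one script, added here as an example (not from the original post). It uses the WScript.Shell COM object that ships with Windows; the icon index 47 in SHELL32.dll is just an assumed choice for illustration.

```powershell
# Added example: create the "lock workstation" shortcut on the Desktop in one go.
function New-LockWorkstationShortcut {
    param([string]$Name = 'Lock Workstation', [int]$IconIndex = 47)

    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop "$Name.lnk"

    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($lnkPath)
    # Same target as step 2: rundll32 calling LockWorkStation in user32.dll
    $shortcut.TargetPath   = "$env:SystemRoot\System32\rundll32.exe"
    $shortcut.Arguments    = 'user32.dll,LockWorkStation'
    # Same icon library as step 5; the index is an assumed value, pick any you like
    $shortcut.IconLocation = "$env:SystemRoot\System32\SHELL32.dll,$IconIndex"
    $shortcut.Description  = 'Lock this workstation (same as Win+L)'
    $shortcut.Save()

    # Re-open the .lnk and confirm it points where we expect before handing it out
    $check = $shell.CreateShortcut($lnkPath)
    if ($check.Arguments -ne 'user32.dll,LockWorkStation') {
        throw "Shortcut at $lnkPath was not written as expected"
    }
    $lnkPath
}

New-LockWorkstationShortcut
```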


I personally love when people at work leave their workstations unlocked.  Like a lot of you, I’m sure you like to teach that person a lesson.  Perhaps mess with the background…a nice screensaver message on how much they look up to me!

If you have been playing with the AD PowerShell cmdlets you know that it requires a few things to run: first Windows Server 2008 R2 or Windows 7, the .NET Framework 3.5.1 and of course, if you want to manage an AD domain, you need Active Directory Web Services (ADWS) installed on at least one domain controller.

By the way ADWS requires TCP port 9389

So how in the world does a Windows 7 system know how to find a DC running ADWS?  Well your client running PowerShell will use the normal DC locator process.  First the client will determine which site it is in (nltest /dsgetsite) and then it will determine the closest DC (nltest /dsgetdc:<FQDN Domain>).  It is looking at the DC for the following flag:

DS_WEB_SERVICE_REQUIRED

More info on that flag can be found here.

Now what if you don’t have Server 2008 R2 DCs?  With Server 2003 and Server 2008 a problem occurs because the Net Logon service of those domain controllers does not recognize the DS_WEB_SERVICE_REQUIRED flag.  There are two hotfixes (one for whatever version of AD you are running) available to fix that in those environments.  Server 2003 and Server 2008

After you install this hotfix the AD PowerShell module and Active Directory Administrative Center will be able to locate DCs that have Active Directory Management Gateway Service installed, similar to Active Directory Web Services (ADWS) on a Windows Server 2008 R2-based computer.
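To see the locator do this from PowerShell rather than nltest, here is an added example (not from the original post) that asks for a DC advertising ADWS and then checks that TCP 9389 on it is actually reachable from the client. It assumes the ActiveDirectory module; Get-ADDomainController -Discover -Service ADWS is the cmdlet's way of setting DS_WEB_SERVICE_REQUIRED.

```powershell
# Added example: locate an ADWS-capable DC and verify port 9389 from this client.
Import-Module ActiveDirectory

function Test-AdwsEndpoint {
    param([string]$Domain = $env:USERDNSDOMAIN, [int]$TimeoutMs = 3000)

    # -Service ADWS makes the locator return only DCs that run ADWS (or the
    # management gateway on a hotfixed 2003/2008 DC); it throws if none is found.
    $dc       = Get-ADDomainController -Discover -DomainName $Domain -Service ADWS
    $hostName = [string]$dc.HostName

    # The locator says the DC advertises ADWS; a firewall can still block 9389,
    # so open a plain TCP connection with a timeout to confirm.
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($hostName, 9389, $null, $null)
    $open   = $false
    if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
        try { $client.EndConnect($async); $open = $true } catch { $open = $false }
    }
    $client.Close()

    New-Object PSObject -Property @{
        Domain   = $Domain
        DC       = $hostName
        Site     = [string]$dc.Site
        Port9389 = $open
    }
}

Test-AdwsEndpoint | Format-List Domain, DC, Site, Port9389
```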

UPDATE – Microsoft appears to have taken this download down.  No word why or when it will be back up.

Looks like Microsoft just made the Windows 7 LDS (Lightweight Directory Services) client available.  You can find both 32 and 64 bit clients here.

For those that aren’t familiar with LDS, it is the Server 2008 replacement for ADAM, otherwise known as Active Directory Application Mode.  While I’m no developer, LDS is a good platform for applications that require directory storage and access.  It has most of the components of Active Directory without the complete infrastructure needed for Active Directory.

Did I say free?  You bet I did.  Microsoft has done this for quite some time now and is something everyone should take advantage of.  Especially in today’s economy where training budgets are getting slashed. 

Here are three great labs that you can use to learn all about Server 2008 R2’s Active Directory. 

Windows Server 2008 R2: What’s New in Active Directory

Windows Server 2008 R2: Active Directory and Server Manager Remoting

Windows Server 2008 R2: Active Directory Recycle Bin, PowerShell V2, and Remoting


Do you have any cool free training resources?

With PowerShell 2.0 being released with Windows 7 and Server 2008 R2 there is plenty of fun stuff to do.  Although what I’m about to show you is not specific to PoSh 2.0, it is a great way to pull info from the Event Viewer.

When I’m presented with a problem on a server one of the first places I go is the Event Viewer.  Sure there are ways to filter it but I’d always wanted a way to dump that filter into another file to review later on another system.  PowerShell gives you a great method for displaying events as well as saving those results to a file.

The Event Log has several cmdlets available which can be seen here:

Get-EventLog
Clear-EventLog
Write-EventLog
Limit-EventLog
Show-EventLog
New-EventLog
Remove-EventLog

As you can see you can read and write to the Event Viewer here.  The Get-EventLog cmdlet is a favorite of mine.  With it you specify which Event Log to view and off you go.  Below is an example of using that command and showing how to only list the first 20 events.

Get-Eventlog -Logname System -Newest 20

Now if you want to save that you have several options.  You can save it as a text, htm or csv file.  Realize it may take awhile to build the whole file.  Below are the commands needed to output the files.

Get-Eventlog System | Out-file c:\Temp\system.txt
Get-Eventlog System | ConvertTo-html | Out-file c:\Temp\system.htm
Get-Eventlog System | ConvertTo-csv | Out-file c:\Temp\system.csv

The great thing is you don’t have to show everything.  If you want you can filter by the Event ID by using the –instanceid switch.  Below is an example.

Get-Eventlog System -instanceid 4 | Out-file c:\Temp\EventID4.txt
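Putting the pieces above together, here is an added example (not from the original post) that wraps the filter and the export in one function, takes a list of event IDs instead of a single one, trims the read with -After so the whole log is not pulled, and can point at another machine with -ComputerName. The event IDs in the sample call (6008 unexpected shutdown, 7031/7034 service crash) are standard System log IDs used only for illustration.

```powershell
# Added example: filter a classic event log by ID and time, then save it as CSV.
function Export-FilteredEventLog {
    param(
        [string]$LogName = 'System',
        [long[]]$InstanceId,
        [datetime]$After = (Get-Date).AddDays(-1),
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Path = "C:\Temp\$LogName-events.csv"
    )
    # Build the Get-EventLog arguments once; -InstanceId is added only when given,
    # so calling without it exports every event in the window.
    $params = @{ LogName = $LogName; After = $After; ComputerName = $ComputerName }
    if ($InstanceId) { $params['InstanceId'] = $InstanceId }

    $events = @(Get-EventLog @params |
        Select-Object MachineName, TimeGenerated, EntryType, Source, InstanceId, Message)

    # Export-Csv writes the file directly (same result as ConvertTo-Csv | Out-File)
    $events | Export-Csv -Path $Path -NoTypeInformation
    $events.Count
}

# Last week's unexpected shutdowns and service crashes from the System log
$n = Export-FilteredEventLog -LogName System -InstanceId 6008, 7031, 7034 `
        -After (Get-Date).AddDays(-7)
"$n events written"
```

Get-EventLog only reads the classic logs (Application, System, Security and friends); for the newer Applications and Services channels on Vista and later you need Get-WinEvent instead.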

As you can see PowerShell is really handy when it comes to EventLog management.  The best part is I haven’t even talked about Remoting.  You can use PowerShell to remote into other machines in your environment running PowerShell 2.  But that is another story…

I’m sure a lot of you have been playing with PowerShell.  If not you better get on it!!!  I’m not as far along as I wish I was but there is help out there.  One great place is to see what others have done.  Microsoft’s TechNet Scripting Center has a place where you can upload your own scripts and search what others have done.  This is great for a community of learning developers…did I just say developers…ewwwww.  :,,)

This link provides a shortcut to filter just the Active Directory related scripts.  From here you can find scripts on Computer Accounts, Domains, Groups, Monitoring, OUs, Searching Active Directory, Sites and Subnets and User Accounts!

If you want to just view all the PowerShell scripts just hit this URL – http://gallery.technet.microsoft.com/ScriptCenter/en-us.  Here you will find scripts on Active Directory, Applications, Backup and System Restore, Databases, Desktop Management, Group Policy, Hardware, Interoperability and Migration, Local Account Management, Logs and monitoring, Messaging & Communication, Multimedia, Networking, Office, Operating System, Other Directory Services, Printing, Remote Desktop Services, Scripting Techniques, Security, Servers, Storage, System Center, Using the Internet and Windows Update.  WOW that is a wealth of info.

Enjoy and please share if you have any cool ones yourself.

There are a ton of methods to backup Active Directory.  I’m not going to get into each method with this post.  What I am going to do is share another little command that can be run to check to see if your Active Directory was backed up and when.

Before I discuss that command one point I would like to make is to be very careful about who you let backup and restore your Active Directory DB.  From a security standpoint this could be a major violation of your company’s security policy.  Think about it for a minute.  Let’s say I work in a support group in your company that provides backup and restore services for all systems, including Domain Controllers.  I could take that backup of Active Directory and restore it to a private system that I have.  Now I could use a number of tools to help try to crack into it.  Sure it may take a bit of time but I’ve got plenty of time.

If you have a group that is responsible for backups and restores on Domain Controllers then I believe you need to put some really good policies and guidelines in place to protect your most important asset…Active Directory.  I actually don’t like anyone backing up Active Directory that isn’t an Administrator and I always select the option that only an Administrator can restore the backup.  I understand that a rogue admin could do harm but at least there was some mitigation put in place.

Now, finally to the point.  Is my Active Directory backed up?  For this one we are going to run another Repadmin command.

repadmin /showbackup

This will show you when your last backup of Active Directory ran.  You don’t need to run it against a specific DC because Active Directory doesn’t care.  If you have child domains in your environment and want to run this against them all just put a * at the end of the command and it will check all the domains.
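Reading that output by eye is fine for one DC; across a forest it helps to have a script flag partitions whose last backup is getting old. Here is an added example (not from the original post) that runs repadmin /showbackup, parses the timestamps and warns past a threshold. It assumes the output format I've seen on 2008 R2: a "running command ... against full DC <name>" line, then each partition DN on its own line followed by a dSASignature line with a yyyy-MM-dd HH:mm:ss timestamp; adjust the regexes if your build prints it differently.

```powershell
# Added example: turn repadmin /showbackup into objects and flag stale backups.
function Get-AdBackupAge {
    param([string]$DcList = '*', [int]$MaxAgeDays = 30)

    $dc = $null; $partition = $null
    # 2>&1 keeps repadmin's error text in the stream so a failed DC is visible
    $output = repadmin /showbackup $DcList 2>&1 | ForEach-Object { [string]$_ }

    foreach ($line in $output) {
        if ($line -match 'against (?:full )?DC (\S+)') {
            $dc = $matches[1]                     # which DC the next lines belong to
        } elseif ($line -match '^\s*(DC=|CN=)') {
            $partition = $line.Trim()             # naming context being reported
        } elseif ($line -match 'dSASignature\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            # dSASignature is stamped when a system-state backup of this NC completes
            $when = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
            $age  = [int]((Get-Date) - $when).TotalDays
            New-Object PSObject -Property @{
                DC = $dc; Partition = $partition; LastBackup = $when
                AgeDays = $age; Stale = ($age -gt $MaxAgeDays)
            }
        }
    }
}

# Keep the threshold well below the tombstone lifetime: a backup older than that
# cannot be restored into the forest at all.
$report = Get-AdBackupAge -MaxAgeDays 30
$report | Format-Table DC, Partition, LastBackup, AgeDays, Stale -AutoSize
$report | Where-Object { $_.Stale } |
    ForEach-Object { Write-Warning "Stale backup: $($_.Partition) on $($_.DC) ($($_.AgeDays) days)" }
```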

Now go out there and make sure your Active Directory is backed up!!!