Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Windows Server’ Category

(2018-10-22) Cloning Windows 10 Or Windows Server 2016 May Break Hybrid Azure AD Domain Join

Posted by Jorge on 2018-10-22


When cloning Windows computers you are basically copying everything from some source computer to one or more target computers. One of the benefits is the speed of deployment and the time you save by not having to configure everything every single time. Are there downsides? Yes, there are, at least if you do not take some risk-mitigating measures. One of those is the SID of the local computer. Every time you deploy a cloned version of Windows you MUST execute SYSPREP to make sure the clone gets its own unique SID. If you don’t, at the beginning and along the way things may appear to be correct. However, at some point in time you may find yourself with a huge headache trying to understand why something does not work or shows weird behavior.

Recently I found another downside of cloning, which in the end can be mitigated with some post-deployment actions.

For more info about Hybrid Azure AD Domain Join (HAADJ) please also have a look at

I was trying to Hybrid Azure AD Domain Join (HAADJ) an AD domain-joined Windows Server 2016 by logging on, waiting for the scheduled task to kick in and checking the relevant Event Logs, and later on under the context of “NT AUTHORITY\SYSTEM” by running DSREGCMD.EXE /DEBUG. When running that last command I kept seeing the following error at the end:

DsrDeviceAutoJoinFederated failed with -2146893802
wmain: failed with error code 0x80090016.

After some troubleshooting I discovered that Windows was a cloned deployment. One of the things that is also cloned is the key material, which lives in the folder “C:\ProgramData\Microsoft\Crypto\Keys”. The solution therefore is to get rid of the old key material and start fresh from the beginning. You can do that by running the following PowerShell commands:

# Rename The “Keys” Folder To “KeysOLD”
Rename-Item -Path "C:\ProgramData\Microsoft\Crypto\Keys" -NewName "KeysOLD"

# Create A New “Keys” Folder
New-Item -Path "C:\ProgramData\Microsoft\Crypto\Keys" -ItemType Directory

# Copy The ACL From The “KeysOLD” Folder To The New “Keys” Folder
Get-Acl -Path "C:\ProgramData\Microsoft\Crypto\KeysOLD" | Set-Acl -Path "C:\ProgramData\Microsoft\Crypto\Keys"

Now retry HAADJ by rebooting the Windows computer and logging on, or by executing DSREGCMD.EXE /DEBUG under the context of “NT AUTHORITY\SYSTEM”. It should work now!

REMARK: If you did not know it yet, you can get into the context of “NT AUTHORITY\SYSTEM” by using PSEXEC and running the following command: PSEXEC -i -s CMD.EXE
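The same reset as the three commands above, wrapped with the checks I would want before running it on a production box (added example, not code from the original post). It assumes an elevated session on Windows 10 / Server 2016, that the join task is the standard "Automatic-Device-Join" task under Workplace Join, and that 0x80090016 (decimal -2146893802) is NTE_BAD_KEYSET, "Keyset does not exist".

```powershell
# Added example (not from the original post): reset the CNG machine key store of a
# cloned computer and retry Hybrid Azure AD Join, with checks around the reset.
# Assumptions: elevated session; Windows 10 / Server 2016; standard Workplace Join task name.
$KeysPath   = 'C:\ProgramData\Microsoft\Crypto\Keys'
$BackupPath = '{0}OLD-{1}' -f $KeysPath, (Get-Date -Format 'yyyyMMdd-HHmmss')

# 1. Skip the reset if the device is already Azure AD joined
$status = (dsregcmd.exe /status) -join "`n"
if ($status -match 'AzureAdJoined\s*:\s*YES') {
    Write-Host 'Device is already Azure AD joined; no reset needed.'
    return
}

# 2. This folder is the machine key store of the Microsoft Software Key Storage
#    Provider, so machine certificates with private keys (IIS, RDP, 802.1X, ...)
#    may stop working after the reset; list them so they can be re-enrolled.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Write-Warning ('Has private key: {0} ({1})' -f $_.Subject, $_.Thumbprint) }

# 3. Move the cloned key material aside (time-stamped, so an earlier KeysOLD is
#    never overwritten), recreate the folder and copy the original ACL onto it
Rename-Item -Path $KeysPath -NewName (Split-Path $BackupPath -Leaf)
New-Item -Path $KeysPath -ItemType Directory | Out-Null
Get-Acl -Path $BackupPath | Set-Acl -Path $KeysPath

# 4. Trigger the join task (it runs as SYSTEM) instead of waiting for the next logon
Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
Start-Sleep -Seconds 60

# 5. Verify, and surface the device registration events if the join still fails
$status = (dsregcmd.exe /status) -join "`n"
if ($status -match 'AzureAdJoined\s*:\s*YES') {
    Write-Host 'Hybrid Azure AD Join succeeded.'
} else {
    Write-Warning 'Device still not Azure AD joined; recent registration events:'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        StartTime = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List
}
```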

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-


Posted in Azure AD Join, Windows Azure Active Directory, Windows Client, Windows Server | 3 Comments »

(2018-10-21) Grant, Revoke Or Get DCOM Permissions Using PowerShell

Posted by Jorge on 2018-10-21


Have you ever needed to script granting or revoking DCOM permissions, or maybe just retrieving DCOM permissions? If the answer is “Yes”, then look no further! It is a pity there is no native PowerShell way to manage stuff like this. But it is a good thing there are MVPs like Tony, who has created a PowerShell module that does some interesting things around DCOM permissions on Windows systems. All credits for this PowerShell module of course go to Tony as he built and owns it.

The PowerShell Module to manage DCOM Permissions can be downloaded from here.

Benefits:

  • No dependency on external files
  • Can change permissions on DCOM objects where Administrator doesn’t have access
  • Does not remove callback permissions (Using the Component Services GUI often does)
  • Doesn’t write temporary files during operation
  • Pure PowerShell implementation
  • Fully documented and self contained
  • No code hidden in DLL files or other compiled libraries; fully transparent

Requirements:

  • PowerShell 4.0
  • Elevated administrative rights on local computer
  • Tested on Windows 10, Server 2012 R2, Server 2016

Available Cmdlets:

  • Get-DCOMPermission
  • Grant-DCOMPermission
  • Revoke-DCOMPermission

Cheers,
Jorge


Posted in Windows Client, Windows Server | Leave a Comment »

(2018-10-20) Grant, Revoke Or Query For User Rights (Privileges) Using PowerShell

Posted by Jorge on 2018-10-20


Have you ever needed to script granting or revoking user rights, or maybe just querying for user rights? If the answer is “Yes”, most likely you have had to use NTRIGHTS from the good old Windows Server 2003 Resource Kit or do some funky magic around SECEDIT. It is a pity there is no native PowerShell way to manage stuff like this. But it is a good thing there are MVPs like Tony, who has created a PowerShell module that does some interesting things around user rights locally and remotely on Windows systems. All credits for this PowerShell module of course go to Tony as he built and owns it.

The PowerShell Module to manage user rights can be downloaded from here.

Benefits:

  • No dependency on external files
  • Can modify any user right; is not limited to "Logon as a Service"
  • Can add/remove rights from the current process token
  • Doesn’t write temporary files during operation
  • Fully pipeline-able
  • Pure PowerShell implementation
  • Supports changing user rights on remote machines
  • Fully documented and self contained
  • No code hidden in DLL files or other compiled libraries; fully transparent

Requirements:

  • PowerShell 3.0
  • Administrative rights on target computer, or elevation on local computer
  • Tested on Windows 10, Server 2012 R2, Server 2016, Server Core 1709

Available Cmdlets:

  • Grant-UserRight
  • Revoke-UserRight
  • Get-UserRightsGrantedToAccount
  • Get-AccountsWithUserRight
  • Grant-TokenPrivilege
  • Revoke-TokenPrivilege


Cheers,
Jorge


Posted in User Rights, User Rights, Windows Client, Windows Server | Leave a Comment »

(2016-10-14) Windows Server 2016 Now Available On MSDN

Posted by Jorge on 2016-10-14


Microsoft released Windows Server 2016 about three weeks ago. Read about it here.

Yesterday Microsoft also made the Windows Server 2016 ISOs available on MSDN. Use this link to get to those ISOs. You do need to have an account for MSDN and you need to be eligible to be able to download the ISOs.

Cheers,
Jorge

Posted in Windows Server | Leave a Comment »

(2016-09-26) Windows Server 2016 Has Been Released

Posted by Jorge on 2016-09-26


Microsoft has released Windows Server 2016!

An evaluation version of Windows Server 2016 is available through Microsoft downloads. Somewhere in October, Windows Server 2016 will be generally available (GA).

Read more about it:

Cheers,
Jorge

Posted in Updates, Windows Server | 1 Comment »

(2015-10-15) Remote PowerShell To Servers Fails

Posted by Jorge on 2015-10-15


Imagine you want to achieve something on a list of servers, and for that you want to use remote PowerShell. Good idea!

Let’s say you have some list of servers in an array, and all servers are specified with their NetBIOS name. For every server you would like to retrieve its Windows version and build number (or of course something else). You could use the following PowerShell script:

$allExistingRWDCs = @("R1FSRWDC1","R1FSRWDC2")
$allExistingRWDCs | %{
    $rwdc = $_
    $rwdcRemotePoSHSession = New-PSSession -ComputerName $rwdc
    Invoke-Command -Session $rwdcRemotePoSHSession -ScriptBlock {
        Param(
            $rwdc = $rwdc
        )
        $windowsVersion = (Get-WmiObject Win32_OperatingSystem).Version
        $windowsBuildNumber = (Get-WmiObject Win32_OperatingSystem).BuildNumber
        Write-Host ""
        Write-Host "Host Name................: $rwdc" -ForeGroundColor Yellow
        Write-Host "Windows Version..........: $windowsVersion" -ForeGroundColor Yellow
        Write-Host "Windows Build Number.....: $windowsBuildNumber" -ForeGroundColor Yellow
    } -Args $rwdc
    Remove-PSSession $rwdcRemotePoSHSession
    Write-Host ""
}

You copy the script into a PowerShell command prompt window, and….., life is good!


Figure 1: Remote PowerShell By Using NetBIOS Style Server Names – Success

I always prefer to use FQDNs instead of NetBIOS style hostnames, therefore I adjust my script accordingly as shown below:

$allExistingRWDCs = @("R1FSRWDC1.IAMTEC.NET","R1FSRWDC2.IAMTEC.NET")
$allExistingRWDCs | %{
    $rwdc = $_
    $rwdcRemotePoSHSession = New-PSSession -ComputerName $rwdc
    Invoke-Command -Session $rwdcRemotePoSHSession -ScriptBlock {
        Param(
            $rwdc = $rwdc
        )
        $windowsVersion = (Get-WmiObject Win32_OperatingSystem).Version
        $windowsBuildNumber = (Get-WmiObject Win32_OperatingSystem).BuildNumber
        Write-Host ""
        Write-Host "Host Name................: $rwdc" -ForeGroundColor Yellow
        Write-Host "Windows Version..........: $windowsVersion" -ForeGroundColor Yellow
        Write-Host "Windows Build Number.....: $windowsBuildNumber" -ForeGroundColor Yellow
    } -Args $rwdc
    Remove-PSSession $rwdcRemotePoSHSession
    Write-Host ""
}

You copy the script into a PowerShell command prompt window, and….., life is suddenly not that good!


Figure 2: Remote PowerShell By Using FQDN Style Server Names – Failure

REMARK: depending on the situation you may see other error messages, like for example “Access Denied”.

What the heck! You try to troubleshoot this one, and it may appear to be a tough nut to crack! Although the error message may give you a hint in which direction to look, in my personal case I got the “Access Denied” error. In summary, remote PowerShell was successful while using NetBIOS names and failed while using FQDNs. At first I started to check the WinRM settings. Again, in my case there was nothing that gave me a hint about what could be wrong, until I started to do some network traces, and that’s when I understood what was going on. In the network trace I saw that, when using FQDNs, the proxy server was being accessed. Now why the heck is remote PowerShell trying to reach the server through the proxy server?

With this blog post, I want to save you a long period of swearing and hair pulling.

When you have configured System Wide Proxy Settings, Remote PowerShell will use that configuration accordingly. In my case, the configuration was similar to:


Figure 3: System Wide Proxy Settings – Proxy Server FQDN, Port and Bypass List

  • Proxy Server FQDN = GATEWAY.IAMTEC.NET
  • Proxy Server Port = 3128
  • Do not use the proxy server for the following addresses that are also available internally:
    • *.IAMTEC.NL <== FQDN of the internet domain, that’s also available internally (split DNS)
    • <Local> <== Definition for locally used names

With <local>, I first thought that it would cover both FQDNs and NetBIOS names. WRONG!!!

As mentioned in MS-KBQ262981, “<local>” only covers NetBIOS name style addresses, and NOT FQDNs. Therefore, any FQDN needs to be explicitly specified or be covered by some wildcard FQDN.

So, what was the solution in my case?

Answer: Add the wildcard FQDN that covers my internal AD forest. Therefore “*.IAMTEC.NET” should be added to the bypass list!

Using the following command, I was able to reconfigure the System Wide Proxy Settings:

NETSH WINHTTP SET PROXY PROXY-SERVER="GATEWAY.IAMTEC.NET:3128" BYPASS-LIST="*.iamtec.net;*.iamtec.nl;<local>"

REMARK: when configuring the System Wide Proxy Settings, there may be services that leverage those settings and need to be restarted to consume the new configuration. One example is ADFS. However, this does not apply to Remote PowerShell.


Figure 4: Setting Proxy Server FQDN, Port and Bypass List
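To see the <local> rule in action before touching the machine setting, here is an added example (my own code, not part of the original post) that evaluates a host name against a WinHTTP bypass list the way MS-KBQ262981 describes: <local> matches only names without a dot, everything else is a wildcard host pattern. The bypass lists and server names are constructed from the values in this post; the last part reads the live setting from "netsh winhttp show proxy".

```powershell
# Added example (not from the original post): decide whether a host name goes
# direct or via the WinHTTP proxy, applying the MS-KBQ262981 rule for <local>.
function Test-WinHttpProxyBypass {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $BypassList   # semicolon separated, as in NETSH
    )
    foreach ($entry in ($BypassList -split ';')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry -ieq '<local>') {
            # <local> covers only plain (NetBIOS style) names, never FQDNs
            if ($HostName -notmatch '\.') { return $true }
            continue
        }
        # every other entry is a host pattern where '*' is the wildcard
        if ($HostName -ilike $entry) { return $true }
    }
    return $false
}

function Show-ProxyDecision {
    param([string[]] $Servers, [string] $BypassList, [string] $Label)
    Write-Host "`nBypass list ($Label): $BypassList"
    foreach ($s in $Servers) {
        $route = if (Test-WinHttpProxyBypass -HostName $s -BypassList $BypassList) { 'direct' } else { 'via proxy' }
        Write-Host ('  {0,-24} {1}' -f $s, $route)
    }
}

# Constructed from the post: a NetBIOS name, the same DC as FQDN, and a split-DNS host
$servers = 'R1FSRWDC1', 'R1FSRWDC1.IAMTEC.NET', 'APP1.IAMTEC.NL'
Show-ProxyDecision -Servers $servers -BypassList '*.iamtec.nl;<local>'              -Label 'before'
Show-ProxyDecision -Servers $servers -BypassList '*.iamtec.net;*.iamtec.nl;<local>' -Label 'after'

# Same check against the live machine-wide setting (needs an elevated prompt)
$live = (netsh winhttp show proxy) -join "`n"
if ($live -match 'Bypass List\s*:\s*(.+)') {
    Show-ProxyDecision -Servers $servers -BypassList $Matches[1].Trim() -Label 'current machine'
}
```

With the "before" list only R1FSRWDC1 and APP1.IAMTEC.NL go direct and R1FSRWDC1.IAMTEC.NET is sent to the proxy, which is exactly the failure in Figure 2; with the "after" list all three go direct.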

Now let’s retry the script that uses the FQDN of the servers. Yes, life is good again!


Figure 5: Remote PowerShell By Using FQDN Style Server Names – Success

YES!

Cheers,

Jorge


Posted in System Wide Proxy Settings, Windows Server | 1 Comment »

(2015-07-16) Support For Windows Server 2003 Has Ended!

Posted by Jorge on 2015-07-16


Still on Windows Server 2003? Be aware that as of July 14th there is no support anymore for Windows Server 2003, unless you are willing to pay Microsoft big $$$ to still receive patches/fixes.

Read more about it here.

Cheers,
Jorge

Posted in Support, Updates, Windows Server | Leave a Comment »

(2014-07-24) Possible Issues When Running Both W2K3 And W2K12R2 DCs For The Same AD Domain

Posted by Jorge on 2014-07-24


If you are upgrading your AD from W2K3 to W2K12R2, you might be experiencing issues when running both OS versions at the same time. The guys at ASKDS have written a great blog post about this.

Click on the following link to read all about it and what you can do about it.

It turns out that weird things can happen when you mix Windows Server 2003 and Windows Server 2012 R2 domain controllers.

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Windows Server | Leave a Comment »

(2014-02-25) Updates For Exchange 2007, 2010 And 2013 Released To Support W2K12R2 OS, AD, DFL/FFL

Posted by Jorge on 2014-02-25


Today Microsoft released updates for Exchange 2007, 2010 and 2013 to be supported:

  • On a W2K12R2 server
  • In an AD with W2K12R2 DCs
  • In an AD where DFL/FFL is W2K12R2

Exchange 2007

  • Technical details can be read here.
  • SP3 RU13 and later provides that support. Get RU13 from here.

Exchange 2010

  • Technical details can be read here.
  • SP3 RU5 and later provides that support. Get RU5 from here.

Exchange 2013

  • Technical details can be read here.
  • SP1 and later provides that support. Get SP1 from here.

The supportability matrix is available here.

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Exchange Server, Windows Server | Leave a Comment »
