Jesper M. Christensen

SharePoint and Security

Category Archives: Windows Server

WindowsSecurity.com – Active Directory information exposed to users?


For the time being I have not really time for blogging I’m afraid but will continue writing articles for the windowsecurity.com website.

I know many things are visible in the Microsoft Active Directory and tried a few things to investigate the things a standard user can see. If this is something for you, then take a look at the article – feedback and evaluation is welcome J

Active Directory information exposed to users?

Advertisements

Cloning Windows Server 2008 using sysprep


To make a copy/duplicate of a Windows Server 2008 you need to make sure the Security ID (SID) and all other settings that are machine-specific are unique . This is the "normal" and supported way to clone a Windows client/server and has been since Microsoft Windows NT 4.0.

The sysprep-command is by default located in C:\Windows\System32\Sysprep (in Windows Server 2003 it was hidden on the installation-CD in \Support\Tools\deploy.cab) and can be run as a GUI (Graphic User Interface) or command-line.

The GUI does not give you many options, but can do the job. To customize the sysprep with e.g. the product key you must use a configuration-file. which is now in XML (former versions of sysprep used an INF-file). To generate this file use the Windows System Image Manager for Windows Vista/Server 2008 which is a part of the Windows Automated Installation Kit (WAIK), which can be downloaded at Microsoft here: http://thesystemadministrator.com/redir?www.microsoft.com/downloads/details.aspx?FamilyID=C7D4BC6D-15F3-4284-9123-679830D629F2&displaylang=en

Simply use one of these procedures to clone your Windows Server 2008

Without pre-entered configuration

  • Run the C:\Windows\System32\Sysprep\Sysprep.exe from Windows Explorer
  • Choose OOBE, check the generalize and shutdown

Pre-entered configuration

  • Generate a XML configurationfile with the Windows System Image Manager
  • Copy the XML file to C:\Windows\System32\Sysprep
  • Run sysprep /generalize /oobe /shutdown /unattend:sysprep.xml

After the automatic shutdown the Windows Server can be cloned. When you start the servers again they will use the configuration you have made. The computername though will be auto-generated.

Quick guide to Windows Server 2008 Core


I have made a quick guide to the Windows Server 2008 Core edition. This is meant as a reference and installation-help, so you can have the basic commands in one place.

http://cid-38ca35b6277b6302.skydrive.live.com/self.aspx/Blog%20items/Quick%20guide%20to%20Windows%20Server%202008%20Core.xps

Duplex print: 1 page

Please provide feedback to make the quick guide as good as possible.

Make your file shares redundant with DFS


The situation

Every company use file-servers for storing business data and these are getting a more important role as the IT infrastructure evolves. Take a minute and think about the following scenario:

An electronic component on a main file-server has a malfunction and the server goes black 6’o’clock in the morning leaving the users without access to the files. The replacement of this component, or the whole server, takes 8 hours to be fixed and get the server up running as before.

Have you ever thought about your file-server and what have you done as an IT professional to make sure your users doesn’t lose access to important company data in a longer period of time? Many people haven’t really thought about the consequences of this and how the problem easily can be avoided. I have asked some people and the answers are typically:

  • This have never been an issue, why should it break?
  • The files isn’t that important, we can wait for the repair
  • I can restore the data from backup on another server in the meantime

The solution

The solution for redundant file shares with Distributed File System (DFS). This have been around for some time starting with the File Replication Services (FRS) in Windows 2000 Server (this is still used for DC replication), but the DFS Replication in Windows 2003 R2 and higher versions is a scalable, secure and great solution for that extra file share you need if a server comes offline.

I will point out a few advantages you get with the Distributed File System here:

  • High availability file share
    You get a files hare that is replicated between multiple servers so that your file shares are always online.
  • Replicated data
    Your company data is replicated based on a schedule and the bandwidth can be controlled if you have limited bandwidth to your branch offices. Only changed data in the files are compressed and replicated so you get the most out of your available bandwidth.
  • Centralized backup
    This can be achieved if you replicate your DFS-data to your main office and backup your data here.
  • Easy migration of file servers

    If you need to migrate to another file server you can use DFS to replicate your data and make it available to users without they experience downtime.

Simple installation

The installation is very simple, and with a few minutes work you have your DFS up and running. Of course this is only the basic configuration of DFS and for more indept configuration and explanation of the features and possibilities, you need to dig more into the DFS through the Microsoft documentation for DFS.

  1. Make a new folder on a volume with enough spaces for your files and staged/conflict data (staged data is files that are replicated to this server and conflict data is files that are changed at the same time or exist on the destination server)
  2. Do the same task for your second fileserver (this can be on the same network or a branch office)
  3. Install the Distributed File System from Add/remove Windows Components
  4. Start the DFS Management Console (Not the Distributed File System console if that exists. That is the old DFS!)

For the configuration you need to know a few basic things about DFS to set up your environment correctly for redundancy.

Namespace
This is the name your DFS gets on the network. You need multiple namespace servers defined to make sure your clients can access the file shares.

Folder
The folders are simply links to folder-targets. These links to one or multiple shares on the network. If one share is offline or put in "disable folder target" the DFS automatically chooses another target.

Tips and tricks

To get started you need to know some basic information, tips or "tricks" if you want. These are my small notes for DFS and I find them useful in the scenarios I implement the Distributed File Systems in.

  • Make at least two servers available to your clients of all the following types for high availability
      • Domain Controllers (and Global Catalog servers or activate Universal Group Membership caching for branch-DC’s)
      • DNS Servers
      • DFS namespace servers
  • For branch offices you need to consider the schedule and bandwidth needed within working hours. Plan your replication well in both areas.
  • Adjust your staging area so it fits your needs (large files requires large staging areas)
  • When large file shares are replicated remember to "disable target" until the replication is completed. If you do not the clients will only see the incomplete replica.
  • Keep in mind: Permissions on files/folders are only replicated first time the file/folder is replicated. –not if these permissions change! (Whilst this is article is written)
  • Remember to edit your settings when adding a namespace server to change the path away from C:\ and make the namespace domain-based.
  • Make a maintenance schedule to check the DFS logs, replication check and staging/conflict areas

More information

You can find lots of useful information on the Microsoft website and of course other sites aswell. Here are a couple of links to get you started:

 

 

 

Query the forest for SPN’s configured


You can query the SPN’s (used in Kerberos environment) from other computers with this Microsoft script found and documented at Microsoft’s website SPNQUERY . For other ways to query the SPN’s look into KB321044

Script command: cscript spnquery.vbs HOST/MyServerName* >check_SPN.txt

Sample output:

CN=SHARE08,OU=Sharepoint Servers,OU=Denmark,DC=domain,DC=local
Class: computer
Computer DNS: share08.extrico.local
— HOST/SHARE08
— HOST/share08.extrico.local

Supporting Microsoft Servers in a Virtual Environment


You need to consider certain issues when running your Windows Servers in a virtual environment and Microsoft have written some knowledgebase articles regarding these challenges.

Considerations when hosting Active Directory domain controller in virtual hosting environments

Running Domain Controllers in Virtual Server 2005 (Word document download)

Support policy for Microsoft software running in non-Microsoft hardware virtualization software

How to detect and recover from a USN rollback in Windows 2000 Server or Windows Server 2003

I have written a couple of tips down to help avoiding stability-issues

  • Install VMware Tools (if using VMware) on the servers as soon as possible
  • "undo", "differencing" and Snapshot are not supported for Domain Controllers
  • The following hotfix are recommended for Domain Controllers:
    • How to detect and recover from a USN rollback (Win2k: 885875, Win 2k3: 875495)