Blue Flower

Here we go again... Microsoft announced in late February 2020 that this exam will be retired at the end of June of the same year, together with the whole MCSA certification! https://www.microsoft.com/en-us/learning/community-blog-post.aspx?BlogId=8&Id=375282 I found out thanks to NetworkChuck; good thing I subscribed to his videos, and it just so happened that I had checked the MCSA cert exams the week before!

Anyway, we need to pass this 70-411 exam before the end of June, and it is a good opportunity as well to refresh and gain more Microsoft knowledge along the way, of course. So, let's go ahead and do this thing. The topics for the 70-411 Administering Windows Server 2012 exam are:

  1. Deploy, Manage and Maintain Servers, WDS, WSUS and DCS
  2. Configure File and Print Services, DFS, FSRM, EFS and bitlocker
  3. Configure Network Services and Access, DNS zones, VPN and Direct Access
  4. Configure a Network Policy Server Infrastructure, NPS and RADIUS
  5. Configure and Manage Active Directory, AD
  6. Configure and Manage Group Policy, GPOs

Here are the bits of what I covered in this article:

 

Set up your lab

To create the different servers that we are going to use for this exam, get yourself a copy of VMware Workstation 15 and create a virtual machine with Windows Server 2012 R2 called "TEMPLATE_2012", then install the OS on it and make sure it is up to date before proceeding... yep, Windows Update might take a few hours to run...

Once all Windows Updates are done, run C:\Windows\System32\sysprep\sysprep.exe > choose OOBE and Shutdown... and of course don't forget to tick the "Generalize" option, otherwise all the VMs you create from that template will have the same SID, not good!

You are now ready to create new Server 2012 R2 VMs based on that template. Using VMware Workstation, right-click the TEMPLATE VM and go to Manage > Clone > and create a linked clone

 

That way you can create as many 2012 R2 VMs as you need without wasting time installing the OS, patches, etc. This is the list of the VMs that I created for this exam:

Name     Role                                        IP Address
AD01     Forest Root Domain Controller, CA, DHCP     192.168.11.10
AD02     Domain Controller, ADFS                     192.168.11.11
AD03     RODC                                        192.168.11.13
WDS01    WDS                                         192.168.11.50
WSUS01   WSUS                                        192.168.11.60
SRV01    DFS, BitLocker                              192.168.11.21
SRV02    DFS, FSRM                                   192.168.11.22
SRV03    DFS, Remote Access, NPS                     192.168.11.23 (internal), DHCP (external)
SRV04    Web Application Proxy (not Domain joined)   192.168.11.24

 

Download Remote Desktop Connection Manager on one of your servers to manage the lab environment from a single location https://www.microsoft.com/en-us/download/details.aspx?id=44989

 

Active Directory stuff

Remember that the good old "dcpromo" is deprecated in Windows Server 2012, but you have to use it if you want to do an unattended installation (dcpromo /unattend). It might sound like a broken record, but it is good every now and then to review the amazing features included in Active Directory:

  • Active Directory Certificate Services; this is where you set up your PKI (Public Key Infrastructure) certificates
  • Active Directory Rights Management Services; creates reliable information protection solutions using technologies like encryption, certificates and authentication
  • IP Address Management; customise and monitor the IP address infrastructure on a corporate network
  • Kerberos Authentication; version 5 is installed as a security support provider (SSP)
  • Global Catalog; be mindful of the size of your Universal Groups, those are the ones that are replicated between GCs
  • krbtgt account; the Key Distribution Center service account is disabled, is used by the operating system and cannot be used to log on to the domain

To check the GPOs that apply to a given computer, run:

gpresult /r /scope:computer   #display results for the computer only
gpresult /r /scope:user       #display results for the logged-on user only

gpupdate /force /target:computer   #refreshes the GPOs for the computer

Active Directory uses the concept of foreign security principals to allow permissions to be assigned to users who are not part of the Active Directory forest.

Service Accounts Authentication; the Local System account has more rights than the Local Service and Network Service accounts. To create a test service that you can later assign a service account to, do as follows in PS:

New-Service -Name NAZAUDY -DisplayName "Nazaudy Service" -Description "Nazaudy test service" `
    -BinaryPathName C:\Windows\system32\notepad.exe

To run a service under its Virtual Account (a local virtual identity), set the username to "NT SERVICE\$SERVICE_NAME$" with a blank password (don't forget the dollar sign at the end). Managed Service Accounts (MSA) are added by administrators as domain accounts, but are tied to a specific machine only, which is a problem when you want accounts for farms or clusters; in situations where you want to use an MSA on more than one computer in a domain, create instead a Group Managed Service Account (gMSA). To create a 'managed' service account, do as follows:

New-ADServiceAccount -Name NAZAUDY3 -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity SERVER3 -ServiceAccount NAZAUDY3
Test-ADServiceAccount -Identity NAZAUDY3

#After the above, visit SERVER3 and run the following
Install-ADServiceAccount -Identity NAZAUDY3

#Finally, open services.msc on SERVER3 and link the NAZAUDY3 service to its account
#Leave the password blank, it will be managed by AD

To create Group Managed Service Accounts, the Key Distribution Service needs a root key; to create it on your AD run this command:

Add-KdsRootKey -EffectiveImmediately
#Even though it says immediately, there is actually a 10 hour delay for replication

#Create a group managed service account
New-ADServiceAccount -Name NAZAUDY4 -DNSHostName NAZAUDY4.nazaudy.local -PrincipalsAllowedToRetrieveManagedPassword "Domain Computers"

#Install the AD PS module on server4 and server5
Invoke-Command -ComputerName server4,server5 -ScriptBlock { Install-WindowsFeature RSAT-AD-PowerShell }

To use these accounts, the OS must be running Windows 7 or higher for clients and Server 2008 R2 or higher for servers.

FSMO Roles; Flexible Single-Master Operations. To check which DCs hold the roles in your domain, run:

netdom query fsmo

#If using PS, use:
Get-ADForest
Get-ADForest nazaudy.local | FT SchemaMaster, DomainNamingMaster
Get-ADDomain

#For the record, these are the FSMO numbers (as used by Move-ADDirectoryServerOperationMasterRole):
PDCEmulator            0
RIDMaster              1
InfrastructureMaster   2
SchemaMaster           3
DomainNamingMaster     4

  • Schema master and domain naming master; only one DC in the whole forest can hold each of these roles
  • PDC, RID pool manager and Infrastructure master are domain-specific; only one DC in the domain can hold each of those roles. The PDC is a critical role, watch out for that one

To transfer roles you can use the GUI, but to 'seize' roles you have to use ntdsutil. The domain-specific roles can be changed using AD Users & Computers, the Domain Naming Master role (being forest-specific) has to be changed using AD Domains & Trusts, and for the Schema Master you first need to register the tool that will allow you to change the role:

regsvr32 schmgmt.dll

Once the Schema Management console is registered, add it through MMC >> Operations Master and change the role. To transfer or seize roles using ntdsutil, run:

ntdsutil
:roles
:connections
:connect to server ad02.nazaudy.local
:quit
:transfer schema master   #for example; use "seize schema master" only when the current holder is gone for good

RODC is for locations that are not very secure, where the AD database could be stolen or compromised; perfect for an unmanaged branch office

Cloning a DC; this is a new feature of Windows Server 2012 R2. To clone a DC, proceed as follows:

  1. Add the source DC to the group "Cloneable Domain Controllers"
  2. Find out which applications/services might be incompatible with cloning:

Get-ADDCCloningExcludedApplicationList -GenerateXml

  3. Generate a config file for the target clone machine:

New-ADDCCloneConfigFile -CloneComputerName AD01 -IPv4Address 192.168.1.10 -IPv4SubnetMask 255.255.255.0 -IPv4DefaultGateway 192.168.1.1 -IPv4DNSResolver 192.168.1.100 -Static

#The above checks that the PDC emulator is up in the domain and that it runs 2012
#The config file is created in C:\Windows\NTDS

  4. Finally, once the clone is completed, remove both machines from the AD group

Maintenance of AD; if a domain controller goes bust, you will need to clean up its metadata, either via dsa.msc or dssite.msc; to do it using ntdsutil run the following:

ntdsutil
:metadata cleanup
:connections
:connect to server ad01.nazaudy.local
:quit
:select operation target
:list domains
:select domain 0
:list sites
:select site 0
:list servers
:select server 2
:quit
:remove selected server

Remember that ntdsutil snapshots are not backups, you cannot restore from them; they are used for diagnostic purposes. To restore AD, reboot into Directory Services Restore Mode (DSRM, which the post calls ADRM) using F8 or, much better, run msconfig >> Boot >> and set the boot mode in there. A non-authoritative restore is useful when corruption or hardware failure has occurred, while an authoritative restore is for when you want the restored objects to replicate out to the other DCs. Once you have rebooted into restore mode, open cmd and run:

wbadmin get versions
#copy the version identifier listed to the clipboard

wbadmin start systemstaterecovery -version:xxxx

#After the restore, run ntdsutil to mark the objects authoritative, still in restore mode, of course
ntdsutil
:activate instance ntds
:authoritative restore
:restore subtree "OU=myDeletedOUChild,OU=myOtherDeletedOUParent,DC=nazaudy,DC=local"

Finally, run msconfig and uncheck the restore-mode boot option

dsamain; the AD database mounting tool, gives you a way to compare data in different snapshots

repadmin; allows you to diagnose replication problems between DCs

adsiedit.msc; manage objects and attributes in AD

wbadmin; the backup utility

AD Recycle Bin; in any case, the recommended way of restoring objects from AD is to use the AD Recycle Bin, so we don't have to take AD offline, etc. To do this launch Server Manager >> AD Administrative Center >> highlight your domain and choose "Enable Recycle Bin". In order to use it, your forest functional level must be at least 2008 R2, and once the recycle bin is on... you can't turn it off. To enable it using PS run the following:

Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target nazaudy.local

To get the password policy settings for the domain, run:

Get-ADDefaultDomainPasswordPolicy

Password Settings Object; the Default Domain GPO password policy applies to the whole domain, but if you want to be specific and have password policies for different OUs, users or groups, you can launch AD Administrative Center and configure a PSO.

The "Precedence" setting allows you to order the priority when more than one PSO applies: the lower the value the higher the priority (1 is the best), and whichever PSO applies will override the domain policy (unless of course you remove it, in which case the domain setting takes over). Note that a PSO can only be applied to a User or a Global Security Group; it cannot be applied to computers
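The PSO workflow above done in PowerShell, as an added example that is not part of the original post: it assumes the ActiveDirectory module, a global security group called "IT-Admins" and a user "jdoe" (both constructed names).

```powershell
# Added example: a fine-grained password policy (PSO) for a global security group.
# Assumes the ActiveDirectory module; "IT-Admins" and "jdoe" are constructed names.
Import-Module ActiveDirectory

$pso = @{
    Name                        = 'PSO-IT-Admins'
    Precedence                  = 10      # lower value wins when several PSOs apply to a user
    ComplexityEnabled           = $true
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MinPasswordAge              = '1.00:00:00'    # days.hours:minutes:seconds
    MaxPasswordAge              = '60.00:00:00'
    LockoutThreshold            = 5
    LockoutObservationWindow    = '0.00:30:00'
    LockoutDuration             = '0.00:30:00'
    ReversibleEncryptionEnabled = $false
}

# Create the PSO only if it does not exist yet (the cmdlet errors on duplicates)
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($pso.Name)'")) {
    New-ADFineGrainedPasswordPolicy @pso
}

# PSOs apply only to users and global security groups, never to computers or OUs
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'IT-Admins'

# Check what a member of the group actually gets: the PSO with the lowest Precedence wins,
# and a PSO linked directly to the user beats any PSO inherited through a group
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

If Get-ADUserResultantPasswordPolicy returns nothing, no PSO applies to that user and the Default Domain Policy is in force.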

 

GPO stuff

The default processing order for GPOs is: Local > Site Policies > Domain Policies > OU Level > child OUs; the last writer always wins, so watch out for the "Link Order" when you link more than one policy to an object: the policy with "Link Order" value 1 is applied last and is therefore the winner

When you set "Block Inheritance" on an OU, no policies linked to parent OUs will be applied to that OU, as it blocks inheritance... unless an upper policy has the "Enforced" setting on, in which case... there is no way to deny your genes

#In the GPO Management console, right-click the OU > Group Policy Update

#From command prompt: gpupdate

#From PS: Invoke-GPUpdate -Computer CLIENT1

To see whether the policies have been applied or not, use Resultant Set of Policy (rsop) or run:

gpresult /r

rsop.msc  #shows the results in a GUI

Or use the entry "Group Policy Results" at the bottom of the GPO Management console

GPO Loopback processing; intended for public places, laboratories and classrooms, it applies the user settings of the GPOs that target the computer (or merges them with the user's own) regardless of which user logs into that computer. You find this setting under Computer Configuration >> Policies >> Administrative Templates >> System >> Group Policy >> Configure user Group Policy loopback processing mode; when loopback is enabled in Merge mode, user settings from the computer's GPO take precedence in GPO conflicts. Study the different settings under Administrative Templates >> System >> Group Policy, some of them are really interesting, for example if you have slow links in your network:

  • To speed everything up on slow links, enable "Change Group Policy processing to run asynchronously when a slow network connection is detected"
  • To apply GPOs more frequently, modify "Set Group Policy refresh interval for computers"
  • GPO caching is enabled by default on clients (the policy there just allows you to customise the settings) but disabled by default on servers; caching speeds up synchronous foreground processing, so at every 90-minute refresh the client will not download the GPOs from the domain but read them from the cache instead, unless they have changed of course

Use Security Filtering to apply the policy to specific users/groups, and to prevent a certain user or group from getting the policy applied, you can visit Delegation > Advanced and deny them the access

 

WMI Filters; allow you to target GPOs based on the WMI (Windows Management Instrumentation) classes of OS properties or specific hardware

Get-WmiObject win32_operatingsystem | fl *
Get-WmiObject win32_computersystem | fl *   #show WMI class info at hardware level

To create a WMI query use the syntax: SELECT * FROM <class> WHERE <condition> [AND <condition>]; for example, to target laptops use: "SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)", meaning that when the battery status is not zero (i.e. 1 or above) the machine is selected, in other words only laptops

Select * from Win32_LogicalDisk where FreeSpace > 10737418240 AND Caption = "C:"
#this WMI filter selects the machine only if the C:\ drive has more than 10GB of free space
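A WMI filter evaluates to true when its query returns at least one instance, so you can test the queries above against real machines before linking them to a GPO. This is an added helper, not code from the original post; it assumes WinRM access to the target computers, and the third query (workstation vs. server via ProductType) goes beyond the two examples in the text.

```powershell
# Added example: evaluate GPO WMI filter queries against one or more computers.
# Assumes WinRM (Get-CimInstance -ComputerName) is allowed to the targets.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        foreach ($q in $Query) {
            # A GPO WMI filter "applies" when the query returns at least one instance;
            # a query error (class missing, no access) counts as "does not apply"
            $result = Get-CimInstance -ComputerName $computer -Namespace 'root\cimv2' `
                -Query $q -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer = $computer
                Query    = $q
                Applies  = [bool]$result
            }
        }
    }
}

# The two filters from the post plus one that separates workstations from servers
# (Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server)
$filters = @(
    'SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)',
    'SELECT * FROM Win32_LogicalDisk WHERE FreeSpace > 10737418240 AND Caption = "C:"',
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
)

Test-WmiFilter -Query $filters -ComputerName 'SRV01', 'SRV02' | Format-Table -AutoSize
```

Once a query behaves as expected, create the filter under "WMI Filters" in gpmc.msc and attach it on the GPO's Scope tab.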

Start-up/Shutdown scripts; you can also use PS scripts, but in all scenarios ensure the Computers and/or Users have access to the resources, and of course that you place the .ps1 files in the right location of the GPO; you can find that by clicking on "Show Files"

 

When you install software through GPO, import any .admx (plus the associated .adml) files that might be available from the manufacturer: copy the "PolicyDefinitions" folder from C:\Windows\ to AD01.nazaudy.local > SYSVOL > Policies (the central store), and then paste in there the .admx/.adml files from the given application

To filter a GPO and find the setting you are so desperately looking for, right-click Administrative Templates >> Filter Options and tick "Enable Keyword Filters" to customise your search, such a handy feature!

 

Backup GPOs to a folder; to back up GPOs open gpmc.msc >> right-click "Group Policy Objects" and select Back Up All; note that the GUIDs in the backup repository are backup-related GUIDs, not the actual GUIDs of the GPOs. To do it in PS run:

Backup-GPO -All -Path \\backupserver.nazaudy.local\Storage\Backups

To restore a specific policy, right-click "Group Policy Objects" >> Manage Backups >> pick the policy you want to restore and start the wizard. Note that this backup process doesn't include the WMI filters, inheritance or delegations, just the GPO settings, so remember that when restoring.

Migrate GPOs to another domain; to do that, right-click "Group Policy Objects" >> Open Migration Table Editor > Tools > Populate from GPO and select the policy that you want to migrate, then select the destination DC that you want

Delegation gives others the power to change and modify the delegated OU or Policy object; just refer to the "Delegation" tab and add the relevant group/user you want to be able to modify that policy

Best practices: use the Default Domain Policy only for the Account policies (account lockout, Kerberos, etc.) and use the Default Domain Controllers Policy for user rights and auditing; outside of that, please create your own GPOs. In any case, if these Default policies get corrupted, etc., run this command to reset them to their default settings:

dcgpofix /target:dc
dcgpofix /target:domain
dcgpofix /target:both #that will reset both, probably the best one!

Group Policy Preferences; GPPs are client-side extensions that pre-configure preferences for computers and users, which can be overridden and provide a starting point for the configuration, perfect for mapping drives ("Update" is the most flexible action, as it creates the item if it doesn't exist). Item-level targeting allows you to specify and filter in great detail how the setting will apply, so you can configure a GPO called "Drive Mapping" at the domain level and item-target each mapping according to group membership

PKI Infrastructure; certificates add a layer of protection, and you can use GPOs to manage all of that. Enable Certificate Auto-Enrollment by visiting Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and editing the option "Certificate Services Client - Auto-Enrollment"

 

 

DNS stuff

DNS is defined in RFC 1034 and 1035; the distributed database is thought of as an "inverted tree", that's why the root (.) is at the top and from there the branches develop downwards through the TLDs, Top Level Domains like .com, .net, .org, etc. Only 13 root name servers are responsible for delegating TLDs. These are the types of DNS queries:

  • Iterative queries; the DNS server receiving the query responds with the best information it possesses at the time
  • Recursive queries; the DNS server receiving the request takes full responsibility for resolving the name; if it has the information it replies immediately, but if it doesn't it will follow referrals to other DNS servers until it finds the info needed
  • Inverse queries; instead of supplying a name and then asking for an IP address, in this query the client first provides the IP address and then asks for the name. It uses the in-addr.arpa domain to resolve this query, where the octets of the IP address appear in reverse order, because DNS names are most specific on the left whereas IP addresses are most specific on the right

Set a low TTL only when you need to respond quickly to a changing environment; a high TTL (let's say one week) means that if you make a change to a DNS record the clients might not see the change for up to a week. Therefore, always use a TTL that is appropriate for your environment

A secondary zone gets its database from a primary zone, and they are used for load balancing and fault tolerance. Stub Zones are similar to Secondary Zones (they are non-editable copies of a primary zone) but differ in that they only contain enough information, usually 3 record types (NS, SOA and A records), to identify the authoritative DNS servers for the zone. Stub Zones are used when companies merge or to connect 2 domains across a slow link; they are NOT for redundancy or load balancing

In the Zone Transfers tab of DNS you have the "Notify..." button; add the IPs of whichever secondary DNS servers you want to push data to whenever there is a change in your DNS

Background Zone Loading; when an AD-integrated DNS server restarts, the AD zone data populates the database in the background, allowing DNS to serve clients almost immediately after the restart while the zone is still being loaded

  • RODC; read-only domain controllers, used for sites where security is a concern
  • DNS Socket Pool; allows source port randomisation to protect against DNS cache-poisoning attacks
  • DNS Cache Locking; allows cached DNS records to remain safe for the duration of the TTL value, meaning cached DNS records cannot be overwritten or changed, making it more secure against attackers. The locking configuration is based on a percentage value; for example, if you set the cache locking to 50% then the records will be locked for half of the TTL
  • DNS Security Extensions; the DNSSEC protocol allows your DNS servers to be secured by validating DNS responses; a zone implemented with DNSSEC gets all of its DNS resource records marked with a digital signature
  • Trust Anchors; they are preconfigured public keys linked to a DNS zone that allow DNS servers to validate the DNSKEY resource records. If the server is not AD integrated, the trust anchors are stored in trustanchors.dns; to view them run Get-DnsServerTrustAnchor -Name yourdomain.local
  • DNS Devolution removes the leftmost label of the namespace, allowing a client of a child domain to query the parent domain natively
  • Netmask Ordering; as you know, with Round Robin client A goes to record A, then client B to record B, then C to record A, thus providing load balancing. With netmask ordering (which is part of the round robin process), the server detects the netmask of the querying client and returns the records on the client's own subnet first
  • DNSUpdateProxy group; create a user account to run the DHCP server, then add that account to the DNSUpdateProxy group in AD; this will ensure that DHCP securely updates DNS

Note that the trailing dot (.) at the end of a CNAME means the root domain, i.e. the name is absolute, e.g. ad01.nazaudy.local.

DNS Caching-Only Server; they are not authoritative for any domain and the information they contain is limited to what has been cached while resolving queries; they are configured simply by populating the root servers under the Root Hints tab in DNS

DNS delegation; is when you divide your zone, for example from nazaudy.local you decide to have london.nazaudy.local, chicago.nazaudy.local, malaga.nazaudy.local, and delegate each sub-zone to an authoritative DNS server at each of those locations

DNS Forwarding; it can either be external, where the query is sent to the Root Hints, or conditional forwarding, where the query is sent to another DNS server (for example your internet provider's DNS) for resolving

Troubleshooting; use the good old nslookup to troubleshoot; DNSLint is a utility that you need to download from Microsoft https://support.microsoft.com/en-gb/help/321045/description-of-the-dnslint-utility which verifies DNS records and generates a report in HTML, e.g. dnslint /d nazaudy.local. DNScmd is a powerful tool that allows you to display and change the properties of DNS servers, zones and resource records, as well as forcing replication between two servers

If you need to replicate to BIND Unix servers, tick the option "Enable BIND Secondaries" under the Advanced tab of the DNS server

For scavenging to operate, it must be enabled both at the server and at the zone level
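The DNS hardening settings from the list above (cache locking, socket pool, DNSSEC signing and trust anchors) together with the two-level scavenging rule, as an added PowerShell example that is not from the original post. It assumes the DnsServer module on Server 2012 R2 and the post's zone name nazaudy.local; the socket pool size is read through Get-DnsServerSetting but set with dnscmd.

```powershell
# Added example: apply the DNS security settings discussed above on the DNS server itself.
# Assumes the DnsServer module and the zone nazaudy.local from the post.
Import-Module DnsServer

$zone = 'nazaudy.local'

# Cache locking: at 100% a cached record cannot be overwritten until its TTL expires,
# which blunts poisoning attempts that try to replace a record early (default is 100)
Set-DnsServerCache -LockingPercent 100
Get-DnsServerCache | Select-Object LockingPercent

# Socket pool: number of source ports the server randomises over for outbound queries
# (default 2500). Read it from the settings object; the size itself is set with dnscmd
(Get-DnsServerSetting -All).SocketPoolSize
dnscmd /Config /SocketPoolSize 2500

# Scavenging needs BOTH levels: the server decides how often it runs, the zone enables aging
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
Set-DnsServerZoneAging -Name $zone -Aging $true

# DNSSEC: sign the zone with the default key settings, then list the trust anchors
# (the public keys a validating resolver needs for this zone)
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force
Get-DnsServerTrustAnchor -Name $zone | Format-Table -AutoSize

# Verify the zone is now signed and that aging is on
Get-DnsServerZone -Name $zone | Select-Object ZoneName, IsSigned
Get-DnsServerZoneAging -Name $zone | Select-Object ZoneName, AgingEnabled
```

On an AD-integrated zone the trust anchors replicate through AD instead of the trustanchors.dns file, but the cmdlet output is the same.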

 

WDS stuff

To configure Windows Update you must have local admin rights. WSUS (as well as Windows Update) ensures that every update is digitally signed by Microsoft; if it is not, it will be discarded, thus preventing tampering. Gosh, just imagine if a trojan were distributed through Windows Update: billions of PCs infected in just a few hours!

To configure Automatic Updates through the registry, instead of GPO, visit HKLM > Software > Policies > Microsoft > Windows > WindowsUpdate > AU; then specify the following:

  • UseWUServer; 1 means you'll provide your own server, 0 uses the public Microsoft Update servers
  • WUServer (one level up, under WindowsUpdate); enter the URL of your WSUS, for example http://myWSUS (note it is http, not https)

To install WDS using PS, execute the following (a reboot after installation is not required but is recommended):

Get-WindowsFeature WDS*   #shows you what is already installed
Install-WindowsFeature WDS -IncludeAllSubFeature -IncludeManagementTools
Get-Command -Module WDS   #shows you all the commands you can use with WDS

  1. After installation, insert a Windows 7 ISO on the WDS server, then choose WDS > Boot Images > and add /sources/boot.wim from the Windows 7 DVD
  2. Copy the "install.esd" file from sources and paste it locally on your machine into a folder called "WIN10_ISO", then convert it from the compressed ESD format to the WIM format by running: dism /Export-Image /SourceImageFile:D:\Win10_ISO\install.esd /SourceIndex:9 /DestinationImageFile:D:\Win10_ISO\install.wim /Compress:Max /CheckIntegrity
  3. Under "Install Images" add a group called Windows 10 (groups are used as a security boundary), then Add Install Image and add the *.wim file that you have just converted. In the previous extraction we selected SourceIndex:9, but if you want to see how many images are actually included in the ESD file, run dism /Get-WimInfo /WimFile:D:\Win10_ISO\x64\Sources\install.esd
  4. If you right-click a Boot Image you can create 2 types of images from it:
    1. Capture Image; boot from this image to capture the state of the client and create an image from it with the needed apps, settings, etc.
    2. Discover Image; used in secure environments, you'll boot from this image and it will only communicate with the specified WDS, DHCP, etc.
  5. On your DHCP server, configure option 66 (WDS server name) and option 67 (boot image name) for your scope

 

WSUS stuff

To install WSUS using PS, do as follows:

Get-WindowsFeature UpdateServices*   #shows you what is already installed
Install-WindowsFeature UpdateServices,UpdateServices-DB -IncludeManagementTools
Get-Command -Module UpdateServices   #shows you all the commands you can use with WSUS

Out of the box, the Reports section of WSUS does not work. You'll need to download Microsoft Report Viewer 2008 SP1 https://www.microsoft.com/en-us/download/details.aspx?id=3841, which in turn requires that you go to Manage > Add Roles and Features and add .NET Framework 3.5, which will require you to insert the Windows 2012 R2 DVD and point to it as the source (D:\sources\sxs)... Honestly, I really don't know why M$ hasn't included the 3.5 Framework in the local copy of the OS, like many of the other features

On the WSUS console visit Options > Computers, and to start registering clients choose one of:

  • Use the Update Services console; known as server-side targeting, where you create groups manually and drag computers into them
  • Use Group Policy or registry settings on computers; that's the way to do it really (client-side targeting)

Edit the Domain GPO > Computer > Policies > Administrative Templates > Windows Update > and set:

  • Specify intranet Microsoft update service location: Enabled, set both detection and statistics to http://mywsus.nazaudy.local:8530
  • Configure Automatic Updates: Enabled, 4 - Auto download and schedule the install, every day at 6pm; I recommend that you leave "Install during automatic maintenance" disabled
  • Automatic Update detection frequency: Enabled, set it to 3 hours so that machines will check WSUS for updates at that interval

Now edit the GPO of the OUs where you have your computers and set "Enable client-side targeting" to whichever group you want the machines to be in on WSUS, else they'll go into Unassigned Computers. Run gpupdate /force /target:computer on the affected machines. The Windows Update Auto-Update Client commands wuauclt /detectnow and then wuauclt /reportnow on the clients will check WSUS and register if needed
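The same client configuration written directly to the policy registry keys (the registry route mentioned earlier in the WDS section), as an added example that is not from the original post. It assumes the post's WSUS URL http://mywsus.nazaudy.local:8530 and a constructed WSUS computer group name "Workstations"; the values mirror what the GPO settings above write.

```powershell
# Added example: configure a WSUS client through the policy registry keys instead of GPO.
# Assumes the post's WSUS URL; the target group "Workstations" is a constructed name.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
New-Item -Path $auKey -Force | Out-Null       # creates both keys if missing

# Intranet update service location: detection and statistics servers.
# 8530 is the WSUS plain-HTTP port; 8531 is HTTPS if a certificate is bound on the WSUS server
$wsus = 'http://mywsus.nazaudy.local:8530'
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $wsus -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $wsus -Type String

# Client-side targeting: the machine registers itself into this WSUS computer group
Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wuKey -Name TargetGroup -Value 'Workstations' -Type String

# AU subkey: use our WSUS (1) rather than the public Microsoft Update servers (0)
Set-ItemProperty -Path $auKey -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord

# AUOptions 4 = auto download and schedule the install; day 0 = every day, time 18 = 6pm
Set-ItemProperty -Path $auKey -Name AUOptions            -Value 4  -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0  -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 18 -Type DWord

# Check WSUS every 3 hours (the same value the GPO "Automatic Update detection frequency" sets)
Set-ItemProperty -Path $auKey -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name DetectionFrequency        -Value 3 -Type DWord

# Make the client forget its old server authorisation, re-detect and report in
wuauclt /resetauthorization /detectnow
wuauclt /reportnow

# Verify what the client will actually use
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty -Path $auKey | Select-Object UseWUServer, AUOptions, DetectionFrequency
```

If the machine also receives the GPO, the GPO wins on next refresh because it writes these very same values.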

 

Remote Access stuff

As part of VPNs we have the following protocols:

  • PPTP Tunnelling; pretty straightforward, it encapsulates PPP frames using GRE (Generic Routing Encapsulation) and then encrypts them using MPPE (Microsoft Point-to-Point Encryption). The encryption keys are generated dynamically for each connection
  • L2TP/IPsec Tunnelling; more flexible than PPTP but also more complicated. L2TP doesn't offer any security by itself, but its traffic is then encrypted using IPsec, whose keys are negotiated with ISAKMP, which does provide security
  • SSTP Tunnelling; Secure Socket Tunnelling Protocol uses port 443, HTTPS

Web Application Proxy (WAP); allows users to access internal applications from outside the network, including from BYOD devices. There are basically 2 ways of authentication, and in both cases ADFS (AD Federation Services) is a requirement:

  • ADFS Authentication; provides SSO (Single Sign-On), multi-factor authentication and Workplace Join
  • Pass-through Authentication; the user is authenticated by the application they are going to access, not through AD

To configure a certificate for ADFS, follow this amazing guide: https://selimatmaca.com/index.php/windowsservers/adfs-active-directory-federation-services/198-part1-creating-adfs-certificate 

If you cannot complete the AD FS Web Application Configuration Wizard, go through this document: https://shanejacksonitpro.com/2017/08/04/adfs-wap-proxy-an-error-occurred-when-attempting-to-establish-a-trust-relationship-with-the-federation-service/  and /or https://www.experts-exchange.com/questions/28705557/Web-application-proxy-not-connecting-to-ADFS-box.html

Normally the Web Application Proxy server is placed in the DMZ (and is therefore not AD-joined)

Direct Access; is an always-on VPN. From the point of view of the user, Direct Access is much better than VPN, though from the admin's point of view it is a lot more difficult to configure. It requires IPsec, IPv6 and a Public Key Infrastructure; Windows Firewall must be enabled on all devices, and for the communication between the client (IPv4) and the server (IPv6) an IPv6-over-IPv4 tunnel is created using either 6to4 or Teredo

  • Direct Access Server; needs to be "multihomed", with 2 NICs, one internal and the other for the Internet; it also needs to be domain-joined for the GPOs to apply, that's a requirement

Being an IPv6 technology, Direct Access uses IP-HTTPS. The Network Location Server allows the clients to determine whether they are inside or outside the network, and by the way the clients need to be the "Enterprise" edition of Windows 10

Extensible Authentication Protocol; EAP doesn't provide any authentication itself, instead it relies on external third-party authentication methods including smart cards, secure access tokens, ordinary passwords, etc.; each authentication scheme is called an "EAP Type", and each EAP type is implemented as a plug-in module; EAP-TLS is the strongest authentication that you can use. Only servers running Network Policy Server (NPS)

Conditions determine whether the policy is applied to a connection, while Constraints are evaluated after a policy has already been matched to a connection

Network Access Protection (NAP); is obsolete in 2016. What it does is check the computer for antivirus updates, health, etc. before admitting the remote computer to the network. Unhealthy clients go into a remediation area, and auto-remediation fixes some problems, like for example starting the Windows Update service if stopped. Before connecting, NAP-enabled clients need to have the service "Network Access Protection Agent" started, then run "napclcfg.msc" and enable the type of connection you'll be using; lastly enable "Enforce network access protection" on the VPN connection settings

When creating network policies, the listed conditions are used for the following purposes:

  • Day and Time Restrictions
  • Authentication Method; CHAP, EAP, MS-CHAP and MS-CHAP v2
  • Tunnel Type; either PPTP or L2TP
  • Service Type; RADIUS service type, specifies either framed (PPP) or login such as Telnet
  • MS-Service Class; defines a DHCP scope from which the computer must have received an IP address
  • Location Group; specifies a Health Credential Authorisation Protocol (HCAP) location group
  • Allowed EAP Type; specifies which EAP type is used, such as EAP-TLS
  • NAS port type; specifies the type of media used to connect (ISDN, tunnel, VPN, 802.11, etc.)

mbsacli.exe /hf -h AD01          #scans machine AD01 for missing patches and vulnerabilities
mbsacli.exe /hf -i 192.168.0.x   #scans the machine with that IP address

 

File Server Resource Manager (FSRM) stuff

To install FSRM using PS, execute:

Install-WindowsFeature -Name -FS-Resource-Manager -IncludeManagementTools

Some PowerShell commands you can use with DFS are these:

Get-WindowsFeature FS-DFS*
Install-WindowsFeature FS-DFS-Namespace -IncludeManagementTools
Get-Command -Module DFS*
Invoke-Command -ComputerName SRV01,SRV02 -ScriptBlock {Install-WindowsFeature FS-DFS-Replication}
Invoke-Command -ComputerName SRV01,SRV02 -ScriptBlock {Install-WindowsFeature FS-DFS-Namespace}

When configuring replication you might want to turn off "Use remote differential compression (RDC)" on the connection if the servers are on the same LAN segment: RDC saves bandwidth by sending only the changed blocks of a file, at the cost of CPU on both ends, so it only pays off over slow links and should stay on for WAN connections

 

Watch out for the quota of the "Staging" folder, it needs to be big enough to hold the files being replicated in your DFS folder structure (Microsoft's rule of thumb is at least the combined size of the 32 largest files in the replicated folder); visit Event Viewer > Applications and Services Logs > DFS Replication for staging warnings and other errors in the logs. It is recommended to put the "Staging" folder and the actual replicated folder on different drives. For initial replication, remember that preseeding the data with Robocopy is far more efficient than letting the replication protocol copy everything

 

BitLocker Drive Encryption stuff

It uses the Trusted Platform Module (TPM) chip, version 1.2 or newer, to seal the volume key; if you don't have a TPM chip on your motherboard (must be an old one!) you can store a startup key on a USB drive, which must be plugged in every time the system boots. The Windows 7 version of BitLocker had to encrypt the whole drive, while Windows 8 / Server 2012 and later can encrypt only the used space ("Used Disk Space Only"), making the initial encryption a lot faster. Network Unlock allows an administrator to have an encrypted OS drive unlocked automatically during boot while the device is connected to the trusted corporate wired network. Full-disk encryption encrypts every sector, free space included, so remnants of previously deleted files are also covered; the trade-off is a longer initial encryption pass, the run-time overhead afterwards is the same. Used-space-only is fine for a freshly built server, a drive that already held data should get the full encryption

Installing the BitLocker feature requires rebooting the server; to install it using PS (restarting automatically) run:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

When using EFS (Encrypting File System) you can use the cipher.exe command line to manage encrypted files (cipher /e and /d to encrypt and decrypt, /c to see which users and recovery agents can decrypt a file, /w to wipe free space). If your machine does not have a TPM chip, use these GPO settings (in the Default Domain Policy or, better, a dedicated GPO) to allow BitLocker:

  • Computer Config > Admin Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup : Enabled, with "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" ticked
  • Computer Config > Admin Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Choose how BitLocker-protected operating system drives can be recovered : Enabled, with "Save BitLocker recovery information to AD DS" so recovery passwords are escrowed in Active Directory

Network Unlock has lots of requirements: a PKI (a Network Unlock certificate on the WDS server), DHCP, the WDS role with the BitLocker Network Unlock feature on a server reachable at boot time, and UEFI firmware with a DHCP driver on the clients
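Putting the TPM / no-TPM choice and the recovery-key escrow together, this is how I'd script the OS-drive encryption on a server; it is an added example, not code from the article. It assumes an elevated session after the BitLocker feature install and reboot, that E:\ is the removable drive for the startup key in the no-TPM case, and that the GPOs above have applied (the script checks the registry value the first one writes).

```powershell
# Added example, not the article's code: enable BitLocker on the OS drive,
# TPM if present, otherwise USB startup key, with the recovery password
# backed up to AD DS first. $usb and the Aes256 choice are lab assumptions.
$os  = $env:SystemDrive          # normally "C:"
$usb = 'E:\'                     # removable drive for the startup key (no-TPM case)

# "Require additional authentication at startup" with "Allow BitLocker without
# a compatible TPM" ticked writes EnableBDEWithNoTPM=1 under the FVE policy key
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$noTpmAllowed = (Get-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -ErrorAction SilentlyContinue).EnableBDEWithNoTPM -eq 1

# Recovery password first, so it exists and is escrowed before encryption starts
Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $os).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId

$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmReady) {
    # TPM 1.2+: volume key sealed to the platform, transparent boot.
    # -UsedSpaceOnly is fine on a fresh build; drop it for a drive that held data.
    Enable-BitLocker -MountPoint $os -EncryptionMethod Aes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest
} elseif ($noTpmAllowed) {
    # No TPM: startup key on USB, which must be present at every boot
    Enable-BitLocker -MountPoint $os -EncryptionMethod Aes256 -UsedSpaceOnly -StartupKeyProtector -StartupKeyPath $usb -SkipHardwareTest
} else {
    throw 'No usable TPM and the GPO does not allow BitLocker without one'
}

# Verify: protection on, protectors present, encryption progressing
Get-BitLockerVolume -MountPoint $os | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Backup-BitLockerKeyProtector only succeeds when the computer object can be written and the recovery GPO is in place, so run this while the machine can reach a domain controller; if the escrow fails you still have the password in the output of Get-BitLockerVolume, keep it somewhere other than the drive you are about to encrypt.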

 

Distributed File System (DFS) stuff

To use DFS install the roles "DFS Namespaces" (it gives you the virtual folder tree) and "DFS Replication". Some of the advantages of using DFS are:

  • Simplified Data Migration; users don't need to know the physical location of the data, so admins can move it from server to server behind the same namespace path
  • Security Integration; access is still governed by the NTFS (and share) permissions of the target folders, DFS adds no permission layer of its own
  • Access-Based Enumeration (ABE); DFS can display only the files and folders a user has access to, hiding the rest

A new feature of Server 2012 R2 is the ability to clone the DFSR database to another server instead of waiting for initial replication to complete; to do so follow these steps:

  1. Create a replication group and a replicated folder: New-DfsReplicationGroup -GroupName "REP01" and New-DfsReplicatedFolder -GroupName "REP01" -FolderName "FOLDER1"
  2. Add the upstream server as a member of the group (Add-DfsrMember) and set its membership for the folder (Set-DfsrMembership with -PrimaryMember $true)
  3. Run Update-DfsrConfigurationFromAD so the upstream server picks up the new DFSR configuration from AD
  4. Wait for the DFSR service to initialize the replicated folder; event ID 4112 in the DFS Replication event log tells you it's done
  5. Export the database clone with the Export-DfsrClone cmdlet. The export is complete when you see event ID 2402
  6. Last, use robocopy.exe to preseed the files (and copy the exported clone) to the destination server, where Import-DfsrClone loads it

A new feature of Windows Server 2012 R2 is also the ability to list and restore files from the "ConflictAndDeleted" and "PreExisting" folders by using the cmdlets Get-DfsrPreservedFiles and Restore-DfsrPreservedFiles
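The whole cloning procedure end to end, together with the staging-quota and RDC tuning from the replication notes above and a preserved-file restore, as one added example that is not code from the article. Server names (SRV01 upstream, SRV02 downstream), group and folder names, D:\ paths and the 16 GB staging quota are lab assumptions; it runs from a management host with the DFSR tools installed and admin rights on both servers. It goes one step past the article's list by importing the clone and creating the connection on the downstream server, which is what makes the clone useful.

```powershell
# Added example, not the article's code: DFSR database cloning, SRV01 -> SRV02.
# Names, paths and sizes are lab assumptions.
$group = 'REP01'; $folder = 'FOLDER1'
$up = 'SRV01'; $down = 'SRV02'
$path = "D:\$folder"; $clone = 'D:\DfsrClone'
$vol = Split-Path $path -Qualifier      # "D:"

# 1-2. Group, folder, upstream member. Staging quota set explicitly: a staging
#      area that is too small shows up as staging high-watermark warnings in the
#      DFS Replication log. In production put staging on another volume.
New-DfsReplicationGroup -GroupName $group | Out-Null
New-DfsReplicatedFolder -GroupName $group -FolderName $folder | Out-Null
Add-DfsrMember -GroupName $group -ComputerName $up | Out-Null
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName $up -ContentPath $path -PrimaryMember $true -StagingPathQuotaInMB 16384 -Force | Out-Null

# 3-4. Push the AD config to the upstream server, then wait for DFSR to
#      initialize the folder (event 4112 logged after we started)
$start = Get-Date
Update-DfsrConfigurationFromAD -ComputerName $up
$tries = 0
do {
    Start-Sleep -Seconds 15
    $ev = Get-WinEvent -ComputerName $up -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4112; StartTime = $start } -MaxEvents 1 -ErrorAction SilentlyContinue
    $tries++
} until ($ev -or $tries -ge 40)
if (-not $ev) { throw "No event 4112 on $up within 10 minutes; check its DFS Replication log" }

# 5. Export the clone on the upstream server (event 2402 when finished)
Invoke-Command -ComputerName $up -ScriptBlock {
    param($clone, $vol)
    New-Item -ItemType Directory -Path $clone -Force | Out-Null
    Export-DfsrClone -Volume $vol -Path $clone -Validation Basic
} -ArgumentList $clone, $vol

# 6. Preseed data and the clone with robocopy: /B so ACLs and system files copy,
#    /COPYALL so hashes match (a mismatch forces a full sync), DfsrPrivate excluded
robocopy $path "\\$down\D$\$folder" /E /B /COPYALL /R:6 /W:5 /MT:64 /XD DfsrPrivate /LOG+:C:\preseed.log
robocopy $clone "\\$down\D$\DfsrClone" /E /B /COPYALL /R:6 /W:5

# 7. Import the clone downstream, then add the member and a connection. RDC is
#    disabled here because both servers share a LAN segment; leave it on over a WAN.
Invoke-Command -ComputerName $down -ScriptBlock {
    param($clone, $vol) Import-DfsrClone -Volume $vol -Path $clone
} -ArgumentList $clone, $vol
Add-DfsrMember -GroupName $group -ComputerName $down | Out-Null
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName $down -ContentPath $path -StagingPathQuotaInMB 16384 -Force | Out-Null
Add-DfsrConnection -GroupName $group -SourceComputerName $up -DestinationComputerName $down -DisableRDC | Out-Null
Update-DfsrConfigurationFromAD -ComputerName $up, $down

# Recovering a file DFSR moved aside: list, then restore in place
$manifest = "$path\DfsrPrivate\ConflictAndDeletedManifest.xml"
Get-DfsrPreservedFiles -Path $manifest
Restore-DfsrPreservedFiles -Path $manifest -RestoreToOrigin -AllowOverwrite
```

Note the order in step 7: the clone is imported before the downstream member is added in AD, so DFSR finds a database that already describes the preseeded files when it starts up; done the other way round it would begin a normal initial sync and ignore the clone.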

Performance Monitor stuff

Open Server Manager > Tools > and there you'll see both Performance Monitor and Resource Monitor

Most registry changes take effect without a reboot (some need a service restart or a reboot). Make only one change at a time, otherwise (if you make too many changes) you'll never know which of those changes had the positive impact; in addition, making one change at a time allows you to roll back if needed. The System Stability Index shown by Reliability Monitor goes from 1 (least stable) up to 10 (most stable). These are some of the tools you'll use alongside Performance Monitor:

  • Data Collector Sets; define which counters and traces are collected, where the logs are stored, the credentials the set runs with and when it runs
  • Other tools you can use are Network Monitor (you can download it here: https://www.microsoft.com/en-gb/download/details.aspx?id=4865), Task Manager and Event Viewer. The tabs of Task Manager are Processes (memory and CPU usage), Performance (graphs), Users (disconnect and message them), Details (end processes and set affinity) and Services (stop and start, and open services.msc from there)
  • The Subscriptions section of Event Viewer collects events forwarded from other computers (Windows Event Forwarding) into a log on the collector. Custom Views are a great way of filtering down to the events you're interested in
  • SNMP; install the SNMP Service from Roles and Features, then configure the community strings and the hosts allowed to query it from the service properties in "services.msc"
  • The good old Microsoft Baseline Security Analyzer can still be downloaded from here: https://www.microsoft.com/en-us/download/details.aspx?id=19892 Run a scan when you open the app to check for missing security updates and common misconfigurations; from the command line:
mbsacli.exe /hf -h AD01          #scans machine AD01 for missing security updates
mbsacli.exe /hf -i 192.168.0.x   #scans the machine with that IP address
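A Data Collector Set is quicker to create from the command line than by clicking, and a short live sample is what you want before and after that single change you're testing. The following is an added example, not the article's code; the counter list, 15 s interval, 250 MB cap and the thresholds are assumptions for a lab box.

```powershell
# Added example, not the article's code: a counter data collector set via
# logman, plus a live Get-Counter sample checked against thresholds.
# Counters, interval, log size and limits are assumptions for a lab server.
$setName  = 'Baseline'
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\System\Processor Queue Length'
)

# Data Collector Set: binary circular log capped at 250 MB, sampled every 15 s,
# stored under C:\PerfLogs (same thing as Performance Monitor > Data Collector Sets)
New-Item -ItemType Directory -Path C:\PerfLogs -Force | Out-Null
logman create counter $setName -c $counters -si 00:00:15 -f bincirc -max 250 -o "C:\PerfLogs\$setName" | Out-Null
logman start $setName | Out-Null
logman query $setName

# Live sample: 4 samples 5 s apart, averaged per counter and flagged over a limit.
# Hashtable keys are case-insensitive, so they match the lower-cased counter paths.
$limits = @{
    '% Processor Time'       = 80
    'Avg. Disk Queue Length' = 2
    'Processor Queue Length' = 4
}
$samples = (Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 4).CounterSamples
$report = $samples | Group-Object Path | ForEach-Object {
    $name = ($_.Name -split '\\')[-1]
    $avg  = ($_.Group | Measure-Object CookedValue -Average).Average
    $hot  = $limits.ContainsKey($name) -and $avg -gt $limits[$name]
    [pscustomobject]@{ Counter = $name; Average = [math]::Round($avg, 2); Hot = $hot }
}
$report | Format-Table -AutoSize

# When done: logman stop Baseline ; logman delete Baseline
```

The circular log means the set can run for weeks without filling the disk; open the .blg in Performance Monitor afterwards and compare the window before and after the change, which is a lot more honest than eyeballing a live graph for a minute.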

 

Auditing stuff

Use the settings under GPO > Computer Configuration > Windows Settings > Security Settings > Audit Policy (or the more granular Advanced Audit Policy Configuration in the same tree); the "auditpol.exe" command can be used to back up, restore and set audit policies. Refer to my other article for a deep dive on Audit Policies.

Expression-Based Audit Policies are used with Dynamic Access Control to let admins track all read/write operations on files that are considered critical, with the audit scoped by an expression (for example by resource property or user claim) instead of a plain SACL on each folder
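Back up first, then set, then look at what the policy produces: the following is an added example, not code from the article, that does those three things with auditpol and Get-WinEvent. The subcategory list, the one-hour window and the "5 failures from one source" threshold are assumptions; adjust them to your environment.

```powershell
# Added example, not the article's code: back up the audit policy, enable a
# set of subcategories, then query failed logons the way a Custom View would.
# Subcategories, the 1-hour window and the threshold are assumptions.
$backup = "C:\AuditBackup\auditpol-$(Get-Date -Format yyyyMMdd-HHmm).csv"
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
auditpol /backup /file:$backup          # roll back with: auditpol /restore /file:<that file>

# Subcategory-level settings (advanced audit policy) rather than the 9 legacy categories
$subcats = 'Logon', 'Logoff', 'Account Lockout', 'Credential Validation',
           'Audit Policy Change', 'Security Group Management', 'Process Creation'
foreach ($s in $subcats) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}
auditpol /get /category:"Logon/Logoff"

# Detection query: failed logons (4625) in the last hour grouped by source IP,
# so a password spray (one IP, many accounts) stands out from a typo
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$parsed = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Source = $d.IpAddress
        Status = $d.SubStatus      # 0xC000006A bad password, 0xC0000064 no such user
        Logon  = $d.LogonType
    }
}
$parsed | Group-Object Source | Where-Object Count -ge 5 |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count, @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

The SubStatus is worth keeping in the output: a run of 0xC0000064 (unknown user) from one address is someone enumerating names, while 0xC000006A against many real accounts is a spray, and the response to each is different.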

 
