Sunday, July 21, 2013

Delegating certificate template duplication and CA management for an Enterprise CA in Windows Server

By default, only members of Enterprise Admins can duplicate (that is, create) certificate templates, because templates are stored in the Configuration partition of the forest rather than in any single domain. To delegate duplication of certificate templates to another user or group, we need to change permissions in Active Directory with ADSI Edit.

Lab environment
Host name: DC01.adcslab.local
Roles: Domain Controller and DNS server of adcslab.local
Operating System: Windows Server 2008 R2

Host name: DC02.corp.adcslab.local
Roles: Domain Controller and DNS server of corp.adcslab.local
Operating System: Windows Server 2008 R2

Host name: CS01.corp.adcslab.local
Roles: member server of corp.adcslab.local and AD CS
Operating System: Windows Server 2008 Enterprise x64 edition

CA environment:
1 CA server, CS01.corp.adcslab.local, with ADCSLAB root CA

Goal
Grant Terry, a user in corp.adcslab.local, the rights to manage the CA and to manage all certificate templates.

Configuring Manage CA permissions
By default, Enterprise Admins, Domain Admins and the local Administrators group of the AD CS server can manage the Certification Authority. Now I will grant Terry, a user in corp.adcslab.local, permission to manage the CA.

1. On CS01, log in as corp.adcslab.local Administrator.
2. Launch "Certification Authority".
3. Right-click "ADCSLAB Root CA", select "Properties".


4. On "ADCSLAB Root CA Properties" window, select "Security" tab.


5. On "Security" tab, click "Add".
6. On "Select Users, Computers, or Groups" window, enter "Terry".


7. Click "OK".
8. Next to "Permissions for Terry", check "Allow - Issue and Manage Certificates" and "Allow - Manage CA".


9. Click "OK".

Remark: "Manage CA" is the CA Administrator role and "Issue and Manage Certificates" is the Certificate Manager role. In a production environment, grant these permissions to a global or universal group that contains the users who manage the CA, rather than to an individual user. Also note that if CA role separation is enforced, an account that holds both roles is blocked from performing either of them.
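As an added example (not from the original post), the following PowerShell decodes the CA's own security descriptor so you can review who holds "Manage CA" and "Issue and Manage Certificates" after step 9, and flags any account that holds both. It runs on the CA server itself and reads the descriptor from the CertSvc registry key; the access-mask bit values are those of the CA security interface (ICertAdmin2::SetCASecurity), and $CaName defaults to the only CA on the lab server.

```powershell
# Added example, not part of the original post. Run on the CA server (CS01) as an administrator.
# The CA keeps its ACL as a binary security descriptor under
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\Security.
# Access-mask bits used by ICertAdmin2::SetCASecurity:
$CaRights = @{
    ManageCA                   = 0x1    # CA_ACCESS_ADMIN    -> "Manage CA"
    IssueAndManageCertificates = 0x2    # CA_ACCESS_OFFICER  -> "Issue and Manage Certificates"
    Read                       = 0x100  # CA_ACCESS_READ
    Enroll                     = 0x200  # CA_ACCESS_ENROLL
}

function Get-CaAccessEntries {
    param(
        # CA name as it appears under CertSvc\Configuration; the lab server has exactly one CA.
        [string]$CaName = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').PSChildName | Select-Object -First 1
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    [byte[]]$sdBytes = (Get-ItemProperty -Path $key -Name Security).Security
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sdBytes, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the SID to a name; keep the raw SID if it no longer resolves
        # (an orphaned ACE from a deleted account is itself worth noticing).
        try   { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $principal = $ace.SecurityIdentifier.Value }

        $granted = @($CaRights.Keys | Where-Object { ($ace.AccessMask -band $CaRights[$_]) -ne 0 })
        [pscustomobject]@{
            CA        = $CaName
            Principal = $principal
            Type      = $ace.AceType            # AccessAllowed / AccessDenied
            Rights    = ($granted | Sort-Object) -join ', '
            BothRoles = ($granted -contains 'ManageCA') -and ($granted -contains 'IssueAndManageCertificates')
        }
    }
}

function Get-CaRoleSeparation {
    # RoleSeparationEnabled is a REG_DWORD under the CA key; 1 means role separation is enforced.
    param([string]$CaName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $v = (Get-ItemProperty -Path $key -Name RoleSeparationEnabled -ErrorAction SilentlyContinue).RoleSeparationEnabled
    return ($v -eq 1)
}

$entries = Get-CaAccessEntries
$entries | Format-Table Principal, Type, Rights -AutoSize

$enforced = Get-CaRoleSeparation -CaName $entries[0].CA
$entries | Where-Object { $_.BothRoles -and $_.Type -eq 'AccessAllowed' } | ForEach-Object {
    $msg = "$($_.Principal) holds both Manage CA and Issue and Manage Certificates."
    if ($enforced) { $msg += ' Role separation is enforced, so this account is blocked from both roles.' }
    else           { $msg += ' If role separation is later enforced (certutil -setreg CA\RoleSeparationEnabled 1), this account will be blocked from both.' }
    Write-Warning $msg
}
```

After the procedure above, Terry appears in the output with Rights "IssueAndManageCertificates, ManageCA" and BothRoles True, which is exactly the combination the remark warns about.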

Test result
1. On CS01, log in as Terry.
2. Launch "Certification Authority".
3. Expand "ADCSLAB Root CA > Certificate Templates".


4. In the right pane, right-click "Basic EFS" and then select "Delete".


5. On the "Disable certificate templates" window, click "Yes".


Remark: This only removes the template from the list of templates this CA issues; the template object itself stays in Active Directory.

As a result, Terry can manage the ADCSLAB Root CA.


Delegate duplication of all certificate templates
1. On DC01, log in as adcslab.local Administrator.
2. Click "Start", enter "adsiedit.msc" to launch "ADSI Edit".
3. Right-click "ADSI Edit", select "Connect to".


4. On "Connection Settings" window, next to "Select a well known Naming Context", select "Configuration".


5. Click "OK".

Remark: Make sure you are connected to the Configuration naming context of the forest root domain. The Configuration partition is forest-wide, which is why these permissions are not set from the child domain's own partition.

6. Expand "Configuration > CN=Configuration,DC=adcslab,DC=local > CN=Services > CN=Public Key Services".
7. In the center pane, right-click "CN=Certificate Templates", select "Properties".


8. On the "CN=Certificate Templates Properties" window, click the "Security" tab.


9. Click "Add".
10. On "Select Users, Computers, or Groups" window, click "Locations".


11. On "Locations" window, select "corp.adcslab.local".


12. Click "OK".
13. Next to "Enter the object names to select (examples)", enter "Terry".


14. Click "OK".
15. Next to "Permissions for Terry", check "Allow - Full control".


16. Click "OK".
17. In the center pane, right-click "CN=OID", select "Properties".


18. On the "CN=OID Properties" window, click the "Security" tab.
19. Click "Add".
20. On "Select Users, Computers, or Groups" window, click "Locations".


21. On "Locations" window, select "corp.adcslab.local".


22. Click "OK".
23. Next to "Enter the object names to select (examples)", enter "Terry" and then click "OK".
24. Next to "Permissions for Terry", check "Allow - Full control".


25. Click "OK".
26. Close "ADSI Edit".

Remark: Duplicating a template creates a new template object under "CN=Certificate Templates" and registers a new template OID under "CN=OID", which is why both containers need the permission. Full control on these containers is a powerful right: the delegate can create templates with any settings and, where the permission applies to descendant objects, change every existing template as well, including who may enroll. In a production environment, grant it to a dedicated global or universal group that contains the users who manage "Certificate Templates" and "OID", not to an individual user, and review the ACLs on both containers periodically.
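As an added example (not from the original post), the following PowerShell performs steps 1-26 with the ActiveDirectory module instead of ADSI Edit, granting the same "Full control" on the Certificate Templates and OID containers, but to a group as the remark recommends. It then lists every principal that can write to those containers, which is the check you want after delegating. Run it as an Enterprise Admin on a machine with the AD module (DC01 in the lab); the group name "CORP\PKI Template Admins" is an assumption and must exist beforehand.

```powershell
# Added example, not part of the original post. Run as Enterprise Admin where the
# ActiveDirectory module is available (DC01 in the lab).
Import-Module ActiveDirectory

$Group    = 'CORP\PKI Template Admins'   # assumed lab group; create it first and add Terry to it
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$Targets  = @(
    "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC",
    "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC"
)

function Grant-PkiContainerFullControl {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Identity,
        # $false mirrors the post: the ACE applies to the container only, which is enough
        # to create (duplicate) templates. $true also covers every existing template object.
        [bool]$IncludeDescendants = $false
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $sid  = (New-Object System.Security.Principal.NTAccount($Identity)).Translate([System.Security.Principal.SecurityIdentifier])
    $inh  = if ($IncludeDescendants) { [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All }
            else                     { [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None }
    # GenericAll is what the "Allow - Full control" check box in ADSI Edit grants.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $inh)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-PkiContainerWriters {
    # Every Allow ACE that can alter templates or the container ACL itself:
    # full control, generic write, write DACL/owner, write property, or create child.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $write = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, CreateChild'
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.ActiveDirectoryRights -band $write) -ne 0) } |
        Select-Object @{ n = 'Container'; e = { $DistinguishedName.Split(',')[0] } },
                      IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

foreach ($dn in $Targets) {
    Grant-PkiContainerFullControl -DistinguishedName $dn -Identity $Group
}

# Review: anything here other than the built-in PKI groups, Enterprise Admins, SYSTEM and
# the group you just delegated to deserves an explanation.
$Targets | ForEach-Object { Get-PkiContainerWriters -DistinguishedName $_ } | Format-Table -AutoSize
```

The same two ACLs are what a reviewer inspects when auditing who can introduce or alter templates in a forest, so keeping Get-PkiContainerWriters around as a recurring check is worthwhile even if the delegation itself is done once in the GUI.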

Test result
1. On CS01, log in as the corp.adcslab.local Administrator.
2. Click "Start", enter "certtmpl.msc" to launch the Certificate Templates console.
3. In the "Certificate Templates" console, right-click "Computer" and then select "Duplicate Template".


4. On the "Duplicate Template" window, select "Windows Server 2003 Enterprise" and then click "OK".


The corp.adcslab.local Administrator cannot duplicate the certificate template: Domain Admins of a child domain have no write access to the forest's Configuration partition by default, and we have not granted this account any permission on the "Certificate Templates" or "OID" containers.


5. Click "OK".
6. Log off corp.adcslab.local Administrator.
7. Log in as Terry.
8. Launch the Certificate Templates console.
9. In the "Certificate Templates" console, right-click "Computer" and then select "Duplicate Template".
10. On the "Duplicate Template" window, select "Windows Server 2003 Enterprise" and then click "OK".
11. On the "General" tab of the "Properties of New Template" window, next to "Template display name", enter "ADCSLAB Computer".


12. Click "OK".

As a result, Terry can duplicate the computer certificate template.


This posting is provided “AS IS” with no warranties, and confers no rights!

Wednesday, July 10, 2013

Installing and Configuring Windows Deployment Services in Windows Server 2012 - Part 3

In part 2, I performed the initial configuration of Windows Deployment Services on MS02. In this part, we will import a boot image into WDS.

Import a boot image in WDS
A boot image is a Windows PE image. The Windows Deployment Services server sends it over the network to client computers, which boot into Windows PE and from there run Windows Setup. The boot image (boot.wim) can be found on a Windows installation DVD.

1. On MS02, log in as Domain Administrator.
2. Insert "Windows 8 Enterprise x64" DVD.
3. Launch "Windows Deployment Services".
4. Expand "Servers > MS02.corp.contoso.com > Boot Images".
5. Right-click "Boot Images", select "Add Boot Image".


6. On "Image File" window, click "Browse".


7. Navigate to "D:\Sources" folder, select "boot.wim", click "Open".


D: is the DVD drive of MS02.

8. On "Image File" window, click "Next".


9. On "Image Metadata" window, next to "Image name" and "Image description", enter "Windows 8 PE (x64)".


Remark: To deploy Windows 8, we need the boot.wim from the Windows 8 installation DVD. If we use the boot.wim from an older version of Windows, the deployment of the OS fails.


10. Click "Next".
11. On "Summary" window, click "Next".


12. On "Task Progress" window, click "Finish".


Remark: If you need to deploy Windows 8 x86 to a computer, you must also import the boot.wim from the Windows 8 x86 media into WDS.
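As an added example (not from the original post), the following PowerShell does steps 2-12 from the command line: it inspects boot.wim with the DISM module before importing it, derives the architecture for the image name so that the x86 and x64 images from the remark do not get confused, and imports the image with wdsutil, which is what the "Add Boot Image" wizard drives underneath. It runs on the WDS server (MS02) as an administrator; the path assumes D: is the DVD drive as in the lab.

```powershell
# Added example, not part of the original post. Run on the WDS server (MS02) as an administrator.
$BootWim = 'D:\Sources\boot.wim'   # D: is the DVD drive in the lab

# What does the WIM contain? A Windows 8 boot.wim carries two images:
# index 1 "Microsoft Windows PE" and index 2 "Microsoft Windows Setup".
Get-WindowsImage -ImagePath $BootWim | Format-Table ImageIndex, ImageName, ImageDescription -AutoSize

# Architecture of the setup image: 9 = x64, 0 = x86. An x86 client cannot use an x64
# boot image, so import one boot image per architecture and name them distinctly.
$setup    = Get-WindowsImage -ImagePath $BootWim -Index 2
$archName = switch ($setup.Architecture) {
    9       { 'x64' }
    0       { 'x86' }
    default { "arch$($setup.Architecture)" }
}

# Import with the same name and description the post types into the wizard.
wdsutil /Verbose /Progress /Add-Image /ImageFile:"$BootWim" /ImageType:Boot `
    /Name:"Windows 8 PE ($archName)" /Description:"Windows 8 PE ($archName)"

# Verify the boot image is now registered on the server.
wdsutil /Get-AllImages /Show:Boot
```

Running the same script against the x86 DVD yields a second image named "Windows 8 PE (x86)", so the remark's requirement is met without relying on anyone typing the architecture by hand.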


Monday, July 8, 2013

Using wmic to find a machine's serial number

It is easy to find a computer's serial number with wmic.

1. On a computer, log in as Administrator.
2. Launch "Command Prompt" as administrator.
3. Run "wmic bios get serialnumber".



Friday, July 5, 2013

Installing and Configuring Windows Deployment Services in Windows Server 2012 - Part 2

In part 1, I installed Windows Deployment Services on MS02. In this part, I will perform the initial configuration of Windows Deployment Services on MS02.

Initial configuration of Windows Deployment Services
1. On MS02, log in as Domain Administrator.
2. Launch "Windows Deployment Services".
3. Expand "Servers > MS02.corp.contoso.com".
4. Right-click "MS02.corp.contoso.com", select "Configure Server".


5. On "Before You Begin" window, click "Next".


6. On the "Install Options" window, select "Integrated with Active Directory" and click "Next".


7. On the "Remote Installation Folder Location" window, leave the default path and click "Next".


Remark: The remote installation folder must be on an NTFS volume.

8. On the "System Volume Warning" window, click "Yes".



The remote installation folder should be stored on a separate volume or disk rather than the system volume, which is what this warning is about. In my lab environment, MS02 has one hard disk with one volume, so I accept the warning.

9. On "PXE Server Initial Settings" window, select "Respond to all client computers (known and unknown)".


10. Click "Next".

Remark: With this option, the PXE server answers both known computers (those pre-staged in Active Directory) and unknown computers, so any machine on the network segment can PXE-boot from this server and install a Windows image. That is convenient in a lab; in production, prefer "Respond only to known client computers", or keep "Respond to all client computers" but enable "Require administrator approval for unknown computers" so unknown machines wait in "Pending Devices" until approved.

11. On "Operation Complete" window, clear "Add images to the server now" check box.


12. Click "Finish".
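As an added example (not from the original post), the following PowerShell performs the same initial configuration with wdsutil, which is the command-line counterpart of the "Configure Server" wizard, and replaces step 9 with the stricter PXE response policy discussed in the remark. It runs on the WDS server (MS02) as an administrator; the D:\RemoteInstall path is an assumption standing in for a dedicated NTFS volume.

```powershell
# Added example, not part of the original post. Run on the WDS server (MS02) as an administrator.
$RemInst = 'D:\RemoteInstall'   # assumed: a dedicated NTFS volume rather than the system drive

# Steps 6-8: create the RemoteInstall folder and share and register the server in AD.
# The server is domain-joined, so this is the "Integrated with Active Directory" mode.
wdsutil /Verbose /Initialize-Server /RemInst:"$RemInst"

# Step 9: the post picks "Respond to all client computers (known and unknown)", the
# most permissive policy. Answer only computers pre-staged in Active Directory instead:
wdsutil /Set-Server /AnswerClients:Known

# Alternative: answer everyone, but park unknown machines under "Pending Devices"
# until an administrator approves them.
# wdsutil /Set-Server /AnswerClients:All
# wdsutil /Set-Server /AutoAddPolicy /Policy:AdminApproval

# Steps 11-12: no images are added here; confirm the resulting server configuration.
wdsutil /Get-Server /Show:Config
```

Whichever policy you choose, /Get-Server /Show:Config is the quick way to confirm it later, since the wizard's choice is otherwise only visible under the server's Properties in the WDS console.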



Using Server Manager in Windows Server 2012 to manage previous versions of Windows Server

To fully manage remote servers running Windows Server 2008 or Windows Server 2008 R2 from Server Manager in Windows Server 2012, we need to install the following updates on those Windows Server 2008 or Windows Server 2008 R2 servers.
  • Microsoft .Net Framework 4
  • Windows Management Framework 3.0
  • KB2682011
Remark: Server Manager in Windows Server 2012 cannot be used to add roles and features to servers running Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2.

Lab environment
1) 1 Windows Server 2008 R2 server named MS2K8R2, joined to corp.contoso.com
2) The IP address of MS2K8R2 is 192.168.2.31
3) 1 Windows Server 2012 server named DC01, joined to corp.contoso.com

1. On MS2K8R2, log in as Domain Administrator.
2. Install "Microsoft .Net Framework 4".


3. Install "Windows Management Framework 3.0" for Windows Server 2008 R2.


4. Install "KB2682011" for Windows Server 2008 R2.


5. Launch "PowerShell" as administrator.
6. Run "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned" to set the execution policy to "RemoteSigned".
7. Enter "Y".


8. Run "Configure-SMRemoting.ps1 -force -enable" to enable remote management.


Remark: "Configure-SMRemoting.ps1" updates the WinRM settings and the firewall settings of MS2K8R2. The following firewall rules are enabled.
  • Remote Service Management (NP-In)
  • Remote Service Management (RPC)
  • Remote Service Management (RPC-EPMAP)
  • Remote Event Log Management (NP-In)
  • Remote Event Log Management (RPC)
  • Remote Event Log Management (RPC-EPMAP)
  • Windows Firewall Remote Management (RPC)
  • Windows Firewall Remote Management (RPC-EPMAP)
Remark: In a production environment, we can use Group Policy to deploy the above firewall settings to the servers you want to manage.

9. Go to DC01, log in as Domain Administrator.
10. Launch "Server Manager".
11. On the "Dashboard" window, click "Add other servers to manage".


12. On the "Add Servers" window, next to "Name (CN)", enter "MS2K8R2".
13. Click "Find Now".
14. Select "MS2K8R2" and then click ">" icon.


15. Click "OK".
16. On left pane, click "All Servers".


Now, you can manage MS2K8R2 by Server Manager of DC01.

Test result
1. On DC01, log in as Domain Administrator.
2. Launch "PowerShell" as administrator.
3. Run "Enter-PSSession -ComputerName MS2K8R2".
4. Run "Import-Module ServerManager".
5. Run "Get-WindowsFeature *backup*".


As a result, we can use PowerShell to manage MS2K8R2.
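As an added example (not from the original post), the following PowerShell runs from the Windows Server 2012 management server (DC01 in the lab) and checks a down-level server for the three prerequisites installed by hand above, plus whether the WinRM listener that Configure-SMRemoting.ps1 relies on actually answers. It is useful before adding a batch of 2008/2008 R2 servers to Server Manager, and it reports the remote execution policy since the post changes it to RemoteSigned. The .NET registry path and the hotfix lookup are the standard locations; the computer name is the lab's.

```powershell
# Added example, not part of the original post. Run on DC01 (Windows Server 2012) as a domain administrator.
function Test-DownlevelSmPrereqs {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{ ComputerName = $ComputerName }

    # 1. Is WinRM reachable? Test-WSMan returns the remote WS-Management stack version:
    #    "Stack: 3.0" means WMF 3.0 is installed, "Stack: 2.0" means it is not.
    try {
        $id = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $result.WinRM      = 'OK'
        $result.WsManStack = ($id.ProductVersion -split 'Stack:\s*')[-1].Trim()
    } catch {
        $result.WinRM = "FAIL: $($_.Exception.Message)"
        return [pscustomobject]$result   # nothing else can be checked without WinRM
    }

    # 2. Collect the remaining facts in one remote round trip.
    $remote = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        [pscustomobject]@{
            PSVersion  = $PSVersionTable.PSVersion.ToString()
            # .NET Framework 4.x registers this key (4.0 without, 4.5+ with a Release value).
            DotNet4    = Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
            KB2682011  = [bool](Get-HotFix -Id KB2682011 -ErrorAction SilentlyContinue)
            ExecPolicy = (Get-ExecutionPolicy).ToString()
        }
    }

    $result.PSVersion  = $remote.PSVersion
    $result.WMF3       = [version]$remote.PSVersion -ge [version]'3.0'
    $result.DotNet4    = $remote.DotNet4
    $result.KB2682011  = $remote.KB2682011
    $result.ExecPolicy = $remote.ExecPolicy
    $result.Ready      = $result.WMF3 -and $result.DotNet4 -and $result.KB2682011
    [pscustomobject]$result
}

Test-DownlevelSmPrereqs -ComputerName MS2K8R2 | Format-List
```

A server that fails the WinRM step needs the listener enabled first (Configure-SMRemoting.ps1, or winrm quickconfig); one that answers with Stack 2.0 still needs Windows Management Framework 3.0 before Server Manager can manage it.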

Remark: The following functions can be managed in Server Manager for a Windows Server 2008 R2 server.


To add a new role or feature on Windows Server 2008 or Windows Server 2008 R2, we need to use PowerShell (the ServerManager module) on that server rather than the Windows Server 2012 Server Manager.
