Microsoft Windows Server 2008 Archives - Page 8 of 9

Tab completion in Windows

Posted on Monday 6 August 2007Tuesday 7 August 2007 By Mark Wilson

This content is 17 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Many people will be familiar with the command line tab completion functionality that can be used to complete folder and filenames in recent versions of Windows, but what I wasn’t aware of (until I just used it, following some instructions from Microsoft in a hands-on lab training manual) was that wildcards like *.reg <tab> can be used to tab-complete filenames. This technique can even be used as arguments to a longer command, e.g. notepad *.reg <tab>.

Dustin L makes a good point in his comment on the Lifehacker article that discusses command line tab completion – Unix admins will already be familiar with the concept but there are a couple of differences between the Windows and Unix/Linux CLI tab completion implementations:

“In the Windows command line, if there is more than one match for what you’ve typed, successive presses will cycle through all of the matches rather than just display a list of the matches.

Windows will not complete commands, only files and directories.”

Fine grained password policies for Windows Server 2008 Active Directory Domain Services

Posted on Tuesday 31 July 2007 By Mark Wilson

Another new feature in Windows Server 2008 Active Directory Domain Services is that (at long last) it’s now possible to apply multiple password policies within a single domain using a new feature called fine grained password policies. Now PINs can be used for mobile device access and complex passwords for conventional form factor devices without requiring separate domains, third party software or writing a custom password filter DLL.

The fine grained password policies are user and group based (i.e. not per-OU – in order to avoid extra domain load during login) and multiple policies can be applied; however, the new functionality involves a complex administrative process and there is no GUI yet (although the password settings container can be found if Advanced Features are enabled in Active Directory Users and Computers). Fortunately, Joe Richards has written PSOMgr (a command line tool to manage fine grain password policy password settings objects) and Christoffer Andersson has a similar tool with MMC/PowerShell interfaces.

Improvements in Windows Server 2008 DNS

Posted on Monday 30 July 2007Monday 30 July 2007 By Mark Wilson

Windows administrators have been waiting to see the back of WINS for years but many applications still rely on single name lables (and multiple DNS name suffixes can become unwieldy). Windows Server 2008 DNS will provide an alternative through its GlobalNames zone (one of several improvements in Windows Server 2008 DNS).

Although it’s not listed in the article linked above, I understand (from Scotty McLeod) that Windows Server 2008 DNS allows the application of a conditional forward (globally – i.e. to all DNS servers) at the domain level; unfortunately, forwarder information still has to be defined on a server-by-server basis.

Windows Server 2008 read only domain controllers

Posted on Monday 30 July 2007 By Mark Wilson

This is the last post I’m intending to write based on the content from the recent Windows Server UK User Group meeting – this time inspired by Scotty Mc Leod‘s presentation on read only domain controllers (RODCs), a new feature in Windows Server 2008.

In my post from a few weeks back about some of the new features in Windows Server 2008, I wrote:

Backup domain controllers (BDCs) are back! Except that now they are called read-only domain controllers (with unidirectional replication to offer credential caching and whilst increasing the physical security of remote domain controllers, e.g. in branch offices).

That statement was slightly tongue-in-cheek and, if taken literally would be inaccurate. RODCs are more complex than Windows NT BDCs were. Active Directory still uses a multiple master replication model, but RODCs are really a means of providing a read-only replica of the directory (with outbound replication disabled) – for example at remote sites where to have a fully-functional domain controller would be a security risk. As far as Active Directory is concerned, an RODC is not a domain controller – it actually has a standard workstation account (with some extra attributes).

This has a major advantage in that, unlike a domain controller, an RODC has a local account database, with a local Administrators group (of which Domain Admins will be a member). In effect, this means that a user can be made a full administrator of the RODC, without needing to be a Domain Admin.

In order to create an RODC, the forest and domain need to be at Windows Server 2003 forest functional level with at least one (preferably more) Windows Server 2008 DC present. The forest and domain must also have been prepared for RODCs with adprep /rodc.

The next stage is to provision the computer account, selecting a site, and whether or not DNS/Global Catalog services will be enabled). Control over the information stored on an RODC is controlled with password replications policies – allow/deny lists for replication of passwords based on users, groups or computers. 2 new groups are created – DeniedRODCPassword and AllowsRODCPassword and as for other Windows NT ACLs, deny takes precendence over allow. Next, it’s necessary to define who will manage the RODC – this effectively defines a user account that can administer the server without needing Domain Admins membership (e.g. to apply patches, restart the server, etc.). One gotcha is that this is a user contact (not a group) – many organisations will circumvent this with service accounts, but that’s really not good practice.

Following this, a new computer account should be visible in the directory. The Windows Server 2003 version of Active Directory Users and Computers (ADUC) will see the account as disabled, whereas the Windows Server 2008 tools will report it as an unoccupied DC account. On joining the domain, the computer will be linked with its account and will become an RODC.

The RODC concept relies on a principle called constrained Kerberos delegation, which in turn needs value linked replication – hence the requirement for a Windows Server 2003 domain and forest dunctional level. In addition the requirement for a Windows Server 2008 DC with which to communicate is created as Windows Server 2003 DC will see the RODC as a “normal” computer – e.g. a workstation. Of course, the Windows Server 2008 DC is potentially a single point of failure, so more than one should be deployed.

The constrained Kerberos authentication works as follows:

In addition to the krbtgt account that will already exist in the domain (a Kerberos ticket granting service account), each RODC will have its own TGT account created in the form krbtgt_identifier in order to issue its own Kerberos tickets without compromising domain security.
If a user attempts to logon at a remote site, their credential
s will initially be validated by the local RODC.
Because password hashes are stripped from RODC replication, if this is the user’s first login attempt, or if they are not in the AllowsRODCPassword group, then the authentication request will be passed across the WAN to a full DC. When the ticket is returned, the RODC asks a full DC running Windows Server 2008 DC replicate a single attribute (the password hash), which is then held for future logins.
If a login is authenticated by the RODC then a local Kerberos ticket is issued. This local ticket will not be valid elsewhere on the domain (effectively each RODC becomes a subdomain for authentication purposes) and requests to access other resources will be referred to a full DC running Windows Server 2008.

It is possible to force inbound replication to an RODC for a defined set of users (i.e. to pre-populate the information for users on a particular site); however this information can quickly become stale.

Scotty went on to mention a couple of things to beware of when planning to use RODCs:

Because an RODC cannot be written to, some applications will see RODCs as an LDAP server, if an LDAP v3 referral is invoked then many applications will fail.
Whilst Exchange Server will treat an RODC as a GC, Outlook will not.

Apache HTTP server on Windows Server 2008 Server Core

Posted on Monday 16 July 2007Tuesday 17 July 2007 By Mark Wilson

Microsoft’s James O’Neill wrote about how:

“Some bright spark tried running Apache on [Windows Server 2008 Server] Core and having no special Windows dependencies it works.”

I couldn’t find any references to this elsewhere on the ‘net so I had to give it a go – it’s actually really easy:

Install Windows Server 2008 Server Core
Map a network drive, insert a CD or some other media and copy over the Apache HTTP server installer MSI.
Issue the command, msiexec /i apache_2.2.4-win32-x86-no_ssl.msi.
Not surprisingly, the installer is unable to create application shortcuts:

Apache HTTP Server 2.2 Installer Information

Warning 1909. Could not create shortcut Apache Online Documentation.lnk. Verify that the destination folder exists and that you can access it.

Apache HTTP Server 2.2 Installer Information

Warning 1909. Could not create shortcut Help, I’m stuck!.lnk. Verify that the destination folder exists and that you can access it.

Presumably, that’s what causes an error dialog with no message and an OK button at the end of the install.
Open up the firewall with netsh firewall set portopening TCP 80 "Apache Web Server".
Point a browser at the server’s IP address and the words “It works!” should be displayed.

OK, so Apache running on Windows is no big deal but if this one cross-platform application runs on Server Core with no modifications, think what else this stripped out version of Windows can be used for.

Windows Server 2008 Server Core

Posted on Monday 16 July 2007Thursday 19 July 2007 By Mark Wilson

Scotty McLeod recently gave a presentation to the Windows Server UK User Group on Windows Server 2008 Server Core. I mentioned Server Core in a previous post but here’s some more on the subject, based on Scotty’s presentation (it’s also worth checking out Micheal Pietroforte’s post on Server Core essentials).

Contrary to popular belief, Server Core still has a GUI. There is no Start Menu, no Explorer, no Internet Explorer (it is entirely command-line driven), but the logon screen is graphical and some GUI applications can be used (the latest beta includes an old version of notepad.exe that has very few dependencies and rundll.exe can be used to launch some GUI hooks). It is rumoured that, because some of the product teams didn’t follow Microsoft’s own application development rules, it’s too difficult to remove the GUI from Windows without breaking it completely.
At present, the Server Core image is about 600MB in size – small enough to facilitate some interesting potential deployment scenarios – and, because of its small size, Server Core installs quickly.
The number of supported roles for Server Core is growing quickly – that could be seen as a potential weakness but even so, the basic principle of providing a reduced attack service for common server scenarios still holds true. Interestingly, one of the roles (and potentially the most problematic of them all) is as an (IIS) web server – only for ISAPI/ASP applications (i.e. no .NET Framework – yet) but rumour has it that Apache will also run on Server Core and a cut-down IIS allows the installation of PHP for a Windows alternative to a LAMP web server (this lends itself to an unfortunate acronym though – WIMP – Windows, IIS, MySQL, PHP).
Because there is no .NET Framework for Server Core at this time, there is no ability to run PowerShell scripts.
After installation, Server Core has a blank administrator password. This must be changed at logon but can be changed to another blank password; however keeping it blank will prevent remote access to the server.
Core server has huge potential, but still seems to be a little disjointed on the administration front (ironic, given what a huge improvement has been made in the full installation through the introduction of the Server Manager tool) – it seems that the recommended approach is to use a full Windows Server 2008 server as a management server for the various Core Server installations around the enterprise.

Windows Server UK user group

Posted on Wednesday 11 July 2007Thursday 19 July 2007 By Mark Wilson

Scotty McLeod has been working hard to get the Windows Server User Group UK website off the existing SharePoint platform and onto something more appropriate (SharePoint is great for some things but it was not great for the user group website – hey, even SharePoint blogs uses Community Server! Come to think of it, so do most of the Microsoft blog sites!).

Anyway, head over to http://www.winserverteam.org.uk/. It’s still work in progress but, over the coming weeks and months, I’m hoping it will grow to become a lively discussion area (backed up with regular meetings) for UK-based IT Professionals who are interested in the development of the Windows Server platform.

Some more about Terminal Services Gateway Servers

Posted on Tuesday 10 July 2007Tuesday 10 July 2007 By Mark Wilson

In an earlier post, I mentioned Austin Osuide’s recent Windows Server User Group presentation on Terminal Services Gateway Server and what follows is some of the detail from that session.

Terminal Services Gateway Server is a server role in Windows Server 2008 – effectively a protocol translator that allows authorised users to remotely access resources on a corporate LAN using RDP over HTTPS.

Up until now, it’s been necessary to open TCP port 3389 to allow RDP traffic through the corporate firewall but by encapsulating the RDP traffic within an SSL-secured tunnel, control may be exercised over which computers (and hence which applications), users can connect to and from. Other advantages include the fact that there is no need for a VPN infrastructure, so connectivity can be gained from any PC, anywhere (home, hotel, business partner or client premises, mobile or wireless hotspot). Then there are other advantages for IT organisations looking to reduce costs…

Consider a large outsourcer, with many support teams, each supporting a single customer’s infrastructure. What if one team (with the appropriately scaled resources) could manage multiple networks? Maybe even in an offshore scenario? As an IT professional, I’m not keen on this and as a customer I would be concerned about the potential impact on security but what if my managers could convince the customer that they can maintain security in a global infrastructure such as this? Using technologies such as network access protection (NAP) the health of any connected devices can be ensured and terminal services gateway servers can be deployed to control who can connect to which computers – perhaps only to defined administrative servers with a controlled application set.

The process for connection is as follows:

Client tunnel RDP connection through HTTPS.
Terminal Services Gateway strips out the HTTPS encapsulation and forwards the request to the terminal server/remote desktop (if the request passes appropriate policy checks – connection authorisation policies control who can connect and resource authorisation policies control what they can connect to, using user-defined or built-in groups for servers).
Remote machine beleives that the request has come directly from the client and responds appropriately.

It all sounds straightforward enough but, as Austin explained, there are some gotchas too:

As for when tunneling RPC through HTTPS with Outlook and Exchange, the certificate must be recognised as valid – there is no manual option to trust a site if there are certificate issues (as there would be when browsing the Internet). There are two possible options:
1. Establish a corporate public key infrastructure and install the appropriate certificates on the client. The downside to this is where clients don’t allow certificates to be installed by users (e.g. in a kiosk scenario).
2. Alternatively, purchase a certificate from a trusted certification authority.
At least initially, few organisations will have a PKI based on Windows Server 2008 and, due to the removal of the Xenroll ActiveX control from Windows Vista (see Microsoft knowledge base article 922706), Windows Vista and Windows Server 2008 computers cannot use the WIndows 2000/2003 CA web interface (or indeed the equivalent interfaces on the Thawte or Verisign websites). It should be possible to craft an appropriate web server certificate using the MMC Certificates snap-in, but the common name for the server needs to be fully qualified and the MMC tools insert an unqualified name in a computer certificate. Thankfully there is another method – using the certreq.exe command line tool and a .inf file with the certificate template information (the syntax is described in Microsoft knowledgebase article 321051 and certutil -csplist will list the trusted cryptographic service providers), for example:
[Version] Signature="$Windows NT$

[NewRequest] Subject = "CN=servername.domainname.tld" KeySpec = 1 KeyLength = 2048 Exportable = TRUE MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0

[EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.1

In terms of best practice, Austin had some more advice to give:

Use a dedicated Terminal Services Gateway Server.
Consider placing the gateway server behind an ISA server.
Terminate the SSL connection in the DMZ and put the Terminal Services Gateway Server on the corporate network
VPNs may still have a place in the infrastructure – Terminal Services gateway servers are best used where no local copy of the data is required or where bandwidth issues mean that the user experience over a VPN experience is poor.

Further information

Microsoft Terminal Services.
Microsoft Terminal Services team blog.
Terminal Services in the Windows Server 2008 Technical Library.

Windows Server 2008 Technical Overview

Posted on Monday 9 July 2007Monday 9 July 2007 By Mark Wilson

Windows Server 2008 logo A few days back, I wrote a post looking forward to Windows Server 2008

It turns out that Microsoft also has published a Windows Server 2008 Technical Overview white paper that may be worth a read.

Using snapshots as insurance for product demonstrations

Posted on Thursday 5 July 2007Friday 6 July 2007 By Mark Wilson

I spent this evening at Microsoft UK, attending the inaugural Windows Server UK user group meeting. There weren’t many of us there but there was a lot of information passed around as Scotty McLeod from Perot Systems and Austin Osuide from EDS gave presentations on Windows Server 2008, Read Only Domain Controllers and Terminal Services Gateway Servers.

Based on his ability to retain technical information, it strikes me that Scotty has a brain the size of a planet and Austin quite simply oozes enthusiam (he knows his stuff too!). I intend to blog some more about the topics that were covered; however I did want to mention Austin’s technique for ensuring that his demo could complete, regardless of anything going wrong (although there wasn’t much he could do about the Microsoft Campus security closedown at 10pm). When preparing his demo, with a number of virtual machines running on VMware Workstation, Austin had also taken snapshots at key points so that he could revert to a basic system and walk through the process, or jump to any point in the demo with a partially or fully completed configuration.

Some people pray to the demo gods but it seems to me that this technical approach may be more reliable!

markwilson.it

get-info -class technology | write-output > /dev/web

Microsoft Windows Server 2008