Tuesday, 11 September 2018

Group Managed Service Accounts

Managed Service Accounts (MSA) were introduced in Windows Server 2008 R2 to manage (change) the passwords of service accounts automatically. Using an MSA considerably reduces the risk that an account running a system service is compromised through a stale, shared or weak password, because no person ever knows the password. An MSA has one major limitation: it can be used on only one computer. This means that MSAs cannot work with cluster or NLB services, which run simultaneously on multiple servers and need the same account and password. To fix this, Microsoft introduced Group Managed Service Accounts (gMSA) in Windows Server 2012; they are fully supported in Windows Server 2016 and are the subject of this chapter.
To create a gMSA, we should follow the steps given below −
Step 1 − Create the KDS root key. The Key Distribution Service (KDS) on the domain controllers derives every gMSA password from this key, so it must exist before any gMSA can be created.
In production, run Add-KdsRootKey -EffectiveImmediately and then wait at least 10 hours before creating a gMSA, so that the key has replicated to every domain controller. In a single-DC test environment you can backdate the key so it is usable right away −
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
To check whether the key was created successfully, run −
Get-KdsRootKey
Step 2 − To create and configure the gMSA, open a PowerShell terminal and type −
New-ADServiceAccount -Name gmsa1 -DNSHostName dc1.example.com -PrincipalsAllowedToRetrieveManagedPassword "gmsa1Group"
In which,
  • gmsa1 is the name of the gMSA account to be created.
  • dc1.example.com is the DNS host name associated with the account (it is used to build the account's service principal names); it is not the name of a DNS server.
  • gmsa1Group is the Active Directory security group containing the computer accounts that are allowed to retrieve the account's password. Create this group before running the command, and keep its membership minimal: every computer in it (and every local administrator on those computers) can read the password.
To check it, go to → Server Manager → Tools → Active Directory Users and Computers → Managed Service Accounts.
Step 3 − To install the gMSA on the server that will run the service, open a PowerShell terminal on that server and type the following commands −
  • Install-ADServiceAccount -Identity gmsa1
  • Test-ADServiceAccount gmsa1
The result should be “True” after running the second command. If it is False, the usual causes are that the server is not a member of gmsa1Group, or that it has not been rebooted since being added to the group (the membership is carried in the computer's Kerberos ticket, which is issued at boot). Both cmdlets require the Active Directory PowerShell module from RSAT to be installed on the server.
Step 4 − Go to the service properties and specify that the service will run as the gMSA. In the This account box on the Log On tab, type the name of the service account with a $ at the end (for example EXAMPLE\gmsa1$); leave the password fields empty. After the changes are saved, the service has to be restarted.
The Services console grants the account the “Log on as a service” right, and the password is retrieved automatically from Active Directory.
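The whole procedure above as one PowerShell script, added here as an example and not taken from the original page. The account name gmsa1, the group gmsa1Group, the member server app01, the service MyService and the domain example.com (NetBIOS name EXAMPLE) are placeholders; the DNS host name gmsa1.example.com is an assumption, chosen because the value belongs to the account rather than to a DNS server.

```powershell
# Added example (not from the original page). Placeholders: gmsa1, gmsa1Group,
# app01, MyService, example.com / EXAMPLE, gmsa1.example.com.
Import-Module ActiveDirectory

# --- On a domain controller ------------------------------------------------

# Step 1: KDS root key. In production use -EffectiveImmediately and wait
# 10 hours for replication; the backdated form is for single-DC labs only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# The group whose members may retrieve the password. Keep it minimal: every
# member host (and every local admin on it) can read the secret.
if (-not (Get-ADGroup -Filter "Name -eq 'gmsa1Group'")) {
    New-ADGroup -Name gmsa1Group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity gmsa1Group -Members (Get-ADComputer app01)

# Step 2: the account. DNSHostName is the name used for the account's SPNs,
# not a DNS server. The password interval can only be set at creation.
New-ADServiceAccount -Name gmsa1 `
    -DNSHostName gmsa1.example.com `
    -PrincipalsAllowedToRetrieveManagedPassword gmsa1Group `
    -ServicePrincipalNames 'HTTP/app01.example.com' `
    -ManagedPasswordIntervalInDays 30

# Audit who can read the password (the attribute behind the parameter above).
Get-ADServiceAccount gmsa1 -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# --- On the member server app01 --------------------------------------------
# app01 must have been rebooted after joining gmsa1Group (the membership is in
# its Kerberos ticket) and needs the RSAT-AD-PowerShell feature installed.

# Step 3
Install-ADServiceAccount -Identity gmsa1
if (-not (Test-ADServiceAccount -Identity gmsa1)) {
    throw 'app01 cannot retrieve the gMSA password; check group membership and reboot'
}

# Step 4: point the service at the gMSA. Trailing $ and an empty password.
# Unlike the Services console, this does NOT grant "Log on as a service";
# assign that right to EXAMPLE\gmsa1$ via Local Security Policy or GPO first.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MyService'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = 'EXAMPLE\gmsa1$'
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}
Restart-Service -Name MyService
```

Run the first half on a domain controller and the second half on the member server; the Win32_Service.Change return code is 0 on success, so a non-zero value (for example 15, "service logon failed") usually means the logon right was not granted.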

Windows Server 2016 - File System

Windows Server 2016 includes the Resilient File System (ReFS), first introduced in Windows Server 2012.
The key attributes of ReFS include −
  • Maintaining a high level of data availability and reliability, even when the individual underlying storage devices experience failures.
  • Providing a full, end-to-end resilient architecture when used in conjunction with Storage Spaces. When used together, ReFS and Storage Spaces provide enhanced resiliency to storage device failures.
The significant functionality included with ReFS is described below −
  • Integrity − ReFS stores data in a way that protects it from many of the common errors that can normally cause data loss. When ReFS is used in conjunction with a mirror space or a parity space, detected corruption — both metadata and user data, when integrity streams are enabled — can be automatically repaired using the alternate copy provided by Storage Spaces. In addition, there are Windows PowerShell cmdlets (Get-FileIntegrity and Set-FileIntegrity) that you can use to manage the integrity and disk scrubbing policies.
  • Availability − ReFS prioritizes the availability of data. Historically, file systems were often susceptible to data corruption that would require the system to be taken offline for repair. With ReFS, if corruption occurs, the repair process is both localized to the area of corruption and performed online, requiring no volume downtime. Although rare, if a volume does become corrupted or you choose not to use it with a mirror space or a parity space, ReFS implements salvage, a feature that removes the corrupt data from the namespace on a live volume and ensures that good data is not adversely affected by non-repairable corrupt data. Because ReFS performs all repair operations online, it does not have an offline chkdsk command.
  • Scalability − As the amount and size of data that is stored on computers continues to rapidly increase, ReFS is designed to work well with extremely large data sets — petabytes and larger — without performance impact. ReFS is not only designed to support volume sizes of 2^64 bytes (allowed by Windows stack addresses), but ReFS is also designed to support even larger volume sizes of up to 2^78 bytes using 16 KB cluster sizes. This format also supports 2^64 – 1-byte file sizes, 2^64 files in a directory and the same number of directories in a volume.
  • Proactive Error Correction − The integrity capabilities of ReFS are leveraged by a data integrity scanner, which is also known as a scrubber. The integrity scanner periodically scans the volume, identifying latent corruptions and proactively triggering a repair of that corrupt data.
When the metadata for a ReFS directory is corrupted, subfolders and their associated files are automatically recovered. ReFS identifies and recovers the files while ReFS remains online. Unrecoverable corruption of the ReFS directory metadata affects only those files that are in the directory in which the corruption has occurred.
ReFS includes a new registry entry, RefsDisableLastAccessUpdate, which is the equivalent of the earlier NtfsDisableLastAccessUpdate entry. The Windows PowerShell storage cmdlets Get-FileIntegrity and Set-FileIntegrity let you manage the integrity and disk-scrubbing policies.
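The integrity features described above, driven from PowerShell. This is an added example and not code from the original page. Disk number 1, drive letter R:, the volume label Data and the folder R:\evidence are placeholders for a lab disk; formatting it destroys its contents.

```powershell
# Added example (not from the original page). Placeholders: disk 1, R:,
# label "Data", R:\evidence. Formatting the disk destroys its contents.

# Create a ReFS volume with integrity streams on by default for new files.
# (By default ReFS checksums only metadata, not user data.)
Get-Disk -Number 1 | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter R |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel Data `
                  -SetIntegrityStreams $true -Confirm:$false

# Per-file / per-directory policy. Enable = checksum user data.
# Enforce = fail a read whose checksum no longer matches instead of handing
# back silently corrupted bytes, which is what you want for evidence or logs.
New-Item -ItemType Directory -Path R:\evidence | Out-Null
Set-FileIntegrity -FileName R:\evidence -Enable $true -Enforce $true
Get-FileIntegrity -FileName R:\evidence          # Enabled: True, Enforced: True

# Files created under an enabled directory inherit the setting.
'sample' | Set-Content -Path R:\evidence\case1.txt
Get-FileIntegrity -FileName R:\evidence\case1.txt

# Files that already existed keep their previous setting until changed.
Get-ChildItem -Path R:\evidence -Recurse -File | ForEach-Object {
    Set-FileIntegrity -FileName $_.FullName -Enable $true -Enforce $true
}

# The scrubber the text calls proactive error correction is the
# "Data Integrity Scan" scheduled task. It can repair, rather than only
# detect, only when the volume sits on a mirror or parity Storage Space.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Data Integrity Scan\' |
    Select-Object TaskName, State
Start-ScheduledTask -TaskPath '\Microsoft\Windows\Data Integrity Scan\' `
                    -TaskName 'Data Integrity Scan'

# Last-access updates (1 = disabled). Absent value = default behaviour.
# Disabling them removes a timestamp that forensic timelines rely on.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' `
                 -Name RefsDisableLastAccessUpdate -ErrorAction SilentlyContinue
```

Enabling integrity streams costs some write throughput and, on a plain (non-resilient) disk, only turns silent corruption into a visible read error; pair it with a mirror or parity space when you need the automatic repair the text describes.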

Windows Server 2016 - DC Accounts

In Windows Server 2016, creating an OU, a user account or a group is nearly the same as in the previous versions.
To create an OU and a user in it, follow the steps given below.
Step 1 − Go to: Server Manager → Tools → Active Directory Users and Computers.
Step 2 − To create an OU named Management, right-click the domain in Active Directory Users and Computers, choose New and click Organizational Unit.
Step 3 − Type Management as the name of the OU and leave Protect container from accidental deletion checked. This option prevents the object from being deleted or moved until the flag is cleared.
Step 4 − To create a user, right-click the Management OU → click New → and then click User.
Step 5 − Fill in the user's details → then click Next.
Step 6 − Now type the password and tick User must change password at next logon. The user is then forced to set a new password at first login, so the initial password you chose does not stay valid → click Next → and then click Finish.
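The same OU and user created from PowerShell, as an added example that is not part of the original page. The OU name Management and the domain example.com come from the text; the user Jane Doe (jdoe) is a placeholder.

```powershell
# Added example (not from the original page). Placeholders: user jdoe.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=com

# Steps 2-3: the OU, protected from accidental deletion (the GUI check box)
$ou = New-ADOrganizationalUnit -Name Management -Path $domainDN `
          -ProtectedFromAccidentalDeletion $true -PassThru

# Steps 4-6: a user in that OU. Prompt for the initial password so it never
# ends up in the script, the command history or a ticket.
$initialPassword = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString

New-ADUser -Name 'Jane Doe' -GivenName Jane -Surname Doe `
    -SamAccountName jdoe -UserPrincipalName jdoe@example.com `
    -Path $ou.DistinguishedName `
    -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# Verify: enabled, placed in the OU, and flagged to change password at logon
# (ChangePasswordAtLogon sets pwdLastSet to 0, which shows as PasswordExpired).
Get-ADUser -Identity jdoe -Properties PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordExpired, DistinguishedName

# The protection flag can be read back the same way
Get-ADOrganizationalUnit -Identity $ou.DistinguishedName `
    -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, ProtectedFromAccidentalDeletion
```

If the account should not be usable until the person is ready, create it with -Enabled $false and enable it later; a pre-created enabled account with a known initial password is a common foothold.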

Windows Server 2016 - Active Directory

In this chapter, we will see how to install Active Directory in Windows Server 2016. Many of us who have worked with previous versions ran DCPROMO.EXE to install it, but it has been deprecated since Windows Server 2012; use Server Manager, or the ADDSDeployment PowerShell module, instead.
To continue with Installation follow the steps given below.
Step 1 − Go to “Server Manager” → Manage → Add Roles and Features.
Step 2 − Click the Next button.
Step 3 − As we are installing AD DS on this machine, select “Role-based or feature-based installation” → Next.
Step 4 − Click on “Select a server from the server pool”, this is the case when it will be installed locally.
Step 5 − Check the box next to Active Directory Domain Services. A dialog lists the additional role services and features that are also required to install domain services.
Step 6 − Click Add Features.
Step 7 − Check “Group Policy Management” → Next.
Step 8 − Click the “Next” button.
Step 9 − Click “Install”.
The installation screen appears; wait until the progress bar completes.
Now that the installation of the AD DS role has finished, you have to configure it for your server.
Step 10 − Click “Server Manager” → Open the Notifications Pane by selecting the Notifications icon from the top of the Server Manager. From the notification regarding configuring AD DS (Active Directory Domain Services), click Promote this server to a domain controller.
Step 11 − Click “Add a new forest” → Insert your root domain name into the Root domain name field. In my case, I have put “example.com”.
Step 12 − Select a domain and forest functional level. Once selected, fill in a DSRM password in the provided password fields. The Directory Services Restore Mode (DSRM) password is used when booting the domain controller into recovery mode; it is a separate credential from the domain Administrator password and gives full access to the directory database, so store it securely.
Step 13 − The next screen shows a warning on the DNS Options tab about creating a DNS delegation. This is expected for a new forest, so click OK and then select Next.
Step 14 − Enter NETBIOS name and click “Next”.
Step 15 − Select location of the SYSVOL, Log files and Database folders and then click Next.
Step 16 − Click “Install” and wait until it is finished. The server restarts to complete the promotion.
The installation is now complete.
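The same role installation and forest promotion as a PowerShell script, added here as an example; it is not code from the original page. The domain name example.com is the one used in the text; the NetBIOS name EXAMPLE, the functional level WinThreshold (Windows Server 2016) and the default database, log and SYSVOL paths are assumptions.

```powershell
# Added example (not from the original page). Assumptions: NetBIOS name
# EXAMPLE, functional level WinThreshold, default NTDS/SYSVOL paths.

# Steps 1-9: install the role with its management tools (this includes the
# Group Policy Management console selected in the wizard).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Steps 10-16: promote this server to the first DC of a new forest.
# The DSRM password is prompted for so it is never written into a script.
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString

# Dry run: the same prerequisite checks the wizard performs, without changes
$check = Test-ADDSForestInstallation -DomainName 'example.com' `
             -SafeModeAdministratorPassword $dsrm
$check | Select-Object Status, Message

Install-ADDSForest `
    -DomainName 'example.com' `
    -DomainNetbiosName 'EXAMPLE' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion:$false `
    -Force:$true

# After the reboot: confirm the DC is healthy before building on it
Get-ADDomainController | Select-Object HostName, Domain, Forest, IsGlobalCatalog
dcdiag.exe /q
```

-CreateDnsDelegation:$false is the scripted equivalent of dismissing the DNS delegation warning in Step 13; dcdiag.exe /q prints only failures, so empty output is the result you want.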

Windows Server 2016 - Resource Monitor

Resource Monitor is a useful tool to identify which program or service is using resources such as CPU, memory, disk and network connections.
To open Resource Monitor, go to Server Manager → Tools.
Click on “Resource Monitor”. The first section is “Overview”. It shows how much CPU every application is consuming, with a real-time chart of CPU usage on the right side. The Memory tab shows how much memory every application is consuming, with a real-time chart of memory usage on the right.
The Disk tab splits activity by hard drive. It shows the current disk I/O and the disk usage per process. The Network tab shows the processes and the network bytes they have sent and received. It also shows the current TCP connections and the ports that are currently listening, together with the process IDs that own them.
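The same views from PowerShell, which is what you fall back on over a remote session or on Server Core. This is an added example, not part of the original page; it uses only the stock Get-Process and Get-NetTCPConnection cmdlets and assumes nothing about the host.

```powershell
# Added example (not from the original page): Resource Monitor's CPU, memory
# and network views as PowerShell queries.

# Overview / Memory tabs: top consumers by CPU time and working set
Get-Process |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 10 Id, ProcessName,
        @{ n = 'CPU(s)';          e = { [math]::Round($_.CPU, 1) } },
        @{ n = 'WorkingSet(MB)';  e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }

# Network tab, "Listening Ports": every listener joined to its owning process.
# An unexpected entry here (odd port, process running from a temp or user
# profile path) is one of the quickest signs of a backdoor or misconfiguration.
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $p.ProcessName
            Path         = $p.Path
        }
    } |
    Sort-Object -Property LocalPort |
    Format-Table -AutoSize

# Network tab, "TCP Connections": who this server is talking to, and which
# process is doing the talking
Get-NetTCPConnection -State Established |
    Select-Object LocalPort, RemoteAddress, RemotePort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object -Property RemoteAddress |
    Format-Table -AutoSize
```

Run the listener query once on a freshly built server and keep the output; comparing a later run against it is a cheap way to spot services that were not there before.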

Remote Desktop Management

In this chapter, we will see how to enable Remote Desktop. It is important because this enables us to work remotely on the server. There are two ways to do it. For the first option, follow the steps given below.
Step 1 − Go to Start → right-click “This PC” → Properties.
Step 2 − On the left side, click “Remote settings”.
Step 3 − Select the radio button “Allow remote connections to this computer” and check the box “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” → click “Select Users”. Network Level Authentication makes the client authenticate before a session is created, so unauthenticated users never reach the logon screen; leave it enabled.
Step 4 − Click Add.
Step 5 − Type the user that you want to allow access. In my case, it is administrator → click OK. Members of the Administrators group can connect even without being listed here; for other users, add a group rather than individual accounts.
For the second option, follow the steps given below.
Step 1 − Click on “Server Manager” → Local Server → next to Remote Desktop, click “Disabled” (or “Enabled”) to open the same Remote settings dialog and change the setting there.
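The same configuration from PowerShell, with the checks a practitioner would run afterwards. This is an added example and not code from the original page; the group EXAMPLE\rdp-admins is a placeholder, and the registry values are the ones the Remote settings dialog itself writes.

```powershell
# Added example (not from the original page). Placeholder: EXAMPLE\rdp-admins.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Step 3, first part: allow connections (fDenyTSConnections 0 = allowed)
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0

# Step 3, second part: require Network Level Authentication. The client must
# authenticate before a session is created, keeping anonymous clients off the
# logon screen.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# Open the built-in firewall rules for RDP (TCP 3389 and UDP 3389)
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Steps 4-5: grant access to a group rather than to individual users.
# Local Administrators can already connect and need no entry here.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'EXAMPLE\rdp-admins'

# Verify what was actually applied
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
$nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
"RDP enabled: $($deny -eq 0); NLA required: $($nla -eq 1)"

Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile
Get-LocalGroupMember -Group 'Remote Desktop Users'
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
```

If the server is reachable from untrusted networks, pair this with a firewall rule that limits the remote addresses allowed to reach port 3389 (see the firewall chapter below); enabling NLA reduces the attack surface but does not stop password guessing.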

Windows Server 2016 - Windows Firewall

Windows Firewall with Advanced Security is the host firewall that runs on Windows Server 2016 and is turned on by default. Its settings are managed from the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in. To set firewall settings, perform the following steps −
Step 1 − Click on Server Manager in the task bar → click the Tools menu and select Windows Firewall with Advanced Security.
Step 2 − To see the current configuration, select Windows Firewall Properties in the MMC. This lets you modify the settings for each of the three firewall profiles (Domain, Private and Public) and the IPsec settings. Keep the default inbound action at Block for all three profiles and open only what a service needs.
Step 3 − Applying custom rules, which involves the following two steps −
  • Select either Inbound Rules or Outbound Rules under Windows Firewall with Advanced Security on the left side of the management console. (Inbound traffic is traffic arriving at the server from the network; outbound traffic is traffic the server sends out.) Rules that are currently enabled are shown with a green check-box icon, while disabled rules display a grey icon.
  • Right-clicking a rule lets you toggle it between enabled and disabled.

How to Create a New Firewall Rule?

To create a new firewall rule, follow these steps −
Step 1 − On the right side of either Inbound Rules or Outbound Rules, click “New Rule”.
Step 2 − Select Custom from the Rule Type radio buttons → click Next.
Step 3 − Select the program association for the custom rule, either All programs or the path to a program → click Next.
Step 4 − In the Protocol type field, select the protocol type (and, for TCP or UDP, the local and remote ports) → click Next.
Step 5 − Select the IP address scope for both local and remote addresses → click Next. For an inbound rule, restricting the remote addresses to the subnets that genuinely need access is the most effective way to limit exposure.
Step 6 − Select the action to take on matching traffic (allow, allow only if the connection is secured by IPsec, or block) → click Next.
Step 7 − Select the profiles the custom rule applies to → click Next.
Step 8 − Give the firewall rule a name and an optional description → Finish.
Step 9 − The firewall rule can be found on the corresponding tab, either Inbound Rules or Outbound Rules depending on the type created. To disable or delete the rule, find it in the MMC, right-click it and select Disable Rule or Delete.
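The profile settings from Step 2 of the previous section and the custom-rule wizard (Steps 1 to 9 above), including the enable, disable and delete operations, as PowerShell. This is an added example and not code from the original page; the program path C:\App\svc.exe, port 8443, the management subnet 10.0.0.0/24 and the rule name are placeholders.

```powershell
# Added example (not from the original page). Placeholders: C:\App\svc.exe,
# TCP 8443, 10.0.0.0/24, rule display name.

# Windows Firewall Properties: block inbound by default on all three profiles
# and log dropped packets, so the firewall leaves evidence rather than silence.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked

# Steps 1-8 of the wizard: a custom inbound rule for one program, TCP/8443,
# reachable only from the management subnet, Domain profile only.
$rule = New-NetFirewallRule `
    -DisplayName 'App service - management subnet' `
    -Description 'Inbound TCP 8443 to svc.exe from 10.0.0.0/24 only' `
    -Direction Inbound -Program 'C:\App\svc.exe' `
    -Protocol TCP -LocalPort 8443 `
    -LocalAddress Any -RemoteAddress 10.0.0.0/24 `
    -Action Allow -Profile Domain -Enabled True

# Step 9: find the rule and inspect what it matches. Script against Name
# (a GUID, unique) rather than DisplayName (not unique).
Get-NetFirewallRule -Name $rule.Name |
    Select-Object Name, DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -Name $rule.Name | Get-NetFirewallPortFilter      # protocol, ports
Get-NetFirewallRule -Name $rule.Name | Get-NetFirewallAddressFilter   # address scope
Get-NetFirewallRule -Name $rule.Name | Get-NetFirewallApplicationFilter  # program

Disable-NetFirewallRule -Name $rule.Name     # "Disable Rule" in the MMC
Enable-NetFirewallRule  -Name $rule.Name
Remove-NetFirewallRule  -Name $rule.Name     # "Delete" in the MMC

# Audit: enabled inbound allow rules open to any remote address are the ones
# worth reviewing first on a server exposed to untrusted networks.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Select-Object DisplayName, Profile, Group |
    Sort-Object -Property DisplayName
```

New-NetFirewallRule returns the rule object, so capturing it in $rule gives you the GUID name for later changes; the final query is the PowerShell version of scanning the Inbound Rules tab for green-ticked rules with no address scope.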