Category Archives: Windows Server

MICROSOFT EXPOSES A SECURITY ISSUE THAT AFFECTS MILLIONS OF WINDOWS 10 COMPUTERS, RDP AND DHCP ON WIN2008R2

January 15, 2020 Mohammed Hamada Leave a comment

Windows 10 Crypto API Spoofing

Microsoft has released a new security patch for a vulnerability that could affect millions of Windows 10 Users world wide. The decades old CryptoAPI tool validates and signs packages/software which could be utilized by hackers/developers to sign and execute illegitimate software thus would allow users to run anything without user’s nor Antivirus/Internet Security software’s notice.

Microsoft mentioned that the vulnerability could also allow hackers to change or modify encrypted communications.

It’s important to notice that CryptoAPI is a legacy API that’s being replace by a new CNG (Cryptography Next Generation API) which also supports CryptoAPI.

CryptoAPI Key Storage Architecture

cryptoapi architecture

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

Windows 2008 R2, Windows 7 RDP

A day ago Microsoft released two very important security patches on May 14, 2019. One of these patches has been detected in the RDP service (CVE-2019-0708) which affects Windows 7 and Windows 2008 R2. According to MS’s Article a remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Windows 2008R2, 2012R2, 2016 and 2019 DHCP

The other one is in the DHCP service (CVE-2019-0725), and both exploitations are very critical. When we look at CVE-2019-0708, which is related to the RDP service, we see that attackers are able to run code on systems by sending specially produced packages without any user interaction and authentication and manage to install malware like Ransomware or other execution files.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0725

Sources:

Microsoft, NSA, Other Security Researchers

Active Directory, Powershell, Windows Server

How to get all domain Joined Server services that using a unique or domain user

August 6, 2019 Mohammed Hamada Leave a comment

If you’re wondering which of your servers are using domain joined account or a non regular account like network service or system. You will need to go through every server’s service console and check that one by one but thanks to PowerShell this job was made like a piece of cake.

The requirement to run this script is a domain admin account since the PowerShell will require access to other servers using Remote PowerShell using Invoke command and run a Get-WMIObject script to find out those details. So in short I will write the required things for this to work

1- Logged in to Active Directory (In order for AD PowerShell module to run and find computers).

2- Domain admin account (To run the remote PowerShell on other servers and get service details)

3- Firewall for domain joined computers is open (To allow remote PowerShell to work) or have remote PowerShell enabled via GPO.

The Script will also show you the offline (inaccessible servers) and will state those servers as down as you can see in the screenshot below.

The script will also prompt you for a path to save the output. You can enter something like C:\Services.csv as soon as you type the file path and extension it’ll be opened using Notepad.

#Check servers down and get services from the responsive servers

$Computers = Get-ADComputer -Filter { OperatingSystem -Like ‘*Windows Server*’}

$Input = ForEach ($computer in $computers)

{

             $comp = $Computer.DNSHostName

             $dist = $Computer.DistinguishedName

             if (Test-Connection -Computername $comp -count 2 -Quiet )

             {

             Invoke-Command -ComputerName $comp -ScriptBlock {Get-WmiObject win32_service | where {$_.StartName -notlike “*LocalSystem*” -and $_.StartName -notlike “*LocalService*” -and $_.StartName -notlike “*NetworkService*” -and $_.StartName -notlike “*System*”} | select DisplayName,StartName,State }}

else{ Write-host $comp is down -foregroundColor red -BackGroundColor black

             }

}

$Output = Read-Host “Enter File path and Name to save output to”

Out-File -FilePath $Output -InputObject $Input -Encoding ascii

Notepad $Output

Powershell, Windows 10, Windows Server

Enable PowerShell remotely on all PCs in a domain

October 5, 2015 Mohammed Hamada Leave a comment

Enable PowerShell remotely on all PCs in a domain

First from the DC I’ll get all the PCs list in the forest/domain and add them to a text file called “Servers.txt” in C root drive.

Add-Content -path C:\Servers.txt -Value Dummy ; Get-ADComputer -LDAPFilter “(name=*)” -SearchBase “DC=moh10ly,DC=com” | Select -expand Name | Out-File -Encoding utf8 “C:\Servers.txt” -append

Next I will add those servers list to the syntax $PC

$PC = Get-content “c:\servers.txt”

Then I will get the list of the PCs in the $PC (server.txt file) to get ready for processing commands with a domain admin credentials.

Invoke-Command -ComputerName $PC -ScriptBlock { hostname } -Credential moh10ly\administrator

Enable powershell access remotely on all clients in the text file.

Get-Content C:\Servers.txt | ForEach-Object {Enable-PSRemoting -Force} –Verbose

This should do the job and now you ‘ll be able to access powershell remotely on all your domain clients.

https://technet.microsoft.com/en-us/library/hh847893.aspx

https://technet.microsoft.com/en-us/magazine/ff700227.aspx

Exchange 2016, Microsoft Exchange, Windows Server

Preparing, Installing and Configuring Exchange 2016 with DAG on Windows 2016

August 7, 2015 Mohammed Hamada 2 Comments

So Exchange 2016 preview version came on MSDN and I decided to give it a try along with the DAG …

Previously in Exchange 2013 I used to have an issue with the fast search on DAG as in some cases it used to stop and cause the original database and copy to report not healthy.

Here I wanted to Install exchange 2016 on new windows edition along with configuring DAG and observe the database’s indexing status.

So to start, I used the available Microsoft Technet related to Exchange 2016.

I’ll launch Powershell as adminsitrator an start by installing the requested software

Install-WindowsFeature RSAT-ADDS

From <https://technet.microsoft.com/en-us/library/bb691354{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}28v=exchg.160{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}29.aspx?f=255&MSPPError=-2147217396>

Windows 2012/2012R2

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Windows 2016 (Windows Server)

Install-WindowsFeature Net-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

1- (Extending Schema)

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

2- (Preparing AD)

Setup.exe /PrepareAD /OrganizationName:”<organization name>” /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>
Setup.exe /PrepareAD /OrganizationName:TEST /IAcceptExchangeServerLicenseTerms

3- Prepare one domain in the forest or all domains

Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

To prepare all domains run the following cmd

Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

Before moving on you will have to fulfill the Software Prerequisites which is attached below.. It’s the same as in Exchange 2013.

Now I will start the Exchange Installation from the Setup, You can follow the setup till the end as in the following screenshots:

Now I will create DAG and replicate DBs and notice FastSearch logs

Since this is a LAB and I only have 2 nodes (DAG must have an odd number for Failover), so I am going to use the DC server as my FSW (Which is highly not recommended for Production Environment).

In order for the FSW on DC to work, you will have to add your DC to the Exchange Trusted Subsystem group

Here I added the DC as a member of the group

Normally file server feature is already added to the server by default, but to make sure I’ll run the following command

It’s already there

Now I’ll go back to Exchange servers and add a second NIC for Replication..

I usually rename each NIC so I know which is which, the default NIC belongs to the MAPI traffic and the other one is the replication NIC.

I will configure the Replication NICs on both exchange servers to disable the “Register this connection’s addresses in DNS”

Checking ping between Exchange servers on the Replication NIC

Now I will create the CNO Object (Cluster Name Object) in the Active directory for the DAG

I will disable the object

Double click on the DAG object and go to Security tab and add Exchange servers

Now configure the security for the Exchange members to full

Apply and close…

Now on the DC I will create the FSW’s folder and give it full permission to the Trusted Subsystem group and exchange servers

Click apply and go back to EAC and I’ll start configuring the DAG

Microsoft says that one of the enhancements that have been added to Exchange 2016 is that DatabaseAvailabilityGroupIpAddresses is no longer required when creating a DAG.

By default, the failover cluster will be created without an administrative access point, as this is the recommended best practice.

From <http://blogs.technet.com/b/exchange/archive/2015/05/05/exchange-server-2016-architecture.aspx>

So in this case we won’t need to assign any IP address to the DAG…

I’ll click on save and see what happens

Navigating to the administrators group on AD, The Exchange subsystem group is not added so I’ll add it.

Now I will add Exchange servers as members to the DAG

Upon adding the Exchange members to DAG I got the following error

A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: Windows Failover Clustering isn’t installed on ‘EXCH2K16.test.com’.. [Server: EXCH2K16.test.com]
error
A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: Windows Failover Clustering isn’t installed on ‘EXCH2k1602.test.com’.. [Server: EXCH2k1602.test.com]

So I checked the following,
1- Firewall
2- CNO’s security settings.

Error occurs due to firewall being enabled on the DC (Where the FSW is )

I disabled the firewall and gave full permission to the Exchange trusted system to the DAG object

After that I signed out of Exchange servers, signed back in.. Deleted DAG and recreated it… that didn’t work either

Tried using Exchange management shell but it didn’t work too

Checking the log coming in the description, I find out the log is complaining about not finding DAG while trying to resolve it.

Also the log says that it has installed Failover cluste rbut still the cluster can’t find FQDN called DAG.

So I will have to configure DAG in the dns and give it an IP of my first Exchange server

Checking DAG resolving from Exchange server

As the log says, restart is required after installing failover cluster so I’ll restart Exchange servers and then retry to add Exchange servers to the dag.

After restarting the server, It seems that things are working

The second server gave the following error

The Microsoft Exchange Replication service does not appear to be running on “EXCH2k1602”. Make sure that the server is operating, and that the services can be queried remotely.

Apparently the error is correct, After restarting the server it turned out that most of the second Exchange server’s services were not working..

To be honest I didn’t ask myself why did not the services started since I am using a preview version of Exchange 2016 and Windows as well so I manually started all the services.

Interestingly while checking services, I noticed new services e.g. (DAG Management, Compliance Audit, Notifications broker)

After starting the services, now I tried to add the second server again to the DAG.

So eventually, DAG doesn’t need an IP address but still a DNS value needs to be created for the NCO object and needs to have an IP assigned to it which will be the Exchange server IP address..

Next: I will add a database copy and see how it’s improved and do I need to restart the IS service as in Exchange 2013.

I will leave all the default values and add the second server for the database to be copied on. Unlike Exchange 2013 in most of the times the database would fail first and gives an error ..

In 2016 it starts directly seeding the database to the second Exchange server that’s member of the DAG.

On the second Server where the database has been copied to, I checked the Logs and Fastsearch was throwing errors as usual since database logs are not copied … as soon as the database logs finished copying the fastsearch will return ok and the database will appear as Healthy in EAC.

Fastsearch finally reported that indexing started on the newly copied DB.

The database copy should now report healthy in the EAC.

Hope you find this useful.
In the next article I will publish the Exchange server online to check the rest of the functionalities.

Active Directory, Windows Migration, Windows Server

Domain Controller Cross Forest migration Part 2

May 5, 2015 Mohammed Hamada Leave a comment

Current environment on the LAB.com DC

Additional DC2
SCVMM
SCVMM SQL
Exchange
SCMM
SCMM SQL

Computers

Migration plan

AD 2012 R2 (LAB.com) to (Contoso.com) 2012 R2.

Users

In the second part of this series (DC cross forest migration) I will demonstrate some major required steps for the migration from the old DC (lab.com) to the new DC (Contoso.com)

NOTE:

SQL Servers and their applications can’t be migrated due to SQL permissions and Schema mismatch.

Requirements are :

Destination DC Forest Function and domain function level must be set to at least 2008 R2 for ADMT3.2 to work

And a health check must be performed on the FSMO roles to make sure everything is functioning properly on the Source DC.. PDC, SchemaMaster..etc

The checks I will perform are

Check replication (In case there’s more than one DC In the source forest).
DC health (DCDiag tool)
Check the reachability of the PDC.

Netdom query FSMO ( this command will show you which DC in the source forest holds the roles exactly)

1- For Checking replication you can use the repadmin command line which checks replication between sites, DCS and reports any errors in between. in case you have one server in pace the following outcome should be printed for you.

Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.

https://technet.microsoft.com/en-us/library/cc770963.aspx

2- Check DC health using DCDIAG tool

Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting

https://technet.microsoft.com/en-us/library/cc731968.aspx

as they are multiple types of tests that can be applied with dcdiag depending on the parameter used. I will start with the DNS.

If the DNS is healthy then it should show as following. and we can continue to the next test.

For an extensive test, you can use the parameter /v along with this sign >c:dcdiag.txt to export the test to a file and look at it line by line.

If everything sounds good and healthy we shall move on to the next step which is DNS configuration

DNS Configuration

Preparation:

DNS replication between both domains
Installing Windows 2008 R2 for ADMT 3.2
Setting up domain trust between forests.

DNS replication between the source and target domain

In order for the trust to be created between both forests, you either have to create a conditional forwarders that will copy the source zones to the destination DNS server and vice versa or you can create a secondary forwarder zone in destination DC for the source DC and vice versa.

In my case I will go for creating a secondary zone and to do this I will go to each DNS server and allow Zone to be transferred.

Note:

You can include only the IPs of the Source and Destination servers in the zone transfer and any additional DNS servers.

Now I a have created a secondary zone DNS and trying to resolve FQDNs from the source server as in the below snapshot.

Same will be done on the destination server.

Checking Name Resolution for both domains:

Once the nslookup works as expected from both servers then we’ll ahead with creating forest trust between both DCs.

Creating Forest trust between Source and Destination Domain.

NOTE:

In order for the trust to be created between both source and destination domains the PDC on the Destination Domain must be available.

1. Open the Active Directory Domains and Trusts, right click on the domain and click properties.

We will have to validate trust after creating it to make sure that trust in both ways are validated.

Now since trust is created and already validated both ways, we’ll have to add a GPO policy to update all clients with the new Domain name in the DNS suffix search list to resolve netbios names.

Updating DNS Suffix Search list:

DNS suffix search list:

In order to add the source and destination domains suffix to the dns suffix search list we will have to open GPO on the destination Domain (Contoso.com)

On the target domain (contoso.com) we’ll have to open GPO .

Right Click on default domain policy / Edit

Go to (Computer Configuration Policies Administrative Templates Network DNS client

Double click on the DNS Suffix Search list to open it and enable it.

Click ok and apply the police and see how it should show in the report.

Once this is done and policy is applied among all clients you should have no problem and it should show first on the DC where you applied the policy.

Hope you find this helpful and stay tuned for the next part. Winking smile

del.icio.us Tags: ADMT,Active Directory,Migration

Active Directory, Windows Migration, Windows Server

Domain Controller Cross Forest migration Part 1

May 1, 2015 Mohammed Hamada Leave a comment

In this series of articles I will demonstrate the Cross forest migration for Microsoft Windows Active directory 2012 R2.

Before starting any step, I will have to do a revision for the current environment and check what is there, what can be migrated and what can not be.

Revisions:

Check if the environment is using an old cryptographic algorithms that’s not supported during the migration .e.g. (SHA-1 1024bit Certification authorities).
Notice that Group Policy user profile folder redirection might have a bug from SCCM. To fix this the SCCM needs to be checked for one option needs to be disabled

Under the SCCM Configuration manager,

– Select Administration

– Select Client Settings

– Pull up PROPERTIES of Default Client Settings configuration and click on Compliance Settings

From <http://blogs.technet.com/b/askds/archive/2013/12/13/an-update-for-admt-and-a-few-other-things-too.aspx>

– Enable User Data and Profiles mentioned above is the setting which drives the control of Folder Redirection and Remote User Profiles.
The above configuration by Default is set to NO. Once enabled (set to YES), it passes the control of Folder Redirection, Offline Files, and Remote User Profiles to WMI and stores this configuration under the registry path: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUserStateUserStateTechnologiesConfigurationControls

TCP/IP crashes and errors: Hotfix released to correct a crash in TCP/IP.

Ref:

http://blogs.technet.com/b/askds/archive/2013/12/13/an-update-for-admt-and-a-few-other-things-too.aspx

Hardware Requirements

Windows 2008 R2 DC on the destination forest.
Windows 2012 R2 ADMT and SQL express 2008 R2 or 2012 R2 express or full.

Reference:

https://support.microsoft.com/en-us/kb/2753560

Software Requirements

1- Rights Management Services Analyzer Tool

From <http://www.microsoft.com/en-us/download/details.aspx?id=46437>

RMS Analyzer provides the following features:

• Support for Azure RMS and AD RMS diagnostics

• Prerequisite checks for Azure RMS integration (such as any required hotfixes, registry key settings, Microsoft Online Sign-In Assistant)

• Ability to collect trace logs to capture real-time problems

• Diagnostics and remediation for Office 2013 and Office 2010

• Basic diagnostics for federation services

• Group membership check, based on groups and policy templates

• Display of your RMS configuration settings and verification tests to validate service health for RMS

• Ability to monitor multiple servers and find all RMS servers in trusted forests

By installing and using the software you accept the License terms which are located in the zip folder download. If you do not accept the terms, do not install or use the software.

2- Password Export Server (PES) – x64

http://www.microsoft.com/en-us/download/details.aspx?id=46437

3- Active Directory Migration Tool (ADMT) QFE – x86

https://connect.microsoft.com/site1164/content/content.aspx?ContentID=30561&IsDraft=False>

I will publish the next parts as soon as I am done with them. stay tuned Winking smile

del.icio.us Tags: ADMT,Active Directory,Windows Server

Windows Migration, Windows Server

Active Directory Migration from Windows Server 2008 R2 to Windows Server 2012 R2

March 22, 2015 Mohammed Hamada Leave a comment

Active Directory Migration from Windows Server 2008 R2 to Windows Server 2012 R2

Friday, March 20, 2015

4:28 PM

Requirements:

New VM machine with Windows Server 2012 R2 installed and up to date on it.
ISO DVD copy of Windows 2012 R2 loaded on your 2008/R2 machine

First we’ll need to prepare the existing forest using the ADPREP command on the Windows 2012 R2 server DVD

You will have to insert the DVD on your 2008/R2 server and navigate to the following path

X:supportadprep

Then use the following command line

Adprep /forestprep

See the snapshot below

When this screen comes up, it’ll ask you to press C and enter to confirm the forest update. Click C and enter to continue and then it’ll show you the previous and next schema version

The process will continue to update the schema as in the below snapshot and it shouldn’t take time too

Here it has completed successfully and now we can move on to the next step.

Now you will have to join the 2012r2 VM machine that you have prepared to the existing DC 2008r2. after you do so you will have to promote this new 2012 server to an additional DC in the domain.

Open Server manager and add new ADDS role to this new server and follow the steps to add it as an additional DC.