Monthly Archives: December 2015

Getting Started with Nano Server

The next generation of Windows Server is soon to be released; the final release date is estimated at Q2/Q3 2016.

Windows Server 2016 is very exciting and will for sure change the way we administer servers.
Microsoft has added a new installation mode in Windows Server 2016: Nano Server.

Nano Server is truly a “Core Server”. It does not include the option to install a GUI, and you will not be able to log on to the server locally or through RDP.
This makes it possible to build the Microsoft OS at a completely new, more minimal level than before.
All management is handled remotely through WMI/PowerShell.

Several Microsoft engineers claim that Nano Server will require up to 80% fewer reboots.
This is because the server does not contain any GUI, has fewer services and processes running, and requires fewer critical patches.

Check out some information from TechEd’s great video at:
https://www.youtube.com/watch?v=HLtfDzJngQg

Let's go!!

It's time to get familiar with the new Windows Nano Server.
I'm going to run a Nano Server as a VM in my test environment. Here is how to get started:

Step 1:

Download the Windows Server 2016 TP4 at:
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview

Be sure to log in and register for the evaluation copy.

Save the .ISO file to C:\TEMP\NanoServer

Step 2:

Now it's time to download all the PowerShell scripts needed.

Download the script “Create a New Nano Server VHD/VHDx” from Script Center
Save the .ps1 script to C:\TEMP\NanoServer

You will also need the Convert-WindowsImage.ps1 from https://raw.githubusercontent.com/PlagueHO/Powershell/master/New-NanoServerVHD/Convert-WindowsImage.ps1
Save the .ps1 script to C:\TEMP\NanoServer

This is because there is currently a bug in the original Convert-WindowsImage.ps1 that causes TP4 not to work as it should.

Now you should have these files under C:\TEMP\NanoServer:

10586.0.151029-1700.TH2_RELEASE_SERVER_OEMRET_X64FRE_EN-US.iso
Convert-WindowsImage.ps1
New-NanoServerVHD.ps1

Step 3:

Now it's time to start actually creating the .vhd file:

Start PowerShell ISE as Administrator

cd to C:\TEMP\NanoServer

Paste the following script and edit the settings as you like:

.\New-NanoServerVHD.ps1 `
-ServerISO 'c:\temp\NanoServer\10586.0.151029-1700.TH2_RELEASE_SERVER_OEMRET_X64FRE_EN-US.iso' `
-DestVHD c:\temp\NanoServer\NanoServerTP4_C.vhd `
-ComputerName NanoServerTP4 `
-AdministratorPassword 'Secr3Tp@ssw0rd' `
-Packages 'OEM-Drivers','Guest' `
-IPAddress '192.168.1.55'

The .vhd file is now being created with the settings above.

Now that you have the .vhd file ready, you only need to create a new Gen 1 VM and attach the .vhd disk, and then you're all set to start using Windows Nano Server!

[Screenshot: Nano Server as seen through the console in Hyper-V]

Connect to the Nano Server through PowerShell:

# Enable PowerShell remoting
Enable-PSRemoting -Force

# You might want to change * to the name or IP of the machine you want to connect to
Set-Item "wsman:\localhost\client\trustedhosts" -Value "*" -Force

# Credentials
$creds = Get-Credential servername\Administrator

# Enter the PSSession; change 192.168.1.55 to the name or IP you want to connect to
Enter-PSSession -ComputerName 192.168.1.55 -Credential $creds
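
Setting TrustedHosts to * makes the client willing to authenticate to any host that is not verified through Kerberos or HTTPS. The following added example (not part of the original post) adds only the Nano Server to the list and then opens a session; the function name Add-TrustedHost is hypothetical, and 192.168.1.55 and NanoServerTP4 are the values used when the VHD was built above.

```powershell
# Added example: scope the WinRM client's TrustedHosts list to one server instead of '*'.
# Add-TrustedHost is a hypothetical helper name; run this on the management client, elevated.
function Add-TrustedHost {
    param([Parameter(Mandatory)][string]$HostName)

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value

    if ($current -eq '*') {
        # Replace the wildcard with the single host we actually manage.
        Set-Item -Path $path -Value $HostName -Force
    }
    elseif (($current -split ',' | ForEach-Object { $_.Trim() }) -notcontains $HostName) {
        # Keep the entries that are already there and append the new one.
        Set-Item -Path $path -Value $HostName -Concatenate -Force
    }

    # Return the resulting list so it can be reviewed.
    (Get-Item -Path $path).Value
}

$nano = '192.168.1.55'                      # address given to New-NanoServerVHD.ps1 above
Add-TrustedHost -HostName $nano

# Prompt for the password instead of keeping it in the script.
$creds   = Get-Credential 'NanoServerTP4\Administrator'
$session = New-PSSession -ComputerName $nano -Credential $creds

# Run a command on the Nano Server to confirm which machine answered, then clean up.
Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
Remove-PSSession -Session $session
```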

Some (hopefully) useful basic PowerShell scripts:

Allowing ICMP traffic in the Nano Server firewall:

# Enable ICMP on Nano Server

# Start by importing the NetSecurity module
Import-Module NetSecurity

# Create a new firewall rule that will allow ICMP
New-NetFirewallRule -DisplayName "Allow ICMP" -Direction Inbound -Action Allow -Protocol icmpv4 -Enabled True

# Check that the new firewall rule is listed in the rules list
Get-NetFirewallRule -DisplayName "Allow ICMP"

Allowing SMB browsing to the Nano Server:

# Enable SMB browsing on the Nano Server

# Start by importing the NetSecurity module
Import-Module NetSecurity

# Enable the existing firewall rules in the File and Printer Sharing group to allow SMB sharing
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True
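
The two snippets above allow every ICMPv4 type and enable every rule in the File and Printer Sharing group. As an added example (not from the original post), the same access can be limited to echo requests and TCP 445 from the local subnet; it assumes the group contains an inbound rule on local port 445 and that it is run inside the remote session on the Nano Server.

```powershell
# Added example: narrower versions of the ICMP and SMB firewall changes.
Import-Module NetSecurity

# ICMP: allow only echo request (type 8), only from the local subnet,
# and only on the Domain and Private profiles.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo request (local subnet)' `
    -Direction Inbound -Action Allow -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress LocalSubnet -Profile Domain,Private -Enabled True

# SMB: pick only the inbound rules of the group that listen on TCP 445
# (assumption: the built-in group has such a rule on this build).
$smbRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }

# Enable just those rules and restrict who may connect.
$smbRules | Set-NetFirewallRule -Enabled True -RemoteAddress LocalSubnet

# Review what is now enabled in the group, with the address scope of each rule.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Profile,
        @{ Name = 'RemoteAddress'; Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } } |
    Format-Table -AutoSize
```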

More about the Nano Server:
https://technet.microsoft.com/en-us/library/mt126167.aspx

Adobe Reader DC – There was an error opening this document. Access denied

I came across this issue when Adobe Reader 11.0 was updated to Adobe Reader DC 2015.007 on a Remote Desktop server.

Users who tried to open a .pdf file from Outlook were prompted with the error “There was an error opening this document. Access denied.”

However, if the users on the RDS server saved the file first, there were no issues opening it.
This is because a .pdf attachment in Outlook is classed as coming from an unknown source on the internet.

Why?

PDF files have grown from being static documents to being dynamic, smart documents.
PDF files have functions such as running scripts on startup. This makes PDF files a vulnerability from a security perspective.
Therefore Adobe has built-in protection against PDF files from unknown sources, called “Protected Mode” or “Sandbox Protection”.

Turn off “Protected mode” in a client/user's RDS profile:

Open Adobe Reader DC

Click “Edit” and choose “Preferences”

Click on “Security (Enhanced)” and uncheck “Enable Protected mode at startup”

This might be a quick solution if you have a handful of users, but if you have 250 users in an RDS environment? Not so much.

Turn off “Protected mode” through GPO (the fast way)

You can turn off “Protected mode” by changing a registry value:

HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\DC\Privileged\
Change the value “bProtectedMode”=dword:00000001 to “bProtectedMode”=dword:00000000

This will work out just fine, but there is a better way: through ADMX files.

Turn off “Protected mode” through ADMX GPO:

When you use an ADMX template for the software in question, you can easily make several changes to the software. The changes and values in the GPO are also easier to understand than changed registry keys.

How to:

  1. Access one of your domain controllers
  2. Download the ADMX files from Adobe ( ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/misc/ReaderADMTemplate.zip )
  3. Unzip the files
  4. Take a copy of C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions (in case something goes wrong when you import the ADMX files)
  5. Copy the ADMX files into the folder C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
  6. Start Group Policy Management
  7. Create a new GPO, or use an existing GPO
  8. Edit the GPO and go to Computer Configuration->Policies->Administrative Policy->Adobe Acrobat 2015->Startup-> Disable “Enable Protected mode on startup”
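
To see which users on the RDS host have the bProtectedMode value described above set to 0, the following added example (not part of the original post) reads it from every user hive loaded under HKEY_USERS. It must run elevated, only covers users whose profiles are currently loaded, and reports a missing value as “not set”.

```powershell
# Added example: report the per-user bProtectedMode value on this host.
# The key path is the one given in the post; everything else is illustrative.
$subKey = 'SOFTWARE\Adobe\Acrobat Reader\DC\Privileged'

Get-ChildItem -Path Registry::HKEY_USERS |
    # Keep real user SIDs only; this skips .DEFAULT, service SIDs and the *_Classes hives.
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $prop = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$subKey" `
                    -Name bProtectedMode -ErrorAction SilentlyContinue

        # Translate the SID to DOMAIN\user where possible; fall back to the SID.
        $user = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }

        [pscustomobject]@{
            User           = $user
            bProtectedMode = if ($prop) { $prop.bProtectedMode } else { $null }
            ProtectedMode  = if (-not $prop)                    { 'not set' }
                             elseif ($prop.bProtectedMode -eq 0) { 'OFF' }
                             else                                { 'on' }
        }
    } |
    Sort-Object ProtectedMode, User |
    Format-Table -AutoSize
```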

How to delete windows.old folder in Windows 10

Windows 10 has been out for a couple of months, and with Threshold 2 it feels great!

When you have upgraded to Windows 10 from Windows 7 or 8.1, you get a folder under C:\ named “windows.old”.
This folder contains your old operating system; if you were to restore back to your old OS, this is the data that would be used.

If you have decided to stick with Windows 10, this folder is unnecessary and will only take up space on your delicious SSD drive 🙂

The folder contains system files, so you will not be able to delete all the files yourself. The system just won’t let you.

This is how I solved this and saved about 16GB of space:

Press windows key + R and type cleanmgr.exe then press “OK”

Press “Clean up system files”

Scroll down to “Previous Windows Installations” and select it, then click “OK”

Click “delete files”

Click “Yes” to confirm the delete

Windows will now delete the files. This will take anything from 30 seconds to a couple of minutes, depending on size and disk performance.