Category Archives: Windows Server

Getting Started with Nano Server

The next generation of Windows Server is soon to be released; the final release date is estimated to be Q2/Q3 2016.

Windows Server 2016 is very exciting and will for sure change the way we administer servers.
Microsoft has added a new installation mode in Windows Server 2016: Nano Server.

Nano Server is truly a "Core Server". It will not include the option to install a GUI, and you will not be able to log on to the server locally or through RDP.
This makes it possible to build the Microsoft OS on a completely new minimal level compared to before.
All management will be handled remotely through WMI/PowerShell.

Several Microsoft engineers claim that Nano Server will require up to 80% fewer reboots.
This is because the server will not contain any GUI, it will have fewer services and processes running, and it will require fewer critical patches.

Check out some information from TechEd's great video at:
https://www.youtube.com/watch?v=HLtfDzJngQg

Let's go!

It's time to get familiar with the new Windows Nano Server.
I'm going to run a Nano Server as a VM in my test environment. Here is how to get started:

Step 1:

Download the Windows Server 2016 TP4 at:
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview

Be sure to log in and register for the evaluation copy.

Save the .ISO file to C:\TEMP\NanoServer


Step 2:

Now it's time to download all the PowerShell scripts needed.

Download the script "Create a New Nano Server VHD/VHDx" from the Script Center.
Save the .ps1 script to C:\TEMP\NanoServer


You will also need Convert-WindowsImage.ps1 from https://raw.githubusercontent.com/PlagueHO/Powershell/master/New-NanoServerVHD/Convert-WindowsImage.ps1
Save the .ps1 script to C:\TEMP\NanoServer

This is because there is currently a bug in the original Convert-WindowsImage.ps1 that causes TP4 not to work as it should.

Now you should have these files under C:\TEMP\NanoServer:

10586.0.151029-1700.TH2_RELEASE_SERVER_OEMRET_X64FRE_EN-US.iso
Convert-WindowsImage.ps1
New-NanoServerVHD.ps1

Step 3:

Now it's time to start the actual creation of the .vhd file:

Start PowerShell ISE as Administrator

cd to C:\TEMP\NanoServer

Paste the following script and edit the settings as you would like them:

# Build the Nano Server VHD from the TP4 ISO (adjust paths, name, password and IP to your environment)
.\New-NanoServerVHD.ps1 `
-ServerISO 'c:\temp\NanoServer\10586.0.151029-1700.TH2_RELEASE_SERVER_OEMRET_X64FRE_EN-US.iso' `
-DestVHD c:\temp\NanoServer\NanoServerTP4_C.vhd `
-ComputerName NanoServerTP4 `
-AdministratorPassword 'Secr3Tp@ssw0rd' `
-Packages 'OEM-Drivers','Guest' `
-IPAddress '192.168.1.55'

The .vhd file is now being created with the settings above.


Now that you have the .vhd file ready, you only need to create a new Gen 1 VM and attach the .vhd disk, and then you're all set to start using Windows Nano Server!

This is how Nano Server looks through the console in Hyper-V: (screenshot: nanoserver_ready)

Connect to the Nano Server through PowerShell:

# Enable PowerShell remoting on the management machine
Enable-PSRemoting -Force

# Add the Nano Server to TrustedHosts. "*" trusts every host; you might want to
# change it to the name or IP of the machine you want to connect to
Set-Item "wsman:\localhost\client\trustedhosts" -Value "*" -Force

# Credentials for the local Administrator account on the Nano Server
$creds = Get-Credential servername\Administrator

# Enter the PSSession; change the address to the name or IP of your Nano Server
Enter-PSSession -ComputerName 192.168.1.55 -Credential $creds
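As an added example (not code from the original post), the same connection with TrustedHosts limited to the Nano Server's own address instead of "*", followed by a remote check of the firewall rule created further down. It assumes the Nano Server answers on 192.168.1.55 (the post's sample address) and that the account is NanoServerTP4\Administrator.

```powershell
# Added example, not from the original post. Trusts only the Nano Server's
# address (keeping existing TrustedHosts entries), opens a session and checks a
# firewall rule remotely. Assumed: host 192.168.1.55, user NanoServerTP4\Administrator.

function Add-TrustedHostEntry {
    param([Parameter(Mandatory)][string]$HostName)
    $path = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item $path).Value
    if ([string]::IsNullOrWhiteSpace($current)) {
        Set-Item $path -Value $HostName -Force
    } elseif (($current -split ',') -notcontains $HostName) {
        # Append rather than overwrite, so other trusted hosts keep working
        Set-Item $path -Value "$current,$HostName" -Force
    }
}

function Test-NanoFirewallRule {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$DisplayName = 'Allow ICMP'
    )
    # Fail early if WinRM on the Nano Server is not reachable
    Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
    try {
        Invoke-Command -Session $session -ArgumentList $DisplayName -ScriptBlock {
            param($name)
            Import-Module NetSecurity
            $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Rule     = $name
                Present  = [bool]$rule
                Enabled  = if ($rule) { [string]$rule.Enabled } else { 'n/a' }
                Action   = if ($rule) { [string]$rule.Action }  else { 'n/a' }
            }
        }
    } finally {
        Remove-PSSession $session
    }
}

$nanoHost = '192.168.1.55'
Add-TrustedHostEntry -HostName $nanoHost
$creds = Get-Credential 'NanoServerTP4\Administrator'
Test-NanoFirewallRule -ComputerName $nanoHost -Credential $creds
```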


Some (hopefully) useful basic PowerShell scripts:

Allowing ICMP traffic in the Nano firewall:

# Enable ICMP on Nano Server

# Start by importing the NetSecurity module
Import-Module NetSecurity

# Create a new firewall rule that will allow inbound ICMPv4
New-NetFirewallRule -DisplayName "Allow ICMP" -Direction Inbound -Action Allow -Protocol icmpv4 -Enabled True

# Check that the new firewall rule is listed in the rule list
Get-NetFirewallRule -DisplayName "Allow ICMP"

Result: (screenshot: Nanoserver_ICMP.JPG)

Allowing SMB browsing to the Nano Server:

# Enable SMB browsing on the Nano Server

# Start by importing the NetSecurity module
Import-Module NetSecurity

# Enable the built-in "File And Printer Sharing" rule group, which allows SMB sharing
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True

Before: (screenshot: SMB_access)

After: (screenshot: smb_working)

More about the Nano Server:
https://technet.microsoft.com/en-us/library/mt126167.aspx

Adobe Reader DC – There was an error opening this document. Access denied


I came across this issue when Adobe Reader 11.0 was updated to Adobe Reader DC 2015.007 on a Remote Desktop server.

Users who tried to open a .pdf file from Outlook were prompted with the error "There was an error opening this document. Access denied."

However, if the users on the RDS server saved the file first, there were no issues opening it.
This is because a .pdf attachment opened from Outlook is classed as coming from an unknown Internet source.

Why?

PDF files have grown from being static documents to being dynamic and smart documents.
PDF files have functions like running scripts on startup. This makes PDF files a vulnerability from a security perspective.
Therefore Adobe has a built-in protection for PDF files from unknown sources, called "Protected Mode" or "Sandbox Protection".

Turn off "Protected Mode" on a client/user's RDS profile:

Open Adobe Reader DC

Click "Edit" and choose "Preferences"

Click on "Security (Enhanced)" and uncheck "Enable Protected Mode at startup"

This might be a quick solution if you have a handful of users, but if you have 250 users in an RDS environment? Not so much.

Turn off "Protected Mode" through GPO (the fast way)

You can turn off "Protected Mode" by changing a registry value:

HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\DC\Privileged\
Change the value "bProtectedMode"=dword:00000001 to "bProtectedMode"=dword:00000000
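Since turning this value to 0 switches the sandbox off, it is worth knowing which profiles on the RDS host actually have it disabled. As an added example (not from the original post), this script reads the same bProtectedMode value from every user hive currently loaded under HKEY_USERS and reports the status per user; run it elevated on the RDS server.

```powershell
# Added example, not part of the original post. Reads the value the post
# describes (SOFTWARE\Adobe\Acrobat Reader\DC\Privileged\bProtectedMode) from
# every loaded user hive under HKEY_USERS and reports who has Protected Mode off.

function Get-ProtectedModeStatus {
    param(
        # Key path from the post, relative to each user's hive
        [string]$RelativeKey = 'SOFTWARE\Adobe\Acrobat Reader\DC\Privileged'
    )
    # Only real user hives (domain/local account SIDs); skip the _Classes hives
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        # Resolve SID to account name; fall back to the SID if lookup fails
        $user = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }

        $keyPath = "Registry::HKEY_USERS\$sid\$RelativeKey"
        $value = (Get-ItemProperty -Path $keyPath -Name bProtectedMode -ErrorAction SilentlyContinue).bProtectedMode

        # Absent value means Reader uses its default, which is Protected Mode enabled
        if ($null -eq $value) { $status = 'Default (enabled)' }
        elseif ($value -eq 0)  { $status = 'DISABLED' }
        else                   { $status = 'Enabled' }

        [pscustomobject]@{
            User           = $user
            Sid            = $sid
            bProtectedMode = $value
            ProtectedMode  = $status
        }
    }
}

# Show only the profiles where the sandbox has been switched off
Get-ProtectedModeStatus | Where-Object ProtectedMode -eq 'DISABLED' | Format-Table -AutoSize
```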

This will work just fine, but there is a better way: through ADMX files.

Turn off "Protected Mode" through ADMX GPO:

When using an ADMX template for the appropriate software, you can make several changes in the software easily. The changes and values in the GPO are also easier to understand than raw registry key changes.

How to:

  1. Access one of your domain controllers
  2. Download the ADMX files from Adobe ( ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/misc/ReaderADMTemplate.zip )
  3. Unzip the files
  4. Take a copy of C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions (in case something goes wrong when you import the ADMX files)
  5. Copy the ADMX files into the folder C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
  6. Start Group Policy Management
  7. Create a new GPO, or use an existing GPO
  8. Edit the GPO and go to Computer Configuration -> Policies -> Administrative Templates -> Adobe Acrobat 2015 -> Startup -> Disable "Enable Protected mode on startup"

(screenshot: gpo)

Transferring FSMO Roles

Hey!

So it's time to phase out an older DC and demote it?

Here's a basic description of how to do it:

There are a total of 5 roles that need to be transferred before demoting and uninstalling the DC roles on the existing DC:

  • RID master
  • PDC Emulator
  • Infrastructure master
  • Domain naming master
  • Schema master


To confirm where the roles are located:

Start cmd.exe and type:
netdom query fsmo

Now you should get a list of all FSMO roles and which server holds each role: (screenshot: Capture)

Stage 1:

Transfer the RID Master, PDC Emulator, and Infrastructure Master roles

Open Active Directory Users and Computers

Right-click the Active Directory Users and Computers node and choose Operations Masters.

Select the tab for the role you wish to transfer and press the Change button.

Stage 2:

Transfer the Domain Naming Master role

Open Active Directory Domains and Trusts

Right-click the Active Directory Domains and Trusts node and choose Operations Master.

Press Change.

Stage 3:

Transfer the Schema Master role

Run regsvr32 schmmgmt.dll and wait for the success confirmation.

Open MMC and add the Active Directory Schema snap-in.

Right-click the Active Directory Schema node and choose Operations Master.

Press the Change button.

Be sure to check that the new DC is a Global Catalog and that it is synced before demoting the old DC.
You should of course deactivate GC on the old DC before phasing it out.
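The same three stages can be done from PowerShell with the ActiveDirectory module. As an added example (not from the original post), this lists the current FSMO holders, refuses to move the roles unless the target DC is already a Global Catalog, moves all five roles, and lists the holders again; "DC-NEW" is a placeholder for your new domain controller.

```powershell
# Added example, not part of the original post. Does from PowerShell what the
# post does in the GUI: show FSMO holders, move all five roles to the new DC,
# and confirm GC status first. "DC-NEW" is a placeholder name.

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$TargetDC)
    # The post's last step as a precondition: the new DC must be a Global
    # Catalog before it takes over the roles and the old DC is demoted
    $dc = Get-ADDomainController -Identity $TargetDC
    if (-not $dc.IsGlobalCatalog) {
        throw "$TargetDC is not a Global Catalog yet; enable GC and let it replicate first."
    }
    # Transfer (not seize): the current holder must be online
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false
}

'Before:'; Get-FsmoHolders
Move-AllFsmoRoles -TargetDC 'DC-NEW'
'After:';  Get-FsmoHolders

# Per-DC view comparable to "netdom query fsmo", including GC status of every DC
Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog, OperationMasterRoles
```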