Windows activation on Core without Internet connection

8th September 2015 by jonas

Our Windows Core Domain controller installations do reside in a place without internet connectivity so activating

Install the Key, if you did not during installation:

cscript windows\systen32\slmgr.vbs –ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY

If the Server would have internet access, the activation would work with:

cscript windows\systen32\slmgr.vbs –ato

For the net connected Server wi do have to phone Microsoft

To get the installation ID:

cscript windows\systen32\slmgr.vbs –dti

To get the installation into a textfile

cscript windows\systen32\slmgr.vbs –dti >>C:\act.txt

Call Microsoft, you will then get a confirmation ID

Enter the received confirmation ID:

cscript windows\systen32\slmgr.vbs –atp 1234567890123456789012345678901234567890

Taking care of duplicated WSUS ID’s

8th September 2015 by jonas

When you are using Templates in VMWare or just do clone a machine which was connected to a WSUS server before, you might get dupplicated WSUS client ID’s

You will notice those mchines will not show up in the WSUS console

WSUS Log for troubleshooting

%windir%\WindowsUpdate.log

Stop the Service

Net stop wuauserv

Delete registry keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

Delete those two keys

SusClientId

SusClientIdValidation

Restart the service

Net start wuausrv

Reregister the client:

WUAUCLT /ResetAuthorization /DETECTNOW

Uninstall domain controller role

8th September 2015 by jonas

In powershell:

Uninstall-ADDSDomainController -Credential (Get-Credential)

RODC specials

Dcpromo /forceremoval /demotefsmo:yes /administratorpassword: theNewLocalPassword

Remove-WindowsFeature DNS –restart

Enable LDAP over SSL for AD

8th September 20158th September 2015 by jonas

We will need LDAPS later on for the two factor authentication, using openOTP
The suggested solution of the OpenOTP is not best practice, they suggest setting up a CA on the domain controller.

This Microsoft article is providing the necessary information’s

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Template – Enhanced Key Usage – Server Authentication (1.3.6.1.5.5.7.3.1) is important

Place the certificate

how to add the certificate to the NTDS service’s Personal certificate store

http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx

for troubleshooting

http://support.microsoft.com/kb/938703

Requesting and installing a certificate

Create the CSR

Logon

Create a CSR on the core server

certreq -new c:\temp\cert.inf c:\temp\certrequest.req

the cert.inf file:

[NewRequest]
Subject=”C=CH,S=ZH,L=Zurich,O=Company,OU=IT,CN=server.domain.local”
PrivateKeyArchive=FALSE
Exportable=FALSE
UserProtected=FALSE
MachineKeySet=TRUE
ProviderName=”Microsoft RSA SChannel Cryptographic Provider”
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
HashAlgorithm=sha256
KeyLength=4096
KeyUsage = 0xF0 ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment
KeySpec=1
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

Sign the Certificate at the CA

Install the certificate

certreq -accept c:\temp\SignedCertificate.cer

Install the Root certificate

Do not forget to install the root certificate into the machine “trusted store”

Certutil –addstore –f “TrustedPublisher” c:\temp\root.cer

Verification

After a certificate is installed, follow these steps to verify that LDAPS is enabled:

Start the Active Directory Administration Tool (Ldp.exe)
- For Windows Vista, Windows 7, or non-domain controller Windows Server 2008, or Windows Server 2008 R2 computers, see Remote Server Administration Tools (RSAT) for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2
On the Connection menu, click Connect.
Type the name of the LDAP server (e.g. domain controller or AD LDS/ADAM server) to which you want to connect.
Type 636 as the port number.
Click OK.

Debug in case of problems

Certutil –VerifyStore MY

result:

MY “Personal”

================ Certificate 0 ================

Serial Number: 75000000088db1a509904b6eff000000000008

Issuer: CN=XCA01-CA

NotBefore: 24.06.2015 09:03

NotAfter: 24.06.2016 09:13

Subject: CN=xdc01.xjbk.local

Non-root Certificate

Cert Hash(sha1): 1e 8b df 3f 67 1c 18 fe a9 7d 2b 32 0d d2 1a a3 9f 17 8c fd

Key Container = 87698826a058b37df04eac8a815a9b98_837e2fc9-5182-4419-9660-e414d

e50a998

Simple container name: CertReq-0ecbfed1-329c-4ac6-a5ec-246aa7b87939

Provider = Microsoft RSA SChannel Cryptographic Provider

Private key is NOT exportable

Encryption test passed

Revocation check skipped — server offline

Certificate is valid

CertUtil: -verifystore command completed successfully.

Technical Information:

How to enable LDAP over SSL with external CA

https://support.microsoft.com/de-ch/kb/321051/en-us

https://technet.microsoft.com/en-us/library/cc736326.aspx

Geekiness and more

Various

Windows activation on Core without Internet connection

Taking care of duplicated WSUS ID’s

Stop the Service

Delete registry keys

Restart the service

Reregister the client:

Uninstall domain controller role

Enable LDAP over SSL for AD

Requesting and installing a certificate

Create the CSR

Sign the Certificate at the CA

Install the certificate

Install the Root certificate

Verification

Debug in case of problems

Technical Information: