Windows activation on Core without Internet connection

Our Windows Core domain controller installations reside in a place without internet connectivity, so activating

Install the Key, if you did not during installation:

cscript windows\system32\slmgr.vbs -ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY

If the server had internet access, the activation would work with:

cscript windows\system32\slmgr.vbs -ato

For the server without internet access we have to phone Microsoft.

To get the installation ID:

cscript windows\system32\slmgr.vbs -dti

To write the installation ID to a text file:

cscript windows\system32\slmgr.vbs -dti >>C:\act.txt

Call Microsoft; you will then get a confirmation ID.

Enter the received confirmation ID:

cscript windows\system32\slmgr.vbs -atp 1234567890123456789012345678901234567890
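The offline activation steps above as one PowerShell script (an added example, not part of the original notes): it wraps slmgr.vbs, writes the installation ID to a file for the phone call, and verifies afterwards through the SoftwareLicensingProduct CIM class that the product really is licensed. The product key and the output path are placeholders.

```powershell
# Added example, not from the original notes: offline activation helper for Server Core.
$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

function Invoke-Slmgr {
    param([string[]]$Arguments)
    # //nologo keeps the cscript banner out of the captured output
    & cscript.exe //nologo $slmgr @Arguments 2>&1
}

function Get-ActivationState {
    # LicenseStatus: 0 Unlicensed, 1 Licensed, 2 OOB grace, 3 OOT grace,
    #                4 Non-genuine grace, 5 Notification, 6 Extended grace
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
        Select-Object Name, PartialProductKey, LicenseStatus, LicenseStatusReason
}

# 1. Install the key (skip if it was entered during setup); placeholder key
Invoke-Slmgr -Arguments @('-ipk', 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX')

# 2. Dump the Installation ID to a file that can be read out over the phone
$idFile = 'C:\act.txt'
Invoke-Slmgr -Arguments @('-dti') | Out-File -FilePath $idFile -Encoding ascii
Get-Content -Path $idFile

# 3. After the call: apply the Confirmation ID (digits only) and check that the product is Licensed
$cid = (Read-Host -Prompt 'Confirmation ID from Microsoft') -replace '[^0-9]', ''
Invoke-Slmgr -Arguments @('-atp', $cid)

$state = Get-ActivationState
if (@($state | Where-Object { $_.LicenseStatus -eq 1 }).Count -gt 0) {
    'Activated'
} else {
    # Not licensed: show the status and reason code for troubleshooting
    $state | Format-List
}
```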

Install a Read-only Domain Controller (RODC)

  • Create a VM
  • Install Windows 2012R2 Core
  • If from a Template – run sysprep
  • Install VMWare tools
  • Change name
  • Set a fixed IP address and the DNS server

Make sure the IP address is fixed and the computer name has been changed!

Join the Domain

In PowerShell:

Add-Computer -DomainName domain.local

Set up the RODC role

Install-WindowsFeature AD-Domain-Services

Install-ADDSDomainController -DomainName domain.local -installDNS:$true -ReadOnlyReplica:$true -Credential (Get-credential) -SiteName Default-First-Site-Name

Credentials: Domain\Administrator

Enter the recovery password twice

(Document the recovery password in a safe and secure place!!)
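The RODC promotion above, as an added example that is not part of the original notes, extended with an explicit Password Replication Policy so that high-privilege credentials are never cached on a DC that sits in a less trusted location. The domain name is taken from the notes; the group and account names for the policy and the delegated administrator are assumed placeholders.

```powershell
# Added example, not from the original notes: promote the domain-joined Core server to an RODC
# with an explicit Password Replication Policy (PRP). Group/account names are placeholders.
Import-Module ADDSDeployment        # provided by the AD-Domain-Services feature installed above

$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$cred = Get-Credential -Message 'Account allowed to add a DC (e.g. DOMAIN\Administrator)'

$rodc = @{
    DomainName                          = 'domain.local'
    ReadOnlyReplica                     = $true
    InstallDns                          = $true
    SiteName                            = 'Default-First-Site-Name'
    Credential                          = $cred
    SafeModeAdministratorPassword       = $dsrm
    # Only these accounts may have their passwords cached on this RODC (assumed group)
    AllowPasswordReplicationAccountName = @('DOMAIN\RODC-Branch-Users')
    # Never cache these; listed explicitly even though the built-in denied group covers most of them
    DenyPasswordReplicationAccountName  = @('DOMAIN\Domain Admins',
                                            'DOMAIN\Enterprise Admins',
                                            'BUILTIN\Administrators',
                                            'DOMAIN\Denied RODC Password Replication Group')
    # Local administrator of the RODC box without rights elsewhere in the domain (assumed account)
    DelegatedAdministratorAccountName   = 'DOMAIN\RODC-Branch-Admin'
    NoRebootOnCompletion                = $true
    Force                               = $true
}

# Dry run with the same parameters: reports blocking problems without changing anything
Test-ADDSDomainControllerInstallation @rodc | Format-List

# Promote, then reboot (the notes reboot with shutdown -r -t 0; Restart-Computer does the same)
Install-ADDSDomainController @rodc
Restart-Computer

# After the reboot, review the effective PRP from any DC:
#   Get-ADDomainControllerPasswordReplicationPolicy -Identity <RODC name>
```

Fix anything the dry run reports as an error before the Install-ADDSDomainController call runs.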

Install a second Domain Controller

  • Create a VM
  • Install Windows 2012R2 Core
  • If from a Template – run sysprep
  • Install VMWare tools
  • Change name
  • Set a fixed IP address and the DNS server

Join the Domain

In PowerShell:

Add-Computer -DomainName domain.local

Reboot Server

shutdown -r -t 0

Set up the DC role

In PowerShell:

Install-WindowsFeature AD-Domain-Services

Install-ADDSDomainController -DomainName xjbk.local -InstallDns:$true

Deploy from a VMware Template

Open vCenter
Select a matching template
Right click and choose

Enter the Name of the Server

and select a folder

Select the cluster

Select the host in the cluster

Select the storage

Set the proper Network

Sysprep

You need to generalize after the cloning.

Enter

\windows\system32\sysprep\sysprep

Select OOBE

And don't forget:

Rename-Computer to change the name

Note: do not use sconfig for this if you do not want the hostname in capital letters.

Start Powershell

Enter "powershell" at the prompt

Change Name of the Server

Rename-Computer -NewName ComputerName

Reboot Server

shutdown -r -t 0

Set a fixed IP address

This can be done by sconfig as well

(just enter sconfig at the prompt)

Start Powershell

Enter "powershell" at the prompt

Identify the NIC

Get-NetIPInterface

Set the IPv4 address

New-NetIPAddress -InterfaceIndex 12 -IPAddress 172.20.100.20 -PrefixLength 24 -DefaultGateway 172.20.100.1

Set the DNS address

Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses ("172.20.20.20","172.20.20.21")

Check the TCP/IP configuration and the DNS settings with:

nslookup

Enable Remote management

Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"
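The network steps above (identify the NIC, fixed IPv4 address, DNS servers, nslookup check, WinRM) as one script; this is an added example and not part of the original notes. It goes a little further than the notes: it disables DHCP first, verifies that the domain's DC SRV record resolves before the box is joined, and scopes the WinRM firewall rules to the management subnet. The adapter alias, the management subnet and the domain name are assumptions; the addresses are the ones from the notes.

```powershell
# Added example, not from the original notes: static IPv4 + DNS on Server Core with verification,
# then WinRM reachable only from the management network. Save as Set-CoreNetwork.ps1 and run.
param(
    [string]  $Alias      = 'Ethernet0',                        # assumed adapter alias
    [string]  $IPAddress  = '172.20.100.20',
    [int]     $Prefix     = 24,
    [string]  $Gateway    = '172.20.100.1',
    [string[]]$Dns        = @('172.20.20.20', '172.20.20.21'),
    [string]  $MgmtSubnet = '172.20.20.0/24',                   # assumed management subnet
    [string]  $DomainName = 'domain.local'
)

$nic = Get-NetAdapter -Name $Alias -ErrorAction Stop

# Turn off DHCP and drop any leftover dynamic address and default route before assigning the fixed one
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $IPAddress -PrefixLength $Prefix `
    -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Dns

# Verify: the DC locator record must resolve, otherwise the domain join / promotion will fail
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.NameTarget } | Select-Object -ExpandProperty NameTarget
"Domain controllers for ${DomainName}: " + ($dcs -join ', ')

# Enable WinRM, but only accept it from the management subnet (least exposure)
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet
```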

Lazy Windows

Typical Windows Server environment

All servers have the same local Administrator password – easier to remember. Domain controllers and file servers have internet access – it's easier to activate Windows that way, isn't it? An easy-to-guess Domain Admin password, which never expires – makes remembering easier. Why not agree on an easy standard password for every place where a password is required? This makes life and collaboration a lot easier. And this annoying Windows firewall is disabled by default anyway – it just keeps blocking important traffic.

Service accounts must be members of the Domain Admins group and have a never-expiring password (the standard password) – you don't have to think about privileges. Some service accounts are used for multiple services with no logical connection.

And anyway, documentation is for wimps – having no documentation helps secure my job.

Is it lazy IT guys, or is it time pressure causing this?

Questions

Ask yourself some questions:

Hand on heart: would you be able to change the password of every service account in your domain and on your servers without breaking anything?

How many people who have left the company still know passwords of service accounts or administrator accounts that are still valid?

How many people within your organization know the credentials of a highly privileged account?

Do you have the passwords of every administrator or service account documented (securely and safely)?

Do your IT staff use a "standard" password for various things?

Do you use the same PC to surf the internet and receive e-mail as you use to administer your Active Directory?

How much money and effort is your company spending on securing the network? Firewalls, proxies, mail gateways and so on – but your Windows servers are left more or less naked.

Do your users (and you yourself) log out when you leave the PC, or do you just lock the machine? Do you really know what is going on in your Windows session while you are away (lunch, break, meeting)?

Do you have a CSO (Chief Security Officer)? Does he know or care what is going on in the Windows area?

Do your IT staff have access to file structures containing business documents? Do they really need this?

Have you ever tested an Active Directory restore from backup?

Are you sure all business data is backed up properly and a restore is possible within a reasonable time?

Is your password policy enforcing complex passwords? How many people in your organization are writing down their passwords? How many people just use iteration to comply with the password rules?

e.g. Password1, Password2, Password3 and so on

How many passwords are guessable by social engineering? E.g. the pet's name, the partner's or the children's names.

Conclusion: in my eyes, human beings are the weakest link here.