DFSR Setup and considerations

DFSR is actually relatively easy to set up.

There’s no need for me to re-invent the wheel or explain in tiny detail, as most of it has all been done before.

So, to start:

MS blog about how it can work for you.

DFS Replication in Windows Server 2012 R2

How to set it up

DFSR Setup with screenshots

Another MS blog about how, if you have a huge estate, you’d better use the DFSRADMIN command line! (Yeah, you’d better!)

DFS Replication and command line


AD Certificate Services

I hate certificates. Well, a nice wildcard cert deployed internally is fine, but when there’s a faff to replace certificates and it’s been so long that you really cannot remember what you did in the first place…I just hate it. So imagine my childish delight when I had to build AD CS!

It’s not that bad in all fairness, and it boils down to: make server, add role, next next next, and let AD do its magic for all the machines within the domain that you need to send the certificate to. That’s just reminded me about the VDM certificate for connection servers, which will come later on.

I followed the MS lab guides and also backed this up with a very nice blog post with pretty screenshots and all worked fine. Just remember to add in any subject alternative names if you have a mixture of FQDN and abbreviated server names within your domain.

AD CS and PKI

Deploying Standalone Root CA (Server 2012)

AD Sites, Subnets and Links

Ok, so you may have set up AD, done your Domain and it all works and the world is a happy place. But Alas! You now have to deal with the Branch Office. Dead easy. You got your connection to it? Check. You know the name you want to use? Check. You got the subnet? Check.

Read these and be done with it!

Understanding it!

Step by Step Set up

More details

There are considerations such as the Cost (really only for multiple sites) and the Replication schedule. I’ve always found the traffic/bandwidth use to be minimal, but your mileage may vary depending on those underground wires you’re connected to. Or satellite. Or point-to-point laser link (Pew pew! Aw, it’s foggy, it doesn’t work anymore!)

Documenting Active Directory

Over the years I’ve amassed a huge amount of AD related information. Most of what I’m working through at the moment is about creating a Forest/Domains, OU structure, logical/geographical models, and I think if you need to do that… You probably know how to, or where to get the information to do it! All the MS stuff is easily accessible, so it’s a bit pointless me posting everything I’ve ever read on it.

One thing that is of use, and that bypasses the need to actually…pay for things, is a very old school way of making pretty pictures from AD. It doesn’t work on Server 2012, so it will need playing with, but it saves a ton of time compared with working through text documents, AD Users and Computers, then Visio:

AD Visio Tool

Disable IE Enhanced Security

New server built. Need access to vSphere or any other web-based server or appliance front end.

Are you sure?

Do you trust this site?

Do you really trust this site?

Are you sure you trust this site?

Are you really sure you really trust this site?

Just turn it off via GPO

Disable IE Enhanced mode

In all fairness, some people have security concerns about using any browser on a server. I get that. If you’re using Server 2012 R2, relatively recently updated, and well… you aren’t an idiot, you’re probably OK using it to get media from a trusted site or to use your web-based admin pages. The final decision lies with you!

There are situations and environments where you shouldn’t do this and in fact should lock it all down as much as you can: where you may have apprentices, or non-IT-literate staff who are the IT staff. I’ve been involved with a lot of places where they don’t have anyone in an official IT capacity and the highest qualified person is the one who can change the lock screen on their phone.

Get Default Gateway…Change Default Gateway

Sometimes, people change things. Sometimes people change subnets and default gateways and you aren’t allowed to inflict serious physical or emotional pain on them like a vengeful senior team member. You have to fix it. Actually, that reminds me of the time someone took ownership of all the GPOs in an environment and gave himself the only permissions, and everyone wondered why it all broke. And he screamed ‘Blamefest!’ at everyone when he got told off. Ah well, that’s what happens when you give full domain admin rights to an apprentice. But I digress!

Actually, Changing Default GW 2: The Search For A Script came about because I was working on an environment where there was originally no internet, then some machines had a working GW, then other machines were given a different one. Like many infrastructure-related tasks I feel I may have to do again as part of a process, I try to find a solution to automate or expedite it for next time. So, with no further ado, I used these great links to find the GW and change the GW.

PSEXEC to Find:

Get Default GW

Powershell to Change:

Change GW

Fix home drive permissions with powershell

Honestly, there are some times when…OK, a LOT of times when you feel like cold water has been thrown over the burden on your shoulders and, within a few minutes of googling, someone you’ve never met will save your life. This is one of those 😉

Hundreds of home drives under DFS…And everyone has access to everyone’s drives (thankfully said drives are empty). Then as you create more, you realise that even new ones are doing the same thing. Thankfully, this wonderful person already wrote a powershell script to fix it!

You can see from the comments that a slight change needs to be made and, if I remember rightly, I think you need to use PowerShell 2 (or a less modern version, anyway).

Fix NTFS home drive permissions script

If you’re using DFS or folder redirection with home drives the following MS KB also helps!

How to dynamically create security-enhanced redirected folders or home folders

Disable Automatic Maintenance using PSEXEC

I had this exact same problem as the post describes. VMs were laggy and CPU was at 100%; the culprit was “TiWorker.exe”, which is automatic maintenance, not some nasty malware bug… but a ‘feature’ in Server 2012 and R2.

I went one step further and added a command to read a text document containing a list of server names, so I could disable it on all the necessary servers – I’ll add that to the post if I find it:

Disable automatic maintenance with PSEXEC

DNS Bulk records creation

So I’m starting to work my way through all my favourites and anything that I found useful historically and came across this.

When you’ve got multiple Linux appliances/VMs that you need to manually create host records for, especially on a green field site, when installing a bunch of new kit, or when you create a lot of infrastructure from bare bones, it’s always faster to have a good script to take away some of the pain of going through the manual process!

For me, this came in handy because I had 13 ESXi hosts with various Linux virtual appliances that needed adding manually. The following link shows how you can make use of either DNSCmd or PowerShell:

DNS Bulk records creation
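As an added example (my own, not the script from the linked post), this is the PowerShell flavour of the same idea: feed a list of host names and addresses to Add-DnsServerResourceRecordA, validating each IP and refusing to overwrite a record that already exists. The DNS server name, zone and host list below are placeholders; in practice the list comes from Import-Csv.

```powershell
# Added example: bulk-create A records (plus PTRs) for a batch of Linux appliances.
# Assumes the DnsServer module is available where this runs; server and zone are placeholders.
$DnsServer = 'dc01.example.internal'   # placeholder DNS server
$Zone      = 'example.internal'        # placeholder forward lookup zone

# Constructed sample list; replace with: Import-Csv -Path 'D:\temp\newhosts.csv'
$Hosts = @'
Name,IP
esxi01,10.10.1.11
vcsa01,10.10.1.20
nsxmgr01,10.10.1.30
'@ | ConvertFrom-Csv

foreach ($h in $Hosts) {
    # Reject anything that is not a well-formed IPv4 address; a typo is better caught than registered
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($h.IP, [ref]$ip) -or $ip.AddressFamily -ne 'InterNetwork') {
        Write-Warning "Skipping $($h.Name): '$($h.IP)' is not a valid IPv4 address"
        continue
    }

    # Idempotent: never clobber an existing record, just report the mismatch for a human to look at
    $existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                    -Name $h.Name -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        $current = $existing.RecordData.IPv4Address -join ', '
        Write-Warning "$($h.Name).$Zone already exists ($current); leaving it alone"
        continue
    }

    # -CreatePtr also writes the reverse record when a matching reverse lookup zone exists
    Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone `
        -Name $h.Name -IPv4Address $h.IP -CreatePtr
    Write-Output "Created $($h.Name).$Zone -> $($h.IP)"
}
```

Add -WhatIf to the Add-DnsServerResourceRecordA call for a dry run against a freshly exported list before committing.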

WannaCry Attack and Petya

Yes, yes, we’re all sick of hearing about this, but for those of you who didn’t get exposed to it, or did and needed that little bit more information, I’m posting it anyway.

As you may know, it wasn’t just Windows XP machines that got hit (contrary to popular media belief), there was a huge effect on Windows 7 machines that hadn’t been updated in a while.

I worked on this for the NHS and although it was mitigated by being a Horizon View environment, for another Trust, it was absolutely devastating to their physical environment.

So, aside from the patching you’ve all done and the MS KB:

KB4012212 for Win7 and KB4012213 for Server 2012

https://technet.microsoft.com/library/security/MS17-010

There is also the option to completely disable SMB v1. You can…Honest… It won’t break anything!

Good article from MS on why you NEED to stop using it and one on how to disable it:

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

Also, for those of you who would like to use a script, I found the following (somewhere!). Credit to the author!

=========================================================================

DISABLE SERVER SIDE SMB V1 PROTOCOL

=========================================================================

# Disable SMB V1 – Windows Server 2012 R2 (Remove-WindowsFeature is the server cmdlet;
# on Windows 10 and 8.1 use the Disable-WindowsOptionalFeature line from the client section)
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {Remove-WindowsFeature FS-SMB1 -NoRestart}

# Disable SMB V1 – Windows 8 and Windows Server 2012
# (-Force suppresses the confirmation prompt, which cannot be answered inside a remote session)
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force}

# Disable SMB V1 – Windows Server 2008, Windows Server 2008 R2, Windows 7 and Windows Vista
# (registry switch; a reboot is needed before it takes effect)
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force}

=========================================================================

DISABLE CLIENT SIDE SMB V1 PROTOCOL

=========================================================================

# Disable SMB V1 – Windows Server 2012 R2, Windows 10 and Windows 8.1
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart}

# Disable SMB V1 – Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
# (removes the SMB1 redirector from the workstation service dependencies, then disables the driver; reboot afterwards)
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"
Invoke-Command -ComputerName $ComputersList {sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi}
Invoke-Command -ComputerName $ComputersList {sc.exe config mrxsmb10 start= disabled}

 

Just goes to show that the reluctance for various institutions to perform updates needs to be overcome, as the consequences for older OS are becoming more and more serious!
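As an added example (my own, not the script above or anything from the linked MS posts), here is a read-only audit you can run against the same server list before and after the changes, to confirm SMBv1 is actually off on both the server and client side rather than assuming the commands took. The file path is the same placeholder as above; cmdlets that don’t exist on older OS versions simply report n/a.

```powershell
# Added example: audit SMBv1 state across a server list (same placeholder list file as above).
$ComputersList = Get-Content -Path "D:\temp\testservers.txt"

$results = Invoke-Command -ComputerName $ComputersList -ErrorAction Continue -ScriptBlock {
    $r = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Server side, 2012 / 8 and later: the setting Set-SmbServerConfiguration flips
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $r.ServerSMB1Enabled = if ($cfg) { $cfg.EnableSMB1Protocol } else { 'n/a' }

    # Server side, 2008 R2 / 7: the legacy registry switch. No value at all means SMB1 is still on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    $r.RegistrySMB1 = if ($null -eq $reg) { 'not set (enabled)' } else { $reg.SMB1 }

    # Client side: mrxsmb10 driver start type (4 = disabled) and whether the workstation
    # service still depends on it. Kernel drivers are not visible to Get-Service, hence the registry.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    $r.ClientDriverStart = if ($drv) { $drv.Start } else { 'absent' }
    $ws = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' `
              -Name DependOnService -ErrorAction SilentlyContinue
    $r.WorkstationDependsOnSMB1 = [bool]($ws.DependOnService -contains 'mrxsmb10')

    # Anything currently talking SMB1 to this server? (2012+ only; dialect below 2 is SMB1)
    $s = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { [double]$_.Dialect -lt 2 }
    $r.ActiveSMB1Sessions = @($s).Count

    [pscustomobject]$r
}

$results |
    Select-Object Computer, ServerSMB1Enabled, RegistrySMB1, ClientDriverStart,
                  WorkstationDependsOnSMB1, ActiveSMB1Sessions |
    Format-Table -AutoSize
```

A non-zero ActiveSMB1Sessions column before you disable it is your list of clients (old printers, NAS boxes, scanners) that will break, which is the thing to fix first rather than a reason to leave SMBv1 on.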