PowerShell Web Access

KB ID 0001036

Problem

One of my goals for this year is to become more proficient with PowerShell. During my studies I came across PowerShell Web Access and thought it was so cool, I’d have a play with it.

What is PowerShell Web Access?

It’s a web service that runs on a Server 2012 IIS web server. It lets you connect remotely to that host (via HTTPS) and then launch a secure PowerShell connection to any machine in your network. So by deploying a secure bastion host in your DMZ you can manage your infrastructure via PowerShell. You don’t even need to have PowerShell on the remote machine you connect from (as demonstrated below), and that machine does not even have to be Windows. It just needs a browser that can run JavaScript and accept cookies.

You Expect Me to Open All My Servers To Remote Management?

In a word, yes. In fact, if you have Server 2012 or newer they already are, and if you have not already enabled the Windows Remote Management service on your legacy machines, DO SO! If you don’t, all the modern domain management tools will gradually stop working. As far as Microsoft is concerned, PowerShell is the tool that all the management tools will be built on.

In fact, if you are a security-conscious type, you probably already have domain services in your DMZ. Think of this as a secure ‘reverse-proxy’, whose traffic is secured by SSL and Kerberos.

Solution

Setting Up PowerShell Remote Access

1. PowerShell Web Access is a ‘Windows feature’; add it with the following command;

[box]

Add-WindowsFeature WindowsPowerShellWebAccess
[/box]

2. Now it’s available you can install it like so;

[box]Install-PswaWebApplication[/box]

Note: My target server is already running IIS and has a certificate binding for HTTPS. Yours probably does not; if so, generate a self-signed certificate and assign it like so;

[box]Install-PswaWebApplication -UseTestCertificate[/box]

Obviously in production replace this certificate with either a publicly signed one, or one from your own PKI environment.

3. Now you need to allow access. The following allows all users to all machines to do everything (Note: I would not recommend this for a production environment, see next step).

[box]Add-PswaAuthorizationRule * * *[/box]

4. As I said above, let’s be a little more secure. I’ve created a computer group for my target computers, and a user group for my remote PowerShell admins. As above, I’ve not filtered what the users can do. You could give granular remote access to different levels of administrative groups using this; if that’s a requirement see this article.

[box]

Add-PswaAuthorizationRule -ComputerGroupName petenetlivePSComputers -UserGroupName petenetlivePSAdmins -ConfigurationName *

[/box]

5. Now connect to the server over HTTPS. The install creates a virtual directory called pswa, so you will need to go to https://{ip address or hostname}/pswa.
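Once the gateway is up, it is worth checking that the catch-all rule from step 3 is not still in place alongside the scoped rule from step 4. The following is an added example, not part of the original article. It assumes the rule objects carry the Id, RuleName, User, Destination and ConfigurationName properties shown in the default `Get-PswaAuthorizationRule` output, and the user and computer names in the last line are constructed placeholders.

```powershell
# Added example: audit PSWA authorization rules on the gateway for wildcards.
# Assumption: rule objects expose the Id, RuleName, User, Destination and
# ConfigurationName properties shown in Get-PswaAuthorizationRule's table output.
Import-Module PowerShellWebAccess

function Get-PswaWildcardRule {
    # Emit one object per rule that has '*' in any of its three scopes.
    Get-PswaAuthorizationRule | ForEach-Object {
        $open = @()
        if ($_.User -eq '*')              { $open += 'User' }
        if ($_.Destination -eq '*')       { $open += 'Computer' }
        if ($_.ConfigurationName -eq '*') { $open += 'Configuration' }
        if ($open.Count -gt 0) {
            [pscustomobject]@{
                Id         = $_.Id
                RuleName   = $_.RuleName
                OpenScopes = $open -join ','
            }
        }
    }
}

$wildcards = @(Get-PswaWildcardRule)
$wildcards | Format-Table -AutoSize

# Rules open on user AND computer are the 'Add-PswaAuthorizationRule * * *' case
# from step 3. -WhatIf makes this a dry run; drop it once the list looks right.
$wildcards |
    Where-Object { $_.OpenScopes -like 'User,Computer*' } |
    ForEach-Object { Remove-PswaAuthorizationRule -Id $_.Id -WhatIf }

# Confirm the scoped rule from step 4 still admits an intended admin.
# 'EXAMPLE\pswa.admin' and 'srv01.example.local' are constructed placeholders.
# Output is the matching rule; no output means no rule grants that access.
Test-PswaAuthorizationRule -UserName 'EXAMPLE\pswa.admin' -ComputerName 'srv01.example.local'
```

The step 4 rule will be listed with `Configuration` as its only open scope, which matches the note above that the users' session configuration has not been filtered.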

PowerShell Web Access – It Doesn’t Work!

If at this point there’s a problem, ensure the server and the client you are trying to connect to have comms (can they ping each other by name and IP?). Most importantly, the machine you need to connect to needs to have WinRM running and its firewall configured properly.
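The checks described above can be run from the PSWA server in one pass. This is an added example, not part of the original article; the function name `Test-PswaTarget` and the host names `dc01` and `files01` are hypothetical, and 5985/5986 are the default WinRM HTTP and HTTPS listener ports.

```powershell
# Added example: from the PSWA gateway, show which layer fails for each target.
function Test-PswaTarget {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int[]]$Port = @(5985, 5986)   # default WinRM HTTP / HTTPS listeners
    )

    $result = [ordered]@{ Computer = $ComputerName; Resolves = $false }

    # 1. Name resolution: can the gateway turn the name into an address?
    try {
        [void][System.Net.Dns]::GetHostAddresses($ComputerName)
        $result.Resolves = $true
    } catch { }

    # 2. Firewall / service: is anything accepting TCP on the WinRM ports?
    foreach ($p in $Port) {
        $open = $false
        if ($result.Resolves) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                $async = $client.BeginConnect($ComputerName, $p, $null, $null)
                # Wait up to 2 seconds; a refused connection completes but is not Connected.
                $open = $async.AsyncWaitHandle.WaitOne(2000) -and $client.Connected
            } catch { } finally { $client.Close() }
        }
        $result["Tcp$p"] = $open
    }

    # 3. WinRM itself: Test-WSMan sends a WS-Management Identify request.
    $result.WSMan = [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

# 'dc01' and 'files01' are constructed host names; substitute your own targets.
'dc01', 'files01' | ForEach-Object { Test-PswaTarget -ComputerName $_ } | Format-Table -AutoSize
```

A target that resolves but shows both ports closed points at the firewall or a stopped WinRM service; a port that is open with `WSMan` false points at the listener configuration.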

Configure Windows Remote Management for a Single Host

From an elevated command prompt execute the following command and follow the on-screen prompts;

[box]WinRM QuickConfig [/box]

Configure Windows Remote Management via Group Policy

A better approach would be to configure your hosts via GPO. You can find the correct GPO at;

[box]

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM
On Server 2008 R2 and older the policy will be called 'Allow automatic configuration of listeners'

[/box]

Enable the policy and select which networks you want to allow remote connections from, above I’ve simply used asterisks to denote ‘all addresses’.

Providing all is well, you should have PowerShell access.

PowerShell from an Apple IOS Device (iPad shown)

PowerShell from an Android Device (Samsung Note shown)

Related Articles, References, Credits, or External Links

NA

Exchange 2010 Service Pack 2 Fails ‘Readiness Checks’

KB ID 0000720

Problem

When attempting to install Service Pack 2 on an Exchange 2010 Server, the ‘Readiness Checks’ fail for the Client Access Role:

Client Access Role Prerequisites
Failed
Error:
The 'IIS 6 WMI Compatibility' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=0a71c4f6-68de-40f7-94cf-74b73cbda37b
Error:
The 'Client Certificate Mapping Authentication' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Directory Browsing' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'HTTP Errors' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'HTTP Logging' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'HTTP Redirection' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Tracing' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Request Monitor' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Static Content' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236

Solution

There are simply more server roles now required for an Exchange Server that has the Client Access Server role.

You can bypass the error by running the update with the ‘/Mode:Upgrade /InstallWindowsComponents’ switch on the end of it like so;

[box]Setup /Mode:Upgrade /InstallWindowsComponents[/box]

Adding required CAS Roles for Exchange SP2 Manually

I prefer to do things myself, so you can add all the roles from PowerShell.

1. All Programs > Accessories > Windows PowerShell > execute the following command;

[box]Import-Module ServerManager[/box]

2. Then execute the following command;

[box]Add-WindowsFeature Web-WMI,Web-Asp-Net,Web-ISAPI-Filter,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-Request-Monitor,Web-Static-Content[/box]

3. Then re-run the SP2 setup.

Related Articles, References, Credits, or External Links

NA

Installing Exchange 2010 on Server 2012

KB ID 0000785 

Problem

With the release of Exchange 2010 Service Pack 3, Exchange 2010 is now supported on Windows Server 2012, but as there (at time of writing) is no media with SP3 slipstreamed into it, installing the product on Windows Server 2012 is a little problematic.

If you got here because you have tried and have got an error, follow the procedure below and you should have the product installed and running without any further problems.

To see the possible errors jump to the end.

Solution

1. If you have Exchange 2010 already deployed on the servers, I would suggest you get all these upgraded to Service Pack 3 before you start.

2. Install the Office 2010 Filter Pack, and the Office 2010 Filter Pack Service Pack 1.

3. Issue the following PowerShell Command;

[box]
Add-WindowsFeature Web-WMI,Web-Asp-Net,Web-ISAPI-Filter,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-Request-Monitor,Web-Static-Content,NET-WCF-HTTP-Activation45,Web-Security,Web-Windows-Auth,Web-Digest-Auth,NET-HTTP-Activation,Web-Basic-Auth,Web-Lgcy-Mgmt-Console,Web-Dyn-Compression,Web-Stat-Compression,RPC-over-HTTP-Proxy,RSAT-ADDS
[/box]

Note: Don’t panic if it appears to hang at 68% for a while!

4. Download this zip file, it contains a .reg file, run it and merge those files into the registry of the 2012 server.

5. Insert the Exchange 2010 DVD, or run setup.exe from the extracted Exchange 2010 install media.

Note: I’m using Exchange 2010 with SP1 included (because it’s the newest one I can download, and a version with SP2 or SP3 included is not yet available).

6. MAKE SURE, you DO NOT have the ‘Automatically install Windows Server roles and features required for Exchange Server’ option selected or you will see this error.

7. When complete install Service Pack 3.

Errors You May See If You Don’t Follow This Procedure

Error 1.
Error:
The following error was generated when "$error.Clear();
if($RoleInstallWindowsComponents)
{
# Install any Windows Roles or Features required for the Management Tools role
Install-WindowsComponent -ShortNameForRole "AdminTools" -ADToolsNeeded $RoleADToolsNeeded
}
" was run: "The system cannot find the file specified".
The system cannot find the file specified

You see this error if you left ‘Automatically install Windows Server roles and features required for Exchange Server’ ticked, simply click back and untick this box then try again.

Error 2

Mailbox Role
Failed

Error:
The following error was generated when "$error.Clear();
$wevtutil= join-path (join-path $env:SystemRoot system32) wevtutil.exe;
$manifestPath = [System.IO.Path]::Combine($RoleInstallPath, "Scripts\TSCrimsonManifest.man");
Start-SetupProcess -Name:"$wevtutil" -Args:"im `"$manifestPath`" "
" was run: "Process execution failed with exit code 15010.".
Process execution failed with exit code 15010.

Download this zip file, it contains a .reg file, run it and merge those files into the registry of the 2012 server. Then run the setup again.

Known Problem Opening Exchange Management Console

(19/06/13) Update from reader Jeremy Krautkramer.

You may find that on Server 2012 (and Windows 8) you can launch the Exchange Management Console, but are unable to expand any of the objects in the left-hand pane.

Jeremy fixed it by dropping to command line and running the following three commands;

[box]set __COMPAT_LAYER=RUNASINVOKER
set COMPLUS_Version=v2.0.50727
"C:\Program Files\Microsoft\Exchange Server\V14\Bin\Exchange Management Console.msc"[/box]

Note: Change the drive letter and path to match your own server.

Why does this happen? The Exchange 2010 Exchange Management Console was built with CLR (Common Language Runtime) version 2.0. Windows 2012/8 by default runs its MMC snap-ins with CLR version 4.0.

Related Articles, References, Credits, or External Links

Original article written: 14/03/13

Thanks to Jeremy Krautkramer for his feedback.