Deploying Windows ‘Web Application Proxy’

KB ID 0001142

Problem

This is part of a larger piece of work I'm putting together on publishing Remote Desktop Services with Microsoft Web Application Proxy.

This article simply guides you through the process of installing the Web Application Proxy role. In a later article I will run through configuring it to work with Active Directory Federation Services and Remote Desktop Services, to present secure RemoteApps.

Solution

Before You Start: This is a secure web proxy, so that means certificates. I find it a lot easier to use wildcard certs for this sort of thing. The best solution is to buy one from a vendor, or you can create your own wildcard certificate.

You will need a server deployed to install this on, preferably a non-domain-joined computer that resides in a DMZ (this is a secure deployment; if you want to put it on your LAN, then why not just point external clients directly at your Remote Desktop Services Web Access server and forget WAP?)

You will also need to have deployed ‘Active Directory Federation Services’ in your LAN, and TCP port 443 (HTTPS) needs to be open from the WAP server to the ADFS server.

Server Manager > Manage > Add Roles and Features > Next > Next > Select the server > Next > Server Roles > Select Remote Access > Next > Next > Next.

Select Web Application Proxy only > Accept all the defaults and install the role.

Launch the Post-Deployment configuration wizard.

Next.

Type in the name of your AD federation SERVICE > and supply credentials to be able to access that server > Next.

Note: As you can see below, I can resolve the name of the federation service “fs.smoggyninja.com” from my DMZ server. It’s easier to just put an entry in the WAP server’s hosts file rather than open DNS to the LAN (or you can register it in public DNS, of course!). Below you can see I’ve been able to ping the federation server; normally you would not be able to (from the DMZ), I simply opened ICMP/Ping for testing. As stated above, you only need HTTPS open > Next.

Select the certificate you are going to use.

Configure.

Close.

The ‘Remote Access Management Console’ should open; if not, launch it from Administrative Tools.

Select Operational Status and all the services should be ‘Green’.

That’s the role installed; now you just need to set up a publishing rule to publish the service you want to present. In my case that’s Remote Desktop Web Access, which I will cover in the next article.
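The same install and post-deployment wizard can be scripted. The block below is an added example and is not from the original article: it installs the role, pins the federation service name in the hosts file, checks that TCP 443 (and only that) reaches ADFS, picks a valid wildcard certificate from the machine store and then runs the WAP configuration. The federation service name, the ADFS IP address, the certificate subject and the credential prompt are placeholders and assumptions.

```powershell
# Added example, not from the original article. Names, IP and cert subject are placeholders.
$FederationService = 'fs.example.com'     # assumed ADFS federation service name
$AdfsInternalIp    = '192.0.2.10'         # assumed LAN address of the ADFS server

# Install the role (Remote Access > Web Application Proxy only, as in the wizard).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# The DMZ host cannot see internal DNS, so pin the federation service name in the hosts
# file rather than opening DNS from the DMZ into the LAN.
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Select-String -Path $HostsFile -Pattern ([regex]::Escape($FederationService)) -Quiet)) {
    Add-Content -Path $HostsFile -Value "$AdfsInternalIp`t$FederationService"
}

# Only TCP 443 needs to be open from WAP to ADFS; test that directly instead of relying
# on ping, which the firewall should normally block.
$probe = Test-NetConnection -ComputerName $FederationService -Port 443
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 443 to $FederationService is not reachable from this server; fix the firewall or hosts entry first."
}

# Select the wildcard certificate from the machine store: must have a private key and not be expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.example.com*' -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid wildcard certificate with a private key found in LocalMachine\My.' }

# Equivalent of the post-deployment wizard: federation service name, an ADFS admin
# credential for the trust, and the certificate thumbprint.
$cred = Get-Credential -Message 'ADFS administrator credentials for the WAP trust'
Install-WebApplicationProxy -FederationServiceName $FederationService `
                            -FederationServiceTrustCredential $cred `
                            -CertificateThumbprint $cert.Thumbprint

# Confirm the proxy is configured (the GUI equivalent is a green Operational Status page).
Get-WebApplicationProxyConfiguration | Format-List
```

The connectivity check is deliberately a TCP probe on 443 and not a ping: a DMZ host that can ping the LAN is evidence of an over-permissive firewall rule, not of a working WAP deployment.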

Related Articles, References, Credits, or External Links

NA

vSphere – Adding Domain Users/Groups to vCenter

KB ID 0001063

Problem

Note: This article is for vSphere 6, for vSphere 7 and vSphere 8 see the following article.

vCenter Domain Authentication

Despite my best efforts to keep working with the VMware VI client, my recent move to a MAC has finally forced me to start using the web client. So when I rebuilt my vCenter this week, I went out of my way to use that.

Note: If you have your vCenter and Platform Services Controller (PSC) separated, then use the following article instead;

vSphere: Setup Domain Authentication via PSC

Solution

I’m assuming you have a default install of vCenter and you have also installed the SSO options (this would be the default). You should also have taken note of the administrator@vsphere.local password you entered when you installed vCenter.

1. Log into the vCenter with the vSphere Web Client, as administrator@vsphere.local

URL will be https://{IP or Hostname}:9443

Navigate to Administration > Single Sign On > Configuration > Identity Sources > Select your domain and set it as the default domain.

2. Note: If your domain is not listed (you didn’t add it during the install of vCenter, for example), then simply add it first.

3. Users and Groups > Groups > Administrators > Add > Change the domain to yours > Locate the user (or group) > Add > OK.

4. Now you need to grant rights. The simplest way is to grant rights at the vCenter level, and then those rights will cascade down to the Datacenter(s), Clusters, Hosts, and Virtual Machines.
Home > vCenter Servers > Select your vCenter > Manage > Permissions > Add.

5. Select the Administrator role > Add > Select your domain > Locate the users and groups you want to add > Add > OK.
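Steps 4 and 5 can also be done from PowerCLI, which is handy when you rebuild vCenter regularly. This is an added example, not from the original article: it grants a domain group the Administrator role at the inventory root with propagation, only if that principal is not already granted there, and then lists everything granted at the root. The vCenter hostname and the domain group name are placeholders.

```powershell
# Added example, not from the original article. Hostname and group are placeholders.
Import-Module VMware.VimAutomation.Core

$VCenter   = 'vcenter.example.local'    # assumed vCenter hostname
$Principal = 'EXAMPLE\vSphere-Admins'   # assumed AD group, in DOMAIN\Group form

# Authenticate as the SSO administrator whose password was set at install time.
$ssoCred = Get-Credential -UserName 'administrator@vsphere.local' -Message 'SSO administrator'
Connect-VIServer -Server $VCenter -Credential $ssoCred | Out-Null

# The root folder is the top of the inventory; Propagate makes the rights cascade
# to every datacenter, cluster, host and VM beneath it (step 4 in the article).
$root = Get-Folder -NoRecursion
$role = Get-VIRole -Name 'Admin'

# Idempotent: only add the permission if the principal does not already hold one at the root.
$existing = Get-VIPermission -Entity $root | Where-Object { $_.Principal -eq $Principal }
if (-not $existing) {
    New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate $true | Out-Null
}

# Review what is granted at the root. Anything listed here inherits rights to the whole
# inventory, so unexpected principals are worth investigating.
Get-VIPermission -Entity $root | Select-Object Principal, Role, Propagate, IsGroup

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Granting the Administrator role at the root is the simplest option, as the article says; for day-to-day operators a custom role with only the privileges they need, assigned the same way, keeps the root-level administrator list short.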

 

Related Articles, References, Credits, or External Links

Add Domain Authentication To The vCenter Server Appliance

Windows Server 2012 ‘Direct Access with Windows 8’

KB ID 0000842

Problem

In the following procedure I’m using Windows Server 2012 and Windows 8 Enterprise. I am NOT configuring for Windows 7, so I don’t need to worry about PKI and certificates (other than the one the Direct Access server uses for HTTPS identification).

I’m not adding in any Application or Infrastructure servers, this is just a basic run through on setting up Direct Access to get you up and running.

Solution

Step 1 Create Direct Access Group

You can of course accept the default of allowing access to the domain computers group, but I would like to tie things down a little further.

1. Server Manager> Tools > Active Directory Administrative Center > Select the OU (or create one) where you want to create the group.

2. Give the group a sensible name like DirectAccessComputers.

3. Remember, when you try and ‘add’ members it will by default NOT have computers listed; you will need to add them in.

4. Add in your computer objects as required.

Step 2 Install Direct Access

5. You can simply execute the following command;

[box]
Install-WindowsFeature RemoteAccess -IncludeManagementTools[/box]

6. Or from Server Manager > Tools > Add Roles and Features.

7. Simply add in ‘Remote Access’ and accept all the defaults.

Step 3 Configure Remote Access

8. Once installed launch Remote Access Management.

9. Run the Getting Started wizard.

10. Deploy Remote Access Only (I’m not deploying VPNs).

11. Select how the server will be deployed, mine has a single NIC and I’m going to port forward TCP Port 443 (https) to it from the firewall. Enter its Publicly addressable name > Next > Finish.

Note: If you get an error see here.

12. Configure Remote Clients > Edit.

13. I want both options > Next.

14. Remove the domain computers and add in the group we created above. Untick the ‘mobile only’ option.

Note: Force Tunnelling means that the remote clients will access the internet through YOUR corporate network. This is only a good idea if you have internet filtering, AV or NAP that you want to take advantage of. (It’s literally the exact opposite of split tunnelling.)

15. Remote Access Server > Edit.

16. Select an existing Cert or create a new one > Next.

17. Remember I’m just using Windows 8; if you see the Windows 7 box and think “ooh, I’ll tick that!” then you need to start using certificates > Finish.

18. Finish.

19. Review the settings > Apply.

20. Operation Status.

21. Press Refresh until all the services are green.
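Steps 1 to 21 on the server can be driven from PowerShell as well. The block below is an added example, not from the original article: it creates the DirectAccessComputers group and adds computer objects to it, installs the role, deploys DirectAccess only (no VPN) for a single-NIC server behind a NAT, swaps the default ‘Domain Computers’ scope for the new group, clears the ‘mobile only’ option, leaves force tunnelling off, and finally reads the health status that the Operation Status page shows. The OU path, domain name, public FQDN and computer names are placeholders.

```powershell
# Added example, not from the original article. OU, domain, public name and computers are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'DirectAccessComputers'              # group name used in the article
$GroupOu    = 'OU=Groups,DC=example,DC=local'      # assumed OU
$Domain     = 'EXAMPLE'                            # assumed NetBIOS domain name
$PublicName = 'da.example.com'                     # assumed public FQDN on the HTTPS certificate
$Members    = @('LAPTOP01', 'LAPTOP02')            # assumed computer accounts

# Step 1: a dedicated group instead of 'Domain Computers' limits DirectAccess to named machines.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOu `
                -Description 'Computers allowed to use DirectAccess'
}
# Computer objects have to be added explicitly (the GUI picker hides them by default).
$computers = $Members | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $computers

# Step 2: install the role and its management tools.
Install-WindowsFeature RemoteAccess -IncludeManagementTools

# Step 3 (items 9-11): DirectAccess only, single NIC behind a NAT with TCP 443 forwarded in.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $PublicName -DeployNat

# Items 12-14: scope DA to our group, allow desktops as well as laptops, keep split tunnelling.
Add-DAClient    -SecurityGroupNameList "$Domain\$GroupName"
Remove-DAClient -SecurityGroupNameList "$Domain\Domain Computers"
Set-DAClient    -OnlyRemoteComputers Disabled -ForceTunnel Disabled

# Items 20-21: anything that is not OK here is what the Operation Status page would show in red.
Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'OK' }
```

Because the client settings arrive by group policy, the last thing to check after this runs is that the client GPO is linked where the computers in the group actually live; an empty result from the health query but no clients ever connecting usually points there.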

Step 4 Configure Clients

The title is a misnomer; to be honest there is no configuration to be done, but the clients have to get the settings through group policy, so log them onto the domain.

22. A quick simple check is to run the following command;

[box]
Get-DaConnectionStatus[/box]

Note: If you get an error message, make sure you are not using Windows 8 Pro (see here).

23. The client knows it’s ‘inside’ the LAN because it has a Name Resolution Policy Table and it can see your internal DNS; you can prove this with the following command;

[box]Get-DNSClientNrptPolicy[/box]

Step 5 Test Clients Externally

Note: Before you proceed, your Direct Access server needs to be publicly available via the name you specified on the certificate in step 11, and needs to have HTTPS open to it.

25. Whilst out on the internet you can test your remote client by first making sure it’s pointing to the correct place;

[box]netsh interface httpstunnel show interface[/box]

This should give you the URL that is on the certificate you specified in step 11; when you ping it by name you should expect a reply (unless ICMP has been blocked by your edge device).

26. And to prove that the client knows it’s NOT on the corporate LAN execute the following;

[box]netsh dnsclient show state[/box]

27. So if I try to ping the internal FQDN of my Direct Access server it should respond (Note: its IPv6 address will respond; this is normal).

Note: Here I’ve only setup the one server, you can add more Infrastructure and Application servers in the Remote Access Management Console.

28. Because I can resolve that, I can access resources on that server like UNC paths.

29. To access shared resources.
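The checks in steps 22 to 28 are easier to repeat, once on the LAN and once from the internet, if they are wrapped in a single read-only function. This is an added example, not from the original article; the internal FQDN and the UNC share are placeholders, and it only reads state, it changes nothing on the client.

```powershell
# Added example, not from the original article. Internal server name and share are placeholders.
$InternalServer = 'da01.example.local'            # assumed internal FQDN of the DA server
$TestShare      = '\\da01.example.local\Shared'   # assumed share that only resolves via DA/internal DNS

# Pull one matching line out of netsh output, or a marker if it is absent.
function Get-NetshLine([string[]]$Output, [string]$Pattern) {
    $m = $Output | Select-String -SimpleMatch $Pattern | Select-Object -First 1
    if ($m) { $m.Line.Trim() } else { "<$Pattern not found>" }
}

function Test-DaClient {
    param([string]$InternalServer, [string]$TestShare)
    $r = [ordered]@{}

    # Step 22: overall state. ConnectedLocally on the LAN, ConnectedRemotely when tunnelled
    # from outside; anything else means policy or connectivity is broken.
    $status      = Get-DAConnectionStatus
    $r.Status    = $status.Status
    $r.Substatus = $status.Substatus

    # Step 23: the NRPT lists the namespaces whose queries go to the internal DNS servers.
    $r.NrptNamespaces = (Get-DnsClientNrptPolicy | ForEach-Object { $_.Namespace }) -join ', '

    # Step 25: the IP-HTTPS interface should carry the public URL from the certificate.
    $r.IpHttpsUrl = Get-NetshLine (netsh interface httpstunnel show interface) 'URL'

    # Step 26: inside or outside the corporate network, as the client has decided.
    $r.MachineLocation = Get-NetshLine (netsh dnsclient show state) 'Machine Location'

    # Step 27: the internal name resolves (IPv6 answer is normal) and replies to ping.
    $r.InternalResolvesAAAA = [bool](Resolve-DnsName -Name $InternalServer -Type AAAA -ErrorAction SilentlyContinue)
    $r.InternalPing         = Test-Connection -ComputerName $InternalServer -Count 1 -Quiet

    # Step 28: once the name resolves, an internal share should be reachable over the tunnel.
    $r.ShareReachable = Test-Path -Path $TestShare

    [pscustomobject]$r
}

Test-DaClient -InternalServer $InternalServer -TestShare $TestShare | Format-List
```

Run from outside, a healthy client reports ConnectedRemotely, a Machine Location of outside the corporate network, and the internal name still resolving and answering; if the name resolves but the share does not open, the tunnel is up and the problem is on the resource side.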

Step 6 Monitoring Remote Access Clients

30. Back on the Direct Access server, you can see the remote clients under ‘Remote Client Status’.

31. Right click each one for a more detailed view.

Related Articles, References, Credits, or External Links

NA

Windows Server – Installing IIS and PHP

KB ID 0000879

Problem

What used to be a complicated task has been simplified greatly by the Microsoft Web Platform Installer. The process of adding PHP is the same for Windows 8 (though to install IIS you need to enable it as a Windows feature: run appwiz.cpl > Turn Windows features on or off).

Solution

1. From Server Manager (ServerManager.exe) > Manage > Add Roles and Features > Follow the wizard and in the Server Roles section tick ‘Web Server IIS’.

2. At the Role Services selection expand Application Deployment > Select CGI > Complete the wizard and let the role install.

3. Once complete, open a web page and navigate to http://localhost and you should be greeted with the following.

4. Download the Microsoft Web Platform Installer.

5. Run the installer > Products > Frameworks > PHP {version} > Add.

6. I Accept > The software will install.

7. To test open notepad and create a file with the following;

[box]
<?php phpinfo(); ?>
[/box]

8. Save the file into {Drive Letter}:\inetpub\wwwroot > Change the file type to ‘All Files’ > call it phpinfo.php > Save.

Note: The drive letter will usually be C: unless you have moved the IIS root folder.

9. To test PHP > open a browser and navigate to http://localhost/phpinfo.php > You should see something like the following.
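The role install and the test page can be done unattended. The block below is an added example and is not from the original article: it installs the Web Server role with the CGI role service, confirms the IIS default page answers, writes the phpinfo test page, checks whether IIS actually executed it (rather than serving the raw source, which is what you get when the PHP handler mapping is missing), and then deletes the page. It assumes PHP itself has already been added with the Web Platform Installer and that the web root is the default location.

```powershell
# Added example, not from the original article. Assumes PHP was already added via the Web Platform Installer.
$WebRoot  = 'C:\inetpub\wwwroot'            # change if the IIS root folder has been moved
$TestPage = Join-Path $WebRoot 'phpinfo.php'

# Steps 1-2: the Web Server role plus the CGI role service (FastCGI is what runs PHP under IIS).
Install-WindowsFeature Web-Server, Web-CGI -IncludeManagementTools

# Step 3: the IIS default page should answer before PHP is involved at all.
$iis = Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing
if ($iis.StatusCode -ne 200) { throw "IIS did not answer on localhost (HTTP $($iis.StatusCode))." }

# Steps 7-8: write the test page as plain ASCII, so there is no BOM and no .txt rename problem.
Set-Content -Path $TestPage -Value '<?php phpinfo(); ?>' -Encoding Ascii

# Step 9: with PHP wired into IIS the response is phpinfo() HTML, not the raw source.
$php = Invoke-WebRequest -Uri 'http://localhost/phpinfo.php' -UseBasicParsing
if ($php.Content -match 'PHP Version') {
    Write-Host 'PHP is working: phpinfo() rendered.'
} elseif ($php.Content -match '<\?php') {
    Write-Warning 'IIS served the raw file: the PHP handler mapping is missing. Re-run the Web Platform Installer step.'
}

# phpinfo() discloses paths, loaded modules and configuration to anyone who can reach the
# site, so remove the page once the check has passed rather than leaving it in the web root.
Remove-Item -Path $TestPage -Force
```

If a web browser shows the raw `<?php` text, the file was saved correctly but IIS has no handler for .php; that is the Web Platform Installer step, not the IIS role, that needs repeating.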

 

Related Articles, References, Credits, or External Links

NA

WDS Deploying Windows Part 1: Install and Configure WDS

KB ID 0000735 

Problem

You want to deploy the Windows 8 Client Operating System, to a number of clients using WDS. In this part we will configure the WDS Server, then we will move onto taking an image of your reference Windows 8 machine. Finally we will cover taking that image, and deploying it out to many target systems.

Solution

Add the WDS Role

1. From Server Manager (ServerManager.exe) > Local Server.

2. Manage > Add Roles and Features.

3. Next.

4. Next.

5. Next.

6. Select ‘Windows Deployment Services’ > Next > It will ask to install some other features; let it do so.

7. Next.

8. Next.

9. Accept the default (both roles) > Next.

10. Install.

Configure the WDS Server

11. From the Start menu > Launch the Windows Deployment Services management console.

12. Expand servers > Right click the server name > Configure Server.

13. Read the prerequisites > Next.

14. Next.

15. Select the location where you want to store your images and keep the WDS files.

16. Note: In this case it’s warning me NOT to use the C: drive; as this is just a test server I will accept the warning and leave it as it is. In production environments make sure you are using a different drive/volume.

17. This particular server IS a DHCP server, but we will address the DHCP requirements when we are finished > Next.

18. I’m going to choose ‘Respond to all (known and unknown)’ > Next.

19. WDS should configure and the service SHOULD start.

20. Here we can see the service has not started (the server will have a small stop symbol on it).

21. So I need to manually start the service.

Adding Image Groups and Images

22. Firstly I’m going to create a group that will hold all my Windows 8 client machine images. Right click Install Images > Add Image Group.

23. Give it a name > OK.

Adding a boot image (To send an image to a remote machine)

24. Now I need to add a boot image, so I can boot my remote clients from the WDS server and use this image to load WindowsPE on them, so they can be imaged. Right click Boot Images > Add Boot Image.

25. You can use either a Windows 8 DVD or a Windows Server 2012 DVD; you will need to navigate to the sources directory and locate Boot.wim > Open.

26. Next.

27. Rename the image ‘Install an Image’ > Enter a description > Next.

28. Next.

29. The Image will be imported.

30. Finish.

Adding a Capture Image (To take an image from a remote machine)

31. Right click the image we have just added > Create Capture Image.

32. Call this one ‘Capture an Image’ > Give it a description > Save the image (with a .wim extension). Note: It does not matter where you save the image, but I would suggest somewhere in the ‘Remote Install’ folder > Next.

33. The image will be created.

34. Finish.

35. Now even though we have created the capture image, we still need to import it. Right click > Add Boot Image.

36. Select the capture image you created earlier > Next.

37. Make sure it’s called ‘Capture an Image’ > Next.

38. Next.

39. Now the capture image will be imported into WDS.

40. Finish.

Configure DHCP with WDS Options

41. Launch the DHCP management console.

42. Open the active scope > IPv4 > Server Options > Configure Options.

43. Tick Option 66 > Set its value to the IP address of the WDS server > Apply > OK.

44. Tick Option 67 > Set its value to;

[box]boot\x64\wdsnbp.com[/box]

Apply > OK.

45. Now you are ready to capture an image of your reference Windows 8 machine.
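Steps 11 to 44 have a command-line equivalent using WDSUTIL (installed with the role) and the DhcpServer module. The block below is an added example, not from the original article: the RemoteInstall path, the DVD drive letter, the WDS server IP and the image names are placeholders. It also shows the one place where the article's choice deserves a second look on a production LAN: ‘Respond to all’ lets any machine that can PXE-boot on the subnet pull the boot images.

```powershell
# Added example, not from the original article. Paths, IP and names are placeholders.
$RemInst    = 'E:\RemoteInstall'     # a non-system volume, as the wizard's warning asks for
$DvdDrive   = 'D:'                   # assumed mount point of the Windows 8 / Server 2012 DVD
$WdsIp      = '192.0.2.20'           # assumed WDS server address for DHCP option 66
$CaptureWim = Join-Path $RemInst 'CaptureImage.wim'   # saved inside RemoteInstall, per step 32

# Steps 12-18: initialise the server and choose which PXE clients it answers.
wdsutil /Initialize-Server /RemInst:"$RemInst"
# The article picks 'Respond to all (known and unknown)'. In production prefer
# /AnswerClients:Known with pre-staged computer objects, so unknown hardware on the
# LAN cannot PXE-boot your images.
wdsutil /Set-Server /AnswerClients:All

# Steps 19-21: the service sometimes does not start on its own; start it and check.
Start-Service WDSServer
Get-Service WDSServer

# Steps 22-23: an image group for the Windows 8 install images.
wdsutil /Add-ImageGroup /ImageGroup:"Windows 8 Clients"

# Steps 24-30: the boot image from the DVD's sources folder.
wdsutil /Add-Image /ImageFile:"$DvdDrive\sources\boot.wim" /ImageType:Boot /Name:"Install an Image" /Description:"Boots WinPE to apply an image"

# Steps 31-40: derive a capture image from that boot image, then import it as well.
wdsutil /New-CaptureImage /Image:"Install an Image" /Architecture:x64 /DestinationImage /FilePath:"$CaptureWim" /Name:"Capture an Image" /Description:"Boots WinPE to capture a reference machine"
wdsutil /Add-Image /ImageFile:"$CaptureWim" /ImageType:Boot

# Steps 41-44: DHCP options so PXE clients find the server (66) and the boot program (67).
Set-DhcpServerv4OptionValue -OptionId 66 -Value $WdsIp
Set-DhcpServerv4OptionValue -OptionId 67 -Value 'boot\x64\wdsnbp.com'
Get-DhcpServerv4OptionValue -OptionId 66, 67
```

Options 66 and 67 are set at server level here, matching the article's Server Options step; if WDS and DHCP are on different subnets, set them on the scope that the clients actually boot from instead.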

 

Related Articles, References, Credits, or External Links

2012 – WDS Deploying Windows 8 Part 2: Prepare Windows 8, and Capture to WDS

WDS 2003 Deploying Windows XP

WDS 2008 R2 Deploying Windows 7

Using Windows Deployment Services with Symantec Ghost

 

SBS Exchange Certificate Expired

KB ID 0000535

Problem

When you set up SBS 2008 (and Exchange 2007) it creates and uses a self-signed certificate, which is fine, but by default it only lasts two years. The best option is to buy a proper certificate, but if you simply want to generate a new one, here’s how to do it.

Solution

1. Here you can see your certificate has expired.

2. Normally you need to access your certificate services web enrolment console to carry this procedure out. But when you navigate to https://localhost/certsrv you will probably see this:

Server Error in Application “SBS WEB APPLICATIONS”

Note: If web enrolment is installed and you still can’t access certificate services (CertSrv), then click here.

3. You are seeing this error because certificate services might be installed, but the “Certificate Authority Web Enrolment” role service is not; you can add it from Server Manager.

4. Select it and follow the on screen prompts > Go and have a coffee.

5. Now you should be able to access the web front end.

6. To get a certificate we need a certificate request; you can write the PowerShell yourself like so:

[box]New-ExchangeCertificate -GenerateRequest -Path c:\mail_yourpublicdomainname_com.csr -KeySize 2048 -SubjectName "c=gb, s=Your State or County, l=Your City, o=Your Org, ou=Your Department, cn=mail.yourpublicdomainname.com" -PrivateKeyExportable $True[/box]

OR simply go here and let the good folk at Digicert do the heavy lifting for you.

7. Now you have the command, generate the request on the Exchange server > Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell > Execute the command you copied above.

8. This will dump the request on the C: drive (because in your command above you set the path to C:\mail_yourpublicdomainname_com.csr). Locate it and open it with Notepad, then select and copy ALL the text (copy as shown, no extra spaces etc.).

9. If you have closed it down, log into the certificate services web access again. Select “Request Certificate” > We will be submitting an advanced certificate request.

10. “Submit a certificate request by using………..”.

11. Paste in the text you copied at step 8, change the certificate template to “Web Server” > Submit.

12. Download the certificate.

13. Save it somewhere you can find it (the root of the C: drive is easiest, as you are going to be referencing it in a command shortly).

14. Job done, close the browser window.

15. Back at the Exchange Management Shell issue the following command:

[box]Import-ExchangeCertificate -Path c:\the-name-of-your-cert.cer[/box]

As it imports, it shows you the thumbprint of the certificate; highlight this and copy it to the clipboard.

16. Now you have the certificate imported you can enable it, issue the following command:

[box]Enable-ExchangeCertificate -Services "SMTP,POP,IMAP,IIS"[/box]

It will ask you for the thumbprint > paste it in > when prompted enter “A” to confirm all.

17. That’s the job finished.
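The Exchange Management Shell half of this (steps 6, 7, 15 and 16) fits in one script, and the same Get-ExchangeCertificate call that confirms the result at the end is the check worth running before the two years are up. This is an added example, not from the original article: the public name, file paths and subject fields are placeholders, and the request still has to be submitted to the CA web enrolment page (steps 9 to 13) by hand.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell; names and paths are placeholders.
$Fqdn        = 'mail.example.com'          # assumed public name of the server
$RequestFile = 'C:\mail_example_com.csr'   # request file for the CA
$IssuedCert  = 'C:\mail_example_com.cer'   # the certificate downloaded at step 12
$WarnDays    = 30

# Which certificates expire within $WarnDays? The one with services bound to it is the one to renew.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays($WarnDays) } |
    Select-Object Thumbprint, Subject, NotAfter, Services

# Steps 6-7: generate the request file for the CA.
New-ExchangeCertificate -GenerateRequest -Path $RequestFile -KeySize 2048 `
    -SubjectName "c=gb, s=Your County, l=Your City, o=Your Org, ou=IT, cn=$Fqdn" `
    -PrivateKeyExportable $true

# ... submit the contents of $RequestFile at https://localhost/certsrv with the 'Web Server'
#     template (steps 9-13) and save the issued certificate as $IssuedCert ...

if (Test-Path $IssuedCert) {
    # Step 15: Import-ExchangeCertificate returns the certificate object, so the thumbprint
    # is captured here instead of copied off the screen.
    $cert = Import-ExchangeCertificate -Path $IssuedCert

    # Step 16: bind it to the services; -Thumbprint avoids the interactive prompt.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'SMTP,POP,IMAP,IIS' -Confirm:$false

    # Confirm the new certificate is the one carrying the services and has a fresh expiry date.
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Select-Object Subject, NotAfter, Services
}
```

The expiry query at the top is the part to schedule: an Exchange certificate that lapses takes OWA, ActiveSync and TLS mail flow with it, and a 30-day warning leaves time to request, issue and enable the replacement.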

SBS2008 Unable to access Certificate Services

I’ve seen this on a few SBS 2008 servers: when you install the web enrolment service it installs into the server’s “Default Web Site”. For any other Windows/Exchange combination that’s fine, but SBS likes to do things its own way. It creates another web site called “SBS Web Applications” and uses that. That’s fine, but only one can be up and running at a time.

CertSrv The Webpage cannot be found

1. Warning: You are about to stop things like OWA briefly. From Administrative Tools launch the Internet Information Services (IIS) Manager > Locate the SBS Web Applications site and click Stop (right hand column) > then select the Default Web Site and start it.

2. Select the CertSrv virtual directory.

3. You can now browse via http/https and this will open the site in your default browser. Don’t forget to stop the Default Web Site and restart the SBS Web Applications site when you are finished.

 

Related Articles, References, Credits, or External Links

NA

Vista – Installing Hyper-V

Pete’s Adventures in Hyper-V Part 3

KB ID 0000094

Problem

It seems a long road to get to installing Hyper-V, but now we are ready to actually install it as a SERVER ROLE. Server 2008 has many different roles, and Hyper-V is just one of them. However, unlike most other roles Hyper-V requires a reboot; if you think about what Hyper-V actually does then this should come as no surprise. Hyper-V is (as the name suggests) a bare-metal hypervisor that sits beneath the OS, so the reboot is the digital equivalent of Windows Server 2008 jumping in the air and sliding Hyper-V underneath itself.

Solution

1. If you ran through Part 1 then your disc is up to date. If not, zip over to Microsoft and download/install the Hyper-V RTM update.

2. Server Manager should start when you log in; if not, Start > Run > CompMgmtLauncher.exe {enter} > Roles > Add Roles.

3. Next.

4. Tick Hyper-V > Next.

5. Next.

6. We have only got one NIC in this case; select it > Next.

7. Install.

8. Coffee time…

10. Close.

11. Yes > Let it reboot (Coffee cooled down by now).

12. Server Manager > Roles > Hyper-V > Hyper-V Manager > {Server name} > Select Hyper-V Settings.

13. How you store your drives is up to you. I tend to create a master folder and then place a folder inside that one for Virtual Hard Drives, and one for Configuration Files > Browse > Set accordingly.

14. Repeat for your configuration files.

15. Much tidier.

16. And again.

17. Now EXCLUDE the master folder from your AV scanning software on the host 2008 server, for THREE reasons:

a. Why scan a machine that should have AV software running inside it anyway?

b. Your VM will run slowly if it is getting scanned on every read and write operation.

c. Do something clever like failover etc., and VMs may not mount if the hypervisor sees the configuration file “locked”, i.e. getting scanned by AV.

18. Virtual Networks: there are three types.

External: Connects VM guests to other VM guests and the outside world.
Internal: Connects VM guests to other VM guests AND the Hyper-V server.
Private: Connects VM guests to other VM guests only.

19. I want my VM guests to be available to the outside world, so I’ve connected the server NIC to the External Network > Apply > OK.

20. Click Yes. Remember, if you’re RDP connected this will boot you off for about one cup of coffee’s worth of time…
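Steps 13 to 19 (the folder layout, the AV exclusion and the three virtual network types) can be scripted on later Hyper-V releases. This is an added example, not from the original article, and it does not apply to the Server 2008 build used above: the Hyper-V PowerShell module arrived with Server 2012, and the exclusion cmdlet is Windows Defender's (use your own AV product's equivalent otherwise). The master folder path and the physical NIC name are placeholders.

```powershell
# Added example, not from the original article. Requires the Hyper-V module (Server 2012+); paths and NIC name are placeholders.
$Master      = 'D:\HyperV'                      # assumed master folder
$VhdDir      = Join-Path $Master 'Virtual Hard Disks'
$CfgDir      = Join-Path $Master 'Configuration'
$ExternalNic = 'Ethernet'                       # assumed name of the host's physical NIC

# Steps 13-16: one folder for disks, one for configuration files, set as the host defaults.
New-Item -ItemType Directory -Path $VhdDir, $CfgDir -Force | Out-Null
Set-VMHost -VirtualHardDiskPath $VhdDir -VirtualMachinePath $CfgDir

# Step 17: exclude the master folder (and so both sub-folders) from on-access scanning,
# so VHD reads/writes and configuration files are not slowed or locked by the host AV.
Add-MpPreference -ExclusionPath $Master

# Step 18: the three switch types. External is the only one that reaches beyond the host;
# Internal reaches the host but not the wire; Private is guest-to-guest only, the right
# choice for lab networks that must never touch production.
New-VMSwitch -Name 'External' -NetAdapterName $ExternalNic -AllowManagementOS $true
New-VMSwitch -Name 'Internal' -SwitchType Internal
New-VMSwitch -Name 'Private'  -SwitchType Private

# Steps 19-20: creating the external switch re-plumbs the host NIC, which drops an RDP
# session briefly. Review the result once reconnected.
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS
Get-VMHost   | Select-Object VirtualHardDiskPath, VirtualMachinePath
```

Creating the Internal and Private switches up front costs nothing and gives you somewhere to put guests that should not be reachable from the outside world, which is the safer default for anything you are still building.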

Related Articles, References, Credits, or External Links

NA

Exchange 2010 (c/w SP1) Install – Greenfield Site

(Installing on Server 2008 R2)

KB ID 0000416

Problem

Microsoft have not only slipstreamed the service pack into the install media, they have (finally!) got the install routine to put in all the usual prerequisites, roles and features that you had to do yourself before (with the exception of the Office 2010 Filter Pack, but even then you can do that after the install).

The procedure below was done on a single server in a test environment to demonstrate the simplified procedure; it IS NOT good practice to install Exchange (any version) on a domain controller.

Solution

Before Site Visit

1. Have your install media downloaded and ready to go (make sure you also have the unlock codes for Exchange, or you will have 119 days to licence it post install).

2. Does your current anti-virus solution support Exchange 2010? Do you need an upgrade?

3. Does your current backup software support Exchange 2010? Do you need to purchase extra remote agents or updates?

Before Deploying Exchange 2010

1. Depending on what documentation you read, some say that the global catalog server(s) in the current site need to be at least Server 2003 SP2. Other documentation says the schema master needs to be at least Server 2003 SP2. Let’s hedge our bets and make sure that ALL the domain controllers are at least Server 2003 SP2 🙂

2. Your domain and forest functional levels need to be at Windows Server 2003.

3. Don’t forget, your server needs to be x64 (the video below was shot on a Server 2008 R2 server).

4. Make sure both the server you are installing on, and the Windows domain, are happy (get into the event viewers of your servers and have a good spring clean before deploying Exchange 2010).

5. Install the Office 2010 Filter Pack, and the Office 2010 Filter Pack Service Pack 1.

6. Install the roles required with the following PowerShell Commands;

[box]Import-Module ServerManager[/box]

For Client Access, Hub Transport, and the Mailbox roles issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart[/box]

For Client Access and Hub Transport server roles issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart[/box]

For only the Mailbox role issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart[/box]

For only the Unified Messaging role issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience -Restart[/box]

For only the Edge Transport role issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart[/box]

7. Set the Net.Tcp Port Sharing Service for Automatic startup by running the following command;

[box]Set-Service NetTcpPortSharing -StartupType Automatic[/box]
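The ‘Before Deploying Exchange 2010’ checks (items 1 to 4, plus the warning about domain controllers) can be run as a read-only pre-flight script from the prospective Exchange server once RSAT-ADDS is installed. This is an added example, not from the original article; it changes nothing in the domain and only reports what would block the install.

```powershell
# Added example, not from the original article. Read-only: reports findings, changes nothing.
Import-Module ActiveDirectory

function Test-Exchange2010Prereqs {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Every DC at Server 2003 SP2 or later (covers both the GC and schema-master wordings).
    Get-ADDomainController -Filter * | ForEach-Object {
        $tooOld = ($_.OperatingSystem -match '2000') -or
                  ($_.OperatingSystem -match '2003' -and $_.OperatingSystemServicePack -notmatch 'Service Pack [2-9]')
        if ($tooOld) {
            $findings.Add("DC $($_.HostName) runs $($_.OperatingSystem) $($_.OperatingSystemServicePack): needs 2003 SP2 or later")
        }
    }

    # 2. Domain and forest functional level at Windows Server 2003 or higher
    #    (Windows2000 and the 2003 'Interim' levels both fall short).
    $domainMode = (Get-ADDomain).DomainMode
    $forestMode = (Get-ADForest).ForestMode
    if ("$domainMode" -match '2000|Interim') { $findings.Add("Domain functional level is $domainMode: raise to Windows2003Domain or higher") }
    if ("$forestMode" -match '2000|Interim') { $findings.Add("Forest functional level is $forestMode: raise to Windows2003Forest or higher") }

    # 3. x64 operating system on this server.
    $os = Get-WmiObject Win32_OperatingSystem
    if ($os.OSArchitecture -ne '64-bit') { $findings.Add("This server is $($os.OSArchitecture): Exchange 2010 needs x64") }

    # The article's own warning: DomainRole 4/5 means this box is a domain controller.
    if ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4) {
        $findings.Add('This server is a domain controller: installing Exchange here is not good practice')
    }

    # 4. 'Spring clean' the event logs: error-level events in the last 24 hours need looking at first.
    $recentErrors = Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
    if ($recentErrors) { $findings.Add("$(@($recentErrors).Count) error events in the last 24h: review System and Application logs before installing") }

    return $findings
}

$result = Test-Exchange2010Prereqs
if ($result.Count -eq 0) { 'All pre-deployment checks passed.' } else { $result }
```

Run it before step 6; a clean result means the Add-WindowsFeature commands above are the only thing between you and the installer, and a failed domain-controller or functional-level line is cheaper to discover here than halfway through the Exchange setup.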

Exchange 2010 (c/w SP1) Install – Greenfield Site

The single best thing Microsoft has done with the SP1 install media, is to include this tick box.

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site)