Install RSAT (Remote Server Administration Tools)

 RSAT KB ID 0000099

Problem

Windows RSAT (Remote Server Administration Tools) is a suite of tools from Microsoft that allows IT administrators to remotely manage and administer Windows Servers and other Microsoft services from a Windows client machine. These tools are essential for system administrators to perform various tasks without needing to log directly into the server.

Here is a list of some of the primary tools included in RSAT:

  • Active Directory Administrative Center (ADAC): A graphical interface for managing Active Directory.
  • Active Directory Users and Computers (ADUC): A tool to manage users, groups, computers, and organizational units in Active Directory.
  • Active Directory Sites and Services: Used to manage the configuration of Active Directory sites, subnets, and services.
  • Active Directory Domains and Trusts: Manages domain trusts and functional levels.
  • Active Directory Module for Windows PowerShell: Provides a set of cmdlets for administering Active Directory.
  • DHCP Server Tools: Includes the DHCP Management Console, DHCP Server cmdlets for Windows PowerShell, and the Netsh command-line tool.
  • DNS Server Tools: Includes the DNS Manager snap-in and the DNS Server cmdlets for Windows PowerShell.
  • Group Policy Management Tools: Includes the Group Policy Management Console (GPMC) and the Group Policy Object Editor.
  • Hyper-V Tools: Provides the Hyper-V Manager snap-in and the Hyper-V Module for Windows PowerShell for managing Hyper-V servers.
  • File Services Tools: Includes the File Server Resource Manager (FSRM) snap-in and command-line tools, and the Distributed File System (DFS) Management snap-in.
  • Network Policy and Access Services Tools: Includes the Network Policy Server (NPS) console and the Routing and Remote Access Service (RRAS) console.
  • Remote Desktop Services Tools: Includes the Remote Desktop Licensing Diagnoser Tool, the Remote Desktop Services Manager, and the Remote Desktop Connection Manager.
  • Server Manager: A tool for managing roles and features on Windows servers.
  • Windows Server Update Services (WSUS) Tools: Includes the WSUS console and PowerShell cmdlets for managing Windows updates.
  • Failover Clustering Tools: Includes the Failover Cluster Manager snap-in and PowerShell cmdlets for managing failover clusters.
  • Storage Explorer Tools: For managing storage area networks (SANs).
  • IP Address Management (IPAM) Tools: Includes the IPAM client console and PowerShell cmdlets for IP address management.
  • Best Practices Analyzer (BPA): Tools that help administrators ensure their servers are configured according to best practices.

Solution : Install RSAT

Installing RSAT with PowerShell

To see what can be installed, open an administrative PowerShell window and execute the following command.

[box]

Get-WindowsCapability -Name RSAT* -Online | Format-List Displayname

[/box]

To install them ALL use the following command.

[box]

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

[/box]
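Installing everything puts every management console on the workstation. The following added example (not part of the original article) installs only the capabilities you name and skips any that are already present. The two name patterns are sample choices and the function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: install selected RSAT capabilities only, skipping installed ones.
# Sample selection (assumption): Group Policy and AD DS tools. Adjust to your needs.
$wanted = @(
    'Rsat.GroupPolicy.Management.Tools*',
    'Rsat.ActiveDirectory.DS-LDS.Tools*'
)

function Install-RsatCapability {
    param([Parameter(Mandatory)][string[]]$NamePattern)

    foreach ($pattern in $NamePattern) {
        # A wildcard that matches nothing returns no objects at all.
        $caps = @(Get-WindowsCapability -Online -Name $pattern)
        if ($caps.Count -eq 0) {
            Write-Warning "No capability matches '$pattern'"
            continue
        }
        foreach ($cap in $caps) {
            if ($cap.State -eq 'Installed') {
                [pscustomobject]@{ Name = $cap.Name; Result = 'AlreadyInstalled'; RestartNeeded = $false }
                continue
            }
            try {
                $r = Add-WindowsCapability -Online -Name $cap.Name -ErrorAction Stop
                [pscustomobject]@{ Name = $cap.Name; Result = 'Installed'; RestartNeeded = $r.RestartNeeded }
            } catch {
                # Report the failure (for example a WSUS-related error) and carry on.
                [pscustomobject]@{ Name = $cap.Name; Result = "Failed: $($_.Exception.Message)"; RestartNeeded = $false }
            }
        }
    }
}

Install-RsatCapability -NamePattern $wanted | Format-Table -AutoSize
```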

Installing RSAT with DISM

To see what can be installed, open an administrative Command window and execute the following command.

[box]

DISM.exe /Online /Get-Capabilities | find "Rsat"

[/box]

Below I’m checking to see if the RSAT tool I want (the Group Policy Management Tool) is already installed. As it returned State: Not Present, I then installed it.

[box]

DISM.exe /Online /Get-CapabilityInfo /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

DISM /Online /Add-Capability /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

[/box]

Installing RSAT Graphically

You can of course install the RSAT tools without issuing a command! Settings > System > Optional Features.

View Features > Type RSAT in the search option > Select the tools required  > Next.

Add > Go and have a coffee it can take a while!

 

Related Articles, References, Credits, or External Links

Windows 8 – RSAT Tools Will Not Install?

Windows Error Code 0x800F0954

KB ID 0001626

Problem

Seen when attempting to add a Windows Optional Feature;

Windows couldn’t complete the required changes.
The changes could not be completed. Please reboot your computer and try again
Error code: 0x800F0954

Solution

Typically you see this error if your machine is set to get its updates from WSUS. You can change the way Windows operates to get the ‘Feature addition’ files directly from Microsoft with a group policy.

  • For Local Policy: Windows Key+R > gpedit.msc {Enter}
  • For Domain Policy: (On a domain controller) > Windows Key+R > gpmc.msc {Enter} > Create a new policy or edit one that’s linked to computer objects.

Navigate to;

[box]

Configuration > Administrative Templates > System 

[/box]

Locate ‘Specify Settings for optional component installation and component repair‘.

Set to Enabled > Tick ‘Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)’ > Apply > OK > Close the policy editor.

Then either wait for the policy to apply, or force a refresh (see Windows – Forcing Domain Group Policy).
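To confirm what a client has actually received before retrying, the following added example (not part of the original article) reads the relevant settings without changing anything. The registry locations and value names are assumptions about where these two policies are stored, so verify them on your build. The function names are hypothetical.

```powershell
# Added example: read-only diagnosis of the update source behind error 0x800F0954.
# Assumption: the WSUS and optional-component policies are backed by these registry values.
$wuAuKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$servicingKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-OptionalFeatureSource {
    $useWsus = Get-PolicyValue $wuAuKey 'UseWUServer'                     # 1 = client uses WSUS
    $source  = Get-PolicyValue $servicingKey 'RepairContentServerSource'  # 2 = direct to Windows Update
    $local   = Get-PolicyValue $servicingKey 'LocalSourcePath'            # optional alternate source

    $verdict = if ($useWsus -ne 1) {
        'Not a WSUS client: look elsewhere for the cause'
    } elseif ($source -eq 2) {
        'WSUS client, optional features allowed direct from Windows Update'
    } elseif ($local) {
        'WSUS client with an alternate source path: check that the path is reachable'
    } else {
        'WSUS client with no bypass: optional feature installs can fail with 0x800F0954'
    }

    [pscustomobject]@{
        UseWUServer               = $useWsus
        RepairContentServerSource = $source
        LocalSourcePath           = $local
        Verdict                   = $verdict
    }
}

Test-OptionalFeatureSource | Format-List
```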


Remote Server Administration Tools (On Server 2008)

KB ID 0000169 

Problem

After 20 minutes of Googling I was scratching my head. I wanted “Active Directory Users and Computers” on a 2008 server that wasn’t a domain controller. I thought as Vista had the same codebase, then Vista RSAT would work (but it won’t).

Solution

After a bit of stumbling around, I found it: it’s already on the server as a “Feature”, it’s just not turned on.

Click Start > Server Manager > Features > Add Features > Scroll down to Remote Server Administration Tools > Active Directory Domain Services Tools > Tick > Active Directory Domain Controller Tools > Next.


Microsoft LAPS – Deployment and Configuration

KB ID 0001059 

Problem

Microsoft have released the Local Administrator Password Solution (LAPS). What it does is automatically change the local administrator password on workstations (and servers if required) periodically. It then keeps those passwords securely in AD. Microsoft tried to mitigate attacks from the local admin account back in the days of Windows Vista by shipping with this account disabled, which is fine, but most large deployments I’ve worked on, I’ve been specifically asked to enable the local administrator account and set its password on deployment.

Some organisations create a different account and leave the local administrator account disabled, but they still suffer from the same problem, (all the machines have the same local admin password), and it gets known, if you have a disgruntled ex-employee they may know this password. Yes you can change them all periodically but it’s a bit of a faff. Note: LAPS can manage local accounts that are admin accounts but not necessarily the ‘administrator’ account.

The LAPS solution works by creating some new attributes on the computer object, ms-MCS-AdmPwd which actually stores the password, and ms-MCS-AdmPwdExpirationTime which is the time stamp for the password expiration. What LAPS sets out to do, is provide a random complex password for the local administrator account, and protect that password in AD by use of an AD ACL. In doing so it will protect your machines from a ‘Pass the Hash’ attack which can use common local administrators passwords to compromise a network.

Solution

 

Microsoft LAPS – Step 1 Setup a Management Machine

1. On a management machine download and install the LAPS software. Things will be easier if this machine is also running RSAT tools for Active Directory, and the Group Policy Management Console as well.

2. Be aware you get the documentation from the download page as well. Make sure you get the appropriate x86 or x64 bit version (LAPS supports Server 2003 SP1 and above).

3. Install the software and install ALL the options. If you apply the defaults it will only install the GPO Extensions, which is what you would want on the ‘controlled machines’, but you want everything on the ‘controlling machine’.

Microsoft LAPS – Step 2 Deploy the software to the machines to be controlled.

1. To be honest this could not be simpler, I just sent the software out as a standard software package via GPO, (watch the video above if you don’t know how to do that). You can script the install and it will also manually install with a /quiet switch to avoid any user interaction. But if you have any amount of machines, GPO is the way to go.

To manually install quietly;

[box]

msiexec /i \\Server\Share\laps.x64.msi /quiet

or simply

msiexec /i c:\laps.x64.msi /quiet

[/box]

2. To check if the client has received the LAPS software, look in Add/Remove programs and you should see it listed (Run > appwiz.cpl {Enter}).

Microsoft LAPS – Step 3 Extend Active Directory Schema

1. It goes without saying that to do this you need to be a member of ‘Schema Admins’. On the management machine run the following two PowerShell commands, to add the two new attributes mentioned above;

[box]

Import-Module AdmPwd.PS
Update-AdmPwdADSchema 

[/box]

Microsoft LAPS – Step 4 Check/Set Permissions to Read Local Admin Passwords

1. On my test network below you can see I’ve got a couple of test Windows 8 machines in an OU called ‘Domain Computers’, this is the OU that I will be working with.

2. The first thing I need to do is grant the rights to the computers themselves to be able to update the password in Active Directory. (If you have nested OU’s, simply apply on the top level OU). Change the value in red to suit your own OU/OU’s.

[box]Set-AdmPwdComputerSelfPermission -OrgUnit 'Domain Computers'[/box]

3. To see who has rights to view the passwords in AD (for a given OU), use the following command. Below you can see the default of SYSTEM and Domain Admins is displayed.

[box]Find-AdmPwdExtendedRights -Identity 'Domain Computers'[/box]

4. To grant read password permissions to a particular group, use the following syntax, below I have an AD group called HelpDesk setup and I’m adding them into the AD ACL to be able to read local administrator passwords for the Domain Computers OU.

[box]Set-AdmPwdReadPasswordPermission -OrgUnit 'Domain Computers' -AllowedPrincipals PeteNetLive\HelpDesk[/box]

Note: If you have multiple groups you can separate/delimit them with a comma.
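Because anyone holding this right can read every local administrator password in the OU, it is worth re-checking the list after each change. The following added example (not part of the original article) compares the output of Find-AdmPwdExtendedRights against an allow-list. The allow-list contents and the function name are assumptions for illustration.

```powershell
# Added example: flag principals that can read LAPS passwords but are not on the allow-list.
Import-Module AdmPwd.PS

# Assumption: the OU from this article and the principals you expect to see.
$ou       = 'Domain Computers'
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'PeteNetLive\Domain Admins',
    'PeteNetLive\HelpDesk'
)

function Get-UnexpectedLapsReader {
    param(
        [Parameter(Mandatory)][string]$OrgUnit,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    # Each result carries the object DN and the principals holding the extended right.
    foreach ($entry in Find-AdmPwdExtendedRights -Identity $OrgUnit) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            # -notcontains compares case-insensitively.
            if ($Allowed -notcontains $holder) {
                [pscustomobject]@{ ObjectDN = $entry.ObjectDN; Principal = $holder }
            }
        }
    }
}

$unexpected = @(Get-UnexpectedLapsReader -OrgUnit $ou -Allowed $expected)
if ($unexpected.Count -eq 0) {
    Write-Output "Only expected principals can read LAPS passwords under '$ou'."
} else {
    Write-Warning "Unexpected principals can read LAPS passwords under '$ou':"
    $unexpected | Format-Table -AutoSize
}
```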

Microsoft LAPS – Step 5 – Deploy the GPO Extensions to ‘Controlled’ Machines.

1. On the management machine, create a new GPO object, and link it to the OU containing the computers/servers you want to apply the password settings to.

2. Edit the GPO.

3. Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > LAPS[/box]

4. The policy that turns LAPS on is the last one ‘Enable local admin password management’ > Enable it.

5. The actual complexity and age of the password is set in the ‘Password Settings’ policy, > Enable it and accept the defaults.

Note: the other two policies are;

Name of the administrator account to manage: Use if you have manually created another common admin account on all your machines, NOT if you have renamed the local administrator account.

Do not allow password expiration time longer than required by policy: Set to Enabled.

Microsoft LAPS – Step 6 – View the Local Admin Passwords for Controlled Machines.

1. You can do this from PowerShell with the following command;

[box]Get-AdmPwdPassword -ComputerName hostname[/box]

2. Or if you have installed the Fat client, you can launch that from; [box]C:\Program Files\LAPS\AdmPwdUI.exe[/box]

3. Or as it’s an AD object attribute, you can view it on the computer’s AD object.
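To see which machines are actually being managed without reading any password, you can report on the ms-MCS-AdmPwdExpirationTime attribute instead. The following added example (not part of the original article) needs the Active Directory module from RSAT. The distinguished name is a constructed placeholder and the function name is hypothetical.

```powershell
# Added example: LAPS coverage report based on the expiration attribute only.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([Parameter(Mandatory)][string]$SearchBase)

    $attr = 'ms-Mcs-AdmPwdExpirationTime'   # stored as a Windows FILETIME (Int64)
    $now  = (Get-Date).ToUniversalTime()

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $attr | ForEach-Object {
        $raw     = $_.$attr
        $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
        $status  = if (-not $raw) {
            'NoLapsPassword'     # client or GPO missing, or the computer lacks write permission
        } elseif ($expires -lt $now) {
            'Expired'            # machine has not rotated its password on schedule
        } else {
            'Managed'
        }
        [pscustomobject]@{ Computer = $_.Name; ExpiresUtc = $expires; Status = $status }
    }
}

# Constructed placeholder DN: replace with the DN of your own OU.
Get-LapsCoverage -SearchBase 'OU=Domain Computers,DC=example,DC=com' |
    Sort-Object Status, Computer |
    Format-Table -AutoSize
```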


Windows 8 – RSAT Tools Will Not Install?

KB ID 0000827 

Problem

For newer versions of Windows see,

Install RSAT (Remote Server Administration Tools)

I wanted the RSAT tools installing on a Windows 8 machine today, I downloaded the RSAT update and ran it, but the tools did not appear? Also they were not available under ‘Turn Windows features on or off’.

Solution

As it turns out, even though it says ‘Installation complete’ that’s not the same as Installation Successful (cheers Microsoft!). It is actually failing in the background, because this machine does not have the English (United States) language pack installed.

1. Press Windows Key+X > Control Panel > Change the View to ‘Small Icons’ > Language.

2. Add a language.

3. Under ‘E’ > English > English (United States) > Add.

4. Make sure you click the link to download and install language pack.

5. It’s over 150MB so it may take a while.

6. When installed, reinstall the Windows RSAT package for Windows 8, and this time it should be there!


Windows – Cannot Manage Active Directory Certificate Services

KB ID 0001037 

This article is from long time site supporter: Daniel Newton

Problem

On my laptop today I installed the RSAT Tools for Remote Management. I went to do some PKI Work in my Test Environment and Came with the Following Error:

“Cannot Manage Active Directory Certificate Services. The specified service does not exist as an installed service. 0x424 (WIN32: 1060 ERROR_SERVICE_DOES_NOT_EXIST)”

I thought it would automatically connect to my PKI Server, but after 5 minutes I came up with the Solution!

Solution

1. Right Click on Certification Authority > Re-target Certification Authority.

2. Then select “Another Computer” and then type in the IP address or FQDN of the PKI Server.


Installing the Hyper-V Management Tools

Pete’s Adventures in Hyper-V Part 2

KB ID 0000093 Dtd 10/11/09

Problem

Back in Part 1 we looked at getting your Hyper-V Media up to date, the next logical step would be to install Hyper-V, but I’ve never been that logical, and I already had a Hyper-V server at home, So I thought before I went any further I would install the Hyper-V Management tools on My laptop, then I could continue this from the comfort of my sofa.

In an ideal world that would have taken about 5 minutes and then I could get back to doing things in a logical order, BUT it turned out to be such a trip round the houses I thought I’d better do this first.

Why simply installing a management console has to be so difficult I don’t know. I’ve read many posts on other sites and forums where it “Just Worked”, but mine didn’t, so let’s take the worst case scenario and deal with that.

Before you start you need…….

1. A machine running Vista WITH SP1 installed

2. The Hyper-V management update, there’s a sea of dead links in the internet for these x86 or x64

3. The RSAT Tools installed.

Solution

1. Assuming you have installed the RSAT already > Put the administrative tools on your start menu > Right click the taskbar > Properties > Start menu > Customize > System Administrative Tools > Display on the all programs and start menu.

Note: I add the run command here as well because I use it all the time. (Yes, I know in Vista you can use the “Start Search” box, but you will see in my articles I always use Start > Run.)

2. And there they are, but Hyper-V, that’s nowhere to be found. I spent an age searching the internet for the update, and about two minutes after I asked the question in the Technet Forum I found them. Download the x86 or x64 version as appropriate and install the update.

3. And there it is – Brilliant! Click it……….

4. Select Connect to Server.

5. Give it the name or IP of the Hyper-V server > OK

6. And mine broke……………

Error: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer “Server name”.

OK – After some web searching, head scratching, and reading some excellent articles/blogs, the problem seems to be, I have a domain at home, and my laptop is not in that domain, it’s in my work domain. You will also get this error in a workgroup environment. You need to create a user on the Hyper-V server and assign some permissions.

Configuration – (On the Vista Client)

7. Start > Run > cmd {enter} > Issue the following two commands.

[box]

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console"

[/box]

8. Start > Run > dcomcnfg {enter} > Component Services > Computers > My Computer > My Computer > Right Click > Properties.

10. COM Security tab > Access Permissions area (top section) > Edit Limits > ANONYMOUS LOGON > Grant Local and remote access > Apply > OK.

Now take a note of the username you are using on your Vista machine (in my case pete).

Configuration – (On the Hyper-V Server)

11. Create a user on the server (if it’s a domain controller it will need to be a domain user) with the same name and password as the one logged into your Vista client PC. Then Start > Run > cmd {enter} > Enter the following command,

[box]netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes[/box]

11. Start > Run > dcomcnfg {enter}.

12. Component Services > Computers > My Computer > My Computer > Right Click > Properties.

13. COM Security tab > Launch and Activation Permissions (bottom) > Edit Limits > Add.

14. You need to add in your new user and the Authenticated Users group.

15. > Grant > Remote Launch and Remote Activation > (FOR AUTHENTICATED USERS) > OK.

16. Grant > Remote Launch and Remote Activation > (FOR YOUR LOCAL USER) > OK.

17. Start > Run > Compmgmt.msc {enter}.

18. WMI Control > Right click > Properties.

19. OK You need to make changes to permissions on TWO things for your USER and Authenticated Users > The first object you are going to change is CIMV2 select it then press Security.

Add > Authenticated users > Your Local User > Select EACH > Advanced > select the new user and group in then > Edit > ‘Apply to’ drop-down > “This namespace and subnamespaces” > Select Remote Enable > Tick “Apply these permissions to objects and/or containers within this container only”.

NOTE: So by the time you have finished this step you have assigned a group and a user rights to CIMV2.

THEN REPEAT THE WHOLE PROCESS AND ASSIGN THE SAME PERMISSIONS TO THE ROOT\VIRTUALIZATION NAMESPACE (it’s near the bottom of the list that CIMV2 is in).

20. Start > Run > azman.msc {enter}.

21. Authorization Manager > Right-click > Authorization Store.

22. Browse > c:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml > OK.

23. Expand Hyper-V services > Role Assignments > Administrator > Administrator > In the right hand window > Right click > Assign Users and Groups > From Windows and Active Directory > Add your user and authenticated users.

24. Users and group added > OK

Close all open windows and REBOOT THE SERVER!!

25. Now, when you connect it should work, go and have a brew you’ve earned it 🙂
