Configuring Networking in Server Core

  1. Open PowerShell on the Server Core machine.
  2. Get the current interface index of the adapter you want to configure.
    1. Issue the command “Get-NetAdapter”
  3. Assign the IP address, prefix length and gateway for the interface you want to configure.
    1. Issue the command “New-NetIPAddress -InterfaceIndex 3 -IPAddress 10.1.0.11 -DefaultGateway 10.1.0.1 -PrefixLength 24”
    2. NOTE: This is the equivalent of the corresponding section of the adapter properties in the UI version.
  4. Assign the DNS servers to use.
    1. Issue the command “Set-DnsClientServerAddress -InterfaceIndex 3 -ServerAddresses 10.1.0.11”
    2. NOTE: This is the equivalent of the corresponding section of the adapter properties in the UI version.

Renaming Network Adapter

NOTE: It may be beneficial to rename the adapter for documentation and clarification purposes.

  1. Get the current list of network adapters.
    1. Issue the command “Get-NetAdapter”
  2. Identify the adapter you want to rename and initiate the change.
    1. Issue the command “Get-NetAdapter -Name Ethernet0 | Rename-NetAdapter -NewName Management”
  3. Confirm the change (re-run “Get-NetAdapter” and check that the new name is shown).
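The two procedures above (addressing and renaming) as one script, added here as an example and not taken from the original post. It resolves the interface index from the adapter name instead of hard-coding 3, clears any DHCP or stale static configuration before assigning the new one, and ends with the confirmation step. The adapter name, addresses and new name are the post's sample values and are assumptions for your environment.

```powershell
# Added example, not code from the original post: configures one Server Core adapter
# end to end. Adapter name, addresses and the new name are assumed values taken
# from the post's examples; change them for your environment.
param(
    [string]   $AdapterName  = 'Ethernet0',
    [string]   $NewName      = 'Management',
    [string]   $IPAddress    = '10.1.0.11',
    [int]      $PrefixLength = 24,
    [string]   $Gateway      = '10.1.0.1',
    [string[]] $DnsServers   = @('10.1.0.11')
)

# Resolve the interface index from the adapter name instead of hard-coding 3;
# the index differs between machines and changes when adapters are added or removed.
$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
$ifIndex = $adapter.ifIndex
Write-Host "Configuring '$AdapterName' (ifIndex $ifIndex)"

# A static address cannot coexist with DHCP on the interface, so turn DHCP off first.
Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4 -Dhcp Disabled

# Remove any existing IPv4 address and default route so the new settings are the
# only ones in effect (otherwise New-NetIPAddress fails with "already exists").
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Same call as in the post, with the index resolved above
New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $IPAddress `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null

Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $DnsServers

# Rename for documentation purposes
Rename-NetAdapter -Name $AdapterName -NewName $NewName

# Confirmation: show what is now configured on the renamed adapter
Get-NetIPConfiguration -InterfaceAlias $NewName |
    Format-List InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
```

Save it as, for example, Set-CoreNetwork.ps1 and run it from the local or hypervisor console rather than over a remote PowerShell session: the script tears down the address you would be connected through before it assigns the new one.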

Exchange – Application log generated Error Event 9325

Hi there IT FELLA,

This post is a follow-up to my previous post, “Exchange – Application log generated Warning Event 9327”.

Sample Event:
Log: Application
Type: Error
Event: 9325
Alert Time: 2017-01-23 05:09:00Z
Event Time: 11:08:31 AM 23-Jan-2017 UTC
Source: MSExchangeSA
Category: OAL Generator
Username: N/A
Computer: exch.itfellas.internal

Description: OABGen will skip user entry 'architel_test' in address list '\Global Address List' because the SMTP address '' is invalid.

– \Default Offline Address List

This event identifies the account that was skipped when Exchange tried to generate the OAB. Most of the time this happens when the account was created as a copy of an AD object that has a mailbox: during the copy some of the Exchange attributes were carried over, so the new object qualifies for the OAB, but when Exchange tries to read its SMTP address it finds none, because the object is not mail-enabled or does not have a valid SMTP address.

The easiest way to fix this is to:

  1. Create a mailbox for the user mentioned in the event.
  2. Disable the mailbox.

This forces a cleanup of the Exchange attributes associated with the object.
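The two-step fix above, plus a query that finds other objects in the same state before they show up in the event log, as an added example (not code from the original post). It runs in the Exchange Management Shell on a server that also has the ActiveDirectory module. The sAMAccountName 'architel_test' comes from the sample event; the set of attributes checked, and the idea that a populated legacyExchangeDN with an empty homeMDB marks the copied-over state, are assumptions, as is the mailbox database name.

```powershell
# Added example, not code from the original post. Run in the Exchange Management
# Shell on a server where the ActiveDirectory module is also available.
# Assumptions: an object with legacyExchangeDN set but no homeMDB is the
# "copied from a mailbox user" pattern that produces event 9325; the database
# name used in the usage line is a placeholder.
Import-Module ActiveDirectory

$exchangeAttrs = 'mail', 'mailNickname', 'legacyExchangeDN', 'homeMDB', 'showInAddressBook', 'proxyAddresses'

function Get-OrphanedExchangeAttributes {
    # Users that carry Exchange attributes (legacyExchangeDN populated) but have no
    # mailbox database (homeMDB empty): candidates for the 9325 event.
    Get-ADUser -Filter 'legacyExchangeDN -like "*"' -Properties $exchangeAttrs |
        Where-Object { -not $_.homeMDB } |
        Select-Object SamAccountName, mail, mailNickname, legacyExchangeDN,
            @{ n = 'showInAddressBook'; e = { $_.showInAddressBook -join '; ' } }
}

function Repair-OrphanedExchangeAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Database      # assumption: an existing mailbox database name
    )
    # Step 1 of the post: create a mailbox so Exchange owns the object's attributes again.
    Enable-Mailbox -Identity $SamAccountName -Database $Database | Out-Null
    # Step 2 of the post: disabling the mailbox makes Exchange strip its mail attributes
    # (the mailbox content is kept as a disconnected mailbox until retention expires).
    Disable-Mailbox -Identity $SamAccountName -Confirm:$false
    # Verify: the object should no longer carry legacyExchangeDN / showInAddressBook
    Get-ADUser -Identity $SamAccountName -Properties $exchangeAttrs |
        Select-Object SamAccountName, mail, legacyExchangeDN, homeMDB, showInAddressBook
}

# Usage: list candidates first, then repair the one named in the event
Get-OrphanedExchangeAttributes | Format-Table -AutoSize
# Repair-OrphanedExchangeAttributes -SamAccountName 'architel_test' -Database 'MailboxDatabase01'
```

Review the list from Get-OrphanedExchangeAttributes before repairing anything: a legitimately mail-enabled user (mail set, no homeMDB) can also appear in it, and those should be left alone.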

Exchange – Application log generated Warning Event 9327

Hi there IT Fella, I hope you all are having a wonderful day.

This post explains how to deal with Exchange event 9327. It usually happens when a newly created account was copied from a mailbox-enabled user or a mail-enabled contact, so some of the Exchange attributes were copied over to the new account. When the OALGen task runs it queries all Exchange-qualified objects, but OALGen is not smart enough to determine whether an object actually has a mailbox connected, or whether the SMTP attribute of the qualified object is populated with a valid SMTP address.

See Sample Event:
Log: Application
Type: Warning
Event: 9327
Alert Time: 2017-01-24 02:05:21Z
Event Time: 08:04:31 AM 24-Jan-2017 UTC
Source: MSExchangeSA
Category: OAL Generator
Username: N/A
Computer: exch.itfellas.internal

Description: OALGen skipped some entries in the offline address list '\Global Address List'. To see which entries are affected, event logging for the OAL Generator must be set to at least medium.

– \Default Offline Address List

This event does not provide a detailed enough message for us to identify which user or object in AD was skipped during OAB generation. To identify the object on the next OAB generation, we must raise the diagnostic logging level on the Exchange server that holds the Mailbox role.

  1. Open the Exchange Management Console (MMC).
  2. Server Configuration > Mailbox > right-click the server > select “Manage Diagnostic Logging Properties” > MSExchangeSA > OAL Generator
  3. Set the logging level to Medium.

The next time Exchange generates the OAB, it will log the specific object that was skipped. The event should look like the one in the post “Exchange – Application log generated Error Event 9325”.
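The same change from the Exchange Management Shell, followed by a collector that pulls the resulting 9325 events out of the Application log, as an added example (not code from the original post). The server name is a placeholder, and the regular expression assumes the 9325 message has the shape shown in the sample event of the companion post.

```powershell
# Added example, not code from the original post. Raises the OAL Generator logging
# level (the shell equivalent of the Manage Diagnostic Logging Properties dialog)
# and then collects the 9325 events that appear once OAB generation has run again.
$server = 'exch'   # assumption: the Mailbox server that generates the OAB

# Show the current level, then set it to Medium (levels: Lowest, Low, Medium, High, Expert)
Get-EventLogLevel -Identity "$server\MSExchangeSA\OAL Generator"
Set-EventLogLevel -Identity "$server\MSExchangeSA\OAL Generator" -Level Medium

function Get-SkippedOabEntries {
    # Parse each 9325 event for the user entry and the address list named in its
    # message, so the objects can be fixed one by one.
    param([string]$ComputerName = $server, [int]$Days = 7)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MSExchangeSA'
        Id           = 9325
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message shape (from the sample event in the companion post):
            # OABGen will skip user entry 'architel_test' in address list '\Global Address List' because ...
            if ($_.Message -match "skip user entry '([^']*)' in address list '([^']*)'") {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    UserEntry   = $matches[1]
                    AddressList = $matches[2]
                }
            }
        } | Sort-Object UserEntry -Unique
}

Get-SkippedOabEntries | Format-Table -AutoSize
```

Medium logging on this category is noisy on a large directory; once the skipped objects are cleaned up, set the level back to Lowest with Set-EventLogLevel.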

Scanning File Share NTFS Permission with PowerShell

Introduction

Hello. It's been quite a while since I have posted something here on my blog, and it's good to be back.

Recently I had the dilemma of figuring out whether specific security groups are being used somewhere as an ACE (Access Control Entry) on one of the file servers that we manage. I know that the labor involved is very intensive and I'm too lazy to do this manually. Why would I?

So I invested some of my time (to be honest, around 2 hours 🙂 ) and some googling, and created a script that scans the directory tree of my shared folder, looks for the security groups I am interested in, and reports where they are used in that hierarchy.

The Code

Download at OneDrive: https://1drv.ms/u/s!ApePyXZrHH4Nhp9scSYX2MN-6oDgiA

# Author: Sheen Ismhael Lim
# Created: 7/2/2016 10:40 PM PHT
# Notes: This PowerShell script was created to assist administrators to look into a file share and compare AD objects
#        based on the sAMAccountName entries in a referenced txt file.
# Parameter: ADObjectList -> Points to a file which contains AD object identities in sAMAccountName format (domain\objectname), one per line.
# Parameter: folderPath   -> Points to the folder you are interested in scanning.

Param (
    [String]$ADObjectList,
    [String]$folderPath)

function Get-FolderAcl() {
    $objectsToFind = Get-Content -Path $ADObjectList
    $qualifiedItems = @()

    Write-Host "Starting script."
    Write-Host "Getting object list to scan from $($ADObjectList)"

    # -ErrorVariable takes the variable NAME (no $). Access-denied and path-too-long
    # errors are collected here instead of stopping the scan.
    $errors = $null

    foreach ($currentItem in `
        $(Get-ChildItem -Path $folderPath -Recurse -ErrorVariable errors -ErrorAction SilentlyContinue) | `
        Where-Object { $_.PSIsContainer }) {   # directories only

        $aclsInFolder = Get-Acl -Path $currentItem.FullName | Select-Object -ExpandProperty Access

        Write-Host "Checking Folder: $($currentItem.FullName)"

        foreach ($aclEntry in $aclsInFolder) {
            foreach ($objectEntry in $objectsToFind) {
                # IdentityReference is an NTAccount; compare its string value (DOMAIN\name)
                if ($objectEntry -eq $aclEntry.IdentityReference.Value) {
                    $item = New-Object -TypeName psobject

                    $item | Add-Member -MemberType NoteProperty -Name FullName -Value $currentItem.FullName
                    $item | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $aclEntry.IdentityReference
                    $item | Add-Member -MemberType NoteProperty -Name FileSystemRights -Value $aclEntry.FileSystemRights
                    $item | Add-Member -MemberType NoteProperty -Name IsInherited -Value $aclEntry.IsInherited

                    $qualifiedItems += $item
                    break   # one match per ACE is enough; move to the next ACE
                }
            }
        }
    }

    # Results and collected errors go to the desktop of the account running the script
    $qualifiedItems | Export-Csv -Path $env:USERPROFILE\Desktop\adobjectlist_scanresult.csv -NoTypeInformation
    $errors | Out-File -FilePath $env:USERPROFILE\Desktop\adobjectlist_scanresult_errors.txt
    $qualifiedItems | Sort-Object FullName | Format-Table FullName, IdentityReference, FileSystemRights, IsInherited -AutoSize

    Write-Host "Script is done running."
}

Get-FolderAcl

How to Use

  1. First you will need to define the security groups you want to scan for in “sAMAccountName” format and save them to a text file. So, if you are interested in searching for a security group named “Accounting Team”, you will need to define it as “DomainName\Accounting Team” – without the quotes.
    You can add multiple security groups to search for, one line per security group.
  2. Then define the folder path you want to scan, relative to the server where you are running the script.
  3. Make sure the account running the script has read permission to the folder hierarchy you are targeting.

Sample:

PS C:\Users\Sheen Ismhael Lim> .\Get-FolderACLv2.ps1 -ADObjectList "c:\securitygrouplist.txt" -folderPath "e:\shared\"

Output

It may look like the script, or the PowerShell window where you are running it, is not doing anything, but in reality it is the part of the code shown below (the recursive Get-ChildItem call in the script) that takes time to execute.

Get-ChildItem -Path $folderPath -Recurse

After the script has finished running it will generate 2 files on the desktop of the profile running the script: adobjectlist_scanresult_errors.txt and adobjectlist_scanresult.csv.

Output: adobjectlist_scanresult_errors.txt

This output enumerates the errors the script encountered during its execution, for example a path it cannot read or a path that is too long.

Output: adobjectlist_scanresult.csv

This output is the main result we are interested in. It shows the folder paths where an assigned security group matches one of the groups listed in step 1 of the How to Use section, and which group matched on that folder path.

Hope it helps! Good Luck!

HTTP not redirecting HTTPS for Exchange

Recently I encountered an issue with one of the servers we manage at work.

When users type the address of the Exchange site, in this case let's say mail.limdynasty.com, they want to be redirected to https://mail.limdynasty.com/owa

At first we thought that using the HTTP Redirect feature of the “Default Web Site” in IIS Manager (inetmgr) would do the job. It didn't. We then noticed that by visiting https://mail.limdynasty.com the web server did execute the redirect we set in HTTP Redirect.

What we didn't realize is that setting the HTTP Redirect was only half of the process. We also had to disable the “Require SSL” option in the SSL Settings of the “Default Web Site”.

It makes sense: with “Require SSL” on, the redirection is only executed for requests that already arrive over HTTPS.

That means when the server receives a request for mail.limdynasty.com it only allows secure connections. Since mail.limdynasty.com typed into a browser is an implicit request for http://mail.limdynasty.com, the site refuses the plain HTTP connection before the redirect can run.

When we disable “Require SSL” in the SSL Settings of the “Default Web Site”, we tell the server to accept unsecured (HTTP) connections. Combined with the redirect this makes perfect sense: we have already set the “HTTP Redirect” on the “Default Web Site”, and after we disable “Require SSL” the server accepts the request for mail.limdynasty.com and, once it has accepted it, executes the redirect to https://mail.limdynasty.com/owa
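The same two changes applied with the IIS WebAdministration module, as an added example (not code from the original post), with the check a practitioner wants afterwards. HTTP Redirect set on the site root is inherited by every virtual directory under it, so the script also switches the redirect off on the Exchange virtual directories and keeps “Require SSL” on them; only the site root accepts plain HTTP, and all it does with it is redirect. The host name, the list of virtual directories and the existence of an HTTP (port 80) binding on the site are assumptions.

```powershell
# Added example, not code from the original post. Applies the two changes the post
# describes with the IIS WebAdministration module, then removes the inherited
# redirect from the Exchange virtual directories so only the site root redirects.
# Assumptions: host name, vdir list, and an existing HTTP (port 80) binding.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'
$target = 'https://mail.limdynasty.com/owa'
# Exchange virtual directories that must keep Require SSL and must NOT redirect
# (check yours with: Get-ChildItem 'IIS:\Sites\Default Web Site')
$vdirs  = 'Autodiscover', 'ecp', 'EWS', 'OAB', 'owa', 'PowerShell', 'Rpc', 'Microsoft-Server-ActiveSync'

# 1. Site root: HTTP Redirect to the OWA URL (the HTTP Redirect feature in inetmgr)
foreach ($setting in @{ enabled = $true; destination = $target; exactDestination = $true; childOnly = $false }.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpRedirect' -Name $setting.Key -Value $setting.Value
}

# 2. Site root: turn off Require SSL so the plain HTTP request is accepted and can be redirected
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'

# 3. Child vdirs inherit the redirect; disable it there and keep SSL required,
#    otherwise https://.../owa redirects to itself and the vdirs would accept HTTP.
foreach ($v in $vdirs) {
    $path = "$site\$v"
    if (Test-Path $path) {
        Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/httpRedirect' -Name enabled -Value $false
        Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
}

# Verify: root redirects and accepts HTTP; vdirs do not redirect and require SSL
function Get-RedirectState {
    $paths = @($site) + @($vdirs | ForEach-Object { "$site\$_" } | Where-Object { Test-Path $_ })
    foreach ($p in $paths) {
        $redir = Get-WebConfiguration -PSPath $p -Filter 'system.webServer/httpRedirect'
        $ssl   = Get-WebConfiguration -PSPath $p -Filter 'system.webServer/security/access'
        [pscustomobject]@{
            Path        = $p
            Redirect    = $redir.enabled
            Destination = $redir.destination
            SslFlags    = $ssl.sslFlags
        }
    }
}
Get-RedirectState | Format-Table -AutoSize
```

Run it from an elevated prompt on the Exchange server and re-run Get-RedirectState after any Exchange cumulative update, since updates can rewrite the virtual directory settings.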

Switching to Windows Server 2012 R2 Core to Standard

Hello everyone,

I hope you are having a wonderful day.

It's been a while since I posted here; I've been busy lately. But I finally found some extra time to squeeze in this post.

Scenario

Okay, you've heard the news and know the benefits of Windows Server 2012 R2 Core, so you finally installed Windows Server 2012 R2 Core, but to your surprise you are unable, or not comfortable enough, to configure Server Core. You then decide to go back to Server 2012 R2 Standard (with the GUI), configure everything, and then switch back to Core to minimize the attack surface of your server.

When you issue the command

Install-WindowsFeature -Name server-gui-mgmt-infra,server-gui-shell

you see the progress bar and leave the server to finish the setup, but when you get back the installation has failed. You try again, and the same thing happens. Now what?

Solution:

Well, as you may already know, the Server 2012 versions have Features on Demand. When you decide to install Server Core on your machine you should know that the assemblies (feature payloads), the actual bits of some features, are not present on the disk. If you issue the command

Get-WindowsFeature -Name Server-Gui-Mgmt-Infra,Server-Gui-Shell | FT DisplayName, Name, InstallState

from a newly installed Server 2012 Core, you will notice that the InstallState of the Server-Gui-* features is Removed. There are 3 possible states of a feature in Server Core.

  • Available – The feature can be installed with Install-WindowsFeature without having to refer to a source.
  • Removed – The assemblies (payloads) are not present on the system; to install the feature you will have to use the -Source parameter when issuing Install-WindowsFeature.
  • Installed – The feature is installed on the server and should be accessible via Server Manager.

So if you want to go to Server 2012 Standard, the UI version of Windows Server 2012, you will need to specify the -Source parameter of the Install-WindowsFeature cmdlet.

  1. Locate a copy of the install.wim file; you can find it on the installation media of Windows Server 2012 (in the sources folder).
  2. Then issue the command “Get-WindowsImage -ImagePath pathtothe_WIM_file.wim” and note the index of the edition you want to convert to. If you have installed Standard Core you can only convert to Server Standard, and Datacenter Core only to Server Datacenter.
  3. In my installation I have Windows Server 2012 R2 Standard Core, so my command is
    Install-WindowsFeature -Name Server-Gui-Mgmt-Infra,Server-Gui-Shell -Source wim:d:\sources\install.wim:<index>
    where <index> is the image index of the Standard (non-Core) edition reported by Get-WindowsImage in step 2.

Well, that's pretty much it. It should take a minute or two for the features to install; then reboot your server and you have the GUI version of Windows Server 2012 R2.

 

Applies To: Windows Server 2012, Windows Server 2012 R2
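The three steps above as one script, added here as an example and not code from the original post. It confirms the features really are in the Removed state, picks the image index of the matching non-Core edition out of install.wim instead of guessing it, builds the wim:<path>:<index> source string and runs the install. The WIM path and the edition keyword are assumptions for your media.

```powershell
# Added example, not code from the original post. Picks the right image index from
# install.wim for the -Source parameter instead of guessing it, then installs the
# GUI features. The WIM path and edition keyword are assumptions for your media.
param(
    [string]$WimPath = 'd:\sources\install.wim',
    [string]$Edition = 'SERVERSTANDARD'   # or SERVERDATACENTER; must match the installed edition
)

$features = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'

# Confirm the payload really is missing (InstallState "Removed") before pointing at a source
Get-WindowsFeature -Name $features | Format-Table DisplayName, Name, InstallState -AutoSize

# Get-WindowsImage lists every edition in the WIM with its index; the Core editions
# carry "CORE" in the name, the full editions do not.
$image = Get-WindowsImage -ImagePath $WimPath |
    Where-Object { $_.ImageName -like "*$Edition" -and $_.ImageName -notlike '*CORE*' }

if (-not $image) {
    throw "No non-Core '$Edition' image found in $WimPath. Run Get-WindowsImage -ImagePath $WimPath and check the names."
}

# -Source uses the form wim:<path>:<index>. A Standard Core install can only take the
# Standard payload and Datacenter Core only the Datacenter payload.
$source = "wim:${WimPath}:$($image.ImageIndex)"
Write-Host "Installing $($features -join ', ') from $source ($($image.ImageName))"

$result = Install-WindowsFeature -Name $features -Source $source
$result | Format-List Success, RestartNeeded, ExitCode, FeatureResult

if ($result.Success -and $result.RestartNeeded -eq 'Yes') {
    Write-Host 'Installation succeeded; reboot to get the GUI.'
}
```

The same Get-WindowsFeature check at the top is what tells you, after the later switch back to Core, that the GUI payload was removed again with Uninstall-WindowsFeature -Remove rather than merely disabled.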

Deploying Software via Group Policy

Hello, it's been a while since I last posted on this blog. Today I will walk you through deploying software packaged as an MSI installer to your network using Group Policy from Microsoft Active Directory Domain Services.

Servers and Computers Involved:

ELSAL-SRV1 – Domain Controller
ELSAL-SRV3 – File Server
ELSAL-WKS1 – Client Computer

Introduction:

In a small office or corporate environment it is important to deploy the software that users need to do their work. In this blog post we will simulate installing Mozilla Firefox in a domain environment. There are 3 ways to install MSI packaged installers with Group Policy:

  1. Via computer, Assigned Software
  2. Via user, Assigned Software
  3. Via user, Published Software

In this blog post I will walk you through deploying software per computer. There are reasons why you would want to deploy software per computer instead of per user: some software has licensing terms that make it more appropriate to deploy per computer rather than as user-assigned or user-published software.

The difference between the software deployment methods:

Deployed to User, Assigned Software – Not installed until the default shortcut is opened in the Programs folder of the Start Menu.

Deployed to User, Published Software – Not installed until the user initiates it from “Programs and Features > Install a program from the network” in the Control Panel of the client computer.

Deployed to Computer, Assigned Software – Automatically installed during computer boot. You cannot publish software when deploying it to a computer.

The Procedure:

First of all, we need a good OU structure and a plan for how we want to deploy our software in our environment. The OU structure and deployments we are going to follow are from one of my test environments.

Notice that “C – Install Mozilla Firefox” has a single security filtering entry, “DL_ElSalvador_Computers_Install_MozillaFirefox”. This security group contains another security group called “G_ElSalvador_Computers_Install_MozillaFirefox”.

The GPO names are prefixed by C or U: C means a Computer policy and U a User policy is defined in them. The domain security group names start with DL (Domain Local group), G (Global group) or U (Universal group). The way I deployed my security groups follows the concept from this website: http://ss64.com/nt/syntax-groups.html

Combining good security group practice, a GPO naming convention and GPO deployment makes software deployment much easier for junior administrators, who only need to add the computers that need the software, as we will discuss later in this post.

Preparing the MSI Installer:

First, we need to make the MSI available on the network as a shared file. In this case I downloaded the Firefox MSI installer from http://www.frontmotion.com/Firefox/download_firefox.htm, put it on my file server named ELSAL-SRV3 in a folder named “Mozilla Firefox” inside a shared folder named Installers.

Now I am going to give Everyone read/write permission on the Installers shared folder so that computers or users are able to access the installer file.

Now the Installers folder is a shared folder on the ELSAL-SRV3 server and can be accessed via “\\ELSAL-SRV3\Installers”.
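Creating the share and its permissions from PowerShell on the file server, as an added example (not code from the original post). The computer accounts that apply the policy only need to read the package, and they are members of Authenticated Users, so the example grants read-only access there and reserves write access for the group that maintains the packages: a package that SYSTEM installs on every machine in the OU should not be replaceable by any domain user. The local folder path, the NetBIOS domain name and the maintainer group are assumptions; server, share and folder names are the post's.

```powershell
# Added example, not code from the original post: publishes the installer share
# with read-only access for the accounts that apply the policy (computer accounts
# are members of Authenticated Users) and write access only for package maintainers.
# Assumptions: local folder path, NetBIOS domain name, maintainer group.
$path      = 'E:\Installers'               # assumption: local folder behind the share on ELSAL-SRV3
$shareName = 'Installers'
$adminGrp  = 'LIMDYNASTY\Domain Admins'    # assumption: who is allowed to update packages

if (-not (Test-Path $path)) { New-Item -Path $path -ItemType Directory | Out-Null }
New-Item -Path (Join-Path $path 'Mozilla Firefox') -ItemType Directory -Force | Out-Null

# Share-level permissions: readers vs. maintainers
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $path -ReadAccess 'Authenticated Users' -FullAccess $adminGrp | Out-Null
}

# NTFS permissions: stop inheriting from the volume root and set an explicit ACL
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, drop inherited entries
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule($adminGrp, 'FullControl', $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\Authenticated Users', 'ReadAndExecute', $inherit, 'None', 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $path -AclObject $acl

# Verify the effective entries on the folder and on the share
(Get-Acl -Path $path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Get-SmbShareAccess -Name $shareName | Format-Table AccountName, AccessRight -AutoSize
```

If a client later logs “The installation source for this product is not available” in its Application log, check these two listings first: both the share and the NTFS ACL must allow the computer account to read.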

Creating and Defining the GPO Object:

Create a blank GPO, name it “C – Install Mozilla Firefox” (or as you desire) and link it to the “OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com” OU, or to your appropriate OU.

Edit the GPO and go to its properties. Since this will be a computer policy, disable the User Configuration section. Close the properties window.

Now navigate to Computer Configuration > Policies > Software Settings > Software Installation. Right-click Software Installation and click New > Package.

A popup window should appear asking for the location of the MSI package. If you remember what we did in the Preparing the MSI Installer section, we made the installer available at “\\ELSAL-SRV3\Installers”; type that in the open dialog. Then open the Mozilla Firefox folder and select the MSI installer for Firefox, or the MSI installer for whatever software you want to deploy to your computers.

NOTE: The location of your MSI installer must be reachable by the computer accounts you are going to deploy the software to. In this case we have already made those settings.

Then click Advanced on the Deploy Software popup window. Notice that the Published radio button is

A properties window should then appear for the package. Go to the Deployment tab.

In this case check “Uninstall this application when it falls out of the scope of management”. This makes sure that if the computer account is relocated somewhere in the domain that is not supposed to have Mozilla Firefox, Firefox will automatically be removed without user intervention. Combining this setting with GPO security filtering gives us more flexibility in automating software installation via MSI.

Note that we have configured the Computer Configuration node of the Group Policy; this means that even if there are user objects in the “OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com” OU, only computer accounts are affected.

Preparing Security Group:

The reason I use security groups in Group Policy is that I prefer to give access to security groups instead of directly to user accounts. I follow the best practices in this article: http://ss64.com/nt/syntax-groups.html

I have made the ELSAL-WKS1 computer account a member of G_ElSalvador_Computers_Install_MozillaFirefox. According to the article linked above, it is recommended to grant permissions only to Domain Local security groups. A Universal group does not really make sense in our post as we only have one domain. The structure I made for my domain is three security groups of type Domain Local, Global and Universal, denoted by DL_* (Domain Local), G_* (Global) and U_* (Universal).

In my domain I have:

Security Group Name                              Security Group Type
G_ElSalvador_Computers_Install_MozillaFirefox    Global
U_ElSalvador_Computers_Install_MozillaFirefox    Universal
DL_ElSalvador_Computers_Install_MozillaFirefox   Domain Local

The Global security group holds the list of computer accounts allowed to receive the deployed software. Add the computer account to the Global security group.

The Global security group is also nested as a member of the Universal and Domain Local security groups.

Applying Security Filtering:

Now, everything we did above comes together in this part.

Open the Group Policy Management Console, click the GPO we defined, then click Scope.

By default, the security group populated in Security Filtering is Authenticated Users. Authenticated Users are domain objects that have been issued a Kerberos ticket by the Domain Controller; this includes computer accounts.

If you want to deploy this policy to all computer accounts in the “OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com” OU, the configuration is complete at this point.

But in this article I designed the GPO in tandem with security groups for granular permissions.

Now remove Authenticated Users (if it's not already removed), then click the Add button under Security Filtering. A window will pop up asking for the object to add; type in the Domain Local security group and click OK.

Because G_ElSalvador_Computers_Install_MozillaFirefox is a member of DL_ElSalvador_Computers_Install_MozillaFirefox, members of G_ElSalvador_Computers_Install_MozillaFirefox also inherit the permissions we set on DL_ElSalvador_Computers_Install_MozillaFirefox.

Now the configuration of the GPO is complete.
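The group nesting from the Preparing Security Group section and the security filtering from this section, done with the ActiveDirectory and GroupPolicy modules, as an added example (not code from the original post). One detail differs from the console steps above: instead of dropping Authenticated Users entirely, the example downgrades it from Apply to Read, which is what Microsoft recommends since the June 2016 Group Policy security update (MS16-072) so the policy engine can still read the GPO. GPO and group names are the post's; the OU the groups are created in is an assumption.

```powershell
# Added example, not code from the original post: builds the DL -> U -> G nesting
# chain the post describes, adds the workstation to the Global group, and sets the
# GPO security filtering to the Domain Local group. Assumption: the OU for the groups.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$base     = 'ElSalvador_Computers_Install_MozillaFirefox'
$groupOU  = 'OU=Groups,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com'   # assumption
$gpoName  = 'C - Install Mozilla Firefox'
$computer = 'ELSAL-WKS1'

# 1. Create the three groups if they do not exist yet
foreach ($g in @(@{ Prefix = 'G_'; Scope = 'Global' },
                 @{ Prefix = 'U_'; Scope = 'Universal' },
                 @{ Prefix = 'DL_'; Scope = 'DomainLocal' })) {
    $name = $g.Prefix + $base
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope $g.Scope -GroupCategory Security -Path $groupOU
    }
}

# 2. Nesting: G is a member of both U and DL; the computer is a member of G
Add-ADGroupMember -Identity "U_$base"  -Members "G_$base"
Add-ADGroupMember -Identity "DL_$base" -Members "G_$base"
Add-ADGroupMember -Identity "G_$base"  -Members (Get-ADComputer -Identity $computer)

# 3. Security filtering: the DL group gets Read + Apply; Authenticated Users keeps
#    Read only (-Replace overwrites its current Apply permission).
Set-GPPermission -Name $gpoName -TargetName "DL_$base" -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify: who can apply the GPO, and that the computer reaches DL through the nesting
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission -AutoSize
Get-ADGroupMember -Identity "DL_$base" -Recursive | Format-Table Name, objectClass -AutoSize
```

The recursive membership listing at the end is the quick check for the failure case described in the conclusion: a computer that is not in it will not apply the GPO, no matter which OU it sits in.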

Conclusion:

The advantage of this kind of setup is that junior administrators who do not have the privileges to modify GPOs are still able to deploy the software to the identified computers, just by making the target computer a member of the G_ElSalvador_Computers_Install_MozillaFirefox security group and relocating the computer account to the OU where the GPO is linked.

If the computer account is not a member of the required security group, or is a member but is not located in the correct OU, the computer account will fail to qualify for the GPO and the GPO will not be applied.

If the software was previously installed via GPO and you later remove the required security group membership or move the computer account to another OU where the GPO does not apply, the software will be uninstalled from the computer the next time it reboots. This is because we configured the software to “Uninstall this application when it falls out of the scope of management” (see the Creating and Defining the GPO Object section above).

Hope it helps,

For God and Country!