Requesting SCOM 2007 Gateway or Agent Certificates for Server 2008 from a Server 2003 Enterprise Certificate Authority

25. June 2010

This is a pretty specific set of instructions for a specific environment, where:

  • you are using Microsoft System Center Operations Manager 2007, and
  • you have a Microsoft Certificate Services 2003 Certificate Authority on your domain, and
  • you have non-domain Windows Server 2008 servers you wish to monitor or set up as a gateway server.


Getting a certificate for either a Gateway Server or a remotely monitored server can be a touch vexing. Inside the domain, Kerberos takes care of authentication between agent and management server; a non-domain server cannot use Kerberos and must fall back to mutual certificate authentication, so both ends need a certificate issued by a CA that both trust. The Gateway must trust the domain CA and present a certificate issued by it to the Management Server (the Management Server needs its own certificate from the same CA, imported with MOMCertImport, before it will accept the gateway). I have bashed my head against this several times now, so I thought I’d make a precise blog post to cover the steps required!

In this scenario, we will have 2 servers CA01, the Windows 2003 Certificate Authority, and Gateway01, the SCOM 2007 gateway. The certificate template for Operations Manager has been created on CA01 as per the documentation and is called “OperationsManagerCert”. On Gateway01 I have copied the Gateway installer to c:\SCOM\Gateway and the SCOM Tools to c:\SCOM\Tools. SCOM01 is our SCOM collection server.

CA01: Navigate to https://ca01/certsrv and download the CA Certificate.

Gateway01: Copy the CA Certificate to the c:\SCOM folder by whatever means you have. Open mmc.exe and add the Certificates Snap-in for the local computer account. Right click the Trusted Root Certification Authorities store and Import the CA01 CA certificate.


Gateway01: Open notepad and create a new certificate request file with the contents below. Name the file Gateway01.inf and save in c:\SCOM

[NewRequest]
Subject="CN=<FQDN of Gateway01>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

Gateway01: Open a command prompt as administrator and navigate to c:\SCOM, use certreq.exe to generate a certificate request:

certreq -new -f Gateway01.inf Gateway01.req

Gateway01: Open Gateway01.req in notepad and copy the contents to clipboard.

CA01: Open https://ca01/certsrv, choose “Request a certificate”, then “advanced certificate request”, then “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file”. Paste the contents of Gateway01.req into the “Saved Request” box, select your SCOM certificate template (OperationsManagerCert) and click Submit. Download the response as a Base 64 encoded certificate.


Gateway01: Copy the certificate file over to c:\SCOM on Gateway01 by whatever method you have available. Open a command prompt with admin rights and accept the new certificate with certreq, which binds it to the private key generated in the previous step:

certreq -accept Gateway01.cer

Check that the certificate has been imported into the Computer/Personal store using mmc.exe.
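Before going any further it is worth checking that the issued certificate actually meets what SCOM will enforce: the subject CN is the gateway’s FQDN, the private key is bound in the machine store, both the Server Authentication and Client Authentication EKUs survived the template, the key usage still includes digital signature and key encipherment, and the chain builds to the CA01 root you imported. The script below is an added example, not code from the original post or from the SCOM tools; the FQDN is a placeholder assumption, and it skips CRL checking because DMZ hosts frequently cannot reach the CA’s CRL (check that separately).

```powershell
# Added example, not from the original post: check the issued gateway certificate
# against what SCOM expects before running MOMCertImport. Run elevated on Gateway01.
$fqdn = 'gateway01.domain.lcl'   # assumption: replace with Gateway01's real FQDN

function Test-ScomCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $problems = @()

    # Subject CN must be the name the management server will see the gateway as
    if ($Cert.GetNameInfo('SimpleName', $false) -ne $Fqdn) {
        $problems += "subject is '$($Cert.Subject)', expected CN=$Fqdn"
    }

    # certreq -accept binds the private key; without it MOMCertImport has nothing to use
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key bound in LocalMachine\My' }

    # Mutual authentication needs both Server Authentication and Client Authentication EKUs
    $ekuExt = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($ekus -notcontains $oid) { $problems += "missing EKU $oid" }
    }

    # KeyUsage=0xf0 in the INF asked for DigitalSignature and KeyEncipherment; the CA may override it
    $kuExt = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($kuExt) {
        foreach ($flag in 'DigitalSignature', 'KeyEncipherment') {
            $wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$flag
            if (($kuExt.KeyUsages -band $wanted) -eq 0) { $problems += "key usage lacks $flag" }
        }
    }

    # The chain must end at the CA01 root imported into Trusted Root Certification Authorities.
    # Revocation is deliberately not checked here (DMZ hosts often cannot reach the CRL).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain does not build to a trusted root: $status"
    }
    return $problems
}

$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $fqdn })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with CN=$fqdn in LocalMachine\My; was certreq -accept run on this machine?"
}
foreach ($c in $certs) {
    $problems = @(Test-ScomCertificate -Cert $c -Fqdn $fqdn)
    if ($problems.Count -eq 0) { "OK   $($c.Thumbprint) (expires $($c.NotAfter))" }
    else { "FAIL $($c.Thumbprint): " + ($problems -join '; ') }
}
if ($certs.Count -gt 1) {
    Write-Warning 'More than one certificate has this subject; MOMCertImport /SubjectName may pick the wrong one. Remove stale ones first.'
}
```

A FAIL on the chain line usually means the CA certificate went into the user’s store rather than the computer’s; a missing EKU means the CA template was not the OperationsManagerCert one, or the CA overrode the request.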

SCOM01: At this point you can install the SCOM agent on Gateway01. If, like me, you are installing a Gateway Server instead, you first need to approve the gateway with the Gateway Approval Tool. Open a command prompt as administrator and navigate to “c:\Program Files\System Center Operations Manager 2007” (or wherever SCOM is installed). Copy Microsoft.EnterpriseManagement.GatewayApproval.Tool.exe from the Support Tools folder into that folder (it requires .dlls that live there), then run it:

Microsoft.EnterpriseManagement.GatewayApproval.Tool.exe /ManagementServerName=SCOM01 /GatewayName=Gateway01

Use the FQDN of both servers here; the documented syntax also takes /Action=Create.

Gateway01: Run the Gateway Server installer and enter the details of the Management Server and Management Group name. When that’s finished, you need to tell SCOM which certificate to use with the MOMCertImport.exe tool located in c:\SCOM\Tools

MOMCertImport /SubjectName Gateway01.Domain.Lcl

Give it a few minutes and you should be able to see the new gateway under Management Servers in the Administration console for SCOM. Remember to right-click, properties, security and allow the server to act as a proxy if it’s reporting for other servers.

I use the same procedure to install Agents in my DMZ that don’t have access to the certificate services – likewise our production web servers isolated in their hosting environment.

I hope this helps you, I know this is an article that I will be referring back to time and time again!

Certificate Services, Windows Server 2008, Windows Server 2003, System Center Operations Manager

Unable to access admin shares (c$, d$, ADMIN$, IPC$) on Windows Server 2008 in a Workgroup

2. June 2010

If you have a Windows Server 2008 box in a workgroup and you need access to one of its admin shares, it can be a little more complicated than with Server 2003. In my case, we had a SQL server on the back end which was trying to access the web server in the DMZ using PSExec.exe to remotely run a process. Executing PSExec and passing the correct credentials failed with “Access is Denied”.

Similarly, when I tried to access the c$, ADMIN$ shares on the server, it would deny me access, and would lock out my admin account when I tried. Creating a separate share would allow me access, but that’s no good for PSExec. To further confuse things, when I accessed the \\server\c$ share from the server, it worked.

Checking the share properties using “net share c$” shows that the settings are all correct: Everyone has FULL access on the share (this is the default; the NTFS permissions do the restricting):


This issue does not affect domain member servers, I was able to browse to the c$ shares of several Windows Server 2008 servers on the domain.

The problem is caused by UAC and the elevated privileges required to access the administrative shares. Microsoft KB article 951016 describes the issue in Windows Vista:

To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent against "loopback" attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.

and the steps to resolve it, open a new PowerShell window as administrator:

New-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -name "LocalAccountTokenFilterPolicy" -value "1" -propertyType dword

A word of caution: this is opening up a security hole and it should only be done with careful consideration of the risks. With the value set to 1, any member of the local Administrators group that authenticates over the network gets a full administrative token, so the admin shares, remote service installation (which is how PSExec works) and remote WMI all become available to anyone holding a local admin password or password hash for that box; this is exactly the path lateral-movement tooling relies on, which is why the default filters the token. The need to use PSExec to remotely run a process was an important part of the deployment, however the same result could be achieved using PowerShell remoting. Until it’s tested and we’re ready to deploy that, I’ll be using this method.
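To make that decision explicit, the PowerShell below (an added example, not part of the original post) reads the two UAC remote-restriction values on the DMZ host, reports what each state means for the admin shares, and gives a pair of functions to switch the filter off for a deployment window and back to the default afterwards rather than leaving the value set permanently. It assumes only that it is run elevated on the web server.

```powershell
# Added example, not from the original post: inspect and toggle the UAC remote
# token filter on a workgroup Server 2008 host. Run elevated on the DMZ box.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RemoteAdminTokenPolicy {
    # Both values are absent by default, and absent means 0.
    $p = Get-ItemProperty -Path $policyKey
    $filterLocal   = if ($p.LocalAccountTokenFilterPolicy -ne $null) { [int]$p.LocalAccountTokenFilterPolicy } else { 0 }
    $filterBuiltin = if ($p.FilterAdministratorToken -ne $null)      { [int]$p.FilterAdministratorToken }      else { 0 }
    New-Object PSObject -Property @{
        # 0: a local admin logging on over the network gets a filtered (non-admin) token,
        #    so c$/ADMIN$ and PSExec are refused.  1: the full token, so they work, and so does
        #    anyone holding a local admin password or hash for this machine.
        LocalAccountTokenFilterPolicy = $filterLocal
        # 0 (default): the built-in Administrator (RID 500) is exempt from the filter above.
        # 1: the built-in Administrator is filtered like everybody else.
        FilterAdministratorToken      = $filterBuiltin
    }
}

function Set-RemoteAdminTokenPolicy {
    param([bool]$FullTokenForLocalAdmins)
    if ($FullTokenForLocalAdmins) {
        Set-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
    } else {
        # Deleting the value restores the default (filtering on) instead of leaving an explicit 0 behind
        Remove-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    }
}

function Describe-RemoteAdminTokenPolicy {
    # One-line summary of who can reach the admin shares from the network right now
    $s = Get-RemoteAdminTokenPolicy
    if ($s.LocalAccountTokenFilterPolicy -eq 1) {
        return 'ALL local administrators get a full token remotely: admin shares and PSExec open to every local admin account.'
    }
    if ($s.FilterAdministratorToken -eq 0) {
        return 'Filtering on (default) but the built-in Administrator is exempt: only that account can reach the admin shares remotely.'
    }
    return 'Filtering on for every local account, built-in Administrator included: admin shares refuse all local accounts remotely.'
}

Describe-RemoteAdminTokenPolicy

# Deployment-window usage: open, run the PSExec job from the SQL server, close again.
#   Set-RemoteAdminTokenPolicy -FullTokenForLocalAdmins $true
#   ... remote job runs ...
#   Set-RemoteAdminTokenPolicy -FullTokenForLocalAdmins $false
```

Two things follow from the output. The built-in Administrator is exempt from the filter by default, which is why deployment tooling so often ends up using it; that is a worse trade than a short window with a named local account, because RID 500 is the account every brute-force and pass-the-hash tool tries first. And the filter applies to any network logon by a local administrator, WinRM included, so remoting with a local account does not by itself sidestep this setting; a domain account does.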

Windows Server, Windows Server 2008, Security, Admin Tools

Configuring Server 2008 R2 Core Series: Management Tasks

24. March 2010

So, you’ve installed a new server with Server 2008 R2 Core – what next? Logging on, you’re presented with a shiny command prompt; you can run notepad or regedit, but aside from that, where do you go from there? In the next few posts in this series I’ll hopefully point out the basics, and some not-so-basics!

I’m going to look at some management tasks – the bread and butter of being a Windows admin.

Activating Server 2008 Core

Activating Server 2008 Core is done via a pre-packaged script, slmgr.vbs (the “Windows Software Licensing Management Tool”).

Firstly, you have to install a Product Key (unless it was done during your install)

cscript C:\windows\system32\slmgr.vbs /ipk <Product Key>


After that, it’s just a case of automatic activation, assuming you have internet access

cscript C:\windows\system32\slmgr.vbs /ato


If the server has no internet access you can use the /dti option to display the Installation ID, call the Microsoft Licensing and Activation line and read it out. Then use the /atp option to enter the Confirmation ID they give you and activate.


Windows Updates

If you read the last post in this series, Configuring Server 2008 R2 Core Series: Network Settings, you may have seen the option in sconfig.cmd to set Windows Update settings. That’s the first, interactive, way to configure Windows Updates. It’s worth noting that the easiest way to do this is via your Group Policies, if you’re on a domain.

===============================================================================
                         Server Configuration
===============================================================================

1) Domain/Workgroup:                    Domain:  MCGEOWN.LOCAL
2) Computer Name:                       ServerCore2008
3) Add Local Administrator
4) Configure Remote Management

5) Windows Update Settings:             Manual
6) Download and Install Updates
7) Remote Desktop:                      Disabled

8) Network Settings
9) Date and Time

10) Log Off User
11) Restart Server
12) Shut Down Server
13) Exit to Command Line

Enter number to select an option: 5

Windows Update currently set to: Manual
Select (A)utomatic or (M)anual updates: A

Enabling Automatic updates...

The second method is the command-line, scripting method. This sets Windows Update to download automatically and install at 3am every day (“/au 1” disables automatic updates, “/au /v” shows the current value):

cscript c:\windows\system32\scregedit.wsf /au 4


Enabling Remote Management

Similarly to Windows Updates, remote management can be configured via sconfig.cmd or command line. Here’s how:

Enter number to select an option: 4
--------------------------------
  Configure Remote Management
--------------------------------

1) Allow MMC Remote Management
2) Enable Windows PowerShell
3) Allow Server Manager Remote Management
4) Show Windows Firewall settings

5) Return to main menu

Enter selection: 1

Enabling MMC firewall exceptions and Virtual Disk Service...

Enter selection: 2

Enabling Windows PowerShell...
Setting Windows PowerShell execution policy to remotesigned...

[Server requests a reboot here - you can't enable Server Manager until it's done]

Enter selection: 3

Setting Windows PowerShell execution policy to remotesigned...
Enabling Server Manager cmdlets...

Configuring Remote Server Manager settings...


If you need to do this via the command line, it happens like this…

Enable WinRM:

C:\Users\Administrator> winrm quickconfig
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:
Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Make these changes [y/n]? y
WinRM has been updated for remote management.
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Fire up PowerShell (powershell.exe; on Core the PowerShell feature has to be enabled first, which is what option 2 above does) and set the execution policy to RemoteSigned:

Set-ExecutionPolicy RemoteSigned

Then enable the Remote Administration rules on the firewall:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

To configure management by Remote Desktop, you can run the now-familiar sconfig.cmd and select option 7, or you can issue the following commands:

cscript c:\windows\system32\scregedit.wsf /ar 0

netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

Bear in mind that an RDP session to Core will not give you a desktop or GUI, just a command prompt window. Also, the listener requires Network Level Authentication (NLA) by default, so older clients that can’t do NLA (e.g. XP with the original RDP client) will be refused. If you really need to support them you have to turn the NLA requirement off with the following command (“/cs 1” puts it back). Think twice before doing this: with NLA off, unauthenticated clients get to talk to the full RDP stack before they log on, which is the exposure NLA exists to remove.

cscript C:\Windows\System32\Scregedit.wsf /cs 0
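Once the steps above have been run it pays to verify the result rather than assume it, particularly that NLA is still required on the RDP listener. The script below is an added example, not part of the original post. It runs in powershell.exe on the Core box itself (so PowerShell has to be enabled first, as above), targets PowerShell 2.0 as shipped with 2008 R2, reads the same registry values that scregedit.wsf /ar and /cs write, and parses netsh’s English output because Get-NetFirewallRule does not exist on that release.

```powershell
# Added example, not from the original post: verify the remote-management state
# that sconfig / winrm / netsh / scregedit leave behind on a 2008 R2 Core server.
# Assumes PowerShell 2.0 on the Core box and English-language netsh output.

function Get-FirewallGroupState {
    # Count enabled vs. total inbound rules in a rule group, parsed from
    # 'netsh advfirewall firewall show rule name=all dir=in' (records are separated by blank lines).
    param([string]$Group, [string[]]$NetshOutput)
    $total = 0; $enabled = 0
    $current = @{}
    foreach ($line in $NetshOutput + '') {          # trailing '' flushes the last record
        if     ($line -match '^Rule Name:\s+(.+)$') { $current = @{ Name = $Matches[1].Trim() } }
        elseif ($line -match '^Enabled:\s+(\S+)')   { $current.Enabled = $Matches[1] }
        elseif ($line -match '^Grouping:\s+(.+)$')  { $current.Group = $Matches[1].Trim() }
        elseif ($line.Trim() -eq '' -and $current.Group -eq $Group) {
            $total++
            if ($current.Enabled -eq 'Yes') { $enabled++ }
            $current = @{}
        }
    }
    New-Object PSObject -Property @{ Group = $Group; Enabled = $enabled; Total = $total }
}

function Get-RemoteManagementChecks {
    $netsh = netsh advfirewall firewall show rule name=all dir=in
    # These are the values scregedit.wsf /ar (fDenyTSConnections) and /cs (UserAuthentication) set
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $listeners = winrm enumerate winrm/config/listener | Out-String

    $checks = @(
        @{ Name = 'WinRM service running';            Ok = ((Get-Service WinRM).Status -eq 'Running') },
        @{ Name = 'WinRM HTTP listener present';      Ok = ($listeners -match 'Transport\s*=\s*HTTP\b') },
        @{ Name = 'Execution policy is RemoteSigned'; Ok = ((Get-ExecutionPolicy) -eq 'RemoteSigned') },
        @{ Name = 'Remote Desktop allowed (/ar 0)';   Ok = ($rdp.fDenyTSConnections -eq 0) },
        @{ Name = 'RDP still requires NLA (/cs 1)';   Ok = ($nla.UserAuthentication -eq 1) }
    )
    foreach ($g in 'Remote Administration', 'Remote Desktop') {
        $s = Get-FirewallGroupState -Group $g -NetshOutput $netsh
        $checks += @{ Name = "Firewall group '$g' fully enabled ($($s.Enabled)/$($s.Total))"
                      Ok   = ($s.Total -gt 0 -and $s.Enabled -eq $s.Total) }
    }
    return $checks
}

foreach ($c in Get-RemoteManagementChecks) {
    $flag = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    "$flag $($c.Name)"
}
```

A FAIL on the NLA line after you ran “/cs 0” is expected; it is there so that the change is noticed and reversed once the old client has gone away.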

Can you manage?

With all those steps completed, you should be able to connect to your server with Remote Server Administration Tools on any Server 2008 or Windows 7 computer.

This is my Windows 7 PC connected via “Server Manager”.

To connect via WinRS (Windows Remote Shell) and execute remote commands, use:

winrs -r:<server name> <command>

e.g:

winrs -r:<Server Name> cmd

Allows me access to the command shell on that server.

Finally, this is what RDP to the same server looks like:


Hopefully that gives you a few options for managing your Windows Server 2008 Core machine!

Windows Server 2008, Admin Tools

70-649: TS: Upgrading Your MCSE on Windows Server 2003 to Windows Server 2008, Technology Specialist

8. March 2010

I’m pleased to announce that I’ve passed the 70-649, which gives me the following MCTS certifications:

Windows Server 2008 Active Directory, Configuration

Windows Server 2008 Applications Infrastructure, Configuration

Windows Server 2008 Network Infrastructure, Configuration

Next I’ll be looking at the 70-647 to get the full MCITP: Enterprise Administrator (I already took the 70-620 exam for my MCSE).

Microsoft, Qualifications

Upgrading Server 2008 RTM-SP2 to Server 2008 R2

11. February 2010

If you read the Microsoft blurb for R2, the first thing you notice is that Server 2008 R2 is 64-bit only(!). It seems Microsoft are forcibly removing 32-bit server hardware from the data centre. I’ve not seen a decent upgrade guide online so far, so here’s my process.

I’m going to be upgrading a Server 2008 x64 SP2 Standard Edition virtual server to R2. To see what editions can and can’t be upgraded, check out this Technet Article, but it’s safe to say that you can’t upgrade across architectures (32-bit to 64-bit) and you can’t downgrade SKUs (Enterprise to Standard).

The first step, as ever, is always to back up your server, if the upgrade goes wrong, you can always restore and try again. You have been warned!

So, without further ado, slip in your R2 DVD and begin…

  • Install
  • Update
  • Select your target SKU
  • Select “Upgrade” (obviously :)
  • Check your upgrade report (which is saved as HTML on your desktop). The first time I ran this it said that I didn’t have enough free space – it required a whopping 15GB, which makes me think that this is no Server 2003 –> R2 upgrade, it’s the full-blown OS install. Assuming everything checks out, go ahead.
  • Sit back and grab a cup of coffee. After a while, you’ll reboot
  • and the upgrade begins in earnest. Once the process is completed, and another reboot has happened, you’ll be upgraded to R2. You’ll need to activate it with your R2 key.
  • Once you’re activated, update your server using Microsoft Update or your patching method.
  • Et voila!

Windows Server 2008