Saturday, June 7, 2014

Migrating FSMO's Using PowerShell

PowerShell continues to make administrative tasks easier the more it is utilized, and migrating FSMO roles is one of those tasks. Say you have to move Active Directory, and with it the FSMO roles, to another server in your environment. Let's get this task underway. In our lab environment we have two servers: one running Server 2008 R2 and the other Server 2012 R2.

The 2012 R2 server is joined to the domain but is not a DC. Let's run the PowerShell cmdlet Install-WindowsFeature AD-Domain-Services -IncludeManagementTools to install the role, as seen below.

Next we will run the cmdlet shown below to promote the server to a domain controller:
Install-ADDSDomainController -CreateDnsDelegation:$false -DatabasePath 'C:\Windows\NTDS' -DomainName 'FISG.LOCAL' -InstallDns:$true -LogPath 'C:\Windows\NTDS' -NoGlobalCatalog:$false -SiteName 'Default-First-Site-Name' -SysvolPath 'C:\Windows\SYSVOL' -NoRebootOnCompletion:$true -Force:$true

Enter the Directory Services Restore Mode (Safe Mode) password when prompted to continue the install.

Next, restart the server to complete the install.

Next we will verify that AD replicated to our new server by checking the Active Directory Administrative Center (ADAC).

Next we will move our FSMO roles to our new server. In PowerShell on the new server we will run the netdom query fsmo command to see which DC currently holds each role, as seen below.

Next we will run the cmdlet
Move-ADDirectoryServerOperationMasterRole -identity "FISG-DC1" -OperationMasterRole 0,1,2,3,4
as seen below to transfer the roles. The numbers 0 to 4 stand for PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster and DomainNamingMaster; the role names can be used in place of the numbers.

Next we will run netdom query fsmo again to verify that all FSMO roles were transferred to FISG-DC1, as seen below.
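The same transfer and verification as an added PowerShell example (not the post's own commands): the roles are passed by name, and the result is read back from the directory with the ActiveDirectory module instead of netdom. It assumes the post's DC name FISG-DC1 and an account that is in Domain Admins, Schema Admins and Enterprise Admins, which the Schema and Domain Naming roles require.

```powershell
# Added example (not the original post's commands): transfer all five FSMO roles
# to the new DC by name, then verify with the ActiveDirectory module instead of netdom.
# Assumptions: run as a member of Domain Admins, Schema Admins and Enterprise Admins;
# "FISG-DC1" is the DC name used in the post.
Import-Module ActiveDirectory

$TargetDc = 'FISG-DC1'

# Role names in the same order as the 0,1,2,3,4 used in the post.
$Roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

# A transfer (no -Force) needs the current holder online and replicating. Only use
# -Force to seize roles from a DC that is gone for good, and never bring that DC back.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Roles -Confirm:$false

# Verify: the directory records the holders, so ask AD rather than trusting the cmdlet's output.
function Get-FsmoHolders {
    $Domain = Get-ADDomain
    $Forest = Get-ADForest
    [ordered]@{
        PDCEmulator          = $Domain.PDCEmulator
        RIDMaster            = $Domain.RIDMaster
        InfrastructureMaster = $Domain.InfrastructureMaster
        SchemaMaster         = $Forest.SchemaMaster
        DomainNamingMaster   = $Forest.DomainNamingMaster
    }
}

$Holders    = Get-FsmoHolders
$TargetFqdn = (Get-ADDomainController -Identity $TargetDc).HostName
$Elsewhere  = @($Holders.GetEnumerator() | Where-Object { $_.Value -ne $TargetFqdn })

$Holders.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if ($Elsewhere.Count -gt 0) {
    Write-Warning ('Not yet on {0}: {1}' -f $TargetFqdn, (($Elsewhere | ForEach-Object Key) -join ', '))
} else {
    Write-Host "All five FSMO roles are held by $TargetFqdn"
}
```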

Success!!!

For Server Downloads visit http://aka.ms/msproducts

For a 30 day trial of Azure with a $200 credit limit visit http://aka.ms/try-azure

By: Adnan Cartwright


Sunday, March 16, 2014

Deploying Remote Desktop Services In Windows Azure

Windows Azure has indeed made deployments much easier and, in some cases, less costly. One of those cases is a remote office whose clients need to connect to a server for RemoteApp work. Applications such as Microsoft Office, QuickBooks and others can now be deployed and accessed with great ease using Windows Server 2012 R2 in Windows Azure.

For a quick deployment and single-server setup, connect to a Windows Azure account. Don't have one? No worries: obtain one for free at http://aka.ms/msproducts.

Once your account is active, the next step is to configure a storage account. To create a storage account click New, Data Services, Storage and then Quick Create. Enter a name for the storage account that you can remember and that is not already in use. I selected Locally Redundant for Replication as this is a lab. You can choose Geo-Redundant to replicate your storage account based on your needs, as seen below.


Our next step is to set up the virtual network that our RDS server will use. Click New, Network Services, Virtual Network, then Custom Create, as seen below.

On the Virtual Network Details page enter the name of your virtual network and select Create a New Affinity Group, as seen below. Select the region and then name the affinity group. Click Next.


Leave the DNS Servers blank, as we will be adding one later in the lab, as seen below. Click Next.

On the Virtual Network Address Spaces page select your address space and add your subnet, as seen below. Click OK.

Now that our network is created, we can create our virtual machine in Azure, where the RDS role will be installed.


From the Azure Platform click New, Compute, Virtual Machine and then From Gallery, as seen below.

In Choose an Image select Windows Server 2012 R2. Click Next.

Enter the credentials for your virtual machine and then click Next.

On the Virtual Machine Configuration screen enter the virtual network we created earlier as well as the storage account. Click Next.

On the Endpoints page add HTTPS and click OK to finish the virtual machine configuration. This endpoint exposes TCP 443 on the VM to the internet, which is where RD Web Access will be reached, so complete the SSL certificate step at the end of this post before users are pointed at it.


Now that our virtual machine is up and running, let's connect to it and configure Active Directory.

Open PowerShell and enter the command "Install-WindowsFeature AD-Domain-Services -IncludeManagementTools" to lay down the binaries for Active Directory. Next enter the command "Install-ADDSForest -DomainName (your domain name here)". The virtual machine will shut down and restart once this completes. The next step is to add the DNS server to our Azure virtual network: from the virtual network click Configure, then add the name of the AD server we just created as well as its IP address, as seen below. VERY IMPORTANT!!!! Also enable Remote Management on the local server; it must be enabled for the installation of the Remote Desktop Services role to succeed.

To check the IP address of the server, view the network configuration. You may have to stop and start the virtual machine for the network's IP configuration to take effect. Once it does you will have the same IP configuration as we do below.

Once confirmed, our next step is to do a little DNS cleanup. This removes issues with DNS resolution, not only internally but externally as well. We need to remove all forwarders and have DNS listen only on the IPv4 address, as seen below.

Once you have removed the forwarders and checked only the IPv4 address to listen on, install any pending security updates from Microsoft and restart the server.
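The DNS cleanup and the Remote Management step above, done from PowerShell on the new domain controller, as an added example that is not part of the original post. It assumes the DNS Server role is present (Install-ADDSForest installs it) and that the VM has a single non-loopback IPv4 address; the Set-DnsServerSetting round trip is the module equivalent of the Listen On tab in the DNS console.

```powershell
# Added example (not the original post's commands): the DNS cleanup and the
# Remote Management step from the post, done from PowerShell on the new DC.
# Assumes the DNS Server role is installed and the VM has one usable IPv4 address.
Import-Module DnsServer

# 1. Remove every configured forwarder so the DC resolves external names via root hints only.
$Forwarders = Get-DnsServerForwarder
if ($Forwarders.IPAddress) {
    Remove-DnsServerForwarder -IPAddress $Forwarders.IPAddress -Force
}

# 2. Bind the DNS service only to the VM's IPv4 address, not to every interface
#    address (the post's "listen only on the IPv4 address"). Loopback and
#    link-local addresses are skipped by looking at how the address was assigned.
$Ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin.ToString() -in 'Dhcp', 'Manual' -and $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -First 1 -ExpandProperty IPAddress

$Setting = Get-DnsServerSetting -All
$Setting.ListeningIPAddress = @($Ipv4)
Set-DnsServerSetting -InputObject $Setting

# 3. Enable Server Manager remote management, which the RDS role installation requires.
Configure-SMRemoting.exe -Enable

# 4. Show the result so it can be compared with the screenshots in the post.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
(Get-DnsServerSetting -All).ListeningIPAddress
```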

Our next step is to install the RDS role. Click Manage from Server Manager, then Add Roles. Select your server and then Remote Desktop Services installation. Click Next.

In the deployment type select Quick Start, then click Next.

Select Session-based desktop deployment, then click Next.

With your server added, click Next. On the final page check the box to restart the server automatically during the configuration. The server will restart one time and then complete the install.

Once the install is complete you will be given a link to connect to your newly created RDS deployment, as seen below. Once logged in you will see the default applications you can connect to, as seen below.

To configure an SSL certificate for secure communications, create a certificate request to your trusted certificate authority and complete the request once the certificate is received.
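The Quick Start deployment, its default RemoteApps and the certificate step as an added PowerShell example (not the post's own steps), using the RemoteDesktop module on the single Azure VM. Assumptions: the server's FQDN is what users will connect to, and the CA-issued certificate has been exported with its private key to the PFX path shown; if the session host role is installed on this same server by step 1, the server restarts and steps 2 to 4 are run after the reboot.

```powershell
# Added example (not the post's own steps): Quick Start style session deployment,
# the three default RemoteApps and the SSL certificate binding, from PowerShell.
# Assumed values: this VM's FQDN, and a CA-issued PFX at $PfxPath.
Import-Module RemoteDesktop

$Server  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # FQDN of this VM
$PfxPath = 'C:\Certs\rds-webaccess.pfx'                                  # assumption
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Session-based deployment with broker, web access and session host all on this server.
#    If the session host role is new on this machine, expect a restart here.
New-RDSessionDeployment -ConnectionBroker $Server -WebAccessServer $Server -SessionHost $Server

# 2. The collection Quick Start creates, plus its three default RemoteApps.
New-RDSessionCollection -CollectionName 'QuickSessionCollection' -SessionHost $Server -ConnectionBroker $Server
$Apps = @{ Calculator = 'C:\Windows\System32\calc.exe'
           Paint      = 'C:\Windows\System32\mspaint.exe'
           WordPad    = 'C:\Program Files\Windows NT\Accessories\wordpad.exe' }
foreach ($Name in $Apps.Keys) {
    New-RDRemoteApp -CollectionName 'QuickSessionCollection' -DisplayName $Name `
        -FilePath $Apps[$Name] -ConnectionBroker $Server
}

# 3. Bind the CA-issued certificate to each deployed role so clients coming in through the
#    HTTPS endpoint see a trusted certificate rather than the self-signed one created by setup.
foreach ($Role in 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $Role -ImportPath $PfxPath -Password $PfxPass -ConnectionBroker $Server -Force
}

# 4. Verify: every role should now show Level "Trusted" with the expected subject and expiry.
Get-RDCertificate -ConnectionBroker $Server | Format-Table Role, Level, IssuedTo, ExpiresOn
```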


You have successfully completed the deployment of Remote Desktop Services in Windows Azure!!!!

By: Adnan Cartwright

Resource Links:

Windows Azure and Server 2012 R2 Downloads: http://aka.ms/msproducts 

Friday, November 29, 2013

Deploying an Internal PKI for Azure Recovery Services Prerequisite

Azure Recovery Services uses certificates to authenticate and encrypt connections to and from the Azure platform. In the training video Configuring Azure Backup In Windows Server 2012, the PKI environment was already set up and configured. This blog entry is the prerequisite to that configuration.

In our lab we have a domain controller, where Active Directory Certificate Services will be installed, and a file server, running the Windows Server 2012 R2 and Windows Server 2012 operating systems. Below is a picture of the lab in Hyper-V.

Let's get our PKI installed. On DC-1 we will add a role and select Active Directory Certificate Services.

Next we will take the default selection of a certificate authority and click Next.

Once installation is completed, our next step is to configure the Certificate Authority for certificate distribution.

When the Specify Credentials screen appears we will take the defaults and click Next.

Select Certificate Authority and click Next.

Select Enterprise CA and click Next.

Select Root CA and click Next.

We will create a new private key and click Next.

In Cryptography for CA we will select 4096 for the key length, SHA256 for the hash algorithm and RSA#Microsoft Software Key Storage Provider for the cryptographic provider, and click Next. The hash algorithm chosen here signs every certificate this CA issues, so SHA256 rather than SHA1 is the right choice: SHA1 signatures are deprecated and rejected by modern clients.

We will use the default for the CA name.

For the validity period we will use 3 years. Keep in mind that a CA cannot issue certificates that outlive its own certificate, so the CA certificate must be renewed before it approaches expiry.

We will take the database defaults and click Next.

Confirm our configuration and then click Configure.

We have successfully configured an internal PKI environment.

Our Certificate Services is now ready to distribute certificates on the network and to Azure!
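The same Enterprise Root CA build from PowerShell on DC-1, as an added example that is not part of the original post: it uses the ADCSDeployment module with the exact wizard choices above and then reads the CA's own certificate back to confirm the key size, signature algorithm and expiry. It assumes an account in Enterprise Admins.

```powershell
# Added example (not the post's own steps): the Enterprise Root CA configuration the
# wizard screens above walk through, done from PowerShell on DC-1 as an Enterprise Admin.

# 1. Add the role and its management tools (the "add a role" step).
Import-Module ServerManager
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Post-install configuration with the choices from the screens: Enterprise CA,
#    Root CA, new 4096-bit RSA key in the software KSP, SHA256 signing,
#    default CA name, 3-year validity and default database paths.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 3 `
    -Force

# 3. Verify: the CA service is running and its self-signed certificate (held with the
#    private key in the machine store) shows the expected key size, algorithm and expiry.
Get-Service CertSvc | Select-Object Name, Status

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq $_.Issuer } |
    Select-Object Subject, NotAfter,
        @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } },
        @{ n = 'SigAlg';  e = { $_.SignatureAlgorithm.FriendlyName } }   # expect sha256RSA
```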

Next we will head to our file server, select Run, then enter mmc to open the Microsoft Management Console.

In the console we will select File, then Add/Remove Snap-in.

In the snap-in list select Certificates, then the Add button.

Select Computer account, then click Next.

Leave the default selection of Local computer, then select Finish.

Note that Certificates on the local computer are now selected for management. Click OK.

Expand Certificates, then Personal and then Certificates.

Right-click an empty spot in the right pane for the menu to appear. Select All Tasks, then Request New Certificate.

The enrollment wizard will start; click Next.

Select Computer, then Enroll.

The certificate request for enrollment is successful! Click Finish to close out.

Our next step is to export the certificate. Make sure that the certificate you are exporting is the one with the Client Authentication purpose. Select your certificate, right-click, select All Tasks, then Export.

Do not export the private key, as it is not needed for Azure Recovery Services. The exported file then contains only the public certificate; the private key stays in the file server's machine store, where the backup agent uses it when registering with the vault.

We will take the default of the DER encoded binary X.509 cert.

I will place the certificate on the desktop for easy access.

The export of our certificate is successful!

You now have a certificate for your Azure Recovery Services vault in the Azure platform!
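The enrollment and export steps above from PowerShell on the file server, as an added example that is not part of the original post. It assumes the PKI module (Windows Server 2012 and later), that "Machine" is the template name behind the Computer template shown in the wizard, and that the CA is discoverable through Active Directory; the checks confirm the Client Authentication purpose before export and that the exported file is DER-encoded with no private key.

```powershell
# Added example (not the post's own steps): request the Computer certificate from the
# enterprise CA and export it DER-encoded without the private key, as the MMC steps do.
# Assumption: "Machine" is the built-in template name of the Computer template.
Import-Module PKI

# 1. Enroll a certificate from the Computer template into the machine store (CA found via AD).
$Result = Get-Certificate -Template 'Machine' -CertStoreLocation 'Cert:\LocalMachine\My'
if ($Result.Status -ne 'Issued') { throw "Enrollment status: $($Result.Status)" }
$Cert = $Result.Certificate

# 2. Check it is the right certificate: Client Authentication EKU present, private key present.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$EkuExt = $Cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($EkuExt.EnhancedKeyUsages | Where-Object Value -eq $ClientAuthOid)) {
    throw 'Certificate lacks the Client Authentication purpose'
}
if (-not $Cert.HasPrivateKey) { throw 'Private key is missing from the machine store' }

# 3. Export the public certificate only; Export-Certificate never writes the private key,
#    and -Type CERT is the DER encoded binary X.509 format the wizard defaults to.
$OutFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'recovery-services.cer'
Export-Certificate -Cert $Cert -FilePath $OutFile -Type CERT | Out-Null

# 4. Re-read the file: DER starts with 0x30 (an ASN.1 SEQUENCE) and carries no private key.
$Reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
[pscustomobject]@{
    File          = $OutFile
    DerSequence   = ([System.IO.File]::ReadAllBytes($OutFile)[0] -eq 0x30)
    Thumbprint    = $Reloaded.Thumbprint
    HasPrivateKey = $Reloaded.HasPrivateKey   # expect $false: only the public cert was exported
}
```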


To get a free 30 day trial to Azure - http://aka.ms/try-azure
 
To download Windows Server 2012 R2 - http://aka.ms/msproducts