[Tutorial] Configuring Direct Access on Server 2012 R2

This tutorial will cover deployment of Windows Server 2012 R2's latest version of DirectAccess.  While there are multiple ways to configure Direct Access, I tried to pull together what I believe are the best/recommended practices and what I believe would be a common deployment between organizations.  If you have any thoughts/feedback on how to improve this deployment, please leave a comment below.

Before beginning, if you are curious what DirectAccess is, here is a brief overview of what it is and what it will allow us to accomplish.

DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 "Enterprise" edition clients.
http://en.wikipedia.org/wiki/DirectAccess

Prerequisites

  • Domain Admin rights to complete the tutorial below
  • Windows Server 2012 R2 machine
    • Two network cards - One in your internal network, the other in your DMZ
    • Joined to your domain
    • Latest Windows Updates
      (seriously, apply these, there are updates released specifically for DirectAccess)
  • DMZ
  • PKI Setup (Public Key Infrastructure, i.e. an internal certificate authority that can issue the server and client certificates)
    • Custom template setup for issuing servers with an intended purpose of Server Authentication
    • Certificate auto-enrollment has been configured
  • Active Directory Security Group designated with Computer Objects allowed to use DirectAccess

  1. Log in to the Server 2012 R2 server that will host DirectAccess
  2. Ensure all windows updates have been applied.
    Latest Windows Updates
  3. Open up Server Manager
    Server 2012 R2 - Server Manager
  4. Select Manage -> Add Roles and Features
    Server 2012 - Manage - Add Roles and Features
  5. Click Next > on the Before you Begin step
    Add Roles and Features Wizard - Before you begin
  6. Ensure Role-based or feature-based installation is checked and click Next >
    Add Roles and Features Wizard - Select installation type
  7. Select Next > on the Select destination server step
    Add Roles and Features Wizard - Select destination server
  8. Check Remote Access and click Next >
    Add Roles and Features Wizard - Server Roles - Remote Access
  9. Click Next > on the Select Features step
    Add Roles and Features Wizard - Server Roles - Features
  10. Click Next > on the Remote Access step
    Add Roles and Features Wizard - Remote Access
  11. Check DirectAccess and VPN (RAS)
    Add Roles and Features Wizard - Remote Access
  12. Click the Add Features button on the dialog box that prompts
    Add Roles and Features Wizard - Remote Access - Add Features
  13. Check DirectAccess and VPN (RAS) and then click Next >
    Add Roles and Features Wizard - Remote Access - Select role services
  14. Click Next > on the Web Server Role (IIS) page
    Add Roles and Features Wizard - Web Server Role IIS
  15. Click Next > on the Role Services page
    Add Roles and Features Wizard - Web Server Role IIS - Role Services
  16. Check the Restart the destination server automatically if required checkbox and click Yes on the dialog box.
    Add Roles and Features Wizard - Confirm installation selections
    Add Roles and Features Wizard - Restart is required dialog
  17. Click Install
    Add Roles and Features Wizard - Confirm installation selections - Restart the destination server automatically if required
  18. Click Close when the install has completed
    Add Roles and Features Wizard - Results
  19. Back in Server Manager, click on Tools -> Remote Access Management (You can ignore the warning icon, the Open the Getting Started Wizard will only do a quick setup of DirectAccess.  We want to do a full deployment).
    Server Manager - Tools - Remote Access Management
    Here is what the quick deployment looks like.  Don't click on this.
    Server Manager - Post-Deployment Configuration - DirectAccess
  20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and then click on the Run the Remote Access Setup Wizard.
    Remote Access Management Console - DirectAccess and VPN
  21. On the Configure Remote Access window, select Deploy DirectAccess only
    Configure Remote Access - Deploy DirectAccess Only
  22. Click on the Configure... button for Step 1: Remote Clients
    Remote Access Management Console - DirectAccess and VPN - Step 1 Remote Clients
  23. Select Deploy full DirectAccess for client access and remote management and click Next >
  24. Remote Access Setup - Deploy full DirectAccess for client access and remote management
  25. Click on the Add... button
  26. Remote Access Setup - Select one or more security groups containing client computers that will be enabled for DirectAccess
  27. Select the security group inside of Active Directory that will contain computer objects allowed to use DirectAccess and click OK
    Remote-Access-Setup-Select-Groups
  28. Optionally, uncheck or check Enable DirectAccess for mobile computers only as well as Use force tunneling and click Next >
    1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to determine if it is a laptop/tablet.  If WMI determines the machine is not a "mobile device", the group policy object will not be applied to those machines in the security group.  In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group.
    2. If Use force tunneling is checked, computers will always use the direct access server when remote.  For example, if the user surfs the web to a public website like jackstromberg.com, the traffic will go through the DirectAccess tunnel and back to the machine, rather than directly to the ISP.  Generally, this is used for strict compliance environments that want all network traffic to flow through a central gateway.
      Remote Access Setup - Select Groups - Next
  29. Double click on the Resource | Type row
    1. What this step is trying to do is find a resource on the internal network that the client can "ping" to ensure the DirectAccess client has successfully connected to the internal network.
      Remote Access Setup - Network Connectivity Assistant - Resource Type
  30. Select whether you want the client to verify it has connected to the internal network via an HTTP response or a network ping, optionally click the Validate button to test the connection, and then click Add
    1. You may want to add a couple of resources for failover testing purposes; however, it isn't recommended to list every resource on your internal network.
      Remote Access Setup - Network Connectivity Assistant - Configure Corporate Resources for NCA
  31. Enter in your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), and check Allow DirectAccess clients to use local name resolution and click Finish.
    1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to.  In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution; allowing the client to at least access some things via DNS.
      Remote Access Setup - Network Connectivity Assistant - Helpdesk email address - DirectAccess connection name
  32. Click on Configure... next to Step 2: Remote Access Server
    Remote Access Management Console - DirectAccess and VPN - Step 2 Remote Access Server
  33. On the Remote Access Server Setup page, select Behind an edge device (with two network adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect back to your environment, and then click Next >
    1. NOTE: By default, your domain's FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, .whatever.
    2. As an additional side note, here is some information from the following KB article on the differences between the topologies.  From what I gather, using the dual NIC configuration is Microsoft's best practice from a security standpoint.
      • Two adapters—With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network, the other is connected to the internal network.
      • Single network adapter—In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.

    Remote Access Server Setup - Network Topology

  34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
    Remote Access Server Setup - Network Adapters - External Internal
  35. Leave the Remote Access Setup screen open and right click on Start button and select Run
    Server 2012 - Run
  36. Type mmc and select OK
    Server 2012 - Run - mmc
  37. Click File -> Add/Remove Snap-in...
    mmc - File - Add-Remove Snap-in
  38. Select Certificates and click Add >
    Add or Remove Snap-ins - Certificates
  39. Select Computer account and click Next >
    Certificates snap-in - Computer Account
  40. Ensure Local Computer is selected and click Finish
    Certificates snap-in - Select Computer
  41. Click OK on the Add or Remove Snap-ins window
    Add or Remove Snap-ins - Certificates - Local Computer
  42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates and select Request New Certificate...
    Certificates - All Tasks - Request new certificate
  43. Click Next on the Before You Begin screen
    Certificate Enrollment - Before You Begin
  44. Click Next on the Select Certificate Enrollment Policy
    Certificate Enrollment - Select Certificate Enrollment Policy
  45. Select your template that will support server authentication and click More information is required to enroll for this certificate.  Click here to configure settings.
    Certificate Enrollment - Request Certificates

    1. Note: The WebServers enrollment policy is not something Microsoft configures out of the box.  You will need to log in to your certificate authority, duplicate the Web Server template with the settings you wish, ensure your user group has the Enroll permission for the template, and then publish it to AD.
  46. On the Subject tab, enter the following values (substituting in your company's information):
    Common name: da.mydomain.com
    Country: US
    Locality: Honolulu
    Organization: My Company
    Organization Unit: Information Technology
    State: Hawaii
    Certificate Enrollment - Certificate Properties - Subject Tab
  47. On the Private Key tab, expand Key options and check Make private key exportable.  Click Apply when done.
    Certificate Enrollment - Certificate Properties - Private Key Tab
  48. Click Enroll.
    Certificate Enrollment - Request Certificates - Enroll
  49. Click Finish.
    Certificate Enrollment - Certificate Installation Results
  50. Go back to the Remote Access Setup screen and click Browse...
    Remote Access Server Setup - Network Adapters - External Internal
  51. Select your da.mydomain.com certificate we just created and click OK.
    Remote Access Setup - Select a certificate
  52. Click Next >
    Remote Access Setup - Network Adapters - External Internal Certificate
  53. Check Use computer certificates and check Use an intermediate certificate and then click Browse...
    Remote Access Setup - Authentication - Active Directory Credentials
  54. Select the certificate authority that will be issuing the client certificates and click OK
    Remote Access Setup - Authentication - Select a certificate
  55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP.  Note: Configuring these two options is not covered in the scope of this tutorial.  Click Finish when done.
    Remote Access Setup - Authentication - Finish
  56. Click on Configure... next to Step 3: Infrastructure Servers
    Remote Access Management Console - DirectAccess and VPN - Step 3 Infrastructure Servers
  57. On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address to the Network Location Server, and click Next >
    1. So for whatever reason, there aren't many articles explaining what exactly the network location server is and how to set it up.  From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network.  The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
      Remote Access Setup - Network Location Server
  58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) is checked and click Next >
    Remote Access Setup - Infrastructure Server Setup - DNS
  59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local domain's suffix has been added, and click Next >
    Remote Access Setup - DNS Suffix Search List
  60. Click Finish on the Management page.
    Remote Access Setup - Management
  61. Click the Configure.... button on Step 4: Application Servers
    Remote Access Management Console - Step 4 Application Servers
  62. Check Do not extend authentication to application servers and click Finish
    Remote Access Setup - Do not extend authentication to application servers
  63. Click Finish... on the Remote Access Management Console page
    Remote Access Management Console - Finish
  64. Click Apply on the Remote Access Review page
    Remote Access Review - Summary of Remote Access configuration settings
  65. Click Close once direct access has successfully finished deploying
    Apply Remote Access Setup Wizard Settings - The configuration was applied successfully
  66. Log in to one of your Windows 8.X Enterprise machines that is inside of your DirectAccess Computers security group and run gpupdate from a command prompt to pull down the latest group policy.
  67. At this point, you should now be able to login to your network via DirectAccess!
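A client-side check for steps 66-67, added here as an example and not part of the original post: it reports whether the DirectAccess GPO reached the machine (NRPT rules), whether the client thinks it is inside or outside (the Network Location Server probe), the IP-HTTPS and IPsec tunnel state, and whether a computer certificate with the Client Authentication EKU is present. It assumes a Windows 8.x Enterprise client that is a member of the DirectAccess security group; the cmdlets are in-box on Windows 8/8.1, and the EKU check is my addition, not something the wizard configures.

```powershell
# Added example (not from the original post). Run on a Windows 8.x Enterprise
# client that is a member of the DirectAccess security group, after gpupdate.
function Test-DirectAccessClient {
    $report = [ordered]@{}

    # 1. Did the DirectAccess client GPO apply? The Name Resolution Policy
    #    Table is populated only when the policy applied (and, with "mobile
    #    computers only" checked in step 28, only when the WMI filter matched).
    $nrpt = Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue |
            Where-Object { $_.DirectAccessEnabled }
    $report.NrptRulesApplied = @($nrpt).Count
    $report.NrptNamespaces   = @($nrpt | ForEach-Object { $_.Namespace })

    # 2. Mobile-only deployments: Win32_ComputerSystem.PCSystemType 2 means
    #    "Mobile"; desktops and VMs report other values and get no policy.
    $cs = Get-CimInstance Win32_ComputerSystem
    $report.PartOfDomain = $cs.PartOfDomain
    $report.PCSystemType = $cs.PCSystemType

    # 3. Inside or outside? NCSI probes the Network Location Server URL from
    #    step 57; if it answers, the client is "inside" and DirectAccess idles.
    $ncsi = Get-NCSIPolicyConfiguration -ErrorAction SilentlyContinue
    $report.NlsUrl          = $ncsi.DomainLocationDeterminationUrl
    $report.NetworkCategory = @(Get-NetConnectionProfile |
                                ForEach-Object { $_.NetworkCategory })

    # 4. Overall state as the Network Connectivity Assistant sees it
    #    (e.g. ConnectedRemotely, ConnectedLocally, Error).
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $report.DAStatus    = $da.Status
    $report.DASubstatus = $da.Substatus

    # 5. Transport and tunnel: IP-HTTPS interface state, and the IPsec main
    #    mode SAs produced by computer-certificate authentication (step 53).
    $ipHttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    $report.IPHttpsState     = $ipHttps.State
    $report.IPHttpsLastError = $ipHttps.LastErrorCode
    $report.IPsecMainModeSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count

    # 6. Computer certificate from the internal CA chosen in step 54; the
    #    Client Authentication EKU OID is 1.3.6.1.5.5.7.3.2. Without it the
    #    IPsec tunnel cannot authenticate and IPHttpsState stays unconnected.
    $report.ClientAuthCerts = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
        ForEach-Object { $_.Subject })

    [pscustomobject]$report
}

Test-DirectAccessClient | Format-List
```

Run it once on the LAN (expect a DomainAuthenticated profile and ConnectedLocally) and once from an outside network (expect ConnectedRemotely with at least one IPsec main mode SA); a zero NrptRulesApplied on both means the GPO never reached the client and the security group membership or WMI filter is the first thing to check.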

NOTES:

Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment.  Once you click on the link, in the bottom left corner, you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx

Here is another article from Microsoft with a more indepth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx

Office 365 - Single Sign-On for SharePoint, Skydrive, CRM, etc. via Smart Links

Update: I have released a smart link generator to have these items created automatically, please find this here: http://jackstromberg.com/o365-smart-linksso-link-generator/

Synopsis: One of the biggest problems I have seen with Office 365 is ease of access to all of the Office 365 resources.  As pointed out on many of the Microsoft forums, SharePoint, CRM, Skydrive, etc. do not automatically complete a single sign-on request when browsing the website.

Problem: When a user browses https://mydomain.sharepoint.com for example, the user is prompted to enter their email address.  What a user expects is to be logged in automatically and see SharePoint when navigating to https://mydomain.sharepoint.com.  Additionally, for whatever reason, users cannot remember the website address https://mydomain.sharepoint.com.  Instead, they want to use something like http://sharepoint.mydomain.com

Solution: Create name-branded "fancy URLs" that complete an IdP-initiated sign-in against ADFS, giving the user a true SSO experience.

  • http://owa.mydomain.com
  • http://sharepoint.mydomain.com
  • http://skydrive.mydomain.com
  • http://crm.mydomain.com

Solution:

  1. Open up Internet Explorer
  2. Navigate to https://mydomain.sharepoint.com
    Sign into Office 365
  3. Press F12 to open up the developer tools console (I am running IE 11, the console looks way different than previous versions of IE)
    Sign into Office 365 - Developer Console
  4. Scroll down and select the icon that looks like a little WiFi antenna
    Sign into Office 365 - Developer Console - Network
  5. Click the green play button
    Sign into Office 365 - Developer Console - Network - Start Capture
  6. Type in your email address as you would to login to sharepoint ([email protected])
  7. You should be redirected to your ADFS server and inside the network console, you should see a link like https://sts.mydomain.com/adfs/ls/?..................  Copy this link into notepad.
    Office 365 - Federated URL
  8. Remove the extra stuff from the debug console
    Before
    Office 365 - Federated URL - Notepad

    After
    Office 365 - Federated URL - Cleaned - Notepad
  9. Remove everything from cbcxt=..... to wa=wsignin1.0
    Office 365 - Federated URL - cbcxt removed
  10. Remove the ct%3D1386214464%26 and bk%3D1386214464%26 parameters
    Office 365 - Federated URL - ct and bk removed
  11. Next, open up another new notepad document named index.html and paste the following text into it
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
      <title>CRM</title>
      <meta http-equiv="refresh" content="0; url=https://sts.mydomain.com link goes here" />
    </head>
    <body>
    </body>
    </html>
    Redirect to URL template

  12. Replace https://sts.mydomain.com link goes here with your new smart link and save the document.
    Redirect to federated URL
  13. Upload the index.html file to one of your web servers
  14. Create a new A record called sharepoint.mydomain.com pointing to your webserver
  15. Now when a user browses http://sharepoint.mydomain.com, the user will automatically be redirected to your secure ADFS Proxy and authenticate automatically.

You will need to repeat the steps above for each of the Office 365 products your company uses.  The federated addresses do change, so you will have to follow all of the steps over again for each Smart Link you wish to create.
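Since the cleanup has to be repeated for every product, here is the string editing of steps 9 and 10 as a PowerShell function, together with the index.html template from step 11, added as an example; it is not the post's own smart link generator. The captured URL is a constructed sample that resembles what the IE network capture shows (the ct/bk values are the ones from the post, everything else is made up), and the wtrealm/wctx parameter names are the standard WS-Federation ones, assumed here rather than taken from the post.

```powershell
# Added example (not the post's generator). Steps 9-10 as code, plus the
# step 11 page with the link inserted and HTML-escaped.
function ConvertTo-SmartLink {
    param([Parameter(Mandatory)] [string] $CapturedUrl)

    # Step 9: drop everything from cbcxt=... up to (not including) wa=wsignin1.0.
    # That span also carries username=<you>, so the published link must not
    # keep it; otherwise every visitor is offered the capturing admin's name.
    $link = $CapturedUrl -replace 'cbcxt=.*?(?=wa=wsignin1\.0)', ''

    # Step 10: remove the URL-encoded ct=<timestamp>& and bk=<timestamp>&
    # parameters inside wctx; they are per-session timestamps. The lookbehind
    # keeps "ct%3D" from matching inside some other parameter name.
    $link = $link -replace '(?<![a-z])ct%3D\d+%26', ''
    $link = $link -replace '(?<![a-z])bk%3D\d+%26', ''
    return $link
}

function New-SmartLinkPage {
    param([Parameter(Mandatory)] [string] $SmartLink,
          [string] $Title = 'SharePoint')
    # A raw & inside an attribute is invalid in XHTML Strict; browsers forgive
    # it, but validators and some proxies do not, so escape the link.
    $escaped = [System.Net.WebUtility]::HtmlEncode($SmartLink)
@"
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>$Title</title>
  <meta http-equiv="refresh" content="0; url=$escaped" />
</head>
<body>
</body>
</html>
"@
}

# Constructed sample capture (parameter values invented; ct/bk use the
# post's 1386214464). A real capture is pasted in from the IE network tab.
$captured = 'https://sts.mydomain.com/adfs/ls/?cbcxt=o365&vv=1400&username=admin%40mydomain.com&mkt=en-US&lc=1033' +
            '&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline' +
            '&wctx=wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1386214464%26rver%3D6.1.6206.0%26wp%3DMBI' +
            '%26wreply%3Dhttps%3A%2F%2Fmydomain.sharepoint.com%2F%26lc%3D1033%26id%3D271346%26bk%3D1386214464%26LoginOptions%3D3'

$smart = ConvertTo-SmartLink -CapturedUrl $captured
# Sanity check before publishing: none of the stripped pieces may survive.
if ($smart -match 'username=|cbcxt=|ct%3D\d+%26|bk%3D\d+%26') { throw 'smart link cleanup failed' }
$smart
New-SmartLinkPage -SmartLink $smart -Title 'SharePoint' |
    Set-Content -Path .\index.html -Encoding UTF8
```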

NOTES:

Here is an official article on creating smart links: http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

Server 2012 R2 - Missing Group Policy - Internet Explorer Maintenance

Symptom: When navigating to User Configuration - Policies - Windows Settings via Group Policy Management Editor, Internet Explorer Maintenance is missing from the list of configurable policies.

Server 2012 - Group Policy Management Editor - User Configuration - Policies - Windows Settings

Explanation: Internet Explorer 10 (which is installed by Default on Server 2012 R2) deprecates Internet Explorer Maintenance (IEM) in favor of a more robust tool called Group Policy Preferences.  The following Microsoft KB article lists the alternatives to the Internet Explorer Maintenance policies: http://technet.microsoft.com/library/hh846772.aspx

Solution: Remove the old Internet Explorer Maintenance policies and switch over to use Preferences to manage your domain machines.  This tutorial will not go into using Preferences, however it will go over removing the Internet Explorer Maintenance policies from your GPO.  Since I went ahead and upgraded our environment to Server 2012 R2 I ended up having to configure a new Server 2008 R2 machine.  If someone has an easier solution, please let me know in the comments below.

  1. Log in to any member machine of the domain that is running Server 2008 R2 or earlier and does not have Internet Explorer 10 or greater installed
  2. Open up Server Manager
    Server Manager
  3. Install Group Policy Management if it is not installed
    1. Select Features and click Add Features
      Server Manager 2008 R2 - Add Features
    2. Select Group Policy Management and click Next >
      Server 2008 R2 - Add Features Wizard - Group Policy Management
    3. Click Install
      Server 2008 R2 - Add Features Wizard - Group Policy Management - Install
    4. Click Close
      Server 2008 R2 - Add Features Wizard - Group Policy Management - Close
  4. Select Features -> Group Policy Management -> Expand your forest -> Expand Domains -> Select your domain -> Right click and Edit... one of your policies
    Server Manager 2008 R2 - Features - Group Policy Management - Edit GPO
  5. Expand User Configuration -> Policies -> Software Settings -> Windows Settings and select Internet Explorer Maintenance.
  6. Right click on Internet Explorer Maintenance and select Reset Browser Settings
    Group Policy Management Editor - User Configuration - Policies - Windows Settings - Internet Explorer Maintenance - Reset Browser Settings
  7. Click Yes on the Internet Explorer Maintenance dialog box
    Internet Explorer Maintenance Dialog Box
  8. If all went well, you should now see all of the deprecated Internet Explorer Maintenance policies removed from your Group Policy Object.
    Before
    Group Policy Management - Before
    After
    Group Policy Management - After

Notes:
Official KB on installing Group Policy Management: http://technet.microsoft.com/en-us/library/cc725932.aspx

Official KB article on replacements for Internet Explorer Maintenance: http://technet.microsoft.com/en-us/library/jj890998.aspx

Forum post showing frustration over this: http://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance?forum=winserver8gen

Yammer and Office 365 Enterprise

If you are on the enterprise plans of Office 365 (E4 for example), your users may be eligible to use Microsoft's enterprise social network called Yammer.  This article will cover a few questions I was curious about when rolling out Yammer as well as what to expect.

How do I tell if I am eligible?

  1. Login to the Office 365 admin portal (https://portal.microsoftonline.com)
  2. Click on included services on the dashboard
    Office 365 Portal - Included Services

How do I activate Yammer?

  1. If you are eligible for the Yammer service, click on the Yes, activate Yammer Enterprise for my network
    Office 365 Portal - Included Services
  2. Click on the Activate Yammer Enterprise button
    Office 365 - Activate Yammer Enterprise
  3. You will be redirected to a screen where you see a loading bar.  Grab a can of pop/coffee/tea/water and come back.
    Office 365 - We're activating Yammer Enterprise
  4. Click on the Create Yammer Account link once Yammer Enterprise has been provisioned.
    Office 365 - Yammer Enterprise is now ready
  5. Type in the same email address you use for your Office 365 Admin credentials
    Sign Up for Yammer
  6. If successful, you should see the screen below:
    Yammer - Thank you for signing up
  7. Check your email and click on the Complete Signup button
    Yammer Activation Email
  8. Type in your information and click the Next button
    Yammer - Welcome to the network
  9. Click Next on the who do you work with page, or spam your colleagues to sign up as well.
    Yammer - Who do you work with
  10. Join or create any groups you would like and then click Next
    Yammer - Join Relevant Groups
  11. Optionally, add a profile picture and click Save & Continue
    Yammer - Add your profile photo
  12. Click on the 3 dots in the top right corner and select Network Admin
    Yammer - Network Admin
  13. Welcome to your Yammer Enterprise Admin portal!  Here you can manage all aspects of Yammer for your organization.
    Yammer - Network Admin - Dashboard
  14. Lastly, if you go back to your Office 365 Admin portal, you should see a link that will redirect you to the Yammer.com website.
    Office 365 - Admin - Yammer

FAQ

Does Yammer support single-sign on or ADFS?

Yammer does not currently support this integration.

Will Yammer find users previously signed up with email addresses from @mydomain.com?

Yes

Does Microsoft have plans on continuing to integrate Yammer and Office 365?

Yes, Microsoft has announced they would like deeper integration with Office 365, more specifically with functionality in SharePoint.  Quarter 4 of this year (2013) was their deadline for the first integration, and we have seen they have started to deliver.  However, there are no specific dates yet of when users will be 100% synchronized between the two systems.

When I activate Yammer on Office 365 for my organization will it email all of my users to create profiles?

No, they will have to manually join or you will have to manually send them invites to create a separate Yammer account.

Error: DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Error
DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.
BPA - Error DHCP Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server

What does this mean?

If the DHCP service is installed on your domain controller without a service account configured, DNS registrations on behalf of DHCP clients will fail by default, and the DHCP server will log event 1056 in Event Viewer.

Solution: Complete the following steps below to change the credentials of the service account used for DHCP.

  1. Before beginning, make sure you have a service account you can use to set the DHCP Server to run as.  This account should be a domain account (not a local account) and should not have any fancy privileges (standard user account, not an administrator).
  2. Open up Server Manager
    Server 2012 R2 - Server Manager
  3. Click Tools and select DHCP
    Server Manager - Tools - DHCP
  4. Expand your DHCP server and right click on the IPv4 service and select Properties
    DHCP - IPv4 - Properties
  5. Select the Advanced tab and then click the Credentials... button
    DHCP - IPv4 Properties - Advanced - Credentials...
  6. Enter in the User name, domain, password, and confirmation password to the user and click OK
    DNS dynamic update credentials
  7. Click OK on the IPv4 Properties screen
  8. Repeat this step on each of the DHCP servers in your domain.  It is recommended to use the same service account on each of the machines.
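The same change as the Credentials... dialog above, applied to every DHCP server authorized in Active Directory, plus a look at the System log for the event 1056 entries the BPA rule is about. This is an added example, not part of the original post; it assumes the DhcpServer PowerShell module (Server 2012 or RSAT), a pre-created non-privileged domain account whose name you supply at the prompt, and that the DHCP server logs event 1056 under the provider name Microsoft-Windows-DHCP-Server.

```powershell
# Added example (not from the original post). Requires the DhcpServer module.
function Set-DhcpDnsCredentialEverywhere {
    param(
        # Standard domain user, not an admin; the DHCP service stores and uses
        # this secret, so it should be able to do nothing but DNS updates.
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Get-DhcpServerInDC lists every DHCP server authorized in AD, which is
    # the set step 8 says to repeat the change on.
    foreach ($server in Get-DhcpServerInDC) {
        try {
            Set-DhcpServerDnsCredential -ComputerName $server.DnsName -Credential $Credential -ErrorAction Stop
            $now = Get-DhcpServerDnsCredential -ComputerName $server.DnsName
            [pscustomobject]@{
                Server   = $server.DnsName
                UserName = $now.UserName
                Domain   = $now.DomainName
                Result   = 'updated'
            }
        } catch {
            [pscustomobject]@{
                Server   = $server.DnsName
                UserName = $null
                Domain   = $null
                Result   = $_.Exception.Message
            }
        }
    }
}

# Event 1056: the DHCP service on a DC refused to register client records
# because no credentials were configured. Provider name is an assumption.
function Get-DhcpDnsCredentialWarnings {
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $MaxEvents = 20)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DHCP-Server'
        Id           = 1056
    } | Select-Object TimeCreated, MachineName, Message
}

$cred = Get-Credential -Message 'Standard domain user the DHCP service will use for DNS updates'
Set-DhcpDnsCredentialEverywhere -Credential $cred | Format-Table -AutoSize
Get-DhcpDnsCredentialWarnings
```

After the change, new 1056 entries should stop appearing; existing ones remain in the log, so filter on TimeCreated when re-checking.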

Notes: The official KB article from Microsoft on this subject can be found here: http://technet.microsoft.com/en-us/library/ee941181(v=ws.10).aspx
Another very good Technet article written by karammasri on this subject can be found here: http://blogs.technet.com/b/stdqry/archive/2012/04/03/dhcp-server-in-dcs-and-dns-registrations.aspx

Warning: Short file name creation should be disabled

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Warning
Short file name creation should be disabled
Short file name creation should be disabled

What is short file name creation?

Back in the good ol' days of windows, filenames were limited to a format of 8 characters for the name, a period, and then 3 characters for a file extension.  The filename was limited by FAT formatted partitions.  Unless running very old legacy applications, this can be safely turned off to help with performance.

Solution: Complete the following steps below to disable short file name creation.

  1. Open up an elevated powershell console
    Server 2012 - PowerShell - Run as Administrator
  2. Execute the following command
    1. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name NtfsDisable8dot3NameCreation -Value 1
      Set-ItemProperty HKLM-SYSTEM-CurrentControlSet-Control-FileSystem
  3. Optionally, you can open up registry viewer and confirm the value has been changed.
    Registry Editor - HKLM-SYSTEM-CurrentControlSet-Control-FileSystem

Notes: An official KB article from Microsoft on this topic can be found here: http://technet.microsoft.com/en-us/library/ff633453(v=ws.10).aspx

Warning: Enable Receive Side Scaling (RSS) on a network adapter

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Warning
Enable Receive Side Scaling (RSS) on a network adapter
Server Manager - Best Practices Analyzer - Warning - Enable Receive Side Scaling RSS on a network adapter

What is Receive Side Scaling (RSS)?

Per Microsoft's website, Virtual Receive-side scaling (RSS) is a feature in Windows Server® 2012 R2 that allows the load from a virtual network adapter to be distributed across multiple virtual processors in a virtual machine.

Solution: Complete the following steps below to enable Receive-side scaling (RSS) on a network adapter.

  1. Open up an elevated command prompt
    Elevated Command Prompt
  2. Execute the following command
    1. netsh interface tcp set global rss=enabled
      command prompt - netsh interface tcp set global rss enabled
  3. At this point, Receive Side Scaling should be enabled.  Optionally, you can verify this in the Windows GUI.  Follow the steps below for verification.
    1. Execute the following command to open up device manager
      1. DEVMGMT.msc
        command prompt - devmgmt
    2. Expand Network adapters, right click on your adapter and select Properties
      device manager - network adapters - properties
    3. Select the Advanced tab and find Receive Side Scaling.  Set this to Enabled if it isn't already.
      Network Adapter Properties - Advanced - Receive Side Scaling

Notes:
An official KB article on this issue can be found here: http://technet.microsoft.com/en-us/library/gg162712(v=ws.10).aspx
An official KB article about Receive Side Scaling can be found here: http://technet.microsoft.com/en-us/library/dn383582.aspx

Warning: All OUs in this domain should be protected from accidental deletion

Symptom: When running the Microsoft Best Practices Analyzer on Server 2008 - Server 2012 R2, you receive the following warning:

Severity: Warning
All OUs in this domain should be protected from accidental deletion
Server Manager - Best Practices Analyzer - Warning - All OUs in this domain should be protected from accidental deletion

What is accidental deletion?

Protecting all OUs in the domain from accidental deletion prevents you from simply right clicking and deleting an organizational unit in Active Directory Users and Groups.  With the protection enabled on all OUs, you will have to take an extra step to delete an OU (which can be nice, as you don't want to accidentally delete an OU with important users or groups in it).

Solution:

Complete the steps below to protect all OUs in the domain from accidental deletion.

  1. Open up Server Manager
    Server 2012 R2 - Server Manager
  2. Click Tools and select Active Directory Module for Windows PowerShell
    Server Manager - Tools - Active Directory Module for Windows PowerShell
  3. Optional Step: Execute the following command to see which OUs are not currently protected from accidental deletion
    1. Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft DistinguishedName
      List unprotected OUs from Accidental Deletion PowerShell
  4. Execute the following command to protect all OUs in the domain from accidental deletion
    1. Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
      Protect OUs from Accidental Deletion PowerShell
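The two commands above wrapped into a script that previews with -WhatIf, applies the change, and re-queries AD to report what is still unprotected. This is an added example, not part of the original tutorial; it assumes the ActiveDirectory module is available and the caller can modify OUs.

```powershell
# Added example (not from the original tutorial). Assumes the ActiveDirectory
# module (RSAT-AD-PowerShell) and rights to modify OUs in the domain.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # Same filter the tutorial uses: every OU whose flag is not set
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-AllOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $before = @(Get-UnprotectedOU)
    foreach ($ou in $before) {
        # -WhatIf prints the DN instead of changing it; -Confirm prompts per OU
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
        }
    }

    # Re-query rather than trusting the loop, so the report reflects what AD stored
    $after = @(Get-UnprotectedOU)
    [pscustomobject]@{
        UnprotectedBefore = $before.Count
        UnprotectedAfter  = $after.Count
        StillUnprotected  = $after.DistinguishedName
    }
}

Protect-AllOU -WhatIf   # preview: lists every OU that would be changed
Protect-AllOU           # apply, then show before/after counts
```

If UnprotectedAfter is not zero after a run, the remaining DNs are ones the account could not modify and need to be checked by hand.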

Notes: An official KB article from Microsoft on this subject can be found here: http://technet.microsoft.com/en-us/library/dd723677(v=ws.10).aspx

Warning: DNS: The DNS server should have scavenging enabled

Symptom: When running the Microsoft Best Practice Analyzer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, you receive the following recommendation/warning:

Severity: Warning
DNS: The DNS server should have scavenging enabled.
Server 2012 - BPA - The DNS server should have scavenging enabled

What is DNS scavenging?

Per Microsoft: Scavenging automates the deletion of old records. When scavenging is disabled, these records must be deleted manually or the size of the DNS database can become large and have an adverse effect on performance.

Solution: Complete the following steps below to enable scavenging of DNS records.

  1. Click Start (right click Start if in Server 2012), and select Run
    Server 2012 - Run
  2. Type dnsmgmt.msc and click OK
    Run - dnsmgmt-msc
  3. Right click on your server and select Properties
    DNS Manager - Properties
  4. Click on the Advanced tab and check Enable automatic scavenging of stale records
    DNS Manager - Properties - Advanced - Enable automatic scavenging of stale records
  5. Click OK
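The same change made with the DnsServer PowerShell module, plus the two checks worth doing around it: listing the records a scavenging pass would delete, and enabling aging on the zone as well, since the server-level checkbox above does nothing for a zone whose aging is off. This is an added example, not from the original tutorial; the zone name and intervals are placeholders.

```powershell
# Added example (not from the original tutorial). Assumes the DnsServer
# module (RSAT-DNS-Server) and an AD-integrated zone you name below.
Import-Module DnsServer

$Zone      = 'mydomain.local'        # placeholder: your zone name
$NoRefresh = New-TimeSpan -Days 7    # window in which a refresh is ignored
$Refresh   = New-TimeSpan -Days 7    # window in which a refresh is accepted

# A dynamic record becomes eligible for deletion once its timestamp is older
# than NoRefresh + Refresh. Static records have no timestamp and are skipped.
function Get-StaleDnsRecord {
    param([string]$ZoneName, [timespan]$NoRefreshInterval, [timespan]$RefreshInterval)
    $cutoff = (Get-Date) - ($NoRefreshInterval + $RefreshInterval)
    Get-DnsServerResourceRecord -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp
}

# 1. Review first: anything listed here is removed on the first scavenging
#    pass, so make sure no live host (e.g. a server that never re-registers) appears.
Get-StaleDnsRecord -ZoneName $Zone -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh

# 2. Server-level setting (what the BPA rule checks). ScavengingInterval is
#    how often the server runs a pass, not how long a record lives.
Set-DnsServerScavenging -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7) `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh

# 3. Zone-level aging must be on too, or the server setting never touches this zone.
Set-DnsServerZoneAging -Name $Zone -Aging $true `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh

# Read both back to confirm
Get-DnsServerScavenging
Get-DnsServerZoneAging -Name $Zone
```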

Notes: The official KB article from Microsoft can be found here: http://technet.microsoft.com/en-us/library/ff807390(v=ws.10).aspx

Enabling SSL on Windows Server Update Services (WSUS)

Here are the steps to configure SSL on your servers running the Windows Server Update Services.  This guide was written using Server 2012 R2, however it should be the same steps for Windows Server 2008 R2 as well.  This guide also assumes you have a working instance of WSUS installed and configured, using default ports.

  1. Login to your WSUS server
  2. Open up Server Manager
    Server 2012 R2 - Server Manager
  3. Select Tools -> Internet Information Services (IIS) Manager
    Server Manager - Tools - Internet Information Services IIS Manager
  4. Generate an SSL certificate
    1. Click on your Server and select Server Certificates
      Internet Information Services (IIS) Manager - Server Certificates
    2. If you have your own PKI environment, follow these steps; if not, jump to step three
      1. Click Create Domain Certificate on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Create Domain Certificate
      2. Fill in the requested information on the Distinguished Name Properties page and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Distinguished Name Properties
      3. Select your certificate authority and enter a friendly name (this can be anything), and then click Finish
        Internet Information Services (IIS) Manager - Server Certificates - Create Domain Certificate - Online Certification Authority
    3. If you need to submit a certificate request to an external certificate authority like GoDaddy, Verisign, or Comodo, follow these steps
      1. Click Create Certificate Request on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Create Certificate Request
      2. Fill out the Distinguished Name Properties and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Distinguished Name Properties
      3. Change the Bit length to 2048 and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Cryptographic Service Provider Properties
      4. Select a location on where to place the CSR file that will be generated by the wizard and click Finish
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - File Name
      5. At this point, send the request to your certificate authority (like GoDaddy, Verisign, or your own internal certificate authority). You should receive back a .cer file once the claim has been fulfilled.
      6. Click on Complete Certificate Request on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Complete Certificate Request
      7. Select the .cer file that your public certificate authority provided you, type in a friendly name (this can be anything), select Web Hosting for the certificate store, and click OK
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Specify Certificate Authority Response
  5. Next, we need to bind the SSL certificate to your network adapter.
    1. Expand your server, expand Sites, and select WSUS Administration
      IIS - Sites - WSUS Administration
    2. Select Bindings... on the right side
      IIS - Bindings
    3. Select the https site and hit the Edit... button
      Site Bindings - Port 8531
    4. Select https for the type, select the SSL certificate you created above, and click OK
      IIS - Edit Site Binding - WSUS
    5. Click Close on the Site Bindings window
      IIS - Site Bindings - https
  6. Next, we need to enforce SSL encryption on the following virtual roots
    • ApiRemoting30
    • ClientWebService
    • DSSAuthWebService
    • ServerSyncWebService
    • SimpleAuthWebService

    1. Expand WSUS Administration and, for each of the directories above, complete the following steps
      1. Select the virtual site
        IIS - WSUS Administration
      2. Double click on SSL Settings
        IIS - WSUS Administration - SSL Settings
      3. Check Require SSL and leave client certificates to ignore
        IIS - WSUS Administration - SSL Settings - Require SSL
      4. Click Apply in the top right corner
        IIS - SSL Settings - Apply
  7. Next, we need to execute a command to tell WSUS to use SSL
    1. Open up an elevated command prompt
      Server 2012 - Administrative Command Prompt
    2. Navigate to your WSUS installation folder
      1. cd "c:\Program Files\Update Services\Tools"
        cmd - program files - update services - tools
    3. Execute the following command, replacing the server name with your WSUS server's FQDN
      1. WSUSUtil.exe configuressl myserver.mydomain.local
        wsusutil configuressl
  8. Restart the WSUS server to make sure all changes take effect.  You should be able to bring up the WSUS management console if all went well.
  9. Configure your clients to connect via SSL to the WSUS server via Group Policy
    1. Login to your domain controller
    2. Open up Server Manager
      Server 2012 R2 - Server Manager
    3. Open up Group Policy Management
      Server Manager - Tools - Group Policy Management
    4. Right click on the policy you want to edit and select Edit
      Edit GPO
    5. Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update
    6. Double click on Specify intranet Microsoft update service location
      Specify intranet Microsoft update service location
    7. Change the intranet update service URL to https and specify port 8531, then click Apply.
      Specify intranet Microsoft update service location - options

That should do it!  Try running gpupdate /force on your local machine and then check for Windows updates.  If Windows successfully completes checking for updates, you should be good to go! 🙂
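Steps 5 through 7 and the client check from step 9 as PowerShell, using the WebAdministration module to require SSL on the five virtual roots and then verifying the 8531 binding's certificate and a client's Windows Update policy. This is an added example, not part of the original tutorial; the FQDN is the tutorial's placeholder and must be replaced.

```powershell
# Added example (not from the original tutorial). Assumes the WebAdministration
# module on the WSUS server; Test-WsusClientPolicy runs on a domain-joined client.
Import-Module WebAdministration

$SiteName = 'WSUS Administration'
$WsusFqdn = 'myserver.mydomain.local'   # placeholder FQDN from the tutorial
$SslRoots = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'

# Step 6: require SSL (client certificates ignored) on each virtual root,
# then read the value back so a mistyped root name fails here, not at the clients.
function Set-WsusRequireSsl {
    foreach ($root in $SslRoots) {
        $path   = "IIS:\Sites\$SiteName\$root"
        $filter = 'system.webServer/security/access'
        Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name sslFlags -Value 'Ssl'
        $flags  = (Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name sslFlags).Value
        [pscustomobject]@{ Root = $root; RequireSsl = ("$flags" -match 'Ssl') }
    }
}

# Step 5 check: the 8531 binding must carry a certificate whose SAN matches the
# FQDN clients are told to use, otherwise every client fails the TLS handshake.
function Test-WsusBinding {
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 8531
    if (-not $binding) { return 'No https binding on port 8531' }
    $cert = Get-ChildItem Cert:\LocalMachine\WebHosting, Cert:\LocalMachine\My |
            Where-Object Thumbprint -eq $binding.certificateHash | Select-Object -First 1
    [pscustomobject]@{
        Thumbprint = $binding.certificateHash
        Subject    = $cert.Subject
        NameMatch  = [bool]($cert.DnsNameList.Unicode -contains $WsusFqdn)
        Expires    = $cert.NotAfter
    }
}

# Step 9 check, run on a client after gpupdate /force: both policy URLs must be
# https on 8531 and the port must be reachable.
function Test-WsusClientPolicy {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $tcp = Test-NetConnection -ComputerName $WsusFqdn -Port 8531 -InformationLevel Quiet
    [pscustomobject]@{
        WUServer     = $pol.WUServer
        UsesHttps    = $pol.WUServer -eq "https://${WsusFqdn}:8531"
        StatusServer = $pol.WUStatusServer -eq "https://${WsusFqdn}:8531"
        Port8531Open = $tcp
    }
}

Set-WsusRequireSsl
Test-WsusBinding
```

A NameMatch of False is the usual cause of clients failing after this change: the certificate was issued for the short hostname while the GPO points at the FQDN.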

Notes: Official documentation from Microsoft in regards to using SSL and WSUS can be found here: http://technet.microsoft.com/en-us/library/hh852346.aspx#consswsus