(with Python 2.x)
After installing Ansible, let us configure it to access Windows servers. This assumes the Windows server is already configured with WinRM.
1. Install PIP if it is not installed already.
sudo apt install python-pip
2. Install the WinRM (pywinrm) module on the Ansible server.
sudo pip install "pywinrm>=0.3.0"
. . . .
Running setup.py install for pywinrm ... done
Successfully installed ntlm-auth-1.4.0 pywinrm-0.4.1 requests-ntlm-1.1.0
3. Now edit the hosts file with the Windows hosts and variables.
sudo nano /etc/ansible/hosts

[windows]
172.168.20.10

[windows:vars]
ansible_user=test\wintel
ansible_password=P@ssw0rd
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_port=5985
*** Please do not put the password in the inventory in a production environment. You can use ansible-vault to encrypt the inventory file.
4. Now run a simple module to check Windows host connectivity.
winadmin@ansible01:~$ ansible windows -i inventory -m win_ping
172.168.1.10 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
5. If you configured WinRM with a certificate, add the following line to the inventory file.
ansible_winrm_cert_validation=ignore
This is not recommended in a production environment. Instead, configure a certificate issued by a certificate server.
6. The above works for NTLM authentication. Let us now configure Kerberos authentication.
Install and set up Kerberos:
sudo apt install python-dev libkrb5-dev krb5-user
sudo pip install pywinrm[kerberos]
7. Check the Kerberos configuration file and make sure the required values are set correctly.
sudo nano /etc/krb5.conf

[libdefaults]
    default_realm = TEST.ORG

[realms]
    TEST.ORG = {
        kdc = 172.168.1.10
        admin_server = 172.168.1.10
    }
8. Check that Kerberos is working by requesting a ticket for your user principal (shown as <user>@<REALM> below).
winadmin@ansible01:~$ kinit <user>@<REALM>
Password for <user>@<REALM>:
winadmin@ansible01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: <user>@<REALM>

Valid starting       Expires              Service principal
01/19/2020 08:25:47  01/19/2020 18:25:47  krbtgt/<REALM>@<REALM>
        renew until 01/20/2020 08:25:43
winadmin@ansible01:~$
We can see that a Kerberos ticket has been generated.
9. You can destroy the ticket using the kdestroy command.
winadmin@ansible01:~$ kdestroy
venu@ansible01:~$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
winadmin@ansible01:~$
10. Modify the inventory file to use Kerberos authentication.
ansible_winrm_transport=kerberos
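The settings the steps above warn about (a plaintext ansible_password, ansible_winrm_cert_validation=ignore, NTLM instead of Kerberos, the plain-HTTP 5985 listener) can be checked mechanically before an inventory is committed. The following Python script is an added example, not part of the original post or of Ansible itself: it parses an INI-style inventory with the standard library and reports each risky WinRM variable. Both inventories in it are constructed for the example; the weak one is modelled on the listing above, and the hardened one is what passes the audit.

```python
import configparser
from typing import Dict, List, Optional

# Constructed sample inventories for this example (placeholder values, not a real environment).
WEAK_INVENTORY = """
[windows]
172.168.20.10

[windows:vars]
ansible_user=test\\wintel
ansible_password=P@ssw0rd
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_cert_validation=ignore
ansible_port=5985
"""

HARDENED_INVENTORY = """
[windows]
172.168.20.10

[windows:vars]
ansible_user=wintel@TEST.ORG
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_port=5986
"""


def parse_inventory(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Parse an INI-style Ansible inventory into {section: {key: value}}.

    Host lines under a group carry no '=' and come back with value None."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def audit_winrm_vars(inventory: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Flag risky WinRM settings in every <group>:vars section; one string per finding."""
    findings: List[str] = []
    for section, kv in inventory.items():
        if not section.endswith(":vars") or kv.get("ansible_connection") != "winrm":
            continue
        group = section[: -len(":vars")]
        if "ansible_password" in kv:
            findings.append(f"{group}: plaintext ansible_password in inventory; keep it in ansible-vault")
        if (kv.get("ansible_winrm_cert_validation") or "").lower() == "ignore":
            findings.append(f"{group}: certificate validation disabled; issue the host a certificate from your CA")
        transport = kv.get("ansible_winrm_transport") or ""
        if transport and transport != "kerberos":
            findings.append(f"{group}: transport is {transport}; kerberos is preferred for domain-joined hosts")
        if kv.get("ansible_port") == "5985":
            findings.append(f"{group}: port 5985 is the HTTP listener; use 5986 (HTTPS) once a certificate is in place")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INVENTORY), ("hardened", HARDENED_INVENTORY)):
        print(f"{name}: {audit_winrm_vars(parse_inventory(text)) or ['no findings']}")
```

Run it against a real inventory by replacing the constructed text with the contents of /etc/ansible/hosts; the parser deliberately uses only "=" as a delimiter so that host entries written as host:port are not split.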
Install and configure Ansible on Ubuntu server 18.04
1. Update the Ubuntu repositories and upgrade installed packages.
sudo apt update && sudo apt upgrade
2. Check if Python is installed. If it is, go to step 3.
python --version
If Python is not installed, install it (installing Ansible would pull it in as a dependency anyway).
sudo apt install python
3. Install Ansible
winadmin@ansible01:~$ sudo apt install ansible
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libdumbnet1
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  ieee-data libpython-stdlib libpython2.7-minimal libpython2.7-stdlib python python-asn1crypto python-certifi python-cffi-backend python-chardet python-crypto python-cryptography python-enum34 python-httplib2 python-idna python-ipaddress python-jinja2 python-jmespath python-kerberos python-libcloud python-lockfile python-markupsafe python-minimal python-netaddr python-openssl python-paramiko python-pkg-resources python-pyasn1 python-requests python-selinux python-simplejson python-six python-urllib3 python-xmltodict python-yaml python2.7 python2.7-minimal
Suggested packages:
  cowsay sshpass python-doc python-tk python-crypto-doc python-cryptography-doc python-cryptography-vectors python-enum34-doc python-jinja2-doc python-lockfile-doc ipython python-netaddr-docs python-openssl-doc python-openssl-dbg python-gssapi python-setuptools python-socks python-ntlm python2.7-doc binutils binfmt-support
Recommended packages:
  python-winrm
The following NEW packages will be installed:
  ansible ieee-data libpython-stdlib libpython2.7-minimal libpython2.7-stdlib python python-asn1crypto python-certifi python-cffi-backend python-chardet python-crypto python-cryptography python-enum34 python-httplib2 python-idna python-ipaddress python-jinja2 python-jmespath python-kerberos python-libcloud python-lockfile python-markupsafe python-minimal python-netaddr python-openssl python-paramiko python-pkg-resources python-pyasn1 python-requests python-selinux python-simplejson python-six python-urllib3 python-xmltodict python-yaml python2.7 python2.7-minimal
0 upgraded, 37 newly installed, 0 to remove and 0 not upgraded.
Need to get 12.1 MB of archives.
After this operation, 79.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
4. Once Ansible is installed, check the version.
winadmin@ansible01:~$ ansible --version
ansible 2.5.1
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/venu/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.17 (default, Nov 7 2019, 10:07:09) [GCC 7.4.0]
5. Run a simple module to check whether Ansible is working. As we have not yet added or updated our inventory file, we can test against localhost.
winadmin@ansible01:~$ ansible localhost -m ping
 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

localhost | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
Generating SSL/TLS certificates for your website is much easier than you think on a Windows operating system like Windows 10. A commercial certificate provider can charge you a lot, and Let's Encrypt is free but issues certificates valid for 90 days. These can be renewed for free indefinitely. Let us see how to generate and renew a Let's Encrypt certificate.
Download the PowerShell package from https://github.com/PowerShell/PowerShell/. Download a suitable version for the operating system version you have. Here I am showing the procedure for Ubuntu Server 16.04. Below is the process for installing and configuring PowerShell on Ubuntu Linux.
Run the following command to download the PowerShell package for Ubuntu 16.04.
Then execute the following in terminal.
sudo dpkg -i powershell_6.0.0-alpha.17-1ubuntu1.16.04.1_amd64.deb
sudo apt-get install -f
PowerShell is now installed on Ubuntu. It is time to test it on Ubuntu Linux. Let us run some commands.
Enter powershell in the terminal to start PowerShell.
Enter the following in powershell console.
$PSVersionTable
The output should be something like the following.
The following is a brief list of common Cmd.exe and UNIX command names that you can use inside Windows PowerShell:
cat, dir, mount, rm, cd, echo, move, rmdir, chdir, erase, popd, sleep, clear, h, ps, sort, cls, history, pushd, tee, copy, kill, pwd, type, del, lp, r, write, diff, ls, ren
However, not all of these PowerShell commands are available in PowerShell on Linux. For further reference, see https://docs.microsoft.com/en-us/powershell/scripting/whats-new/known-issues-ps6?view=powershell-7 (Known Issues for PowerShell on Non-Windows Platforms).
Sometimes you may receive an error if both Hyper-V and VMware Workstation are installed. You can disable Hyper-V to run VMware Workstation, and also disable Device Guard / Credential Guard.
Here is a procedure to disable Device/Credential guard on Windows 10 System.
Disable Windows Defender Credential Guard by using Group Policy:
Update Group Policy to apply the changes with gpupdate /force.
If the group policy update does not resolve the issue, reboot the system.
How to setup Microsoft Active Directory Certificate Services [AD CS]
Microsoft Active Directory Certificate Services [AD CS] provides a platform for issuing and managing public key infrastructure [PKI] certificates. On top of securing application and HTTP traffic, the certificates that AD CS provides can be used to authenticate computer, user, or device accounts on a network. Let us see how to install and set up Active Directory Certificate Services (AD CS).
Open Server Manager and click Manage -> Add Roles and Features
Click Next. In the following screen, click Next.
Select Role-based or feature-based installation
Select "Select a server from the server pool".
In the Select server roles window, select Active Directory Certificate Services
This will display Add Roles and Features Wizard. Click Add Features
Click Next
Click Next, then Next again.
Click Install in the Confirmation Window.
Once you see the Results window, Click Close.
The Active Directory Certificate Services feature is now installed on the server. Next, let us configure AD CS. Open the Server Manager window if it is closed; clicking the notification flag icon opens a drop-down. Click Configure Active Directory Certificate Services on the destination server as shown in the following image.
Click Next in Credentials window. If needed, you can change the Credentials.
Click Next in Role Services Window.
Select Enterprise CA.
Select Root CA in CA Type.
Select Create a new private key.
Select SHA256 (or another hash algorithm as required).
In the CA Name window, check settings and click Next.
Specify the validity period.
Check the database settings and path and change if required.
Check all your configuration in the Confirmation window and click Configure.
You will see a Results window with a message Configuration succeeded.
We have completed adding and configuring Active Directory Certificate Services (AD CS).
Login to the Server where you want a certificate to be requested.
Open the Microsoft Management Console (MMC) using the mmc command. Make sure you are running mmc as administrator. Click Add/Remove Snap-in.
Select Certificates and click Add to add to the Selected snap-ins.
Select Computer account in Certificates snap-in.
Click Finish.
Click OK
Expand Certificates in Console Root.
Right-click Personal -> All Tasks -> Advanced Operations -> Create Custom Request...
Click Next
Click Next
Select Web Server in the Template selection.
Click Next
Click Next
Click the Details down arrow to configure options.
Click Properties and configure required properties.
Give a file name to save and click Finish.
Now the request is complete. Let us generate the certificate, assuming Active Directory Certificate Authority Web Enrollment is configured in your domain.
Generate Certificate:
Log in to the web server (in my case it is http://dc01.winadmin.org/certsrv/Default.asp).
Click Request a certificate and then click advanced certificate request.
Click the second option "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
Now open the request file in Notepad and copy the text. Paste it into the Base-64-encoded certificate request field. Select Web Server as the Certificate Template and click the Submit button.
The certificate is now ready to download.
VPShellRes.dll could not be found error message.
Right-clicking any file generates a "VPShellRes.dll could not be found" error message, especially after removing a Symantec product.
Please follow the instructions given at https://support.symantec.com/en_US/article.TECH153712.html by Symantec.
Deleting Windows.old folder from System Drive
The Windows.old folder is created when you upgrade Windows to a higher version. It is meant for rolling back. If you are sure you are not going to roll back to the previous version, you can delete this folder to save a lot of disk space. The Windows.old folder is also created if an installation failed and you installed Windows again on the same drive without formatting.
Here is how to delete the Windows.old folder. Deleting it cannot be undone.
Click OK.
If you get any prompt that 'You cannot restore the machine back to the previous version of Windows', click Yes.
Offline install of .NET Framework 3.5 in Windows 10
To install .NET Framework 3.5 in Windows 10, do the following:
Adding a Windows Server 2012 Domain Controller to an Existing Windows Server 2003 network
As the end of support for Windows 2003 is nearing, it is time to upgrade to Windows 2012. Here I am going to show how to add a Windows Server 2012 R2 Domain Controller to an existing Windows Server 2003 network.
Prerequisites:
Configuring Server Core as a Domain Controller
After installing the core Windows operating system, the first step is configuring the server. We can use sconfig.cmd to configure settings: change the hostname, and configure IP settings, the default gateway and DNS settings. Configuring a Windows Server 2012-based Server Core installation as a Domain Controller starts with one of the following:
In order to create a new forest and promote Windows Server 2012 Core to be the Domain Controller for that forest, the Active Directory Domain Services role has to be added first. Open PowerShell using powershell.exe and run:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Next, type the following in PowerShell:
Install-ADDSForest -DomainName "winadmin.org" -DomainNetbiosName "WINADMIN" -DomainMode Win2012R2 -ForestMode Win2012R2 -InstallDns -Force
The server will be rebooted after it is promoted to Domain Controller. We can manage Active Directory using the Active Directory Domain Services Tools from a remote computer.
Windows Authentication process:
How does Kerberos authentication work?
The Kerberos Authentication Process:
In a Kerberos environment, the authentication process begins at logon. The following steps describe the Kerberos authentication process:
1. When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm.
2. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows.
3. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
When a client receives the session key and TGT from the server, it stores that information in volatile memory and not on the hard disk. Storing the information in the volatile memory and not on the hard disk makes the information more secure, because the information would be lost if the server were physically removed.
4. When a Kerberos client needs to access resources on a server that is a member of the same domain, it contacts the KDC. The client will present its TGT and a timestamp encrypted with the session key that is already shared with the KDC. The KDC decrypts the TGT using its KKDC. The TGT contains the user name and a copy of the SA. The KDC uses the SA to decrypt the timestamp. The KDC can confirm that this request actually comes from the user because only the user can use the SA.
5. Next, the KDC creates a pair of tickets, one for the client and one for the server on which the client needs to access resources. Each ticket contains the name of the user requesting the service, the recipient of the request, a timestamp that declares when the ticket was created, and a time duration that says how long the tickets are valid. Both tickets also contain a new key (KAB) that will be shared between the client and the server so they can securely communicate.
6. The KDC takes the server's ticket and encrypts it using the server master key (KB). Then the KDC nests the server's ticket inside the client's ticket, which also contains the KAB. The KDC encrypts the whole thing using the session key that it shares with the user from the logon process. The KDC then sends all the information to the user.
7. When the user receives the ticket, the user decrypts it using the SA. This exposes the KAB to the client and also exposes the server's ticket. The user cannot read the server's ticket. The user will encrypt the timestamp by using the KAB and send the timestamp and the server's ticket to the server on which the client wants to access resources. When it receives these two items, the server first decrypts its own ticket by using its KB. This permits access to the KAB, which can then decrypt the timestamp from the client.
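The seven steps above, played out end to end as an added Python example (not code from the original post, and not a Kerberos implementation): a KDC, a client and a service exchange the same messages the text describes, using the document's names KA, SA, KKDC, KAB and KB. The cryptography is a constructed stand-in, PBKDF2 for the one-way password function of step 3 and a small encrypt-then-MAC routine for every "encrypt with key X", so that a wrong key fails loudly the way a real decryption failure would. The principals alice and fileserver are constructed; the realm TEST.ORG is the one from the krb5.conf above. Two failure modes the text implies are checked: a wrong password stops the client at step 3 because it cannot open the SA part, and an authenticator whose timestamp is outside the allowed clock skew is rejected at steps 4 and 7.

```python
import hashlib
import hmac
import json
import os
import time

# Toy primitives standing in for Kerberos' real string2key and encryption types
# (constructed for this illustration only; they are not Kerberos' actual crypto).
LIFETIME = 10 * 3600   # ticket validity in seconds
MAX_SKEW = 300         # authenticator timestamps further off than this are rejected

def derive_key(password: str, salt: str) -> bytes:
    """Step 3: one-way function turning a password into the long-term key KA."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC a JSON message under key: nonce || ciphertext || tag."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, principals: dict):
        self.db = principals        # master database: principal name -> long-term key
        self.kkdc = os.urandom(32)  # KKDC, known only to the KDC

    def as_exchange(self, user: str):
        """Steps 1-2: return a TGT sealed with KKDC and the SA sealed with the user's KA."""
        sa, expires = os.urandom(32), time.time() + LIFETIME
        tgt = seal(self.kkdc, {"user": user, "SA": sa.hex(), "expires": expires})
        return tgt, seal(self.db[user], {"SA": sa.hex(), "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, server: str) -> bytes:
        """Steps 4-6: check TGT and authenticator, return the nested tickets sealed with SA."""
        t = unseal(self.kkdc, tgt)
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        sa = bytes.fromhex(t["SA"])
        auth = unseal(sa, authenticator)  # only the holder of SA could have sealed this
        if abs(time.time() - auth["timestamp"]) > MAX_SKEW:
            raise ValueError("authenticator outside allowed clock skew (replay?)")
        ticket = {"user": t["user"], "server": server, "issued": time.time(),
                  "lifetime": LIFETIME, "KAB": os.urandom(32).hex()}
        server_ticket = seal(self.db[server], ticket)   # sealed with the server's KB
        return seal(sa, {**ticket, "server_ticket": server_ticket.hex()})

class Service:
    def __init__(self, name: str, kb: bytes):
        self.name, self.kb = name, kb

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        """Step 7, server side: open the ticket with KB, then the authenticator with KAB."""
        t = unseal(self.kb, ticket)
        if t["server"] != self.name or time.time() > t["issued"] + t["lifetime"]:
            raise ValueError("ticket is for another server or has expired")
        auth = unseal(bytes.fromhex(t["KAB"]), authenticator)
        if abs(time.time() - auth["timestamp"]) > MAX_SKEW:
            raise ValueError("stale authenticator")
        return t["user"]

class Client:
    def __init__(self, user: str, password: str, realm: str):
        self.user = user
        self.ka = derive_key(password, realm + user)  # step 3, done locally from the password
        self.tgt = self.sa = None                     # kept in memory only, never on disk

    def logon(self, kdc: KDC) -> None:
        tgt, enc_part = kdc.as_exchange(self.user)
        self.sa = bytes.fromhex(unseal(self.ka, enc_part)["SA"])  # wrong password -> ValueError
        self.tgt = tgt

    def access(self, kdc: KDC, service: Service) -> str:
        """Steps 4-7, client side: TGT + authenticator in, KAB and an opaque server ticket out."""
        authenticator = seal(self.sa, {"timestamp": time.time()})
        reply = unseal(self.sa, kdc.tgs_exchange(self.tgt, authenticator, service.name))
        kab = bytes.fromhex(reply["KAB"])
        server_ticket = bytes.fromhex(reply["server_ticket"])  # client cannot open this (no KB)
        return service.accept(server_ticket, seal(kab, {"timestamp": time.time()}))

def run_logon(stored_password: str, typed_password: str, realm: str = "TEST.ORG") -> str:
    """Whole flow for constructed principals 'alice' and 'fileserver'; returns the authenticated user."""
    kb = os.urandom(32)
    kdc = KDC({"alice": derive_key(stored_password, realm + "alice"), "fileserver": kb})
    client = Client("alice", typed_password, realm)
    client.logon(kdc)
    return client.access(kdc, Service("fileserver", kb))
```

Calling run_logon("correct horse", "correct horse") returns "alice"; calling it with a mismatched typed password raises ValueError inside Client.logon, before any TGT is ever used. Note that the service never talks to the KDC: everything it needs to trust the client arrives inside a ticket only KB can open, which is why the server's key must be protected as carefully as the KDC's.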
Let us see how to grow drive space in Windows. It is very simple in Windows Server 2008 and later, but extending the OS drive on a 2003 server takes extra steps, since Windows 2003 does not support growing the OS drive.
First, let us see how to extend a volume in Windows 7 and 2008.
Grow the disk from the VMware side and open the Disk Management console. The added space is displayed in the console. If it is a physical server, there must be free space immediately after the volume.
1. Select extend volume.
2. In the extend volume wizard, click Next.
3. Select the disk to extend and enter the amount of space in MB. Click Next.
4. Click Finish.
5. The drive / volume is extended.