Configure Ansible to access Windows Servers:
(with Python 2.x)
1. After installing Ansible, let us configure it to access Windows servers. Hoping that Windows server is already configured with WinRM. 1. Install PIP if not installed already.
sudo apt install python-pip
2. Install WinRM module on Ansible server
sudo pip install "pywinrm>=0.3.0" . . . . Running setup.py install for pywinrm ... done Successfully installed ntlm-auth-1.4.0 pywinrm-0.4.1 requests-ntlm-1.1.0
3. Now edit hosts file with Windows hosts and Variables
sudo nano /etc/ansible/hosts [windows] 172.168.20.10 [windows:vars] ansible_user=test\wintel ansible_password=P@ssw0rd ansible_connection=winrm ansible_winrm_transport=ntlm ansible_port=5985
*** Please do not give password in Production environment. You can use ansible-vault to encrypt the inventory file. 4. Now check a simple module to check windows host connectivity
winadmin@ansible01:~$ ansible windows -i inventory -m win_ping
172.168.1.10 | SUCCESS => {
"changed": false,
"ping": "pong"
}
5. If you configured WinRM with a certificate, add the following line to inventory file.
ansible_winrm_cert_validation=ignore
This is not recommended in production environment. Instead, you configure certificate from a certificate server. 6. The above will work for NTLM authentication. Let us configure with Kerberos authentication.
Install and Setup Kerberos
sudo apt install python-dev libkrb5-dev krb5-user sudo pip install pywinrm[kerberos]
7. Check kerberos configuration file if the required values are set correctly
sudo nano /etc/krb5.conf
[libdefaults]
default_realm = TEST.ORG
[realms]
TEST.ORG = {
kdc = 172.168.1.10
admin_server = 172.168.1.10
}
8. Check if the kerberos is working.
winadmin@ansible01:~$ kinit This email address is being protected from spambots. You need JavaScript enabled to view it. Password for This email address is being protected from spambots. You need JavaScript enabled to view it.: winadmin@ansible01:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: This email address is being protected from spambots. You need JavaScript enabled to view it. Valid starting Expires Service principal 01/19/2020 08:25:47 01/19/2020 18:25:47 krbtgt/This email address is being protected from spambots. You need JavaScript enabled to view it. renew until 01/20/2020 08:25:43 winadmin@ansible01:~$
We can see that kerberos ticket is generated. 9. You can destroy using command kdestroy.
winadmin@ansible01:~$ kdestroy venu@ansible01:~$ klist klist: No credentials cache found (filename: /tmp/krb5cc_1000) winadmin@ansible01:~$
10. Modify inventory file to use kerberos authentication.
ansible_winrm_transport=kerberos
Install and configure Ansible on Ubuntu server 18.04
1. Update Ubuntu repositories and Upgrade.
sudo apt update && sudo apt upgrade
2. Check if python is installed. If installed, go to step 3.
python --version
Install Python. If not Python is not installed, ansible will install by default.
sudo apt install python
3. Install Ansible
winadmin@ansible01:~$ sudo apt install ansible Reading package lists... Done Building dependency tree Reading state information... Done The following package was automatically installed and is no longer required: libdumbnet1 Use 'sudo apt autoremove' to remove it. The following additional packages will be installed: ieee-data libpython-stdlib libpython2.7-minimal libpython2.7-stdlib python python-asn1crypto python-certifi python-cffi-backend python-chardet python-crypto python-cryptography python-enum34 python-httplib2 python-idna python-ipaddress python-jinja2 python-jmespath python-kerberos python-libcloud python-lockfile python-markupsafe python-minimal python-netaddr python-openssl python-paramiko python-pkg-resources python-pyasn1 python-requests python-selinux python-simplejson python-six python-urllib3 python-xmltodict python-yaml python2.7 python2.7-minimal Suggested packages: cowsay sshpass python-doc python-tk python-crypto-doc python-cryptography-doc python-cryptography-vectors python-enum34-doc python-jinja2-doc python-lockfile-doc ipython python-netaddr-docs python-openssl-doc python-openssl-dbg python-gssapi python-setuptools python-socks python-ntlm python2.7-doc binutils binfmt-support Recommended packages: python-winrm The following NEW packages will be installed: ansible ieee-data libpython-stdlib libpython2.7-minimal libpython2.7-stdlib python python-asn1crypto python-certifi python-cffi-backend python-chardet python-crypto python-cryptography python-enum34 python-httplib2 python-idna python-ipaddress python-jinja2 python-jmespath python-kerberos python-libcloud python-lockfile python-markupsafe python-minimal python-netaddr python-openssl python-paramiko python-pkg-resources python-pyasn1 python-requests python-selinux python-simplejson python-six python-urllib3 python-xmltodict python-yaml python2.7 python2.7-minimal 0 upgraded, 37 newly installed, 0 to remove and 0 not upgraded. Need to get 12.1 MB of archives. After this operation, 79.5 MB of additional disk space will be used. Do you want to continue? [Y/n]Y
4. Once Ansible is installed, check version.
winadmin@ansible01:~$ ansible --version ansible 2.5.1 config file = /etc/ansible/ansible.cfg configured module search path = [u'/home/venu/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python2.7/dist-packages/ansible executable location = /usr/bin/ansible python version = 2.7.17 (default, Nov 7 2019, 10:07:09) [GCC 7.4.0]
5. Check a simple module to check if ansible is working or not. As we have not yet added / updated our inventory file, we can check with localhost.
winadmin@ansible01:~$ ansible localhost -m ping
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match
'all'
localhost | SUCCESS => {
"changed": false,
"ping": "pong"
}
Use Windows system for generating Let's Encrypt SSL/TLS certificates
Written by WinAdminGenerating SSL/TLS certificates for your website is much easier than you think on a windows operating system like Windows 10. A commercial certificate provider can charge you a lot and Let's Encrypt is free but issue certificate for 90 days. We can extend these for free for lifetime. Let us see how to generate and renew Let's Encrypt certificate.
- Download the latest version of the Certbot installer for Windows at https://dl.eff.org/certbot-beta-installer-win32.exe.
- Run the installer and follow the wizard. The installer will propose a default installation directory, C:\Program Files(x86)
- select the Start menu, enter cmd (to run CMD.EXE) or powershell (to run PowerShell), and click on "Run as administrator"
- Run the following command certbot certonly --manual
- Enter your website name when prompted. If you need certificate for multiple domains, you can add wildcard.
- Choose your option
- Create a DNS TXT record by going to your hosting provider and DNS settings for your domain.
Will look something like the following based on your hosting provider. 
- Create a file on your website with the mentioned parameters.
- If all the above steps are correct, you should receive following Congratulations message.
- Now the certificate is generated. Login to your CPanel account and find SSL/TLS settings.
- Click "Install and Manage SSL for your site (HTTPS)" and upload your Certificate (fullchain.pem) and private key (privkey.pem)
- Map the current uploaded certificate to your website and test by browsing.
Installing and configuring PowerShell on Ubuntu Linux
Download Powershell package from https://github.com/PowerShell/PowerShell/. Download a suitable version depending on the version of the Operating System you have. Here I am showing the procedure for Ubuntu Server 16.04. Below is the process for installing and configuring PowerShell on Ubuntu Linux.
Run the following command to download Powershell Package for Ubuntu 16.04 .
Then execute the following in terminal.
sudo dpkg -i powershell_6.0.0-alpha.17-1ubuntu1.16.04.1_amd64.deb
sudo apt-get install -f
Powershell is installed on Ubuntu now. This is time to test the powershell on Ubuntu Linux. Let us run some commands.
Enter powershell in the terminal to start Powershell.
Enter the following in powershell console.
$PSVersionTable
The output should be something like the following.
The following is a brief listing of the common Cmd.exe and UNIX commands that you can use inside Windows PowerShell:
|
cat |
dir |
mount |
rm |
|
cd |
echo |
move |
rmdir |
|
chdir |
erase |
popd |
sleep |
|
clear |
h |
ps |
sort |
|
cls |
history |
pushd |
tee |
|
copy |
kill |
pwd |
type |
|
del |
lp |
r |
write |
|
diff |
ls |
ren |
However, all the PowerShell commands are not available on Linux PowerShell. For further reference please check at https://docs.microsoft.com/en-us/powershell/scripting/whats-new/known-issues-ps6?view=powershell-7 : (Known Issues for PowerShell on Non-Windows Platforms)
Some times you may receive an error if both Hyper-V and VMware workstation are installed. You can disable Hyper-V to run VMware Workstation and also disable Device / Credential guard.
Here is a procedure to disable Device/Credential guard on Windows 10 System.
Disable Windows Defender Credential Guard by using Group Policy:
-
You can use Group Policy to enable Windows Defender Credential Guard.
-
From the Group Policy Management Console, go to Computer Configuration -> Administrative Templates -> System -> Device Guard.
-
Double-click Turn On Virtualization Based Security, and then click the Disabled option.
Update Group Policy to apply changes with gpupdate /force.
If the group policy update does not resolve the issue, reboot the system.
How to setup Microsoft Active Directory Certificate Services [AD CS]
Microsoft Active Directory Certificate Services [AD CS] provides a platform for issuing and managing public key infrastructure [PKI] certificates. On top of securing application and HTTP traffic the certificates that AD CS provides can be used for authentication of computer, user, or device accounts on a network. Let us see how to install and setup Active Directory Certificate Services (AD CS).
Open Server Manager and click Manage -> Add Roles and Features
Click Next In the following screen, click Next.
Select Role-based or feature-based installation
Select Select a server from the server pool
In the Select server roles window, select Active Directory Certificate Services
This will display Add Roles and Features Wizard. Click Add Features
Click Next
Click Next – Next.
Click Install in the Confirmation Window.
Once you see the Results window, Click Close.
Active Directory Certificate Services feature is installed on the server successfully. Now, let us configure the AD CS. Open Server Manager window if closed and clicking
will popup a drop down. Click Configure Active Directory Certificate Services on the remote server as shown in the following image.
Click Next in Credentials window. If needed, you can change the Credentials.
Click Next in Role Services Window.
Select Enterprise CA.
Select Root CA in CA Type.
Select Create a new private key.
Select SHA256 or as required.
In the CA Name window, check settings and click Next.
Specify the validity period.
Check the database settings and path and change if required.
Check all your configuration in Confirmation window and click Configure
You will see a Results window with a message Configuration succeeded.
We have completed Adding Active Directory Certificate Services (AD CS) and configuring.
Create a Certificate Request using Active Directory Certificate Services
Create a Certificate Request using Microsoft Management Console
Login to the Server where you want a certificate to be requested.
Open Microsoft Management Console (MMC) using mmc command. Make sure that you are running mmc as administrator. Click Add/Remove Snap-in
Select Certificates and click Add to add to the Selected snap-ins.
Select Computer account in Certificates snap-in.
Click Finish.
Click OK
Expand Certificates in Console Root.
Right click Personal -> All Tasks -> Advanced Operations -> Create Custom Request ..
Click Next
Click Next
Select Web Server in Template select option.
Click Next
Click Next
Click Details down arrow to configure options.
Click Properties and configure required properties.
Give a file name to save and click Finish.
Now we have completed a request. Let us generate the certificate if Active Directory Certificate Authority Web Enrolment is configured in your domain.
Generate Certificate:
Login to the webserver (in my case it is http://dc01.winadmin.org/certsrv/Default.asp).
Click Request a certificate and then click advanced certificate request.
Click the second option "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
Now open the request file with a notepad and copy text. Paste in the field Base-64-encoded certificate request. Select Certificate Template as Web Server and click Submit button.
The certificate is now ready to download.
VPShellRes.dll could not be found
Written by WinAdminVPShellRes.dll could not be found error message.
When you right click any file generates "VPShellRes.dll could not be found" error message specially after removing Symantec product.
Please follow the instructions given at https://support.symantec.com/en_US/article.TECH153712.html by Symantec.
Delete Windows.old folder
Written by WinAdminDeleting Windows.old folder from System Drive
Windows.old folder is created when you upgrade your windows to a higher version. This is meant for roll back purpose. If you think that if you are not going to roll back to previous version, you can delete this folder to save much disk space. Windows.old folder is also created if your installation failed and you tried to install windows again in same drive without formatting.
Here is how to delete windows.old folder. Deleting the Windows.old folder can't be undone.
-
Open Disk Cleanup by clicking the Start button, in the search box, type Disk Cleanup (or cleanmgr.exe), and then, in the list of results, click Disk Cleanup.
Click OK.
-
Disk Cleanup window will open. Click Clean up system files.
-
The tool will check for any old windows and will display in a new window. Select Previous Windows installation(s) and click OK.
If you get any prompt that 'You cannot restore the machine back to the previous version of Windows', click Yes.
-
The cleaning process will begin. This process may take some time.
-
Once the operation is completed, you can check disk space of your System Drive. All the old Windows installations are deleted.
Offline install of .NET Framework 3.5 in Windows 10
To install .NET Framework 3.5 in Windows 10, do the following:
-
Insert your Windows 10 DVD, or double click its ISO image / or right click and select Mount the ISO, or insert your bootable flash drive with Windows 10, depending on what you have.
-
Open 'This PC' in File Explorer and note the drive letter of the installation media you have inserted. In my case it is disk H:
-
If you are using an ISO file, make sure that it is mounted.
-
Now open the elevated command prompt and type the following command:
Dism /online /enable-feature /featurename:NetFX3 /All /Source:H:\sources\sxs /LimitAccess -
Replace H: with your drive letter for Windows 10 installation media.
-
WIndows feature 3.5 is installed successfully.
-
If you face any problem please post here.
More...
Adding a Windows Server 2012 Domain Controller to an Existing Windows Server 2003 network
Written by WinAdminAdding a Windows Server 2012 Domain Controller to an Existing Windows Server 2003 network
As the end of support for Windows 2003 is nearing, it is time to upgrade to Windows 2012. Here I am going to show how to how to add Windows Server 2012R2 Domain controller to an existing Windows Server 2003 network.
Prerequisites:
-
Domain functional level must be Windows Server 2003 and above.
-
We cannot have Windows 2000 Domain controllers or earlier. Please keep in mind that raising Domain Functional Level is a onetime action and cannot be reverted.
-
You must be a member of Enterprise Admins group.
-
Raise domain functional level to Windows Server 2003 from Active Directory Users and Computers if not done.
-
Login to Windows 2012R2 server using Administrator credentials.
-
Open Server Manager and Click Add Roles and features.
-
Click Next. Select Role-based or feature-based installation. Click Next.
-
In Server Selection window, Select a server from the server pool and select server. Click Next.
-
Check Active Directory Domain Services. Check DNS Server if you want DNS is to be installed on this server.
-
In Add features that are required for Active Directory Domain Services window, click Add features.
-
Click Next. Click Install in confirmation window. Click Close after the installation is completed.
-
Once completed, notification is made available on the dashboard highlighted by an exclamation mark. Select it and select Promote this server to a domain controller.
-
In Active Directory Domain Services Configuration wizard, select Add a domain controller to an existing domain. Make sure that correct domain name is selected in Domain field. Click Next.
-
Type DSRM password and click Next.
-
Click Next and finally click Install.
-
After the installation is completed, the server will reboot. The new Windows Server 2012 Domain Controller setup is completed.
Configuring Server Core as a Domain Controller After installing the core Windows Operating System, the first step will be configuring the server. We can use sconfig.cmd to configure settings.
Change Hostname, configure IP settings, default gateway and DNS settings. Configuring a Windows Server 2012-based Server Core installation as a Domain Controller starts with one of the following:
-
Promoting a standalone server to a Domain Controller for a new domain
-
Promoting a member server to a replica or read-only replica Domain Controller (also known as an additional Domain Controller)
-
Cloning a Windows Server 2012-based Server Core Domain Controller to a new replica Domain Controller
In order to create new Forest and promote Windows Server 2012 Core to be Domain Controller for that Forest, first Active Directory Services Role has to be added: Open Powershell using powershell.exe Install-WindowsFeature AD-Domain-Services –IncludeManagementTools
Next type the following in powershell Install-ADDSForest -DomainName "winadmin.org" -DomainNetbiosName "WINADMIN" -DomainMode Win2012R2 -ForestMode Win2012R2 -InstallDns –Force The server will be rebooted after the server is promoted to Domain Controller. We can manage Active Directory using Active Directory Domain Services Tools from a remote computer.
Windows Authentication process
Written by WinAdminWindows Authentication process:
How Kerberos authentication works?
The Kerberos Authentication Process:
In a Kerberos environment, the authentication process begins at logon. The following steps describe the Kerberos authentication process:
1. When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long term keys for every principal in its realm.
2. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows.
3. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
When a client receives the session key and TGT from the server, it stores that information in volatile memory and not on the hard disk. Storing the information in the volatile memory and not on the hard disk makes the information more secure, because the information would be lost if the server were physically removed.
4. When a Kerberos client needs to access resources on a server that is a member of the same domain, it contacts the KDC. The client will present its TGT and a timestamp encrypted with the session key that is already shared with the KDC. The KDC decrypts the TGT using its KKDC. The TGT contains the user name and a copy of the SA. The KDC uses the SA to decrypt the timestamp. The KDC can confirm that this request actually comes from the user because only the user can use the SA.
5. Next, the KDC creates a pair of tickets, one for the client and one for the server on which the client needs to access resources. Each ticket contains the name of the user requesting the service, the recipient of the request, a timestamp that declares when the ticket was created, and a time duration that says how long the tickets are valid. Both tickets also contain a new key (KAB) that will be shared between the client and the server so they can securely communicate.
6. The KDC takes the server's ticket and encrypts it using the server master key (KB). Then the KDC nests the server's ticket inside the client's ticket, which also contains the KAB. The KDC encrypts the whole thing using the session key that it shares with the user from the logon process. The KDC then sends all the information to the user.
7. When the user receives the ticket, the user decrypts it using the SA. This exposes the KAB to the client and also exposes the server's ticket. The user cannot read the server's ticket. The user will encrypt the timestamp by using the KAB and send the timestamp and the server's ticket to the server on which the client wants to access resources. When it receives these two items, the server first decrypts its own ticket by using its KB. This permits access to the KAB, which can then decrypt the timestamp from the client.
Grow drive space in windows
Written by WinAdminLet us see how to grow drive space in Windows. It is very simple in Windows server 2008 and later. But there is some process while extending OS drive in 2003 server. Windows doesn't support growing OS drive.
First let us see how to extend in Windows 7 and 2008.
Grow disk space from VMware side and open Disk Management console. The added space is displayed in the management console. If it is a physical server, we must have free space immediately after the drive.
1. Select extend volume.
2. In the extend volume wizard, click Next.
3. Select the disk to be extended and select the amount of space in MB. Click Next.
4. Click Finish.
5. The drive / volume is extended.
