Windows


    Sometimes you may receive an error if both Hyper-V and VMware Workstation are installed. To run VMware Workstation, you can disable Hyper-V and also disable Device/Credential Guard.

    Here is a procedure to disable Device/Credential Guard on a Windows 10 system.

    Disable Windows Defender Credential Guard by using Group Policy:

    • Group Policy, which can be used to enable Windows Defender Credential Guard, is also used to disable it.
    • From the Group Policy Management Console, go to Computer Configuration -> Administrative Templates -> System -> Device Guard.
    • Double-click Turn On Virtualization Based Security, and then click the Disabled option.

    Update Group Policy to apply changes with gpupdate /force.

    If the group policy update does not resolve the issue, reboot the system.
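A check to run from an elevated PowerShell prompt after gpupdate and the reboot, to confirm what actually changed. This is an added example, not part of the original procedure; it reads Microsoft's Win32_DeviceGuard class and the Device Guard policy key, and the output property names are chosen here for illustration.

```powershell
# Effective state as reported by the OS
$dg  = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$vbs = @{ 0 = 'Off'; 1 = 'Enabled but not running'; 2 = 'Running' }

# Values written by the "Turn On Virtualization Based Security" policy, if it is configured
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    VbsStatus              = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
    CredentialGuardRunning = $dg.SecurityServicesRunning -contains 1   # 1 = Credential Guard
    HvciRunning            = $dg.SecurityServicesRunning -contains 2   # 2 = HVCI
    PolicyEnableVbs        = $policy.EnableVirtualizationBasedSecurity # empty when not configured
    PolicyLsaCfgFlags      = $policy.LsaCfgFlags                       # empty when not configured
    # True while any hypervisor is loaded (also True inside a virtual machine)
    HypervisorPresent      = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
}
```

If CredentialGuardRunning is still True after the reboot, Credential Guard may have been enabled with UEFI lock, which the Group Policy setting alone does not clear.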

    How to set up Microsoft Active Directory Certificate Services [AD CS]

    Microsoft Active Directory Certificate Services [AD CS] provides a platform for issuing and managing public key infrastructure [PKI] certificates. On top of securing application and HTTP traffic, the certificates that AD CS provides can be used for authentication of computer, user, or device accounts on a network. Let us see how to install and set up Active Directory Certificate Services (AD CS).

    Open Server Manager and click Manage -> Add Roles and Features.

    Click Next. In the following screen, click Next.

    Select Role-based or feature-based installation.

    Select the option Select a server from the server pool.

    In the Select server roles window, select Active Directory Certificate Services.

    This will display the Add Roles and Features Wizard. Click Add Features.

    Click Next.

    Click Next, then Next again.

    Click Install in the Confirmation window.

    Once you see the Results window, click Close.

    The Active Directory Certificate Services feature is now installed on the server. Next, let us configure AD CS. Open the Server Manager window if it is closed; clicking the notification icon will open a drop-down. Click Configure Active Directory Certificate Services on the remote server.

    Click Next in the Credentials window. If needed, you can change the credentials.

    Click Next in the Role Services window.

    Select Enterprise CA.

    Select Root CA in CA Type.

    Select Create a new private key.

    Select SHA256 or as required.

    In the CA Name window, check the settings and click Next.

    Specify the validity period.

    Check the database settings and path, and change them if required.

    Check all your configuration in the Confirmation window and click Configure.

    You will see a Results window with the message Configuration succeeded.

    We have now added and configured Active Directory Certificate Services (AD CS).
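The same wizard choices (Enterprise CA, Root CA, new private key, SHA256) expressed with the ADCSDeployment cmdlets, as an added example that is not part of the original walkthrough. The key length, validity period and CA common name below are assumed values; the page leaves them to the reader.

```powershell
# Install the role (equivalent to the Add Roles and Features wizard steps)
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Wizard choices collected in one place so they can be reviewed before applying
$caParams = @{
    CAType              = 'EnterpriseRootCA'     # Enterprise CA + Root CA
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096                   # assumed value
    HashAlgorithmName   = 'SHA256'               # as selected in the wizard
    CACommonName        = 'Example-Root-CA'      # placeholder name
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10                     # assumed value
}

# Preview what would be configured, then apply
Install-AdcsCertificationAuthority @caParams -WhatIf
Install-AdcsCertificationAuthority @caParams -Force

# Confirm the CA service is running and which hash algorithm it signs with
Get-Service -Name CertSvc
certutil -getreg CA\CSP\CNGHashAlgorithm
```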

    Create a Certificate Request using Active Directory Certificate Services

    Create a Certificate Request using Microsoft Management Console

    Log in to the server where you want a certificate to be requested.

    Open Microsoft Management Console (MMC) using the mmc command. Make sure that you are running mmc as administrator. Click Add/Remove Snap-in.

    Select Certificates and click Add to add it to the Selected snap-ins.

    Select Computer account in the Certificates snap-in.

    Click Finish.

    Click OK.

    Expand Certificates in Console Root.

    Right-click Personal -> All Tasks -> Advanced Operations -> Create Custom Request...

    Click Next.

    Click Next.

    Select Web Server in the Template select option.

    Click Next.

    Click Next.

    Click the Details down arrow to configure options.

    Click Properties and configure the required properties.

    Give a file name to save the request and click Finish.

    Now we have completed a request. Let us generate the certificate if Active Directory Certificate Authority Web Enrolment is configured in your domain.

    Generate Certificate:

    Log in to the web server (in my case it is http://dc01.winadmin.org/certsrv/Default.asp).

    Click Request a certificate and then click advanced certificate request.

    Click the second option "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."

    Now open the request file with Notepad and copy the text. Paste it in the field Base-64-encoded certificate request. Select Web Server as the Certificate Template and click the Submit button.

    The certificate is now ready to download.
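A command-line counterpart to the MMC request and web submission above, using certreq and certutil from an elevated prompt. This is an added example, not the author's procedure: the host name and file names are placeholders, the key settings are assumptions, and WebServer is the built-in template name behind the "Web Server" display name.

```powershell
# Request definition (constructed sample): machine key, not exportable, SAN set explicitly
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=web01.example.test"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=web01.example.test&"
'@
Set-Content -Path .\web01.inf -Value $inf -Encoding ASCII

# Create the key pair in the computer store and write the base-64 PKCS #10 request
certreq -new .\web01.inf .\web01.req

# Review subject, SAN and key size before anything is sent to the CA
certutil -dump .\web01.req

# Submit against the Web Server template (prompts for the CA), then install the issued certificate
certreq -submit -attrib "CertificateTemplate:WebServer" .\web01.req .\web01.cer
certreq -accept -machine .\web01.cer
```

The web01.req file produced by the first certreq call is the same base-64 text that the web enrolment page expects, so the last two commands can be swapped for the browser steps.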

    VPShellRes.dll could not be found error message.

    Right-clicking any file generates a "VPShellRes.dll could not be found" error message, especially after removing a Symantec product.

     

    Please follow the instructions given at https://support.symantec.com/en_US/article.TECH153712.html by Symantec.

    Deleting Windows.old folder from System Drive

    The Windows.old folder is created when you upgrade Windows to a higher version. It is meant for rollback purposes. If you are not going to roll back to the previous version, you can delete this folder to save much disk space. The Windows.old folder is also created if your installation failed and you tried to install Windows again on the same drive without formatting.

    Here is how to delete windows.old folder. Deleting the Windows.old folder can't be undone.

    1. Open Disk Cleanup by clicking the Start button, typing Disk Cleanup (or cleanmgr.exe) in the search box, and then clicking Disk Cleanup in the list of results. Click OK.
    2. The Disk Cleanup window will open. Click Clean up system files.
    3. The tool will check for any old Windows installations and display them in a new window. Select Previous Windows installation(s) and click OK. If you get a prompt that 'You cannot restore the machine back to the previous version of Windows', click Yes.
    4. The cleaning process will begin. This process may take some time.
    5. Once the operation is completed, you can check the disk space of your System Drive. All the old Windows installations are deleted.

    Offline install of .NET Framework 3.5 in Windows 10

    To install .NET Framework 3.5 in Windows 10, do the following:

    1. Insert your Windows 10 DVD, double-click its ISO image (or right-click it and select Mount), or insert your bootable flash drive with Windows 10, depending on what you have.
    2. Open 'This PC' in File Explorer and note the drive letter of the installation media you have inserted. In my case it is disk H:
    3. If you are using an ISO file, make sure that it is mounted.
    4. Now open an elevated command prompt and type the following command:
      Dism /online /enable-feature /featurename:NetFX3 /All /Source:H:\sources\sxs /LimitAccess
    5. Replace H: with your drive letter for the Windows 10 installation media.
    6. The .NET Framework 3.5 Windows feature is installed successfully.
    7. If you face any problem, please post here.

    Adding a Windows Server 2012 Domain Controller to an Existing Windows Server 2003 network

    As the end of support for Windows 2003 is nearing, it is time to upgrade to Windows 2012. Here I am going to show how to add a Windows Server 2012R2 Domain Controller to an existing Windows Server 2003 network.

    Prerequisites:

    1. Domain functional level must be Windows Server 2003 and above.
    2. We cannot have Windows 2000 Domain Controllers or earlier. Please keep in mind that raising the Domain Functional Level is a one-time action and cannot be reverted.
    3. You must be a member of Enterprise Admins group.

     

    1. Raise the domain functional level to Windows Server 2003 from Active Directory Users and Computers if not done.
    2. Log in to the Windows 2012R2 server using Administrator credentials.
    3. Open Server Manager and click Add Roles and Features.
    4. Click Next. Select Role-based or feature-based installation. Click Next.
    5. In the Server Selection window, choose Select a server from the server pool and select the server. Click Next.
    6. Check Active Directory Domain Services. Check DNS Server if you want DNS to be installed on this server.
    7. In the Add features that are required for Active Directory Domain Services window, click Add Features.
    8. Click Next. Click Install in the confirmation window. Click Close after the installation is completed.
    9. Once completed, a notification is made available on the dashboard, highlighted by an exclamation mark. Select it and select Promote this server to a domain controller.
    10. In the Active Directory Domain Services Configuration wizard, select Add a domain controller to an existing domain. Make sure that the correct domain name is selected in the Domain field. Click Next.
    11. Type the DSRM password and click Next.
    12. Click Next and finally click Install.
    13. After the installation is completed, the server will reboot. The new Windows Server 2012 Domain Controller setup is completed.

    Configuring Server Core as a Domain Controller

    After installing the core Windows operating system, the first step is configuring the server. We can use sconfig.cmd to configure settings: change the hostname and configure IP settings, default gateway and DNS settings.

    Configuring a Windows Server 2012-based Server Core installation as a Domain Controller starts with one of the following:

    1. Promoting a standalone server to a Domain Controller for a new domain
    2. Promoting a member server to a replica or read-only replica Domain Controller (also known as an additional Domain Controller)
    3. Cloning a Windows Server 2012-based Server Core Domain Controller to a new replica Domain Controller

    In order to create a new forest and promote Windows Server 2012 Core to be the Domain Controller for that forest, the Active Directory Domain Services role first has to be added. Open PowerShell using powershell.exe and run:

      Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

    Next, type the following in PowerShell:

      Install-ADDSForest -DomainName "winadmin.org" -DomainNetbiosName "WINADMIN" -DomainMode Win2012R2 -ForestMode Win2012R2 -InstallDns -Force

    The server will be rebooted after it is promoted to Domain Controller. We can manage Active Directory using Active Directory Domain Services Tools from a remote computer.

    Windows Authentication process:

    How does Kerberos authentication work?

    The Kerberos Authentication Process:

    In a Kerberos environment, the authentication process begins at logon. The following steps describe the Kerberos authentication process:
    1. When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm.

    2. The KDC looks up the user's master key (K_A), which is based on the user's password. The KDC then creates two items: a session key (S_A) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the S_A, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (K_KDC), which only the KDC knows.

    3. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's K_A. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.

    When a client receives the session key and TGT from the server, it stores that information in volatile memory and not on the hard disk. Storing the information in the volatile memory and not on the hard disk makes the information more secure, because the information would be lost if the server were physically removed.

    4. When a Kerberos client needs to access resources on a server that is a member of the same domain, it contacts the KDC. The client will present its TGT and a timestamp encrypted with the session key that is already shared with the KDC. The KDC decrypts the TGT using its K_KDC. The TGT contains the user name and a copy of the S_A. The KDC uses the S_A to decrypt the timestamp. The KDC can confirm that this request actually comes from the user because only the user can use the S_A.

    5. Next, the KDC creates a pair of tickets, one for the client and one for the server on which the client needs to access resources. Each ticket contains the name of the user requesting the service, the recipient of the request, a timestamp that declares when the ticket was created, and a time duration that says how long the tickets are valid. Both tickets also contain a new key (K_AB) that will be shared between the client and the server so they can securely communicate.

    6. The KDC takes the server's ticket and encrypts it using the server master key (K_B). Then the KDC nests the server's ticket inside the client's ticket, which also contains the K_AB. The KDC encrypts the whole thing using the session key that it shares with the user from the logon process. The KDC then sends all the information to the user.

    7. When the user receives the ticket, the user decrypts it using the S_A. This exposes the K_AB to the client and also exposes the server's ticket. The user cannot read the server's ticket. The user will encrypt the timestamp by using the K_AB and send the timestamp and the server's ticket to the server on which the client wants to access resources. When it receives these two items, the server first decrypts its own ticket by using its K_B. This permits access to the K_AB, which can then decrypt the timestamp from the client.
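The seven steps above as a runnable toy model, added here as an illustration and not taken from the original article. Variables are named after the page's keys ($K_A, $S_A, $K_KDC, $K_B, $K_AB); AES-CBC with a SHA-256 password hash is an assumption standing in for the real Kerberos encryption types, and the user name and password are constructed.

```powershell
function New-Key {
    $k = New-Object byte[] 32
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    [Convert]::ToBase64String($k)
}
function Get-PasswordKey([string]$Password) {   # one-way hash of the password -> K_A
    $sha = [Security.Cryptography.SHA256]::Create()
    [Convert]::ToBase64String($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Password)))
}
function Protect-Message($Object, [string]$Key) {
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = [Convert]::FromBase64String($Key)
    $plain = [Text.Encoding]::UTF8.GetBytes(($Object | ConvertTo-Json -Compress))
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    [Convert]::ToBase64String([byte[]]($aes.IV + $cipher))   # IV is prepended
}
function Unprotect-Message([string]$Blob, [string]$Key) {
    $raw = [Convert]::FromBase64String($Blob)
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = [Convert]::FromBase64String($Key)
    $aes.IV = [byte[]]$raw[0..15]
    $plain = $aes.CreateDecryptor().TransformFinalBlock($raw, 16, $raw.Length - 16)
    [Text.Encoding]::UTF8.GetString($plain) | ConvertFrom-Json
}
$K_KDC = New-Key; $K_B = New-Key                  # KDC and server master keys
$K_A = Get-PasswordKey 'constructed-password'     # user's master key held by the KDC
# Steps 1-2, KDC: session key S_A for the user, and a TGT only the KDC can open
$S_A = New-Key
$reply = Protect-Message @{ SA = $S_A } $K_A
$tgtBlob = Protect-Message @{ SA = $S_A; User = 'alice'; Expires = [DateTime]::UtcNow.AddHours(10).Ticks } $K_KDC
# Step 3, client: hash the typed password into K_A and recover S_A
$mySA = (Unprotect-Message $reply (Get-PasswordKey 'constructed-password')).SA
# Step 4, client -> KDC: TGT plus a timestamp under S_A; the KDC opens both
$stamp = Protect-Message @{ Time = [DateTime]::UtcNow.Ticks } $mySA
$tgtOpen = Unprotect-Message $tgtBlob $K_KDC
$null = Unprotect-Message $stamp $tgtOpen.SA      # throws unless made with S_A
# Steps 5-6, KDC: server ticket under K_B, nested in the client ticket under S_A
$K_AB = New-Key
$serverTicket = Protect-Message @{ User = $tgtOpen.User; KAB = $K_AB } $K_B
$clientTicket = Protect-Message @{ KAB = $K_AB; ServerTicket = $serverTicket } $tgtOpen.SA
# Step 7, client: learns K_AB but cannot open the nested server ticket
$mine = Unprotect-Message $clientTicket $mySA
try { $null = Unprotect-Message $mine.ServerTicket $mySA } catch { 'client cannot open the server ticket' }
$request = Protect-Message @{ Time = [DateTime]::UtcNow.Ticks } $mine.KAB
# Step 7, server: opens its ticket with K_B, then the timestamp with K_AB
$ticket = Unprotect-Message $mine.ServerTicket $K_B
$seen = Unprotect-Message $request $ticket.KAB
"server accepts $($ticket.User), timestamp $($seen.Time)"
```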

    Let us see how to grow drive space in Windows. It is very simple in Windows Server 2008 and later, but extending the OS drive on a 2003 server involves an extra process, as Windows there doesn't support growing the OS drive.

    First let us see how to extend in Windows 7 and 2008.

    Grow disk space from VMware side and open Disk Management console. The added space is displayed in the management console. If it is a physical server, we must have free space immediately after the drive.

    1. Select Extend Volume.

    2. In the Extend Volume wizard, click Next.

    3. Select the disk to be extended and select the amount of space in MB. Click Next.

    4. Click Finish.

    5. The drive / volume is extended.

    © 2021 WinAdmin.org. All Rights Reserved.