The magic of the SysNative Folder

May 25, 2010

Working with 64-bit operating systems, especially client operating systems, still presents some challenges. One interesting effect I’ve run into recently is the redirection of the %windir%\System32 folder: when a 32-bit application attempts to access that folder, it is redirected to %windir%\SysWOW64, which allows those applications to use the correct version of the various tools.

The difficulty arises with certain tools, such as bcdedit.exe, that do not exist in the %windir%\SysWOW64 directory, so the redirected call errors out. The solution is to access the tools through the %windir%\SysNative folder, which bypasses the redirection.

More information can be found here: http://msdn.microsoft.com/en-us/library/aa384187(VS.85).aspx
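The following is an added example, not code from the original post: a small PowerShell helper that picks the right path for a native tool such as bcdedit.exe depending on whether the calling process is itself 32-bit or 64-bit. The folder names come from the post; the function names are mine, and the script assumes PowerShell 3.0 or later (for the two [Environment] properties) and an elevated prompt for the bcdedit call at the end.

```powershell
# Added example (not from the original post): choose the System32 path that reaches the
# native 64-bit tools from whichever process bitness this script happens to run in.
# Function names are assumptions; requires PowerShell 3.0+ for the [Environment] properties.

function Get-NativeSystem32Path {
    # On a 32-bit OS there is no redirection; System32 is the real folder.
    if (-not [Environment]::Is64BitOperatingSystem) {
        return Join-Path $env:windir 'System32'
    }
    # A 64-bit process already sees the real System32; the SysNative alias is only
    # visible to 32-bit (WOW64) processes, so do not use it here.
    if ([Environment]::Is64BitProcess) {
        return Join-Path $env:windir 'System32'
    }
    # A 32-bit process is redirected to SysWOW64, so go through SysNative to bypass
    # the file system redirector and reach the 64-bit tools.
    return Join-Path $env:windir 'Sysnative'
}

function Resolve-NativeTool {
    param([Parameter(Mandatory = $true)][string]$Name)   # e.g. 'bcdedit.exe'
    $path = Join-Path (Get-NativeSystem32Path) $Name
    if (-not (Test-Path -LiteralPath $path)) {
        throw "$Name was not found at $path"
    }
    return $path
}

# Usage: run bcdedit through the native path regardless of the host process bitness.
# bcdedit itself needs an elevated prompt.
$bcdedit = Resolve-NativeTool -Name 'bcdedit.exe'
Write-Host "Using $bcdedit (64-bit OS: $([Environment]::Is64BitOperatingSystem); 64-bit process: $([Environment]::Is64BitProcess))"
& $bcdedit /enum
```

The check on Is64BitProcess matters because Sysnative only exists as seen from a 32-bit process; a 64-bit script that blindly uses it will fail with a path-not-found error.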

Adding NAT to a Hyper-V hosts for access to isolated lab guests

January 15, 2010

This latest cool solution comes from a colleague of mine, Andrew Abbate, and looks at providing access to isolated VM guests.

In my lab environment, I had a major constraint around IP address space. As such, I was given 4 IP addresses that covered my 4 Hyper-V hosts. Thus I needed a way to address and reach my 40+ VMs that are configured in isolated networks.

The solution? VLAN tagging and NAT.

The first step was to utilize the HP NIC utilities to create a tagged VLAN port (virtual interface). This can be done with any NIC that supports VLAN tagging including Broadcom and Intel Pro.


This gave me a 2nd interface to which I could bind an additional subnet without needing any additional network ports to activate additional networks in the Hyper-V servers.

In Hyper-V, the virtual switch is bound to the tagged VLAN interface.

Similarly, the individual VMs are bound to the same VLAN tag.

Within the VM, the guest is configured to use an IP from the subnet which is on the tagged VLAN and it uses the Hyper-V host as its default gateway.

The Hyper-V host then receives the Network Policy and Access Services role. This gives us Routing and, more importantly, Network Address Translation.

The “public” interface on the Hyper-V host is listed as the “internet” interface, and the tagged interface is used as the “shared” interface. This allows the IP range on the VMs to use the Hyper-V host as a NAT gateway. It is useful to note that if you forget to check “Enable virtual LAN identification” on the virtual switch interface (as shown above), the VMs will be able to talk to each other from host to host, but not to the host itself. This can be annoying when getting non-ISO files from the host to the guest, and it will prevent NAT from working.

At this point, NAT allows the VMs to talk to networks on the other side of the Hyper-V host – including the Internet!

Now at this point, my needs became slightly more esoteric.  I needed to test USB devices against the VM.  Since Hyper-V doesn’t have the ability to pass a USB device from the host to the guest, I needed another way.  I needed to be able to RDP directly into a VM that was on a network that wasn’t routable.  This is where the NAT configuration provides a solution.

By going into the properties of the public interface in the RRAS interface:

And then into the Services and Ports tab:

I’m able to add a service for a NAT/PAT rule allowing RDP on a custom port:

In this case, I’m saying “if someone hits the public interface on Hyper-V on port 3390, pass that to a specific VM on port 3389.” This allows me to publish all my VMs’ RDP services via a single IP address. I simply have to alter the port in the RDP client:

Net result: I can reach my 40 VMs running on an isolated network from a production network without having to burn 40 IP addresses. This can be very useful in a lab environment where you need to be able to bypass the processes of the network folks to get something working. It is also a fun exercise in VLAN tagging and NAT rules.

A second option, specific to RDP access, is to deploy a TS Gateway on the host to listen on the untagged VLAN and provide connections to systems on the tagged VLAN.

To accomplish this, I added RPC over HTTPS Proxy as a feature and Remote Desktop Services (R2) along with IIS as roles, defined the access rules and, for now, just created a self-signed cert.

I installed the self-signed cert into the Trusted Root container on my workstation, and I’m able to reference the Hyper-V host as my TS Gateway, list the “not really reachable” IP as my target, and RDP works fine.

So while both options can be used to provide RDP access to isolated guests, the incoming NAT translation can be used for many other purposes since it’s protocol independent; for example, with it I’m able to run Windows Update on my isolated lab systems!

~A
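As an added example (not code from the post or its author), the PowerShell below writes one .rdp connection file per isolated VM for each of the two access paths described above: the NAT/PAT rule on a custom port, and the TS Gateway on the host. Host name, guest names, addresses and port numbers are assumed values for a lab like the one described; the .rdp settings keys (full address, gatewayhostname, gatewayusagemethod, gatewayprofileusagemethod, prompt for credentials, authentication level) are the standard Remote Desktop client file format.

```powershell
# Added example (not from the original post): generate a .rdp file per isolated VM for both
# access options, so the custom-port-to-guest mapping is recorded instead of remembered.
# Host name, guest names, addresses and ports below are assumed for the lab.

$HyperVPublicName = 'hv01.lab.example.com'            # assumed: the host's routable name
$OutDir = Join-Path $env:USERPROFILE 'Desktop\LabRDP'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The NAT/PAT table as configured in RRAS: public port on the host -> guest on 3389.
# This table is also the inventory of RDP endpoints now reachable from the production side.
$PortMap = @(
    @{ Vm = 'LAB-DC01';  PublicPort = 3390; GuestIp = '10.10.100.11' },   # assumed
    @{ Vm = 'LAB-APP01'; PublicPort = 3391; GuestIp = '10.10.100.12' }    # assumed
)

function New-RdpFile {
    param([string]$Path, [string[]]$Settings)
    # Common settings: always prompt for credentials and require server authentication
    # (level 2 warns when the server certificate cannot be validated).
    $common = @(
        'prompt for credentials:i:1',
        'authentication level:i:2'
    )
    Set-Content -Path $Path -Value ($Settings + $common) -Encoding ASCII
}

foreach ($e in $PortMap) {
    # Option 1: NAT port mapping. Connect to the host itself on the custom public port.
    New-RdpFile -Path (Join-Path $OutDir "$($e.Vm)-nat.rdp") -Settings @(
        "full address:s:${HyperVPublicName}:$($e.PublicPort)"
    )
    # Option 2: TS Gateway on the host. Target the "not really reachable" guest address
    # and let the gateway relay the session onto the tagged VLAN.
    New-RdpFile -Path (Join-Path $OutDir "$($e.Vm)-gateway.rdp") -Settings @(
        "full address:s:$($e.GuestIp):3389",
        "gatewayhostname:s:$HyperVPublicName",
        'gatewayusagemethod:i:1',          # always use the gateway
        'gatewayprofileusagemethod:i:1'    # use the explicit settings in this file
    )
}

Get-ChildItem -Path $OutDir -Filter *.rdp | Select-Object Name
```

The gateway variant only works once the host's self-signed certificate is trusted by the workstation, as the post describes; the NAT variant works with any RDP client but exposes one listening port per VM on the public interface, so keep the $PortMap table current.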

Creating a SAN certificate request using native Windows tools

December 7, 2009

Many applications today require certificates that certify multiple subject names. These certificates are typically called SAN certificates because the additional names are stored in the Subject Alternative Name field of the certificate. One of the simplest ways to generate a request for such a certificate is to use Exchange 2007/2010’s New-ExchangeCertificate PowerShell command. If, however, you’re not running Exchange in-house, this option is not available. For those instances, the following process can be used to generate a SAN certificate request using native Windows tools.

1) Open a new instance of MMC and add the Certificates snap-in. Configure the snap-in to access certificates for the computer account of the local computer.

2) Right-click the Personal folder and choose All Tasks -> Advanced Operations -> Create Custom Request.

   a) Click Next on the welcome page.

   b) If prompted to select a policy, choose to proceed without a policy and click Next.

   c) Choose “(no template) Legacy Key” as the Template.

   d) For Request format, select PKCS #10 (the default selection) and click Next.

   e) Click Details to expand the listing and show the Properties button. Click Properties.

   f) Set the following properties:

      i) Private Key tab

         (1) Key Type: Exchange

         (2) Key Options: select the desired key size. I typically use 2048.

         (3) Key Options: check Make private key exportable.

      ii) Extensions tab

         (1) Extended Key Usage: add the Server Authentication option to the selected list on the right.

      iii) Subject tab

         (1) Add an entry of type Common name to the Subject name field with the primary subject name.

         (2) Add entries of type DNS to the Alternative name field. Add the primary subject name and any other required additional names.

         NOTE: Wildcards can also be used with this method, although currently Windows Certificate Authorities do not support issuing wildcard certificates.

      iv) General tab

         (1) Enter a friendly name and description text that will be associated with the certificate and make it easier to identify the certificate and its purpose.

   g) Click OK to close the Properties dialog and click Next.

3) Enter a filename for the request file (e.g. c:\iis-san-csr.req) and click Finish.

4) The request file can now be used with an internal Windows Certificate Authority (using Web Enrollment) or a third-party CA. Note that for a third-party CA, additional fields might be required to match the organization’s registered identity (OU, Department, State, Country, etc.).

5) Once you get the certificate back from the Certificate Authority, open the Certificates MMC again, right-click the Personal folder and choose All Tasks -> Import. Find the file and go through the wizard with the defaults.

That’s it. The resulting certificate can be exported with the private key.
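The same request can be produced without the MMC wizard using certreq.exe and an INF file, which is also a native Windows tool. The PowerShell below is an added example, not part of the original post: it writes the INF with the same choices as the steps above (AT_KEYEXCHANGE key, 2048 bits, exportable, machine store, Server Authentication EKU, DNS alternative names) and then builds and dumps the request. The subject name, alternative names, friendly name and file paths are assumed placeholders; a third-party CA may additionally require O, L, S and C components in the Subject line, as noted in step 4.

```powershell
# Added example (not from the original post): build the SAN request with certreq.exe and an
# INF file instead of the MMC wizard. Names and paths are assumed; run elevated so the key
# is created in the computer store, matching the wizard's computer-account snap-in.

$PrimaryName = 'www.example.com'                                        # assumed
$AltNames    = @('www.example.com', 'example.com', 'mail.example.com')  # assumed
$InfPath     = 'C:\iis-san-csr.inf'
$ReqPath     = 'C:\iis-san-csr.req'

# 2.5.29.17 is the Subject Alternative Name extension; with "{text}" each name is
# supplied as a dns=...& pair on a _continue_ line.
$sanLines = ($AltNames | ForEach-Object { "_continue_ = `"dns=${_}&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$PrimaryName"
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type chosen on the Private Key tab
KeySpec = 1
KeyLength = 2048
; same as "Make private key exportable"
Exportable = TRUE
; computer account store, not the user's
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; digital signature + key encipherment
KeyUsage = 0xa0
FriendlyName = "IIS SAN certificate"

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

Set-Content -Path $InfPath -Value $inf -Encoding ASCII
certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check the request before sending it to the CA: every alternative name should show up
# under the Subject Alternative Name extension. This is the part that is easy to get wrong.
certreq.exe -dump $ReqPath | Select-String -Pattern 'Subject Alternative Name', 'DNS Name='
```

The resulting .req file is used exactly like the one from step 3, and the issued certificate is imported with step 5; because Exportable is TRUE the private key can later be exported with it, just as with the wizard.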

Publishing Configuration Manager Internet based clients with an ISA server farm

December 3, 2009

The complexity of a System Center Configuration Manager 2007 R2 deployment (from here on referred to as SCCM) is significant even without the addition of native mode security and Internet Based Client Management (IBCM). But if you do need to extend your systems management to clients that rarely join your network, a common requirement for an organization with a remote sales force or telecommuting workers, you’ll appreciate the functions that are delivered with the additional complexity.

One additional element that adds to the complexity is the security implication of the IBCM solution. Since Internet based systems must connect to SCCM servers that are domain members, allowing those clients to connect directly to the IIS component on the servers probably violates not only your organization’s security policy but also general security best practices (not to mention common sense). The solution? Since the authentication for those IBCM clients is two way, requiring both a client and server authentication using PKI certificates, the options are limited to publishing the solution using an ISA server. Of course, since we want to avoid single points of failure, it would typically be an ISA farm with two (or more) servers in an array.

General instructions for configuring this scenario can be found here: http://technet.microsoft.com/en-us/library/cc707697.aspx

This is where we run into a couple of complications:

Certificate deployment

The ISA servers in this scenario will act as application proxies for the SCCM connection so the clients will authenticate to the ISA server (Using their SCCM client certificates) and the ISA server will authenticate to the client (Using the SCCM server certificate that was exported and imported in each ISA server). Then the ISA server will establish the connection to the SCCM servers and authenticate to them using its own client certificate.

The complication occurs because the client certificate deployment process executed on each ISA server results in a unique certificate per server, whereas the publishing rule’s certificate authentication configuration requires a common certificate in an array/farm configuration.

By default, the SCCM client certificate template does not allow the certificate to be exported, since that would allow anyone with 5 minutes of access to any client system to export the certificate and use it to create any number of unauthorized SCCM Internet client systems.

The solution is to make a copy of the SCCM client certificate template that does allow the certificate to be exported using the following process:

1. Open the Certificates Template MMC

2. Right click on the Configuration Manager client template and select Duplicate Template

3. Select a name for the duplicate, such as Exportable Configuration Manager client

4. On the Request Handling tab, check the box labeled ‘Allow private key to be exported’

5. Select the security tab and configure the required security

NOTE: Make sure to configure the security on the new template to restrict enrollment and auto enrollment as appropriate.

6. Click OK to save the new template

7. Open the Certificate Authority management console

8. Expand the certificate authority, right click on the Certificate Templates folder and select New->Certificate Template to Issue

9. Select the newly created exportable template.

Once the new template is deployed to the CA, use it to issue a certificate to one of the ISA servers, then export that certificate and import it into all the other ISA array/farm members; it can then be used on the publishing rule successfully.
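Because an exportable client certificate is exactly what the default template was designed to prevent, it is worth being able to confirm that the duplicate created above is the only exportable template in the forest and to see which CAs are issuing it. The PowerShell below is an added example, not code from the post: it reads the certificate templates and enrollment services objects from the configuration partition with plain ADSI (so it runs from any domain-joined machine, no AD module needed) and lists every template whose msPKI-Private-Key-Flag has the exportable bit (0x10, CTPRIVATEKEY_FLAG_EXPORTABLE_KEY) set. The function name is mine; the template name shown in the output depends on what you called the duplicate in step 3.

```powershell
# Added example (not from the original post): list every certificate template that allows
# the private key to be exported, and which CA publishes it. Read-only; uses ADSI only.
# Function name is an assumption; the flag constant is CTPRIVATEKEY_FLAG_EXPORTABLE_KEY.

$ExportableFlag = 0x10
$rootDse = [ADSI]'LDAP://RootDSE'
$pkiBase = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

function Get-LdapObjects {
    param([string]$Base, [string]$Filter, [string[]]$Attributes)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Base"
    $searcher.Filter = $Filter
    $searcher.PageSize = 500
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    $searcher.FindAll()
}

# Which templates each CA currently issues (the "Certificate Template to Issue" list).
$issuedBy = @{}
$cas = Get-LdapObjects -Base "CN=Enrollment Services,$pkiBase" `
                       -Filter '(objectClass=pKIEnrollmentService)' `
                       -Attributes 'cn', 'certificateTemplates'
foreach ($ca in $cas) {
    $caName = [string]$ca.Properties['cn'][0]
    foreach ($t in $ca.Properties['certificatetemplates']) {
        if ($issuedBy.ContainsKey($t)) { $issuedBy[$t] += $caName } else { $issuedBy[$t] = @($caName) }
    }
}

# Every template with the exportable-key bit set in msPKI-Private-Key-Flag.
$templates = Get-LdapObjects -Base "CN=Certificate Templates,$pkiBase" `
                             -Filter '(objectClass=pKICertificateTemplate)' `
                             -Attributes 'cn', 'displayName', 'msPKI-Private-Key-Flag'
$templates | ForEach-Object {
    $flagValues = $_.Properties['mspki-private-key-flag']
    $flags = if ($flagValues.Count -gt 0) { [int]$flagValues[0] } else { 0 }
    if ($flags -band $ExportableFlag) {
        $name = [string]$_.Properties['cn'][0]
        New-Object PSObject -Property @{
            Template    = [string]$_.Properties['displayname'][0]
            PublishedOn = $(if ($issuedBy.ContainsKey($name)) { $issuedBy[$name] -join ', ' } else { '(not issued)' })
        }
    }
} | Sort-Object Template | Format-Table Template, PublishedOn -AutoSize
```

If the exportable duplicate appears as published on a CA, the NOTE above applies: its enrollment permissions should be limited to the account used to enroll the single ISA certificate, and auto-enrollment should stay off, otherwise the exportable certificate is available to anyone who can enroll.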

Software Update deployment – WSUS

The software update deployment process, for internal and Internet based clients, uses WSUS as an update catalog. The result is that Internet based clients must access WSUS as well as SCCM components over the Internet.

The complication here is that WSUS doesn’t support client authentication at all, certificate-based or otherwise; it requires only regular SSL-based server authentication. In an ISA-published world, that means a new listener with a unique IP address/port combination.

The solution is to deploy WSUS to a custom web site on the Internet-facing SCCM servers using custom ports (typically 8530 and 8531 for WSUS) and to configure an ISA publishing rule for the custom ports. Step-by-step instructions for creating the publishing rule are available here: http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/10/29/how-to-configure-isa-ssl-bridging-for-the-internet-based-softare-update-point.aspx.

If you’ve already deployed WSUS to the default web site, moving it to the custom web site can be accomplished with the following command:

C:\Program Files\Update Services\Tools> wsusutil UseCustomWebSite True

And don’t forget to change the port configuration on the Software Update component in the SCCM console.

I hope these tips help someone avoid the two weeks it took me to put all the pieces together.

P2V(hd) the easy way

November 22, 2009

There are many methods for migrating a physical server to a Hyper-V virtual server, but most of them require a management platform or third-party software. For those in the market for a free and easy method to migrate physical servers onto a virtual Hyper-V platform, life recently got much easier with the introduction of Disk2vhd. Created by Mark Russinovich and Bryce Cogswell (of Sysinternals), the latest version of this tool makes P2V migrations as easy as can be.

Disk2vhd is free and will run on Windows Server 2003 SP1, Windows XP SP2 or later. The utility supports 32 and 64 bit systems. Running the tool is as simple as selecting the disks to be captured and the target location. For performance reasons it is recommended not to save the vhd image to the disk being captured, but capturing across a fast network works very well.

Disk2vhd is available for download here (http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx).

One seemingly common problem with the capture process occurs when capturing a boot disk that does not include the disk controller drivers required for the IDE controller used by Hyper-V. This situation can be identified when the captured image boots on Hyper-V with a blue screen showing a 0x0000007B error code. Luckily, a simple modification can be made to the system before the migration process is started to correct this issue. This process involves making sure that 4 IDE driver files are available on the server and registered in the registry. This additional process is typically needed only on Windows Server 2003 servers, and the required steps are explained in this KB article: http://support.microsoft.com/kb/314082. In my experience, on each system only one of the identified files was missing, and once it and the associated registry keys were added, the P2V process worked flawlessly.
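As an added example (not from the original post), the PowerShell below is a pre-migration check to run on the physical Windows Server 2003 machine before capturing it with Disk2vhd. It reports which of the four IDE driver files the KB article refers to (atapi.sys, intelide.sys, pciide.sys, pciidex.sys) are missing from the drivers folder and whether their services are registered as boot-start (Start = 0). The file list is what KB 314082 covers; the service key names and the requirement of Start = 0 are assumptions that should be checked against the KB's merge file before the results are relied on, and the function name is mine.

```powershell
# Added example (not from the original post): report which of the four IDE boot drivers
# KB 314082 deals with are missing or not registered as boot-start services, before Disk2vhd.
# Service key names and Start = 0 are assumptions to verify against the KB; pciidex.sys is a
# helper library with no service of its own, hence $null.

$DriverDir = Join-Path $env:windir 'System32\drivers'

$IdeDrivers = @{
    'atapi.sys'    = 'atapi'
    'intelide.sys' = 'IntelIde'
    'pciide.sys'   = 'PCIIde'
    'pciidex.sys'  = $null
}

function Test-IdeDriver {
    param([string]$File, [string]$Service)
    $filePresent = Test-Path -LiteralPath (Join-Path $DriverDir $File)
    $serviceOk = $null
    if ($Service) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
        if (Test-Path -LiteralPath $key) {
            $start = (Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue).Start
            $serviceOk = ($start -eq 0)     # 0 = boot-start, required for a boot-critical driver
        } else {
            $serviceOk = $false
        }
    }
    New-Object PSObject -Property @{
        File        = $File
        FilePresent = $filePresent
        Service     = $Service
        ServiceOk   = $serviceOk
    }
}

$report = foreach ($file in $IdeDrivers.Keys) { Test-IdeDriver -File $file -Service $IdeDrivers[$file] }
$report | Format-Table File, FilePresent, Service, ServiceOk -AutoSize

$problems = @($report | Where-Object { (-not $_.FilePresent) -or ($_.ServiceOk -eq $false) })
if ($problems.Count -gt 0) {
    Write-Warning "Fix the items flagged above per KB 314082 before running Disk2vhd, or the VM will stop with 0x0000007B."
} else {
    Write-Host "All IDE boot drivers present and registered; safe to capture."
}
```

Running this before the capture turns a post-migration blue screen into a pre-migration to-do list, which matches the experience in the post that only one file is usually missing.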

Now go get rid of those aging physical servers!

Group Policy Preferences aka GPPs

November 13, 2009

The biggest change to group policies since Windows 2000 comes to Windows courtesy of a Microsoft purchase of a company called Desktop Standard. Among several excellent enhancements to group policies comes Group Policy Preferences (GPPs). GPPs allow group policy objects to control a whole new set of Windows settings using Active Directory based GPOs. Along with dozens of new policy settings, GPPs introduce several new concepts to GPOs, namely multiple setting actions, item level targeting and one time application of settings. Each of these individually would make this new mechanism worth a look, but the combination is one of the most powerful tools available to Windows system administrators, and it’s all included in Windows at no additional cost.

Requirements

Before we dig into what GPPs can control and how they control it, let’s go over the requirements for using GPPs. The popular misconception is that GPPs require a significant investment in upgrading the domain, DCs or the entire network to Windows 2008/R2 and Vista/Windows 7. The truth is that the requirements are significantly lower than that. There are two sets of requirements related to using GPPs: the requirements to edit a GPO and the requirements to apply one:

  • Editing a GPO with GPPs requires a system running Windows Server 2008, Windows Server 2008 R2, Windows Vista SP1+ or Windows 7. Therefore, introducing a single machine running any of these operating systems to a network would allow GPOs using GPPs to be created.
  • Applying a GPO with GPPs is supported on the above-mentioned operating systems (Windows Server 2008, Windows Server 2008 R2, Windows Vista SP1+ and Windows 7) but also on Windows XP SP2+ and Windows 2003 SP2+. In order to use GPPs on Windows XP SP2, Windows 2003 and Vista RTM, the new Client Side Extensions (CSEs) for GPPs must be downloaded and installed. The updated CSEs are included in Windows XP SP3 and Vista SP1.

You’ll notice that there are no requirements for your domain controllers or other server operating systems!

Significant Features

GPPs introduce several unique new features that expand and enhance the usage of group policies and can be used for all GPPs:

  • Item level targeting

This feature, available on the Common tab, allows the construction of a multipart conditional statement that must be met before the setting is applied. Since the condition only applies to one setting, a single GPO can have settings that are applied to different users and computers. The condition parameters include items such as:

  • Computer Name
  • CPU Speed
  • Disk Space
  • Domain
  • Environment Variable
  • IP Address Range
  • Operating System
  • Organizational Unit
  • RAM
  • Site
  • User

Also available are conditions that query specific registry keys, files, LDAP objects and WMI properties.

  • Apply once

Another feature that can be found on the Common tab, and therefore can be used for the large majority of GPPs, is represented by a checkbox labeled ‘Apply once and do not reapply’. Using this setting allows the administrator to implement a default setting while still allowing users to modify it. This ‘soft’ application of GPO settings is a powerful tool for system administrators.

  • Modification actions

Found on the default and left-most tab of most GPPs is the Action pulldown. This setting provides granular control for the type of action used when applying the setting and contains the following options:

  • Create – This action will create a new object as specified. If an object exists, no action will be taken.
  • Replace – If the specific object exists, it will be removed and a new one created with the specified settings. If the object doesn’t exist, it will be created. This setting is similar to traditional GPOs and forces a configuration regardless of existing settings.
  • Update – If the specific object exists, it will be updated with any specified settings. Other settings will not be distributed. If the object doesn’t exist, it will be created.
  • Delete – This action will search for the specific object and delete it.

GPP Extensions

Of the approximately 20 new setting areas (or extensions) introduced with GPP, the majority provide a new, easier method of configuring settings that historically required complex scripts, third party utilities or were not possible at all.

The following extensions can be used to replace tasks traditionally completed with scripts or batch files:

  • Drive maps
  • Printers
  • Environment
  • Files
  • Registry
  • Shortcuts
  • Local Users and Groups

The following extensions, on the other hand, present functionality that is new to GPOs:

  • Start Menu
  • Folder Options
  • Power Options
  • Data Sources
  • Network Shares

The features, functions and elements described here are just examples of the new options available with GPPs. A review of the preferences sections within the GPO will quickly allow any administrator to find settings that address their own issues and optimize systems management in their organization.
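Everything described above (the Action pulldown, item-level targeting and “apply once”) ends up as XML under the GPO’s Preferences folder in SYSVOL, which is where an administrator auditing what a GPO will actually do should look. The PowerShell below is an added example, not code from the post: it parses a Registry preferences file and summarizes each item’s action (the C/R/U/D codes correspond to Create/Replace/Update/Delete), its target, its item-level targeting filters and whether it is marked apply-once (stored as a FilterRunOnce filter). The XML shown is a constructed sample with the structural elements only; the function name is mine. Point the script at a real file such as <GPO>\Machine\Preferences\Registry\Registry.xml to audit a live GPO.

```powershell
# Added example (not from the original post): read-only summary of a GPP Registry.xml,
# showing how Action, item-level targeting and "apply once" appear on disk.
# The XML below is a constructed sample; the function name is an assumption.

$SampleRegistryXml = @'
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings>
  <Registry name="NoDriveTypeAutoRun" status="NoDriveTypeAutoRun">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE"
                key="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
                name="NoDriveTypeAutoRun" type="REG_DWORD" value="000000FF"/>
    <Filters>
      <FilterOs bool="AND" not="0" class="NT" version="WINXP" type="NE" edition="NE" sp="NE"/>
      <FilterOrgUnit bool="AND" not="0" name="OU=Workstations,DC=example,DC=local"/>
    </Filters>
  </Registry>
  <Registry name="Wallpaper" status="Wallpaper">
    <Properties action="C" hive="HKEY_CURRENT_USER" key="Control Panel\Desktop"
                name="Wallpaper" type="REG_SZ" value="C:\Corp\default.jpg"/>
    <Filters>
      <FilterRunOnce id="{11111111-2222-3333-4444-555555555555}"/>
    </Filters>
  </Registry>
</RegistrySettings>
'@

$ActionNames = @{ 'C' = 'Create'; 'R' = 'Replace'; 'U' = 'Update'; 'D' = 'Delete' }

function Get-GppItemSummary {
    param([xml]$Document)
    foreach ($item in $Document.DocumentElement.SelectNodes('*')) {
        $props = $item.SelectSingleNode('Properties')
        $filters = @()
        foreach ($f in $item.SelectNodes('Filters/*')) {
            # Filter element names are "Filter" + the condition type shown in the UI
            $kind = $f.LocalName -replace '^Filter', ''
            if ($kind -eq 'RunOnce') { $filters += 'ApplyOnce'; continue }
            $neg = if ($f.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
            $filters += "$neg$kind"
        }
        New-Object PSObject -Property @{
            Item      = $item.GetAttribute('name')
            Action    = $ActionNames[$props.GetAttribute('action')]
            Target    = "$($props.GetAttribute('hive'))\$($props.GetAttribute('key'))\$($props.GetAttribute('name'))"
            ApplyOnce = ($filters -contains 'ApplyOnce')
            Targeting = (@($filters | Where-Object { $_ -ne 'ApplyOnce' }) -join ' ')
        }
    }
}

# Usage: swap the sample for (Get-Content -Raw '<GPO>\Machine\Preferences\Registry\Registry.xml')
$doc = [xml]$SampleRegistryXml
Get-GppItemSummary -Document $doc | Format-Table Item, Action, ApplyOnce, Targeting, Target -AutoSize
```

The same Properties/Filters layout is used by the other preference files (Drives.xml, Groups.xml, Files.xml and so on), so the function works on them with the Target line adjusted. One thing to look for when auditing those files: older GPP versions could store an encrypted password in a cpassword attribute for the Local Users and Groups, Drive Maps, Data Sources and similar extensions; Microsoft removed that capability in MS14-025, and any cpassword attribute found in SYSVOL should be treated as a finding to remediate.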

Hopefully this introduction helps readers understand GPPs a little better and leads some to leverage these very capable tools. If you have found a cool use for GPPs, please comment and share.

Welcome to the RDP Files

November 13, 2009

It seems only fitting to kick off a new blog with an introduction: an introduction to the author, to the content, and to the reason for writing a blog.

My name is Guy Yardeni.

I’m a 15-year veteran of IT infrastructure work, most of it done as a consultant and/or implementer assisting various organizations with deploying technologies such as directories, messaging, systems management, security systems and content management platforms.

Most of my work these days focuses on the Microsoft products filling the above categories, but my past adventures have included in-depth exploration of Novell, Cisco, Citrix products and many more.

My typical day is spent designing solutions, implementing complex systems, supporting the technologies or providing knowledge transfer to IT staff about each solution and related products.

Which leads me to the question of why we need another blog about IT technology: in the course of my work, I run across many difficult problems, questions and challenges. Most of these eventually do get solved, but many of the elements of the troubleshooting process or the solution are not available online. Furthermore, seldom are the details about the problem and the solution captured in an easily retrievable manner.

The notion that this hard-to-get, valuable information will not be available to myself (yes, I typically forget the details of the problem and solution after several months), my colleagues and other IT professionals seems very wasteful.

Therefore, the goal for this blog is to capture important information that I uncover in the course of my work and that would be valuable to myself and others down the road.

Finally, the name of the blog was selected because when I examine my work for the past several years, it seems that the tool that I use most often and that is most indispensable for my work is a good RDP client interface, which is used to remotely manage servers.

That’s it for the introduction, hope you’re ready for a steady stream of useful technical information.

Guy