You can Download this article as Word and PDF

Word Document: Understanding and Configuring Network Policy and Access Services in Server 2012

PDF: Understanding and Configuring Network Policy and Access Services in Server 2012

Introduction

In Part 1 of this series, we took a look at how the Network Policy and Access Services in Windows Server 2012, and particularly Network Access Protection (NAP), can help to protect your network when VPN clients connect to it by validating the health requirements that you institute as part of a health enforcement plan. In Part 2, we shared some tips on actually deploying NAP on Windows Server 2012. In Part 3, we’re going to discuss the process of setting up RADIUS servers.

A brief review of RADIUS: What it does

In Windows Server 2012, the Network Policy Server (NPS) can do more than just Network Access Protection (NAP). It can also function as a RADIUS server or a RADIUS proxy, as we mentioned in Part 1 of this series. RADIUS has been around since the early 1990s and is an IETF standard. It was defined by RFCs 2058 and 2059, which have since been made obsolete by newer standards. A good starting point when you’re planning to deploy RADIUS in your organization is RFC 6158, RADIUS Design Guidelines, published in March 2011. RADIUS is an open source client/server protocol designed to give network administrators the capability of managing authentication, authorization and accounting (AAA) from a centralized location. These three functions work together to provide control over remote users and computers by first authenticating their identities to determine whether they are allowed to access the network, then authorizing them to use specific network services or connect to specific network resources, and finally providing accounting so you can track the use of the services. RADIUS servers verify identity through a database on the RADIUS server, the Active Directory database, an LDAP server, Kerberos, a SQL database or other means. Because RADIUS keeps accounting records, it makes it possible to collect statistical information about usage or even to bill users, departments or organizations according to their usage.

A brief review of RADIUS: How it works

The RADIUS AAA process works as follows:
  1. The remote user/computer sends a request to the remote access server to access specific network resources contained on a network access server.
  2. The network access server prompts for credentials (e.g., user name and password).
  3. The user provides the credentials.
  4. The remote access server sends a request to the RADIUS server for authentication and authorization, which includes the credentials (the password is encrypted).
  5. The RADIUS server examines the request and responds by rejecting the request (if no or incorrect credentials are provided), challenging the request by asking for more information (PIN, smart card, etc.), or accepting the request by authenticating the user’s/machine’s identity.
  6. If the request is accepted, the RADIUS server checks the database to determine which resources the user is allowed to use and authorizes the user to use the requested resources if they are on the list.
  7. The RADIUS server begins tracking the session when the network access server sends an Accounting Start packet.
  8. It receives interim update packets from the network access server during the active session. The information can include the amount of time and data used.
  9. It receives an Accounting Stop packet when the session ends.
RADIUS uses UDP packets to communicate, over ports 1645 and 1646. It can use a number of different authentication methods.
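Steps 4 and 5 of the exchange above, worked through as an added Python example that is not part of the original article: it builds an Access-Request with the User-Password hidden the way RFC 2865 prescribes (an MD5 keystream derived from the shared secret, which is why the secret must be strong and unique per RADIUS client), and shows the check a network access server must make on the Response Authenticator before it trusts an Access-Accept. The shared secret, user name, password and NAS address are constructed values for the demo.

```python
"""Minimal RADIUS (RFC 2865) packet helpers, added as an illustration.

All secrets and addresses below are constructed for the demo; nothing here
talks to a real RADIUS server.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous cipher block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Each attribute is Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, user, password, nas_ip, authenticator=None):
    """Step 4: the NAS forwards the credentials. The Request Authenticator is a
    fresh random 16-byte value per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_IP, bytes(int(x) for x in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Step 5: the server answers. The Response Authenticator binds the reply to the
    request and to the shared secret (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The NAS recomputes the Response Authenticator before trusting an Access-Accept;
    a reply built with the wrong secret, or for a different request, fails this check."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]


def demo():
    """Round-trips a constructed request and checks a genuine and a forged Accept."""
    secret = b"constructed-shared-secret"          # constructed for the example
    req = build_access_request(7, secret, "alice", "pa55word", "192.0.2.10")
    req_auth = req[4:20]
    attrs = dict(decode_attrs(req[20:]))
    recovered = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, secret)
    forged = build_response(ACCESS_ACCEPT, 7, req_auth, b"wrong-secret")
    return recovered, verify_response(accept, req_auth, secret), verify_response(forged, req_auth, secret)


if __name__ == "__main__":
    print(demo())
```

Note that the User-Password hiding is not authenticated encryption: anyone holding the shared secret can recover the password, so the secret deserves the same protection as a credential.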

Configuring RADIUS

To configure RADIUS authentication for your network, you start by opening the NPS management console that’s shown in Figure 1, which you’ll find in the Administrative Tools menu after you’ve installed the NPS server role (as we showed you in a previous installment in this article series). You can use either the Standard or Advanced Configuration option to configure RADIUS. The Standard Configuration option will start a configuration wizard, so we’ll look at it first.

Figure 1

You have two choices under the Standard Configuration option:
  • You can configure a RADIUS server for dial-up or VPN connections
  • You can configure a RADIUS server for 802.1x wireless or wired connection
In our scenario, we’ll configure the RADIUS server for dial-up or VPN connections, since we have already set up a VPN server. Click the Configure VPN or Dial-up link. On the next page, you’ll be asked to select the type of connection (Dial-up or VPN). In this case, we’ll choose Virtual Private Network (VPN) Connections. NPS will be able to authenticate and authorize the connection requests from VPN clients. On this page, you also need to provide a name to be used as part of the policy name for policies that the wizard will create. This dialog box is shown in Figure 2.

Figure 2

On the next page, you need to add the RADIUS clients. These are the network access servers that will forward connection requests from remote clients to the RADIUS server. Click the Add button, shown in Figure 3, to add your RADIUS clients and fill in the dialog box fields asking for a friendly name, IP address or DNS name, and a shared secret template if you’re using one. You can also manually type a shared secret if you prefer, or you can have a shared secret automatically generated, by clicking the appropriate button.

Figure 3

On the following page of the wizard, you will configure the authentication method(s) to be used by RADIUS. The default selection is Microsoft Encrypted Authentication version 2 (MS-CHAPv2). You can also select MS-CHAP if the operating systems on your network do not support MS-CHAPv2, but this is not recommended as it’s not as secure. The other choice is to use the Extensible Authentication Protocol (EAP). If you choose EAP, you can use a secured password (EAP-MSCHAPv2) or Microsoft Protected EAP (PEAP), or you can use a smart card or certificate. This is the most secure authentication method. Note that you can select multiple protocols, as shown in Figure 4.

Figure 4

The next step is to select user groups, the members of which will be allowed or denied access to the network access servers through the VPN, based on the network policy Access Permission setting. Click the Add button to add user groups. This will invoke a dialog box through which you can select the groups, as shown in Figure 5.

Figure 5

The next page in the wizard allows you to configure IPv4 and IPv6 IP filters to control what types of network traffic can be sent and received through the VPN server. You can configure input and output filters for each IP protocol here, as you can see in Figure 6. We discussed input and output filters in a previous installment of this article series.

Figure 6

The next page of the wizard is where you specify the encryption settings to determine the minimum encryption strength(s) that will be allowed between the access clients and the network access servers. Your choices include:
  • Basic encryption (MPPE 40 bit)
  • Strong encryption (MPPE 56 bit)
  • Strongest encryption (MPPE 128 bit)
You can select multiple encryption strengths and the server and clients will negotiate the strongest supported by both. All strengths are allowed by default, as shown in Figure 7. You can uncheck the lower strength encryption choices to force connections only when the more secure encryption can be supported. If you uncheck all of the boxes, the traffic from the clients to the network access server will not be encrypted, so this is not recommended.

Figure 7

The next page of the wizard asks you to specify a realm name, which is part of the user name that the ISP uses to identify the connection requests that route to this server. It is not required that you specify a realm name; you can leave this field blank if you don’t know the realm name or don’t care about it. If you do specify a realm name, you should leave the box checked that says Before authentication, remove the realm name from the user name, as shown in Figure 8, so Windows will be able to authenticate the connection request.

Figure 8

This completes the wizard, and when you click Finish on the next page, it will automatically create two policies: a network policy and a connection request policy. The names of these policies will use the name that you assigned earlier in the wizard. The RADIUS clients will also be configured. There is a link labeled Configuration Details by which you can see a summary of the configuration settings (it opens in your default web browser) so you can review it and make sure everything is right before you click the Finish button. After you click Finish, the new policies will show up in the Policies node of the NPS management console, under Connection Request Policies and Network Policies, as you can see in Figure 9.

Figure 9

Your RADIUS clients that you configured through the wizard will show up in the RADIUS Clients node.

Summary

In Part 3 of this multi-part series on Understanding and Configuring NPAS in Windows Server 2012, we began our discussion of RADIUS and how to configure the NPS to act as a RADIUS server. We covered the steps of the configuration wizard this time, and next time we’ll talk about how to use the Advanced Configuration option, how to configure RADIUS server groups and how to configure a RADIUS proxy.

Introduction

In Part 1 of this series, we took a look at how the Network Policy and Access Services in Windows Server 2012, and particularly Network Access Protection (NAP), can help to protect your network when VPN clients connect to it by validating the health requirements that you institute as part of a health enforcement plan. In Part 2, we’ll go into some tips on actually deploying NAP on Windows Server 2012. Keep in mind, however, that NPAS and NAP are complex topics and we are covering only some basics here. There are much more detailed guidelines available in the TechNet Library that address many different network scenarios.

Installing the NPS role service on Windows Server 2012

To deploy NAP on Windows Server 2012, you need to install the Network Policy and Access Services role with the Network Policy Server role service. You can do this in one of two ways: by using Server Manager to install NPS via the graphical user interface, or by using PowerShell to install NPS via the command line. Before attempting installation, you need to know that if there is a manually configured IPv6-to-IPv4 address on the computer, NPS may fail to install correctly. You should disable the IPv6 configuration before attempting to install NPS. Here’s how:
  1. On the Windows Server 2012 Start Screen, type Network.
  2. In the right Search pane, select Settings.
  3. Click the View Network Connections option in the list.
  4. Right click the network connection for your local network and select Properties.
  5. On the Networking tab, uncheck the check box for Internet Protocol Version 6 (TCP/IPv6).
  6. Click OK.

Installing the NPS role service using Server Manager

To install the NPS role service in Windows Server 2012 via the graphical interface, first open Server Manager from the desktop taskbar or the Server Manager tile on the Start Screen, and perform the following steps:
  1. In Server Manager, click Manage and click Add Roles and Features.
  2. On the Before you begin page, click Next.
  3. On the Select Installation Type page, click Role/Feature Based Install and then click Next.
  4. On the Select destination server page, click Select a server from the server pool, click the names of the servers where you want to install NPS and then click Next.
  5. On the Select Server Roles page, click Network Policy and Access Services, and then click Next three times.
  6. On the Select role services page, click Network Policy Server, and in the Add Roles and Features Wizard dialog box, verify that Include management tools (if applicable) is selected.
  7. Click Add Features, and then click Next.
  8. On the Confirm installation selections page, click Install.
  9. On the Installation Results page, verify that the installation was successful, and then click Close.

Installing the NPS role service using PowerShell

To install the NPS role service in Windows Server 2012 using PowerShell, you first need to right-click the PowerShell icon on the taskbar and select Run as administrator in order to open a PowerShell session with administrative privileges. Then perform the following steps:
  1. Load the Server Manager module by typing:
     Import-Module ServerManager
  2. Next, install the NPS role service by typing:
     Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools
Note: This will also install the DHCP server role.
When the role service has been successfully installed, PowerShell will report Success = True and the Feature Result will show Network Policy and Access Services, as shown in Figure 1.

Figure 1: The NPS role has been successfully installed

Configuring the NAP server

You can configure the NAP server with three different types of policies:
  • Connection Request Policies use conditions and settings to authenticate client requests to access the network. These policies also control where the authentication will be performed. You must have a connection request policy for each NAP enforcement method.
  • Network Policies use conditions, settings and constraints to determine the level of access that will be authorized for a client that attempts to connect to the network. You need at least two network policies to deploy NAP: one for client computers that are found to be compliant with your health policies and one for those clients that are out of compliance.
  • Health Policies specify which System Health Validators (SHVs) are to be evaluated and how they’re to be used to evaluate health status. You have to enable at least one SHV for each health policy.
When creating network policies, you need to keep in mind that a client request can match one connection request policy and one network policy. It cannot match multiple policies of a type, so once a match is made, none of the other policies will be applied. That means the order in which policies are processed is important. The source of the request is also used in determining the order for evaluation. If there are policies that specify a source, requests sent from a matching source are evaluated only against those policies. If none of the policies specify a source that matches, clients try to match policies with the Unspecified source. If there are multiple policies with the same source that matches the client source, the policy that’s highest in the processing order is used (and if it fails, NPS goes down the list of policies in the processing order until it finds a policy that matches).

To configure NPS with a network policy, use the New Network Policy wizard on the NPS server. On the NPS server, open the Network Policy Server administrative tool from the Administrative Tools menu. In the left pane, expand the Policies node and click Network Policies. Right click and select New to start the New Network Policy Wizard, as shown in Figure 2.

Figure 2: Creating a new network policy

You can create a new connection request policy or a new health policy by right clicking the Connection Request Policies or Health Policies node and selecting New.
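The selection rules just described (source-scoped policies first, then Unspecified, then processing order, one winner per policy type), worked through as an added Python illustration that is not NPS code. The policy names, the source string and the request attributes are constructed for the demo; the point it makes is that a source-scoped policy set never falls back to Unspecified policies, so a VPN user outside the expected group is rejected rather than caught by a catch-all policy.

```python
"""NPS-style policy selection, added as an illustration (not NPS code).

Policies, sources and request values below are constructed for the demo.
"""
from dataclasses import dataclass, field

UNSPECIFIED = "Unspecified"


@dataclass
class Policy:
    name: str
    order: int                      # processing order; lower is evaluated first
    source: str = UNSPECIFIED       # network access server type the policy is scoped to
    conditions: dict = field(default_factory=dict)
    access: str = "full"            # "full", "restricted" or "deny"


def conditions_match(policy: Policy, request: dict) -> bool:
    """Every condition must hold. A set-valued request attribute (e.g. the user's
    group memberships) matches when it contains the required value; other
    attributes must be equal."""
    for attr, wanted in policy.conditions.items():
        have = request.get(attr)
        if isinstance(have, (set, frozenset)):
            if wanted not in have:
                return False
        elif have != wanted:
            return False
    return True


def select_policy(policies, request: dict):
    """Pick the single policy that applies to a request:
    1. if any policy names the request's source, only those policies are candidates;
    2. otherwise, only policies with the Unspecified source are candidates;
    3. candidates are tried in processing order and the first match wins.
    Returns None when no candidate matches (the request is then rejected)."""
    source = request.get("source", UNSPECIFIED)
    candidates = [p for p in policies if p.source == source]
    if not candidates:
        candidates = [p for p in policies if p.source == UNSPECIFIED]
    for policy in sorted(candidates, key=lambda p: p.order):
        if conditions_match(policy, request):
            return policy
    return None


# Constructed policy set: the two NAP network policies a VPN deployment needs
# (compliant and noncompliant) plus a catch-all for sources no policy names.
VPN = "Remote Access Server (VPN-Dial up)"
POLICIES = [
    Policy("NAP VPN Compliant", 1, VPN, {"groups": "VPN-Users", "health": "compliant"}, "full"),
    Policy("NAP VPN Noncompliant", 2, VPN, {"groups": "VPN-Users", "health": "noncompliant"}, "restricted"),
    Policy("Wired default", 3, UNSPECIFIED, {"groups": "Domain Users"}, "full"),
]


def decide(request: dict) -> str:
    """Return '<policy name>: <access>' or 'rejected' for a constructed request."""
    policy = select_policy(POLICIES, request)
    return f"{policy.name}: {policy.access}" if policy else "rejected"


if __name__ == "__main__":
    print(decide({"source": VPN, "groups": {"VPN-Users"}, "health": "compliant"}))
    print(decide({"source": VPN, "groups": {"Domain Users"}, "health": "compliant"}))
```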

Configuring the VPN servers with NPS

The steps involved in configuring VPN servers with NPS are as follows:
  1. Install and configure your VPN servers as discussed in the first part of this chapter.
  2. Decide what authentication method is to be used.
  3. Install the NPS role on the NPS server.
  4. Autoenroll a server certificate to the NPS server(s) or purchase a server certificate (for PEAP-MS-CHAP v2 authentication).
  5. For EAP-TLS or PEAP-TLS without smart cards, autoenroll user and/or computer certificates to domain users and client computers that are domain members.
  6. Configure your VPN servers as RADIUS clients in NPS.
  7. Create an Active Directory user group for users who will be allowed to connect via the VPN servers.
  8. Configure network policies for VPN services in NPS.
To create the connection request and network policies that you need in order to deploy VPN servers as RADIUS clients to the NPS server, you can use the New Dial-up or Virtual Private Network Connections wizard. Open the NPS console from the Administrative Tools menu on the server where you have installed the Network Policy Server role service. Click the NPS (Local) top level node in the left pane and follow these steps:
  1. Under Standard Configuration, in the drop-down box, select RADIUS server for Dial-up or VPN Connections, as shown in Figure 3.

Figure 3: Creating the policies required to deploy VPN servers as RADIUS clients to the NPS

  2. Click Configure VPN or Dial-Up. In the wizard, select Virtual Private Network (VPN) Connections under the Type of connections section, as shown in Figure 4.

Figure 4: Selecting the connections type (VPN)

  3. Provide text to be part of the name for each of the policies the wizard creates or accept the default, and click Next.
  4. On the Specify Dial-Up or VPN Server page, the local computer will be automatically added as a RADIUS client to the NPS server if it is running RRAS as a VPN server. You can add remote VPN servers by clicking the Add button.
  5. On the Configure Authentication Methods page, select the protocol(s) you want to use for authentication, as shown in Figure 5.

Figure 5: Configuring the authentication method(s)

  6. On the Specify User Groups page, you can select the groups to which the policy will apply by clicking the Add button. If you don’t select any groups, the policy will apply to all users.
  7. On the Specify IP Filters page, you can configure IPv4 and IPv6 input and output filters for the RRAS VPN server.
  8. On the Specify Encryption Settings page, you can select the encryption strength to be used for MPPE (40-bit, 56-bit and/or 128-bit). By default, all three are selected, as shown in Figure 6.

Figure 6: Specifying encryption settings

  9. On the Specify Realm Name page, you can specify a realm name to replace the domain name in user credentials. This is the name that your ISP uses to forward requests. This is an optional field.
  10. On the Completing New Dial-Up or Virtual Private Network Connections and RADIUS clients page (the last page of the wizard), you can click Configuration Details to review your configuration choices. This will open the configuration details in your default web browser, as shown in Figure 7.

Figure 7: Viewing configuration details in the browser

  11. Click Finish in the wizard to create the policies. They will now show up in the Connection Request Policies and Network Policies nodes in the Network Policy Server console.

Configuring the HRA

You can configure the authentication requirements, certification authorities and request policy for the HRA.

Authentication requirements: You can either restrict the issuance of health certificates to authenticated domain users or you can allow anonymous users to obtain health certificates. If you allow both, two separate web sites will be created, one for requests by domain users and one for requests by anonymous users. You can enable SSL so that clients communicating with the web sites must use a secure (https://) URL. The IIS server will need an SSL certificate in the local computer certificate store or the current user certificate store, to be used for server authentication.

Certification Authority: You must configure the HRA with at least one NAP CA. You can add or delete CAs and change their order from the HRA console’s Certification Authority node. You can use either a standalone CA or an enterprise CA.

Request Policy: The request policy settings define how the HRA communicates with clients, specifically the cryptographic policy elements, which include asymmetric key algorithms, hash key algorithms, cryptographic service providers and transport policy. You can use the default request policy settings, which negotiate a mutually acceptable encryption mechanism; this is usually the best practice unless you are certain your modified settings will work properly.

Configuring Client Computers

Microsoft recommends, as part of its best practices, that client computers be configured automatically. NAP-capable client computers (those Windows XP SP3 and above systems on which the NAP Agent software is installed and running) can be configured automatically by importing NAP configuration files into Group Policy. You can configure NAP client settings in one of three ways:
  • The NAP Client Configuration Console gives you a graphical UI for configuring the NAP client settings.
  • Netsh gives you a way to configure NAP client settings from the command line.
  • The Group Policy Management Console allows you to configure NAP client settings in Group Policy on clients that are domain members.
You can save NAP client settings in a configuration file that you can then apply to other computers. You need to be a member of the local Administrators group on the computer to import a configuration file. To import a configuration file, type NAPCLCFG.MSC at the command line or in the Run box to open the NAP Client Configuration console. Right click the top level node, NAP Client Configuration (Local Computer), in the left pane, and select Import. Navigate to the location where the file is stored, type the file name for the configuration file and select Open. Alternatively, you can type:
  netsh nap client import filename = <file name>
You must enable at least one NAP enforcement client on the client computers. The six NAP enforcement client types are:
  • DHCP
  • IPsec
  • Remote Desktop Gateway
  • EAP
  • Remote Access
  • Wireless EAP over LAN
Your VPN clients need to be enabled as Remote Access clients so health policies will be enforced when they attempt to access the network through the NAP-enabled VPN server. The NAP enforcement clients are enabled and disabled through the NAP Client Configuration console or the netsh command. You need to be a local Administrator to enable or disable enforcement clients.
To enable the Remote Access enforcement client through the console, click the Enforcement Clients node in the left pane. In the middle pane, right click Remote Access Quarantine Enforcement Client and click Enable. To enable the Remote Access enforcement client at the command line, type:
  netsh nap client set enforcement ID = 79618 ADMIN = "ENABLE"

Summary

In Parts 1 and 2 of this series on understanding and configuring Network Policy and Access Services in Windows Server 2012, we have looked at the deployment of NAP. In Part 3, we’ll move on to the process of setting up RADIUS servers.

Introduction

An important part of a network security strategy is the protection of the network from threats that can be introduced via the client computers that connect to that network. This becomes particularly vital in the case of remote clients, such as laptops that workers take off site and home computers that employees use to access their work during off-work time or even full-time as telecommuters. Windows Server 2012 based networks have many mechanisms aimed at giving administrators more control over who connects to the corporate network and over the computers they use to connect. DirectAccess is one such technology, and I’ve discussed it in previous articles. But not all clients are able to use DirectAccess; those that run legacy operating systems (pre-Windows 7) and those that are not domain members will need to use a different connection method, such as virtual private networking (VPN). Windows Server operating systems provide features that help to protect the network when VPN clients connect, as well.

Network Access Protection (NAP) has been around for quite some time. It was introduced with Windows Server 2008 to provide a built-in policy-based technology similar to Cisco’s Network Access Control (NAC). Windows Server 2008 R2 added functionality and features.

Remote Authentication Dial In User Service (RADIUS) server support in Windows Server has been around even longer. If you’re coming to Windows Server 2012 from Windows Server 2003, when you think of RADIUS in Windows, you probably think of Internet Authentication Service (IAS). In Windows Server 2008, IAS was replaced by NPS – the Network Policy Server. The NPS is part of a larger framework: Microsoft’s Network Policy and Access Services (NPAS).


Understanding NPAS: What it includes

The Network Policy and Access Services include the following role services:
  • Network Policy Server (NPS)
  • Health Registration Authority (HRA)
  • Host Credential Authorization Protocol (HCAP)
  • RADIUS server and proxy
This is the server role through which you deploy Network Access Protection (NAP) in Windows Server 2012, and that’s what we’re going to be talking about in the first part of this series of articles. A new feature in Windows Server 2012 is the ability to use PowerShell to install and configure the Network Policy Server. NAP enforces health policies on a number of connection types, including IPsec-protected communications, IEEE 802.1X-authenticated communications, and terminal services gateway connections. In this article, we’ll be looking at NAP primarily as an enforcement mechanism for remote clients connecting via a VPN.

Understanding NAP: What it does

NAP utilizes a number of components on the server and client to allow administrators much greater control over which computers are allowed to connect to the network, and specifically to prevent systems that may be at risk – such as those that do not have up-to-date security patches, aren’t running antivirus software and antimalware software with current definitions, don’t have an active host firewall, etc. – from connecting to the network and potentially putting other systems at risk as well. NAP can be used with client computers running Windows XP SP3 and above; these operating systems support the NAP Agent that is the component on the client that collects and manages health information. When the NAP Agent service is installed and running, the client can communicate its health status to the NAP servers. The health status information is based on the state of the client’s configuration and can include such factors as:
  • The firewall status
  • Antivirus signature status
  • Status of service packs and security updates.

Understanding NAP: How it works

NAP is Microsoft’s implementation of a “health” enforcement solution. In the context of protecting remote clients and protecting the network from health “issues” that those remote clients may bring to the network, it checks the identity of each remote client and determines whether it is in compliance with the organization’s health policies. The health information that each client sends to the NAP server is called a statement of health or SoH. The server evaluates this information based on the policies and settings that have been configured. It uses this information, along with group membership, to determine whether and at what level of access the client will be allowed to connect to the corporate network. Clients that are out of compliance with the policies can be brought into compliance through NAP’s mechanisms. NAP does this by performing a network health analysis, verifying the effectiveness of existing security policies, and helping administrators to identify risks by creating a health profile for the network. This improves the overall health of the network by enforcing compliance with your network health policies and restricting the access of remote client computers that are not in compliance.

Understanding NAP: The parts and pieces

The Network Policy Server is the core component of a NAP deployment. It is used to manage network access through the VPN server, RADIUS servers and other points of access to the network. Depending on your network environment, you may deploy multiple NPS servers. An NPS can be a RADIUS server, a RADIUS proxy or a NAP policy server. The NAP server is where you configure the NAP policies and settings such as health policies, SHVs, and remediation server groups. Remediation servers are the servers to which non-compliant clients are allowed to connect in order to update their configurations so as to become compliant, after which they can be re-evaluated and allowed to connect to other network resources.

The NPS works in conjunction with other components, including the System Health Agents (SHAs) and System Health Validators (SHVs). The SHA that is built into Windows Vista and Windows 7 operating systems is called the Windows Security Health Agent (WSHA), which works with the Windows Security Center on the client computer and the Windows Security Health Validator (WSHV). You can configure the WSHV settings to report on the host firewall, virus protection, spyware protection, automatic updating status, and security updates installed. Third party vendors can use the NAP API to create SHAs and SHVs for their software products (for example, third party antivirus programs).

The Health Registration Authority (HRA) is another server component of NAP that is used in IPsec enforcement and is installed on a computer that is running NPS and IIS. These services must be installed on the HRA computer. When you install the Network Policy and Access Services server role on a Windows Server 2012 server, the HRA administrative tool will be installed on the NPS server. Likewise, if you install HRA, NPS is automatically installed. The HRA approves the issuance of health certificates to NAP clients. These health certificates are X.509 certificates that are issued by an Active Directory certification authority (CA). A CA that issues health certificates is known as a NAP CA. To get a health certificate from the NAP CA, the client must submit a SoH to the HRA. IIS is used to provide the interface by which the clients contact the HRA to request a health certificate.

Understanding NPS policies

The NPS can apply and enforce three different types of policies:
  • Connection request policies
  • Network policies
  • Health policies
In Part 2, when we start configuring policies, we’ll go into more detail about what each of these policy types does. NPS also supports templates for health policies that you can use to make it quicker and easier to configure NPS on the server. These are available in the Templates Management section of the NPS console (which you’ll see in Part 2). You can easily create new templates.

Planning for NAP

Before you undertake the deployment of NAP on your network, there are a number of planning tasks that you should complete. The following checklist can serve as a guideline for planning your NAP deployment:
  • Determine the NAP enforcement method (in this case, we are focusing on VPN enforcement)
  • Plan the appropriate placement of your NAP server(s) on the network so it can communicate with other NAP components and so it will have a connection to Active Directory Domain Services (AD DS) for authentication of domain users connecting through the VPN.
  • Determine whether you need multiple NAP servers for load balancing and failover.
  • Determine which health requirements you want to enforce (for example, firewall, virus protection, antivirus software updates, spyware protection and updates, automatic updating enabled, security updates installed via WSUS and/or Windows Update).
  • Determine how you will deal with those computers that will be exempt from health checks (e.g., domain controllers and most other servers, devices that are not NAP-capable, and users who must have access at all times). This is your exception management strategy.
  • Consider your NAP reporting strategy.
  • Create a pilot program to help you evaluate your NAP deployment decisions.
  • Document the NAP deployment design.

Deploying NAP: A preview

To deploy NAP on Windows Server 2012, you will need to install the Network Policy and Access Services role with the Network Policy Server role service. You can do this in one of two ways: by using Server Manager to install NPS via the graphical user interface, or by using PowerShell to install NPS via the command line. In Part 2 of this article series, we'll dig down into how to install NPAS using both of these methods, and then we'll look at the steps that you need to complete in order to configure your VPN servers to work with the Network Policy Server (NPS) so they can use NAP to validate the health of VPN clients that attempt to connect to your corporate network.
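As an added preview of the command-line route (this example is not from the article), the following PowerShell installs the Network Policy Server role service, registers NPS in Active Directory so it can read the dial-in properties of domain users, and confirms the service is running. It assumes the Windows Server 2012 feature name NPAS-Policy-Server and the NPS service name IAS, and must run in an elevated session on the server.

```powershell
# Added example (not from the article): install and verify the NPS role service.
# Assumptions: feature name NPAS-Policy-Server, service name IAS (the name NPS kept
# from its Internet Authentication Service days); run as an administrator.
Import-Module ServerManager

function Install-NpsRole {
    $feature = Get-WindowsFeature -Name NPAS-Policy-Server
    if ($feature.Installed) {
        Write-Output "NPAS-Policy-Server is already installed"
    } else {
        # -IncludeManagementTools also installs the NPS MMC console used in Part 2
        $result = Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools
        if (-not $result.Success) { throw "Install failed, exit code $($result.ExitCode)" }
        if ($result.RestartNeeded -ne 'No') { Write-Warning "A restart may be required" }
    }

    # Registering NPS in AD DS adds the server to the RAS and IAS Servers group so
    # it can evaluate the dial-in properties of domain user accounts.
    & netsh nps add registeredserver | Out-Null

    $svc = Get-Service -Name IAS
    if ($svc.Status -ne 'Running') { Start-Service -Name IAS }
    return (Get-Service -Name IAS).Status
}

Install-NpsRole
```

Check the returned status is Running before moving on to the policy configuration; if the registration step fails, the account running the script lacks rights to modify the RAS and IAS Servers group in the domain.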

Downloads, Learn and Teach, Windows
Anyone that has to manage multiple computers understands that having multiple terminal service windows open is a pain. To combat this problem Microsoft has provided Remote Desktop Connection Manager (RDCMAN). I recommend RDCMAN to all my customers. What I have noticed however is that my customers struggle with getting all the servers they want into RDCMAN.

Note: Make sure that Remote Desktop is enabled on the servers that you want to manage from RDCMAN.

In this blog I will cover how to quickly import all the servers from a lab environment into an RDCMAN file. These steps can be used in production as well. The only difference might be that you may not want to import all your production servers into one RDCMAN session. In these scenarios servers can be filtered out using PowerShell. For example, if you're the Exchange administrator for your organization, and all the Exchange servers are homed in the same Organizational Unit (OU), you would only export the servers in the Exchange Server OU.

From a computer with PowerShell 2.0 or higher, open PowerShell as an administrator. Within the PowerShell window type or copy the syntax below. This command will import the PowerShell commands to manage Active Directory.

Import-Module ActiveDirectory

Now that the Active Directory commands have been exposed to PowerShell, Get-ADComputer can be used to return all the computer names stored in Active Directory. The Select command will only grab the computer name, the FT command will remove the table heading, and the > will export the pipeline to a text file.

Get-ADComputer -Filter 'ObjectClass -eq "Computer"' | select name | ft -HideTableHeaders > C:\exportServers.txt

The output should look something like this:

NOTE: Make sure there are no whitespaces in the text file. You can remove whitespace by opening the file in Excel and saving the file as a text file, or by using find and replace (Control + H) in Notepad.

Let's open RDCMAN and get these servers imported.

RDCMAN is located under C:\Program Files (x86)\Remote Desktop Connection Manager.

Within RDCMAN go to File > New and create a new .rdg file. I named my .rdg file Lab.

Right click on Lab.rdg and select Properties > select the Logon Credentials tab > uncheck Inherit from parent > enter your User name, Password and Domain. Once your User name, Password and Domain have been entered, click OK to save your settings.

Within the RDCMAN window click Edit > Import servers... In the Server Settings tab click the Browse button, navigate to the server text file and import the file. Now you should see all the servers in RDCMAN and be able to connect to any of the servers.
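The export step above can be done in one script that also handles the two things the post warns about: the whitespace that Format-Table padding leaves in the file, and servers where Remote Desktop is not reachable. This is an added example and not the post's own commands; the OU distinguished name and output path are assumed placeholders, and unlike the post's ObjectClass filter it restricts the export to computers whose operating system is a Server edition and limits it to one OU.

```powershell
# Added example (not from the post): export a clean server list for
# RDCMAN's Edit > Import servers. One name per line, no trailing whitespace.
# Assumed placeholders: the OU distinguished name and the output path.
Import-Module ActiveDirectory

function Test-RdpPort {
    param([string]$ComputerName, [int]$TimeoutMs = 2000)
    # Plain TCP connect to 3389; works on PowerShell 2.0, no Test-NetConnection needed
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, 3389, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Export-RdcmanServerList {
    param(
        [string]$SearchBase = 'OU=Exchange Servers,DC=lab,DC=local',  # assumed OU
        [string]$Path = 'C:\exportServers.txt',
        [switch]$TestRdp   # skip hosts where TCP 3389 does not answer
    )
    # -SearchBase scopes the query to one OU (e.g. only the Exchange servers);
    # DNSHostName lets RDCMAN connect by FQDN instead of the short name.
    $computers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' `
        -SearchBase $SearchBase -Properties DNSHostName

    $names = foreach ($c in $computers) {
        $name = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
        $name = $name.Trim()   # padding from select/ft is what breaks the import
        if ($TestRdp -and -not (Test-RdpPort -ComputerName $name)) {
            Write-Warning "${name}: TCP 3389 not reachable, skipped (is Remote Desktop enabled?)"
            continue
        }
        $name
    }

    # Set-Content writes bare strings (no table padding); ASCII avoids a BOM that
    # would otherwise be read as part of the first server name.
    $names | Sort-Object -Unique | Set-Content -Path $Path -Encoding ASCII
    return (Get-Content -Path $Path | Measure-Object).Count
}

$count = Export-RdcmanServerList -TestRdp
Write-Output "Exported $count server name(s) to C:\exportServers.txt"
```

Run it from a machine with the Active Directory module (RSAT) as a user allowed to read the OU; the returned count should match the number of rows RDCMAN shows after the import.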

Learn and Teach, Windows

Printers Migration drivers and ports

For the printer migration, the Server 2012 Print Management tool supports an export feature; this will export the printers, print queues and printer drivers to a print migration file. Just go to Print Management > right click your print server > choose Export. Then take the file to your new print server and do an import. You can access the print migration tool directly as well, see the link below:
https://technet.microsoft.com/en-us/library/cc773832(v=ws.10).aspx
Another option is to use the Windows Server Migration Tools:
https://technet.microsoft.com/en-us/library/dd379545(v=ws.10).aspx
Here is a print migration guide:
https://technet.microsoft.com/en-us/library/dd379488(v=ws.10).aspx
As for redirecting the users' existing printers, are the computers domain joined? If so then I would use Group Policy Preferences to map new printers to their computers, set the default printer and remove the old ones.
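The export and import that the Print Management console performs can also be scripted with Printbrm.exe, the command-line printer migration tool that ships under %SystemRoot%\System32\spool\tools. The following is an added example, not part of the post; the server names and file path are placeholders, and it assumes an elevated PowerShell session on the Server 2012 print server with network access to the old server.

```powershell
# Added example (not from the post): scripted printer migration with Printbrm.exe.
# Placeholders: OLDPRINT01, NEWPRINT01 and the migration file path.
# Run elevated; -s names the server to back up from or restore to.
function Invoke-PrinterMigration {
    param(
        [string]$OldServer = 'OLDPRINT01',
        [string]$NewServer = 'NEWPRINT01',
        [string]$MigrationFile = 'C:\PrintMigration\printers.printerExport'
    )
    $printbrm = Join-Path $env:SystemRoot 'System32\spool\tools\printbrm.exe'
    if (-not (Test-Path $printbrm)) { throw "Printbrm.exe not found at $printbrm" }

    $dir = Split-Path $MigrationFile -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # -b backs up queues, drivers, ports and forms from the old server into -f
    & $printbrm -b -s "\\$OldServer" -f $MigrationFile
    if ($LASTEXITCODE -ne 0) { throw "Backup from $OldServer failed (exit $LASTEXITCODE)" }

    # -r restores onto the new server; "-o force" overwrites queues that already exist.
    # Caveat: drivers in the file must match the new server's architecture, otherwise
    # those queues are skipped and printbrm reports them in its output.
    & $printbrm -r -s "\\$NewServer" -f $MigrationFile -o force
    if ($LASTEXITCODE -ne 0) { throw "Restore to $NewServer failed (exit $LASTEXITCODE)" }

    # Verify the queues now exist on the new server before repointing clients
    Get-WmiObject -Class Win32_Printer -ComputerName $NewServer |
        Select-Object Name, DriverName, PortName, Shared
}

Invoke-PrinterMigration
```

Keep the migration file: it contains the driver binaries and port definitions, so it is also a usable backup of the old print server until the Group Policy Preferences cut-over is complete.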

Learn and Teach, Windows
source: http://www.windows-commandline.com/cmd-net-user-command/

Net user command : Manage user accounts from command line

Using Net user command, administrators can manage user accounts from windows command prompt. Below are some examples on how to use this command. Add a domain user account:
Net user /add newuserLoginid newuserPassword /domain
Add new user on local computer:
Net user /add newuserLoginid  newuserPassword
Advanced options for adding a new user account are covered in the article Add new user from windows command line. Disable/lock a domain user account:
Net user loginid  /ACTIVE:NO /domain
To enable/unlock a domain user account:
Net user loginid /ACTIVE:YES  /domain
Prevent users from changing their account password:
Net user loginid /Passwordchg:No
To allow users to change their password:
Net user loginid /Passwordchg:Yes
To retrieve the settings of a user:
Net user username
Example:
C:\>net user techblogger
User name                    techblogger
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/21/2011 10:10 PM
Password expires             8/19/2011 10:10 PM
Password changeable          4/21/2011 10:10 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
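Because net user prints a fixed two-column layout, its output is easy to parse, which makes it usable for auditing local accounts rather than only setting them. The following is an added example (not from the source article): it parses the output into a table of settings, flags values an administrator would want to review, and is fed the techblogger output shown above as a constructed sample so it can be tried offline; Get-NetUserReport runs the real command. Dates appear in the local culture's format.

```powershell
# Added example (not from the article): parse "net user <name>" output and
# flag account settings worth reviewing.
function ConvertFrom-NetUserOutput {
    param([string[]]$Lines)
    $info = @{}
    foreach ($line in $Lines) {
        # net user prints "Label<2+ spaces>Value"; labels with no value stand alone
        if ($line -match '^(?<key>.+?)\s{2,}(?<value>.+)$') {
            $info[$matches.key.Trim()] = $matches.value.Trim()
        } elseif ($line -match '^(?<key>[A-Za-z].*?)\s*$' -and $line -notmatch 'completed successfully') {
            $info[$matches.key.Trim()] = ''
        }
    }
    return $info
}

function Test-NetUserHygiene {
    param([hashtable]$Info)
    $findings = @()
    if ($Info['Password required'] -eq 'No')    { $findings += 'password not required' }
    if ($Info['Password expires']  -eq 'Never') { $findings += 'password never expires' }
    if ($Info['Account active'] -eq 'Yes' -and $Info['Last logon'] -eq 'Never') {
        $findings += 'enabled but never logged on'
    }
    if ($Info['Local Group Memberships'] -match '\*Administrators') {
        $findings += 'member of local Administrators'
    }
    return $findings
}

function Get-NetUserReport {
    param([string]$UserName)
    $out = & net user $UserName 2>&1
    $info = ConvertFrom-NetUserOutput -Lines $out
    New-Object PSObject -Property @{ User = $UserName; Findings = (Test-NetUserHygiene -Info $info) }
}

# Constructed sample: the techblogger output from the article
$sample = @'
User name                    techblogger
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            4/21/2011 10:10 PM
Password expires             8/19/2011 10:10 PM
Password changeable          4/21/2011 10:10 PM
Password required            Yes
User may change password     Yes
Workstations allowed         All
Last logon                   Never
Logon hours allowed          All
Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
'@ -split "`r?`n"

$parsed = ConvertFrom-NetUserOutput -Lines $sample
Test-NetUserHygiene -Info $parsed
```

To audit every local account, pipe the names from the bare net user listing through Get-NetUserReport; the parser only understands the English labels shown above, so on a localized system adjust the keys accordingly.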

Using SCCM 2012 R2 to Deploy Windows 7 (copied from the source Here)

In this post we will see the steps for deploying Windows 7 using SCCM 2012 R2. In my previous post we saw the steps to capture a reference operating system (Windows 7) using SCCM 2012 R2. Note that this post is different from the one which shows the steps to build and capture operating systems using SCCM 2012; we will not be using the build and capture approach here. Rather, we will capture a reference operating system, i.e. capture Windows 7 using SCCM 2012 R2, and we will deploy the same using SCCM 2012 R2 in this post. We will be creating a device collection first and then we will import the computer information into this device collection. Once the computer is added to the collection we will create a task sequence, configure it and deploy it to the device collection.

Deploying Windows 7 Using SCCM 2012 R2

So in my previous post we had successfully captured the Windows 7 operating system and now we will be deploying the captured image using SCCM 2012 R2. To do that, let's create a blank virtual machine without any operating system installed on it. Note down the MAC address of the virtual machine (the same applies to a physical box too).

Let's create a new device collection. This is to add the computer for which the operating system is going to be deployed to this collection. Right click on Device Collections, click Create Device Collection.

Provide the name for this collection, set the Limiting collection to All Systems. Click Next.

We will not define any rules for this collection. Click on Next. Since we are creating a collection without defining any rule, the wizard prompts that the collection will not contain any members until we define a membership rule. On the pop up box click on OK.

The device collection has been created. Now we will import the computer information to add the new computer object to this collection. Click on Devices, click on Import Computer Information.

Choose Import single computer and click Next.

Take an image for Windows 7 by SCCM

Capture Windows 7 Using SCCM 2012 R2

In this post we will see the steps to capture Windows 7 using SCCM 2012 R2. This post is different from the one which shows the steps to build and capture operating systems using SCCM 2012 R2. We will not be using the build and capture approach here; rather, we will capture a reference operating system, i.e. capture Windows 7 using SCCM 2012 R2, and we will also see how to deploy the same using SCCM 2012 R2 in the next post. Please note that the computer operating system that we are going to capture should not be part of a domain, else sysprep fails during this process. So you capture a computer that has Windows 7 installed (along with software like Office, Adobe Reader etc.) which is not joined to the domain. At any point of time you can check the step by step guide for SCCM 2012 R2 which contains all the posts related to SCCM 2012 R2.

Capture Windows 7 Using SCCM 2012 R2

We will first create a task sequence media, that is, a capture media saved in .iso format. This .iso file contains the necessary files and instructions to capture a reference operating system. The same .iso file captures the operating system and stores the captured OS in .wim format. Once we get the .wim file we will import the file into SCCM 2012 R2, and we can use this .wim to deploy this OS to another computer either by using SCCM or WDS.

The first step involves creating a capture media as an .iso file. Launch the ConfigMgr console, click on Software Library, expand Overview, expand Operating Systems, right click Task Sequences and click on Create Task Sequence Media.

Type of Media – Select the type of media as Capture Media. Click Next.

Media Type – You can select either USB flash drive or CD/DVD. I have tried using a USB flash drive and even that works. In this example we will choose CD/DVD, and we will store the media file in one of the shared locations on the SCCM server. You can choose to store the capture media on any shared location; it need not necessarily be the SCCM server. One important thing here: you must save the capture media with the .iso extension. Click on Next.

Selecting Boot Image – This is a very important step. Select the Boot Image by clicking on Browse. Select Boot Image (x64) and for DP click on Browse and select the desired DP. Click Next.

NOTE – You must first enable command support on both the boot images (x64 and x86) and then distribute them to the distribution point. To enable command support, right click on each boot image, click on Properties and under the Customization tab check the box Enable Command Support (testing only). Enable command support for both boot images. By default the boot images are not distributed to the DP, and if you don't distribute the boot images you will not be able to select the DP in the step above. To distribute the boot images to the DP, right click on each boot image and click Distribute Content.

The capture media has been created by the wizard. Click on Close.

After creating the capture media we will now mount the capture media (.iso file) on the Windows 7 machine and run the Image Capture Wizard. In this example I have a virtual machine which has been installed with the Windows 7 Professional SP1 x64 OS, and we will be capturing this computer's OS image. If it's a physical machine you can burn the capture media .iso to a CD, insert it in the CD tray and run the Image Capture Wizard. If it's a virtual machine you can mount the .iso file by providing the path where the capture media .iso file exists. On a virtual machine, when you mount the .iso file from a shared location it asks for a user account to access the .iso file; provide a domain user account which has enough permissions to access the folder where the .iso file exists. Once you mount the capture media on the Windows 7 machine you will see the autorun box. Click Run TSMBAutorun.exe and you will see the Image Capture Wizard. Click on Next.

Image Destination – Provide a folder path where the captured image should be stored. The name of the captured image should have .wim as the extension. Also provide a user account that has enough permissions to store the captured file in the shared folder. Click Next.

Image Information – Provide the image information such as Created by, Version and Description. Click on Next.

Click on Finish to complete the Image Capture Wizard. Note that we have just run the Image Capture Wizard; in the next step sysprep captures the OS.

At this point we can see that the sysprep command is running. Wait for the computer to restart automatically, after which the actual capture process begins.

The computer restarts and we see that the wizard now starts capturing the volume and the OS. This process took around 25 minutes to complete in my lab setup.

Alright, we now see that the Windows 7 OS image has been captured and saved to the destination folder. Click on OK. The computer now restarts and enters the Out of Box Experience (OOBE).

Once we have got the .wim file, we can import the .wim as an operating system image in SCCM 2012 R2. To import the operating system image, right click Operating System Images, click on Add Operating System Image. Enter the path where the captured .wim file is present. Click on Next.

The name and version are picked up automatically; click on Next.

The operating system image has been imported successfully. Click on Close.

After importing the image the next step is to distribute the image to the DP. Right click on the Windows 7 image and click on Distribute Content.

Add the DP and click Next.

The image file has been distributed to the DP. Click on Close. Wait for some time while the DP updates the content, check the content status and you should see a green circle, which means that the content is now available on the DP.
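The two conditions the post calls out (the reference machine must not be domain joined, and the destination must accept a .wim on a reachable share) are worth checking before the capture media is mounted, because the wizard only fails at the sysprep stage. The following is an added pre-flight script, not from the post, to run on the Windows 7 reference machine; the share path and image name are assumed placeholders, and the sysprep rearm count is read from slmgr.vbs /dlv.

```powershell
# Added example (not from the post): pre-capture checks on the Windows 7
# reference machine. Placeholders: the destination share and the image name.
function Test-CapturePrerequisites {
    param(
        [string]$DestinationShare = '\\SCCM01\Captures',   # assumed share
        [string]$ImageName = 'Win7ProSP1x64.wim'
    )
    $problems = @()

    # 1. Domain membership: sysprep /generalize fails on a domain-joined machine
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $problems += "Computer is joined to domain '$($cs.Domain)'; remove it from the domain first"
    }

    # 2. Sysprep rearm budget: generalize can only be run a limited number of times
    $dlv = & cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv
    $rearm = ($dlv | Select-String 'Remaining Windows rearm count:\s*(\d+)')
    if ($rearm -and [int]$rearm.Matches[0].Groups[1].Value -eq 0) {
        $problems += 'No sysprep rearms remaining on this installation'
    }

    # 3. Pending reboot from Windows Update or servicing blocks sysprep
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path $cbs) { $problems += 'A reboot is pending; restart before capturing' }

    # 4. Destination: the wizard requires a .wim name and a writable share
    if ($ImageName -notlike '*.wim') { $problems += "Image name '$ImageName' must end in .wim" }
    if (-not (Test-Path $DestinationShare)) {
        $problems += "Destination share $DestinationShare is not reachable"
    } else {
        $probe = Join-Path $DestinationShare ('probe-' + [guid]::NewGuid() + '.tmp')
        try { Set-Content -Path $probe -Value 'x' -ErrorAction Stop; Remove-Item $probe -Force }
        catch { $problems += "Cannot write to $DestinationShare (check the account's share and NTFS permissions)" }
    }

    return $problems
}

$issues = Test-CapturePrerequisites
if ($issues.Count -eq 0) { Write-Output 'Ready to mount the capture media' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

An empty result means the machine meets the post's preconditions; anything printed as a warning should be resolved before running TSMBAutorun.exe, since a failed sysprep leaves the reference machine in a state that usually has to be rebuilt.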

Learn and Teach, Windows
Here I am going to record all the Windows commands that I have used, to make it easy for me and for visitors who would like to return to them at any time and from anywhere. All the Windows commands will be listed below; I will try to sort them alphabetically:

A

B

C

D

Listing the files:
  • dir
Listing all files and directories in the directory that you are in:
  • dir /p
Listing all files and sub-directory files:
  • dir /s

Source

Dir syntax

Microsoft Windows 2000, XP, Vista, 7, and 8 syntax

Displays a list of files and subdirectories in a directory.

DIR [drive:][path][filename] [/A[[:]attributes]] [/B] [/C] [/D] [/L] [/N] [/O[[:]sortorder]] [/P] [/Q] [/R] [/S] [/T[[:]timefield]] [/W] [/X] [/4]

[drive:][path][filename] Specifies drive, directory, or files to list.
/A Displays files with specified attributes.
attributes:
  • D Directories
  • R Read-only files
  • H Hidden files
  • A Files ready for archiving
  • S System files
  • I Not content indexed files
  • L Reparse Points
  • - Prefix meaning not
/B Uses bare format (no heading information or summary).
/C Display the thousand separator in file sizes. This is the default. Use /-C to disable display of separator.
/D Same as wide but files are list sorted by column.
/L Uses lowercase.
/N New long list format where filenames are on the far right.
/O List by files in sorted order.
sortorder:
  • N By name (alphabetic)
  • S By size (smallest first)
  • E By extension (alphabetic)
  • D By date/time (oldest first)
  • G Group directories first
  • - Prefix to reverse order
/P Pauses after each screenful of information.
/Q Display the owner of the file.
/R Display alternate data streams of the file.
/S Displays files in specified directory and all subdirectories.
/T Control what time field displayed or used for sorting
timefield: C Creation, A Last Access, W Last Written
/W Uses wide list format.
/X This displays the short names generated for non-8dot3 file names. The format is that of /N with the short name inserted before the long name. If no short name is present, blanks are displayed in its place.
/4 Displays four-digit years

Microsoft Windows 95, 98, and ME syntax

Displays a list of files and subdirectories in a directory.

DIR [drive:][path][filename] [/P] [/W] [/A[[:]attributes]] [/O[[:]sortorder]] [/S] [/B] [/L] [/V]

[drive:][path][filename] Specifies drive, directory, or files to list. (Could be an enhanced file specification or multiple filespecs.)
/P Pauses after each screenful of information.
/W Uses wide list format.
/A Displays files with specified attributes. attributes:
  • D Directories
  • R Read-only files
  • H Hidden files
  • A Files ready for archiving
  • S System files
  • - Prefix meaning not
/O List by files in sorted order. sortorder:
  • N By name (alphabetic)
  • S By size (smallest first)
  • E By extension (alphabetic)
  • D By date and time (earliest first)
  • G Group directories first
  • - Prefix to reverse order
  • A By Last Access Date (earliest first)
/S Displays files in specified directory and all subdirectories.
/B Uses bare format (no heading information or summary).
/L Uses lowercase.
/V Verbose mode.

Switches may be preset in the DIRCMD environment variable. Override preset switches by prefixing any switch with - (hyphen), for example /-W.

Dir examples

dir

Lists all files and directories in the current directory. By default the dir command lists the files and directories in alphabetic order.

dir *.exe

The above command lists any file that ends with the .exe file extension. See the wildcard definition for further wildcard examples.

dir *.txt *.doc

The above is using multiple filespecs to list any files ending with .txt and .doc in one command.

dir /ad

List only the directories in the current directory. If you need to move into one of the directories listed use the cd command.

dir /s

Lists the files in the directory that you are in and all subdirectories below it. If you are at the root (C:\>) and type this command, it will list every file and directory on the C: drive of the computer.

dir /p

If the directory has lots of files and you cannot read all the files as they scroll by, you can use this command and it displays all files one page at a time.

dir /w

If you don’t need file information you can use this command to list only the files and directories going horizontally, taking as little as space needed.

dir /s /w /p

This would list all the files and directories in the current directory and the sub directories after that, in wide format and one page at a time.

dir /on

List the files in alphabetical order by the names of the files.

dir /o-n

List the files in reverse alphabetical order by the names of the files.

dir \ /s |find "i" |more

A nice command to list all directories on the hard drive, one screen page at a time, and see the number of files in each directory and the amount of space each occupies.

dir > myfile.txt

Takes the output of dir and re-routes it to the file myfile.txt instead of outputting it to the screen.
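One switch from the table above that is easy to overlook is /R, which lists alternate data streams (ADS): extra named streams attached to an NTFS file that a plain dir never shows, and a long-standing place for content to sit unnoticed. The following is an added PowerShell example, not from the page, that does the same job with Get-Item -Stream (PowerShell 3.0 or later on an NTFS volume). It first builds a constructed sample file with one hidden stream in a temporary folder so the function can be exercised safely, then removes it.

```powershell
# Added example (not from the page): a PowerShell equivalent of "dir /R" that
# reports every non-default NTFS stream under a folder.
function Find-AlternateDataStreams {
    param([string]$Path, [switch]$Recurse)
    $files = Get-ChildItem -Path $Path -File -Recurse:$Recurse -Force
    foreach ($f in $files) {
        # ':$DATA' is the unnamed main stream; anything else is an alternate stream.
        # Zone.Identifier is the common benign one that marks downloaded files.
        Get-Item -Path $f.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    File   = $f.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Benign = ($_.Stream -eq 'Zone.Identifier')
                }
            }
    }
}

# Constructed sample: a text file with one hidden stream attached, in a temp folder
$sample = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sample | Out-Null
$file = Join-Path $sample 'notes.txt'
Set-Content -Path $file -Value 'visible content'
Set-Content -Path $file -Stream 'hidden' -Value 'this is not shown by a plain dir'

Find-AlternateDataStreams -Path $sample -Recurse |
    Format-Table File, Stream, Bytes, Benign -AutoSize

Remove-Item -Path $sample -Recurse -Force
```

Pointed at a real folder, the function lists each file's streams with their sizes; entries whose Benign column is False are the ones worth opening (Get-Content -Stream <name>) to see what they hold.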

E

F

G

H

I

J

K

L

M

N

nbtstat -A <IP address>
Used for:
  • Finding the computer name from an IP address

O

P

Q

R

S

T

U

V

W

X

Y

Z

   