
Creating a KMS Appliance with Server Core

As many companies have skipped Vista and may be starting to migrate to Windows 7, the need for servers running KMS (Key Management Services) is going to be felt by many of them.

KMS allows you to do the authorization/activation of Windows in-house, and lets you get statistics about what is going on. However, running this on a full-blown Windows installation would be overkill and needlessly expensive.

This article explains the steps to get KMS working in your domain, using a Windows 2008 R2 server in Server Core mode, virtualized. Yes, it is possible to run a KMS in a VM, unlike a few years ago when the EULA explicitly stated you were not allowed to.

Another good reason to go with Windows 2008 R2 is that it supports being a KMS for Windows 7 as well as 2008 servers. If you had a Windows 7 KMS, not only could you not run it in Core mode, but it would only be able to authorize workstations. And the first release of Windows 2008 is simply not supported.

Create a Virtual Machine

This VM can be in a Hyper-V environment or a VMware environment.

As we will be running Core, the requirements are lower. I suggest starting with:

  • 1 vCPU
  • 512MB of RAM
  • 10GB of hard drive (single drive)
  • Low resource shares relative to your other VMs

Install Windows Server

Select your Windows 2008 R2 ISO from your data stores. Obviously, this article is not about that; I assume people interested in KMS know how to install Windows.

Select the Core mode.

Windows is up – now what?

Log into the server’s console through VMware or Hyper-V (this guide mostly works for physical servers too – I just find it’s a waste of metal!). You will be greeted by the minimal UI of Core.

Configure the networking

Run the sconfig command. Choose option 8.

Select your NIC (normally number 0 if you only have one).

Configure it with a static IP, and make sure you configure the DNS settings properly for your domain.

KMS relies on DNS a lot, so having a static IP will save you trouble in the future. Alternatively, depending on your setup (how you manage VLANs and IPs, etc.), create a reservation for it. ipconfig /all will show you the MAC address of the card, as on a standard Windows install.

Once you’re done configuring the network, go back to the main menu of sconfig.

Configure your Windows Update Settings

Set it to obtain updates from Microsoft for now. Later on you will surely manage this by GPO, so it does not really matter. Back in the main menu, choose option 6 to download the updates that are required right now (as Core has no Internet Explorer or Windows Update UI, that’s the way to get them manually).

Configure date and time (option 9)
Configure the hostname (option 2)

I recommend rebooting after you change it and before you join the domain – if the computer account is pre-staged in AD and you don’t reboot, the join will use the old name instead of the pre-staged one.

Join the domain (option 1)

You can also use the typical netdom commands if you want to join it and force a specific OU.

Reboot

Add a local administrator

Once the server reboots on the domain, log in with your local admin account. Run sconfig and use option 3 (or use net localgroup – faster!) to add a domain account to your local admins, so you can log in with an AD account and manage the server. While you are there, you may want to change the local admin password (the Ctrl-Alt-Del screen does have that option).

Remote management

Once the server is fully patched, your local admin account is secured and you can log in using a domain account, consider enabling remote management. Option 4 in sconfig allows you to enable remote PowerShell, remote MMC, WinRM, etc. One useful thing you can do once this is open is read the event log remotely. Be aware that KMS is very low maintenance and that keeping everything locked down may prove more secure, but make sure your operational teams will have a way to get into the server, either through the virtualized console, PowerShell, or RDP (enabled in the sconfig main menu, with two options: one to allow only secure RDP clients like Vista and Win 7, or one to allow any client, useful if you still use XP workstations).

Enable KMS

Enabling KMS is very simple. The only thing you will need is your “KMS Key”, which can be found on the Microsoft licensing website.

Run this command:

slmgr.vbs /ipk KmsKey

You should then see a small window pop up and confirm the product has been activated.

Now, we should activate our server, while we’re at it.

slmgr.vbs /ato

There we go. KMS is enabled, the server is activated. What else needs to be done?

Well, first of all, clients rely on DNS to locate the KMS. So if you do not have dynamic DNS updates enabled, start by disabling the automatic SRV record registration by running:

slmgr.vbs /cdns

The command to re-enable automatic DNS publishing (the default; try it if you run into issues or change your mind) is:

slmgr.vbs /sdns

After running either of these, make sure to restart sppsvc (the Software Protection service) using net stop and net start, or the Services MMC if you enabled remote MMC.

If using manual DNS, create an SRV record with the following settings:

Service:                    _VLMCS
Protocol:                   _TCP
Port number:                1688
Host offering the service:  fully qualified domain name (FQDN) of the KMS host

Verify the DNS entry

Manual or automated, let’s check if it worked.

nslookup -type=srv _vlmcs._tcp.<your DNS domain>

If this command returns the SRV record pointing to your KMS server on port 1688, it means clients will now find the KMS.

Open the firewall

As you noticed while creating or verifying the SRV record, the KMS listens on port 1688 by default. This can be changed with the slmgr.vbs command. However, whichever port you use, you will need to open it in the firewall. You can use netsh:

netsh firewall set portopening tcp 1688 KMS enable

However, the beauty of Server Core is that you should never have to connect to it. For this, I highly recommend that you apply your standard Windows 2008 security baseline GPOs and create a KMS-specific one. In this GPO, ensure that the KMS service (sppsvc) is set to Automatic and that this TCP port is opened.

You can then apply further hardening to the machine, and configure Windows Updates by GPO as well. As Server Core is not a service that is very visible to the users, this server could easily be patched and rebooted at almost any time, but you can patch it like any other server you use. Fewer patches will be required, as Server Core does not include a lot of the software that comes with the full install.
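As an added example, not code from the original post: the host-side checks that the KMS GPO described above is supposed to guarantee, written as a PowerShell script for the Server Core host. It confirms that sppsvc is Automatic and Running, that something is listening on the KMS port, that a firewall rule exists (and adds one with netsh advfirewall, the 2008 R2 form of the netsh firewall command above, when it is missing), and parses slmgr.vbs /dli for the KMS state and current client count. The rule name, the port and the PowerShell 2.0 baseline are assumptions.

```powershell
# Added example (not from the original post): health check for the Server Core KMS host.
# Assumes Windows Server 2008 R2 with PowerShell 2.0+, run on the host (console or remote session).
$KmsPort  = 1688
$RuleName = 'KMS-TCP-1688'   # assumption: the rule name your KMS GPO uses

# Service state: the GPO should leave sppsvc (Software Protection) Automatic and Running.
function Get-SppsvcState {
    $svc = Get-WmiObject Win32_Service -Filter "Name='sppsvc'"
    New-Object PSObject -Property @{ StartMode = $svc.StartMode; State = $svc.State }
}

# Is anything listening on the KMS port? netstat prints e.g.
# "TCP    0.0.0.0:1688    0.0.0.0:0    LISTENING    1234"
function Test-KmsListening {
    param([int]$Port)
    $lines = & netstat -ano -p TCP
    [bool]($lines | Where-Object { $_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING" })
}

# Firewall rule present? netsh answers "No rules match the specified criteria." when it is not.
function Test-FirewallRule {
    param([string]$Name)
    $out = & netsh advfirewall firewall show rule name="$Name"
    @($out | Where-Object { $_ -match 'No rules match' }).Count -eq 0
}

# netsh advfirewall is the 2008 R2 replacement for the legacy "netsh firewall set portopening" form.
function Add-KmsFirewallRule {
    param([string]$Name, [int]$Port)
    & netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=TCP localport=$Port profile=domain | Out-Null
}

# What the licensing service reports about this KMS host (enabled, client count, DNS publishing).
function Get-KmsHostSummary {
    $text = (& cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dli) | Out-String
    $countMatch = [regex]::Match($text, 'Current count:\s*(\d+)')
    $count = $null
    if ($countMatch.Success) { $count = [int]$countMatch.Groups[1].Value }
    New-Object PSObject -Property @{
        KmsEnabled    = ($text -match 'Key Management Service is enabled')
        CurrentCount  = $count      # must reach 25 workstations or 5 servers before clients activate
        DnsPublishing = ($text -match 'DNS publishing enabled')
    }
}

$svc = Get-SppsvcState
"sppsvc: StartMode=$($svc.StartMode) State=$($svc.State)"
"Listening on TCP ${KmsPort}: $(Test-KmsListening -Port $KmsPort)"
if (-not (Test-FirewallRule -Name $RuleName)) {
    "Firewall rule '$RuleName' is missing; adding it locally until the GPO delivers it"
    Add-KmsFirewallRule -Name $RuleName -Port $KmsPort
}
Get-KmsHostSummary | Format-List
```

Run it from the Core console or over the remote PowerShell session enabled earlier; a CurrentCount that never climbs is the usual sign that clients are not finding the SRV record or cannot reach the port.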

Troubleshooting

Read the slmgr.vbs documentation for more information. slmgr.vbs /dli will show you some information, and there is an Event Log created just for KMS where you can get useful information about activations. If you have any issues, remember to check the DNS record from the workstation you’re trying to activate, as well as to test connectivity to port 1688.

The error you receive on a workstation may seem cryptic, but most of them have a good explanation, so Google them! Remember you need at least 25 workstation licenses or 5 server licenses to use KMS, and have fun!
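As an added example, not code from the original post: the two checks the troubleshooting paragraph recommends (the SRV lookup and a TCP test against port 1688), plus a read of the client's own licensing state through the SoftwareLicensingProduct WMI class, as a PowerShell script to run on the workstation that will not activate. The DNS domain, the port and the PowerShell 2.0 baseline are assumptions.

```powershell
# Added example (not from the original post): KMS client-side checks for a workstation
# that will not activate. Assumes PowerShell 2.0+ on a domain-joined Windows 7 / 2008 R2
# client; the DNS domain and the port are assumptions you can override.
param(
    [string]$DnsDomain = $env:USERDNSDOMAIN,   # assumption: DNS domain = AD domain
    [int]$KmsPort = 1688
)

# Step 1: locate the KMS host the way clients do, via the _vlmcs._tcp SRV record.
# Resolve-DnsName does not exist on 2008 R2 / Win7, so parse nslookup output instead.
function Get-KmsSrvRecord {
    param([string]$Domain)
    $text = (& nslookup -type=srv "_vlmcs._tcp.$Domain" 2>$null) | Out-String
    # Windows nslookup prints "svr hostname   = kms01.corp.example" and "port   = 1688"
    $hostMatch = [regex]::Match($text, 'svr hostname\s*=\s*(\S+)')
    if (-not $hostMatch.Success) { return $null }
    $portMatch = [regex]::Match($text, 'port\s*=\s*(\d+)')
    $port = $KmsPort
    if ($portMatch.Success) { $port = [int]$portMatch.Groups[1].Value }
    New-Object PSObject -Property @{ Host = $hostMatch.Groups[1].Value; Port = $port }
}

# Step 2: plain TCP connect to the KMS port with a timeout (no Test-NetConnection on 2008 R2).
function Test-KmsPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 3: what the local Software Protection service thinks, including which KMS it found.
function Get-WindowsLicenseState {
    $statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace';
                      4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }
    # ApplicationId is the Windows OS application id; PartialProductKey filters out unused SKUs
    Get-WmiObject SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND ApplicationId='55c92734-d682-4d71-983e-d6ec3f16059f'" |
      Select-Object Name,
        @{ n = 'Status';  e = { $statusNames[[int]$_.LicenseStatus] } },
        @{ n = 'KmsHost'; e = { if ($_.KeyManagementServiceMachine) { $_.KeyManagementServiceMachine }
                                 else { $_.DiscoveredKeyManagementServiceMachineName } } },
        KeyManagementServicePort
}

$srv = Get-KmsSrvRecord -Domain $DnsDomain
if ($srv) {
    "SRV record found: $($srv.Host) port $($srv.Port)"
    "TCP $($srv.Port) reachable: $(Test-KmsPort -HostName $srv.Host -Port $srv.Port)"
} else {
    "No _vlmcs._tcp SRV record in $DnsDomain (check /sdns on the host or create the record manually)"
}
Get-WindowsLicenseState | Format-List
```

If the SRV record resolves and the port answers but Status stays in a grace state, the KMS host's client count is the next thing to look at; the KMS event log on the host shows each request as it arrives.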


How to apply a temporary GPO to a machine being imaged

Depending on how you use Active Directory in your organization, you may be setting a lot of security policies on workstations, and some of these settings can be problematic during the automated build of computers.

A few workarounds exist to avoid applying those to the workstations being imaged:

* Create a temporary OU for the computer account, and move it to the proper location once the build is done
* Change the order of the steps in your build to avoid issues caused by security settings
* Configure a GPO to override the settings that need to be set only during deployment, and filter it so that it applies only to machines being imaged.

For multiple different reasons, I had to use the last option. It is a rather clean option, as it doesn’t involve moving computer accounts after the build or any changes on the domain during the imaging process, other than joining the machine, which is great.

One word of caution: make sure whatever you are overriding is not a must for security and is simply an “annoyance”, because eventually (within a few minutes, probably) a user WILL figure out how you’re doing the filtering and WILL apply it to his own machine in order to bypass some security settings.

Only a few steps are involved :

1) Create a GPO that will set the values to what they need to be during the build (don’t link it yet)

2) Create a WMI filter called “BoxBeingBuilt” or something similar. Have it do a query on something you know is true only during imaging. If you can’t find anything reliable, do something like this:

Select * from Win32_Environment Where Name = "BuildinDaBox"

3) Ensure your build process sets a system variable with that name at the beginning, and removes it at the end.

Tada!
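Added example, not code from the original post: the build-side half of the three steps above as a PowerShell fragment for the imaging task sequence. It sets the system variable the WMI filter looks for, evaluates the filter's own WQL locally to prove it matches, refreshes computer policy, and tears the marker down again at the end. The variable name BuildinDaBox is the post's; everything else is assumed.

```powershell
# Added example (not from the original post): build-side half of the WMI-filter trick.
# Assumes PowerShell 2.0+ running as SYSTEM or a local admin inside the imaging task sequence.
$VarName = 'BuildinDaBox'   # the name the post uses; the WMI filter must query the same name
$Query   = "Select * from Win32_Environment Where Name = '$VarName'"   # same WQL, single quotes

# Machine scope writes HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment,
# which is what Win32_Environment enumerates; a user-scope variable would not match the filter.
function Enable-BuildMarker  { [Environment]::SetEnvironmentVariable($VarName, '1',   'Machine') }
function Disable-BuildMarker { [Environment]::SetEnvironmentVariable($VarName, $null, 'Machine') }

# Evaluate the same WQL the GPO filter uses: a non-empty result means the GPO will apply.
function Test-BuildFilter { @(Get-WmiObject -Query $Query).Count -gt 0 }

# Start of the build: set the marker, prove the filter matches, pull policy so the temporary GPO lands.
Enable-BuildMarker
if (-not (Test-BuildFilter)) { throw "WMI filter query '$Query' returns nothing; check the variable name" }
gpupdate /target:computer /force | Out-Null

# ... build steps that need the relaxed settings go here ...

# End of the build: remove the marker, prove it is gone, refresh again so the override GPO drops off.
Disable-BuildMarker
if (Test-BuildFilter) { throw "Marker still present; the override GPO would keep applying" }
gpupdate /target:computer /force | Out-Null
```

The two Test-BuildFilter checks are the useful part: they run the exact query the filter runs, so a typo in the variable name fails the build immediately instead of leaving the temporary GPO silently applied (or silently missing).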


OpsMgr – Problems deploying through Windows Firewall

Having issues pushing SCOM through the Windows firewall?

You opened the Remote Administration exception, you can ping it, you can browse shares, file and print sharing is enabled, yet it still fails?

There is one thing I have not seen documented in the SCOM installation/deployment guides: the agent actually adds an exception for itself when it runs, so if you block local exceptions (what’s the point of having a GPO for the firewall config on your servers if you don’t?), it will fail.

Add this to your Firewall policy, as a program exception:
%SystemRoot%\422C3AB1-32E0-4411-BF66-A84FEEFCC8E2\MOMAgentInstaller.exe

Be sure to open it for the proper IPs only for added security. Then try to push it again..

Good luck!


OpsMgr (SCOM) Discovery stalling – Kerberos issue – Using SQL 2008

You may have issues with the discovery in SCOM not doing anything other than pretending to be working…for days.

It can happen on new setups, or on existing ones if things in particular break. It is a very common problem, and being the lucky guy I am, I obviously had this issue except none of the fixes discussed on forums worked.

Here’s a link to the thread I opened on technet… which includes a detailed description of the problem:

http://social.technet.microsoft.com/Forums/en-US/operationsmanagergeneral/thread/0d76679f-a6ae-4b41-bae8-5477d905a160

Here’s a rundown of what to check. This post doesn’t explain how to do every Windows or AD operation, but if you need more info on a specific step, believe me, there’s a lot of information out there on how to proceed.

Bottom line:

1 – Is your SCOM running with Local System or domain service accounts?


EFS Recovery – Problems with Ntbackup

If you are trying to perform EFS recovery by backing up encrypted files on a client machine and sending the backup file to a dedicated recovery workstation, remember this:

1) You need to be a local admin while performing the backup, and the restore, in order to back up the data stream even though you don’t have access to the encrypted files.

2) If a policy is disabling EFS on the recovery workstation, ntbackup won’t tell you that it can’t create the encrypted files because EFS is disabled. No. It will simply SKIP the files. So if you have files that get skipped, try to manually create a folder and encrypt it. It has to work, otherwise you will not be able to restore the backup properly.
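Added example, not code from the original post: a PowerShell preflight for the recovery workstation covering both points above, checking that the current user is a local admin and that EFS actually encrypts a probe file (the manual "create a folder and encrypt it" test), so that a skipped-files restore is caught before ntbackup is even started. The probe path and the PowerShell 2.0 baseline are assumptions.

```powershell
# Added example (not from the original post): preflight checks on the EFS recovery workstation
# before restoring an ntbackup set. Assumes PowerShell 2.0+ and that %TEMP% is on NTFS.

# Point 1: both the backup and the restore need local admin (the raw data stream is backed up).
function Test-IsLocalAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Point 2: prove EFS works here, because ntbackup silently skips the files when it does not.
function Test-EfsAvailable {
    param([string]$Path = (Join-Path $env:TEMP 'efs-preflight'))   # assumption: any local NTFS path
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $probe = Join-Path $Path 'probe.txt'
    Set-Content -Path $probe -Value 'efs probe'
    try {
        # Same Win32 EncryptFile call that cipher.exe /E makes; throws when policy has EFS turned off
        [System.IO.File]::Encrypt($probe)
        $attrs = (Get-Item $probe).Attributes
        # Belt and braces: also confirm the Encrypted attribute really landed on the file
        return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
    } catch {
        Write-Warning "EFS test failed: $($_.Exception.Message)"
        return $false
    } finally {
        Remove-Item $Path -Recurse -Force -ErrorAction SilentlyContinue
    }
}

"Local admin:   $(Test-IsLocalAdmin)"
"EFS available: $(Test-EfsAvailable)"
```

A False on the second line with no exception message is the policy case from point 2: the call succeeds but nothing is encrypted, which is exactly the situation in which ntbackup skips the files without saying why.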


Problems with EFS Configuration in GPOs?

Having issues similar to:

Trying to enable EFS on a specific OU, while it’s disabled at the top of the structure or domain?
Recovery certificates from two different GPOs mixing up instead of being replaced?

Overall EFS GPOs looking like they aren’t merging properly?

Well, it’s not because EFS GPOs are supposed to behave like black magic. Turns out there’s a bug, Microsoft’s aware of it, but doesn’t think it would be a good idea to FIX IT on Windows XP and 2003.

Thankfully, all it means is you need to edit your GPOs from a Vista, 2008 or Windows 7 machine.

KB: EFS may not be enabled expectedly after you disable a policy and this policy turn off the EFS feature

Opening my EFS GPOs in Windows 7, switching the Allow/Don’t allow and applying the ‘change’ fixed my GPOs. A few minutes later, and stuff was behaving like it should’ve been… Can I have those wasted hours of my life back, Mr. Ballmer?


0xC0000225 Error trying to install Windows 2008 R2 (Or other x64 Windows)

As I was attempting to play with Windows 2008 R2, which only comes in 64bit flavors, I received this error when trying to start the setup:

nothing useful nothing useful nothing useful 0xC0000225 blah blah blah blah blah

This was on the latest version of VirtualBox, on a 32bit host. At first I thought it was a bug in VirtualBox, since it didn’t support 64bit guests on 32bit hosts for so long, but it turns out that when I enabled IO APIC for that Virtual machine, everything worked fine !

Happy testing.


WSUS 3 Error – WARNING: WU client failed Searching for update with error 0x8024400e

You might have had some computers not communicating properly with your WSUS servers.

After looking at the WindowsUpdate.log file, you notice an error: WARNING: WU client failed Searching for update with error 0x8024400e.

You then find info about:
1) This error being related to Office 2003 Service Pack 1, and that unapproving it fixes the issue
2) Microsoft having released a patch for this issue that you can install on your servers.

But in reality, the issue might be…
3) You’re retarded, and called a computer group on your test lab .. Group! .. With the ! !


Performance impact of clearing your swap file at shutdown

For security reasons, it might be advisable to clear your swap file at shutdown.

It doesn’t provide great security, and you really should be using full drive encryption anyway.

But in case anyone is wondering, for a 1.5 GB swap file, this option (ClearPageFileAtShutdown) seems to add about 30 to 40 seconds to the shutdown procedure as it overwrites the file with zeroes.

Now turn it back off and install Truecrypt!


TS: Windows 7, Configuring – 71-680 (Beta of 70-680)

I got a voucher for the Windows 7 exam a few weeks ago, so I had signed up for today.

I barely had the time to install the release candidate, so there’s a bunch of features I was not familiar with, but there was still some stuff that wasn’t Windows 7 specific. In any case, if you follow the guide, you should end up fine.

In any case, I’ll know if I passed in about 8 weeks, which should take us close to the middle of July.

Good luck to everyone trying it out.
