Friday, March 27, 2015

Basic configuration of Server Core Domain Controller

Recently I was tasked with configuring a Windows 2012 server Core as a domain controller from scratch. The process is well documented and fairly painless. I figured I would aggregate and post the process.

Assumptions:

  • This process doesn't cover the basic installation of the OS. This assumes you have installed the OS for the first time as CORE and you are logged in for the first time with administrative credentials.
  • We don't use IPv6 (yet). I lilke to unbind and disable the adapters and protocol needed for IPv6. If you use IP6 don't follow this guide.
  • You already have an existing domain infrastructure. This process adds an additional domain controller to an existing domain.
  • In my example the domain is called LAB.LOCAL.
  • You will be installing DNS on the domain controller.
  • You don't wish to change the default NTDS and SYSVOL locations.
  • You understand what the directory services restore mode password is.

In this process we will:

  • disable unneeded adapters
  • disable "IP Helper" service (iphlpsvc)
  • rename computer
  • set IP/DNS addresses
  • install AD

disable 6to4, isatap adapter, Teredo tunnel adapter
From the command line:

netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state disabled
netsh interface teredo set state disable

 disable IP Helper service
sc config iphlpsvc start= disabled
(there is a space between = and disabled)


Start Powershell
powershell

unbind IPv6
Get-NetAdapterBinding -InterfaceAlias Ethernet | Select-Object Name,DisplayName,ComponentID

 Pay attention to the name displayed for the adapter you intend to modify. Petri insider’s tip: In a fresh Server core installation with one network adapter installed, the name will be Ethernet by default.

 Disable-NetAdapterBinding -InterfaceAlias Ethernet -ComponentID ms_tcpip6

Get-NetAdapter

For the next few steps I want to mention that you could alternatively use sconfig to rename the computer and set the IP + DNS address.
To start sconfig just type "sconfig" at the command line.


Set IP Address
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 10.0.0.10 -DefaultGateway 10.0.0.1 -PrefixLength 24

(if you mess up the IP address)
remove-netipaddress -ipaddress x.x.x.x -defaultgateway x.x.x.x

 Set DNS address
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddress 10.0.0.100

*make sure everything looks right
ipconfig /all

Rename Computer
Rename-Computer -NewName NewComputerNAME

 Reboot
(even though this is a command line command, it will work within powershell)
shutdown /r /t 1

 Log back in, start PowerShell, Add computer to domain
Add-Computer -DomainName domain.local -DomainCredential (Get-Credential)

Reboot
shutdown /r /t 1

 Install AD
*log back in with (administrative) domain credentials, start powershell

Install-WindowsFeature AD-Domain-Services –IncludeManagementTools
(wait a few minutes)

Install-ADDSDomainController -DomainName lab.local -InstallDNS:$True –Credential (Get-Credential)

You will be asked for a SafeModeAdministratorPassword. This is the Directory Services Restore Mode Password.

 "the target server will be configured as a domain controller..."
continue with this operation? Y

 (a series of warnings)

 The first warning lets you know that Windows Server 2012 has defaults for certain security settings that can affect very old OSes on the network such as Windows NT 4.0. The second warns that a DNS Server delegation can’t be created. Since we’re installing DNS on this server as part of the DC promotion process, both of these errors are safe to ignore.

Reboot when complete


set and remove IP address from powershell:

Posted by at No comments:
Labels: , , , , , ,

Tuesday, March 10, 2015

Uninstall program from the command line, fails as non-admin, fails as admin with RUNAS

Uninstall program using "Run As" as admin fails when a non-admin is currently logged in and UAC is disabled.

The problem is as follows:
Generally helpdesk has a need to uninstall/reinstall a program on an end-user's PC whilst the end-user is logged in. Another case is admin simply needs to uninstall a program\app\driver from a non-admin end user's computer.

The problem is that if UAC is turned OFF (never notify), you cannot remove(uninstall) a program, even though you are logged in as an ADMIN, via the runas command. The process fails.
When I say UAC is disabled, I mean User Account Control is set to "never notify"



For Example:
Joe User (non admin) is currently logged in.
UAC is disabled on the user's PC (see image above).
You, a domain admin, are at the user's PC - either in person or via a screen sharing technology.
You run (from command line) "runas /user:BillyTheAdmin@domain.local cmd"
You are prompted for your password - you enter your password
A new command line opens with your credentials, you type "appwiz.cpl"
   (Alternatively you could have run "runas /user:BillyTheAdmin@domain.local appwiz.cpl")
add\remove programs opens, you select the program you wish to remove, click Uninstall.
You are prompted with "You must be an administrator.... The process fails, the app is not uninstalled/removed.



In the above scenario, IF UAC was ENABLED you would be prompted again for your username/password and the process would succeed.

*Note: To access the user account control settings as an admin by running the following:
C:\Windows\System32\UserAccountControlSettings.exe

To work around the issue and AVOID logging out the user you can uninstall\remove apps from the command line. In this example, I want to remove the Live Meeting 2007 client.

1. Open a command prompt as an administrator
    In my example, run "runas /user:BillyTheAdmin@domain.local cmd"

2. Input WMIC and press Return. You will see a prompt that looks like this:
wmic:root\cli>

 3. At the new prompt, execute the following command:
product get name

This will generate a list of installed applications. On my computer (very fast PC) this took 30 seconds to return results, be patient.

4. At the prompt, execute the following command:
product where name="exact product name" call uninstall
where application name is the name of the program you wish to uninstall (use the exact name provided by the previously generated list).

In the image below, the output is from "product get name". I want to uninstall the live meeting client.


5. When prompted, input "y" to confirm that you wish to uninstall the application and press Return. In the image below the line is very long (I tried to capture it, sorry if the image appears small).



The application will be uninstalled. You will get a quasi-useless return code.


Type "Exit" to leave WMIC
Type "Exit" to close the cmmand line
Posted by at 1 comment:
Labels: , , , , , , , ,
Subscribe to: Posts (Atom)