Network Administrator Knowledgebase:

Windows Computing

Feb 28 2008   11:14PM GMT

What NAP is and how it works?



Posted by: Michael Khanin
Microsoft Windows, Windows Computing, Windows Security

Yesterday was the first Windows 2008 event in Canada. The first event was in Toronto and had almost 3000 attendees. Twenty MVPs participated in Ask-The-Expert and I was one of them :). One of the commonly asked questions was “What NAP is and how it works?”

So, I’d like to show what was posted on TheLazyAdmin.com about NAP:
With the recent launch of Windows Server 2008 you are no doubt spending all your free time playing around with everything new. One thing you might be playing around with is Network Access Protection. There is a great document on getting a DHCP based NAP lab set up but one thing the document is missing is how to configure the NAP client in XP SP3. In Windows Vista you simply start the service then enable the client through the NAP Client Configuration MMC (napclcfg.msc) but XP SP3 does not include the MMC. So how does one configure the NAP Client without a Nap Client configuration tool? Netsh, that is how!

To enable the NAP Client on XP SP3 you need to do the following:

  1. Start –> Run –> Services.msc
  2. Change the Network Access Protection Agent service to start automatically
  3. Start the Network Access Protection Agent service
  4. Start –> Run –> CMD.exe
  5. Type netsh nap client set enforcement ID = ##### Admin = "Enable"
  6. Start –> Run –> GPEdit.msc
  7. Drill down to Computer Configuration | Administrative Templates | Windows Components | Security Center
  8. Enable the Security Center
  9. Start –> Run –> Services.msc
  10. Start the Security Center service

You will need to replace the ##### with the ID based on whichever enforcement method you are using. You can use the following IDs for the various enforcement methods:

  • DHCP = 79617
  • RAS = 79618
  • IPSec = 79619
  • TS Gateway = 79621
  • EAP = 79623

For more labs and information see:

Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab

Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab

Step-by-Step Guide: Demonstrate VPN NAP Enforcement in a Test Lab

Feb 7 2008   5:36PM GMT

WAIK 1.1 for Windows Vista SP1 & Windows Server 2008



Posted by: Michael Khanin
Microsoft Windows, Windows Computing

As many of you know, Microsoft released Windows Vista Service Pack 1 and Windows Server 2008 to manufacturing (RTM)! So it’s time to get the latest Windows Automated Installation Kit (Windows AIK). The Windows AIK is designed to help corporate IT professionals customize and deploy the Windows Vista and Windows Server 2008 families of operating systems. It is a set of tools and documentation that support the configuration and deployment of Windows operating systems. By using Windows AIK, you can perform unattended Windows installations, capture Windows images with ImageX, create Windows PE images and much more.

Download WAIK1.1 here


Jan 16 2008   8:10PM GMT

Internet Explorer 7 (IE7) deployment - New white paper



Posted by: Michael Khanin
Windows Computing

Microsoft just released a new version of their IE7 deployment paper. The document has 156 pages. IE7 deployment can get tricky. Try to read this document before deployment, if you haven’t done it yet. It might be a useful reference if you run into problems.


Dec 19 2007   9:57PM GMT

Microsoft Releases Windows XP Service Pack 3 RC Refresh build 3264, download now



Posted by: Michael Khanin
Microsoft Windows, Windows Computing

SP3 Update packages for English, German and Japanese are now available on the Windows XP SP3 Beta site on Microsoft Connect. Release notes and an updated list of fixes are also available. Update Package for Windows XP Service Pack 3


Dec 2 2007   11:08AM GMT

PXE and a Boot Disk Created in Windows XP



Posted by: Michael Khanin
Networking, Windows Computing

A few months ago I published an article, “PXE, aka Pre-Execution Environment - Part 1”. In that article, I talked about a problem with using a boot disk created in Windows XP for PXE boot. I’d like to say thanks to Michael Bridge. He found a way to make the Windows XP floppy image of the netbootdisk work.

Under \ pxelinux.cfg \ default

edit the default to

append initrd=.IMA raw

(add “raw” after the image name)
According to http://syslinux.zytor.com/memdisk.php, this allows access to protected mode memory. Michael Bridge told me that he found the solution on this web site:
http://syslinux.zytor.com/archives/2007-July/008918.html


Nov 25 2007   8:38PM GMT

One Line Commands



Posted by: Michael Khanin
Networking, Windows Computing

I’m posting some of my favorite scripts on the blog and on my site (http://thesystemadministrator.com). Now I’d like to show a few “one line command” scripts. Each command should be entered on one line.

Domain Controllers
Nltest /dclist:%userdnsdomain%

Domain Controller IP Configuration
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%i ipconfig /all


AD Database disk usage
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%i\admin$\ntds


Nov 16 2007   11:54AM GMT

MTEE Commandline Standard Stream Splitter - sends any data it receives to the console and / or to any number of log files



Posted by: Michael Khanin
Microsoft Windows, Windows Computing

For myself and my clients I create many scripts to simplify daily administration tasks. Many of these scripts are run from a command line (cmd.exe). It’s very easy to run a script and send its output to a log file. But if you would like to run a script, watch the result on the screen and at the same time keep a log file, you can use the MTEE command-line utility. Mtee is a command-line utility that sends any data it receives to the console and to any number of files. It is useful if you want to watch and record the output from a batch file or program.

Mtee is an 11kb standalone executable. There is no installation procedure, just run it.
Mtee is simple to use and has only several options. To list them, type mtee /?

You can download Mtee from the official web site at http://www.commandline.co.uk/mtee/index.html


Nov 14 2007   3:40PM GMT

Free Deployment System



Posted by: Michael Khanin
Microsoft Windows, Networking, Windows Computing

Every network administrator has thought at least once about how to install a program on a remote computer without ever touching it. Fortunately, today we have a lot of ways to achieve this goal. The interesting part is that whenever I provide consulting services to companies, I hear the same question: “Michael, do you know any FREE solutions to distribute programs, patches or run anything on remote computers?”

I’d like to show you the solution, I’ve created for myself. Let’s call it “Free Deployment System :)”…

“Free Deployment System” contains a set of scripts and free tools. The heart of this system is PSExec by Sysinternals.

Before I start, let’s clarify a few prerequisites. We need one server or computer that will hold the packages and scripts. The Deployment System will run on this system. We need a user with administrative privileges on all remote computers (we can create a user at the domain level and give this user the necessary permissions).

Ok, now we are ready to start.

Let’s create a directory structure on the deployment server.

C:\Operation
 |_Scripts
 |_Tools
 |_Packages

In my situation, I don’t have any files in the C:\Operation directory itself. The C:\Operation\Tools directory holds the tools that I use in my scripts. The main scripts of “Free Deployment System” are located in C:\Operation\Scripts. C:\Operation\Packages contains the packages for remote installation. Share C:\Operation\Packages and give all users Read permissions.

Now we need to create a few files in the C:\Operation\Scripts directory. The first file is #Servers.txt. This file contains the IP addresses or computer names of the remote computers. Each IP or name should be on a new line. In my case #Servers.txt looks as follows:

192.168.3.95
192.168.3.96
192.168.3.97
192.168.3.98
192.168.3.99
192.168.3.10

The next file in our system is Config.bat. Config.bat sets the credentials for connecting to the remote computers. Config.bat looks as follows:

@echo off
set DM=AdminInfo
set USR=TSAADMIN
set PASS=TSAPassWord

OK, now we are going to create the main script of our system. I named it INSPKG.bat, meaning “Install Packages”. Before showing the content of INSPKG.bat I’d like to say a few words about how it works.

INSPKG.bat runs in a loop, reads each line of the #Servers.txt file and uses that address as the destination where the package should be installed. When the package has been installed on the last computer (the last line in the #Servers.txt file), INSPKG.bat stops. If you have many computers in your network, the package deployment could take time, so be patient. INSPKG.bat contains the following lines:

@echo off

Rem *****************************************************************************
Rem *       For 1 environment use the Package file name                         *
Rem *       The general location of all Packages is: C:\Operation\Packages      *
Rem *       On remote computer should be located "C:\Updates"                   *
Rem *                                                                           *
Rem *       Websites:  http://thesystemadministrator.com                        *
Rem *                                                                           *
Rem *****************************************************************************

Rem Stop if no package name was given
if {%1}=={} @Echo Please set the Package name. The format is INSPKG.bat 7Zip &goto :EOF

set Scripts=C:\Operation\Scripts
set Tools=C:\Operation\Tools
set Packages=C:\Operation\Packages

Rem Load DM, USR and PASS
call %Scripts%\Config.bat

SET IP-SRV=
SET LoopNum=
SET Line=
SET I=
SET RCOMP=
SET Line=0

TYPE %Scripts%\#Servers.txt > %TEMP%\SRVLIST.txt

Rem LINEX -c returns the number of lines in the server list
FOR /F "TOKENS=*" %%a in ('%Tools%\LINEX -c ^<%TEMP%\SRVLIST.txt') do set IP-SRV=%%a
SET /a LoopNum=%IP-SRV% + 1

:LOOP1
SET /a I=%I% + 1
SET /a Line=%Line% + 1
IF "%I%"=="%LoopNum%" goto END
Rem LINEX -l N returns line N of the server list
FOR /F "TOKENS=*" %%a in ('%Tools%\LINEX -l %Line% ^<%TEMP%\SRVLIST.txt') do set RCOMP=%%a

Rem Copy the package script to the remote computer, then run it there
copy "%Packages%\%1\%1.bat"  "\\%RCOMP%\c$\Updates\" /Y

@echo Please wait ...

%Tools%\psexec.exe \\%RCOMP% -u %DM%\%USR% -p %PASS% -i C:\Updates\%1.bat

SET Line=%Line%
goto LOOP1

:END
SET IP-SRV=
SET LoopNum=
SET Line=
SET I=
SET RCOMP=
SET Line=

INSPKG.bat should be run from a console (cmd.exe) on our deployment server. The format is as follows:

C:\Operation\Scripts\INSPKG.bat 7Zip

Here 7Zip is the name of a package. As you can see, in this example I’m going to deploy 7-Zip to all computers, but before this I have to create a package. For this purpose I go to the C:\Operation\Packages directory and create a new directory, 7ZIP. Inside 7ZIP I create a file 7ZIP.bat and put the installation file of 7-Zip. I’m going to install 7z442.exe on all computers. By using the RTFM rule :), I know that to install 7-Zip in silent mode I have to use the switch /S. So, my 7Zip.bat contains the following lines:

@echo off
\\192.168.3.39\packages\7ZIP\7z442.exe /S

Note: Change 192.168.3.39 to the IP or name of your Deployment Server.

Finally, we need to put the necessary tools in the C:\Operation\Tools directory. Download the latest version of PSExec and put it in the C:\Operation\Tools directory. In INSPKG.bat I’m using a very cool tool, LINEX.EXE. Linex.exe is a part of “Bill Stewart’s freeware Batch Script Tools”. When I wrote this article, I tried to find an official web site of “Bill Stewart’s freeware Batch Script Tools”, but failed. So, you can download Linex.exe directly from my web site.

As an additional example, I’ve created packages for Acrobat Reader and Firefox. Keep in mind to create a separate directory for each package. The directory and the package script should have the same name, meaning that if you are going to create a package for Firefox, create the directory Firefox inside C:\Operation\Packages, create the script Firefox.bat inside C:\Operation\Packages\Firefox, and put the installation file of Firefox inside C:\Operation\Packages\Firefox as well. Here is my Firefox.bat:

@echo off
\\192.168.3.39\packages\Firefox\FirefoxSetup2.0.0.9.exe -ms

Note: Change 192.168.3.39 to the IP or name of your Deployment Server.
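
A variant of the INSPKG.bat loop that keeps no password in Config.bat or on the PsExec command line, as an added example (not the author's script). It assumes the operator's own logon already has administrator rights on the targets and that each package script calls its installer by local path (for example "%~dp0installer.exe"); the log file name INSPKG.log is hypothetical, and #Servers.txt is read with for /f instead of LINEX.

```batch
@echo off
rem Added example: deployment loop without stored credentials.
rem Assumption: the whole package folder is copied to the target, so the
rem package script runs its installer from local disk, not from the share.
setlocal enabledelayedexpansion

set "Scripts=C:\Operation\Scripts"
set "Tools=C:\Operation\Tools"
set "Packages=C:\Operation\Packages"
set "Log=%Scripts%\INSPKG.log"

if "%~1"=="" (echo Usage: %~nx0 PackageName & exit /b 1)
set "PKG=%~1"
if not exist "%Packages%\%PKG%\%PKG%.bat" (echo Package not found: %PKG% & exit /b 1)

set FAILED=0
for /f "usebackq eol=; tokens=1" %%H in ("%Scripts%\#Servers.txt") do (
    echo Deploying %PKG% to %%H ...
    rem Copy script and installer through the admin share
    xcopy "%Packages%\%PKG%" "\\%%H\c$\Updates\%PKG%" /E /I /Y /Q >nul
    if errorlevel 1 (
        >>"%Log%" echo !date! !time! %%H COPY-FAILED
        set /a FAILED+=1
    ) else (
        rem No -u and no -p: PsExec uses the current logon session.
        rem -s runs the package as Local System on the target.
        "%Tools%\psexec.exe" \\%%H -s -accepteula cmd /c "C:\Updates\%PKG%\%PKG%.bat"
        set RC=!errorlevel!
        >>"%Log%" echo !date! !time! %%H EXIT=!RC!
        if not "!RC!"=="0" set /a FAILED+=1
    )
)
echo Done. Hosts with errors: %FAILED%. Details are in %Log%
exit /b %FAILED%
```

PsExec returns the exit code of the remote command, so each log line records whether the installer itself reported success on that host.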

I hope I didn’t forget anything :) .
Let me know what kind of package you are interested in and I’ll try to create it. I’ll be very happy if you write a comment on this article.


Oct 21 2007   2:36AM GMT

Get Serial Number of Main Board from Command Line



Posted by: Michael Khanin
Microsoft Windows, Windows Computing

Windows XP and Windows Server 2003 contain the WMI (Windows Management Instrumentation) Wmic.exe command-line utility. By using Wmic.exe we can get a lot of information about a computer (server).

To display the local computer name and the serial number of the main board I’ve created a very simple script, SerNum.bat. SerNum.bat contains:

@echo off
Setlocal
For /F %%a in ('wmic baseboard GET SerialNumber /value^|find "SerialNumber"') do Set %%a
@echo %Computername% - %SerialNumber%
endlocal

On my desktop, the above script displays:

PELEKAN-XP1 - VF0SA75A0SK


Oct 18 2007   10:28PM GMT

Managing Windows 2008 Server Core through RDP



Posted by: Michael Khanin
Microsoft Windows, Networking, Windows Computing

As described in previous articles, Windows Server 2008 has an interesting option to install it with a minimal graphical user interface (or GUI for short). This method of installation is called “Server Core”, and it allows an administrator to only install the minimum binaries required to run a specific server role (currently, there are 9 possible Server Core roles). You can read more about it in my “Understanding Windows Server 2008 Server Core” article.

To manage a server running a Server Core installation by using a terminal server client

  1. On the server running a Server Core installation, type the following command at a command prompt:

    This enables the Remote Desktop for Administration mode to accept connections.

    In order to view your current settings you can type:

    If you see “1” in the script output, that means that RDP connections are denied. If you see a “0”, they will be allowed.

    Note: If you are running the Terminal Services client on a previous version of Windows, you must turn off the higher security level that is set by default in Windows Server 2008. To do this, type the following command at the command prompt:

To enable remote management from an RDP connection through the firewall

  1. To enable remote management from any MMC snap-in, type the following:

To open an RDP session with the Server Core machine

  1. On the remote management computer, click Start > Run, type mstsc, and then click OK.
  2. In Computer, enter the name of the server running a Server Core installation, and click Connect.

  3. Log on using an administrator account.

  4. When the command prompt appears, you can manage the computer using the Windows command-line tools.

    Note that while you’re logged on to the server, the original server console session is locked out.

  5. When you have finished remotely managing the computer, type logoff in the command prompt to end your Terminal Server session.

Summary

Windows Server 2008 Server Core installations, like any other servers, require remote management. In order to allow for that, the server’s Firewall and registry settings need to be changed. This article showed you how to do that.