Getting started with Desired State Configuration – Part 1

I have been thinking a long time about forcing myself to learn Desired State Configuration (DSC), but I haven’t gotten around to it… Now is the time.

Desired State Configuration is this super cool technology that appeared in Windows Server 2012 R2, and when Microsoft started talking about it the typical example was that you had this farm of web servers and you wanted to ensure that they were identically configured. The problem is that most of my customers do not have a farm of web servers… so what do I use it for? Well, Microsoft is releasing new DSC resources on a regular basis for a lot of products, which means that it is getting more and more interesting. The latest resource kit is called Wave 9 and it contains the following resources:

cFileShare
xActiveDirectory
xAdcsDeployment
xAzure
xAzurePack
xBitlocker
xChrome
xComputerManagement
xCredSSP
xDatabase
xDhcpServer
xDismFeature
xDnsServer
xDscDiagnostics
xDSCResourceDesigner
xExchange
xFailOverCluster
xFirefox
xHyper-V
xInternetExplorerHomePage
xJea
xMySql
xNetworking
xPendingReboot
xPhp
xPowerShellExecutionPolicy
xPSDesiredStateConfiguration
xRemoteDesktopAdmin
xRemoteDesktopSessionHost
xSafeHarbor
xSCDPM
xSCOM
xSCSMA
xSCSPF
xSCSR
xSCVMM
xSmbShare
xSqlPs
xSQLServer
xSystemSecurity
xTimeZone
xWebAdministration
xWindowsRestore
xWindowsUpdate
xWinEventLog
xWordPress

As you can see there are A LOT of them… some that I think are really cool are for instance TimeZone, RemoteDesktopAdmin, BitLocker and more. Note that all DSC resources starting with an x are eXperimental. So let’s get started…

Prerequisites

DSC is built in to Windows Server 2012 R2 but it needs the patch KB2883200. If this patch is not installed you will not be able to see the modules you have installed.

Installing DSC Resources

Some resources are installed by default:

File
Archive
Environment
Group
Log
Package
Registry
Script
Service
User
WaitForAll
WaitForAny
WaitForSome
WindowsFeature
WindowsOptionalFeature
WindowsProcess

If you want to install other modules (for instance Wave 9) you just download them and extract them to the folder C:\Program Files\WindowsPowerShell\Modules.

Verifying the install

To verify the install run the following command:

Get-DscResource
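The install and verification steps above, scripted end to end. This is an added example and not code from the post or from the resource kit; it assumes the zip was downloaded to the path in $ResourceKitZip and that, as in the resource kit, each module sits in a folder holding a manifest named after the folder.

```powershell
# Added example (not from the post): install a DSC resource kit zip such as
# Wave 9 into the system-wide module path and verify the result.
# Assumptions: the zip was downloaded to $ResourceKitZip and unpacks to one
# folder per module, each holding a manifest named <ModuleName>.psd1.
$ResourceKitZip = 'C:\Temp\DSC Resource Kit Wave 9.zip'   # assumed download location
$ModulesRoot    = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'
$Staging        = Join-Path $env:TEMP 'DscResourceKit'

# 1. Prerequisite from the post: without KB2883200, Get-DscResource does not
#    list the modules you install.
if (-not (Get-HotFix -Id KB2883200 -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB2883200 is not installed; Get-DscResource will not show installed modules.'
}

# 2. Unpack to a staging folder first (System.IO.Compression is available on
#    the .NET 4.5 that ships with Windows Server 2012 R2).
Add-Type -AssemblyName System.IO.Compression.FileSystem
if (Test-Path $Staging) { Remove-Item $Staging -Recurse -Force }
[System.IO.Compression.ZipFile]::ExtractToDirectory($ResourceKitZip, $Staging)

# 3. Anything under Program Files\WindowsPowerShell\Modules runs as SYSTEM once
#    the Local Configuration Manager applies a configuration, so look at the
#    Authenticode status of the scripts before copying them there.
Get-ChildItem -Path $Staging -Recurse -Include *.psm1, *.psd1, *.ps1 |
    Get-AuthenticodeSignature |
    Group-Object Status |
    Select-Object Name, Count

# 4. Copy every folder that carries its own manifest into the module path,
#    skipping the resource subfolders below DSCResources.
$installed = Get-ChildItem -Path $Staging -Recurse -Directory |
    Where-Object {
        $_.FullName -notmatch '\\DSCResources\\' -and
        (Test-Path (Join-Path $_.FullName "$($_.Name).psd1"))
    } |
    ForEach-Object {
        Copy-Item -Path $_.FullName -Destination $ModulesRoot -Recurse -Force
        $_.Name
    }
"Installed modules: $($installed -join ', ')"

# 5. Verify, as the post does, that the new resources are visible.
Get-DscResource |
    Where-Object { $installed -contains "$($_.Module)" } |
    Select-Object Name, @{ n = 'Module'; e = { "$($_.Module)" } }, ImplementedAs |
    Sort-Object Module, Name
```

If step 5 prints nothing while step 4 reported modules, the hotfix warning from step 1 is the first thing to check.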

In the next part we will look at how you actually use DSC to create server configurations.

/Johan

Links

http://blogs.msdn.com/b/powershell/archive/2014/12/17/another-holiday-present-from-the-powershell-team-dsc-reskit-wave-9.aspx
http://support.microsoft.com/kb/2883200

Active Directory Based Activation

In Windows 2012 there is a new method of activating Windows Servers/Clients and Office. The method is called Active Directory Based Activation and is an alternative to KMS and MAK activation. It works by adding an Activation Object to Active Directory which activates computers joined to the domain.

  1. First we need to install the Volume Activation Tools from Server Manager (Volume Activation Tools is just the tool to create the activation objects in AD. Active Directory Activation does not require any server components)
  2. Second we need to add the KMS key and activate it.

  3. To install an Office key you will need to download and install the Microsoft Office 2013 Volume License Pack.
  4. When the install is done the Volume Activation tool will pop up and allow you to add the key.

Note 1: The Windows Server 2012 R2 key will also activate clients.

Note 2: Active Directory based activation works for Windows 8/8.1, Windows Server 2012 / 2012 R2 and Office 2013. For older versions you will need a KMS server.

Note 3: Since the activation object is stored in AD it is replicated to all DCs, which means that all DCs can act as an activation server.
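Two checks for the setup described above, as an added example that is not part of the post: the first lists the activation objects the Volume Activation Tools created in the configuration partition (which is why Note 3 holds), the second shows the license state on a client. It assumes the ActiveDirectory RSAT module is available where the first function runs; the function names are made up for this example.

```powershell
# Added example, not from the post: check an Active Directory Based Activation
# setup from both sides. Get-ActivationObject needs the ActiveDirectory RSAT
# module and can run against any DC; Get-LocalLicenseState runs on a
# domain-joined client. Function names are constructed for the example.

function Get-ActivationObject {
    # The Volume Activation Tools write objects of class msSPP-ActivationObject
    # into the configuration partition, which replicates to every DC, so every
    # DC can answer activation requests (the post's Note 3).
    Import-Module ActiveDirectory
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$configNC"
    try {
        $objects = Get-ADObject -SearchBase $container -SearchScope OneLevel `
            -LDAPFilter '(objectClass=msSPP-ActivationObject)' `
            -Properties whenCreated -ErrorAction Stop
    } catch {
        Write-Warning "Could not read $container ($($_.Exception.Message)); AD Based Activation is not set up in this forest."
        return
    }
    $objects | Select-Object Name, whenCreated, DistinguishedName
}

function Get-LocalLicenseState {
    # SoftwareLicensingProduct lists every product that has a key installed.
    # Volume (GVLK) clients show "VOLUME_KMSCLIENT channel" in Description;
    # whether the activation came from a KMS host or from an AD activation
    # object is shown by slmgr.vbs /dlv ("AD Activation client information").
    $status = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
                 4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
        Select-Object Name, Description, PartialProductKey,
            @{ n = 'LicenseStatus';    e = { $status[[int]$_.LicenseStatus] } },
            @{ n = 'GracePeriodDays';  e = { [math]::Round($_.GracePeriodRemaining / 1440, 1) } }  # WMI reports minutes
}

# Run the first on a machine with RSAT, the second on the client being checked.
Get-ActivationObject
Get-LocalLicenseState
```

A client that stays at a grace status after joining the domain is the usual sign that either the activation object is missing or the client is an older OS that still needs a KMS server (Note 2).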

Links

http://support.microsoft.com/kb/2781538
http://blogs.technet.com/b/askpfeplat/archive/2013/02/04/active-directory-based-activation-vs-key-management-services.aspx
http://blogs.technet.com/b/odsupport/archive/2012/11/07/how-to-setup-active-directory-based-activation-host-for-microsoft-office-2013.aspx

Password Reset in RDWeb

Today I will take a short look at enabling password reset using the RDWeb component in Windows Server 2012.

This functionality is built in to Remote Desktop but it is not enabled by default. In this article we will look at enabling it and also creating a link to it on the login page.

We start off by enabling the Password Reset feature.

  1. Start IIS Manager on your RDWeb Server
  2. Browse to [Server Name] – Sites – Default Web Site – RDWeb – Pages
  3. Open Application Settings
  4. Change the property PasswordChangeEnabled to true
  5. To test the password reset functionality browse to
    https://[Servername]/RDWeb/Pages/en-US/password.aspx
    and you will see the password reset page.

When a user tries to log in using an expired password they will get this:

Now, to enable the link on the login page…

  1. Using an elevated notepad (or tool of your choice) edit the file

    C:\Windows\Web\RDWeb\Pages\en-US\login.aspx

  2. Go down to line 583 and add the following line

    <a href="https://[ServerName]/RDWeb/Pages/en-US/password.aspx">Password Reset Utility</a>

  3. Save the page.
  4. Browse to the RDWeb login page and verify the change.
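The same two changes scripted, as an added example (not from the post or from Microsoft): the first function sets the PasswordChangeEnabled setting through the WebAdministration module instead of IIS Manager, the second inserts the link into login.aspx after taking a backup. The server name and the line number are parameters; 583 is the position given in the post and should be checked against your own copy of the file.

```powershell
# Added example, not part of the original post: the two manual changes above
# scripted with the WebAdministration module. Run in an elevated PowerShell
# session on the RD Web Access server.
Import-Module WebAdministration

function Enable-RdWebPasswordChange {
    # IIS Manager > RDWeb > Pages > Application Settings edits <appSettings> in
    # C:\Windows\Web\RDWeb\Pages\web.config; this sets the same key and reads it back.
    $pages  = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
    $filter = "/appSettings/add[@key='PasswordChangeEnabled']"
    Set-WebConfigurationProperty -PSPath $pages -Filter $filter -Name value -Value 'true'
    (Get-WebConfigurationProperty -PSPath $pages -Filter $filter -Name value).Value
}

function Add-RdWebPasswordResetLink {
    param(
        # Must match the name on the RDWeb certificate, or the browser warns on the link.
        [string]$ServerName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$LoginPage  = 'C:\Windows\Web\RDWeb\Pages\en-US\login.aspx',
        [int]$AfterLine     = 583   # from the post; verify against your file
    )
    $link  = "<a href=`"https://$ServerName/RDWeb/Pages/en-US/password.aspx`">Password Reset Utility</a>"
    $lines = [System.Collections.Generic.List[string]](Get-Content -Path $LoginPage)
    if ($lines -contains $link) { return "link already present in $LoginPage" }
    if ($AfterLine -gt $lines.Count) { throw "$LoginPage has only $($lines.Count) lines" }
    Copy-Item -Path $LoginPage -Destination "$LoginPage.bak" -Force   # keep the original for rollback
    $lines.Insert($AfterLine, $link)   # List.Insert is 0-based, so this lands after line $AfterLine
    Set-Content -Path $LoginPage -Value $lines -Encoding UTF8
    "inserted link after line $AfterLine of $LoginPage (backup: $LoginPage.bak)"
}

Enable-RdWebPasswordChange
Add-RdWebPasswordResetLink
```

Because password.aspx sits in the same folder as login.aspx, a relative href="password.aspx" would also work and avoids tying the page to one host name; the absolute form is kept here to match the post.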

/Johan

Links

http://ryanmangansitblog.com/2013/03/11/add-password-reset-feature-to-remote-desktop-web-access-2012/
http://blogs.msdn.com/b/rds/archive/2014/06/04/failed-logons-due-to-expired-passwords-password-change-functionality-in-rd-web-access.aspx

ADFS 3.0 with Windows XP (??) Clients

Today I spent the day at a customer’s looking at an XP computer (I know they are supposed to be extinct) having problems authenticating using ADFS. As we know XP is using IE8 and IE8 in combination with XP does not support Server Name Indication. Turns out SNI is on by default in ADFS 3.0… bummer

Fortunately it is fixable:

Start by getting information about the SSL certificate using:

netsh http show sslcert

Then we bind the IP:port combination to the SSL cert using (in an elevated command prompt):

netsh http add sslcert ipport=[ipaddress:port from above] certhash=[Certificate Hash from above] appid=[appid from above] certstorename=MY

These steps need to be taken on both the ADFS server and the Web Application Proxy.

IMPORTANT: This works as long as the Web Application Proxy is not doing anything else but working as an “ADFS Proxy”
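The two netsh steps above, with the hash and application id read from the existing SNI binding instead of copied by hand. This is an added example and not code from the post; the function names are made up for it, and the federation service name is a parameter you supply.

```powershell
# Added example, not part of the original post: parse "netsh http show sslcert"
# into objects and add the IP:port binding for the ADFS certificate so that
# clients without SNI (XP/IE8) are served the right certificate. Run from an
# elevated prompt on the ADFS server and on the Web Application Proxy.

function Get-HttpSslCertBinding {
    # netsh prints one "Key : Value" block per binding, separated by blank lines.
    $bindings = New-Object System.Collections.ArrayList
    $current  = @{}
    $flush = {
        if ($current.Count -gt 0) {
            $endpoint = if ($current['Hostname:port']) { $current['Hostname:port'] } else { $current['IP:port'] }
            [void]$bindings.Add([pscustomobject]@{
                Endpoint        = $endpoint
                SniBinding      = [bool]$current['Hostname:port']
                CertificateHash = $current['Certificate Hash']
                ApplicationId   = $current['Application ID']
                StoreName       = $current['Certificate Store Name']
            })
        }
    }
    foreach ($line in (netsh http show sslcert)) {
        # Lazy match on the key so "Hostname:port   : adfs.example.com:443" splits at the padded colon.
        if ($line -match '^\s*(.+?)\s*:\s+(.*?)\s*$') {
            $current[$matches[1]] = $matches[2]
        } else {
            & $flush
            $current = @{}
        }
    }
    & $flush
    $bindings
}

function Add-NonSniSslBinding {
    param(
        [Parameter(Mandatory = $true)][string]$Hostname,   # federation service name used in the SNI binding
        [string]$IpPort = '0.0.0.0:443'                    # binding used for clients that send no SNI
    )
    $all = Get-HttpSslCertBinding
    $sni = $all | Where-Object { $_.SniBinding -and $_.Endpoint -eq "$($Hostname):443" }
    if (-not $sni) { throw "No SNI binding found for $($Hostname):443; check 'netsh http show sslcert'." }

    $existing = $all | Where-Object { -not $_.SniBinding -and $_.Endpoint -eq $IpPort }
    if ($existing) {
        Write-Warning "$IpPort is already bound to certificate $($existing.CertificateHash); leaving it alone."
        return $existing
    }
    # Same certificate and application id as the SNI binding, store MY as in the post.
    netsh http add sslcert "ipport=$IpPort" "certhash=$($sni.CertificateHash)" "appid=$($sni.ApplicationId)" certstorename=MY
    Get-HttpSslCertBinding | Where-Object { $_.Endpoint -eq $IpPort }
}

# Example call with a constructed federation service name:
# Add-NonSniSslBinding -Hostname adfs.example.com
```

The IP:port binding is what HTTP.SYS hands to every client that sends no server name on that address and port, which is the reason for the IMPORTANT note above: on a Web Application Proxy that also publishes other sites, non-SNI clients of those sites would now be shown the ADFS certificate.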

Link:
http://hindenes.com/trondsworking/2014/03/25/adfs-3-0-windows-xp-fail/