Windows 7 and Windows Server 2008 R2 - now RTM!!!!

Yes, finally, after months and months of news about it, Windows 7 and Windows Server 2008 R2 are now RTM (Released to Manufacturing). The big question right now is when you can get it, and a nice post on the Windows Team Blog explains exactly that. For example, if you are an IT Pro with a TechNet subscription, you will be able to get it starting August 6th; if you are a developer with an MSDN subscription, you will be able to get it by August 6th as well (English only), with all the remaining languages by October 1st; Microsoft Partner Program Gold/Certified members will be able to download it by August 16th; and so on. Check that post for more details, but in any case remember that the GA (General Availability) date will be October 22, so if you are not in one of those groups, don't worry, you will get it later! You can find more information about this big milestone on the Windows Server 2008 R2 blog and the Windows 7 blog.

Posted on 7/23/2009 7:12:00 PM by Miklos


Categories: Windows 2008R2 | Windows 7


Net Print command, take care on Windows 7 and Windows Server 2008 R2

If you have been using the Net Print command (widely used in Windows 2003 to display information about a specified print queue or to control a specific print job, and still present in Windows Vista and Windows 2008), take care: in Windows 7 and Windows Server 2008 R2 this command was deprecated. To perform the same functions you will need to use WMI or PowerShell as alternatives. In any case, the Windows team will release a KB as soon as the versions become available. So meanwhile, take care!
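The WMI route mentioned above, as an added example that is not part of the original post: two PowerShell functions built on the Win32_PrintJob WMI class that cover what Net Print did (list a queue; hold, release or delete a job). The function names are hypothetical, and PRINTSRV01, Accounting and the job id are placeholder values.

```powershell
# Added example, not from the original post. Function names are hypothetical.
#   net print \\computer\queue                      -> Get-PrintQueueJob
#   net print \\computer job# /hold|/release|/delete -> Set-PrintQueueJob
function Get-PrintQueueJob {
    param(
        [string]$ComputerName = '.',   # '.' means the local computer
        [string]$PrinterName           # optional: limit the output to one queue
    )
    # Win32_PrintJob.Name has the form "<printer name>, <job id>"
    Get-WmiObject -Class Win32_PrintJob -ComputerName $ComputerName |
        Where-Object { -not $PrinterName -or $_.Name -like "$PrinterName,*" } |
        Select-Object JobId, Name, Document, Owner, JobStatus, TotalPages
}

function Set-PrintQueueJob {
    param(
        [string]$ComputerName = '.',
        [Parameter(Mandatory = $true)][int]$JobId,
        [Parameter(Mandatory = $true)][ValidateSet('Hold', 'Release', 'Delete')]
        [string]$Action
    )
    $jobs = @(Get-WmiObject -Class Win32_PrintJob -ComputerName $ComputerName `
                            -Filter "JobId = $JobId")
    if ($jobs.Count -eq 0) { throw "Print job $JobId was not found on $ComputerName." }
    foreach ($job in $jobs) {
        switch ($Action) {
            'Hold'    { [void]$job.Pause()  }   # Win32_PrintJob.Pause()
            'Release' { [void]$job.Resume() }   # Win32_PrintJob.Resume()
            'Delete'  { $job.Delete() }         # removes the job from the queue
        }
    }
}

# Constructed usage (placeholder server, queue and job id):
# Get-PrintQueueJob -ComputerName PRINTSRV01 -PrinterName 'Accounting'
# Set-PrintQueueJob -ComputerName PRINTSRV01 -JobId 12 -Action Hold
```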

Posted on 7/19/2009 5:17:00 PM by Miklos


Categories: Windows 2008R2 | Windows 7


How to configure IPSec on Windows 2008 - Example and detailed steps

Some people have asked me how to use IPSec with Windows 2008. IPSec has changed a little compared to Windows 2003 and XP, since we now manage it from another console (plus the Windows Advanced Firewall). To begin, let’s say that you have Machine "A" and want to use IPSec for the communication on port 3389. We will use the ‘non recommended procedure’, but the good thing is that you can configure this very quickly and test it in your non-production environment. So let’s begin:

Task 1: Create an IPsec Negotiation policy on Computer "A"

1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.

2. Right-click the IP Security Policies on Local Computer node, and then click Create IP Security Policy.

3. On the Welcome screen of the IP Security Policy Wizard, click Next.

4. In the Name box, type Secure3389. In the Description field, type Policy to encrypt SMB, and then click Next.

5. If your environment will NOT have machines earlier than Windows Vista, ensure that Activate the default response rule is not selected, click Next, and then go to step 7.

6. In the Default Response Rule Authentication Method, choose the option Use this string to protect the key exchange (preshared key), and type $ecrET

7. In the Completing the IP Security Policy Wizard dialog box, ensure that Edit properties is selected, and then click Finish.

8. In the Secure3389 Properties dialog box, click Add.

9. In the Welcome to the Create IP Security Rule Wizard, click Next.

10. In the Tunnel EndPoint dialog box, click This rule does not specify a tunnel. Click Next.

11. In the Network Type dialog box, click All network connections, and then click Next.

12. In the IP Filter List dialog box, click Add.

13. A new dialog box called IP Filter List appears. Type Secure3389TCP, and then click Add.

14. On the Welcome screen of the IP Filter Wizard, click Next.

15. In the Description text box, type 3389 IPsec Filter. Click Next.

16. In the IP Traffic Source dialog box, click Any IP Address, and then click Next.

17. In the IP Traffic Destination dialog box, click Any IP Address, and then click Next.

18. In the IP Protocol Type dialog box, click TCP in the drop-down list, and then click Next.

19. In the Protocol Port dialog box, select From this port, type 3389 in the text box, select To Any port, and then click Next.

20. On the Completing the IP Filter Wizard screen, click Finish, and then click OK.

21. In the IP Filter list, select Secure3389TCP, and then click Next.

22. In the Filter Action dialog box, click Add.

23. In the Filter Action Wizard dialog box, click Next.

24. In the Filter Action Name dialog box, type Secure3389Filter, and then click Next.

25. In the Filter Action General Options dialog box, select Negotiate Security, and then click Next.

26. In the Communicating with computers that do not support IPsec dialog box, select Do not allow unsecured communications, and then click Next.

27. In the IP Traffic Security dialog box, select Integrity and encryption, and then click Next.

28. On the Completing the IP Security Filter Action Wizard screen, click Finish.

29. In the Filter Action dialog box, select Secure3389Filter, and then click Next.

30. In the Authentication Method dialog box, select Use this string to protect the key exchange (preshared key), type $ecrET and then click Next.

31. On the Completing the Security Rule Wizard screen, click Finish.

32. In the Secure3389 Properties dialog box, click OK.

Task 2: Assign the Policy

The policy you created is not active until you assign it. To do so:

1.    On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.

2.    Go to the IP Security Policies on Local Computer node and in the right pane right click the Secure3389 Policy and select Assign.

You are done! You have configured IPSec for port 3389. Now let’s see how you need to configure the clients so that the machines can communicate with each other.

Windows Vista or Machine "B"

On a Windows Vista client the process is similar to the one presented above, so you can execute steps 1 through 32 and then you will be able to connect, or you can export the policy from Windows 2008 and import it on Windows Vista with this procedure:

1.    In the Local Security Policy Microsoft Management Console (MMC) console, right-click IP Security Policies on Local Computer, click All Tasks, and then click Export Policies.

2.    In the Save As dialog box, type C:\IPSecPolicy\IPsecurityPolicy3389.ipsec, and then click Save. (Then save that IPsec policy file on a USB key.)

Import the security policy to Windows Vista machine (Machine "B"):

1.    On the Windows Vista machine, open the local security policy. To do this, click Start, click the Start Search dialog, and then type: gpedit.msc.

2.    Navigate to Computer Configuration > Windows Settings > IP Security Policies on Local Computer.

3.    Right-click IP Security Policies on Local Computer, click All Tasks, and then click Import Policies.

4.    Read the IP Security Import warning, and then click Yes.

5.    In the Open dialog box, navigate to the USB key (where you should have the file), and then double-click IPsecurityPolicy3389.ipsec.

That's it! Of course, if both machines can reach a shared directory on the LAN, you can share the file there and copy it more easily.

Now you can try it, and have the 3389 communication protected by IPSec!

Another thing is enforcement. For that you need to use the Advanced Windows Firewall and configure a Security Association with this procedure:

Configure a Security Association rule in the Windows Firewall with Advanced Security MMC

1.    On Computer "A", click Start, click Administrative Tools, and then click Windows Firewall with Advanced Security.

2.    Select and then right-click Connection Security Rules, and then click New Rule.

3.    In the New Connection Security Rule Wizard, select Server-to-server, and then click Next.

4.    In the Endpoints dialog box, select Any IP Address for both options, and then click Next.

5.    In the Requirements dialog box, select Require authentication for inbound and outbound connections, and then click Next.

6.    In the Authentication Method dialog box, select PreShared key, type $ecrET in the text box, and then click Next.

7.    On the Profile page, verify that the Domain, Private, and Public options are selected, and then click Next.

8.    In the Name box, type SecureServerAuthenticationRule, and then click Finish.

9.    Perform steps 1 through 8 on Computer "B".

And now you are completely done… enjoy your IPsec connection between them.
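The three GUI procedures above (create the policy, assign it, add the connection security rule) scripted with netsh from an elevated PowerShell prompt, as an added example that is not part of the original post. Object names are the post's; the helper Invoke-Netsh, the rule name Secure3389Rule and the ESP[3DES,SHA1] proposal standing in for the wizard's "Integrity and encryption" choice are assumptions.

```powershell
# Added example, not the author's own script. Run on both computers.
# A preshared key is stored in plaintext in the IPsec policy, so keep this
# to the non-production testing the post describes.
function Invoke-Netsh {
    # Hypothetical helper: run netsh and stop at the first failing step.
    & netsh.exe @args
    if ($LASTEXITCODE -ne 0) { throw "netsh $args exited with code $LASTEXITCODE" }
}

# Prompt for the key instead of embedding it: a literal such as "$ecrET" in a
# double-quoted PowerShell string is expanded as a variable, which would
# silently configure a different key than the one typed in the GUI.
$psk = Read-Host 'Preshared key (same value on both computers)'
if ([string]::IsNullOrEmpty($psk)) { throw 'A preshared key is required.' }

# Task 1: policy, filter list, filter, filter action and rule (steps 1-32)
Invoke-Netsh ipsec static add policy name=Secure3389 activatedefaultrule=no
Invoke-Netsh ipsec static add filterlist name=Secure3389TCP
Invoke-Netsh ipsec static add filter filterlist=Secure3389TCP srcaddr=any dstaddr=any `
    protocol=TCP srcport=3389 dstport=0 mirrored=yes
# inpass=no and soft=no correspond to "Do not allow unsecured communications"
Invoke-Netsh ipsec static add filteraction name=Secure3389Filter action=negotiate `
    inpass=no soft=no 'qmsecmethods=ESP[3DES,SHA1]'
Invoke-Netsh ipsec static add rule name=Secure3389Rule policy=Secure3389 `
    filterlist=Secure3389TCP filteraction=Secure3389Filter "psk=$psk"

# Task 2: assign the policy so that it becomes active
Invoke-Netsh ipsec static set policy name=Secure3389 assign=y

# Connection security rule in Windows Firewall with Advanced Security
Invoke-Netsh advfirewall consec add rule name=SecureServerAuthenticationRule `
    endpoint1=any endpoint2=any action=requireinrequireout `
    auth1=computerpsk "auth1psk=$psk" profile=any

# Review what was created before testing the 3389 connection
Invoke-Netsh ipsec static show policy name=Secure3389 level=verbose
Invoke-Netsh advfirewall consec show rule name=SecureServerAuthenticationRule
```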

Posted on 6/22/2009 4:43:00 PM by Miklos


Categories: Windows 2008 | Windows 2008R2


Make a fully functional Server Core machine with Windows 2008R2 Beta

I frequently get asked about how to install Windows 2008 Server Core on a new computer (that is not the tough part), however the "difficult" part could be to configure the Server Core in order to make it work for you properly.

So, I will show you all the steps required to get a Windows Server 2008R2 Beta Server Core machine with DNS and Active Directory. The good things about this machine are:

  1. The whole machine uses just 2.65GB with Active Directory, DNS and DHCP working
  2. It uses just 400MB of RAM (in fact right now it is using 385MB!) for all the mentioned roles
  3. It works really fast!

So this machine gives you a Windows 2008R2 AD machine (Server Core) that leaves you more 'RAM' to test failover clustering, the new features of Windows 2008R2 Beta, or Windows 7 with Windows 2008R2. Of course, this procedure works on Windows 2008 Core as well, with just a few screen changes; the commands are the same. Just remember that this procedure is for the server that will be the first forest, first tree, first domain in your environment; as I told you, it works as a testing procedure.

You just need the ISO image. Load it in your preferred virtualization software and begin the installation. I will put the general steps in bold and the detailed steps with numbers:

-1- Begin the installation of Windows Server 2008R2 Server Core with the default parameters.

1. Turn on your machine with the ISO image of Windows Server 2008R2 on it.
2. When the Install Windows Screen appears, press Next.
3. In the next screen press Install Now.
4. When the list of Select Operating Systems to Install appears, select Windows Server 2008 Enterprise (Server Core Installation) and press Next.
5. You must accept the license, you can read it, check the checkbox “I accept the license terms” and press Next.
6. In the screen Which type of installation do you want?, select Custom (advanced).
7. Notice that you should have just one drive (the one that you created), select it and press NEXT.
Note: Now you are done! Wait for Windows 2008 Server Core to be installed; this will easily take 10 minutes or more.

-2- First Login - and enter a new password (example: P@SSW0rd)

1. Since this is the first time that we start the machine, we need to set a password, so log in as Administrator with a blank password.
2. In the next screen enter the new password P@SSW0rd, and confirm it in the dialog box below. After that you will be “in”.
3. Now go back to your “Win2008Core” configuration and install the additions needed (for example, in Virtual Server 2005 you need to install the “Virtual Machine Additions”).

-3- Basic configuration of Windows Server 2008 Core: host name: ServerDC1 and IP 192.168.0.1

1. Log on to the virtual machine as Administrator with the password P@SSW0rd.
2. Check the current IP configuration by executing the command IPCONFIG /ALL, and take note of the host name.
Note: In Windows 2008 the name is automatically configured; typically it starts with WIN-XXXXXXXXXXX (WIN- and 11 chars).
3. Configure the name of the machine. Run the command:
netdom renamecomputer WIN-XXXXXXXXXXX /newname:SERVERDC1
4. When prompted to Proceed, press Y.
5. Now we need to configure the network. Run the command netsh; once it has loaded, type interface (Enter), then ipv4 (Enter), and then show interfaces
Note: That command shows the interfaces that you currently have; the most important thing here is to get the right name of the interface to configure. Another interesting command is show ipaddresses.
6. Execute the following command:
set address name="local area connection" source=static address=192.168.100.1 mask=255.255.255.0
7. Verify that you configured your address correctly, and restart your computer using the command shutdown -r

-4- Install DNS Server on the Server Core Machine

1. To install the DNS Server on Windows 2008R2 Server Core, you just need to execute the following command:

start /w ocsetup DNS-Server-Core-Role

-5- Install the Active Directory on the Server Core, domain: testing.local

1. Execute the command "notepad unattend.txt".
2. You will be prompted to create a new file, press YES.
3. In Notepad, write the following:
[DCINSTALL]
AutoConfigDNS=Yes
DomainNetBiosName=testing
NewDomainDNSName=testing.local
ReplicaOrNewDomain=Domain
NewDomain=Forest
ForestLevel=3
DomainLevel=3
SafeModeAdminPassword=P@SSW0rd
RebootOnSuccess=Yes

4. Launch the installation of AD with the following command:
dcpromo /unattend:unattend.txt
5. The machine will restart if everything installed successfully.

Note: You should now have an AD+DNS machine, so you can start adding any Windows client to it. It is advisable to have a Windows Vista machine and/or another Windows 2008 machine to perform the remote administration.

-6- Test your Active Directory and DNS installation

Some commands that you can use to check whether your AD is installed properly:
dsquery user
net share
dnscmd /enumzones
dcdiag /q
wevtutil qe system /c:5 /rd /f:text | more

 Commands in the Win2008R2 Server Core

 enjoy!!

Posted on 3/9/2009 6:05:00 PM by Miklos


Categories: Windows 2008R2
