Wednesday, 21 October 2015

Trust relationship between two different domains


A trust is a relationship between different domains or forests that allows resources to be shared between them.

A trust can be transitive or non-transitive.
  • Transitive Trust: a trust that extends to the other domains in the trusted forest.
  • Non-Transitive Trust: a trust that does not extend beyond the two domains that created it; it exists only between those two domains of different forests.
Types of Trusts

  • External Trust: a trust between only two domains in different forests; it is a non-transitive trust.

  • Forest Trust: a trust between two forest root domains that lets the other domains in each forest share resources; it is a transitive trust.

  • Shortcut Trust: a trust that lets users from different domains within the same forest reach each other's resources faster by shortening the trust path.

  • Realm Trust: a trust that lets a Windows Active Directory domain trust a non-Windows (Unix-based) Kerberos realm.

Direction of Trust

  • One-way Trust: if network A trusts network B, then users in network B can access resources in network A, but not the reverse.
  • Two-way Trust: network A trusts network B and vice versa, so both networks can access each other's resources.
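As an added example (not part of the original post), the following PowerShell lists the trusts of the current domain and labels each with the type and direction described above. It assumes the ActiveDirectory RSAT module, a domain-joined machine, and read access to the trust objects; the function name is an assumption.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) is installed and the machine is joined to the domain.
Import-Module ActiveDirectory

function Get-TrustSummary {
    foreach ($t in Get-ADTrust -Filter *) {
        # Kind of trust, derived from the trust object's own attributes
        $kind = if ("$($t.TrustType)" -eq 'MIT') { 'Realm (non-Windows Kerberos realm)' }
                elseif ($t.IntraForest)          { 'Intra-forest (parent/child or shortcut)' }
                elseif ($t.ForestTransitive)     { 'Forest (transitive)' }
                else                             { 'External (non-transitive)' }

        # Direction, phrased as in the post: "A trusts B" means B's users can
        # reach A's resources. An Outbound trust means this domain trusts the partner.
        $direction = switch ("$($t.Direction)") {
            'BiDirectional' { 'Two-way: both domains can access each other' }
            'Outbound'      { 'One-way: we trust the partner; partner accounts can access resources here' }
            'Inbound'       { 'One-way: the partner trusts us; our accounts can access resources there' }
            default         { "Unknown ($($t.Direction))" }
        }

        [pscustomobject]@{
            Partner                = $t.Name
            Kind                   = $kind
            Direction              = $direction
            # Hardening settings worth reviewing on any external or forest trust
            SelectiveAuth          = [bool]$t.SelectiveAuthentication
            SidFilteringQuarantine = [bool]$t.SIDFilteringQuarantined
        }
    }
}

Get-TrustSummary | Format-Table -AutoSize -Wrap
```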

CMD commands for adding, removing ports, programs, configure ICMP, set logging in windows servers

The netsh advfirewall firewall command-line context is available in Windows Server 2008 and in Windows Vista. This context provides the functionality for controlling Windows Firewall behavior that was provided by the netsh firewall context in earlier Windows operating systems.

This context also provides functionality for more precise control of firewall rules. These rules include the following per-profile settings:
  • Domain
  • Private
  • Public
The netsh firewall command-line context might be deprecated in a future version of the Windows operating system. We recommend that you use the netsh advfirewall firewall context to control firewall behavior.

Note: The netsh firewall command line is not recommended for use in Windows Vista.

This article describes how to use the netsh advfirewall firewall context instead of the netsh firewall context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista.
Important: If you are a member of the Administrators group, and User Account Control is enabled on your computer, run the commands from a command prompt with elevated permissions. To start a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.

Some examples of frequently used commands are provided in the following tables. You can use these examples to help you migrate from the older netsh firewall context to the new netsh advfirewall firewall context.

Additionally, the netsh advfirewall commands that you can use to obtain detailed inline help are provided.

Example 1: Enable a program

Old command:
  netsh firewall add allowedprogram C:\MyApp\MyApp.exe "My Application" ENABLE
New command:
  netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes

Old command:
  netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=Domain
New command:
  netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain

Old command:
  netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=ALL
New command (run the following commands):
  netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
  netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private
For more information about how to add firewall rules, run the following command:
netsh advfirewall firewall add rule ?

Example 2: Enable a port

Old command:
  netsh firewall add portopening TCP 80 "Open Port 80"
New command:
  netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
For more information about how to add firewall rules, run the following command:
netsh advfirewall firewall add rule ?

Example 3: Delete enabled programs or ports

Old command:
  netsh firewall delete allowedprogram C:\MyApp\MyApp.exe
New command (substitute the name of the rule to delete):
  netsh advfirewall firewall delete rule name="<rule name>" program="C:\MyApp\MyApp.exe"

Old command:
  netsh firewall delete portopening protocol=UDP port=500
New command (substitute the name of the rule to delete):
  netsh advfirewall firewall delete rule name="<rule name>" protocol=udp localport=500
For more information about how to delete firewall rules, run the following command:
netsh advfirewall firewall delete rule ?

Example 4: Configure ICMP settings

Old command:
  netsh firewall set icmpsetting 8
New command:
  netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Old command:
  netsh firewall set icmpsetting type=ALL mode=enable
New command:
  netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow

Old command:
  netsh firewall set icmpsetting 13 disable all
New command:
  netsh advfirewall firewall add rule name="Block Type 13 ICMP V4" protocol=icmpv4:13,any dir=in action=block
For more information about how to configure ICMP settings, run the following command:
netsh advfirewall firewall add rule ?

Example 5: Set logging

Old command:
  netsh firewall set logging %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 ENABLE ENABLE
New command (run the following commands):
  netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
  netsh advfirewall set currentprofile logging maxfilesize 4096
  netsh advfirewall set currentprofile logging droppedconnections enable
  netsh advfirewall set currentprofile logging allowedconnections enable
For more information, run the following command:
netsh advfirewall set currentprofile ?
If you want to set logging for a particular profile, use one of the following options instead of the "currentprofile" option:
  • Domainprofile
  • Privateprofile
  • Publicprofile

Example 6: Enable Windows Firewall

Old command:
  netsh firewall set opmode ENABLE
New command:
  netsh advfirewall set currentprofile state on

Old command:
  netsh firewall set opmode mode=ENABLE exceptions=enable
New command (run the following commands; exceptions enabled means inbound allow rules are still honoured, which is the blockinbound policy):
  netsh advfirewall set currentprofile state on
  netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound

Old command:
  netsh firewall set opmode mode=enable exceptions=disable profile=domain
New command (run the following commands; exceptions disabled means all inbound traffic is blocked regardless of rules, which is the blockinboundalways policy):
  netsh advfirewall set domainprofile state on
  netsh advfirewall set domainprofile firewallpolicy blockinboundalways,allowoutbound

Old command:
  netsh firewall set opmode mode=enable profile=ALL
New command (run the following commands):
  netsh advfirewall set domainprofile state on
  netsh advfirewall set privateprofile state on
For more information, run the following command:
netsh advfirewall set currentprofile ?
If you want to set the firewall state for a particular profile, use one of the following options instead of the "currentprofile" option:
  • Domainprofile
  • Privateprofile
  • Publicprofile

Example 7: Restore policy defaults

Old command:
  netsh firewall reset
New command:
  netsh advfirewall reset
For more information, run the following command:
netsh advfirewall reset ?

Example 8: Enable specific services

Old command:
  netsh firewall set service FileAndPrint
New command:
  netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

Old command:
  netsh firewall set service RemoteDesktop enable
New command:
  netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Old command:
  netsh firewall set service RemoteDesktop enable profile=ALL
New command (run the following commands):
  netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
  netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
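As an added example (not part of the original article or the Microsoft text it quotes), the following PowerShell wraps the netsh advfirewall commands from Examples 1, 2 and 5 so that a rule is only added when no rule of that name exists, and turns logging on for all three named profiles rather than currentprofile. The function names and the default log path are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original article. Assumes Windows Vista /
# Server 2008 or later (netsh advfirewall) and an elevated PowerShell prompt.

function Test-FirewallRule {
    param([Parameter(Mandatory)][string]$Name)
    # "show rule" prints "No rules match the specified criteria." when absent
    $out = netsh advfirewall firewall show rule name="$Name" 2>&1
    return -not ($out -match 'No rules match')
}

function Add-InboundProgramRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Program,
        [string]$RemoteIp = 'any',
        [ValidateSet('domain','private','public','any')][string]$FwProfile = 'any'
    )
    if (Test-FirewallRule -Name $Name) { Write-Verbose "rule '$Name' already exists"; return }
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        program="$Program" enable=yes remoteip=$RemoteIp profile=$FwProfile
}

function Add-InboundPortRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('TCP','UDP')][string]$Protocol,
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('domain','private','public','any')][string]$FwProfile = 'any'
    )
    if (Test-FirewallRule -Name $Name) { Write-Verbose "rule '$Name' already exists"; return }
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=$Protocol localport=$Port profile=$FwProfile
}

function Enable-FirewallLogging {
    param(
        [string]$LogFile = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log",  # assumption
        [int]$MaxKb = 4096
    )
    # Same settings as Example 5, applied to each named profile instead of currentprofile
    foreach ($p in 'domainprofile','privateprofile','publicprofile') {
        netsh advfirewall set $p logging filename "$LogFile"
        netsh advfirewall set $p logging maxfilesize $MaxKb
        netsh advfirewall set $p logging droppedconnections enable
        netsh advfirewall set $p logging allowedconnections enable
    }
}

# Usage: the same rules as Examples 1 and 2, plus logging on every profile
Add-InboundProgramRule -Name 'My Application' -Program 'C:\MyApp\MyApp.exe' `
    -RemoteIp '157.60.0.1,172.16.0.0/16,LocalSubnet' -FwProfile domain
Add-InboundPortRule -Name 'Open Port 80' -Protocol TCP -Port 80
Enable-FirewallLogging
```

Rerunning the script is safe: existing rules are left alone rather than duplicated, which is what netsh does when the same add command is issued twice.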

Friday, 16 October 2015

Installing Microsoft System Center Configuration Manager (SCCM) 2012 SP1 onto Windows Server 2012 with SQL 2012 RTM CU 3

Here’s a guide for installing ConfigMgr 2012 SP1 onto Windows Server 2012 with SQL 2012 RTM CU 3.

Prerequisites:

  • Windows 2012 Domain Member
  • Windows Domain Controller (2008 or 2012 is acceptable)

Necessary Downloads:

I’ve put together a list of downloads required for the SCCM installation.

Windows Workstations:

The following Virtual Machines will need to be assigned and built:
The usage and configuration recommendations below are for this lab guide only.

Purpose: Domain Controller
  OS for the lab: Windows 2008 R2 or Windows 2012
  Usage and configuration: the domain controller for your ConfigMgr SP1 Beta site server

Purpose: Primary
  OS for the lab: Windows 2012 RTM
  Usage and configuration: assign a minimum of 2GB of memory, ideally 4GB; join this server to an existing lab AD domain

Purpose: SQL Server
  OS for the lab: Windows 2012 or 2008
  Usage and configuration: SQL Server 2008 R2 or SQL Server 2012 CU3

***I’m assuming that you’re putting this into a working environment and you know that you need a domain controller for this project to be successful. If you need directions on how to create a domain controller, I’m sure that you can find resources elsewhere on the internet as this page will not walk you through that process.***

Install Windows Server 2012

  • I won’t screenshot the Server 2012 installation as there isn’t much to it; instead, install Windows Server 2012 into your VM and log onto it
  • If you haven’t already, change the machine name
  • Give it a static IP address
  • Join it to your AD domain
  • Install WADK
  • Launch the WADK installer

  • I just accept default paths for all my installs, unless there is a known issue or a pretty good reason to not do so
  • Select Next

  • Select Yes
  • Select Next

  • Select Accept

  • Un-tick everything short of
    • Deployment Tools
    • Windows Preinstallation Environment (Windows PE)
    • User State Migration Tool (USMT)
  • Select Install

  • Select Close
  • Install OS prerequisites
  • Open a PowerShell prompt and type
    • Import-Module servermanager
    • Add-WindowsFeature BITS,RDC,Web-WMI,WDS
I’ve really cut this down, magic happens during the installs that results in what we need being switched on or installed

Install SQL 2012

I don’t particularly recommend the installation of the SQL instance to be on the same server as your SCCM installation, but it CAN be done. I would really suggest that you install it on a separate server in order to keep the loads equalized and if you need to restart one server you don’t need to wait on all the services to come back online.
ConfigMgr 2012 SP1 supports SQL 2012 RTM with a minimum of CU 2 (but I HIGHLY recommend CU 3). ConfigMgr has very strict SQL collation requirements, pretty much across the entire System Center range: essentially only the SQL_Latin1_General_CP1_CI_AS collation is supported. This has to be selected during installation if you are running a non-US regional system OS.
Something handy to know ahead of the installs is that you can use CMTrace to view the resulting log files for the SQL 2012 RTM and CU 2 installations. Each execution creates a new folder, containing a Detail.txt log, under the following path:
C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\Log

The Installation Process

  • Launch the SQL 2012 RTM installer

  • Files are expanded …

  • Select Installation on the left navigation pane

  • Select New SQL Server stand-alone installation or add features to an existing installation

  • All rules will pass
  • Select OK

  • Select Specify a free edition and make sure Evaluation is the chosen option
  • Select Next

  • Tick Accept the license terms
  • Tick Send feature usage data
  • Select Next

  • I open the firewall later, hence the warning above
  • Select Next

  • Select SQL Server Feature Installation
  • Select Next

  • Select the following
    • Database Engine Services
    • Reporting Services – Native
      • You’ll need this for reporting services role within SCCM.
    • Management Tools – Basic
      • Management Tools – Complete
  • Select Next

  • Rules are good
  • Select Next

  • The default is Default instance, which we’ll accept along with the paths
  • Select Next

  • Select Next

  • By default each of the services will be configured using a service-specific user account; we need to revert back to using NT AUTHORITY\SYSTEM
    • Do this for the SQL Server Agent, the SQL Server Database Engine and the SQL Server Reporting Services services
      • Click Account Name
      • Browse
      • Browse locally for SYSTEM and accept
      • Set the services Start-up Type to automatic
  • When done, Select the Collation tab

  • If SQL_Latin1_General_CP1_CI_AS is not shown, click Customize otherwise skip this part

  • Select SQL collation, used for backwards compatibility
  • Scroll down the list and choose SQL_Latin1_General_CP1_CI_AS
  • Select OK

  • Select Next

  • Add the current user and a domain user at this point. I usually add domain admins and the local administrator unless I want to be very specific about who gets what
  • Select Next

  • Select Install and configure
  • Select Next

  • Tick Send Windows and SQL Server Error Reports to Microsoft …
  • Select Next

  • Rules passed again
  • Select Next

  • SQL is ready to install, show time!
  • Note the Configuration file path, you can automate this part of SQL install by using this file next time
  • Select Install

  • Once it’s done we get success reported back for all the features being installed

Install SQL 2012 RTM CU 3

It is important as a prerequisite that you install the Cumulative Update 3 pack on the SQL Server in order for SCCM to be “happy” with its own installation process.
  • Run the SQL 2012 RTM CU 3 installer

  • Unpack file time …

  • Tick I accept the license terms
  • Tick Send feature …
  • Select Next

  • The CU 3 detects a version it can upgrade
  • Select Next

  • No files in use, this is on a brand new install with no reboot yet, and none required before we patch. That’s cool
  • Select Next

  • That’s it, SQL 2012 with CU 3 both installed successfully
  • Select Close

Install WSUS

We’re going to install WSUS using Server Manager now. You can add this feature using PowerShell, but I’m passing through quickly and haven’t looked to see how you configure WSUS so that it uses the existing SQL installation and not WID
  • Open Server Manager
  • Select Add Roles and features

  • Select Next

  • Select Role-based or feature-based installation
  • Select Next

  • Select Select a server from the server pool
  • Select Next

  • Tick Windows Server Update Services
  • The following window will appear



  • Select Add Features

  • Select Next

  • Select Next

  • Select Next

  • Previously the WSUS installer wizard would be launched after we’d elected to install the role that would then allow us to configure the Database and Website settings. We now have this integrated pretty much into the role creation
  • Tick WSUS Services
  • Tick Database
  • Select Next

  • Enter a valid (as in the directory exists) path to store WSUS Content.
  • You should do this to get patch licensing files, otherwise licensed patches won’t install on the clients
  • Select Next

Supply the SQL Server Hostname

For this guide we’re just going to use the default SQL instance so no need to specify it above
  • Select Check connection
  • It should be able to reach back to SQL 2012 RTM with CU 3 and confirm connection is successful
  • Select Next

  • Notice that you can export configuration settings.
  • It has also put the Windows Internal Database (WID) into the list even though we haven’t selected it directly. I assume ticking Database during role creation induces this, I’ll see what that is about when I pass through here again once SP1 has released
  • Select Install

  • Select Close

Configure the firewall

This Primary won’t have a parent most likely, but if you do configure the beta in a hierarchy then you’ll need to open up the firewall ports or take the firewall down entirely
To open up the firewall ports that are needed by ConfigMgr for inter-site database replication

From Powershell or CMD prompt enter the following

netsh advfirewall firewall add rule name="SQLServer" dir=in action=allow protocol=TCP localport=1433

netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022

The rules should both be accepted with an OK message

Configure SQL 2012 Maximum server memory usage

Method 1

  • SQL will consume all your memory. It needs to be throttled back
  • Open SQL Server Management Studio and get the properties for the database up

  • Select Memory and change the maximum server memory setting

Method 2

  • Use OSQL to make the change to the maximum allowed memory
    • Note that this sets aside 1GB of memory for SQL to use before it “bottoms out” and begins paging. 1GB is enough for a small lab but if you encounter performance bottlenecks this is a place to revisit to increase the memory allocation.
  • Open a CMD prompt and type OSQL -E
    • Paste the following
      • sp_configure 'show advanced options', 1
      • GO
      • RECONFIGURE
      • GO
      • sp_configure 'max server memory', 1024
      • GO
      • RECONFIGURE
      • GO
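As an added example (not from the original guide), this PowerShell function reports the SQL settings the guide depends on (collation, build and max server memory) over a trusted connection, and with -Apply makes the same 1024 MB 'max server memory' change as the OSQL steps above. The function name and the localhost default instance are assumptions.

```powershell
# Added example, not part of the original guide. Assumes Windows PowerShell on
# a machine with System.Data.SqlClient and a Windows login with sysadmin rights.
function Test-SccmSqlPrerequisites {
    param(
        [string]$Instance  = 'localhost',  # default instance, as in this lab (assumption)
        [int]$MaxMemoryMb  = 1024,         # the 1GB lab value from the OSQL steps
        [switch]$Apply                     # without -Apply, only report
    )
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection `
        -ArgumentList "Server=$Instance;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation'))"
        $collation = [string]$cmd.ExecuteScalar()
        $cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'))"
        $version = [string]$cmd.ExecuteScalar()
        $cmd.CommandText = "SELECT CONVERT(int, value_in_use) FROM sys.configurations " +
                           "WHERE name = 'max server memory (MB)'"
        $maxMem = [int]$cmd.ExecuteScalar()

        if ($Apply -and $maxMem -ne $MaxMemoryMb) {
            # The same change as the OSQL steps, sent as one batch
            $cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; " +
                               "EXEC sp_configure 'max server memory', $MaxMemoryMb; RECONFIGURE;"
            $null = $cmd.ExecuteNonQuery()
            $maxMem = $MaxMemoryMb
        }

        # ConfigMgr only supports SQL_Latin1_General_CP1_CI_AS. Collation is fixed when
        # the instance is installed, so a mismatch means reinstalling SQL, not ConfigMgr.
        [pscustomobject]@{
            Instance       = $Instance
            Collation      = $collation
            CollationOk    = ($collation -eq 'SQL_Latin1_General_CP1_CI_AS')
            ProductVersion = $version   # compare with the CU level you installed (CU 3 here)
            MaxServerMemMB = $maxMem    # 2147483647 is the default, i.e. unlimited
        }
    }
    finally { $conn.Close() }
}

# Report only; add -Apply to set max server memory to 1024 MB
Test-SccmSqlPrerequisites | Format-List
```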

Install ConfigMgr 2012 SP1 Beta

We’re ready to install ConfigMgr 2012 SP 1 Beta now
  • Launch the HTA from the installation media

  • Let’s check the server is ready before we get any further into the installer
  • Select Assess server readiness

  • Both of these benign warnings can be ignored
  • Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of memory for the central administration site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see http://go.microsoft.com/fwlink/p/?LinkId=233759.
  • The site server might be unable to publish to Active Directory. The computer account for the site server must have Full Control permissions to the System Management container in its Active Directory domain. You can ignore this warning if you have manually verified these permissions. For more information about your options to configure required permissions, see http://go.microsoft.com/fwlink/p/?LinkId=233190.
  • Select OK
  • Now let’s Install CM 2012 SP1 straight off the media with no recourse to RTM then SP1
  • Select Install from the HTA

  • Select Next

  • Select Next

  • Select Install the evaluation edition of this product or tap in a product key
  • Select Next

  • Select I accept these license terms
  • Select Next

  • Tick all three, SQL Server R2 Express, SQL server 2008 native client and Silverlight prerequisite licenses
  • Select Next

  • If you’ve already downloaded the prerequisites then select Use previously downloaded files, or let it download them into an existing folder now
  • Select Next

  • The components will be verified

  • Select Next

  • Select Next

  • Punch in some details, mine is Lab 2 Primary 1 which translates into L21
  • Select Next

  • Select Install the primary site as a stand-alone site
  • Select Next

  • Select Yes

  • Select Next

  • Select Next

  • Select Configure the communication method on each site system role
  • Select Next

  • Select Next

  • Select Join the Customer Experience Improvement Program
  • Select Next

  • Select Next

  • Prerequisite checker runs again, we know it’s all good
  • Select Begin Install

  • Dig out CMTrace from the installation media, open it and associate with log files
  • Click the View Log button in the dialog above to open up the installation log in real time, so that you can monitor the installation if you prefer looking at log files
  • You can return to the installer by clicking the following icon on the task bar


  • Install completed successfully
  • Select Close
  • Open the ConfigMgr 2012 SP1 Console

There we go. A functional installation of the SCCM 2012 product.