Windows 2012 Direct Access – Windows 7 Client Testing

In last article I have discussed how to test Windows 8 Direct Access Clients with and without computer certificate. In this article let’s test a Win 7 computer. To read other Windows 2012 Direct Access articles visit Direct Access tab on the home page of the blog.

• Install Windows 7 Enterprise or Ultimate version of client Computer
• Join it Contoso. Local Domain
• Add the Computer Account to “Contoso\DirectAccessClients-Win7” security group
• As Computer certificate is necessary for Windows 7 “Contoso\DirectAccessClients-Win7″ group has been configured for auto enrollment of computer certificates
• Make sure computer certificate is installed in Windows 7 Client Certificate store
• Enable Windows 7 Access in Remote Access Server Management Console

• Make sure GPO is applied to the computer. To validate run “Gpresult /r” and make sure direct access client policy is applied under computer configuration
• Move the computer to public internet and disconnect from corporate network. Check IPConfig & make sure it got IP-HTTPS IP address
• Try to ping tunnel end points & direct access server IPv6 Address
• Try to ping Contoso. Local & other internal corporate servers
• Try to access RDP & \\UNC path for internal resources
• Check advance firewall console for created tunnels “wf.msc”
• Check corporate DNS server for dynamic registration of IP-HTTPS interface IP address for Win 7 client.
• However in Windows 7 there is NO inbuilt Network Connectivity Assistant
  to troubleshoot or disconnect or use local name resolution. So we have to install Direct Access Connectivity 2.0
  tool & configure related settings as per DCA 2.0 guide.
• Download Direct Access Connectivity Assistant 2.0 Package to Windows 7 client & extract. Package contains below files

• As per OS version (x64/x86) install respective MSI file. Installer will download Windows Update KB2666914
  from internet and install on the Windows 7 machine. Need internet connection.
• After DCA 2.0 installation, Existing Network Connectivity Assistant GPO settings will not get applied to it & it will still give error saying Corporate Connectivity is not working. Even inside the corporate network it will throw the same error. If we generate diagnostic logs it will say it is not configured correctly.
• So Copy GPO ADML & ADMX files as per below in the machine where you configure GPO – may be a domain controller or same DA Server.
  • Copy the DirectAccess_Connectivity_Assistant_2_0_ GP.admx file to the folder %systemroot%\PolicyDefinitions.
    
  • Copy the DirectAccess_Connectivity_Assistant_2_0_ GP.adml file to the folder %systemroot%\PolicyDefinitions\language. For example, for US English, copy the file to %systemroot%\PolicyDefinitions\en-us.
    
• Open Group Policy Management Console & copy respective settings from DirectAccess Client Experience Settings
  to DirectAccess Connectivity Assistant. In below picture from Green to Red.

• Connect the Win 7 client to corporate network & Gpupdate. After Gpupdate you should able to see DCA is working fine.

• Reconnect the Win 7 client to Internet & make sure client is getting IPV6 address on IP-HTTPS interface & Direct Access connection is working fine.
• As you updated the GPO, make sure you Gpupdate the Windows 8 clients too

47.606209 -122.332071

Windows 2012 Direct Access – Windows 8 Client Testing

In last two articles I have demonstrated how to Install, Configure & Verify Direct Access installation. In this article we will test & verify using a Windows 8 Client. For Windows 7 clients check out my next article. Visit Direct Access
tab on the home page for other Windows 2012 Direct Access articles.

• Install Windows 8 Enterprise Client Computer
• Join it Contoso. Local Domain
• Check certificate store to ensure no computer certificate is installed in this machine
  • Note: Remember certificate is not mandatory and we have not selected to use computer certificate in configuration section. We will test with certificate later in this article
    
• Add the Computer Account to “Contoso\DirectAccessClients-Win8” security group
• Make sure GPO is applied to the computer. To validate run “Gpresult /r” and make sure direct access client policy is applied under computer configuration
• You will able to see Direct Access Connection in the Network List
  • On Windows Start bar click on the network Icon
  • You should able to see “Contoso DA Connection“
• Make sure Windows Firewall is NOT stopped
• Check windows firewall advance setting rules – “wf.msc“

• Open properties of “DirectAccessPolicy-ClientToCorpSimplified” policy & from Authentication tab check authentication method.

• Let’s disconnect the computer from Contoso.Local LAN network & start the external wireless connection and observe what is happening
• Observe network connection list; you will Contoso DA Connection is connected

• In Advance Windows firewall console and check out Main Mode Security Associations or tunnels. You can observe 1^st Computer Account is used & User Account for authentication.

• Check out IPConfig details in Windows 8 computer. You will find both IP-HTTPS and Teredo interfaces has been assigned IPv6 addresses.
• Just note if IP-HTTPS interface has an IP address, it means system is using IP-HTTPS technology. DA Client by default tries Teredo connection 1^st with its auto address & if connection is not successful it tries IP-HTTPS. So in below picture we see an IP address for Teredo interface. However as IP_HTTPS interface has IP address we can assume it is using IP-HTTPS. Technically permanently we can disable the Teredo Interface to avoid confusion.

• Try to Ping Corporate servers.

• Try to access corporate resources like RDP & \\UNC path for fileshare
• In domain controller check DNS for dynamic host entries for this client. There are two entries one for IP-HTTPS and other for Teredo interface. Teredo interface can be disabled in client to stop registering in DNS unnecessarily – “netsh interface Teredo set state disabled“

• In Direct Access Server management console check Remote Client Status for details. You will find connection information.

• Till now we have NOT used Computer Certificate. But if we have Win 7 clients & if we need few other advance functionalities we need to have computer certificate based authentication.
• To use computer certificate
  • We have to issue computer certificate to the windows 8 machine
  • And we have to enable the same from Remote Access Management console
• After PKI infrastructure get configured certificates can be installed manually or using auto enroll option. I have already configured PKI infra and auto enroll, you may like to check out here to know how.
• After certificate get installed on the client make sure you verify the same to ensure all is okay.
• On Server Side; Make sure your Enterprise or Standalone Root CA cert is installed.
• Open Remote Access Management Console on Step 2 “remote access server” configuration click on configure; On 3rd Authentication window select use computer certificates & click on browse and select root CA certificate

• Go back to the connected Windows 8 client and do “gpupdate /force” to apply the policy
• And to check new firewall policies open advance windows firewall console using “wf.msc”.

• Double click and open properties of “DirectAccessPolicy-ClientToCorp”, click Authentication Tab & under method click customize. You can see 1^st Authentication method has been changed to “Computer Certificate”

• Now disconnect the client from corporate network and hook it up to internet. You can observe Two Tunnels are created for the connection using computer certificate.

• You can conduct same set of corporate access testing as we did in 1^st section of this article without certificate

Check out next article for Windows 7 client testing.

47.606209 -122.332071

Convert Windows 2012 User Interface between Server Core, Minimal GUI & Full GUI

Windows 2012 brings in another user interface for use; GUI, Server Core & Something in-between called Minimal Server Interface

1. Server Core – always installed and enabled; the baseline feature for all Windows Servers
2. Server Graphical Management Tools & Infrastructure – functionality for Minimal Server Interface
3. Server Graphical Shell – equivalent to Server with a GUI

Key thing is you can change between this interfaces whenever you want.

Complete GUI = Server Core + Graphical Management Tools & Infrastructure + Graphical Shell

We can use powershell to change from Full Graphical to Minimal Interface & Back.

Conversion need server reboot. For minimal server interface we can use below commands to install and uninstall server-gui-shell feature.

Install-WindowsFeature Server-GUI-Shell

Uninstall-WindowsFeature Server-GUI-Shell

But if we want to convert from Server Core, we need to define the path to server WIM image files, else Features On Demand will be looking for interent to download them; size of data is too large i.e. more than 4GB.

You can set a local path or network path for this and use below command to install.

Install-WindowsFeature <featurename> -Source wim:<path>:<index>,

To find the Index

Here is the full command to install ServerDataCenter, with Index 4

47.606209 -122.332071

Offline Domain Join: Computer provisioning failed: 0×80094800

In my Direct Access lab I was trying test Offline Domain Join feature. Here is the Official TechNet Article

Just to summarize, Offline domain join feature was introduced in Windows 2008 R2 & can be used by Windows 7 client computers to join domain when they are not directly connected to corporate AD network. In Windows 2012 it has been enhanced to push Direct Access Client Setting GPOs, Root CA Certificates & the Computer Certificate along with Domain Join Meta data. But this enhanced version is limited to Windows 8.

DJOIN.EXE is the tool which is used for this exercise. This tool is inbuilt to Win 2012 & 8 Operating System.

Here is the complete list of Djoin.exe options

So In my Direct Access test lab I have already configured Direct Access Server & related eco system. I would like to add Windows 8 remote (off domain) laptop to automatically join to my test domain & should able to connect using direct access feature. To do this I have a Direct Access Client GPO as “DirectAccess Client Settings” and a Certificate template “DirectAccess IPSec Clients”.

To create “PandaLaptop6″ computer account in my Contoso.local domain I compiled my Djoin syntax like bellow;

Djoin /provision /domain Contoso.local /machine PandaLaptop6 /dcname contoso-dc01.contoso.local /rootcacerts /policynames “DirectAccess Client Settings” /certtemplate “DirectAccess IPSec Clients” /savefile c:\Provisions\PandaLaptop6.txt

And it failed with below error.

Provisioning the computer…

Failed to provision [PandaLaptop1] in the domain [Contoso.local]: 0×80094800.

It may be necessary to specify /REUSE when running

djoin.exe again with the same machine name.

Computer provisioning failed: 0×80094800.

The requested certificate template is not supported by this CA.

Even after failure message it is able to create a computer account in AD. So I thought may be only GPO or certificate part of syntax is not working. Verified in CA console; Template name is same; so there should not be any issue.

A thought came to mind to check the template names using certutil tool; so used “certutil –template” and searched for my template.

Woooo – here is the problem, All of these template DON’T have SPACE in their names. Check out those template common names in below screen shot.

Now I corrected my syntax & it worked like expected. It created a metadata TXT file, created the computer account in AD & issued Certificates.

Djoin /provision /domain Contoso.local /machine PandaLaptop6 /dcname contoso-dc01.contoso.local /rootcacerts /policynames “DirectAccess Client Settings” /certtemplate “DirectAccessIPSecClients” /savefile c:\Provisions\PandaLaptop6.txt

Provisioning the computer…

Successfully provisioned [PandaLaptop6] in the domain [Contoso.local].

Provisioning data was saved successfully to [c:\Provisions\PandaLaptop6.txt].

Computer provisioning completed successfully.

The operation completed successfully.

Copied TXT Meta data file to my newly installed Windows 8 Computer & ran below syntax to join domain.

djoin /requestODJ /loadfile c:\PandaLaptop6.txt /windowspath %SystemRoot% /localos

Succeffull

Then rebooted my Remote Win8 computer. As this computer is already having internet connectivity; Direct Access got activated & I was able to login to Contoso.local domain. Isn’t it beautiful??

Watch out for other 2012 Direct Access Articles.

47.606209 -122.332071

No DCPromo in Windows 2012

Hmm – No DCPromo in Windows 2012 ;-(

http://technet.microsoft.com/en-us/library/hh472162.aspx#BKMK_GUI

47.606209 -122.332071

Windows 2012: Cut, Copy, Delete “Pause & Resume” Feature

While using Windows Server 2012 & Windows 8 observed I can pause & resume cut, copy or delete operations. Isn’t it nice?

Another beauty; this feature lists all those running tasks in a single window rather than multiple windows! So no toggling hassle between windows

Appreciate this long pending feature.

47.606209 -122.332071

Windows 2012: Deduplication

• Here are my testing results of Deduplication. There is a nice Technet blog article, where you can find all theoretical details.
• Dedup can be managed from server manager or PowerShell
• There is a free tool “ddpeval.exe” comes with Windows 2012 to evaluate how much space we will save if we enable Dedup. You can copy to another computer (2008 or 7 family) and run it.
  • I am using 2012 release candidate build 8400
  • Supports only NTFS file system (No ReFS Support yet)
  • For my testing I have copied two install.wim files of 2.9GB each to F Drive

• Enable Dedup by right clicking the volume & selecting configure deduplication or “enable-dedupvolume f:”
• Then attach a schedule when you like to run the Dedup process on file system
• If you want to start immediately run “start-dedupjob f: -type optimization”

• After completion of job here is the server manager screenshot showing how much space we save. We can use “get-dedupstatus”
• Wow we are saving 49%, isn’t awesome

47.606209 -122.332071

Upgrade Windows 2008 R2 Standard to Enterprise/DataCenter without Media

Using Windows Edition-Servicing Command-Line Options We can upgrade Windows 2008 R2 Standard to Enterprise or higher (Lower to Higer) edition of the operating system without using Operating System Media.

Upgrade Scenario;

Windows Server 2008 R2 Standard -> Windows Server 2008 R2 Enterprise -> Windows Server 2008 R2 Datacenter

Windows Server 2008 R2 Standard Server Core -> Windows Server 2008 R2 Enterprise Server Core -> Windows Server 2008 R2 Datacenter Server Core

Windows Server 2008 R2 Foundation -> Windows Server 2008 R2 Standard

To determine the installed edition, run:

DISM /online /Get-CurrentEdition

To check the possible target editions, run:

DISM /online /Get-TargetEditions

To Start upgrade;

DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Where XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is the product key. If your environment use KMS server. You have to use KMS keys. You can find KMS keys from here;

Here is the screenshot for my lab server; upgrading to enterprise edition;