TechOnTip Weblog

Run book for Technocrats

Archive for the ‘Windows 2012’ Category

Microsoft DirectAccess Group Policy WMI Filter Explained

Posted by Jason Heisley on June 18, 2013

Click here for other Direct Access related articles.

When you set up DirectAccess, by default it applies only to laptops. The documentation states that this is done by a WMI filter, but that's it. Digging a bit deeper, I found that it creates a WMI filter in Group Policy called "DirectAccess – Laptop only WMI filter" and links the "DirectAccess Client Settings" GPO to that filter. Below I break down what the filter is and give some information on how you can create your own WMI filter for Group Policies.

This is the WMI filter created by DirectAccess (two queries, both in the root\CIMV2 namespace; a GPO WMI filter applies only when every one of its queries returns at least one instance):

The first query selects only laptops.

Namespace: root\CIMV2

select * from Win32_ComputerSystem where PCSystemType = 2

The second query filters on OS version, product type and product SKU.

Namespace: root\CIMV2

select * from Win32_OperatingSystem where (ProductType = 3) OR (Version LIKE '6.2%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

So the filter evaluates to: the computer is a laptop (PCSystemType = 2) AND the operating system is one of: a server (ProductType = 3); or Windows Server 2012 / Windows 8 (Version LIKE '6.2%') in Enterprise (OperatingSystemSKU = 4), Enterprise N (27), Server Enterprise evaluation installation (72) or Enterprise N evaluation installation (84); or Windows Server 2008 R2 / Windows 7 (Version LIKE '6.1%') in Enterprise (4), Enterprise N (27), Enterprise E (70), Ultimate (1), Ultimate N (28) or Ultimate E (71).
Because both queries must return a result for the GPO to apply, a Windows 7 Professional laptop (SKU 48) or an Enterprise desktop (PCSystemType = 1) can be a member of the DirectAccess client security group and still never receive the "DirectAccess Client Settings" GPO.

So I am not sure why they are including server; maybe just in case we have it installed on a laptop and want to use DirectAccess. Nevertheless, this is how it evaluates.
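To see which side of the filter a given computer falls on without waiting for a Group Policy refresh, the script below (an added example, not code from this post) runs the same two WQL queries locally the way Group Policy does, ANDs the results, and decodes the raw PCSystemType, ProductType, Version and OperatingSystemSKU values with the tables further down this post. It works in Windows PowerShell 2.0 and later; the decode tables cover only the SKUs the filter references.

```powershell
# Added example (not from the original post): evaluate the "DirectAccess - Laptop only
# WMI filter" locally and explain the result. A GPO WMI filter passes only when EVERY
# query in it returns at least one instance, so the two queries are ANDed below.

# Query 1 of the filter (namespace root\CIMV2): laptops only
$laptopQuery = "select * from Win32_ComputerSystem where PCSystemType = 2"

# Query 2 of the filter (namespace root\CIMV2): server, or supported Windows 8 / Windows 7 editions
$osQuery = "select * from Win32_OperatingSystem where (ProductType = 3) OR " +
    "(Version LIKE '6.2%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR " +
    "OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR " +
    "(Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR " +
    "OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))"

function Test-GpoWmiFilter {
    # True only if each query returns >= 1 instance (the AND semantics Group Policy uses)
    param([string[]]$Queries, [string]$Namespace = "root\CIMV2")
    foreach ($q in $Queries) {
        $rows = @(Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction SilentlyContinue)
        if ($rows.Count -eq 0) { return $false }
    }
    return $true
}

function Get-DaFilterDiagnosis {
    # Decode tables: the PCSystemType / ProductType tables from this post, and the
    # subset of the OperatingSystemSKU table that the DirectAccess filter references
    $pcSystemType = @{ 0 = "Unspecified"; 1 = "Desktop"; 2 = "Mobile"; 3 = "Workstation";
                       4 = "Enterprise Server"; 5 = "SOHO Server"; 6 = "Appliance PC"; 7 = "Performance Server" }
    $productType  = @{ 1 = "Workstation"; 2 = "Domain Controller"; 3 = "Server" }
    $skuName      = @{ 1 = "Ultimate"; 4 = "Enterprise"; 27 = "Enterprise N"; 28 = "Ultimate N";
                       70 = "Enterprise E"; 71 = "Ultimate E"; 72 = "Server Enterprise (evaluation installation)";
                       84 = "Enterprise N (evaluation installation)" }

    $cs  = Get-WmiObject -Namespace root\CIMV2 -Class Win32_ComputerSystem
    $os  = Get-WmiObject -Namespace root\CIMV2 -Class Win32_OperatingSystem
    $sku = [int]$os.OperatingSystemSKU

    New-Object PSObject -Property @{
        PCSystemType       = "{0} ({1})" -f $cs.PCSystemType, $pcSystemType[[int]$cs.PCSystemType]
        ProductType        = "{0} ({1})" -f $os.ProductType, $productType[[int]$os.ProductType]
        Version            = $os.Version
        OperatingSystemSKU = "{0} ({1})" -f $sku, $(if ($skuName.ContainsKey($sku)) { $skuName[$sku] } else { "not in the DirectAccess filter's SKU list" })
        IsLaptop           = Test-GpoWmiFilter -Queries $laptopQuery
        IsSupportedOS      = Test-GpoWmiFilter -Queries $osQuery
        GetsDaClientGpo    = Test-GpoWmiFilter -Queries $laptopQuery, $osQuery
    }
}

Get-DaFilterDiagnosis | Format-List PCSystemType, ProductType, Version, OperatingSystemSKU, IsLaptop, IsSupportedOS, GetsDaClientGpo
```

If GetsDaClientGpo comes back False on a machine that is in the DirectAccess client security group, the two Is* fields tell you which query excluded it; the same Test-GpoWmiFilter function can be pointed at the queries of any custom WMI filter you write for other GPOs.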

How I got this information:

Below is where I found this info. I have put it here mainly for my own reference, because I have not found another blog site where all of this is in the same place.

PCSystemType:

Source link

Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, and Windows Me/98/95: This property is not available.

Value Meaning
0 (0x0) Unspecified
1 (0x1) Desktop
2 (0x2) Mobile
3 (0x3) Workstation
4 (0x4) Enterprise Server
5 (0x5) Small Office and Home Office (SOHO) Server
6 (0x6) Appliance PC
7 (0x7) Performance Server
8 (0x8) Maximum

ProductType:

Source post

Value Meaning
1 Work Station
2 Domain Controller
3 Server

Version:

This was pieced together from various sources on the internet.

Windows 10 Insider Preview  = 10.0%
Windows Server Technical Preview = 10.0%
Windows 8.1 = 6.3%
Windows Server 2012 R2 = 6.3%

Windows Server 2012 or Windows 8 = 6.2%

Windows Server 2008 R2 or Windows 7 = 6.1%

Windows Server 2008 or Windows Vista = 6.0%

Windows Server 2003 = 5.2%

Windows XP = 5.1%

Windows 2000 = 5.0%

OperatingSystemSKU:

So I pieced this together from this MSDN post and this incomplete post by converting the Hex numbers to decimal.

Stock Keeping Unit (SKU) number for the operating system.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This property is not available.

Value Meaning
0 An unknown product
1 Ultimate
2 Home Basic
3 Home Premium
4 Enterprise
5 Home Basic N
6 Business
7 Server Standard
8 Server Datacenter (full installation)
9 Windows Small Business Server
10 Server Enterprise (full installation)
11 Starter
12 Server Datacenter (core installation)
13 Server Standard (core installation)
14 Server Enterprise (core installation)
15 Server Enterprise for Itanium-based Systems
16 Business N
17 Web Server (full installation)
18 HPC Edition
19 Windows Storage Server 2008 R2 Essentials
20 Storage Server Express
21 Storage Server Standard
22 Storage Server Workgroup
23 Storage Server Enterprise
24 Windows Server 2008 for Windows Essential Server Solutions
25 Small Business Server Premium
26 Home Premium N
27 Enterprise N
28 Ultimate N
29 Web Server (core installation)
30 Windows Essential Business Server Management Server
31 Windows Essential Business Server Security Server
32 Windows Essential Business Server Messaging Server
33 Server Foundation
34 Windows Home Server 2011
35 Windows Server 2008 without Hyper-V for Windows Essential Server Solutions
36 Server Standard without Hyper-V
37 Server Datacenter without Hyper-V (full installation)
38 Server Enterprise without Hyper-V (full installation)
39 Server Datacenter without Hyper-V (core installation)
40 Server Standard without Hyper-V (core installation)
41 Server Enterprise without Hyper-V (core installation)
42 Microsoft Hyper-V Server
43 Storage Server Express (core installation)
44 Storage Server Standard (core installation)
45 Storage Server Workgroup (core installation)
46 Storage Server Enterprise (core installation)
47 Starter N
48 Professional
49 Professional N
50 Windows Small Business Server 2011 Essentials
51 Server For SB Solutions
52 Server Solutions Premium
53 Server Solutions Premium (core installation)
54 Server For SB Solutions EM
55 Server For SB Solutions EM
56 Windows MultiPoint Server
59 Windows Essential Server Solution Management
60 Windows Essential Server Solution Additional
61 Windows Essential Server Solution Management SVC
62 Windows Essential Server Solution Additional SVC
63 Small Business Server Premium (core installation)
64 Server Hyper Core V
66 Starter E
67 Home Basic E
68 Home Premium E
69 Professional E
70 Enterprise E
71 Ultimate E
72 Server Enterprise (evaluation installation)
76 Windows MultiPoint Server Standard (full installation)
77 Windows MultiPoint Server Premium (full installation)
79 Server Standard (evaluation installation)
80 Server Datacenter (evaluation installation)
84 Enterprise N (evaluation installation)
95 Storage Server Workgroup (evaluation installation)
96 Storage Server Standard (evaluation installation)
98 Windows 8 N
99 Windows 8 China
100 Windows 8 Single Language
101 Windows 8
103 Professional with Media Center

What the letters mean at the end of Windows products:

Source link

Windows 7 N:

Meant for European market, and includes the same functionality as Windows 7, except that it does not include Windows Media Player and related technologies such as Windows Movie Maker.

Windows 7 K:

Meant for Korean market, and includes the same functionality as ordinary Windows 7, except that it includes links to a Media Player Center Web site and a Messenger Center Web site.

Windows 7 KN:

Meant for Korean market, and includes the same functionality as Windows 7 K, except that it does not include Windows Media Player and related technologies such as Windows Movie Maker, links to download Windows Live Messenger, or links to a Media Player Center Web Site and a Messenger Center Web site.

Windows 7 E:

Meant for European Commission countries, including the UK, and includes the same functionality as the ordinary standard flavor of Windows 7, except that it does not include Internet Explorer 8 (IE8).

Posted in Direct Access, Windows 2012, WindowsServer

Windows 7 Direct Access Client Troubleshooting Commands

Posted by Brajesh Panda on March 13, 2013

Click here for other Direct Access related articles.

Windows 7

  1. Check the IPv6-enabled interfaces

netsh interface ipv6 show interface

  2. Determine whether the DirectAccess client is inside or outside the corporate network

netsh dnsclient show state

  3. Verify the Name Resolution Policy Table (NRPT)

netsh namespace show policy
(same output whether on the corporate network or outside it)

netsh namespace show effectivepolicy

  • Shows the active policy while outside the network; the output is the same as the command above
  • While the client is on the intranet it gives the message below, because no policies are active there:

    DNS Effective Name Resolution Policy Table Settings

    Note: DirectAccess settings would be turned off when computer is inside corporate network

  4. Check the current Windows Firewall profile

netsh advfirewall monitor show currentprofile

  5. Check the DirectAccess connection security rules in Windows Firewall with Advanced Security

wf.msc

  6. Check the current IPsec security associations (while successfully connected through DirectAccess)
    1. Main Mode: Windows Firewall with Advanced Security > Monitoring, or "netsh advfirewall monitor show mmsa"
    2. Quick Mode: Windows Firewall with Advanced Security > Monitoring, or "netsh advfirewall monitor show qmsa"

  7. Generate troubleshooting logs if DirectAccess is not connecting

Right-click the DirectAccess Connectivity Assistant icon and click Advanced Diagnostics

  8. Check name resolution for the corporate network with nslookup

nslookup -q=aaaa <fqdn intranet resource> <ipv6 DNS server>

Note: the IPv6 DNS server is the IPv6 address shown by "netsh namespace show effectivepolicy"
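The same checks in one pass, as an added example that is not part of the original post: the script runs the scriptable commands above (steps 5 and 7 are GUI tools and are left out), reduces each netsh output to the field that matters, and ends with the AAAA lookup against whichever DNS server the effective NRPT names. It assumes Windows PowerShell 2.0 or later on a Windows 7 DirectAccess client, an elevated prompt for the firewall monitor commands, and English netsh output; the labels it matches ("Machine Location", "Settings for", "DirectAccess (DNS Servers)", "Interface Status", "Last Error Code", "Main Mode SA at", "Quick Mode SA at", "<Name> Profile Settings") are what Windows 7 prints and are an assumption if your build is localized. The default intranet name is a placeholder from the lab used in these posts.

```powershell
# Added example (not from the original post): Windows 7 DirectAccess client state in one report.
param([string]$IntranetFqdn = "contoso-dc01.contoso.local")   # assumption: any name under an NRPT suffix

function Invoke-Netsh([string]$NetshArgs) {
    # Capture netsh output as one string so a single regex can pick out a field
    (& netsh.exe ($NetshArgs -split " ") 2>&1 | ForEach-Object { "$_" }) -join "`n"
}

function Get-Field([string]$Text, [string]$Label) {
    # First "<Label> : value" line in a netsh listing, or $null when the label is absent
    if ($Text -match "$Label\s*:\s*(.+)") { $Matches[1].Trim() } else { $null }
}

function Get-DaClientState([string]$Fqdn) {
    # 1-2. IPv6 interfaces that are up, and the inside/outside decision (made by reaching the NLS)
    $ipv6Up   = @((Invoke-Netsh "interface ipv6 show interface") -split "`n" | Where-Object { $_ -match "\sconnected\s" })
    $location = Get-Field (Invoke-Netsh "dnsclient show state") "Machine Location"

    # 3. NRPT: namespaces configured by the GPO vs. the policy in effect right now
    $policy     = Invoke-Netsh "namespace show policy"
    $effective  = Invoke-Netsh "namespace show effectivepolicy"
    $namespaces = @([regex]::Matches($policy, "Settings for (\S+)") | ForEach-Object { $_.Groups[1].Value })
    $dnsServers = @([regex]::Matches($effective, "DirectAccess \(DNS Servers\)\s*:\s*(\S+)") | ForEach-Object { $_.Groups[1].Value })

    # Transition technology actually in use: IP-HTTPS status / last error, and Teredo state
    $iphttps = Invoke-Netsh "interface httpstunnel show interfaces"
    $teredo  = Invoke-Netsh "interface teredo show state"

    # 4 and 6. Active firewall profile(s) and IPsec SAs (two main-mode SAs = infrastructure + intranet tunnel)
    $fwProfiles = @([regex]::Matches((Invoke-Netsh "advfirewall monitor show currentprofile"), "(\w+) Profile Settings") | ForEach-Object { $_.Groups[1].Value })
    $mmsa = [regex]::Matches((Invoke-Netsh "advfirewall monitor show mmsa"), "Main Mode SA at").Count
    $qmsa = [regex]::Matches((Invoke-Netsh "advfirewall monitor show qmsa"), "Quick Mode SA at").Count

    # 8. AAAA lookup against the NRPT DNS server (the DA server's DNS64 address); keep every
    #    IPv6 address in the answer except the server's own, which nslookup echoes first
    $aaaa = "skipped: no DirectAccess DNS server in the effective NRPT"
    if ($dnsServers.Count -gt 0) {
        $raw  = (& nslookup.exe -q=aaaa $Fqdn $dnsServers[0] 2>&1 | ForEach-Object { "$_" }) -join " "
        $ips  = @([regex]::Matches($raw, "[0-9a-fA-F]{1,4}(?::[0-9a-fA-F]{0,4}){2,7}") | ForEach-Object { $_.Value } | Where-Object { $_ -ne $dnsServers[0] })
        $aaaa = $(if ($ips.Count) { $ips -join ", " } else { "no AAAA answer for $Fqdn" })
    }

    New-Object PSObject -Property @{
        Location          = $location
        ConnectedIPv6Ifs  = $ipv6Up.Count
        NrptNamespaces    = $namespaces -join ", "
        NrptActive        = ($effective -notmatch "DirectAccess settings would be turned off")
        NrptDnsServer     = $(if ($dnsServers.Count) { $dnsServers[0] } else { "none" })
        IpHttpsStatus     = Get-Field $iphttps "Interface Status"
        IpHttpsLastError  = Get-Field $iphttps "Last Error Code"
        TeredoState       = Get-Field $teredo "State"
        FirewallProfiles  = $fwProfiles -join ", "
        MainModeSAs       = $mmsa
        QuickModeSAs      = $qmsa
        IntranetAAAA      = $aaaa
    }
}

Get-DaClientState -Fqdn $IntranetFqdn | Format-List Location, ConnectedIPv6Ifs, NrptNamespaces, NrptActive, NrptDnsServer, IpHttpsStatus, IpHttpsLastError, TeredoState, FirewallProfiles, MainModeSAs, QuickModeSAs, IntranetAAAA
```

Read it top down: Location "Outside corporate network" with NrptActive False means the NLS was reached over some path it should not be (or the NRPT never arrived); an IpHttpsLastError other than 0x0 with an "active" Teredo state means the client is falling back and the IP-HTTPS URL or certificate is the thing to look at; zero MainModeSAs while outside means no tunnel was ever negotiated, so name resolution and pings will fail regardless of what the DCA icon says.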

Posted in Direct Access, Windows 2012

Windows 2012 Direct Access – Windows 7 Client Testing

Posted by Brajesh Panda on March 10, 2013

Click here for other Direct Access related articles.

In the last article I discussed how to test Windows 8 DirectAccess clients with and without a computer certificate. In this article let's test a Windows 7 computer. To read the other Windows 2012 DirectAccess articles, visit the Direct Access tab on the home page of the blog.

  • Install the Windows 7 Enterprise or Ultimate edition on the client computer (the only Windows 7 editions the DirectAccess client GPO's WMI filter matches)
  • Join it to the Contoso.local domain
  • Add the computer account to the "Contoso\DirectAccessClients-Win7" security group
  • As a computer certificate is necessary for Windows 7, the "Contoso\DirectAccessClients-Win7" group has been configured for auto-enrollment of computer certificates
  • Make sure the computer certificate is installed in the Windows 7 client's certificate store
  • Enable Windows 7 access in the Remote Access Management console

  • Make sure the GPO is applied to the computer. To validate, run "gpresult /r" and make sure the DirectAccess client policy is listed under Computer Configuration
  • Move the computer to the public Internet and disconnect it from the corporate network. Check ipconfig and make sure it got an IP-HTTPS IP address
  • Try to ping the tunnel end points and the DirectAccess server's IPv6 address
  • Try to ping Contoso.local and other internal corporate servers
  • Try to access RDP and \\UNC paths for internal resources
  • Check the Windows Firewall with Advanced Security console for the created tunnels ("wf.msc")
  • Check the corporate DNS server for dynamic registration of the IP-HTTPS interface IP address of the Windows 7 client.
  • However, in Windows 7 there is NO built-in Network Connectivity Assistant to troubleshoot, disconnect or use local name resolution. So we have to install the DirectAccess Connectivity Assistant (DCA) 2.0 tool and configure the related settings as per the DCA 2.0 guide.
  • Download the DirectAccess Connectivity Assistant 2.0 package to the Windows 7 client and extract it. The package contains the files below

  • Install the MSI file matching the OS architecture (x64/x86). The installer will download Windows Update KB2666914 from the Internet and install it on the Windows 7 machine, so an Internet connection is needed.
  • After the DCA 2.0 installation, the existing Network Connectivity Assistant GPO settings will not apply to it and it will still report that corporate connectivity is not working. Even inside the corporate network it will throw the same error, and if we generate diagnostic logs they will say it is not configured correctly.
  • So copy the GPO ADML and ADMX files as below onto the machine where you edit the GPO, which may be a domain controller or the DA server itself.
    • Copy the DirectAccess_Connectivity_Assistant_2_0_GP.admx file to the folder %systemroot%\PolicyDefinitions.
    • Copy the DirectAccess_Connectivity_Assistant_2_0_GP.adml file to the folder %systemroot%\PolicyDefinitions\language. For example, for US English, copy the file to %systemroot%\PolicyDefinitions\en-us.
  • Open the Group Policy Management console and copy the respective settings from DirectAccess Client Experience Settings to DirectAccess Connectivity Assistant. In the picture below, from green to red.

  • Connect the Windows 7 client to the corporate network and run gpupdate. After gpupdate you should be able to see DCA working fine.

  • Reconnect the Windows 7 client to the Internet and make sure the client gets an IPv6 address on the IP-HTTPS interface and the DirectAccess connection is working fine.
  • As you updated the GPO, make sure you gpupdate the Windows 8 clients too

Posted in Direct Access, Windows 2012

Windows 2012 Direct Access – Windows 8 Client Testing

Posted by Brajesh Panda on March 10, 2013

Click here for other Direct Access related articles.

In the last two articles I demonstrated how to install, configure and verify the DirectAccess installation. In this article we will test and verify it using a Windows 8 client. For Windows 7 clients check out my next article. Visit the Direct Access tab on the home page for the other Windows 2012 DirectAccess articles.

  • Install a Windows 8 Enterprise client computer
  • Join it to the Contoso.local domain
  • Check the certificate store to ensure no computer certificate is installed on this machine
    • Note: remember the certificate is not mandatory, and we have not selected to use computer certificates in the configuration section. We will test with a certificate later in this article
  • Add the computer account to the "Contoso\DirectAccessClients-Win8" security group
  • Make sure the GPO is applied to the computer. To validate, run "gpresult /r" and make sure the DirectAccess client policy is listed under Computer Configuration
  • You will be able to see the DirectAccess connection in the network list
    • On the Windows Start bar click on the network icon
    • You should be able to see "Contoso DA Connection"
  • Make sure Windows Firewall is NOT stopped
  • Check the Windows Firewall with Advanced Security rules – "wf.msc"

  • Open the properties of the "DirectAccessPolicy-ClientToCorpSimplified" rule and check the authentication method on the Authentication tab.

  • Let's disconnect the computer from the Contoso.local LAN, start the external wireless connection and observe what happens
  • Observe the network connection list; you will see Contoso DA Connection is connected

  • In the Windows Firewall with Advanced Security console check out the Main Mode security associations, i.e. the tunnels. You can observe that first the computer account and then the user account is used for authentication.

  • Check the ipconfig details on the Windows 8 computer. You will find both the IP-HTTPS and Teredo interfaces have been assigned IPv6 addresses.
  • Just note that if the IP-HTTPS interface has an IP address, it means the system is using IP-HTTPS. The DA client by default tries a Teredo connection first with its auto-configured address, and if that connection is not successful it tries IP-HTTPS. So in the picture below we see an IP address on the Teredo interface; however, as the IP-HTTPS interface also has an IP address, we can assume it is using IP-HTTPS. Technically we can permanently disable the Teredo interface to avoid confusion.

  • Try to ping corporate servers.

  • Try to access corporate resources like RDP and \\UNC paths to file shares
  • On the domain controller check DNS for dynamic host entries for this client. There are two entries, one for the IP-HTTPS and the other for the Teredo interface. The Teredo interface can be disabled on the client to stop it registering in DNS unnecessarily – "netsh interface teredo set state disabled"

  • In the DirectAccess server management console check Remote Client Status for details. You will find the connection information.

  • Till now we have NOT used a computer certificate. But if we have Windows 7 clients, or if we need a few other advanced features, we need computer certificate based authentication.
  • To use computer certificates
    • We have to issue a computer certificate to the Windows 8 machine
    • And we have to enable the same from the Remote Access Management console
  • After the PKI infrastructure is configured, certificates can be installed manually or using the auto-enrollment option. I have already configured the PKI infrastructure and auto-enrollment; you may like to check out here to know how.
  • After the certificate is installed on the client, verify it to ensure all is okay.
  • On the server side, make sure your enterprise or standalone root CA certificate is installed.
  • Open the Remote Access Management console; in Step 2 "Remote Access Server" click Configure; in the third window, Authentication, select Use computer certificates, click Browse and select the root CA certificate


  • Go back to the connected Windows 8 client and run "gpupdate /force" to apply the policy
  • To check the new firewall policies, open the Windows Firewall with Advanced Security console using "wf.msc".

  • Double-click to open the properties of "DirectAccessPolicy-ClientToCorp", click the Authentication tab and under Method click Customize. You can see the first authentication method has been changed to "Computer Certificate"

  • Now disconnect the client from the corporate network and hook it up to the Internet. You can observe that two tunnels are created for the connection using the computer certificate.


  • You can conduct the same set of corporate access tests as we did in the first section of this article without the certificate

Check out next article for Windows 7 client testing.
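Both this walkthrough and the Windows 7 one do the same on-LAN pre-flight by hand before the client is taken to the Internet: group membership, GPO applied, computer certificate present, Windows Firewall running, DirectAccess connection security rules delivered. The script below is an added example (not code from either post) that runs those checks together and prints a PASS/FAIL table. It assumes a domain-joined Windows 7 or Windows 8 client, an elevated prompt (gpresult's computer scope and netsh need it), reachability of a domain controller for the AD lookup, and the names used in these posts: GPO "DirectAccess Client Settings", groups DirectAccessClients-Win7 / -Win8, rules named DirectAccessPolicy-*. The gpresult and netsh text it matches is an assumption about English output, and the group check follows direct membership only.

```powershell
# Added example (not from the original posts): DirectAccess client pre-flight, run on the corporate LAN.
param(
    [string]$GpoName     = "DirectAccess Client Settings",
    [string]$ClientGroup = "DirectAccessClients-Win7",   # use DirectAccessClients-Win8 for the Windows 8 test
    [switch]$RequireComputerCert,   # mandatory for Windows 7 and for the two-tunnel (certificate) configuration
    [switch]$DisableTeredo          # the posts' suggestion: stop Teredo registering a second AAAA record
)

$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{
        Result = $(if ($Pass) { "PASS" } else { "FAIL" }); Check = $Name; Detail = $Detail }
}

# 1. Computer account is a direct member of the DA client group (the WMI-filtered GPO is scoped to it)
$searcher = New-Object DirectoryServices.DirectorySearcher("(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))")
[void]$searcher.PropertiesToLoad.Add("memberOf")
$account = $searcher.FindOne()
$groups  = @()
if ($account) { $groups = @($account.Properties["memberof"] | ForEach-Object { ($_ -split ",")[0] -replace "^CN=", "" }) }
Add-Check "Computer in $ClientGroup" ($groups -contains $ClientGroup) ($groups -join ", ")

# 2. The DA client GPO must be listed under COMPUTER SETTINGS > Applied Group Policy Objects
$gpresult = (& gpresult.exe /r /scope computer 2>&1 | ForEach-Object { "$_" }) -join "`n"
Add-Check "GPO '$GpoName' applied" ($gpresult -match [regex]::Escape($GpoName)) "from gpresult /r /scope computer"

# 3. A machine certificate with a private key, the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and time validity
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.2" })
})
$certDetail = $(if ($certs.Count) { ($certs | ForEach-Object { "$($_.Subject) from $($_.Issuer) until $($_.NotAfter.ToShortDateString())" }) -join "; " }
               else { "none (fine only when computer certificates are not configured on the DA server)" })
Add-Check "Computer certificate present" ((-not $RequireComputerCert) -or ($certs.Count -gt 0)) $certDetail

# 4. Windows Firewall must be running: the DA tunnels are connection security rules it enforces
$fw = Get-Service MpsSvc
Add-Check "Windows Firewall service running" ($fw.Status -eq "Running") "MpsSvc is $($fw.Status)"

# 5. The connection security rules delivered by the GPO (e.g. DirectAccessPolicy-ClientToCorp / -ClientToCorpSimplified)
$consec = (& netsh.exe advfirewall consec show rule name=all 2>&1 | ForEach-Object { "$_" }) -join "`n"
$rules  = @([regex]::Matches($consec, "Rule Name:\s*(DirectAccessPolicy\S*)") | ForEach-Object { $_.Groups[1].Value })
Add-Check "DirectAccess connection security rules" ($rules.Count -gt 0) ($rules -join ", ")

# Optional: leave IP-HTTPS as the only interface that registers in corporate DNS
if ($DisableTeredo) { & netsh.exe interface teredo set state disabled | Out-Null }

$results | Format-Table Result, Check, Detail -AutoSize
```

Run it with -RequireComputerCert on the Windows 7 client and on the Windows 8 client after the certificate step; a FAIL on check 2 with a PASS on check 1 usually means the WMI filter excluded the machine (wrong edition or a non-laptop PCSystemType), which the first post on this page explains.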

Posted in Direct Access, Windows 2012

Convert Windows 2012 User Interface between Server Core, Minimal GUI & Full GUI

Posted by Brajesh Panda on January 17, 2013

Windows Server 2012 adds a third user interface level: besides the full GUI and Server Core there is something in between, called the Minimal Server Interface.

  1. Server Core – always installed and enabled; the baseline for every Windows Server installation
  2. Server Graphical Management Tools and Infrastructure – the functionality of the Minimal Server Interface
  3. Server Graphical Shell – equivalent to Server with a GUI

The key thing is that you can switch between these interfaces whenever you want.

Complete GUI = Server Core + Graphical Management Tools & Infrastructure + Graphical Shell

We can use PowerShell to change from the full graphical interface to the Minimal Server Interface and back.

Conversion needs a server reboot. For the Minimal Server Interface we can use the commands below to install and uninstall the Server-Gui-Shell feature.

Install-WindowsFeature Server-GUI-Shell

Uninstall-WindowsFeature Server-GUI-Shell

But if we want to convert from Server Core, we need to point to the server WIM image file as the source; otherwise Features on Demand will look to the Internet to download the payload, which is large, i.e. more than 4 GB.

You can set a local or network path for this and use the command below to install.

Install-WindowsFeature <featurename> -Source wim:<path>:<index>

To find the Index

Here is the full command to install ServerDataCenter, with Index 4
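As an added example (not code from the original post), the script below finds the right index automatically instead of reading it off a screenshot: it asks DISM which edition is running, picks the non-Core image of that edition in install.wim, and installs the management tools (Minimal Server Interface) or the tools plus the shell (full GUI) from that image. It assumes the Windows Server 2012 media is attached as D: and that the DISM and ServerManager PowerShell modules are available, which they are on a Server Core 2012 install.

```powershell
# Added example (not from the original post): Server Core -> Minimal Server Interface / full GUI
# from the installation WIM, with the image index resolved from the installed edition.
param(
    [string]$Wim = "D:\sources\install.wim",                       # assumption: media attached as D:
    [ValidateSet("Minimal", "Full")][string]$Target = "Minimal"   # Minimal = management tools, no shell
)

function Get-MatchingWimIndex([string]$ImagePath) {
    # Running edition, e.g. ServerDatacenter. Image names in the 2012 WIM look like
    # "Windows Server 2012 SERVERDATACENTER" (GUI) and "... SERVERDATACENTERCORE" (Core),
    # so anchoring the wildcard at the end excludes the Core image.
    $edition = (Get-WindowsEdition -Online).Edition
    $image = Get-WindowsImage -ImagePath $ImagePath |
        Where-Object { $_.ImageName -like "*$edition" } |
        Select-Object -First 1
    if (-not $image) { throw "No non-Core image for edition '$edition' found in $ImagePath" }
    $image.ImageIndex
}

$index    = Get-MatchingWimIndex $Wim
$features = @("Server-Gui-Mgmt-Infra")                       # Server Core + this = Minimal Server Interface
if ($Target -eq "Full") { $features += "Server-Gui-Shell" }  # + this = Server with a GUI

"Installing $($features -join ', ') from wim:${Wim}:$index"
Install-WindowsFeature -Name $features -Source "wim:${Wim}:$index" -Restart

# Going the other way, Uninstall-WindowsFeature Server-Gui-Shell -Remove also deletes the payload
# from the side-by-side store, so the shell can only come back from an explicit -Source again.
```

Staying at the Minimal Server Interface is a reasonable end state for a DirectAccess or other infrastructure server: the MMC consoles and Server Manager still work locally, while the shell, Explorer and Internet Explorer and the attack surface that comes with them are not installed.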

Posted in Windows 2012

Offline Domain Join: Computer provisioning failed: 0x80094800

Posted by Brajesh Panda on October 23, 2012

In my DirectAccess lab I was trying to test the Offline Domain Join feature. Here is the official TechNet article.

Just to summarize: the Offline Domain Join feature was introduced in Windows Server 2008 R2 and lets Windows 7 client computers join a domain when they are not directly connected to the corporate AD network. In Windows Server 2012 it has been enhanced to push the DirectAccess client settings GPOs, the root CA certificates and the computer certificate along with the domain join metadata, but this enhanced version is limited to Windows 8 clients.

DJOIN.EXE is the tool used for this exercise. It is built into the Windows Server 2012 and Windows 8 operating systems.

Here is the complete list of djoin.exe options

So in my DirectAccess test lab I have already configured the DirectAccess server and the related ecosystem. I would like a remote (off-domain) Windows 8 laptop to join my test domain automatically and be able to connect using DirectAccess. To do this I have a DirectAccess client GPO named "DirectAccess Client Settings" and a certificate template "DirectAccess IPSec Clients".

To create the "PandaLaptop6" computer account in my Contoso.local domain I compiled my djoin syntax like below:

djoin /provision /domain Contoso.local /machine PandaLaptop6 /dcname contoso-dc01.contoso.local /rootcacerts /policynames "DirectAccess Client Settings" /certtemplate "DirectAccess IPSec Clients" /savefile c:\Provisions\PandaLaptop6.txt

And it failed with the error below.

Provisioning the computer…

Failed to provision [PandaLaptop1] in the domain [Contoso.local]: 0x80094800.

It may be necessary to specify /REUSE when running

djoin.exe again with the same machine name.

Computer provisioning failed: 0x80094800.

The requested certificate template is not supported by this CA.

Even after the failure message it was able to create a computer account in AD. So I thought maybe only the GPO or certificate part of the syntax was not working. I verified in the CA console; the template name is the same, so there should not be any issue.


A thought came to mind to check the template names using the certutil tool, so I used "certutil -template" and searched for my template.

Woooo, here is the problem: none of these templates have a SPACE in their names. Check out those template common names in the screenshot below.


Now I corrected my syntax and it worked as expected. It created the metadata TXT file, created the computer account in AD and issued the certificates.

djoin /provision /domain Contoso.local /machine PandaLaptop6 /dcname contoso-dc01.contoso.local /rootcacerts /policynames "DirectAccess Client Settings" /certtemplate "DirectAccessIPSecClients" /savefile c:\Provisions\PandaLaptop6.txt

Provisioning the computer…

Successfully provisioned [PandaLaptop6] in the domain [Contoso.local].

Provisioning data was saved successfully to [c:\Provisions\PandaLaptop6.txt].

Computer provisioning completed successfully.

The operation completed successfully.

I copied the TXT metadata file to my newly installed Windows 8 computer and ran the syntax below to join the domain.

djoin /requestODJ /loadfile c:\PandaLaptop6.txt /windowspath %SystemRoot% /localos

Successful.

Then I rebooted my remote Windows 8 computer. As this computer already had Internet connectivity, DirectAccess got activated and I was able to log in to the Contoso.local domain. Isn't it beautiful?
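The mistake above is easy to repeat, because the CA console shows a template's display name while djoin /certtemplate wants its common name. The script below is an added example (not code from the original post) that looks the common name up in Active Directory from the display name, runs the provisioning with it, and then locks down the resulting blob. It assumes it is run on a domain-joined machine by a user who may create computer accounts and enroll for the template, and uses the lab names from this post (Contoso.local, contoso-dc01, "DirectAccess Client Settings", "DirectAccess IPSec Clients", C:\Provisions) as defaults.

```powershell
# Added example (not from the original post): ODJ provisioning with the template CN resolved from AD.
param(
    [string]$Domain = "Contoso.local",
    [string]$Machine = "PandaLaptop6",
    [string]$DcName = "contoso-dc01.contoso.local",
    [string]$PolicyName = "DirectAccess Client Settings",
    [string]$TemplateDisplayName = "DirectAccess IPSec Clients",
    [string]$OutDir = "C:\Provisions",
    [switch]$Reuse    # pass when the computer account already exists from an earlier failed attempt
)

function Resolve-CertTemplateCN([string]$DisplayName) {
    # Templates are objects in the configuration partition: displayName is what the CA
    # console shows (may contain spaces); cn is what certutil -template lists and djoin expects.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $path     = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]$path)
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))"
    [void]$searcher.PropertiesToLoad.Add("cn")
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No certificate template with display name '$DisplayName'" }
    [string]$hit.Properties["cn"][0]
}

$templateCN = Resolve-CertTemplateCN $TemplateDisplayName   # "DirectAccess IPSec Clients" -> DirectAccessIPSecClients
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$blob = Join-Path $OutDir "$Machine.txt"

$djoinArgs = @("/provision", "/domain", $Domain, "/machine", $Machine, "/dcname", $DcName,
               "/rootcacerts", "/policynames", $PolicyName, "/certtemplate", $templateCN, "/savefile", $blob)
if ($Reuse) { $djoinArgs += "/reuse" }
& djoin.exe $djoinArgs
if ($LASTEXITCODE -ne 0) { throw ("djoin /provision failed: 0x{0:X8}" -f $LASTEXITCODE) }

# The blob carries the machine account password, the client GPO and, with /certtemplate, the
# issued certificate with its key, so treat it as a credential: restrict it to the provisioning
# user, move it to the client out of band, and delete it once djoin /requestODJ has consumed it.
& icacls.exe $blob /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
"Provisioned $Machine. On the client run: djoin /requestODJ /loadfile <copied file> /windowspath %SystemRoot% /localos"
```

Resolving the name through AD rather than by stripping spaces matters because a template's common name can be changed independently of its display name when the template is duplicated in the Certificate Templates console; the lookup returns whatever the CA will actually accept.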

Watch out for other 2012 Direct Access Articles.

Posted in Remote Access, Windows 2012

No DCPromo in Windows 2012

Posted by Brajesh Panda on October 16, 2012

Hmm – No DCPromo in Windows 2012 ;-(

http://technet.microsoft.com/en-us/library/hh472162.aspx#BKMK_GUI

Posted in Windows 2012

Windows 2012: Cut, Copy, Delete “Pause & Resume” Feature

Posted by Brajesh Panda on July 18, 2012

While using Windows Server 2012 and Windows 8 I observed that I can pause and resume cut, copy or delete operations. Isn't it nice?

Another beauty: this feature lists all the running tasks in a single window rather than multiple windows, so no toggling hassle between windows 😉

Appreciate this long pending feature.

Posted in Windows 2012

Windows 2012: Deduplication

Posted by Brajesh Panda on July 16, 2012

  • Here are my testing results for deduplication. There is a nice TechNet blog article where you can find all the theoretical details.
  • Dedup can be managed from Server Manager or PowerShell
  • There is a free tool, "ddpeval.exe", that comes with Windows Server 2012 to evaluate how much space we will save if we enable dedup. You can copy it to another computer (2008 or 7 family) and run it.
    • I am using the 2012 release candidate, build 8400
    • Only the NTFS file system is supported (no ReFS support yet)
    • For my testing I copied two install.wim files of 2.9 GB each to the F: drive

  • Enable dedup by right-clicking the volume and selecting Configure Data Deduplication, or with "Enable-DedupVolume F:"
  • Then attach a schedule for when you would like the dedup process to run on the file system
  • If you want to start immediately, run "Start-DedupJob F: -Type Optimization"

  • After completion of the job, here is the Server Manager screenshot showing how much space we saved. We can also use "Get-DedupStatus"
  • Wow, we are saving 49%. Isn't it awesome 😉
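The same test as a script, added here as an example and not code from the original post: it enables deduplication on a test volume, runs one optimization job to completion and computes the saving the way Server Manager reports it (saved space over what the data would occupy without dedup). It assumes Windows Server 2012 with the Data-Deduplication feature installed and an NTFS test volume F: (ReFS is not supported). MinimumFileAgeDays is set to 0 only so that freshly copied test files are eligible; leave the default on a production volume so files still being written are skipped.

```powershell
# Added example (not from the original post): enable dedup, optimize once, report the saving.
param([string]$Volume = "F:")   # assumption: an NTFS test volume with the sample files on it

Import-Module Deduplication

function Invoke-DedupTest([string]$Vol) {
    Enable-DedupVolume -Volume $Vol | Out-Null
    Set-DedupVolume -Volume $Vol -MinimumFileAgeDays 0          # test only: optimize files copied minutes ago

    # Same as "start-dedupjob f: -type optimization", but block until the job has finished
    Start-DedupJob -Volume $Vol -Type Optimization -Wait | Out-Null

    $status  = Get-DedupStatus -Volume $Vol
    $used    = $status.Capacity - $status.FreeSpace              # physical bytes in use after dedup
    $logical = $used + $status.SavedSpace                        # what the data would take without dedup
    $rate    = if ($logical -gt 0) { [math]::Round(100 * $status.SavedSpace / $logical, 1) } else { 0 }
    New-Object PSObject -Property @{
        Volume         = $Vol
        OptimizedFiles = $status.OptimizedFilesCount
        SavedGB        = [math]::Round($status.SavedSpace / 1GB, 2)
        SavingsPercent = $rate
    }
}

Invoke-DedupTest $Volume | Format-List Volume, OptimizedFiles, SavedGB, SavingsPercent
```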

Posted in Windows 2012

Upgrade Windows 2008 R2 Standard to Enterprise/DataCenter without Media

Posted by Brajesh Panda on April 5, 2012

Using the Windows edition-servicing command-line options we can upgrade Windows Server 2008 R2 Standard to Enterprise or a higher edition (lower to higher only) of the operating system without using the operating system media.

Upgrade Scenario;

Windows Server 2008 R2 Standard -> Windows Server 2008 R2 Enterprise -> Windows Server 2008 R2 Datacenter

Windows Server 2008 R2 Standard Server Core -> Windows Server 2008 R2 Enterprise Server Core -> Windows Server 2008 R2 Datacenter Server Core

Windows Server 2008 R2 Foundation -> Windows Server 2008 R2 Standard

To determine the installed edition, run:

DISM /online /Get-CurrentEdition

To check the possible target editions, run:

DISM /online /Get-TargetEditions

To Start upgrade;

DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

where XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is the product key. If your environment uses a KMS server, you have to use the KMS client setup keys (GVLKs) for the target edition; you can find them here:

Here is the screenshot from my lab server, upgrading to Enterprise edition:
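The three DISM commands above fit naturally into one guarded script, added here as an example that is not code from the original post: it reads the current edition and the allowed targets, refuses to proceed if the requested edition is not one of them (the upgrade is one-way, and DISM rejects unsupported targets anyway), checks the key format, and then runs Set-Edition. It assumes Windows Server 2008 R2 or later with dism.exe on the path and an elevated prompt; the "Current Edition :" and "Target Edition :" labels it matches are an assumption about the English dism.exe output, as is the 3010 exit code DISM uses to signal that a reboot is required. The key is a parameter on purpose: retail and MAK keys are secrets and do not belong in scripts, while KMS client setup keys are public.

```powershell
# Added example (not from the original post): checked edition upgrade with DISM.
param(
    [Parameter(Mandatory = $true)][string]$TargetEdition,   # e.g. ServerEnterprise, ServerDatacenter
    [Parameter(Mandatory = $true)][string]$ProductKey       # retail/MAK key, or the KMS client setup key for the target edition
)

function Get-DismEditionInfo {
    # Parse "Current Edition : X" and one "Target Edition : Y" line per allowed upgrade path
    $current = (& dism.exe /online /Get-CurrentEdition 2>&1 | ForEach-Object { "$_" }) -join "`n"
    $targets = (& dism.exe /online /Get-TargetEditions 2>&1 | ForEach-Object { "$_" }) -join "`n"
    New-Object PSObject -Property @{
        Current = $(if ($current -match "Current Edition\s*:\s*(\S+)") { $Matches[1] } else { $null })
        Targets = @([regex]::Matches($targets, "Target Edition\s*:\s*(\S+)") | ForEach-Object { $_.Groups[1].Value })
    }
}

$info = Get-DismEditionInfo
"Installed: $($info.Current); upgradable to: $(if ($info.Targets.Count) { $info.Targets -join ', ' } else { 'nothing' })"

if ($info.Current -eq $TargetEdition) { "Already on $TargetEdition; nothing to do."; return }
if ($info.Targets -notcontains $TargetEdition) {
    throw "'$TargetEdition' is not a valid upgrade target from $($info.Current) (edition changes go from lower to higher only)"
}
if ($ProductKey -notmatch '^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$') {
    throw "Product key must be in XXXXX-XXXXX-XXXXX-XXXXX-XXXXX form"
}

& dism.exe /online "/Set-Edition:$TargetEdition" "/ProductKey:$ProductKey"
# 0 = done, 3010 = done but a reboot is required to finish the edition change
if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) { throw "DISM /Set-Edition failed with exit code $LASTEXITCODE" }
"Edition change staged; reboot, then confirm with: dism /online /Get-CurrentEdition"
```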

Posted in Windows 2012

 