Install and configure ADDS on Windows Server 2022 Core in Azure (Part 2)

A question I often get is ‘why should I use Windows Server Core edition?’ The usual objection is that it is difficult to manage and that people do not like a server without a graphical interface.

The first thing I always say is: you DON’T HAVE to, but my advice is to do it, especially for a number of crucial server roles.

Some advantages of Windows Server Core edition at a glance:

· It’s faster (fewer services running, less overhead, no graphical user interface)

· More secure: fewer installed components means fewer patches and reboots, and no Explorer, browser or other interactive tooling for an attacker who gets a shell on the box

· It’s modern

· Less disk space required

· Smaller footprint

· Smaller attack surface

· Faster deployment

Difference in installed services:

On Windows Server 2022 with a graphical user interface, there are 210 installed services. On the Windows Server Core edition, there are just 127 installed services. That’s a big difference of 83 services.


Difference in running services:

On Windows Server 2022 with a graphical user interface, there are 73 running services. On Windows Server Core edition, there are just 66 running services. That’s a difference of 7 services.


Used disk space on the C: drive

On Windows Server 2022 with a graphical user interface, the installation of the operating system uses around 13 GB of space.

The Windows Server Core edition uses just around 9 GB of space for the operating system.


Performance (CPU and memory)

In performance there is only a small difference under ‘normal’ usage of the server. Memory usage on Server Core edition is around 1.6 GB versus 2.1 GB on the graphical version. The CPU load is also a little lower, as you can see.

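To reproduce the numbers above on your own builds, here is an added example (not part of the original post) that collects the same metrics from a server: install type, installed and running services, used space on C:, memory in use and an averaged CPU reading. Run it locally on each server, or pass -ComputerName for a remote one (WinRM is enabled by default on Windows Server). The counter path and the InstallationType registry value are standard; the five-sample CPU average is my choice.

```powershell
# Added example, not from the original post: gather the comparison metrics from one server.
param([string]$ComputerName = $env:COMPUTERNAME)

$result = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $svc = Get-Service
    $os  = Get-CimInstance Win32_OperatingSystem
    $c   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"

    # Average five one-second CPU samples rather than trusting a single reading
    $cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 5).CounterSamples |
           Measure-Object -Property CookedValue -Average

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        # 'Server Core' on Core, 'Server' on Desktop Experience
        InstallType       = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
        InstalledServices = $svc.Count
        RunningServices   = ($svc | Where-Object Status -eq 'Running').Count
        UsedGB_C          = [math]::Round(($c.Size - $c.FreeSpace) / 1GB, 1)
        # Win32_OperatingSystem reports memory in KB, so KB / 1MB gives GB
        UsedMemGB         = [math]::Round(($os.TotalVisibleMemorySize - $os.FreePhysicalMemory) / 1MB, 2)
        AvgCpuPercent     = [math]::Round($cpu.Average, 1)
    }
}

$result | Format-List
```

Run it once on a Core box and once on a Desktop Experience box with the same roles installed and compare the two objects; the service counts only mean something when both servers carry the same roles and update level.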

Summary:

The choice of whether or not to deploy Windows Server Core within the infrastructure depends on a number of things. First of all, the workload or application must be suitable to run on Server Core. This is certainly not the case for all applications or server roles.

Especially for crucial server roles, such as domain controllers, it is advisable to use Server Core. It offers a number of advantages, which contributes to a more stable and secure environment.

And with the Remote Server Administration Tools (RSAT), the Microsoft Management Console (MMC), Windows Admin Center or Azure Arc, a Windows Server Core edition server is easy to manage remotely.

Install and configure ADDS on Windows Server 2022 Core in Azure (Part 1)

Today, I’m going to show you how to install and configure Active Directory Domain Services on Windows Server 2022 Core edition on Azure.

I’ve used some ARM templates to deploy my two domain controllers in Azure, based on Windows Server 2022 Core edition. These servers are in a separate subnet within my Azure environment. In this example I have two domain controllers, mss-dc-core001 and mss-dc-core002.

The first step is to configure the following things:

  • Machine name
  • Static IP from the Azure Portal (NOT within the VM)
  • Static DNS from the Azure Portal (NOT within the VM)
  • Date and Time
  • Install all the latest updates


After logging in to the first domain controller, there’s just one big black screen with ‘SCONFIG’ open, that’s all!


The next step is to prepare the data partition on our second disk to hold the ADDS database, NETLOGON and SYSVOL directories. For this configuration we are using DISKPART. We have created a new volume on the second disk: it’s drive D:, 16 GiB in size, with host disk caching set to None in the Azure portal. Microsoft’s guidance for domain controllers in Azure is host caching None on the disk that holds the AD database, because a write cache in front of ntds.dit can lose committed writes. Do not put it on the Azure temporary disk either; that disk is wiped when the VM is redeployed.
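The same preparation with the Storage module instead of DISKPART, as an added example that is not from the original post. It assumes the data disk is the only RAW disk attached to the VM and that D: is free (on many Azure sizes D: is the temporary disk, which the script refuses to use); the resource group name in the final comment is an assumption.

```powershell
# Added example, not from the original post: initialise the data disk for NTDS/SYSVOL.
$ErrorActionPreference = 'Stop'

# Never put the AD database on the Azure temporary disk (label 'Temporary Storage').
$d = Get-Volume -DriveLetter D -ErrorAction SilentlyContinue
if ($d -and $d.FileSystemLabel -eq 'Temporary Storage') {
    throw 'D: is the Azure temporary disk; change its drive letter first. NTDS must not live on it.'
}

# The attached data disk is the one still RAW; the OS disk and temp disk are already formatted.
$dataDisk = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
if ($dataDisk.Count -ne 1) {
    throw "Expected exactly one RAW data disk, found $($dataDisk.Count)."
}

# GPT, one partition spanning the disk, NTFS, labelled so it is obvious in RSAT/Explorer.
Initialize-Disk -Number $dataDisk[0].Number -PartitionStyle GPT
New-Partition -DiskNumber $dataDisk[0].Number -UseMaximumSize -DriveLetter D | Out-Null
Format-Volume -DriveLetter D -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false | Out-Null

# Pre-create the paths used later by Install-ADDSForest / Install-ADDSDomainController.
foreach ($dir in 'D:\NTDS', 'D:\SYSVOL', 'D:\Logs') {
    New-Item -Path $dir -ItemType Directory -Force | Out-Null
}

# Sanity check before promotion: NTFS and roughly the 16 GiB from the post.
$vol = Get-Volume -DriveLetter D
'{0}: {1} {2:N1} GiB' -f $vol.DriveLetter, $vol.FileSystem, ($vol.Size / 1GB)

# Host caching is an Azure-side setting and cannot be read from inside the guest. Check it
# from a workstation with the Az module (resource group name is an assumption):
#   (Get-AzVM -ResourceGroupName 'rg-dc' -Name 'mss-dc-core001').StorageProfile.DataDisks |
#       Select-Object Name, Lun, Caching      # Caching must be 'None' for the NTDS disk
```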


After the first configuration of the servers, we are ready to start the installation of the necessary services and features. Press ‘15’ in SCONFIG to exit to PowerShell.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools


Install-ADDSForest -DomainName "network.lab" -DomainMode 7 -ForestMode 7 -DatabasePath "D:\NTDS" -SYSVOLPath "D:\SYSVOL" -LogPath "D:\Logs"

Mode 7 is WinThreshold (Windows Server 2016), the highest domain and forest functional level that exists. The cmdlet prompts for the Directory Services Restore Mode (DSRM) password, which belongs in your password vault, and reboots the server when the promotion finishes.


Because we are using Windows Core edition, we don’t have any graphical management tools on the domain controllers. Therefore, we have installed the Remote Server Administration Tools or RSAT on a management server.


Here we can start ‘Active Directory Users & Computers’ to take a look at our newly created Active Directory environment.

On the second domain controller (mss-dc-core002) we install the same role, this time with the DNS role explicitly:

Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools


Install-ADDSDomainController -DomainName "network.lab" -DatabasePath "D:\NTDS" -SYSVOLPath "D:\SYSVOL" -LogPath "D:\Logs" -Credential (Get-Credential "network.lab\azlocadmin")

This promotes the server as an additional domain controller (and global catalog) in network.lab. Like Install-ADDSForest it prompts for the DSRM password and reboots when it is done.


Now we have two active domain controllers in our Active Directory environment, based on Windows Server 2022 Core edition.


Create a Central Store for your group policy ADMX and ADML files. Copy all the files from "C:\Windows\PolicyDefinitions" to "\\network.lab\SYSVOL\network.lab\Policies\PolicyDefinitions". Copy from the machine with the newest templates (the management server after updates, or the downloaded Administrative Templates for the Windows versions you manage): once the Central Store exists, the Group Policy editor reads it and ignores the local PolicyDefinitions folder.


Open the Group Policy Editor again and see if the policy definitions are loaded from the Central Store.
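The checks a practitioner wants after promoting both DCs, plus the Central Store copy, as an added example (not from the original post). Run it from the management server with RSAT as a Domain Admin; domain and server names are the ones used in this post, and WinRM to the DCs is assumed.

```powershell
# Added example, not from the original post: post-promotion checks and Central Store.
$ErrorActionPreference = 'Stop'
$domain = 'network.lab'
$dcs    = 'mss-dc-core001', 'mss-dc-core002'

# 1. Both DCs should be listed, global catalogs and in the expected site.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, OperatingSystem, Site |
    Format-Table -AutoSize

# 2. Replication: any failure needs attention before you build on this forest.
$fail = Get-ADReplicationFailure -Target $domain -Scope Domain
if ($fail) {
    $fail | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime | Format-Table -AutoSize
} else {
    'No replication failures reported for the domain'
}

# 3. The AD database must be on the data disk (D:), not the OS or temporary disk.
foreach ($dc in $dcs) {
    $ntds = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    }
    "$dc NTDS: $ntds"
    if ($ntds -notlike 'D:\*') { Write-Warning "$dc stores ntds.dit outside D:" }
}

# 4. Central Store: create it from this machine's templates if it does not exist yet,
#    then confirm every DC serves it from its own SYSVOL replica (DFS-R has converged).
$store = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
if (-not (Test-Path $store)) {
    Copy-Item -Path 'C:\Windows\PolicyDefinitions' -Destination $store -Recurse
}
foreach ($dc in $dcs) {
    $perDc = "\\$dc\SYSVOL\$domain\Policies\PolicyDefinitions"
    $count = @(Get-ChildItem -Path $perDc -Filter *.admx -ErrorAction SilentlyContinue).Count
    "$dc serves $count ADMX files from its SYSVOL replica"
}
```

If the ADMX counts differ between the two DCs, SYSVOL replication has not caught up yet; wait and re-run rather than copying the files to each DC by hand.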


Wrap up:
We have created two domain controllers in Azure, based on Windows Server 2022 Core edition (no graphical user interface). We have created a new Active Directory Forest with a single domain ‘network.lab’. And last we have created the Central Store for storing the group policy definitions (ADMX and ADML) files.

In the next parts we are going to harden some security settings, configure Log Analytics for monitoring and configure Azure Backup for Back-up and Disaster Recovery.

How to: Install Exchange 2019 on Windows Server 2019 Core Edition

In this blogpost I’m going to show you the steps to install Microsoft Exchange Server 2019 on Windows Server 2019 Core Edition. When you’re working with Windows Server Core for the first time, it’s a little different than managing Windows with a GUI (Graphical User Interface).

Windows Server Core is just a command line interface, that’s all. There are many advantages of using Windows Server Core edition, for example:

* Small footprint
* Less Windows Updates to install
* Less reboots needed after Windows Updates
* Reduced attack surface
* Less disk space required
* Reduced management

With the release of Exchange Server 2019, Windows Server Core is also supported!! YEAH!!!

Install Windows Server 2019 Core Edition

This step is really easy. Just hit next, next, next and finish!


Hit CTRL+ALT+DELETE, type the local administrator password and login to your server. After this, you can start configuring the server using SCONFIG.


Network settings

Configure the network settings using SCONFIG or PowerShell.

Assign a static IP:

New-NetIPAddress -InterfaceIndex 6 -IPAddress 172.16.1.100 -PrefixLength 16 -DefaultGateway 172.16.1.101



Configure a DNS Server:

Set-DnsClientServerAddress -InterfaceIndex 6 -ServerAddresses "172.16.1.100"



Enable Remote Desktop:

cscript C:\Windows\System32\Scregedit.wsf /ar 0

This only clears fDenyTSConnections. You still have to enable the Remote Desktop firewall rule group (option 7 in SCONFIG does both in one go), and keep the default Network Level Authentication requirement: do not run Scregedit.wsf /cs 0, which allows legacy clients to reach the logon screen without authenticating first.
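The same network and Remote Desktop configuration in PowerShell, as an added example that is not from the original post, including the two things the scregedit one-liner leaves out: the firewall rule and the NLA requirement. The addresses are those from the post; picking the first adapter that is Up is my assumption, so check Get-NetAdapter and set $ifIndex explicitly if the server has more than one NIC.

```powershell
# Added example, not from the original post: static IP, DNS and hardened RDP on Server Core.
$ErrorActionPreference = 'Stop'
$ifIndex = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).ifIndex

# Static IPv4 address and DNS (DNS points at the domain controller, as in the post)
New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress 172.16.1.100 -PrefixLength 16 -DefaultGateway 172.16.1.101 | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses 172.16.1.100

# Enable RDP (fDenyTSConnections = 0) and require NLA (UserAuthentication = 1).
# scregedit.wsf /ar 0 only flips the first value; without NLA the Windows logon screen is
# reachable before any credential is presented.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Read everything back
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength
Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 | Select-Object ServerAddresses
(Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication   # expect 1
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled, Profile
```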

 

Windows features

Use the following PowerShell command to install the OS component required for Microsoft UCMA 4.0 (Server Media Foundation) and the one required for Active Directory preparation (the AD DS RSAT tools).

Don’t forget to switch to PowerShell first (type powershell at the command prompt).

Install-WindowsFeature Server-Media-Foundation, RSAT-ADDS



Download necessary software

From an admin workstation, download the following software and copy it over to the Server Core we are preparing for the Exchange installation (for example C:\_Install)

* Visual C++ Redistributable Packages for Visual Studio 2013


Install UCMA (Microsoft Unified Communications Managed API 4.0)


The UCMA installer ships on the Exchange Server 2019 media itself, under the “UCMARedist” folder. Mount the Exchange Server 2019 .ISO and start Setup.exe from that folder.

Do not reboot the server just yet; join the computer to the AD domain first and then reboot once.

Joining the computer to AD domain

* Rename the computer to 2019-EX01

* Add the computer to domain homelab.local


Add-Computer -DomainName homelab.local -NewName 2019-EX01 -DomainCredential homelab\administrator

Restart the server

Use the following PowerShell command to restart the computer:

Restart-Computer -Force

Exchange installation

After the reboot, mount the Exchange .ISO image again.

Use the following command to start the Exchange Server installation. The /InstallWindowsComponents switch makes Setup install the remaining OS components Exchange needs. Run it from an elevated prompt; for the first server in the organization the account also needs Schema Admins and Enterprise Admins membership, because Setup prepares the schema and the forest. Note that Exchange 2019 CU12 and later no longer accept /IAcceptExchangeServerLicenseTerms and require /IAcceptExchangeServerLicenseTerms_DiagnosticDataON or /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF instead.


.\Setup.exe /m:install /roles:m /IAcceptExchangeServerLicenseTerms /InstallWindowsComponents

Once Exchange is installed, you can launch the Exchange Management Shell using LaunchEMS command from the command line.

You can also open the Exchange admin center (EAC) from a different server using the URL below:

https://2019-EX01.homelab.local/ecp
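The prerequisite and setup steps of this post as one script, added here as an example that is not from the original post. It has two phases because the UCMA install and the domain join need a reboot before Exchange Setup runs. Assumptions not in the post: the ISO was copied to C:\_Install\ExchangeServer2019.iso, the VC++ 2013 x64 redistributable to C:\_Install\vcredist_x64.exe, and the media signature check is my addition. Domain and computer names are the post’s.

```powershell
# Added example, not from the original post: Exchange 2019 on Server Core in two phases.
param([switch]$AfterReboot)
$ErrorActionPreference = 'Stop'
$iso = 'C:\_Install\ExchangeServer2019.iso'   # assumed location

function Mount-ExchangeMedia {
    # Mount the ISO and return its drive letter, e.g. "E:"
    $img = Mount-DiskImage -ImagePath $iso -PassThru
    return (($img | Get-Volume).DriveLetter + ':')
}

function Test-MicrosoftSigned([string]$Path) {
    # Refuse media whose Setup.exe is unsigned, tampered with, or not signed by Microsoft
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft Corporation')
}

if (-not $AfterReboot) {
    # Phase 1: OS components for UCMA and AD preparation
    Install-WindowsFeature Server-Media-Foundation, RSAT-ADDS | Out-Null

    # VC++ 2013 runtime, silent
    Start-Process -FilePath 'C:\_Install\vcredist_x64.exe' -ArgumentList '/install', '/quiet', '/norestart' -Wait

    # UCMA 4.0 from the UCMARedist folder on the media (its installer is interactive)
    $drive = Mount-ExchangeMedia
    if (-not (Test-MicrosoftSigned "$drive\Setup.exe")) { throw 'Exchange media failed the signature check' }
    Start-Process -FilePath "$drive\UCMARedist\Setup.exe" -Wait
    Dismount-DiskImage -ImagePath $iso

    # Rename, join the domain and reboot once for all of the above
    $cred = Get-Credential -UserName 'homelab\administrator' -Message 'Domain join credential'
    Add-Computer -DomainName homelab.local -NewName 2019-EX01 -DomainCredential $cred -Restart
}
else {
    # Phase 2 (run as Schema Admin / Enterprise Admin for the first server in the org):
    # unattended Mailbox role install; /InstallWindowsComponents adds the remaining OS parts.
    $drive = Mount-ExchangeMedia
    if (-not (Test-MicrosoftSigned "$drive\Setup.exe")) { throw 'Exchange media failed the signature check' }
    & "$drive\Setup.exe" /m:install /roles:m /IAcceptExchangeServerLicenseTerms /InstallWindowsComponents
    # Exchange 2019 CU12 and later need /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
    # or /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF instead of the switch above.
}
```

Run the script once without parameters, let the server come back, log in with the domain account and run it again with -AfterReboot. The Authenticode check is cheap insurance against installing from a modified ISO that was staged on a file share.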


Microsoft Ignite 2016 Slidedeck and Video downloader


Have you missed the Microsoft Ignite 2016 event? No problem! MVP Michel de Rooij has created a script to download all the content (videos and slide decks), so you can watch it all again.

The script downloads all the Ignite 2016 slide decks and videos that are available from Tech Community via the OneDrive URL on the session page. Video downloads use youtube-dl, which you can download from https://yt-dl.org/latest/youtube-dl.exe and put in the same folder as the script; if the utility is not present, the script tries to download it itself. As with any executable that is fetched automatically, check its hash or signature before you let it run.

Special credits goes to:
Original scraper for slidedecks by Mattias Fors, http://deploywindows.info.
Adjusted for video downloading by Michel de Rooij, http://eightwone.com
Enhancements by Scott Ladewig http://ladewig.com

Download the script here.


 

How to: Change computername in Windows Explorer on Windows Server 2012 R2

When you’re using a lot of virtual machines or environments, it’s sometimes really useful to see which environment or server you’re logged in to. I’ve created a really nice solution for my servers, basically Remote Desktop Services in different environments, that does exactly what I need: I’ve changed the display name in Windows Explorer to the value “user on server”, for example “mark on prod-rds-01”.

You can set this new value with Group Policy Preferences or some other scripting.

1.) Create a new GPO in the Group Policy Management Console
2.) Navigate to “User Configuration / Preferences / Windows Settings / Registry”
3.) Create a new registry item and browse to the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
4.) Change the default REG_SZ value to “%username% on %computername%”
5.) Log in to the specific server where you targeted the GPO and open Windows Explorer
6.) The name of your computer has changed to “username on computername”
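The same change as a logon script or a one-off for the current user, added here as an example that is not from the original post, with a -Restore switch to put the default name back. Only the (default) value under HKCU is touched, so it needs no admin rights and affects only this user; the choice to expand the variables in the script rather than writing them literally is mine.

```powershell
# Added example, not from the original post: rename "This PC" in Explorer for the current user.
param([switch]$Restore)

# The CLSID is the "This PC" / "Computer" shell namespace object
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}'

if ($Restore) {
    # Deleting the per-user override makes Explorer fall back to the system-wide name
    if (Test-Path $key) { Remove-Item -Path $key -Recurse }
    'Restored the default computer name in Explorer'
    return
}

# Expand the variables here so the stored REG_SZ is the final text
$name = '{0} on {1}' -f $env:USERNAME, $env:COMPUTERNAME
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name '(default)' -Value $name

# Read back what Explorer will show after a refresh (F5) or in a new window
(Get-ItemProperty -Path $key).'(default)'
```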


How to: View configured mailbox quotas in Exchange 2010/2013 using Out-GridView

When you’ve configured mailbox quotas within your Exchange 2010/2013 environment, you have to check the configuration sometimes. Using Microsoft PowerShell you can see the current configuration within a few seconds, so this is extremely powerful! But when you have to query for some specific user or result, it’s not that easy.

There’s a very useful cmdlet within PowerShell that I’m using in almost all my scripts: Out-GridView. When you pipe results to Out-GridView, they are not shown in the PowerShell window but in a separate window. Within this window you can very easily add search criteria, for example a specific user, a quota value or an overview per database.

One requirement is that the Windows feature “Windows PowerShell Integrated Scripting Environment (ISE)” is installed on the Exchange server or management server from which you’re running the commands; on Windows Server, Out-GridView ships as part of that feature.

1.) Open the Exchange Management Shell (EMS)
2.) For an overview of the current mailbox quota, use the following command.
Get-Mailbox -Identity mswinkels | ft Name, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
3.) The results of this command are shown within the PowerShell window
4.) Now we run the same command, but replace “ft” (Format-Table) with “select” (Select-Object) and pipe to Out-GridView
Get-Mailbox -Identity mswinkels | Select Name, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota | Out-GridView
5.) Now the results are in a separate window! Extremely useful when you have to search for a specific result or results. Keep in mind that a mailbox with UseDatabaseQuotaDefaults set to $true may show Unlimited here while the database limits actually apply.
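An added example (not from the original post) that extends the overview above with the effective quota: mailboxes that use the database defaults get the database’s limits instead of their own, usually empty, values. It also uses the -PassThru switch of Out-GridView, so the grid doubles as a picker. Run it in the Exchange Management Shell; only Get-Mailbox, Get-MailboxDatabase and standard PowerShell are used, the column names are mine.

```powershell
# Added example, not from the original post: effective mailbox quotas in Out-GridView.

# Cache the database limits once instead of one lookup per mailbox
$dbQuota = @{}
foreach ($db in Get-MailboxDatabase) {
    $dbQuota[$db.Name] = $db
}

$rows = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    # Database comes back as an ADObjectId locally and as a string in a remote session;
    # "$()" gives the name in both cases.
    $dbName = "$($_.Database)"
    $useDb  = [bool]$_.UseDatabaseQuotaDefaults
    $src    = if ($useDb) { $dbQuota[$dbName] } else { $_ }

    [pscustomobject]@{
        Name                     = $_.Name
        Database                 = $dbName
        QuotaSource              = if ($useDb) { 'Database' } else { 'Mailbox' }
        IssueWarningQuota        = $src.IssueWarningQuota
        ProhibitSendQuota        = $src.ProhibitSendQuota
        ProhibitSendReceiveQuota = $src.ProhibitSendReceiveQuota
    }
}

# -PassThru returns the rows you select in the grid: filter to the mailboxes you care about,
# highlight them and press OK to get them back as objects for the next step.
$selected = $rows | Out-GridView -Title 'Effective mailbox quotas' -PassThru
$selected | Format-Table -AutoSize
```

Filter the grid on QuotaSource to see at a glance which mailboxes have individual overrides; those are the ones that silently keep their old limits when you change the database defaults.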


How to: Deploy packages using collection variable with ConfigMgr 2012 R2

During an OS deployment you don’t want to deploy all your packages and software to every workstation. You can deploy the software after a full OS deployment, but you can also deploy packages during the OSD using collection variables. That way a package is installed only if the machine is a member of a specific collection. This collection can be query based, for example on OU membership or an Active Directory security group, or it can be static (direct membership).

In this example I’ve created a really simple deployment, Adobe Reader 11.0. I have two virtual machines, SCWIN81-01 and SCWIN81-02. Both machines are members of the collection “Deploy – Windows 8.1 Enterprise x64”, which the task sequence is deployed to. Machine SCWIN81-01 is also a member of the collection “Install – Adobe Reader 11.0”, whose limiting collection is “Deploy – Windows 8.1 Enterprise x64”. Both machines are deployed at the same time; the only difference is that SCWIN81-01 ends up with Adobe Reader 11.0 installed and SCWIN81-02 does not. Why? Because of the collection variable evaluated during the OSD 🙂

1.) First create the collections
2.) Make the specific machines members of the right collections (query based or direct membership)
3.) Open the properties of the collection “Install – Adobe Reader 11.0” and navigate to the “Collection Variables” tab
4.) Add one or more variables with some values. In this example the variable is “APP-AdobeReader” with the value “Yes”
5.) Open the task sequence and add a package installation step
6.) Add the package with the program and navigate to the “Options” tab
7.) Select “Add Condition” and select “Task Sequence Variable”
8.) Enter the collection variable you’ve created earlier with the same value. In my example:
Task Sequence Variable APP-AdobeReader equals “Yes”
9.) Select “Apply” and close the task sequence.
10.) Start the OSD on both machines and wait until the installation is done!
11.) Watch the differences between both machines; if everything is okay, one machine has Adobe Reader installed and the other not.

This is an extremely powerful thing within ConfigMgr and really helpful in some scenarios, for example VDI golden image deployments, hybrid environments with laptops/desktops, or multiple organizations using one ConfigMgr environment. One main reason could be consolidation of task sequences: if you want, there can be only one task sequence for all your different deployments. This is why I’m loving collection variables! 🙂
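When the condition does not fire as expected, the first question is whether the collection variable actually reached the client. The following added example (not from the original post) is a “Run PowerShell Script” step that dumps the task sequence environment to the SMSTS log folder and checks the APP-AdobeReader variable from this post. The Microsoft.SMS.TSEnvironment COM object and _SMSTSLogPath are standard; the list of masked variable names is my assumption of what counts as a secret.

```powershell
# Added example, not from the original post: dump TS variables and check a collection variable.
$tsenv  = New-Object -ComObject Microsoft.SMS.TSEnvironment
$logDir = $tsenv.Value('_SMSTSLogPath')
$out    = Join-Path $logDir 'TSVariables.log'

# Variable names whose values must never land in a log file (assumed list; extend for your site)
$secret = '^(_SMSTSReserved.*|OSDJoinPassword|OSDLocalAdminPassword|_OSDNetworkAccessPassword|.*Password.*)$'

$tsenv.GetVariables() | Sort-Object | ForEach-Object {
    $value = if ($_ -match $secret) { '<masked>' } else { $tsenv.Value($_) }
    '{0} = {1}' -f $_, $value
} | Set-Content -Path $out -Encoding UTF8

# The check this post relies on: is the collection variable present with the expected value?
$app = $tsenv.Value('APP-AdobeReader')
if ($app -eq 'Yes') {
    'APP-AdobeReader=Yes: the Adobe Reader step will run'
} else {
    "APP-AdobeReader is '$app': the Adobe Reader step will be skipped"
}
```

Place the step just before the conditional package step. Collection variables are ordinary task sequence variables on the client, readable by anyone with local admin during the deployment, so use them for switches like this and never for credentials or license keys.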


How to: Apply Windows updates during OSD with ConfigMgr 2012 R2

During an OS deployment with ConfigMgr 2012 R2 you definitely want to apply the latest Windows updates and patches, for example from Windows Server Update Services (WSUS). You can also integrate WSUS with ConfigMgr 2012 R2 (Software Update Point), but in this example WSUS is not integrated!

This example is also very useful for creating a fully patched golden image in ConfigMgr 2012 R2 (Build & Capture). After the task sequence you have a fully patched Windows 8.1 machine that you can use, for example, in VDI environments.

1.) First open your task sequence
2.) Create a new computer group “Desktops” within the WSUS console (or choose another name, for example: Servers, Laptops, etc.)
3.) Add a custom group within the task sequence
4.) Add the following steps in your task sequence
Run Command Line:
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /t REG_SZ /d http://wsus01.cloud.local:8530 /f
Run Command Line:
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /t REG_SZ /d http://wsus01.cloud.local:8530 /f
Run Command Line:
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v TargetGroup /t REG_SZ /d "Desktops" /f
Run Command Line:
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v TargetGroupEnabled /t REG_DWORD /d 1 /f
Run Command Line:
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer /t REG_DWORD /d 1 /f
Run Command Line:
wuauclt.exe /resetauthorization /detectnow
5.) Don’t forget to set the name of your WSUS server and computer group in the commands above! Prefer the HTTPS port (8531, with WSUS configured for SSL) over plain HTTP on 8530: a client configured with an http:// WSUS URL trusts whatever answers at that address, so anyone who can spoof or intercept that name on the network can feed it update metadata.
6.) Create a new package in ConfigMgr 2012 R2 with the following two files in it, located in the Scripts folder of the MDT 2013 deployment share
ZTIUtility.vbs
ZTIWindowsUpdate.wsf
7.) Don’t create a program in this package; you only have to distribute it to the distribution point(s)
8.) Add a new step “Run Command Line” to the task sequence with the following command:
cscript.exe ZTIWindowsUpdate.wsf
Select the package where the source files are located
9.) Deploy the task sequence to your client collection!
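The six “Run Command Line” steps above as a single script for one “Run PowerShell Script” step, added here as an example that is not from the original post. Two deliberate differences from the post: the WSUS URL defaults to HTTPS on 8531 (which assumes WSUS has been configured for SSL), and the values are read back and the step fails if they did not stick, so a typo in the server name shows up in the task sequence rather than as an unpatched image. Server name and group are the post’s; adjust them.

```powershell
# Added example, not from the original post: point the Windows Update agent at WSUS during OSD.
param(
    [string]$WsusUrl     = 'https://wsus01.cloud.local:8531',
    [string]$TargetGroup = 'Desktops'
)
$ErrorActionPreference = 'Stop'
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

if ($WsusUrl -notmatch '^https://') {
    Write-Warning "WSUS URL $WsusUrl is not HTTPS; the client will accept update metadata from anyone who can answer for that name"
}

# Same values the reg ADD lines set, with the correct value types
New-Item -Path $wu, $au -Force | Out-Null
Set-ItemProperty -Path $wu -Name WUServer           -Value $WsusUrl     -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer     -Value $WsusUrl     -Type String
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup -Type String
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1            -Type DWord
Set-ItemProperty -Path $au -Name UseWUServer        -Value 1            -Type DWord

# Read back and fail the step if anything did not stick
$cfg = Get-ItemProperty -Path $wu
$auc = Get-ItemProperty -Path $au
if ($cfg.WUServer -ne $WsusUrl -or $cfg.TargetGroup -ne $TargetGroup -or $auc.UseWUServer -ne 1) {
    throw 'WSUS client configuration was not applied'
}
"WUServer=$($cfg.WUServer) TargetGroup=$($cfg.TargetGroup) UseWUServer=$($auc.UseWUServer)"

# Pick up the new policy: restart the agent, then force a detection against the WSUS server
Restart-Service -Name wuauserv -Force
& wuauclt.exe /resetauthorization /detectnow
```

Put this step where the six command lines were, before the ZTIWindowsUpdate.wsf step; the exit code of the script is what makes the task sequence stop on a misconfiguration.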
