Manage IIS on Server Core remotely

I’ve started to manage Server Core installations more and more. I recently needed to manage one that was running IIS. While I’m fairly used to IIS Manager, I wasn’t exactly sure how remote management worked.

At first I thought it was a part of RSAT. Nope, but fret not, it is a feature of Windows, just not enabled by default.

As I expected there to be a bunch of configuration BS required, I figured I’d google how to do it instead of googling errors. 😀 I found this really nice right-to-the-point YouTube video. Luckily this made my life easy.

So on the Core server:

#Install the required service
Install-WindowsFeature -Name Web-Mgmt-Service

#enable IIS remote management
reg add HKLM\SOFTWARE\Microsoft\WebManagement\Server /v EnableRemoteManagement /t REG_DWORD /d 1

#Enable service at boot
Set-Service WMSVC -StartupType Automatic

#Enable Service
Start-Service WMSVC
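Before moving on to the client, here is a check script I’d run on the Core server to confirm all four steps took. It is added here and is not from the original post or the video; it assumes the default WMSVC listener port 8172, the registry path used above, and the inbound firewall rule the feature creates.

```powershell
# Added verification script (not part of the original post). Run elevated on the
# Core server after the steps above. Assumption: WMSVC still listens on 8172.
$regPath = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
$port    = 8172

$checks = [ordered]@{
    'Feature installed'    = { (Get-WindowsFeature -Name Web-Mgmt-Service).Installed }
    'Remote mgmt enabled'  = { (Get-ItemProperty -Path $regPath -Name EnableRemoteManagement).EnableRemoteManagement -eq 1 }
    'Startup is Automatic' = { (Get-CimInstance Win32_Service -Filter "Name='WMSVC'").StartMode -eq 'Auto' }
    'Service running'      = { (Get-Service -Name WMSVC).Status -eq 'Running' }
    'Listening on 8172'    = { [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue) }
    'Inbound FW rule open' = { [bool](Get-NetFirewallPortFilter -Protocol TCP |
                                 Where-Object { $_.LocalPort -eq $port } |
                                 Get-NetFirewallRule |
                                 Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }) }
}

# Each check is a script block so one failure (e.g. missing registry value)
# is reported as FAIL instead of aborting the whole run.
$failed = 0
foreach ($name in $checks.Keys) {
    try   { $ok = & $checks[$name] } catch { $ok = $false }
    '{0,-22} : {1}' -f $name, $(if ($ok) { 'OK' } else { 'FAIL' })
    if (-not $ok) { $failed++ }
}
exit $failed   # non-zero exit code = number of failed checks, handy in scripts
```

From the client, `Test-NetConnection -ComputerName <server> -Port 8172` confirms the listener is reachable before you open IIS Manager.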

On the Client Machine (Windows 7-10)

#Enable IIS management tools
Programs and Features -> Turn Windows Features on or off -> IIS -> (check off all items under Web Management Tools; you may not need them all, but to be safe it doesn’t hurt to add them)

#Open IIS Manager
Either through Server Manager -> manage -> IIS
Or under the Start menu -> Admin Tools -> IIS Manager

*NOTE* Don’t bother adding the IIS Manager snap-in to an existing MMC session; I found it’s missing the top menu bar.

*NOTE 2* You also need to install IIS Manager for Remote Administration 1.2 (cause you know this isn’t bundled with RSAT, cause… reasons).
Otherwise you’ll be missing the connect to server option under the File menu.

*NOTE 3* You have to prepend the admin user name with the domain name, else the connection will fail stating unauthorized.

Thanks SSmith!

RSAT MMC CA “Install CA Certificate” Bug

I plan on releasing a 3-part series blog post on configuring a new CA infrastructure in an existing one where an Enterprise root CA has already been configured. In my series I decided to utilize Core servers; these provide an additional layer of issues, as managing them is a little more difficult since it usually requires more cmd-based knowledge or, better yet, PowerShell whenever such options are available. Turns out in this case even more so than ever.

I won’t go into too many details here, as I’ll save that for my series. Basically one step requires me to import the signed certificate into the Sub Enterprise CA; being Core, I have to use the RSAT MMC CA snap-in (funny enough, even if you have Desktop Experience it’s the same tool and snap-in used).

What I discovered is that when I’d use the RSAT tool on a remote client system, loading my actual CA server in the snap-in, it would never actually load the import wizard.

I’d right click my CA, select the option to install a CA certificate:

Then it simply acts as if it’s reloading the snap-in…

Then nothing… So I asked about it on TechNet. Lucky for me, Mark Cooper, the master PKI guy, came to my rescue.

The solution: On the Sub CA

certutil -installcert <your certificate file name here>

Get your Free ESXi here!

Get ’em while they’re hot. Fresh from the bunnums of the internet!

Now I love my ESXi, and I recently converted my old gaming rig into a hypervisor with none other than my favorite beast, ESXi! I first played with 6.5, and don’t get me wrong, the fact that it was a direct login to the host right from a fresh install is such a thing of beauty, with a plugin available for a smoother console experience than the web-driven one. While the HTML5 based web interface is very slick, the console isn’t exactly 100% real time. With the plugin it’s a nice way around that; however the host management tasks are all locked down to the host’s HTML5 web interface. So gone is any chance of using the old phat (.NET based) client. I have to say that’s sad because I LOVE the phat client; it is by far the smoothest of all management interfaces, in my experience.

Anyway, logging into my personal host… I see this

This of course doesn’t surprise me. However, believe it or not, you can continue to run ESXi completely free. It’s generally enough for most people’s needs; there are however some limitations.

  • No support
  • Free ESXi cannot be added to a vCenter Server
  • 2 physical CPUs
  • Unlimited cores per CPU
  • Unlimited physical Memory
  • max. 8 vCPU per VM

I won’t go over the details too much, but the basic steps are as follows:

  1. Sign up to VMware.com
  2. Go to the vSphere Download Center for 6.5 or 5.5.
  3. Register, Download your ISO and grab your Key.

Free ESXi 6.5 – How to Download and get License Keys


USB 3.0 Support on Windows 7 Guest VM

In Short, it’s not supported. If you’re running Workstation 9 or above, there’s this trick.

Now this guy goes into the real nitty gritty, and I love that! I however was working with ESXi 5.5 U3b. VMware did the same thing with the ESXi hypervisor and introduced USB 3.0 support via the xHCI controller. However the exact same limitations apply.

1) Drivers of USB 3.0 Host Controller are not provided by VMware Tools.

2) VMware USB 3.0 Host Controller will work only if your Virtual Machine OS has Native USB 3.0 Support. Examples of such OS are – Windows 8, Windows Server 2012 and Linux Kernel 2.6.31 and above.

He goes on to say he’s screwed, but I’ve found the older EHCI+UHCI controller works for USB 1.1 and 2.0 devices; I haven’t fully tested all scenarios, however. For a Windows Server 2016 VM, on an HP Gen9 server with ESXi 5.5, my findings were as follows:

  1. Installed xHCI usb controller, via VM settings.
  2. Guest OS picked up hardware change and installed driver without issue.
  3. Plugged in USB 2.0 device, showed up in Host, as USB device became available to add to VM via VM settings, so added device.
  4. Guest OS didn’t see the USB device connected.
  5. Removed device via VM settings, then disconnected from host.
  6. Connected USB 3.0 Stick into host, added to VM via VM settings.
  7. Device was seen on Guest VM, and performance was equal to that of the sticks specs. (18~20  MB/s write, 100+MB/s Read)

I wasn’t sure why the USB 2.0 device didn’t show up, so I simply removed the xHCI USB controller and instead installed the EHCI+UHCI one. Re-connected the USB 2.0 device and added it to the VM; this time the device did show up. I can’t remember the exact performance counters. I’ll update this post when I do some better analysis. My plan is to script some I/O tests using diskspd and PowerShell. Stay tuned. 😀

I’m also going to see if I can connect the same USB device via hardware pass-through instead of utilizing the USB controllers and devices VM settings options. I’ve mainly done this with RDMs and storage controllers with storage-type VMs (FreeNAS mostly).

As for the main point of this post… I figured from the main link I posted, and this one here as well from the VMware forums, that I’d be able to get a way to make the xHCI controller work on the Windows 7 VM guest. The answer is basically to grab the Intel xHCI drivers for Windows 7/2008 R2 from Intel and install them manually, not via the setup.exe.

To my dismay I couldn’t get it to work; the wizard simply couldn’t locate the device (since the hardware IDs didn’t match), and installing it otherwise, the device wouldn’t start.

I even decided to try and use double driver (extracts drivers) against a newer guest OS. This also failed. I simply couldn’t get it to work.

Lame man’s V2V

This one will be short n sweet.
V2V a VMDK to a VHDX

Get this.

DO this:

Import-Module 'C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1'

ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath (Drive):\VM-disk1.vmdk -VhdType DynamicHardDisk -VhdFormat vhdx -destination (Drive):\vm-disk1

Don’t Squat on my Name

I found this interesting. I was checking out my DNS server to make some new static host records for my newly networked test environment/sandbox. To my surprise I found these weird new DHCID (Dynamic Host Configuration Identifier) records. I wasn’t sure what was up with these, but I did notice them paired along with an A host record (same name, different value). A quick Google search revealed this nice old MS gem.

While it states “Name squatting occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already registered to a Windows-based computer.” and even Susie Long pretty much states the same thing from this TechNet Post.

What I found in my case was that it was created for only a couple of users, and it was from their iPhones after I had replaced them with new iPhones and set up the new phones by using iTunes to make a backup and copy their contents over. I’m assuming it’s because the same name already existed in DNS from the old phone’s DHCP request, and the new phone had the same device name after the restore. In my case I knew they weren’t important records since no one would ever need to access their phones via DNS name, lol. So I simply deleted them. We’ll see if they come back.

I already knew all about DHCP and DNS scavenging but this was a new one for me. 😀

SharePoint User Full Control – Site has not been shared with you

I’ll keep this one short. After my recent SharePoint migration (ahem, 1 web app out of 6 I have yet to complete), I noticed my standard user account was not able to add pages to my new 2016 site. A little different than this blog post about being unable to edit; however the fix was exactly the same.

  1. First ensure you have site collection admin rights on the site collection in question.
  2. Load the site with this account (I noticed there’s only logout, and no longer sign in with another user under the user hamburger menu, so open a browser as the user with site collection admin rights).
  3. Go to Site Settings -> Master pages and page layouts
  4. In his case, as well as mine, the library had unique permissions (not sure why; I have yet to log into my old SharePoint page and see if it was like this before the migration). Simply make it inherit permissions from the root site.

I was able to find this info on TechNet. I’m on there quite frequently, feel free to check out some of my posts. 😀 Maybe there’s a way I can add my TechNet profile to the WordPress social links. 😀 Stay tuned.

Spectre Meltdown

If you’re reading this then chances are more than likely you’re looking up information on the two biggest vulnerabilities to be announced since Heartbleed.

Now there are just a ton of people talking about these vulnerabilities; I’m going to try and avoid all the real technical mumbo jumbo.

First things first… are you affected?!

*Shakes 8 ball* Most Likely.

Now you might be wondering, “How can that be?!” Well, first let’s talk about Meltdown. Meltdown apparently affects Intel chips only. In short, it’s a weakness in memory handling within the CPU. Do you have an Intel chip running your computer? Chances are more than likely. Running Windows? Well, you’re in luck: Microsoft is making sure your OS is safe, but at what cost? Maybe a slower system than ever… No, AMD then? Well OK, you may be safe from Meltdown, but you’re still vulnerable to Spectre, and guess what? Microsoft isn’t able to help you get patched either, well, apparently if you happen to be running an old AMD chipset.

Not sure how well Intel will do following this, but the odd share sales by the CEO def don’t look like good signs…

Alright, now back to Spectre.

Well, to start off, to say it simply… never assume; it makes an ass of you and me. Now you’ve probably heard this saying before, and you might be wondering why I’m even saying it. Well, this vulnerability revolves around the CPU’s algorithm (speculative execution) to assume a result based on repetition of previous outcomes of the same operation.

Crazy how these are totally physical-based vulnerabilities (at the CPU chip) which affect them all going back super far. How far back? Well, I had to dig a lil deeper into the interwebs via Google (so they know what I’m all about, lol) and discovered that the Pentium Pro was the first. Now I’m simply going on the author’s words here, but finding sources from so long ago even today can be rather difficult, so I’ll simply take his word for it. The blog is actually a great read and covers the aspect of the vulnerability very well. However he goes on to say it’s all about Meltdown, when it might be about Spectre?

Either way… it’s a Spectre Meltdown.

If anyone’s running an HP Spectre laptop with an Intel chipset, and it starts melting down, that’d be quite the coincidence. 😛

Happy hacking! Start writing some JavaScript-based code to exploit these assuming chips 😉

Clearing the DNS cache

This one will be nice and short. I was working on a DNS zone migration, from one domain to another. Since the zone wasn’t the parent zone of the AD domain it was in, I had two options. One, make the new domain authoritative for the zone; once trust is established they would take over the zone. Or, in this case, since there were only a few records and the new AD domain was already created with the same domain name as the zone I was attempting to migrate, I figured I’d simply recreate the records manually.

Basically, set up your conditional forwarders to the new domain DCs, which will be authoritative for the new zone. Generally allow UDP (TCP as well if you want to be extra safe) on port 53 through the firewall, and records should resolve just fine. In this case you’ll clearly notice that resolving a record for the transferred zone from the original domain now replies with a non-authoritative answer. This is to be expected, as the domain’s DCs that you are associated with (and that your DNS settings are generally configured to via DHCP, of course) are no longer controlling the zone (adding/removing/editing records). Again, as expected, these are now managed via the new domain which the zone was transferred to.

So lo and behold, I messed up one of the records’ IP addresses. Sure, it’s super fast to adjust and force replication; however replication would be domain/forest wide. Even though I did this on both domains, I found my previous DCs’ non-authoritative answer still didn’t update. I triple checked that all systems in the new domain could get the proper reply from the DC/DNS servers. So what gives? Why were the old DCs’ DNS servers replying with the old IP address, when the conditional forwarders were set up to query the proper DNS servers and those were 100% holding the correct IP address?

The answer? Cache. Yup, the lovely blessing and nightmare that is cache. So what does any regular workstation admin try… yeah, you guessed it, “ipconfig /flushdns” (c’mon, we’re talking AD here, which is Microsoft specific AFAIK). Do a query from your old domain DCs and yet the record is still the old IP address?!?!

What gives? Well… in this case ipconfig /flushdns only clears the client resolver cache. You may be wondering, isn’t the old DC a client in this case? Yes and no. It’s still a DNS server, and it still needs to answer the queries it receives; the command above would help if it were simply a client doing a query (yes, we are doing a query, but for a record the server itself holds a cached copy of in order to reply). To stop beating around the bush: as a DNS server it needs to clear its own cache, the records it retains to provide to requesting clients. This is a different command; in this case it’s dnscmd /clearcache. That’s it. Do another lookup and you’ll find your old DC DNS servers showing a non-authoritative answer with the new IP address. Of course you could have also simply waited for the cache to expire and replication to occur naturally… but ain’t nobody got time for that!

 1) To clear the DNS cache on a client system (Windows): ipconfig /flushdns
 2) To clear a non-authoritative DNS server’s cache: dnscmd /clearcache
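To make that difference concrete, here is a PowerShell snippet to run on an old-domain DC that compares the answer this server gives (possibly from its cache) with the answer from the new domain’s authoritative DC and runs dnscmd /clearcache only when they differ. It is an added example, not from the original post; the host names are placeholders, and it assumes the DnsClient module (2012+) and dnscmd on the DC.

```powershell
# Added example (not part of the original post). Run elevated on an old-domain
# DC/DNS server. $Record and $AuthServer are placeholder names, not real hosts.
param(
    [string]$Record     = 'host1.migrated.example',   # placeholder: migrated record
    [string]$AuthServer = 'dc1.newdomain.example'     # placeholder: new-domain DC
)

function Get-ARecord([string]$Name, [string]$Server) {
    # Query one specific server. -DnsOnly bypasses this box's own client resolver
    # cache, so we see what that *server* answers, not what ipconfig /flushdns clears.
    $ips = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress }
    ($ips | Sort-Object) -join ','   # normalised so multi-valued answers compare cleanly
}

# Answer served by this DC (conditional forwarder + server cache) vs. the source of truth.
$local = Get-ARecord -Name $Record -Server $env:COMPUTERNAME
$auth  = Get-ARecord -Name $Record -Server $AuthServer
"Local (possibly cached) : $local"
"Authoritative           : $auth"

if ($local -ne $auth) {
    'Stale answer detected; clearing this DNS server''s cache with dnscmd /clearcache'
    dnscmd /clearcache | Out-Null
    # Re-query: the forwarder now has to ask the authoritative DC again.
    $local = Get-ARecord -Name $Record -Server $env:COMPUTERNAME
    "After clearcache        : $local"
    if ($local -ne $auth) { Write-Warning 'Still stale: check the conditional forwarder for the zone.' }
} else {
    'Answers match; nothing to clear (clients may still need ipconfig /flushdns).'
}
```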