Author: devstime

Windows Server 1709 & Docker Container Micro services – Deployment Part 1

devstime Containers

Introduction

Windows Server, version 1709 is the first release to ship in Semi-Annual Channel. It is a new cadence of release which is supported for 18 months and will have the new versions released every 6 months, which is different from the standard Microsoft Long-term servicing Channel (LTSC).

Windows Server, version 1709 that runs only in server code mode contains variety of enhancements and new features. This version is all about innovations on applications, particularly those build in containers and micro-services. Since this version concentrates on specific scenarios, it is available only in Standard and Data-center editions.

Windows Server 1709 features

Following listed are the major features and enhancements on the version.

  1. Updated Server core container OS
  2. Nano server available as container OS
  3. Reduction in image size of Server core and Nano container
  4. Support for Linux Containers with Hyper-V isolation
  5. Project Honolulu, modern management

P1

 

System Requirements

System requirements remains same as in Windows Server 2016.  Following are the minimum requirements.

Processor:

  • 4 GHz 64-bit processor
  • Compatible with x64 instruction set
  • Supports NX and DEP
  • Supports CMPXCHG16b, LAHF/SAHF, and PrefetchW
  • Supports Second Level Address Translation (EPT or NPT)

RAM:

  • 512 MB (2 GB for Server with Desktop Experience installation option)
  • ECC (Error Correcting Code) type or similar technology

Storage and disk space

  • 32 GB

Network adapter

  • An Ethernet adapter capable of at least gigabit throughput
  • Compliant with the PCI Express architecture specification.
  • Supports Pre-boot Execution Environment (PXE).

 

Windows Server 1709 Setup

In this section, you’ll find how to install Windows Server 1709 in Azure and run docker containers with the IIS web service.

  Getting started with 1709 version

Following is the procedure to create a new virtual instance in azure with Windows Server 1709 version.

  • Login to the azure portal and navigate to Virtual instances. Click on Add
  • On the compute window, type “Windows Server, version 1709” and search. You will get a list of versions among which select “Windows Server, version 1709 with containers”

P2

  • Choose the deployment model -> Provide other details on the virtual instance configuration such as Name, VM Disk type, Username, password, Resource group, Size, Location, etc.
  • On the Summary page, accept the terms of use and Click Create
  • Once the virtual instance is created, Connect and login to the server
  • Once you login, you will experience core mode welcome screen

p3

  • On the command prompt, type “docker version” to get the version information

p4

  • Before proceeding further, make sure that the server is installed with the latest updates
  • Execute command “sconfig” and type the option as “6” to download and install the updates

C1.png

  • Type “A” and enter to search for all the updates

C2.png

  • Type “A” and enter to install all the listed updates as per the system

B1.png

  • Once the machine is installed with the updates, execute the command “docker images” to list the images available on the server

B2

  • As per the above screenshot, we could see that there are two images, which are Microsoft/servercore and Microsoft/nanoserver.

We will further see how to create new container with the image and configure services.

Deploying container and configure IIS Micro services

We will use the existing the server core image to create a new container.

  • Note down the image ID of the servercore. As per the screenshot, it is fc3e0de7ea04. Execute the command as mentioned below to create new container with the image

docker run –name IISWebserver –it –p 80:80 fc3e0de7ea04 cmd

(Creates new container IISWebserver with the image windowservercore and enables port 80 on the same. Parses cmd process to the container and runs it”)

B4.png

  • Command prompt on the container will be launched on successful completion
  • You could verify the status of the container by executing the command “docker ps”(docker ps –a lists all the created/exited containers)

D1

You could verify the hostname and IP addresses of the container

D2.png

  • Type “powershell” to change the mode and use the “Install-Windowsfeature web-server” command to install the IIS role on the container

D3

D4.png

D5.png

Note: You are configuring service on the container that you have created upon the server.

  • Web server role is successfully installed on the container
  • Now, access the server IP address from Internet explorer. You will receive the IIS default webpage.

Z1.png

  • Import the Webadministration PowerShell module and administer your websites through the same

Z2.png

  • Example of hosting a website
  • Copy any html file to the C:\inetpub\wwwroot path or create new one with test content

1.png

  • Access the webpage by adding the respective html file name

2.png

  • To stop the container, execute the command “docker stop <container ID>”

3.png

  • To start connect to the container again, execute the commands

docker start <container ID>

docker exec -it <container ID> cmd

4.png

In the next Part, will see how we can create & run multiple docker containers with different services using 1709 to understand the containers capabilities.

WannaCry – Already Crying!! – if you cant patch!

devstime Uncategorized

Already the news is all over, internet of ransomware. Below are the quick steps to action if you cant get the downtime of machines or etc..etc reasons (It’s running Windows and it only affects Windows.).

And the most important phrase for few days – Trust no one. Literally never open attachments in emails from someone you don’t know.

  1. Disable SMB1.0 / CIFS file sharing support from the windows features. (since it targets through SMB)

GUI:

PowerShell:

Windows Powershell as Administrator

Note :

  • If infected and do not have backups for critical data ( (Disconnect the object from network immediately). DO NOT delete your encrypted files. A decryptor may be possible within a few days
  • As Microsoft download servers seem busy or overloaded DON’T make the mistake of downloading patches from blurry sites.

Ref:

In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.

https://technet.microsoft.com/library/security/MS17-010

 

Nano Server – The Future of Modern Datacenter

devstime Nano Server

Windows without Windows –

Nano Server is the new headless deployment option for Windows Server 2016. It’s just Headless, but not brain less. 🙂 it’s an excellent solution for modern micro service architecture.

Most of the contents were extracted from Jeffrey Snover interview in Microsoft Mechanics.

The Lightest and Fastest:

The Nano Server is similar to the Windows Server Core mode, but the configuration size of the OS is way smaller compare to GUI one.

Key highlights: What makes Nano server unique?

  • Very few OS updates
  • Faster Reboots (In-fact, very less reboot)
  • Improved resource utilization
  • Install Components what your application needs and nothing else (So less process – Hence quick reboots)
  • Highly customizable
  • No to MSI support, Graphical Stack,  RDP (Highly secured, no much option for attackers :))
  • Fewer ports need to be opened.
  • And its remotely administered server operating system optimized for private clouds and data-centers.
  • Package based installation
    • You can Customize by creating an image or package using PS or DSC – Like,.
      • Hyper- V compute package
      • Web -IIS package
    • Installation of package can be done through either of following ways,
      • Local
      • UNC

 

Nano1

And the stats here:

nano2

The two main scenarios where NANO solution concentrating are,

  • Cloud and Private Infrastructure
  • Cloud and Application Platform

I have not included the steps on how to do it, since this post is more about exploration.

How do I Install Nano server?

Installation of Nano server is very simple and goes PS way. Import the PS file from 2016 image folder and convert the wim image file to VHD. You are done.

How do I Manage Nano server?

Nano Server is a remotely administered server operating system optimized for private clouds and data centers. Yes, it’s via PowerShell and WMI.

Also, you can remotely manage via existing tools and a new web-based remote management.

Further, offline management can be achieved via the new Nano Server Recovery Console – it’s a local interface.

Local interface will give options to mange the following,

  • Firewall
  • Network Components.

Nano server in Azure?

Microsoft had introduce Azure based remote server management tool, where you can manage nano in Azure portal with very good graphical representation of monitoring components like, CPU, Memory, Network etc.

Including, Device manager for that matter.

Can I install DNS in Nano?

Yes off course, but the DNS server thus created cannot be a domain controller.

The Nano server does not support running a domain controller in Windows Server Technical Preview 4

For more updates on Nano server : Follow the blog

https://blogs.technet.microsoft.com/nanoserver/2015/05/12/welcome-to-the-new-nano-server-blog/

 

ADFS 3.0 – SSL CERTIFICATE RENEWAL

devstime ADFS

INTRODUCTION:

Active Directory Federation Service (ADFS) is a component introduced by Microsoft in server operating system to provide federation and single-sign on as a service which helps an organization to connect with different partners applications in a secured manner. In simple terms, AD FS allows an organization to provide facility to the users to login into multiple applications with one-time login.

Certificate plays an important factor in terms of AD FS Service. It is the key which provides a connection to get the users into the necessary data in a much secured way restricting the unauthorized access to it. AD FS uses both public and “self-signed” certificates.

This article provides information on different types of certificates used in AD FS and also methods to renew the SSL certificate.

ADFS CERTIFICATES:

Before explaining on the types of certificates being used, let us see a short note on the keys being used on the certificates for the security purpose.

  • Public Key – Key which is available to any application that requests for communication to encrypt the messages.
  • Private Key – Secret key which is known only to the users who are involved in the communication.
  • Session Key – Combination of public and private key data to establish the communication

There are majorly three certificates being used by AD FS for Single-Sign on

  • Service Communications/SSL Communications:

As the name implies, this certificate is the one which is responsible for encrypting the connectivity of client to AD FS Servers. It encrypts all the data between client and AD FS Servers which is being parsed for establishing the connection to the application. (Username, password)

  • Token-Signing

Certificate which signs all the security tokens that AD FS produces so that the resources (Web Server) verifies and identifies the token being transmitted are from the authorized AD FS.

  • Token-Decryption

AD FS uses the token decryption certify to decrypt the security token with the private key for communicating with the claim providers.

Among the above mentioned certificates Token-signing and Token-Decryption are self-signed by default wherein secure communication is public.

PRE-REQUISITES:

We will further see how to renew different AD FS Certificates with a lab setup explained. Please make sure you have the following prerequisites checked before proceeding with the certificate renewal.

  • AD FS Infrastructure architecture (Primary Secondary details of ADFS Servers)
  • New Certificate from the Certificate Authority
  • Permissions available for the current certificates

Note: This document contains information only on AD FS 3.0 version.

LAB SETUP EXPLAINED

Following is the architecture of the lab setup in which we are going to perform the SSL renewal activity.

Server Name IP Address Role
TSTADFS01 192.0.0.6 Primary ADFS Server
TSTADFS02 192.0.0.7 Secondary ADFS Server
ADFSWAP01 192.0.0.4 ADFS Proxy Server
ADFSWAP02 192.0.0.5 ADFS Proxy Server
TSTLB01 192.0.0.1 Load Balancer Node 1
TSTLB02 192.0.0.2 Load Balancer Node 2
Adfs.test.com 192.0.0.3 VIP for ADFS

In this lab setup, ADFS 3.0 is been deployed as a farm and in total the farm has four servers, two backend or main ADFS servers and two WAP or proxy servers for public or internet access.

For redundancy, both ADFS and ADFS proxy servers are being paired. In addition to this the

External traffic is being routed through the load balancer.

ADFS

Application configuration

  • On the ADFS servers, the ADFS Role will be installed.
  • On the ADFS Proxy servers, the Web Application Proxy will be installed.
  • On All servers, KB2919355, which is a major update for WS2012R2, adds the new capability for alternate login ID will be installed

SSL CERTIFICATE RENEWAL – PROCEDURE:

As mentioned earlier, Service communication certificates are public and it is been published by trusted Certificate Authority. Since our lab environment contains more than one AD FS Server, we will perform the following steps only on primary server since the changes will get replicated to other servers in the farm.

Renewal with same private key

In order to renew the certificate with same private key, we need to retrieve the current private key from the SSL certificate.

To retrieve the private key, use the following steps.

  1. Install OpenSSL on the server where you will be performing the renewal process.
  2. Click Start, Run prompt and type in exe”
  3. Click File and select “Add/Remove snap-in”
  4. Select Certificates, Select Computer account”, then This Computer”, Click Add” and then “OK”
  5. In the Personal Container, right click the old SSL certificate, Select All Tasks” and then Export”
  6. Export with the option “Include all certificates path if possible” and “Export all extended properties”. Provide the name as “Privatekey” and export it.

ADFS3

Note: If “Yes, export the private key” option is disabled then you cannot renew the certificate with the same private key since the certificate authority has generated the certificate with the option “non-exportable”. Hence you need to further check with CA to resolve it.

  1. Run the following command to export the private key from the certificate file(.pfx)

Openssl pkcs12 –in Privatekey.pfx –nocerts –out pkey.pem

  1. Make sure you have new certificate, exported private key file and OpenSSL installed. Run the following command to create a new certificate file with the private key and new certificate

Openssl pkcs12 –export –in new.crt –inkey pkey.pem –out newsslcert.pfx

  1. Import the newly created certificate file to the Computer accounts personal container with the option “Mark this key as exportable. This will allow you to back up or transport your keys at a later time” and “Include all extended properties” selected.

Remaining steps to set the new certificate for AD FS will be explained in the next section. (Refer steps (ii) to (vii))

Renewal with new private key

(i)Import new certificate in ADFS Primary Server

  1. Click Start, Run prompt and type in “mmc.exe”
  2. Click File and select “Add/Remove snap-in”
  3. Select “Certificates”, Select ”Computer account”, then ”This Computer”, Click Add and then OK”
  4. In the Personal Container, import your new certificate.

(ii)Set permissions for the new certificate

  1. In Certificates console, Right click the new certificate, Select “All tasks” and then “Manage Private keys”
  2. Add Read access to the service accounts which is being used to run the AD FS Service

(iii)Set new Certificate in AD FS

  1. Open AD FS Management console, Expand Services and select Certificates
  2. Select the new certificate and click “Set service Communications Certificate” in the action pane
  3. You will be presented with a list of certificates that are valid for Service Communications. If you find that your new certificate is not being presented in the list, you need to go back and make sure that the certificate is in the local computer Personal store with private key.

(iv)Restart the Active Directory Federation services

  1. Open Powershell as administrator and run the following command

Restart-Service adfssrv

(v)Execute Powershell cmdlets to change the configuration file

  1. To complete the configuration change, run the following commands in Powershell

Get-AdfssslCertificate

(Make a note of the thumbprint of the new certificate)

Set-AdfsSslCertificate –Thumbprint <Thumbprintofnewcertificate>

(vi)Restart the Active Directory Federation services

  1. Open Powershell as administrator and run the following command

Restart-Service adfssrv

(vii)Update Certificate in WAP Server

  1. Import the new certificate to the server as in step 1 to 4
  2. Run the following commands(in Powershell) in AD FS WAP proxy Server

Get-WebapplicationProxyApplication

(Make a note of the thumbprint of th(e new certificate)

Set-WebApplicationProxySslCedrtificate –Thumbprint <Thumbprintofnewcertificate>

  1. All of your publishing rules defined in the WAP need to be updated with the thumbprint of the new certificate. Use Powershell for updating them with the new thumbprint. Run the following command

Get-WebApplicationProxyApplication –Name “WebAppPublishingRuleName” | Set-WebApplicationProxyApplication –ExternalCertificateThumbprint “<Thumbprintofyourcertificate>”

  1. Restart the Web Application Proxy services to complete the configuration

TOKEN-SIGNING & TOKEN-DECRYPTING RENEWAL

Since Token-signing and token-decrypting are self-signed, by default the certification lifetime is set to 365 days.

Verify the settings in your AD FS configuration which is required for the renewal by running the following command

Get-ADFSProperties

This command will display all the configuration properties of ADFS among which we require the information of only the following properties

 AutoCertificateRollover

  • CertificateDuration
  • CertificateGenerationThreshold
  • CertificatePromotionThreshold
  • CertificateRolloverInterval

These properties help us to find whether the ADFS is set to automatically manage the certificate renewal and expiry process

ADFS4

As per the above settings,

  • ADFS will be aware that the certificates will be expiring within 20 days
  • Creates new certificates valid for 365 days and set the new certificates as secondary certificate
  • After 5 days updates the new certificate as primary.

If the AutoCertificateRollover property is set to false, we need to manually rollover the certificates.

Note: AD FS service outage incurred when the Token-Decrypting or Token-Signing certificates are updated because the relaying parties must update their configuration to expect the new certificates.

Run the following command to force the AD FS to generate the new certificates and promote them as primaries immediately

Update-ADFSCertificate –CertificateType “Token-Signing” –Urgent

Update-ADFSCertificate –CertificateType “Token-Decrypting” –Urgent

Other simplest way would be to extend the “CertificateDuration” Property with the following command.

Set-ADFSProperties -CertificateDuration <Numberofdaystoextend> -AutoCertificateRollover $true

 Example: Set-ADFSProperties -CertificateDuration 1825 -AutoCertificateRollover $true

This command will set the certificates to last for 5 years

Domain Controller in VM is unable to authenticate the users

devstime Uncategorized
Findings in Windows events during this kind of scenarios:
 
1.       A NetoLogon service is getting paused.
2.       Unable to rollback operation on NTDS Database.
3.       An attempt to write the edb.log return failed.
Directory Service Logs:

ESX Logs:
Observed below events in the VM logs at same point of time prior to the net logon service pause.

Why this behavior?

Based on the events, active Directory database is encountering problems with respect to read and write operations to the NTDS database.
 A sequence of events is observed indicating a possible AD database corruption. After multiple failures to update the directory database it results in a condition wherein users cannot logon to AD, and as a proactive measure the NetLogon service is paused by AD. This causes users or machines to unable to authenticate and logon to the server or domain.
Suspected Causes:
Possible causes can be,
·         Database Corruption
·         Snapshot process causing the performance hit, freezing the system, especially the disk IO.
·         Antivirus scanning the database and corresponding files
Also this issue can happen due to unsuccessful P2V conversion of the DC or DC is restored from a snapshot.
Suggestions and Recommendations:

  • Offline defragmentation of AD database
  • Check with application team if any specific tasks are running which is interfering with the snapshot backup process rendering the system to be non-responsive.
  • Confirm that Antivirus scan timings and also it excludes NTDS and other AD related folders from the scan selection list.
I recommend to create another DC (VM) and move all roles to the new DC, then demote the OLD DC and if required promote it as a DC again. This is to avoid situations like offline defragmentation, repair and restore of the database.