Installing Docker on 2016 Server

The first step is to install all the Windows updates.

This takes as long as it takes, so if you can use an image that already has the updates, use that.

install-module -Name dockermsftprovider -Repository psgallery -Force

Press Enter to install the NuGet provider if asked.

find-package docker | install-package

After the package has been installed, restart the computer and check that the service has started with:

get-service docker
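A post-reboot verification for the install above, added here and not part of the original post: it confirms the service, proves the engine answers, and makes the one configuration check worth doing on a fresh Docker host (no unauthenticated TCP listener). The daemon.json path is Docker's documented location on Windows.

```powershell
# Added example (not from the original post): post-reboot verification for the
# install above, plus the one configuration check worth making on a fresh Docker
# host: the engine must not be listening on an unauthenticated TCP socket.
$svc = Get-Service -Name docker -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Write-Warning "docker service is $($svc.Status); starting it."
    Start-Service -Name docker
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    $svc.Refresh()
}
"Service: {0}, start type {1}" -f $svc.Status, $svc.StartType

# Engine version; this also proves the local named pipe is answering.
docker version --format '{{.Server.Version}}'

# Exposing the engine over tcp:// without TLS gives anyone who can reach the port
# control of the host. Flag it if someone has added such a listener to daemon.json.
$daemonJson = Join-Path $env:ProgramData 'docker\config\daemon.json'
if (Test-Path $daemonJson) {
    $cfg = Get-Content -Raw $daemonJson | ConvertFrom-Json
    $tcp = @($cfg.hosts) -match '^tcp://'
    if ($tcp -and -not $cfg.tlsverify) {
        Write-Warning "daemon.json exposes $($tcp -join ', ') without tlsverify; use npipe:// only or enable TLS."
    } else {
        'daemon.json: no unauthenticated TCP listener.'
    }
} else {
    'daemon.json not present: the engine listens on the local named pipe only (the default).'
}
```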

Note: If you are doing this from AWS or Azure there are images that already have docker installed.

Using Group Policy to assign a WSUS server as the Windows Update location

Open the Group Policy Editor.

Expand down to the Group Policy Objects container, right-click it and select New.

Name it according to whatever standards you are using and click OK.

Right-click it and select Edit.

Group Policy Management Editor opens. Navigate to Computer Configuration => Administrative Templates => Windows Components => Windows Update, then find Configure Automatic Updates and double-click it.

Click Enabled and choose the installation method that is appropriate for you.

Then double-click Specify intranet Microsoft update service location.

Click Enabled, then enter the WSUS server and statistics server and click OK.

Finally, link the group policy to the OU that you want to apply it to.
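A client-side check for the policy above, added here and not part of the original post: it reads the registry values the two policy settings write and flags the configurations that silently defeat them. The registry paths are the documented policy locations; nothing else is assumed.

```powershell
# Added example (not from the original post): verify on a client that the WSUS GPO
# above has applied, and flag the settings a reviewer would question.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

if (-not $wu -or -not $wu.WUServer) {
    Write-Warning 'No WUServer value: the GPO has not applied here (try gpupdate /force, then gpresult /r).'
    return
}

[pscustomobject]@{
    WUServer       = $wu.WUServer        # "Specify intranet Microsoft update service location"
    WUStatusServer = $wu.WUStatusServer  # the statistics server
    UseWUServer    = $au.UseWUServer     # 1 = clients actually use the intranet server
    AUOptions      = $au.AUOptions       # the installation method chosen under "Configure Automatic Updates"
} | Format-List

# Two caveats: the client ignores WUServer unless UseWUServer is 1, and a plain
# http:// WSUS URL lets anyone on the network path tamper with update metadata,
# so the server should be published over https:// with a certificate clients trust.
if ($au.UseWUServer -ne 1) { Write-Warning 'UseWUServer is not 1; clients will still go to Microsoft Update.' }
if ($wu.WUServer -notmatch '^https://') { Write-Warning "WUServer ($($wu.WUServer)) is not HTTPS." }
```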

Installing and configuring WSUS

Log on to the member server that you want to install WSUS on and open Server Manager.

Click Add Roles and Features.

Select Windows Server Update Services.

Click Add Features, then click Next.

Click Next at the Features window.

There is the option here to use the Windows Internal Database or another database. I am choosing the WID and clicking Next.

Select the path where you want to store updates. I am using c:\wsus, but a larger storage area on a different disk or network share might be more appropriate.

Click Next, accepting the defaults.

Finally, click Install and give it some time to install.

Once it does install, go back to Server Manager and click on the Tools menu.

Select Windows Server Update Services.

Click Run.

Let the task run for a while; as it says, it might take a few minutes.

After it completes, click Close.

Update Services opens.

If the WSUS configuration wizard does not open automatically you can start it from the Options menu.

Read the Before You Begin page and click Next.

Choose whether or not to join the improvement program and click Next.

This is the upstream server, so I am choosing to update from Microsoft Update.

If you need to use a proxy server, configure it here.

Click Next.

Click Start Connecting. This takes some time.

Click Next.

The default is to download updates in all languages. This can take up a lot of extra space, so it is better to download only the languages you need; in my case English.

Click Next.

Under the list of products to update, be sure to only include the ones you need. You should be able to remove Windows 2000, for example.

When you are satisfied, click Next.

Select the update classifications that you want to download and click Next.

You can select how you want synchronization to occur: manually, or automatically at a certain time and a certain number of times a day.

When you have decided, click Next.

You can now choose to begin the initial synchronization by checking Begin initial synchronization, then clicking Next.

Now you can review the final steps and click Finish.

Next, go to the Update Services console and click on Updates.

Select the updates that you want to approve, right-click them and select Approve.

All of the settings to be configured can be found under Options.

Click on any of the links and you can make configuration changes there.
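The same build scripted with the UpdateServices module, added here and not part of the original post, so the choices the wizard asks for (WID, content path, languages, products, classifications, sync schedule) are recorded and repeatable. The content path, the product titles and the 03:00 schedule are assumptions for this lab.

```powershell
# Added example (not from the original post): the WSUS install and first-run
# configuration from the walkthrough, done from PowerShell instead of the wizard.
Install-WindowsFeature -Name UpdateServices-WidDB, UpdateServices-Services -IncludeManagementTools

# The post-install task Server Manager runs for you; CONTENT_DIR is where updates are stored.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\wsus

$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()

# Upstream server: synchronize from Microsoft Update.
$config.SyncFromMicrosoftUpdate = $true

# Only the languages you need; all languages is the default and the disk cost is large.
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages(@('en'))
$config.Save()

# Products and classifications: drop what you do not support, keep what you patch.
Get-WsusProduct | Where-Object { $_.Product.Title -match 'Windows 2000|Windows XP' } | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -eq 'Windows Server 2012 R2' } | Set-WsusProduct
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in 'Critical Updates', 'Security Updates' } |
    Set-WsusClassification

# Synchronize automatically once a day at the given time of day, then start the first sync.
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically          = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3
$subscription.NumberOfSynchronizationsPerDay    = 1
$subscription.Save()
$subscription.StartSynchronization()
```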

How I study for Microsoft Certification

When I study for Microsoft certification I use the following resources:

First I use CBT Nuggets. I start by watching the videos in double time. Then in single time I go through and make notes using OneNote. I find it good to paste from the screen straight into OneNote, make my own notes and create links to relevant resources like Technet.

Next, where there are procedures, I go through and do them on servers that I provision on AWS. I used to use VMware for this, but I am limited on how many servers I can bring up at the same time. Having said that, I do use VMware for anything relating to Hyper-V, as it is not possible to install on an AWS instance.

After I have made my notes from CBT Nuggets and done the examples I go and buy a practice exam. Whatever questions I get wrong I make notes on and anything that involves a procedure I make sure that I do on a virtual machine.

When I am scoring around 95% consistently then I go sit the exam.

Creating an event viewer subscription

The server that you want to collect the event viewer entries on is the collector.

The server that you want to send events from is the forwarder.

The first step is to open Event Viewer on the collector.

From Event Viewer, click on Subscriptions.

You are prompted to start the Windows Event Collector service; click Yes.

From a command or PowerShell prompt type:

wecutil.exe qc

You will be prompted to proceed; confirm to proceed.

Now on the forwarding computer you need to run winrm quickconfig.

A quick way to do that is with PowerShell remoting. From the All Servers section of Server Manager, right-click on the forwarding computer and select PowerShell.

Now you need to add the collecting computer to the Event Log Readers local security group on the forwarding computer. This can be done with PowerShell remoting again by entering the following command:

net localgroup "event log readers" dc01$ /add

Just to confirm, and to demonstrate the GUI way of doing things, I have opened Computer Management on the forwarding machine and double-clicked on Event Log Readers; DC01 is listed as a member. If you want to do this the other way, click on the Add button and search for the computer.

Now go back to the collecting computer, right-click on Subscriptions and click Create Subscription.

I am doing collector initiated, but you could choose source computer initiated.

Add the computer or computers, as your case may be, and it is a good idea to click Test just to see that it works.

You should select which events you want to collect.

Pick whatever you want to filter on; I have chosen the Application log.

Click OK and OK and the subscription is created.
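A health check to run on the collector once the subscription exists, added here and not part of the original post: it confirms events really arrive from each forwarder and flags any that has gone quiet, because a silent forwarder is a blind spot, not an absence of events. The subscription name and the forwarder list are assumptions.

```powershell
# Added example (not from the original post): confirm that forwarded events are
# arriving from every expected forwarder, and warn about any that have gone quiet.
$subscriptionName   = 'Application log from servers'   # assumed name
$expectedForwarders = @('MS01', 'DFS01')                # assumed forwarders
$quietAfterMinutes  = 60

# gs prints the subscription definition; gr prints the runtime state of each source
# (Active, Inactive, Disabled, ...) and its last error, the first place to look.
wecutil.exe gs $subscriptionName
wecutil.exe gr $subscriptionName

# Count forwarded events per source computer inside the recent window.
$since  = (Get-Date).AddMinutes(-$quietAfterMinutes)
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
    -ErrorAction SilentlyContinue
$bySource = @{}
foreach ($e in $recent) {
    $src = ($e.MachineName -split '\.')[0]      # drop the DNS suffix before comparing
    $bySource[$src] = 1 + [int]$bySource[$src]
}

foreach ($fwd in $expectedForwarders) {
    if ($bySource.ContainsKey($fwd)) {
        "{0}: {1} events in the last {2} minutes" -f $fwd, $bySource[$fwd], $quietAfterMinutes
    } else {
        $msg = "{0}: no events in the last {1} minutes. Check that WinRM is running there, that the " +
               "collector's computer account is in Event Log Readers, and that the subscription's " +
               "Test button passes."
        Write-Warning ($msg -f $fwd, $quietAfterMinutes)
    }
}
```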

Querying Active Directory with PowerShell tools

With Windows Server 2012, when you install Active Directory the system also installs the Active Directory PowerShell module.

The other PowerShell tool, and in some ways my preferred one, is the Quest ActiveRoles Management Shell for Active Directory. It is a free download and has the advantage of being able to query and manipulate legacy domains back to 2003, and it can be run from an XP workstation that is not even in a domain.

For a complete listing of AD commands type get-command get-ad*

The main commands that I seem to use are:

Get-ADComputer

NAME
Get-ADComputer

SYNOPSIS
Gets one or more Active Directory computers.
SYNTAX
Get-ADComputer [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
<Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -Filter
<String> [<CommonParameters>]

Get-ADComputer [-Identity] <ADComputer> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition
<String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADComputer [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
<Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>]
-LDAPFilter <String> [<CommonParameters>]
DESCRIPTION
The Get-ADComputer cmdlet gets a computer or performs a search to retrieve multiple computers.
Get-ADUser

NAME
Get-ADUser

SYNOPSIS
Gets one or more Active Directory users.

SYNTAX

Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
<Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -Filter
<String> [<CommonParameters>]

Get-ADUser [-Identity] <ADUser> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>]
[-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
<Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>]
-LDAPFilter <String> [<CommonParameters>]
DESCRIPTION
The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple user objects.
Get-ADGroup
NAME
Get-ADGroup

SYNOPSIS
Gets one or more Active Directory groups.
SYNTAX
Get-ADGroup [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -Filter
<String> [<CommonParameters>]

Get-ADGroup [-Identity] <ADGroup> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADGroup [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>]
-LDAPFilter <String> [<CommonParameters>]
DESCRIPTION
The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from an Active Directory.
Get-ADGroupMember

NAME
Get-ADGroupMember

SYNOPSIS
Gets the members of an Active Directory group.
SYNTAX
Get-ADGroupMember [-Identity] <ADGroup> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>] [-Recursive [<SwitchParameter>]] [-Server <String>] [<CommonParameters>]
DESCRIPTION
The Get-ADGroupMember cmdlet gets the members of an Active Directory group. Members can be users, groups, and computers.
Get-ADDomainController

NAME
Get-ADDomainController

SYNOPSIS
Gets one or more Active Directory domain controllers based on discoverable services criteria, search parameters or by providing a domain controller identifier, such as the NetBIOS name.
SYNTAX
Get-ADDomainController [[-Identity] <ADDomainController>] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Server <String>] [<CommonParameters>]

Get-ADDomainController [-AuthType <ADAuthType>] [-AvoidSelf [<SwitchParameter>]] [-DomainName <String>] [-ForceDiscover [<SwitchParameter>]] [-MinimumDirectoryServiceVersion <ADMinimumDirectoryServiceVersion>]
[-NextClosestSite [<SwitchParameter>]] [-Service <ADDiscoverableService[]>] [-SiteName <String>] [-Writable [<SwitchParameter>]] -Discover [<SwitchParameter>] [<CommonParameters>]

Get-ADDomainController [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Server <String>] -Filter <String> [<CommonParameters>]
DESCRIPTION
The Get-ADDomainController cmdlet gets the domain controllers specified by the parameters. You can get domain controllers by setting the Identity, Filter or Discover parameters.

One thing to note when using these commands is that -Filter does not always work the way you might think it should.

Here is an example:

PS C:\Users\Administrator> Get-ADUser -Filter {name -like "*admin*"}
DistinguishedName : CN=Administrator,CN=Users,DC=example,DC=com
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : f19d3d13-169f-4dab-94dd-dc6786d12359
SamAccountName : Administrator
SID : S-1-5-21-771749751-4163724236-1264096806-500
Surname :
UserPrincipalName :

PS C:\Users\Administrator> Get-ADUser -Filter {distinguishedname -like "*admin*"}

If you filter on name -like "*admin*" you get users with admin in their name, but distinguishedname either matches -eq the entire distinguished name or returns nothing.

PS C:\Users\Administrator> Get-ADUser -Filter {distinguishedname -eq 'CN=Administrator,CN=Users,DC=example,DC=com'}
DistinguishedName : CN=Administrator,CN=Users,DC=example,DC=com
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : f19d3d13-169f-4dab-94dd-dc6786d12359
SamAccountName : Administrator
SID : S-1-5-21-771749751-4163724236-1264096806-500
Surname :
UserPrincipalName :

Another thing to note is that not all properties are passed on to the pipeline unless -Properties * is added. This can be good because you can control what properties are passed.

All of the following properties can be passed through the pipeline:

AccountExpirationDate
accountExpires
AccountLockoutTime
AccountNotDelegated
adminCount
AllowReversiblePasswordEncryption
BadLogonCount
badPasswordTime
badPwdCount
CannotChangePassword
CanonicalName
Certificates
City
CN
codePage
Company
CompoundIdentitySupported
Country
countryCode
Created
createTimeStamp
Deleted
Department
Description
DisplayName
DistinguishedName
Division
DoesNotRequirePreAuth
dSCorePropagationData
EmailAddress
EmployeeID
EmployeeNumber
Enabled
Fax
GivenName
HomeDirectory
HomedirRequired
HomeDrive
HomePage
HomePhone
Initials
instanceType
isCriticalSystemObject
isDeleted
KerberosEncryptionType
LastBadPasswordAttempt
LastKnownParent
lastLogoff
lastLogon
LastLogonDate
lastLogonTimestamp
LockedOut
logonCount
logonHours
LogonWorkstations
Manager
MemberOf
MNSLogonAccount
MobilePhone
Modified
modifyTimeStamp
msDS-User-Account-Control-Computed
Name
nTSecurityDescriptor
ObjectCategory
ObjectClass
ObjectGUID
objectSid
Office
OfficePhone
Organization
OtherName
PasswordExpired
PasswordLastSet
PasswordNeverExpires
PasswordNotRequired
POBox
PostalCode
PrimaryGroup
primaryGroupID
PrincipalsAllowedToDelegateToAccount
ProfilePath
ProtectedFromAccidentalDeletion
pwdLastSet
SamAccountName
sAMAccountType
ScriptPath
sDRightsEffective
ServicePrincipalNames
SID
SIDHistory
SmartcardLogonRequired
State
StreetAddress
Surname
Title
TrustedForDelegation
TrustedToAuthForDelegation
UseDESKeyOnly
userAccountControl
userCertificate
UserPrincipalName
uSNChanged
uSNCreated
whenChanged
whenCreated

Not all of them can be filtered, but you can search for them with the Where-Object cmdlet. It is better to use -Filter when you can and only pass the properties that you need, as this can speed up querying dramatically.

The following examples do the same thing, but the first one is better practice.
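The -Filter and Where-Object approaches the text compares, added here and not part of the original post, timed side by side on a question a defender actually asks: which privileged accounts (adminCount=1) have passwords set never to expire? The search base is an assumption; point it at your own domain.

```powershell
# Added example (not from the original post): server-side -Filter with a narrow
# -Properties list versus a client-side Where-Object over -Properties *.
Import-Module ActiveDirectory

$searchBase = 'DC=example,DC=com'   # assumed; use your own domain

# Better practice: the domain controller evaluates -Filter (translated to LDAP) and
# returns only the attributes named in -Properties, so little crosses the wire.
$t0 = Get-Date
$viaFilter = Get-ADUser -SearchBase $searchBase `
    -Filter { adminCount -eq 1 -and PasswordNeverExpires -eq $true } `
    -Properties adminCount, PasswordNeverExpires, PasswordLastSet
$filterMs = ((Get-Date) - $t0).TotalMilliseconds

# Same answer the slow way: every user with every attribute, filtered client-side.
# Where-Object is the fallback for attributes -Filter cannot express, but on a
# large domain the difference is dramatic.
$t0 = Get-Date
$viaWhere = Get-ADUser -SearchBase $searchBase -Filter * -Properties * |
    Where-Object { $_.adminCount -eq 1 -and $_.PasswordNeverExpires }
$whereMs = ((Get-Date) - $t0).TotalMilliseconds

"Filter:       {0} accounts in {1:N0} ms" -f @($viaFilter).Count, $filterMs
"Where-Object: {0} accounts in {1:N0} ms" -f @($viaWhere).Count, $whereMs

# The two lists should agree; the accounts themselves are the audit finding.
$viaFilter | Select-Object SamAccountName, Enabled, PasswordLastSet | Format-Table -AutoSize
```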

For all these Get commands there are corresponding Set commands. Each Get command can be piped to a Set command.

For example, if I wanted to change the postal code from 4218 to 4219 I can do the following:

Get-ADUser -Properties postalcode -Filter {postalcode -eq "4218"} |

Set-ADUser -PostalCode "4219"

And the postal code changed.

Now using the Quest Active Directory tools.

I have installed the PSSnapin on my member server. To load the snapin, run the command:

Add-PSSnapin Quest.ActiveRoles.ADManagement

If you are going to use these tools it is a good idea to put this command in your profile; that way it will load every time you open PowerShell. To get a listing of all the commands type:

Get-Command get-qad*

CommandType Name
----------- ----
Cmdlet Get-QADCertificate
Cmdlet Get-QADCertificateRevocationList
Cmdlet Get-QADComputer
Cmdlet Get-QADDiagnosticLogStatus
Cmdlet Get-QADGroup
Cmdlet Get-QADGroupMember
Cmdlet Get-QADInactiveAccountsPolicy
Cmdlet Get-QADLocalCertificateStore
Cmdlet Get-QADManagedObject
Cmdlet Get-QADMemberOf
Cmdlet Get-QADObject
Cmdlet Get-QADObjectSecurity
Cmdlet Get-QADPasswordSettingsObject
Cmdlet Get-QADPasswordSettingsObjectAppliesTo
Cmdlet Get-QADPermission
Cmdlet Get-QADPKIObject
Cmdlet Get-QADProgressPolicy
Cmdlet Get-QADPSSnapinSettings
Cmdlet Get-QADRootDSE
Cmdlet Get-QADUser

I find these commands easier to use. As an example, get-qaduser will give me a listing of all users in the directory.

Filtering is easier too: I can just use name go* and it gives me every user starting with go.

And a simple | fl * will give me all the attributes.

I find the following easier to do with Quest than with the AD cmdlets.

And the post code is changed back.

Using Performance monitor

Performance Monitor can be opened by typing perfmon.msc or from the Tools menu.

Under Monitoring Tools you have Performance Monitor. By default it monitors CPU usage only, but you can add counters by pressing the green +.

Click on what you want to measure, then click Add.

It is common to use counters for Disk, CPU and Memory.

Collect the counters that you want and click OK.

To get a better view of a particular counter, click on it and press Ctrl+H on your keyboard and it appears highlighted. This is good because some of the counters are hard to see individually.

You can change the graph view by pressing the highlighted button.

The choices are Line (the default), Histogram bar, and Report, which is good for showing actual values.

Performance Monitor is good for showing live values.

For monitoring over a period of time it is better to use data collector sets.

There are two types of data collector sets: user defined and system.

You can start a data collector set by right-clicking on it and clicking Start.

Once it has been run you can view the results from the Reports section.

Creating a user defined data collector set

Right-click User Defined > New > Data Collector Set.

Give it a name and choose to create from a template or manually. I am doing it manually.

Click Add to add counters.

Select the counters that you want to measure and click OK.

Select a sample interval that suits your purpose and click Next.

Select where you want to keep the data and click Next.

You can choose who you want the set to run as, and you can choose to open the properties, run the collector set now, or just save it.

I would normally add a description here.

The Schedule tab allows you to create a schedule to run this collector set. You might want to run it at a particular time of day.

The stop condition determines how long you want to run this set.

And the Task tab allows you to run a task like a script after the set finishes.

You can start it by right-clicking and selecting Start.

This should run for 45 seconds, in line with the stop condition.

There is a visual indicator that it is running.

When it finishes you can view the report.
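The same user defined data collector set built with logman, added here and not part of the original post, so it can be recreated identically on every server and its log summarised without the GUI report. The set name, output path and the Disk/CPU/Memory counter list are assumptions; the 5-second sample interval and 45-second stop condition mirror the walkthrough.

```powershell
# Added example (not from the original post): a scripted data collector set with
# the 45-second stop condition, followed by a summary read back from the .blg file.
$setName  = 'Baseline45s'                 # assumed set name
$output   = 'C:\PerfLogs\Baseline45s'     # assumed output path
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\% Disk Time'
)
New-Item -ItemType Directory -Path (Split-Path $output) -Force | Out-Null

# -si sample interval, -o output file, -rf run for (the stop condition), -f bin = binary log.
logman.exe create counter $setName -c $counters -si 00:00:05 -o $output -rf 00:00:45 -f bin

logman.exe start $setName
Start-Sleep -Seconds 50          # 45 seconds of collection plus a little slack

# Read the newest .blg back in PowerShell and compute average/max per counter.
$log = Get-ChildItem -Path (Split-Path $output) -Filter "$(Split-Path $output -Leaf)*.blg" |
    Sort-Object LastWriteTime | Select-Object -Last 1
$samples = Import-Counter -Path $log.FullName
foreach ($counter in $counters) {
    $values = $samples.CounterSamples | Where-Object { $_.Path -like "*$counter" } | ForEach-Object CookedValue
    $stats  = $values | Measure-Object -Average -Maximum
    "{0,-50} avg {1,8:N1}  max {2,8:N1}" -f $counter, $stats.Average, $stats.Maximum
}

# Remove the definition once the log has been examined.
logman.exe delete $setName
```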

Creating a Domain in AWS using EC2 classic security groups

The first step is to create a security group or groups.

For this demonstration I am creating one security group, and I am provisioning one domain controller and one member server which I am joining to the domain example.local.

You could create more than one security group, but you would then need to create routes between them.

To create a security group, open the EC2 Dashboard, click on Security Groups and then click Create Security Group.

Create a meaningful name for the security group and an optional description. Then click on Add Rule.

The first rule should be to allow an RDP session from your IP address or subnet, as the case may be; it is best not to allow everybody RDP access.

Then click Create.

If you have a dynamically assigned IP address you can still do this; just remember to alter the security group rule to My IP whenever you need to.

Instances that are in the same security group have full access to each other, so there should be no need to create any more rules unless you have a specific need.

So now we need two instances. I am going to use spot instances as they are much cheaper. You should use whatever instance is right for you.

To request a spot instance, go to Spot Requests and select Request Spot Instances.

Select the spot instance you want; in this case I am selecting 2012 R2 base.

Choose an instance type that suits you and click Next.

Enter an amount equal to or greater than the current price. In this case 2 cents an hour.

And click Next.

I am leaving storage at the default and clicking Next.

Add an appropriate tag, or don't.

It is important to select the correct security group, because you cannot change it after the instance is built. (You can change the rules but not the security group.) If you miss this step you might as well start again.

Check your settings and click Launch.

Select a pem file and click Request Spot Instance.

Repeat this process to build the member server. Make sure you select the same security group.

Wait a while until these requests are fulfilled.

When the instances are fulfilled, click on Instances, and when 2/2 checks are complete you can get the password and log on to the servers.

Click on your instance and click Connect.

Then click Get Password.

Click on Choose Path, navigate to where your pem file is and click OK.

Then click Decrypt Password.

At this point I like to copy the Public DNS, username and password to Notepad so that I can quickly copy and paste from there.

Public DNS ec2-54-89-145-221.compute-1.amazonaws.com
User name Administrator
Password @H.Fp*uFjD;

Do the same for the other server and log on with RDP using the credentials provided.

Now promote the domain controller.

After the domain controller is online, log on to it and collect its private IP address.

Log on to the member server.

It is a good idea to rename it to something logical. The fastest way is the PowerShell command:

Rename-Computer MS01 -Restart

From the member server, test connectivity to the DC.

In this case it did not work until I created a firewall rule in the security group.

With EC2 classic you don't really have any control over what private IP address they give you, so to cover the entire 10.X.X.X range I used 10.0.0.0/8 as my custom IP subnet.

As I don't care what traffic travels between my two servers, I have chosen 10.anything for all TCP, UDP and ICMP.

Now I can ping the DC by IP address but not the FQDN:

PS C:\Users\Administrator> ping dc01
Ping request could not find host dc01. Please check the name and try again.
PS C:\Users\Administrator> ping dc01.example.local
Ping request could not find host dc01.example.local. Please check the name and try again.

To fix this you need to adjust the DNS settings on the network adapter.

It is tempting to just assign a static IP address. DO NOT DO THAT: you will lose your connection and you will have to terminate your instance and start again.

What to do here is run ipconfig /all to find out the assigned DNS server, and make a note of the IP address of your domain controller.

Click the Use the following DNS server addresses radio button; for the preferred DNS server use your DC, and as the alternate use Amazon's DNS server.

Now you should be able to ping using the DNS name.

Now you are ready to join the domain.

PS C:\Users\Administrator> Add-Computer -DomainName example.local

cmdlet Add-Computer at command pipeline position 1
Supply values for the following parameters:
Credential
WARNING: The changes will take effect after you restart the computer MS01.
PS C:\Users\Administrator> Restart-Computer

And now the server has joined the domain.

If you prefer to use the GUI, you can do it this way.
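The member-server side of the walkthrough scripted, added here and not part of the original post, so the one dangerous step (changing the IP configuration) is never touched: only the DNS server list changes and the DHCP lease stays. The DC's private IP, the DC name and the domain are assumptions for this lab.

```powershell
# Added example (not from the original post): point DNS at the domain controller
# without touching the DHCP-assigned address, confirm resolution, then join.
$dcIp   = '10.0.1.25'        # assumed: private IP collected from the domain controller
$domain = 'example.local'
$dcName = 'dc01'

# The DHCP-assigned adapter and the DNS server Amazon handed out (kept as the alternate).
$adapter   = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
$current   = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
$amazonDns = $current | Where-Object { $_ -ne $dcIp } | Select-Object -First 1
"Adapter: {0}   current DNS: {1}" -f $adapter.Name, ($current -join ', ')

# Is the DC reachable at all? If not, the security group rule is the thing to fix first.
if (-not (Test-NetConnection -ComputerName $dcIp -Port 389 -InformationLevel Quiet)) {
    throw "Cannot reach $dcIp on TCP 389; check the security group's inbound rules before going further."
}

# Preferred = DC, alternate = Amazon. IP address, mask and gateway stay on DHCP.
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses @($dcIp, $amazonDns)

# Prove name resolution and DC location work before attempting the join.
Resolve-DnsName -Name "$dcName.$domain" -Server $dcIp -ErrorAction Stop | Out-Null
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop | Out-Null

# Join and restart; the credential prompt replaces the interactive one in the transcript above.
$cred = Get-Credential -Message "Account allowed to join computers to $domain"
Add-Computer -DomainName $domain -Credential $cred -Restart
```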

Setting up DFS

I am setting up Active Directory integrated DFS on two servers, DC01 and DFS01.

I am also setting up the optional Remote Differential Compression feature on both servers.

Install the DFS role.

Now that DFS is installed, open DFS Management from the Tools menu and create a new namespace.

Enter the name of the namespace server, in this case DC01, and click Next.

Enter a name for the namespace, in this case Public, and click on Edit Settings.

Here you can edit the shared folder permissions as required.

Here you can choose between stand-alone and domain-based namespaces. Check Windows Server 2008 mode unless you have some reason to use 2003. Then click Next.

Select a shared folder that you created previously (or create one now).

Click OK and OK.

Now is a good time to install DFS on the other server, DFS01.

After that it is time to set up replication.

Browse for the replica server and share to use as a target.

Click OK, and OK again.

Click OK to create a replication group.

Select the primary member; this should be the share that has data in it. If they both do, the data in the primary member will copy to the secondary and the data in the secondary will be erased, so make sure the secondary does not contain anything you need.

Choose the topology. A mesh is fine for a few servers, but if you have many you might want to consider a hub and spoke topology.

You can adjust the schedule and bandwidth as appropriate here, but I am leaving them at the defaults.

Now anyone who has permission can see files in \\example.local\public
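The namespace and replication group from the walkthrough built with the DFSN and DFSR cmdlets, added here and not part of the original post, with the primary-member caveat enforced: the script refuses to continue if the secondary share already holds files. Server names, share paths and the group name are assumptions.

```powershell
# Added example (not from the original post): scripted DFS namespace plus
# replication, guarding against the initial sync overwriting the secondary.
$namespace = '\\example.local\Public'
$primary   = 'DC01'
$secondary = 'DFS01'
$localPath = 'C:\Public'       # assumed share root on both servers
$groupName = 'Public'

# Role and features on both servers, including Remote Differential Compression.
foreach ($server in $primary, $secondary) {
    Install-WindowsFeature -ComputerName $server -Name FS-DFS-Namespace, FS-DFS-Replication, RDC -IncludeManagementTools
}

# Domain-based namespace in Windows Server 2008 mode, with a root target on each server.
New-DfsnRoot       -Path $namespace -TargetPath "\\$primary\Public" -Type DomainV2
New-DfsnRootTarget -Path $namespace -TargetPath "\\$secondary\Public"

# Guard the failure mode the walkthrough warns about: the secondary must start empty.
$secondaryFiles = Get-ChildItem -Path "\\$secondary\Public" -Recurse -File -ErrorAction SilentlyContinue
if ($secondaryFiles) {
    throw "\\$secondary\Public already holds $($secondaryFiles.Count) file(s); initial sync would overwrite them. Move them first."
}

# Replication group with both members and a two-way (mesh) connection.
New-DfsReplicationGroup -GroupName $groupName | Out-Null
New-DfsReplicatedFolder -GroupName $groupName -FolderName 'Public' | Out-Null
Add-DfsrMember          -GroupName $groupName -ComputerName $primary, $secondary | Out-Null
Add-DfsrConnection      -GroupName $groupName -SourceComputerName $primary -DestinationComputerName $secondary | Out-Null

# Content paths: the primary member's data wins the initial replication.
Set-DfsrMembership -GroupName $groupName -FolderName 'Public' -ComputerName $primary   -ContentPath $localPath -PrimaryMember $true -Force
Set-DfsrMembership -GroupName $groupName -FolderName 'Public' -ComputerName $secondary -ContentPath $localPath -Force

# Have both members pick up the new configuration now rather than at the next AD poll.
Update-DfsrConfigurationFromAD -ComputerName $primary, $secondary
```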

Creating a file classification with FSRM

You can create a classification with File Server Resource Manager.

The first thing is to install File Server Resource Manager.

Install additional features.

The install took about three minutes and restarted the server.

Open File Server Resource Manager from the Tools menu.

The first thing is to create a property.

I am creating a Restricted property.

Now if you right-click on a document and select Properties, you can see a Classification tab.

From here you can see the classification that we just created, and you have the option to apply it to the file.

Now the file has the classification of Restricted.
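The Restricted property built with the FSRM cmdlets, added here and not part of the original post, and taken one step further than the walkthrough: a classification rule tags files by content instead of one at a time from the Classification tab. The share path and the marker string are assumptions.

```powershell
# Added example (not from the original post): the Restricted property as a Yes/No
# classification, plus a content rule that applies it automatically.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

$share = 'C:\Shares\Public'    # assumed share path

# A Yes/No property named Restricted, like the one created in the console.
New-FsrmClassificationPropertyDefinition -Name 'Restricted' -Type YesNo `
    -Description 'Contains data that must not leave the organisation'

# Tag any file under the share whose content contains the marker text. Overwrite
# means a stale manual "No" is corrected when the content says otherwise.
New-FsrmClassificationRule -Name 'Flag restricted documents' -Namespace @($share) `
    -Property 'Restricted' -PropertyValue 'Yes' `
    -ClassificationMechanism 'Content Classifier' -ContentString 'RESTRICTED' `
    -ReevaluateProperty Overwrite

# Run the classification now instead of waiting for the schedule, then show its state.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification
```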