September 13th, 2022

Even if you do not intend to migrate the CA, you should still back it up. A CA backup is different from the backups we usually take; it is done with the following steps:

If you are backing up an enterprise CA, click Certificate Templates in the CA console and record the names of the templates listed there. These templates are stored in the AD domain, so you do not need to back them up yourself. You must, however, know exactly which templates the CA being migrated issues, because you will have to add them manually after the migration.

In the CA console, right-click the CA name, select "All Tasks", then click "Back up CA" to open the CA Backup Wizard. In the wizard, select the CA's private key and CA certificate, and the certificate database and certificate database log. You can also specify a suitable location for the backup contents; for security, set a password to protect the CA private key.

After the backup completes, open Registry Editor, then locate and export the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

Note: we recommend saving the exported registry file in the CA backup folder.

Once that is done, whenever you want to migrate the CA to another machine, uninstall the CA from the old server, then rename the old server or disconnect it from the network.
CA restore

A CA restore is usually performed when the current CA must be repaired or when it needs to be migrated to another server.

Restore the CA with the following steps:

Install the AD CS role on the target computer. Choose a standalone CA or an enterprise CA depending on the type of CA being migrated. When you reach the "Specify the type of the private key" page, click "Use existing private key", then select "Select a certificate and use its associated private key"; this lets the new CA server keep using the old server's certificate.

On the "Existing Certificate" page, click Import, enter the path of the .p12 file generated when the CA was backed up, enter the password set at backup time, and click OK. When you are prompted about the "public and private key pair", make sure the existing key is selected; this step is critical if you want to keep the same root CA certificate.

On the "Certificate Database" page, specify the same locations as on the old server for the certificate database and the certificate database log. When these steps are done, click "Configure" and wait for the wizard to finish.

After installation completes, open the Services snap-in for the AD CS service and restore the old server's settings.

Locate the registry file exported during the backup and double-click it to import it into the registry.

After the registry settings are restored, open the CA management console, right-click the CA name, click "All Tasks", then click "Restore CA". The CA Restore Wizard appears; in it you can select "Private key and CA certificate" and "Certificate database and certificate database log" to specify what you want to restore. Next, enter the backup folder location and confirm that the restore settings are correct. In the restore settings, "Issued Log" and "Pending Requests" should be "Show".

When the restore completes, choose to restart the AD CS service.

If you restored an enterprise CA, confirm that the certificate templates you recorded earlier, which are stored in the AD domain, are visible and usable on the new CA.
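The backup and restore steps above can be scripted with the ADCSAdministration module that ships with the AD CS role. The following is an added example, not code from the original post; the backup directory, the key password prompt and the file names inside the backup folder are assumptions, and the registry key is the one named in the post.

```powershell
# Added example (not from the original post): scripted CA backup for migration and the
# matching restore, following the wizard steps described above.
# Assumptions: backup folder path, file names written into it, and that the new server
# already has the AD CS role installed with the existing key (.p12) as described.
Import-Module ADCSAdministration

function Backup-CaForMigration {
    param(
        [Parameter(Mandatory)][string]$BackupDir,          # e.g. D:\CABackup (assumed path)
        [Parameter(Mandatory)][securestring]$KeyPassword   # password protecting the exported private key
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # 1. Private key, CA certificate, certificate database and database log, key password-protected.
    #    -Force allows a non-empty target directory.
    Backup-CARoleService -Path $BackupDir -Password $KeyPassword -Force

    # 2. Record which templates this CA publishes. They live in AD, so they are not backed up,
    #    but they must be re-added by hand after the migration (see the post).
    certutil.exe -catemplates | Out-File -FilePath (Join-Path $BackupDir 'published-templates.txt')

    # 3. Export the CertSvc configuration subkey into the same folder, as the post recommends.
    $key = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    reg.exe export $key (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y | Out-Null

    Get-ChildItem -Path $BackupDir -Recurse | Select-Object FullName, Length
}

function Restore-CaFromBackup {
    # Run on the new server after the AD CS role has been installed using the existing key.
    param(
        [Parameter(Mandatory)][string]$BackupDir,
        [Parameter(Mandatory)][securestring]$KeyPassword
    )
    # Registry settings first, then key/certificate and database, with the service stopped.
    Stop-Service -Name CertSvc
    reg.exe import (Join-Path $BackupDir 'CertSvc-Configuration.reg') | Out-Null
    Restore-CARoleService -Path $BackupDir -Password $KeyPassword -Force
    Start-Service -Name CertSvc

    # Templates are not restored; compare what the old CA published with what this CA has now.
    Write-Host 'Templates published by the old CA:' -ForegroundColor Yellow
    Get-Content (Join-Path $BackupDir 'published-templates.txt')
    Write-Host 'Templates published by this CA now:' -ForegroundColor Yellow
    certutil.exe -catemplates
}

# Usage on the old CA:
# Backup-CaForMigration -BackupDir 'D:\CABackup' -KeyPassword (Read-Host -AsSecureString 'Key password')
# Usage on the new CA, after the role installation described above:
# Restore-CaFromBackup -BackupDir 'D:\CABackup' -KeyPassword (Read-Host -AsSecureString 'Key password')
```

The template listing is written next to the backup because the post's last step (confirming the templates on the new CA) is the one most often forgotten; the restore function prints both lists so the difference is visible before the CA is put back into service.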

September 2nd, 2022

Use of DCPROMO is still the proper way to remove a DC server in an Active Directory infrastructure. Certain situations, such as server crash or failure of the DCPROMO option, require manual removal of the DC from the system by cleaning up the server’s metadata. The following detailed steps will help you accomplish this:

Step 1: Removing metadata via Active Directory Users and Computers

    1. Log in to the DC as a Domain/Enterprise administrator and navigate to Server Manager > Tools > Active Directory Users and Computers
    2. Expand the Domain > Domain Controllers
    3. Right-click the Domain Controller you need to remove manually and click Delete

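After the deletion in Active Directory Users and Computers, a practitioner wants to confirm that nothing still refers to the old DC. The following is an added example, not part of the original post; it is a read-only check to run on a remaining DC as a domain administrator, and the server name used in the usage line is a placeholder.

```powershell
# Added example (not from the original post): verify that no metadata for a removed
# domain controller is left behind. Read-only; run on a surviving DC as a domain admin.
# The server name passed in is a placeholder for the DC you removed.
Import-Module ActiveDirectory

function Test-DcMetadataRemoved {
    param([Parameter(Mandatory)][string]$ServerName)   # hostname of the removed DC, e.g. 'DC02'

    $findings = @()
    $rootDse  = Get-ADRootDSE
    $domain   = Get-ADDomain
    $forest   = Get-ADForest

    # 1. Server object (with its NTDS Settings child) under Sites in the configuration partition
    $servers = Get-ADObject -SearchBase "CN=Sites,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=server)(cn=$ServerName))"
    foreach ($s in @($servers)) {
        if ($s) { $findings += "Server object still present: $($s.DistinguishedName)" }
    }

    # 2. Computer account still sitting in the Domain Controllers OU
    $accounts = Get-ADComputer -SearchBase $domain.DomainControllersContainer -LDAPFilter "(cn=$ServerName)"
    foreach ($c in @($accounts)) {
        if ($c) { $findings += "Computer account still present: $($c.DistinguishedName)" }
    }

    # 3. FSMO roles: a removed DC must not still be recorded as a role holder
    $roles = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -like "$ServerName.*") { $findings += "$($r.Key) still held by $($r.Value)" }
    }

    # 4. This DC still lists the old one as a replication partner
    $partners = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue
    foreach ($p in @($partners)) {
        if ($p -and $p.Partner -like "*CN=$ServerName,*") {
            $findings += "Replication partner link still present: $($p.Partner)"
        }
    }

    # 5. DNS: the domain zone's NS records should no longer name the old DC
    $ns = Resolve-DnsName -Name $domain.DNSRoot -Type NS -ErrorAction SilentlyContinue
    foreach ($n in @($ns)) {
        if ($n -and $n.NameHost -like "$ServerName.*") { $findings += "NS record still points at $($n.NameHost)" }
    }

    if ($findings.Count -eq 0) { "No remaining metadata found for $ServerName" } else { $findings }
}

# Test-DcMetadataRemoved -ServerName 'DC02'
```

Each finding corresponds to a place where a stale DC entry causes trouble later: orphaned server objects break replication topology generation, a stale FSMO holder blocks role-dependent operations, and stale NS records send clients to a host that no longer answers.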

July 28th, 2022

Researching silent-install options is a one-time effort that saves you a lot of time. This script is useful for sysadmins who prepare desktops and laptops or deploy servers.

The .csv file contains data in comma-separated values format and looks like this:

Installer,Switch
Firefox Setup 72.0.2.msi,/qn
AnyDesk.exe,--install "C:\Anydesk" --start-with-win --silent --create-shortcuts --create-desktop-icon
7z1900-x64.msi,/qn
Chef-client-15.7.32-1x64.msi,/qn
Npp.7.8.3.Installer.exe,/S
ChromeSetup.exe,/silent /Install

I have attached the sample .csv and script file for your reference.

If you look at the list of software above, they all have different silent options, yet the script works like a charm.

####################################################################################
# Author: Charan Baisetty                                                          #
# Purpose : To silently install any software on windows                            #
# Description: Place csv and software files in a share, do research for your apps  #
#               silent options and add them to csv file.                           #
# Video for this script : www.youtube.com/c/netxopsvideos                          #
####################################################################################

$path    = "\\server\softwares\"
$staging = "c:\Temp\Softwares"

# pkgs.csv already carries the "Installer,Switch" header row, so Import-Csv reads it as-is.
# Passing -Header here would turn that header row into a bogus "Installer" package.
$softwares = Import-Csv "\\server\softwares\pkgs.csv" -Delimiter "," | Select-Object Installer, Switch

foreach ($software in $softwares) {

    $softexec = [string]$software.Installer
    $switch   = [string]$software.Switch

    # Only act on a file in the share whose name matches the CSV entry exactly
    $pkgs = Get-ChildItem "$path$softexec" -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $softexec }
    if (-not $pkgs) { Write-Warning "$softexec not found in $path, skipping"; continue }

    foreach ($pkg in $pkgs) {

        $ext = [System.IO.Path]::GetExtension($pkg.Name).ToLower()

        # Copy the installer locally first and run it from the staging folder
        mkdir $staging -Force | Out-Null
        Copy-Item "$path$softexec" -Recurse $staging -Force
        Write-Host "Installing $softexec silently, please wait...." -ForegroundColor Yellow

        if ($ext -eq ".msi") {
            # The .msi is launched through its msiexec file association, so the switch (e.g. /qn) reaches msiexec
            Start-Process "$staging\$softexec" -ArgumentList "$switch" -Wait
        }
        else {
            # EXE installers run in the current console with their own silent switch
            Start-Process "$staging\$softexec" -ArgumentList "$switch" -Wait -NoNewWindow
        }

        Remove-Item "$staging\$softexec" -Recurse -Force
        Write-Host "Installation of $softexec completed" -ForegroundColor Green
    }
}
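Before running an installer loop like the one above against a share, it is worth validating the CSV and checking that every package exists and carries a valid Authenticode signature, so an unsigned or tampered file is noticed before it is executed. The following preflight check is an added example and not part of the original script; the share path and CSV name follow the layout the post uses.

```powershell
# Added example (not part of the original script): preflight check for the installer list.
# Validates the CSV header, confirms each installer exists on the share and reports its
# Authenticode signature status before anything is executed.
# Assumptions: share path and CSV name as in the post above.
function Test-InstallerList {
    param(
        [string]$SharePath = "\\server\softwares\",
        [string]$CsvPath   = "\\server\softwares\pkgs.csv"
    )

    $rows = @(Import-Csv -Path $CsvPath -Delimiter ",")
    if ($rows.Count -eq 0 -or
        -not ($rows[0].PSObject.Properties.Name -contains 'Installer') -or
        -not ($rows[0].PSObject.Properties.Name -contains 'Switch')) {
        throw "CSV must have the header row 'Installer,Switch'"
    }

    foreach ($row in $rows) {
        $file     = Join-Path $SharePath $row.Installer
        $exists   = Test-Path -LiteralPath $file -PathType Leaf
        $status   = 'n/a'
        $signer   = ''
        $problems = @()

        if ([string]::IsNullOrWhiteSpace($row.Switch)) {
            $problems += 'empty silent switch (installer would run interactively)'
        }
        if (-not $exists) {
            $problems += 'file not found on share'
        }
        else {
            # Get-AuthenticodeSignature handles both .exe and .msi packages
            $sig    = Get-AuthenticodeSignature -FilePath $file
            $status = $sig.Status.ToString()      # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            if ($sig.Status -ne 'Valid') {
                $problems += "signature status $status; verify the package before deploying"
            }
        }

        [pscustomobject]@{
            Installer = $row.Installer
            Switch    = $row.Switch
            Exists    = $exists
            Signature = $status
            Signer    = $signer
            Problems  = ($problems -join '; ')
        }
    }
}

# Test-InstallerList | Format-Table -AutoSize
```

A row with a non-empty Problems column should stop the deployment of that package: HashMismatch means the file on the share no longer matches what its publisher signed, and NotSigned means there is nothing to compare against, so the file's origin has to be checked another way.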
July 28th, 2022

Using the Advanced User Accounts control panel

1. Run the netplwiz command from the Run dialog.

2. The "Advanced User Accounts" control panel opens automatically. Select the account that should log on automatically, clear the "Users must enter a user name and password to use this computer" check box, and click "Apply".

[Image: Advanced User Accounts control panel]

3. After you click "Apply", the "Automatically sign in" window appears; enter the account's password here so Windows 10 can use it for automatic logon.

[Image: Automatically sign in]

Once this configuration is complete, the computer will log on with the configured account automatically after the next restart.
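Because automatic logon means anyone who powers on the machine reaches the desktop, administrators usually want to know which machines have it switched on. The following is an added example, not from the original post: a read-only audit of the Winlogon registry values that the netplwiz procedure above sets. It does not read the password itself, which netplwiz keeps in an LSA secret rather than in a plain registry value.

```powershell
# Added example (not from the original post): read-only audit of automatic logon settings.
# Reads the Winlogon registry values only. The password stored by netplwiz lives in an LSA
# secret and is not read; the PlaintextPassword flag only catches the variant where someone
# wrote DefaultPassword directly into the registry.
function Get-AutoLogonStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)   # local machine by default

    $reader = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $v = Get-ItemProperty -Path $key
        [pscustomobject]@{
            AutoAdminLogon    = $v.AutoAdminLogon
            DefaultUserName   = $v.DefaultUserName
            DefaultDomainName = $v.DefaultDomainName
            PlaintextPassword = [bool]$v.DefaultPassword
        }
    }
    $raw = if ($ComputerName -eq $env:COMPUTERNAME) { & $reader }
           else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $reader }

    $enabled = ($raw.AutoAdminLogon -eq '1')   # REG_SZ "1" when automatic logon is on
    [pscustomobject]@{
        Computer          = $ComputerName
        AutoLogonEnabled  = $enabled
        Account           = if ($enabled) { "$($raw.DefaultDomainName)\$($raw.DefaultUserName)" } else { '' }
        PlaintextPassword = $raw.PlaintextPassword
        Risk              = if (-not $enabled) { 'none' }
                            elseif ($raw.PlaintextPassword) { 'high: password readable in the registry' }
                            else { 'medium: anyone with physical access reaches the desktop' }
    }
}

# Get-AutoLogonStatus
# 'PC01','PC02' | ForEach-Object { Get-AutoLogonStatus -ComputerName $_ }   # names are placeholders
```

The Risk column separates the two situations that matter: automatic logon by itself exposes the desktop to whoever has the hardware, while a DefaultPassword value additionally exposes the credential to anyone who can read the registry.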

July 5th, 2022

Neither the Windows Settings app nor the Control Panel will let you configure multiple time-servers in Windows. You’ll need to execute some commands in the Command Prompt to get this set up. I’ll walk you through the whole process:

  1. Open an administrative Command Prompt by searching for “cmd” in the Start menu, right-clicking on the program, and choosing “Run as administrator”.
  2. Ensure that the time service is currently running by stopping and starting it by entering following command and pressing Enter:
    net stop w32time & net start w32time
  3. Configure your list of preferred time-servers by listing their IP or DNS addresses within the quotation marks in the following command; separating multiple servers with spaces:
    w32tm /config /update /manualpeerlist:"pool.ntp.org time.windows.com time.apple.com time.cloudflare.com"

The above example configures Windows to use time-servers operated by the NTP Pool Project, Microsoft, Apple, and Cloudflare. Note that there shouldn’t be any line breaks in the command; it’s all on one line.

  4. Lastly, we'll tell Windows to resynchronize its time against the newly configured time-servers and finally show the new configuration to confirm that everything is working:
    w32tm /resync
    w32tm /query /peers

Note that these changes won’t show up if you go to inspect your internet time configuration in the Time and Date section of the Control Panel. You shouldn’t make any changes there to avoid overwriting your manual configuration.
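The same procedure from PowerShell, with a verification step that parses the output of w32tm instead of leaving you to read it by eye, as an added example that is not from the original post. The server list is the one used above; the /syncfromflags:manual option, which the post's command does not include, tells the time service to use only this manual peer list rather than a domain hierarchy.

```powershell
# Added example (not from the original post): configure the time-servers from the post and
# verify the result by parsing "w32tm /query /peers" and "w32tm /query /status".
# Run from an elevated PowerShell session.
function Set-NtpPeers {
    param([string[]]$Peers = @('pool.ntp.org', 'time.windows.com', 'time.apple.com', 'time.cloudflare.com'))

    Restart-Service -Name w32time                 # same effect as net stop / net start
    $list = $Peers -join ' '                       # peers are space-separated inside the quotes
    # /syncfromflags:manual restricts synchronisation to this manual list
    w32tm.exe /config /update /manualpeerlist:"$list" /syncfromflags:manual | Out-Null
    w32tm.exe /resync | Out-Null
}

function Get-NtpPeerStatus {
    # One object per configured peer, taken from the "Peer:" blocks of w32tm /query /peers
    $peers   = @()
    $current = $null
    foreach ($raw in (w32tm.exe /query /peers)) {
        $line = $raw.Trim()
        if ($line -match '^Peer:\s*(\S+)') {
            if ($current) { $peers += [pscustomobject]$current }
            $current = [ordered]@{ Peer = $Matches[1]; State = ''; Stratum = '' }
        }
        elseif ($current -and $line -match '^State:\s*(.+)$')   { $current.State   = $Matches[1].Trim() }
        elseif ($current -and $line -match '^Stratum:\s*(.+)$') { $current.Stratum = $Matches[1].Trim() }
    }
    if ($current) { $peers += [pscustomobject]$current }
    $peers
}

function Get-NtpSyncSource {
    # Which peer the clock was actually synchronised from, and when
    $status = [ordered]@{ Source = ''; LastSuccessfulSync = '' }
    foreach ($raw in (w32tm.exe /query /status)) {
        $line = $raw.Trim()
        if     ($line -match '^Source:\s*(.+)$')                    { $status.Source = $Matches[1].Trim() }
        elseif ($line -match '^Last Successful Sync Time:\s*(.+)$') { $status.LastSuccessfulSync = $Matches[1].Trim() }
    }
    [pscustomobject]$status
}

# Set-NtpPeers
# Get-NtpPeerStatus | Format-Table -AutoSize
# Get-NtpSyncSource
```

A peer whose State is not Active after a resync, or a Source line that still names a different server, shows that the new list has not taken effect; in that case check the service log before touching the Control Panel, for the reason given above.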

June 17th, 2022

# Set the DNS server search order on every IP-enabled NIC of each computer listed in the file
$computers  = Get-Content "c:\users\path\to\my.csv"
$DNSServers = "8.8.8.8", "192.168.40.119"   # set dns servers here

foreach ($computer in $computers) {
    $NICs = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $computer |
        Where-Object { $_.IPEnabled -eq $true }

    foreach ($NIC in $NICs) {
        $NIC.SetDNSServerSearchOrder($DNSServers) | Out-Null
        $NIC.SetDynamicDNSRegistration($true) | Out-Null
    }
}
June 14th, 2022

To configure the certificate template

  1. On CA1, in Server Manager, click Tools, and then click Certification Authority. The Certification Authority Microsoft Management Console (MMC) opens.
  2. In the MMC, double-click the CA name, right-click Certificate Templates, and then click Manage.
  3. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane.
  4. In the details pane, click the RAS and IAS Server template.
  5. Click the Action menu, and then click Duplicate Template. The template Properties dialog box opens.
  6. Click the Security tab.
  7. On the Security tab, in Group or user names, click RAS and IAS servers.
  8. In Permissions for RAS and IAS servers, under Allow, ensure that Enroll is selected, and then select the Autoenroll check box. Click OK, and close the Certificate Templates MMC.
  9. In the Certification Authority MMC, click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.
  10. In Enable Certificate Templates, click the name of the certificate template that you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of RAS and IAS Server, and then click OK.
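A template that grants Autoenroll is worth verifying after the wizard steps above: that it is actually in the CA's list of templates to issue, and that Enroll/Autoenroll is held by the RAS and IAS Servers group and not by a broader principal. The following is an added example and not part of the original procedure; it reads the template and CA objects from the configuration partition, and the template and CA names are the defaults the steps mention.

```powershell
# Added example (not from the original procedure): read-only check of the duplicated
# RAS and IAS Server template. Confirms it is published on the CA (step 9/10) and lists
# who holds Enroll / Autoenroll on it (step 8). Template and CA names are placeholders
# matching the defaults used in the steps above.
Import-Module ActiveDirectory

# Extended-right GUIDs for Enroll and Autoenroll on pKICertificateTemplate objects
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d2-91a2-00c04f79dc55'
$AllRights       = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtRight        = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-RasTemplate {
    param(
        [string]$TemplateName = 'Copy of RAS and IAS Server',   # display name the wizard assigns by default
        [string]$CaName       = 'CA1'                            # CA common name as shown in the console
    )
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$cfg"

    # 1. The template object; its CN is the internal name, displayName is what the console shows
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(|(cn=$TemplateName)(displayName=$TemplateName)))"
    if (-not $tpl) { return "Template '$TemplateName' not found" }

    # 2. The CA's certificateTemplates attribute lists internal names of templates it issues
    $ca = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
        -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CaName))" -Properties certificateTemplates
    $published = [bool]($ca -and ($ca.certificateTemplates -contains $tpl.Name))

    # 3. Who can Enroll / Autoenroll, including principals that get it through GenericAll
    #    or an unscoped ExtendedRight grant (ObjectType empty = every extended right)
    $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
    $grants = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $isEnroll = ($ace.ObjectType -eq $EnrollRight)
        $isAuto   = ($ace.ObjectType -eq $AutoEnrollRight)
        $isBroad  = $ace.ActiveDirectoryRights.HasFlag($AllRights) -or
                    ($ace.ActiveDirectoryRights.HasFlag($ExtRight) -and $ace.ObjectType -eq [guid]::Empty)
        if ($isEnroll -or $isAuto -or $isBroad) {
            [pscustomobject]@{
                Identity   = $ace.IdentityReference.Value
                Enroll     = ($isEnroll -or $isBroad)
                Autoenroll = ($isAuto -or $isBroad)
            }
        }
    }

    $expected   = '*\RAS and IAS Servers', '*\Domain Admins', '*\Enterprise Admins'
    $unexpected = $grants | Where-Object { $id = $_.Identity; -not ($expected | Where-Object { $id -like $_ }) }

    [pscustomobject]@{
        Template            = $tpl.Name
        PublishedOnCA       = $published
        RasAndIasAutoenroll = [bool]($grants | Where-Object { $_.Identity -like '*\RAS and IAS Servers' -and $_.Autoenroll })
        OtherEnrollGrants   = (($unexpected | ForEach-Object { $_.Identity }) -join ', ')
    }
}

# Test-RasTemplate -TemplateName 'Copy of RAS and IAS Server' -CaName 'CA1'
```

OtherEnrollGrants should be empty for this template: a server-authentication template that Authenticated Users or Domain Computers can enroll for lets any machine obtain a certificate in the RAS/IAS role, which is exactly what the permission step above is meant to prevent.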
June 14th, 2022

Before you perform this procedure, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS. Membership in both the Enterprise Admins and the root domain’s Domain Admins group is the minimum required to complete this procedure.


June 3rd, 2022

We need to confirm the following before we go ahead with the Microsoft LAPS configuration.

1. Client operating systems – Windows Server 2019, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 7, Windows 8, Windows Vista, Windows 8.1
2. Active Directory – Windows Server 2003 SP1 or later
3. Management Tools – PowerShell 2.0 or later, .Net Framework 4.0 or later

Installing Microsoft LAPS

The next step of the configuration is to install Microsoft LAPS. To do that,
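The three prerequisite groups listed above can be checked from a script before the installation starts. The following is an added example, not from the original post: it checks the local operating system, PowerShell and .NET versions, and, when the ActiveDirectory module is available, that every domain controller meets the Windows Server 2003 SP1 minimum.

```powershell
# Added example (not from the original post): checks the LAPS prerequisites listed above.
# Local checks use Get-WmiObject so they also run on the PowerShell 2.0 minimum the post names;
# the AD check is skipped (reported as $null) when the ActiveDirectory module is missing.
function Test-LapsPrerequisites {
    # 1. Client OS: the oldest listed versions are Windows Server 2003 (5.2) and Vista (6.0)
    $os   = Get-WmiObject Win32_OperatingSystem
    $osOk = ([version]$os.Version -ge [version]'5.2')

    # 2. Management tools: PowerShell 2.0+ and .NET Framework 4.0+ (v4\Full key with Install=1)
    $psOk  = ($PSVersionTable.PSVersion.Major -ge 2)
    $net4  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $netOk = (Test-Path $net4) -and ((Get-ItemProperty -Path $net4).Install -eq 1)

    # 3. Active Directory: every DC at Windows Server 2003 SP1 or later
    $adOk  = $null
    $oldDc = @()
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        foreach ($dc in (Get-ADDomainController -Filter *)) {
            # OperatingSystemVersion looks like "5.2 (3790)"; take the leading number
            $v = [version](($dc.OperatingSystemVersion -split ' ')[0])
            $sp = [string]$dc.OperatingSystemServicePack
            if ($v -lt [version]'5.2' -or ($v -eq [version]'5.2' -and -not $sp)) { $oldDc += $dc.HostName }
        }
        $adOk = ($oldDc.Count -eq 0)
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        OSVersion           = $os.Version
        ClientOSSupported   = $osOk
        PowerShellVersionOk = $psOk
        DotNet4Present      = $netOk
        DomainControllersOk = $adOk          # $null when the AD module is not installed here
        OutdatedDCs         = ($oldDc -join ', ')
        ReadyToInstall      = ($osOk -and $psOk -and $netOk -and ($adOk -ne $false))
    }
}

# Test-LapsPrerequisites
```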

June 3rd, 2022

By default, Windows Server 2019 allows 2 concurrent Remote Desktop connections. When more than two users try to connect over Remote Desktop, the system reports that the connection limit has been exceeded. This is resolved by adding Remote Desktop licensing:

1. Add the Remote Desktop Licensing service

  • Step 1: Server Manager - Add Roles and Features. This opens the Add Roles and Features Wizard; choose role-based or feature-based installation:
  • Step 2: Add the Remote Desktop Session Host and Remote Desktop Licensing features:
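The two role services named in steps 1 and 2 can be added from PowerShell instead of the wizard. The following is an added example, not from the original post; the feature names are the Windows Server identifiers for Remote Desktop Session Host and Remote Desktop Licensing.

```powershell
# Added example (not from the original post): install the Remote Desktop Session Host and
# Remote Desktop Licensing role services from steps 1 and 2 above, with a state check
# before and after so re-running it on an already configured server is harmless.
function Install-RdsLicensingRoles {
    param([switch]$WhatIf)   # report what would be installed without changing the server

    $features = 'RDS-RD-Server', 'RDS-Licensing'
    $before   = Get-WindowsFeature -Name $features | Select-Object Name, DisplayName, InstallState
    $before | Format-Table -AutoSize

    $missing = @($before | Where-Object { $_.InstallState -ne 'Installed' } | ForEach-Object { $_.Name })
    if ($missing.Count -eq 0) { return 'Both role services are already installed' }
    if ($WhatIf) { return "Would install: $($missing -join ', ')" }

    $result = Install-WindowsFeature -Name $missing -IncludeManagementTools
    [pscustomobject]@{
        Success       = $result.Success
        Installed     = (($result.FeatureResult | ForEach-Object { $_.Name }) -join ', ')
        RestartNeeded = $result.RestartNeeded   # the Session Host role service needs a reboot
    }
}

# Install-RdsLicensingRoles -WhatIf
# Install-RdsLicensingRoles
```

This covers the two steps shown above; installing the licensing role service does not by itself lift the two-connection limit, since the license server still has to be activated and the session host pointed at it with the right licensing mode.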