DefinIT

Unable to access admin shares (c$, d$, ADMIN$, IPC$) on Windows Server 2008 in a Workgroup

If you have a Windows Server 2008 box in a workgroup and you require access to one of its admin shares, it can be a little more complicated than with Server 2003. In my case, we had a SQL server on the back end which was trying to access the web server in the DMZ using PSExec.exe to remotely run a process. Executing PSExec and passing the correct credentials failed with “Access is Denied”.

Similarly, when I tried to access the c$, ADMIN$ shares on the server, it would deny me access, and would lock out my admin account when I tried. Creating a separate share would allow me access, but that’s no good for PSExec. To further confuse things, when I accessed the \\server\c$ share from the server, it worked.

Checking the share properties using “net share c$” shows that the settings are all correct: Everyone has FULL access (this is the default; NTFS permissions are used to restrict access).

This issue does not affect domain member servers; I was able to browse to the c$ shares of several Windows Server 2008 servers on the domain.

The problem is caused by UAC and the elevated privileges required to access the administrative shares. This Microsoft KB article (951016) describes the issue in Windows Vista:

“To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent against "loopback" attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.”

It also gives the steps to resolve it. Open a new PowerShell window as administrator and run:

New-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -name "LocalAccountTokenFilterPolicy" -value "1" -propertyType dword

A word of caution: this opens up a security hole, since it switches off the UAC restriction quoted above for local administrator accounts connecting over the network, and it should only be done with careful consideration of the risks. The need to use PSExec to remotely run a process was an important part of the deployment; however, the same result could be achieved using PowerShell remoting. Until it’s tested and we’re ready to deploy that, I’ll be using this method.
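To keep track of where this exemption has been applied and to remove it once PSExec is no longer needed, the following audit and rollback script can be run on each server. It is an added example, not part of the original post or the KB article; the function names are illustrative, and it is written for PowerShell 2.0 so that it runs on Server 2008.

```powershell
# Added example: audit and roll back the LocalAccountTokenFilterPolicy change made above.
# Function names are illustrative; only built-in cmdlets available in PowerShell 2.0 are used.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilterState {
    # A missing value or 0 is the default: remote logons by local admins get a filtered token.
    $prop  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.$PolicyName } else { $null }
    $cs    = Get-WmiObject -Class Win32_ComputerSystem

    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        PartOfDomain     = $cs.PartOfDomain      # the post saw the problem on workgroup servers only
        PolicyValue      = $value
        FilteringEnabled = ($value -ne 1)
    }
}

function Restore-RemoteUacFilter {
    # Deleting the value returns the server to the default (filtered) behaviour.
    if (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $PolicyKey -Name $PolicyName
    }
    Get-RemoteUacFilterState
}

# Audit only: report the current state and warn if the exemption is active.
$state = Get-RemoteUacFilterState
$state | Format-List ComputerName, PartOfDomain, PolicyValue, FilteringEnabled
if (-not $state.FilteringEnabled) {
    Write-Warning "$PolicyName is 1: local administrator accounts receive a full token over the network."
}
```

Run it from an elevated PowerShell window; call Restore-RemoteUacFilter once the PSExec dependency has been replaced.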

Migrating the HP Systems Insight Manager 6.x database

15/04/2010

We run two monitoring systems where I work: the first is HP SIM and the second is Microsoft System Center Operations Manager. Currently, they and their databases all reside on a single rather battered server, “MONITOR1”.

I’ve installed a new SQL Server 2008 server “SQL1” on Windows Server 2008 to take some of the load, and take advantage of the 64-bit OS and SQL installation.

Both servers are part of the domain “DOMAIN”

The process goes something like this:

  1. Add the user that SIM runs as to the SQL server logins. For me that’s “DOMAIN\Insight.Manager”
  2. Create a new database on SQL1 with exactly the same name as the MONITOR1 database for SIM. Since my 6.x install is an upgraded 5.x install, the database is called “Insight_v50_0_16732390”.
  3. Add the SIM user account to the new database with DBO permissions.
  4. Stop the HP SIM service on MONITOR1
  5. Right click “Insight_v50_0_16732390” on MONITOR1 and Export. Export all the tables to SQL1…and wait a long time for the data to transfer.
  6. While you’re waiting, you can edit the following files (c:\Program Files\HP\Systems Insight Manager\Config\) – database.props and database.admin. Change any references for MONITOR1 to SQL1.
  7. Once it’s completed, stop the SQL server on MONITOR1 and start the HP SIM services again – fire up the SIM homepage to check everything is running OK.
  8. If it all checks out, remove the old database and if it’s no longer needed, uninstall the SQL server too.

Configuring Server 2008 R2 Core Series: Management Tasks

24/03/2010

So, you’ve installed a new server with Server 2008 R2 Core – what next? Logging on, you’re presented with a shiny command prompt, you can run notepad or regedit…but aside from that, where do you go from there? In the next few posts in this series I’ll hopefully point out the basics, and some not so basics!

I’m going to look at some management tasks – the bread and butter of being a Windows admin.

Activating Server 2008 Core

Activating Server 2008 Core is done via a pre-packaged script called slmgr.vbs (the “Windows Software Licensing Management Tool”).

Firstly, you have to install a Product Key (unless it was done during your install):

cscript C:\windows\system32\slmgr.vbs /ipk <Product Key>


After that, it’s just a case of automatic activation, assuming you have internet access:

cscript C:\windows\system32\slmgr.vbs /ato

If you’ve not got internet access for the server, you can use the /dti option to get the Activation ID, call the Microsoft Licensing and Activation line and tap it in. Then use the /atp option to enter the response and activate.

Windows Updates

If you read the last post in this series, Configuring Server 2008 R2 Core Series: Network Settings, you may have seen the option in sconfig.cmd to set Windows Update settings. That’s the first, interactive, way to configure Windows Updates. It’s worth noting that the easiest way to do this is via your Group Policies, if you’re on a domain.

===============================================================================
                         Server Configuration
===============================================================================

1) Domain/Workgroup:                    Domain:  MCGEOWN.LOCAL
2) Computer Name:                       ServerCore2008
3) Add Local Administrator
4) Configure Remote Management

5) Windows Update Settings:             Manual
6) Download and Install Updates
7) Remote Desktop:                      Disabled

8) Network Settings
9) Date and Time

10) Log Off User
11) Restart Server
12) Shut Down Server
13) Exit to Command Line

Enter number to select an option: 5

Windows Update currently set to: Manual
Select (A)utomatic or (M)anual updates: A

Enabling Automatic updates...

The second method is the more command-line, scripting method. This sets it to download automatically and install at 3am every day (“/au 1” disables, “/au /v” shows current value):

Cscript c:\windows\system32\scregedit.wsf /au 4

Enabling Remote Management

Similarly to Windows Updates, remote management can be configured via sconfig.cmd or command line. Here’s how:

Enter number to select an option: 4
--------------------------------
  Configure Remote Management
--------------------------------

1) Allow MMC Remote Management
2) Enable Windows PowerShell
3) Allow Server Manager Remote Management
4) Show Windows Firewall settings

5) Return to main menu

Enter selection: 1

Enabling MMC firewall exceptions and Virtual Disk Service...

Enter selection: 2

Enabling Windows PowerShell...
Setting Windows PowerShell execution policy to remotesigned...

[Server requests a reboot here - you can't enable Server Manager until it's done]

Enter selection: 3

Setting Windows PowerShell execution policy to remotesigned...
Enabling Server Manager cmdlets...

Configuring Remote Server Manager settings...

If you need to do this via the command line, it happens like this…

Enable WinRM:

C:\Users\Administrator> winrm quickconfig
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:
Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Make these changes [y/n]? y
WinRM has been updated for remote management.
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Fire up PowerShell (powershell.exe) and set the execution policy to RemoteSigned:

Set-ExecutionPolicy RemoteSigned

Then enable the Remote Administration rules on the firewall:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

To configure management by Remote Desktop, you can run the now-familiar sconfig.cmd and select option 7, or you can issue the following commands:

cscript c:\windows\system32\scregedit.wsf /ar 0

netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

Bear in mind that your RDP session will need TLS authentication and will not give you a desktop or GUI, just the command line interface. If you need to disable TLS for older clients (e.g. XP), use the following command:

cscript C:\Windows\System32\Scregedit.wsf /cs 0
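Each of the steps in this section widens what the server accepts over the network, so it is worth recording the end state once they are done. The report below is an added example, not part of the original post; Get-RemoteManagementExposure is an illustrative name, and the script assumes that scregedit.wsf /ar and /cs write the fDenyTSConnections and UserAuthentication registry values that it reads.

```powershell
# Added example: report what the remote-management steps above left enabled.
# PowerShell 2.0 compatible. Get-RemoteManagementExposure is an illustrative name.
# Assumption: scregedit.wsf /ar and /cs write the two registry values read below.
function Get-RemoteManagementExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-ItemProperty -Path $ts
    $tcp = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp"

    # "winrm enumerate" prints one "Transport = HTTP" or "Transport = HTTPS" line per listener.
    $transports = @(winrm enumerate winrm/config/listener 2>$null |
        Select-String -Pattern 'Transport\s*=\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })

    New-Object PSObject -Property @{
        ExecutionPolicy         = (Get-ExecutionPolicy)
        WinRMTransports         = ($transports -join ', ')
        WinRMHttpListener       = ($transports -contains 'HTTP')
        RdpEnabled              = ($rdp.fDenyTSConnections -eq 0)    # "/ar 0" enables RDP
        RdpLegacyClientsAllowed = ($tcp.UserAuthentication -ne 1)    # "/cs 0" allows older clients
    }
}

$report = Get-RemoteManagementExposure
$report | Format-List ExecutionPolicy, WinRMTransports, WinRMHttpListener, RdpEnabled, RdpLegacyClientsAllowed

if ($report.WinRMHttpListener) {
    Write-Warning 'WinRM is listening on HTTP (the listener created by "winrm quickconfig").'
}
if ($report.RdpEnabled -and $report.RdpLegacyClientsAllowed) {
    Write-Warning 'RDP is enabled and accepts older clients (the "/cs 0" setting).'
}
```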

Can you manage?

With all those steps completed, you should be able to connect to your server with Remote Server Administration Tools on any Server 2008 or Windows 7 computer.

[Screenshot: my Windows 7 PC connected via “Server Manager”]

To connect via WinRS (Windows Remote Shell) and execute remote commands, use:

winrs -r:<server name> <command>

e.g.:

winrs -r:<Server Name> cmd

allows me access to the command shell on that server.

[Screenshot: what RDP to the same server looks like]

Hopefully that gives you a few options for managing your Windows Server 2008 Core machine!

Windows Server 2003 Admin tools under Vista

If, like me, you want to administrate your Windows 2003 servers from your Vista workstation, you may find that you receive an “MMC could not create snap in” error when you open one of the admin tools; it also manifests as corrupted graphics within some MMC add-ins.

It appears that the DLLs are not registered correctly. There’s a KB article from Microsoft that contains a script to re-register the DLLs. It’s a simple fix:

  • Copy and paste the following script into a text document, save it as RegisterAdminPack.cmd

      @echo off
      REM RegisterAdminPak.cmd
      REM (c) 2006 Microsoft Corporation. All rights reserved.
      set filelist=adprop.dll azroles.dll azroleui.dll ccfg95.dll
      set filelist=%filelist% certadm.dll certmmc.dll certpdef.dll certtmpl.dll
      set filelist=%filelist% certxds.dll cladmwiz.dll clcfgsrv.dll clnetrex.dll
      set filelist=%filelist% cluadmex.dll cluadmmc.dll cmproxy.dll cmroute.dll
      set filelist=%filelist% cmutoa.dll cnet16.dll debugex.dll dfscore.dll
      set filelist=%filelist% dfsgui.dll dhcpsnap.dll dnsmgr.dll domadmin.dll
      set filelist=%filelist% dsadmin.dll dsuiwiz.dll imadmui.dll lrwizdll.dll
      set filelist=%filelist% mprsnap.dll msclus.dll mstsmhst.dll mstsmmc.dll
      set filelist=%filelist% nntpadm.dll nntpapi.dll nntpsnap.dll ntdsbsrv.dll
      set filelist=%filelist% ntfrsapi.dll rasuser.dll rigpsnap.dll rsadmin.dll
      set filelist=%filelist% rscommon.dll rsconn.dll rsengps.dll rsjob.dll
      set filelist=%filelist% rsservps.dll rsshell.dll rssubps.dll rtrfiltr.dll
      set filelist=%filelist% schmmgmt.dll tapisnap.dll tsuserex.dll vsstskex.dll
      set filelist=%filelist% w95inf16.dll w95inf32.dll winsevnt.dll winsmon.dll
      set filelist=%filelist% winsrpc.dll winssnap.dll ws03res.dll

      for %%i in (%filelist%) do (
       echo Registering %%i ...
       regsvr32 /s %%i
      )
      echo.
      Echo Command Completed

  • Run a command prompt under admin privileges (Start menu > All Programs > Accessories > Right click Command Prompt and select “Run as administrator”)
  • Navigate to where you saved RegisterAdminPack.cmd, and run it.

Simple as that. Some people find that the admin tool shortcuts aren’t installed under Administrative Tools. That didn’t happen to me, but you can either reinstall the tools or manually create the shortcuts by opening a new MMC window (Start > Run > mmc) and then adding the relevant snap-in. You can then save your console and create a shortcut wherever you desire.