Tag Archives: Windows Server 2012R2

Best Practices Analyzer Windows Server 2012 R2

Did you know that the BPA is built into Windows Server 2012? In the old days you needed to download all the BPAs:

http://www.microsoft.com/en-us/download/details.aspx?id=15556

But now in 2012 the BPA is built in. This is a great feature, but did you know about it? I see a lot of items, and some IT admins did not know about the BPA feature.

You can check the BPA in PowerShell or in the GUI.

The GUI version:

Go to Server Manager and check Local Server (this is my test demo server, so plenty of errors here).

Click on Tasks and click the BPA scan; the output will be a nice listing of config items.

But there is more: did you know you can do this with PowerShell?

Find which BPA models are available:

Get-BpaModel | Select Id

Id

Microsoft/Windows/ADRMS
Microsoft/Windows/CertificateServices
Microsoft/Windows/DHCPServer
Microsoft/Windows/DirectoryServices
Microsoft/Windows/DNSServer
Microsoft/Windows/FederationServices
Microsoft/Windows/FileServices
Microsoft/Windows/Hyper-V
Microsoft/Windows/LightweightDirectoryServices
Microsoft/Windows/NPAS
Microsoft/Windows/RemoteAccessServer
Microsoft/Windows/TerminalServices
Microsoft/Windows/UpdateServices
Microsoft/Windows/VolumeActivation
Microsoft/Windows/WebServer

So all these models can be run on your server, built-in, easy and quick; some scans are quick and some take a little time.

Invoke-BpaModel Microsoft/Windows/WebServer

View a summary of the BPA results by Severity

Get-BpaResult Microsoft/Windows/DNSServer| Group Severity

You will see a list with all the items in the console.

View the details for all results with “Warning” severity level :

Get-BpaResult Microsoft/Windows/DNSServer| ? Severity -eq "Warning"

And if you want to exclude items:

Get-BpaResult Microsoft/Windows/DNSServer | ? Severity -eq "Warning" | Set-BpaResult -ModelId Microsoft/Windows/DNSServer -Exclude $true

These are just samples of how to start; more options are available.

Yes, it is easy if you know all the cmdlets.

It is not that hard to start:

Get-Command *bpa*

These are all the commands you can use for BPA.

Cmdlet          Get-BpaModel                                      BestPractices
Cmdlet          Get-BpaResult                                      BestPractices
Cmdlet          Invoke-BpaModel                                 BestPractices
Cmdlet          Set-BpaResult                                      BestPractices

But what about a remote computer?

Easy, enter:

Enter-PSSession Yourcomputer -Credential administrator

The prompt changes and now starts with the name of the server you connected to.

[mvpdc01]: PS C:\Users\Administrator.000\Documents> Get-BpaModel
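
Putting the commands above together (an added example, not code from the original post): scan every available model, keep only the Error and Warning results that have not been excluded, and save them for review. The report path C:\Temp\bpa-findings.csv is an assumed location.

```powershell
# Added example: scan all BPA models and collect the findings that need attention.
# Run in an elevated PowerShell session on Windows Server 2012 or later.
Import-Module BestPractices

$reportPath = 'C:\Temp\bpa-findings.csv'   # assumed output location
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null

$findings = foreach ($model in Get-BpaModel) {
    try {
        # A model whose role is not installed on this server may fail to scan; skip it.
        Invoke-BpaModel -ModelId $model.Id -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Warning "Skipping $($model.Id): $($_.Exception.Message)"
        continue
    }

    # Keep Error and Warning results that were not excluded with Set-BpaResult.
    Get-BpaResult -ModelId $model.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.Severity -in 'Error', 'Warning' -and -not $_.Excluded }
}

# Summary per model and severity.
$findings |
    Group-Object ModelId, Severity |
    Sort-Object Name |
    Select-Object Count, Name

# Full detail for follow-up, including the remediation text each rule provides.
$findings |
    Select-Object ComputerName, ModelId, Severity, Category, Title, Problem, Impact, Resolution |
    Export-Csv -Path $reportPath -NoTypeInformation
```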

Source: https://robertsmit.wordpress.com/2013/10/31/1978/

Rename Domain Name in Windows Server 2012

Server admins who are familiar with Windows Server 2000 & 2003 may still remember the RENDOM utility, which was used to rename a Windows 2000 or 2003 domain and had to be installed manually.

But in Windows Server 2012 domain you don’t have to separately install “Rendom” utility.

It gets installed as part of the “Active Directory Domain Services” role when you promote a server to the DC role, and it can be found here: %windir%\system32\rendom.exe.

In this simple guide, I will show you how to rename a domain in Windows Server 2012. The process is straightforward, but as usual, back up any necessary information on the server before you proceed. As I always advise, especially to my students, please do this exercise in a lab environment (Hyper-V). Don’t take the risk of doing this in a production environment unless you have to!

For this exercise, I’m using the MCT courseware from 20410B (Installing and Configuring Windows Server 2012).

The existing domain is ADATUM.COM and I will rename it to CPX.LOCAL.

** For those who want to build their own AD and try this exercise, please refer to my previous post https://mizitechinfo.wordpress.com/2013/06/09/simple-guide-how-to-built-active-directory-in-windows-server-2012/.

So, let’s get started…

1 – Open your System Properties and check your existing domain name. As you can see from my Windows Server 2012 system properties, my existing domain name is Adatum.com. This will be changed to cpx.local in a short while.

2 – Next, open your Server Dashboard, go to Tools & click DNS to open DNS Manager..

3 – In DNS Manager, you must create the new DNS zone (cpx.local). This makes sure that, after the whole process completes successfully, your member servers and Windows clients can join the new domain name.

** to create new DNS Zone, Right Click Forward Lookup Zone, and click New Zone

4 – On the Welcome to the New Zone Wizard, just click Next button..

5 – On the Zone Type, Click Primary Zone and click Next..

6 – On the Active Directory Zone Replication Scope, click the To all DNS servers running on domain controllers in this domain: Adatum.com button and click Next…

7 – In the Zone Name, key in your new domain name; my new domain name is cpx.local.

8 – On the Dynamic Update, Click Allow only secure dynamic updates (recommended for Active Directory), and click Next…

9 – On the completing the New Zone Wizard, click Finish to complete the process.

10 – On DNS Manager, you can see my new Domain Name is listed (cpx.local)

11 – Next, open Command Prompt, run as administrator..

12 – In CMD, type rendom /list and press Enter. This command is used to generate a state file named Domainlist.xml. This file contains the current forest configuration.

13 – Next, open computer and browse to C:\Users\Administrator folder to get your Domainlist.xml.

14 – Once you see Domainlist.xml, right-click the file name & choose Edit. I am going to change the DNSname and NetBiosName in this Domainlist.xml file.

15 – Once Domainlist.xml is open, you can see there are a few entries with the existing domain name; change the existing domain name to the new domain name.. refer to picture:

16 – Once you have changed to the new domain name, make sure you save the Domainlist.xml file..

17 – After you save the Domainlist.xml file, close it and return to CMD. In CMD, type rendom /showforest. This shows the potential changes; this step does not make any changes.

18 – Next, type rendom /upload. This is to upload the rename instructions (Domainlist.xml) to the configuration directory partition on the domain controller holding the domain naming operations master role.

19 – Next, type rendom /prepare. This is used to verify the readiness of each DC in the forest to carry out the rename instructions. This should contact all DCs successfully and return no errors before you proceed to the next step.

20 – Next, type rendom /execute. This verifies the readiness of all DCs and then performs the rename action on each one.

** Remember that there will be a service interruption during this process. Once the process is successful, your DC server will be restarted.

21 – Once your DC server has restarted, log in using the new domain name as administrator.

22 – Next, after you successfully log in, open System Properties and check that your old domain name is now gone, replaced by the new domain name…

23 – Next, open CMD again, and type gpfixup /olddns:adatum.com /newdns:cpx.local. This is to refresh all intradomain references and links to group policy objects.

24 – Next, type gpfixup /oldnb:lon-dc1 /newnb:cpx..

25 – Next, type rendom /clean. This is to remove references of the old domain name from AD.

26 – Next, type rendom /end. This is to unfreeze the forest configuration and allow further changes. This was frozen during the rendom /upload step.

27 – Next, open DNS Manager and click your newly created domain (cpx.local). Here you can see your own IP listed, but we still have a long way to go to make sure this DNS zone is working..

28 – Next, turn on your client PC; for this exercise I’m using Windows 8 as a client. Open System Properties and join the new domain (cpx.local). In case you get an error, don’t get scared! Just click OK, the Windows Security box will show up, and then key in the administrator name and domain password and click OK (Welcome to the cpx.local domain). Refer to pictures..

29 – After your Windows 8 client restarts, log in as a domain administrator.

30 – Once you log in, double check the Windows 8 System Properties. Now your Windows 8 client has successfully joined the new domain (cpx.local).

31 – Now, go to the Server 2012 and open DNS Manager; you can see that your Windows 8 client is now listed in DNS.

32 – You can also check in Active Directory Users & Computers that your Windows 8 client is now also listed.
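
Steps 14 to 16 can also be scripted, which avoids missing one of the entries in the state file. This is an added example, not code from the original post; the sample Domainlist.xml, its GUIDs and the NetBIOS names ADATUM and CPX are constructed for illustration, and Update-RendomDomainList is a hypothetical helper name.

```powershell
# Added example: rewrite the names in a rendom state file instead of editing it by hand.
function Update-RendomDomainList {
    param(
        [Parameter(Mandatory)] [string] $Path,            # Domainlist.xml written by "rendom /list"
        [Parameter(Mandatory)] [string] $OldDnsName,
        [Parameter(Mandatory)] [string] $NewDnsName,
        [Parameter(Mandatory)] [string] $OldNetBiosName,
        [Parameter(Mandatory)] [string] $NewNetBiosName
    )

    $fullPath = (Resolve-Path $Path).Path
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($fullPath)

    # Match the old name only as a whole DNS suffix, so the application partitions
    # (DomainDnsZones.*, ForestDnsZones.*) are renamed and unrelated names are left alone.
    $suffix = '(^|\.)' + [regex]::Escape($OldDnsName) + '$'
    foreach ($dns in $doc.SelectNodes('/Forest/Domain/DNSname')) {
        if ($dns.InnerText -match $suffix) {
            $dns.InnerText = $dns.InnerText -replace $suffix, ('${1}' + $NewDnsName)
        }
    }

    # Application partitions carry an empty NetBiosName; only a matching entry is changed.
    foreach ($nb in $doc.SelectNodes('/Forest/Domain/NetBiosName')) {
        if ($nb.InnerText -eq $OldNetBiosName) { $nb.InnerText = $NewNetBiosName }
    }

    Copy-Item -Path $fullPath -Destination "$fullPath.bak" -Force   # keep the original state file
    $doc.Save($fullPath)

    # Return the resulting entries so they can be reviewed before "rendom /showforest".
    foreach ($domain in $doc.SelectNodes('/Forest/Domain')) {
        [pscustomobject]@{
            DNSname     = $domain.SelectSingleNode('DNSname').InnerText
            NetBiosName = $domain.SelectSingleNode('NetBiosName').InnerText
        }
    }
}

# Constructed sample state file for a single-domain forest (GUIDs are placeholders).
$sample = Join-Path $env:TEMP 'Domainlist.xml'
@'
<?xml version="1.0"?>
<Forest>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>00000000-0000-0000-0000-000000000001</Guid>
    <DNSname>DomainDnsZones.Adatum.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>00000000-0000-0000-0000-000000000002</Guid>
    <DNSname>ForestDnsZones.Adatum.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- ForestRoot -->
    <Guid>00000000-0000-0000-0000-000000000003</Guid>
    <DNSname>Adatum.com</DNSname>
    <NetBiosName>ADATUM</NetBiosName>
    <DcName></DcName>
  </Domain>
</Forest>
'@ | Set-Content -Path $sample -Encoding UTF8

Update-RendomDomainList -Path $sample -OldDnsName 'adatum.com' -NewDnsName 'cpx.local' `
    -OldNetBiosName 'ADATUM' -NewNetBiosName 'CPX' | Format-Table -AutoSize

# On a real DC, run the function against the Domainlist.xml from step 13 and then
# continue with step 17 (rendom /showforest) to review the change before uploading it.
```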

Source: https://mizitechinfo.wordpress.com/2013/06/10/simple-guide-how-to-rename-domain-name-in-windows-server-2012/

Manage File Server using FSRM File Screening in Windows Server 2012 R2

In this post, let’s go through, step by step, how to manage our office file server using FSRM File Screening in Server 2012 R2.

Before we start, let’s understand first what Is FSRM & File Screening Management?

FSRM (File Server Resource Manager) is a set of tools that allows administrators to understand, control, and manage the quantity and type of data stored on their servers.

Using FSRM, you can place quotas on storage volumes, screen files and folders, generate comprehensive storage reports, control the file classification infrastructure, and use file management tasks to perform scheduled actions on sets of files.

These tools help you monitor existing storage resources, and aid in planning and implementing future policy changes.

File Screening Management allows you to create file screens to block types of file from being saved on a volume or in a folder tree.

A file screen affects all folders in the designated path. You use file groups to control the types of files that file screens manage. For example, you might create a file screen to prevent users from storing audio and video files in their personal folders on the server. Like all components of FSRM, you can choose to generate email or other notifications when a file screening event occurs.

For this demo, as usual I will be using my DC01.comsys.local, SVR01.comsys.local and my Surface01.comsys.local client PC.

So, let’s get started…

1 – Before you start using and managing FSRM, you need to install it.

On SVR01.comsys.local (this is my file server), open Server Manager, on the Dashboard click Add Roles and Features, and click Next 2 times until you reach the Select server roles box…

On the Select server roles box, expand File and Storage Services (Installed), expand File and iSCSI Services, and then select the File Server Resource Manager check box, then click Add Features…

2 – Next, On the Select server roles box click Next to proceed…

3 – On the Select Features box, click Next to proceed…

4 – On the Confirm installation selections box, click Install and wait few minutes for installation to be completed…

5 – When the installation completes, click Close

6 – Next, open File Server Resource Manager…

7 – In the File Server Resource Manager console, expand File Screening Management, click File Groups, then right-click File Groups and click Create File Group…

8 – In the Create File Group Properties window, in the File group name box, type Comsys Media Files, then in the Files to include box, type *.mp* and *.torrent, and then click Add, in the Files to exclude box, type *.docx and *.xlsx, click Add, and then click OK.

9 – Verify that Comsys Media Files is available in the File Groups list…

10 – Next, let’s create a file screen template: right-click File Screen Templates, and click Create File Screen Template…

11 – In the Create File Screen Template box, under Template name:, type Comsys Media, then under File Group, select Comsys Media Files check box and next click Event Log tab…

12 – Once you are on the Event Log tab, click Send warning to event log (this requires us to check the Event Viewer in a later step) and click OK to continue…

13 – Verify that Comsys Media is listed in the File Screen Template…

14 – Next step is to create File Screen, right-click File Screens, and then click Create File Screen…

15 – In the Create File Screen box, in the File screen path text box, type C:\HR (you can point to any folder in which you wish to screen files), then under Derive properties from this file screen template (recommended), open the drop-down list box, click Comsys Media, and then click Create…

16 – Next, verify that the File Screen is pointing to your selected folder…

17 – Next, let’s test the file screen function: log in to your client PC and try to copy any MP3 file to the HR folder located on the SVR01 server. You should get a pop-up saying that access is denied…

If you have any *.docx or *.xlsx file, please give it a try. Since in this demo I excluded the *.docx file extension, when my domain users copy any *.docx file, it can be copied into the HR folder…

18 – Lastly, log in to the SVR01 server and open Event Viewer, browse to Windows Logs and click Application. Notice the Warning stating that user Comsys\Thava attempted to save C:\HR\*.mp3 to C:\HR on the SVR01 server.

Also verify that the Event ID is 8215.
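
The same file screen can be built with the FileServerResourceManager PowerShell cmdlets. This is an added example, not code from the original post; it assumes C:\HR already exists on SVR01, and the event text is the message quoted in step 18 written with FSRM variables.

```powershell
# Added example: the file screen from the steps above, built with the FSRM cmdlets.
# Run elevated on the file server (SVR01 in this demo).
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Step 8: file group with include and exclude patterns.
New-FsrmFileGroup -Name 'Comsys Media Files' `
    -IncludePattern @('*.mp*', '*.torrent') `
    -ExcludePattern @('*.docx', '*.xlsx')

# Step 12: write a warning to the Application event log for every blocked save.
$logWarning = New-FsrmAction -Type Event -EventType Warning -Body (
    'User [Source Io Owner] attempted to save [Source File Path] to ' +
    '[File Screen Path] on the [Server] server.')

# Steps 10-11: the template. -Active blocks the save; without it the screen only monitors.
New-FsrmFileScreenTemplate -Name 'Comsys Media' `
    -IncludeGroup 'Comsys Media Files' `
    -Active `
    -Notification $logWarning

# Step 15: apply the template to the folder.
New-FsrmFileScreen -Path 'C:\HR' -Template 'Comsys Media'

# Step 16: confirm what is in place.
Get-FsrmFileScreen -Path 'C:\HR' | Select-Object Path, Template, Active, IncludeGroup

# Step 18: review recent screening events (Event ID 8215) with user and file path.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 8215 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message |
    Format-List
```

File screens match on the file name pattern only, so event 8215 is a useful signal of attempted saves but does not show that such content is absent from the share.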

Source: https://mizitechinfo.wordpress.com/2013/08/20/step-by-step-manage-file-server-using-fsrm-file-screening-in-windows-server-2012-r2/

Deploy DFS in Windows Server 2012 R2

Today, let’s go through, step by step, how to deploy Distributed File System (DFS) in Windows Server 2012 R2. But before we start, you should know what DFS is all about.

What Is DFS?

Normally, to access a file share, domain users use a Universal Naming Convention (UNC) name to reach the shared folder content.

Many large companies have hundreds of file servers that are dispersed geographically throughout the organization.

This makes it very challenging for users who are trying to find and access files efficiently.

So by using a namespace, DFS can simplify the UNC folder structure. In addition, DFS can replicate the virtual namespace and the shared folders to multiple servers within the organization. This can ensure that the shares are located as close as possible to users, thereby providing an additional benefit of fault tolerance for the network shares.

Orait, that’s a just a bit of DFS introduction, for more information, please do refer to http://technet.microsoft.com/en-us/library/jj127250.aspx, or for those who interested to “feel” the hands-on on the DFS, please do join my Server 2012 training, please refer to my website for more information : http://compextrg.com/

So, enough said, let’s get started with our DFS deployment.

** As usual, for this DFS demo, I’m using 3 Server 2012 machines (DC01, SVR01, COMSYS-RODC01) and a Windows client (Surface01).

** I will install DFS into SVR01 and COMSYS-RODC01 Server

1 – Always be aware that to deploy DFS you need 2 servers so that the folders can replicate to each other, so I will install DFS on the SVR01 and COMSYS-RODC01 servers; you can install DFS on both simultaneously.

To install DFS in Svr01 server, open Server Manager, on the Dashboard click Add Roles and Features

2 – In the Before you begin box, click Next

3 – On the Select installation type box, click Next to proceed (make sure Role-based or feature-based installation is selected)…

4 – On the Select destination server box, click Next to proceed…

5 – On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select the DFS Namespaces check box, in the Add Roles and Features pop-up box, click Add Features…

6 – Next, make sure you select the DFS Replication check box, and then only click next to proceed…

7 – Next, on the Select features box, click Next

8 – On the Confirm installation selections box, click Install

9 – Wait for few minutes for the installation to complete and when the installation completes, click close…

** As I mentioned previously, you also need to install DFS on another server, which in my demo is the COMSYS-RODC01 server…

** Once you have confirmed that DFS is installed on both servers, please proceed with the DFS namespace configuration.

10 – 1st, open DFS Management from Server Manager…

11 – Next, on the DFS console, right-click Namespaces, and then click New Namespace (A namespace is a virtual view of shared folders in your server)…

12 – In the New Namespace Wizard, on the Namespace Server page, under Server, type svr01, and then click Next…

13 – Next, on the Namespace Name and Settings box, under Name, type MarketingDocs, and then click Edit Settings…

14 – In the Edit Settings box, under Local Path of shared folder: type C:\DFSRoots\MarketingDocs and select Administrators have full access; other users have read and write permissions, then click OK…

15 – Next, on the Namespace Type box, verify that Domain-based namespace is selected. Take note that the namespace will be accessed by \\comsys.local\MarketingDocs, ensure also that the Enable Windows Server 2008 mode check box is selected, and then click Next…

16 – On the Review Settings and Create Namespace page, click Create

17 – On the Confirmation box, verify that the Create namespace task is successful, and then click Close…

18 – Next, you need to enable access-based enumeration for the MarketingDocs namespace.

To do so, under Namespaces, right-click \\comsys.local\MarketingDocs, and then click Properties…

19 – In the \\comsys.local\MarketingDocs Properties box, click the Advanced tab, then select the Enable access-based enumeration for this namespace check box, and then click OK…

20 – Next, let’s add the Brochures folder to the MarketingDocs namespace…

To do that, right-click \\comsys.local\MarketingDocs , and then click New Folder

21 – In the New Folder box, under Name, type Brochures then click Add…

22 – In the Add Folder Target dialog box, type \\comsys-rodc01\Brochures, and then click OK…

23 – In the Warning box, click Yes

24 – In the Create Share box, in the Local path of shared folder box, type C:\MarketingDocs\Brochures, and select Administrators have full access; other users have read and write permissions, then click OK…

25 – In the Warning box, click Yes to proceed…

26 – Click OK again to close the New Folder dialog box…

27 – Next, I want to add the OnlineAdvert folder to the MarketingDocs namespace, so to do that, right-click \\comsys.local\MarketingDocs, and click New Folder, then In the New Folder box, under Name, type OnlineAdvert, and then, click Add…

28 – In the Add Folder Target box, type \\svr01\OnlineAdvert, and then click OK…

29 – In the Warning box, click Yes to create the OnlineAdvert folder

30 – Next, in the Create Share box, in the Local path of shared folder box, type C:\MarketingDocs\OnlineAdvert, make sure you also select Administrators have full access; other users have read and write permissions, then click OK…

31 – In the Warning box, click Yes

32 – Click OK again to close the New Folder dialog box (verify that \\svr01\OnlineAdvert is listed) and check that the Brochures and OnlineAdvert folders are listed under the \\comsys.local\MarketingDocs namespace…

33 – Now let’s verify that our MarketingDocs namespace and its folders can be accessed using UNC: open RUN and type \\comsys.local\MarketingDocs, then in the MarketingDocs window, verify that both Brochures and OnlineAdvert are displayed.

34 – Now for the second important task, which is to configure DFS replication (DFS-R). But before that, let’s create another folder target for Brochures…

Right-click Brochures, and then click Add Folder Target…

35 – In the New Folder Target box, under Path to folder target, type \\svr01\Brochures, and then click OK…

36 – In the Warning box, click Yes to create the shared folder on svr01 server…

37 – Next, in the Create Share box, under Local path of shared folder, type C:\MarketingDocs\Brochures, don’t forget to select Administrators have full access; other users have read and write permissions, then click OK…

38 – In the Warning box, click Yes to create the folder on svr01 server…

39 – In the Replication box, click Yes. The Replicate Folder Wizard starts…

40 – Next, in the Replicate Folder Wizard, on both the Replication Group and Replicated Folder Name page, accept the default settings, and then click Next…

41 – On the Replication Eligibility page, click Next

42 – On the Primary Member box, I choose SVR01 server to be my Primary DFS server, and then click Next…

43 – On the Topology Selection box, select Full Mesh, and then click Next…

44 – On the Replication Group Schedule and Bandwidth, I choose Full and then click next…

45 – On the Review Settings and Create Replication Group box, click Create

46 – On the Confirmation box, click Close (verify that all status is Success)…

47 – In the Replication Delay box, click OK…

48 – Next, expand Replication, and then click comsys.local\marketingdocs\brochures, on the right pane, under Memberships tab, verify that both comsys-rodc01 and svr01 server is listed….

49 – To make sure the replication process is running without any issue, and to verify that our second server, COMSYS-RODC01, has the same DFS function, log on to the COMSYS-RODC01 server, open DFS Management, right-click Namespaces and click Add Namespace to Display…

50 – In the Add Namespace to Display box, verify that domain is Comsys.local and under Namespace:, \\Comsys.local\MarketingDocs is listed and then click OK…

51 – Next, in the DFS console on the Comsys-RODC01 server, you should see that both Brochures and OnlineAdvert folder is listed…

52 – Lastly, log on to your client PC as any domain user, open RUN, type \\Comsys.local\MarketingDocs and press Enter. You should see the MarketingDocs folder pop up with the Brochures and OnlineAdvert folders inside…

We are done for now; with this configuration, you can now start using DFS.
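
The namespace and replication setup above can also be scripted with the DFSN and DFSR cmdlets in Windows Server 2012 R2. This is an added example, not code from the original post; New-DemoShare is a hypothetical helper, and mapping the wizard's "Administrators have full access; other users have read and write permissions" option to Administrators (Full) and Everyone (Change) share permissions is an assumption.

```powershell
# Added example: the namespace and replication group from the steps above.
# Run as a domain administrator from a server with the DFS management tools.
Invoke-Command -ComputerName svr01, comsys-rodc01 -ScriptBlock {
    Install-WindowsFeature FS-DFS-Namespace, FS-DFS-Replication -IncludeManagementTools
}

$root  = '\\comsys.local\MarketingDocs'
$group = 'comsys.local\marketingdocs\brochures'   # replication group name shown in step 48

# Hypothetical helper: create a folder on a server and share it.
function New-DemoShare ($Server, $Name, $LocalPath) {
    Invoke-Command -ComputerName $Server -ArgumentList $Name, $LocalPath -ScriptBlock {
        param($Name, $LocalPath)
        New-Item -ItemType Directory -Path $LocalPath -Force | Out-Null
        New-SmbShare -Name $Name -Path $LocalPath `
            -FullAccess 'BUILTIN\Administrators' -ChangeAccess 'Everyone' | Out-Null
    }
}
New-DemoShare svr01         MarketingDocs 'C:\DFSRoots\MarketingDocs'      # step 14
New-DemoShare comsys-rodc01 Brochures     'C:\MarketingDocs\Brochures'     # step 24
New-DemoShare svr01         OnlineAdvert  'C:\MarketingDocs\OnlineAdvert'  # step 30
New-DemoShare svr01         Brochures     'C:\MarketingDocs\Brochures'     # step 37

# Steps 11-19: domain-based namespace in Windows Server 2008 mode with
# access-based enumeration enabled.
New-DfsnRoot -Path $root -TargetPath '\\svr01\MarketingDocs' `
    -Type DomainV2 -EnableAccessBasedEnumeration $true

# Steps 20-35: namespace folders and the second target for Brochures.
New-DfsnFolder       -Path "$root\Brochures"    -TargetPath '\\comsys-rodc01\Brochures'
New-DfsnFolder       -Path "$root\OnlineAdvert" -TargetPath '\\svr01\OnlineAdvert'
New-DfsnFolderTarget -Path "$root\Brochures"    -TargetPath '\\svr01\Brochures'

# Steps 39-46: replication group with SVR01 as the primary member. With two members,
# the single two-way connection created here is the full mesh chosen in step 43.
New-DfsReplicationGroup -GroupName $group
New-DfsReplicatedFolder -GroupName $group -FolderName 'Brochures'
Add-DfsrMember          -GroupName $group -ComputerName svr01, comsys-rodc01
Add-DfsrConnection      -GroupName $group -SourceComputerName svr01 `
    -DestinationComputerName comsys-rodc01
Set-DfsrMembership -GroupName $group -FolderName 'Brochures' -ComputerName svr01 `
    -ContentPath 'C:\MarketingDocs\Brochures' -PrimaryMember $true -Force
Set-DfsrMembership -GroupName $group -FolderName 'Brochures' -ComputerName comsys-rodc01 `
    -ContentPath 'C:\MarketingDocs\Brochures' -Force

# Step 48: verify that both members are listed.
Get-DfsrMembership -GroupName $group |
    Select-Object GroupName, ComputerName, ContentPath, PrimaryMember
```

Access-based enumeration only hides folders a user cannot read; share and NTFS permissions on each folder target are what enforce access, so review them on both servers.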

Source: https://mizitechinfo.wordpress.com/2013/08/21/step-by-step-deploy-dfs-in-windows-server-2012-r2/

DHCP Failover in Server 2012 R2

DHCP failover is a new feature in Windows Server 2012.

It provides the following features:

  1. Provide DHCP service availability at all times on the enterprise network
  2. If a DHCP server is no longer reachable, the DHCP client is able to extend the lease on its current IP address by contacting another DHCP server on the enterprise network

The DHCP server failover feature provides the ability to have two DHCP servers serve IP addresses and option configuration to the same subnet or scope.

DHCP failover in Windows Server 2012 provides support for a maximum of two DHCP servers, and the failover relationship is limited to IPv4 scopes and subnets.

So let’s begin with the process.. ** I assume most of you already know how to install DHCP Services on Windows Server 2012 R2. **

1 – Right Click IPv4 and click Configure Failover…

2 – On the Configure Failover introduction page, confirm the Available scopes and click Next…

3 – Next, on the Specify the partner server to use for failover page, click Add Server and choose your 2nd DHCP Server.

4 – Next, confirm that 2nd DHCP Server IP address listed in the Partner Server box and click Next…

5 – On the Create a new failover relationship box, there are some settings that you need to take note of:

Relationship name: Each relationship name is required to be unique on a server.

Maximum Client Lead Time: It defines the temporary lease period given by the failover server to a new client.

Mode: There are two modes for DHCP failover, which are “Hot Standby” and “Load balance”.

In hot standby mode, 2 servers operate in a failover relationship where an active server is responsible for leasing IP addresses and configuration information to all clients in a scope or subnet, while a secondary server assumes this responsibility if the primary server becomes unavailable. A server is primary or secondary in the context of a subnet.

In a load balance mode deployment, which is the default mode of operation, the two servers simultaneously serve IP addresses and options to clients on a given subnet. The client requests are load balanced and shared between the two servers.

Auto State Switchover Interval : A server that loses communication with a partner server transitions into a communication interrupted state. The loss of communication may be due to a network outage or the partner server may have gone offline. Since there is no way for the server to detect the reason for loss of communication with its partner, the server will continue to remain in communication interrupted state until the administrator manually changes the state to partner down. Alternatively, DHCP failover has a provision for automatic transition to partner down state based on a time out interval. This is a configurable element called the auto state switchover interval. The default value for auto state switchover interval is 10 minutes.

Enable Message Authentication : To configure message authentication, the DHCP failover setup wizard prompts the administrator to provide a shared secret. As part of the failover relationship creation, the failover setup wizard provisions the shared secret for message authentication to each of the servers in the failover relationship.

6 – Next, confirm the settings and click Finish.

7 – Now log in to both of the DHCP servers (in my demo OSI-ADDS01 and OSI-SVR01, which both host my DHCP service). Confirm that the DHCP service is running on both and that both servers have the same settings.

8 – Next, log in to your client PC (in my demo I have a Windows 8.1 machine), open CMD and type ipconfig /all to get the IP information.

— Confirm that your client machine is receiving an IP from the DHCP server. In my demo the IP is coming from my OSI-SVR01 server (172.16.0.103).

— To test the DHCP failover, disconnect the network on one of the DHCP servers (in my demo it is the OSI-SVR01 server).

9 – Now, release and renew the IP from your client machine (ipconfig /release.. ipconfig /renew).. please refer to pic..

10 – Confirm that you now receive an IP from the other DHCP server (in my demo it is the ADDS01 server with IP 172.16.0.101).

This proves that our DHCP failover is working.

12 – Now, back on the OSI-ADDS01 server, right-click the DHCP scope, select Properties, click the Failover tab, and you can verify that the failover status states “Lost contact with Partner”..
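
The settings described in step 5 map directly onto the DhcpServer PowerShell module. This is an added example, not code from the original post; the relationship name, scope ID 172.16.0.0, the even load balance split and the one hour Maximum Client Lead Time are assumed values, and the server names follow the demo.

```powershell
# Added example: create the failover relationship with message authentication enabled,
# then check every relationship for its state and authentication setting.
Import-Module DhcpServer

# Prompt for the shared secret so it is not stored in the script or in command history.
$secure = Read-Host -Prompt 'Failover shared secret' -AsSecureString
$secret = (New-Object System.Net.NetworkCredential('', $secure)).Password

$failover = @{
    ComputerName        = 'OSI-ADDS01'             # server the relationship is created on
    PartnerServer       = 'OSI-SVR01'
    Name                = 'OSI-ADDS01-OSI-SVR01'   # assumed; must be unique on a server
    ScopeId             = '172.16.0.0'             # assumed scope ID for the demo subnet
    LoadBalancePercent  = 50                       # load balance mode, assumed even split
    MaxClientLeadTime   = [TimeSpan]'01:00:00'     # assumed value
    AutoStateTransition = $true                    # move to partner down automatically
    StateSwitchInterval = [TimeSpan]'00:10:00'     # the 10 minute default mentioned above
    SharedSecret        = $secret                  # turns on message authentication
}
Add-DhcpServerv4Failover @failover

# Review the relationship as each partner sees it. State leaves Normal when the
# partner cannot be reached, which is what the test in steps 8-12 provokes.
foreach ($server in 'OSI-ADDS01', 'OSI-SVR01') {
    Get-DhcpServerv4Failover -ComputerName $server |
        Select-Object @{ n = 'Server'; e = { $server } }, Name, PartnerServer, Mode,
                      State, EnableAuth, AutoStateTransition, StateSwitchInterval
}

# Flag any relationship that was created without message authentication.
foreach ($server in 'OSI-ADDS01', 'OSI-SVR01') {
    Get-DhcpServerv4Failover -ComputerName $server |
        Where-Object { -not $_.EnableAuth } |
        ForEach-Object { Write-Warning "$server : relationship '$($_.Name)' has no message authentication" }
}
```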

Source: https://mizitechinfo.wordpress.com/2014/06/29/step-by-step-guide-dhcp-failover-in-server-2012-r2/

Deploying an Enterprise Subordinate CA in Server 2012 R2

About Enterprise CA:

– An enterprise CA is typically used to issue certificates to users, computers, and services, and is not typically used as an offline CA

– An enterprise CA requires AD DS, which can be used as a configuration and registration database. An enterprise CA also provides a publication point for certificates issued to users and computers.

– Users can request certificates from an enterprise CA using the following methods:

> Manual Enrollment
> Web Enrollment
> Autoenrollment
> Enrollment agent

For more information on CAs, please refer to: http://technet.microsoft.com/en-us/library/cc756989(v=ws.10).aspx

Orait, let’s get started. For this Enterprise Subordinate CA deployment demo, I will use my new virtual server, ComSys-ADCS.comsys.local, together with DC01.comsys.local and SVR01.comsys.local.

I will deploy the Enterprise Subordinate CA on this ComSys-ADCS.comsys.local server:

1 – First, let me log in to my ComSys-ADCS.comsys.local server, and then open Server Manager, then on the Dashboard click Add roles and features…

2 – On the Before you begin box click Next to proceed…

3 – On the Select installation type box (verify that Role-based or feature-based installation is selected) then click Next

4 – On the Select destination server box (check on my Server, – Comsys-ADCS.comsys.local), click Next…

5 – On the Select server roles box, click Active Directory Certificate Services, then click Add Features and proceed with next

6 – On the Select features box, click Next

7 – On the Active Directory Certificate Services box, click Next

8 – On the Select role services box, verify that Certification Authority is selected and then select Certification Authority Web Enrollment, then click Add Features, and click Next to proceed…

9 – Next, on the Web Server Role (IIS) box, proceed with next

10 – On the Select role services box, click next

11 – On the Confirm installation selections box, click Install

12 – After installation is successful, click Configure Active Directory Certificate Services on the destination server link…

13 – On the Credentials box, click Next

14 – On the Role Services box, select both Certification Authority and Certification Authority Web Enrollment, and then click Next

15 – On the Setup Type box, select Enterprise CA, and then click Next

16 – On the CA Type box, click Subordinate CA, and then click Next

17 – On the Private Key box, verify that Create a new private key is selected, and then click Next

18 – On the Cryptography for CA box, I did not change any configuration; I leave it as default and then click Next

19 – On the CA Name box, in the Common name for this CA text box, type Comsys-IssuingCA, and then click Next

20 – On the Certificate Request box, verify that Save a certificate request to file on the target machine is selected, and then click Next (you can change the file name if you wish to…)

21 – On the CA Database box, click Next

22 – On the Confirmation box, click Configure

23 – On the Results box, click Close (verify that Configuration succeeded) …

24 – Next, access to your Domain Server from Comsys-ADCS server (DC01.comsys.local), open Run and I type \\dc01\c$…

25 – Once you successfully access the domain server, copy the RootCA file (you should notice this RootCA file was created in my previous demo, “Step by step on how to Deploy a Standalone Root CA in Server 2012 R2 Part 1”)…

26 – Then paste the RootCA file in Comsys-ADCS C: drive…

27 – Right-click RootCA, and then click Install Certificate…

28 – In the Certificate Import Wizard, click Local Machine, and then click Next

29 – On the Certificate Store box, click Place all certificates in the following store, and then click Browse, then you need to click Trusted Root Certification Authorities, and then click OK…

30 – Click Next, and then click Finish

31 – When the Certificate Import Wizard window pops up, click OK

32 – Next, from the Comsys-ADCS server, access the DC01 domain server and copy both the Certificate Revocation List and the Security Certificate (both of these files were created in the previous demo)…

33 – Next, on the Comsys-ADCS server, browse to your C drive and open inetpub folder and then open wwwroot folder, then create a new folder, and name it CertData…

34 – Paste the two copied files into that folder…

35 – Next, In the Certificate Authority console, right-click Comsys-IssuingCA, point to All Tasks, and then click Submit new request…

36 – In the Open Request File box, browse to (C:), click file Comsys-ADCS.comsys.local_Comsys- Comsys-IssuingCA.req, and then click Open…

37 – In the Certificate Authority console, right-click Comsys-IssuingCA, point to All Tasks, and then click Submit new request…

38 – In the Open Request File window, browse to \\comsys-adcs\c$, click file Comsys-ADCS.comsys.local_Comsys- Comsys-IssuingCA.req, and then click Open…

39 – In the right pane, right-click the request (with ID 2), point to All Tasks, and then click Issue…

40 – Next, click the Issued Certificates container then double-click the certificate, and then click the Details tab and click Copy to File…

** In the Certificate Export Wizard, on the Welcome page, click Next…

41 – On the Export File Format box, click Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), click Include all certificates in the certification path if possible, and then click Next…

42 – On the File to Export box, click Browse (comsys-adcs server), then in the File name text box, type SubCA, and then press Enter.

43 – Then click Next to proceed…

44 – Click Finish, and then click OK

45 – Next, still on the Comsys-ADCS server, in the Certification Authority console, right-click Comsys-IssuingCA, point to All Tasks, and then click Install CA Certificate…

46 – Navigate to (C:), click the SubCA.p7b file, and then click Open

47 – Wait a few seconds, then right-click Comsys-IssuingCA, click All Tasks and click Start Service…

48 – Verify that the CA starts successfully…

49 – Next, you can start publishing the root CA certificate to your infrastructure using Group Policy…

** On DC01 server, open Group Policy Management, then right-click Default Domain Policy, and then click Edit…

50 – In the Computer Configuration node, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import…

51 – In the Certificate Import Wizard, click Next…

52 – On the File to Import page, click Browse, in the file name text field, type \\comsys-adcs\c$, and then press Enter, then choose RootCA.cer, and then click Open…

53 – Click Next two times, and then click Finish

54 – When the Certificate Import Wizard window pops up, click OK

Finally, we are done for now: at this point we have deployed and configured an enterprise subordinate CA…
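
The certificate-handling steps above (27 to 31, 33 to 34 and 45 to 48) can also be run from an elevated PowerShell prompt on Comsys-ADCS. This is an added example, not part of the original post: it checks the copied RootCA.cer against a known thumbprint before trusting it, then installs the CA certificate and validates the chain. Assumptions: the thumbprint placeholder is replaced with the value read on the root CA itself, the CRL copied into CertData has a .crl extension, and C:\IssuingCA.cer is a scratch file name chosen here.

```powershell
# Added example (not from the original post). Run elevated on Comsys-ADCS.
$expectedThumbprint = '<ROOT-CA-THUMBPRINT>'   # placeholder: read it on the root CA itself
$rootCaFile = 'C:\RootCA.cer'
$certData   = 'C:\inetpub\wwwroot\CertData'

function Test-RootCaFile {
    param([string]$Path, [string]$Thumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $want = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $bc   = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        SelfSigned        = ($cert.Subject -eq $cert.Issuer)
        IsCA              = [bool]($bc -and $bc.CertificateAuthority)
        ThumbprintMatches = ($want.Length -eq 40 -and $cert.Thumbprint -eq $want)
    }
}

# The file was copied over an admin share, so check it before trusting it.
$r = Test-RootCaFile -Path $rootCaFile -Thumbprint $expectedThumbprint
if (-not ($r.SelfSigned -and $r.IsCA -and $r.ThumbprintMatches)) {
    throw "Not trusting ${rootCaFile}: self-signed=$($r.SelfSigned) CA=$($r.IsCA) thumbprint match=$($r.ThumbprintMatches)"
}

# Steps 27 to 31: put the root CA certificate in the machine's Trusted Root store.
Import-Certificate -FilePath $rootCaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Steps 33 and 34: the root CA's CRL must be in CertData (assumed .crl extension).
if (-not (Get-ChildItem -Path $certData -Filter *.crl)) {
    throw "No CRL found in $certData"
}

# Steps 45 to 48: install the issued CA certificate and start the CA service.
certutil -installcert C:\SubCA.p7b
if ($LASTEXITCODE -ne 0) { throw "certutil -installcert failed ($LASTEXITCODE)" }
Start-Service certsvc
if ((Get-Service certsvc).Status -ne 'Running') { throw 'certsvc did not start' }

# Export the running CA's certificate and validate its chain, fetching the
# CDP/AIA URLs. '-ca.cert' is quoted so PowerShell passes it as one argument.
certutil '-ca.cert' C:\IssuingCA.cer
certutil -verify -urlfetch C:\IssuingCA.cer
```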

Source: https://mizitechinfo.wordpress.com/2013/08/31/step-by-step-deploying-an-enterprise-subordinate-ca-in-server-2012-r2-part-2/

Install & Configure Work Folder in Windows Server 2012 R2

More and more of our staff want to use their own devices, such as smartphones and tablets, to access corporate data files while out of the office.

Work Folders in Server 2012 R2 / Windows 8.1 allows our users to store and access work files from anywhere while complying with corporate policies.

Work Folders use a new synchronization protocol to synchronize corporate data to user devices from a centralized, on-premises server.

The corporate organization still maintains control of the data by implementing policies such as encryption.

Work Folders is a new role service of the File and Storage Services role and is available only in Windows Server 2012 R2.

When a user creates or modifies a file in a Work Folders folder on any device or PC, it is replicated automatically to the corporate file server’s sync share via Secure Sockets Layer (SSL) connections on port 443.

The changes in the sync share are then replicated securely to that user’s other devices if those devices also are configured to use Work Folders.

A sync share maps to a physical location on the file server where files are stored.

New folders or existing shared folders can be mapped to sync shares.

For more information, see: http://technet.microsoft.com/en-us/library/dn265974.aspx

Now let's go through, step by step, how you can install & configure Work Folders in Windows Server 2012 R2 & Windows 8.1.

1 – First, we need to install the Work Folders service on our server. For this demo I will be using 2 servers: my domain server (OSI-ADDS01) and the OSI-SVR01 server, which will host my Work Folders service…

On the OSI-SVR01 server, open Server Manager, click Add roles & features, click Next 3 times and then on the Select server roles interface, under File and Storage Services, click Work Folders and then click Next

2 – On the Select features interface, click Next to proceed…

3 – On the Confirmation installation selections interface, click Install

4 – Wait a few seconds until the installation succeeds, then click Close

5 – Open Server Manager, on the right side click File and Storage Services

6 – Click Work Folders, and then click “To create a sync share for Work Folders, start the New Sync Share Wizard“…

7 – On the Before you begin interface, click Next

8 – On the Select the server and path interface, under Server, verify that your server (in my case, OSI-SVR01) is listed with Online status…

Under Location, click Enter a local path: and then type E:\OSI-ITTech2014Report (this will be our new empty Work Folder that will be shared with domain users), and then click Next

9 – Click OK (to create the E:\OSI-ITTech2014Report directory)…

10 – On the Specify the structure for user folders interface, click User alias and then click Next

11 – On the Enter the sync share name interface, just click Next

12 – On the Grant sync access to group interface, click Add and then in the Enter the object name to select box, type Domain Users and then click OK and click Next to proceed… (for this demo, I allow all my domain users to use Work Folders to sync to my OSI-SVR01 server…)

13 – On the Specify device policies interface, click Next

14 – On the Confirm selections interface, click Create

15 – On the View results interface, verify that the sync share was created successfully and then click Close

16 – Next, switch to the domain server, OSI-ADDS01. What we are going to do now is automate the settings for our domain users by using Group Policy.

On the OSI-ADDS01 server, open Server Manager, click Tools and then click Group Policy Management

17 – In the Group Policy Management Console interface, go to Forest:osi.local\Domains\osi.local, right-click osi.local and then click Create a GPO in this domain, and Link it here

18 – In the New GPO dialog box, type OSI Work Folder Policy, and then click OK…

19 – Right-click the OSI Work Folder Policy GPO, and then click Edit

20 – In the Group Policy Management Editor interface, go to User Configuration\Policies\Administrative Templates\Windows Components\Work Folders, then double click Work Folders

21 – In the details pane, double-click Specify Work Folders settings

22 – On the Specify Work Folders settings interface, click Enabled, and then in Work Folders URL, type http://osi-svr01.osi.local, click Force automatic setup, and then click OK

23 – Close all open windows, open command prompt and then type gpupdate /force

24 – Now let's log in to the client PC so that we can try the Work Folders function. On the OSI-Win8.1x64 PC, I log in as sten…

25 – On the Windows 8.1 PC, open Control Panel, and verify that you have Work Folders

26 – For the purpose of lab testing, I will allow my Windows 8.1 client to run over an unsecured connection. Before we start testing the Work Folders function, open CMD and type:

Reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders /v AllowUnsecureConnection /t REG_DWORD /d 1

** By default, the client always connects to the server using SSL, which requires the server to have an SSL certificate installed and configured.

27 – Now open Work Folders. You may get an error stating “Sync stopped. A problem occurred. The data transferred isn’t in the proper format…”

28 – To solve this problem, you need to update your Windows Server 2012 R2 & Windows 8.1, or you can download the standalone General Availability Roll up (A) patches from microsoft.com…

29 – After you finish installing the General Availability Roll up (A) patches, everything should work fine…

30 – Still on the Windows 8.1 client PC, open This PC in File Explorer and then open Work Folders…

31 – To simulate the Work Folders sync function, create a few folders & files…

32 – Next, switch to the OSI-SVR01 server, open the E: drive and browse to the domain users' work folder; you will notice that the synchronization was successful…
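
Step 26 sets AllowUnsecureConnection for lab testing only, so the value should not be left behind on machines that leave the lab. The following added example (not part of the original post) reports, and optionally removes, that registry value on a list of clients. Assumptions: PowerShell remoting is enabled on the clients, the account used is a local administrator there, and CLIENT01 and CLIENT02 are hypothetical computer names.

```powershell
# Added example (not from the original post): find the lab-only override from
# step 26 on a set of clients and, with -Remove, delete it.
$check = {
    param([bool]$Remove)
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders'
    $name  = 'AllowUnsecureConnection'
    $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$name } else { $null }
    $removed = $false
    if ($Remove -and $null -ne $value) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
        $removed = $true
    }
    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        AllowUnsecureConnection = $value            # $null means the value is absent
        Insecure                = ($value -eq 1)    # 1 is what step 26 writes
        Removed                 = $removed
        Error                   = $null
    }
}

function Get-WorkFoldersInsecureClient {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Remove
    )
    foreach ($c in $ComputerName) {
        try {
            Invoke-Command -ComputerName $c -ScriptBlock $check `
                -ArgumentList $Remove.IsPresent -ErrorAction Stop
        } catch {
            # An unreachable client is reported, not silently skipped.
            [pscustomobject]@{
                Computer = $c; AllowUnsecureConnection = $null
                Insecure = $null; Removed = $false; Error = $_.Exception.Message
            }
        }
    }
}

# Report only (hypothetical computer names):
Get-WorkFoldersInsecureClient -ComputerName 'CLIENT01', 'CLIENT02' |
    Format-Table Computer, AllowUnsecureConnection, Insecure, Removed, Error -AutoSize
# Report and remove the override:
# Get-WorkFoldersInsecureClient -ComputerName 'CLIENT01' -Remove
```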

Source: https://mizitechinfo.wordpress.com/2014/08/08/ste-by-step-install-configure-work-folder-in-windows-server-2012-r2/