Monday, September 30, 2013

Windows Server 2012 - DHCP - Part 1 - installation of the role (command line)


DHCP


First, a brief review before examining DHCP in Windows 2012...



DHCP (Dynamic Host Configuration Protocol) allocates IP addresses to client machines (desktops, laptops, hand-held devices, even printers) so manual configuration is not necessary. This is an obvious advantage when hundreds or even thousands of devices require an IP address or a change in IP settings.

 
Let's imagine that the IP address of the DNS server(s) or default gateway changes. Without DHCP, this change would have to be manually adjusted on a multitude of clients (or scripted in some way).
 
DHCP clients initiate contact with the DHCP server by broadcast, using their MAC address. The process follows four steps that one can remember as "DORA".


  • Discover - the client attempts to discover a DHCP server.
  • Offer - the DHCP server offers (from a pool of addresses) an available IP address to the client.
  • Request - the client requests the IP address in question.
  • Acknowledgement - the server sends a packet with configuration information to the client.


DHCP in Windows 2012


Much more can be said about DHCP in general but let's concentrate on DHCP on Windows 2012 and in particular, how it can be configured at the command line.
 
The "traditional" command-line tool for DHCP was netsh.
 
With Windows 2012, we can configure DHCP with PowerShell.
 
I will use PowerShell for the most part but use some netsh for purposes of comparison.
 
 
I will also use some screenshots to illustrate the results obtained with the command-line cmdlets.



Installation of the DHCP role


We first need to install the DHCP role. In Windows 2008/R2, this was accomplished - at the command line - with the servermanagercmd commands (or the ocsetup commands in Server Core).

These commands are deprecated and unavailable in Windows 2012.

So... we will use the Add-WindowsFeature cmdlet (or Install-WindowsFeature).


First, let's see if the role is installed already:

Get-WindowsFeature

Display Name      Name    Install State
------------      ----    -------------
[...]
[ ] DHCP Server   DHCP    Available



Conclusion: The DHCP role is not installed but the binaries are available for installation.

Let's install the role. The cmdlet is very simple (too simple?):

Add-WindowsFeature DHCP

But here, I forgot something...

When I open the GUI to verify the results... I cannot find "DHCP" among the "Tools" in Server Manager.

The solution? We need to execute this command:


Add-WindowsFeature DHCP -IncludeManagementTools

 

Now we can configure DHCP...


At some point, we will need to:

  1. Authorize the DHCP server (unless it is also a domain controller in which case this step is - supposedly - not necessary).
  2. Activate the scope(s).

We cannot activate the scopes until we have created them but we can authorize the DHCP server.

Currently no servers are authorized, as shown first by the PowerShell cmdlet and then by the netsh command:


PS C:\> Get-DhcpServerInDC

PS C:\>

PS C:\> netsh dhcp show server

0 Servers were found in the directory service:


This is what we would see in the GUI:

The netsh authorization command does not seem to take effect in Windows 2012: it reports success, but the server is still not listed:

PS C:\> netsh dhcp server 10.1.1.10 initiate auth

Command completed successfully.

Yet...

PS C:\> netsh dhcp show server

0 Servers were found in the directory service:


Note: the GUI still shows the "Authorize" option meaning, logically, that the DHCP server is not authorized.


The PS cmdlet seems to work, as verified below:

PS C:\> Add-DhcpServerInDC


PS C:\> Get-DhcpServerInDC

IPAddress   DnsName
---------   -------
10.1.1.10   dc-001.machlinkit.biz


PS C:\> netsh dhcp show server

1 Servers were found in the directory service:

Server [dc-001.machlinkit.biz] Address [10.1.1.10] Ds location: cn=dc-001.machlinkit.biz


For those that prefer a little more color, the DHCP Manager confirms the changed setting as well:

If the option is to "Unauthorize" the DHCP Server, then logically it is in an authorized state.

Elementary...
  

Although it may not be visible in the command line output or the screenshots, this server is also a domain controller and a DNS server (it was used in a previous post about promoting a server to the domain controller role). Even so, it was not authorized as a DHCP server by default.


At this point, I was about to configure - and activate - a scope. However, I noticed a warning message stating that the DHCP configuration needed to be finished:



The details are here (there is a "Configure DHCP configuration" link not visible in the screenshot):


 
So, it appears that installing the DHCP role at the command line does not create the "DHCP Administrators" Group or the "DHCP Users" group.
 
The existence of these groups is not absolutely necessary, since domain administrators can perform all necessary operations and even some that DHCP administrators cannot.
 
Even so, this might be desirable in scenarios where delegation of roles is an objective.
 
Before configuring scopes and options for the scopes, I want to see if the two groups in question can be created at the command line - and with all the proper attributes. Of course, simply creating two groups with the respective names "DHCP Administrators" and "DHCP Users" would not assign members the proper permissions.
 
If you have that information, please do not hesitate to post a comment!
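The installation and authorization steps above, plus the creation of the two DHCP security groups asked about at the end of the post, as one script. This is an added example, not code from the original post; it assumes an elevated PowerShell session on a domain-joined Windows Server 2012 machine with the DhcpServer module available, and the server name and IP address are taken from the post's output as placeholders.

```powershell
# Added example (not from the original post): install the DHCP role with its
# management tools, authorize the server in Active Directory, verify the
# result, and create the DHCP security groups that Server Manager's
# post-install task refers to.
$DhcpServerName = 'dc-001.machlinkit.biz'   # placeholder, from the post's output
$DhcpServerIp   = '10.1.1.10'               # placeholder, from the post's output

# 1. Install the role only if it is not already present. Without
#    -IncludeManagementTools the DHCP console is not installed, which is the
#    omission described above.
$feature = Get-WindowsFeature -Name DHCP
if ($feature.InstallState -ne 'Installed') {
    Install-WindowsFeature -Name DHCP -IncludeManagementTools
}

# 2. Authorize the server in AD DS. An unauthorized DHCP server on a domain
#    network does not lease addresses; authorization is the control that keeps
#    a rogue server from handing clients a bogus gateway or DNS server.
Add-DhcpServerInDC -DnsName $DhcpServerName -IPAddress $DhcpServerIp

# 3. Verify: the server must now be listed in the directory service
#    (the equivalent of "netsh dhcp show server" in the post).
$authorized = Get-DhcpServerInDC | Where-Object { $_.IPAddress -eq $DhcpServerIp }
if (-not $authorized) {
    throw "DHCP server $DhcpServerName ($DhcpServerIp) is not authorized in AD DS"
}

# 4. Create the local "DHCP Administrators" and "DHCP Users" groups with the
#    permissions the DHCP service expects (a plain New-LocalGroup would not
#    grant them). The service must be restarted before it recognizes them.
Add-DhcpServerSecurityGroup -ComputerName $DhcpServerName
Restart-Service -Name DHCPServer

# 5. Show the authorized servers as a final check.
Get-DhcpServerInDC | Format-Table IPAddress, DnsName -AutoSize
```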

Monday, September 16, 2013

Windows Server 2012 - promotion of a domain controller (command line)

Promotion of a server to domain controller
and creation of a domain


There are all kinds of aspects of Windows 2012 to examine. In this second post on the subject, I want to take a look at the creation of a domain controller.

The process is quite different from previous Windows server versions: dcpromo is no longer used.

Since there are numerous articles on the subject concentrating on the GUI, I want to configure the domain controller strictly from the command line. I'm not the first person to do this either, but I discovered a number of changes that might interest the reader.

I'm using the full installation (versus Server Core) so I can take snapshots of the results but the configuration itself will be 100% command line.

Here is my starting point...

I have installed Windows Server 2012 and have configured nothing else.

I open PowerShell as shown:
 
 

Then I proceed as follows.



1. Configuring the IP address


I discover that the netsh command I use for IP address configuration does not work:


netsh interface ip set address "Local Area Connection" static 10.1.1.10 255.0.0.0 10.1.1.2

Failed to configure the DHCP service. The interface may be disconnected. The system cannot find the file specified.

 
Let's take a look at the interface. I enter the following text in the "run" box: ncpa.cpl

Windows 2012 names the network connection "Ethernet" rather than "Local Area Connection".




Note: if we insist on a command-line only approach, we can obtain the same information like this:


netsh interface ipv4 show interfaces

[...]
 
Name
.........
Loopback Pseudo-Interface 1
Ethernet


In any case, this command works:


netsh interface ipv4 set address "Ethernet" static 10.1.1.10 255.0.0.0 10.1.1.2



We can verify the results with ipconfig:


PS C:\> ipconfig

[...]

  • Link-local IPv6 Address . . . . . : fe80::20a2:f095:4940:cae%12
  • IPv4 Address. . . . . . . . . . . : 10.1.1.10
  • Subnet Mask . . . . . . . . . . . : 255.0.0.0
  • Default Gateway . . . . . . . . . : 10.1.1.2

(Bullets added)




2. Server Name


This command does not work as with past server operating systems:


PS C:\> netdom /renamecomputer %computername% /newname:DC-001

Unable to connect to the computer %computername%

The error code is 53.

The network path was not found.

The command failed to complete successfully.



But this does...


PS C:\> hostname

WIN-11LPCUEATPE

netdom /renamecomputer WIN-11LPCUEATPE /newname:DC-001

This operation will rename the computer WIN-11LPCUEATPE to DC-001.



The shutdown command still works for restart:

shutdown /r



Notes:


 
We cannot join the server to a domain since there is none at this point. Indeed, this server will be the first domain controller.

There is no need to configure DNS before - the AD DS installation process will trigger DNS installation (mandatory for Active Directory).



Let's compare the roles installed before and after.

Get-WindowsFeature | where {$_.InstallState -eq "Installed"}


 
The image is poor but we already have, in particular:

  • .NET Framework 4.5
  • PowerShell 3.0



3. Installing files for Active Directory Domain Services


We must first install the AD DS role:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools


  • Active Directory Domain Services
  • Group Policy Management


Note: DNS will be installed during the promotion of the server to a domain controller.

Note: Install-WindowsFeature is equivalent to (and replaces) the Add-WindowsFeature cmdlet.




4. Promoting the server to a domain controller.


In this case, we are creating our first domain (and first forest) by promoting the server to a domain controller. In other scenarios, the parameters and values may differ. In this case, however, the command is rather simple and requires the following elements:


  • The cmdlet "Install-ADDSForest". Since this is the first forest, we will use this cmdlet.
  • The parameter "-DomainName". The domain (and in this case, forest) must have a name.
  • The parameter "-SafeModeAdministratorPassword".
  • The parameter "-DomainMode".
  • The parameter "-ForestMode".


 
Note: please see the references (end of post) for details on the many other options. Once again, my objective is to explore various aspects of Windows Server 2012 and share my experiences with it, rather than rewrite existing documentation.


PS C:\> Install-ADDSForest -DomainName mydomain.biz -SafeModeAdministratorPassword (read-host -prompt "Password:" -assecurestring) -DomainMode Win2008R2 -ForestMode Win2008R2

Password:: *********


The target server will be configured as a domain controller and restarted when this operation is complete.

Do you want to continue with this operation?

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A



Several messages display...



WARNING: Windows Server 2012 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions. For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).


WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "mydomain.biz". Otherwise, no action is required.


 
Indeed, no action is required. The setup program configures DNS as needed for AD.

ipconfig /all shows that setup designated the new domain controller as its own DNS server by entering the loopback address (both the IPv4 and the IPv6 one):


[... snip]

Link-local IPv6 Address . . . . . : fe80::20a2:f095:4940:cae%12(Preferred)

IPv4 Address. . . . . . . . . . . : 10.1.1.10(Preferred)

Subnet Mask . . . . . . . . . . . : 255.0.0.0

Default Gateway . . . . . . . . . : 10.1.1.2

[... snip]

DNS Servers . . . . . . . . . . . : ::1

127.0.0.1
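The four steps of this post (IP address, server name, AD DS role, promotion) as one script, using the Windows Server 2012 networking and computer cmdlets where the post uses netsh and netdom. This is an added example, not the post's own commands; it assumes an elevated PowerShell session on a fresh, non-domain-joined server, and the interface name, addresses and domain name are the post's values used as placeholders.

```powershell
# Added example (not the original post's code): the post's four steps as a
# re-runnable script. The rename forces a restart, so the script is run once
# before and once after that reboot.
$InterfaceAlias = 'Ethernet'      # Windows 2012 default, not "Local Area Connection"
$IPAddress      = '10.1.1.10'     # placeholders taken from the post
$PrefixLength   = 8               # same as the 255.0.0.0 mask used in the post
$Gateway        = '10.1.1.2'
$NewName        = 'DC-001'
$DomainName     = 'mydomain.biz'

# 1. Static IPv4 address. DHCP is disabled and any existing address removed
#    first, otherwise New-NetIPAddress complains about a conflicting address.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway

# 2. Rename. $env:COMPUTERNAME is the PowerShell equivalent of %computername%
#    (PowerShell does not expand cmd.exe-style variables, so netdom saw the
#    literal string in the post). The restart ends this first run of the script.
if ($env:COMPUTERNAME -ne $NewName) {
    Rename-Computer -NewName $NewName -Restart -Force
    return
}

# 3. Role binaries plus the management tools (ADUC, ADAC, GPMC).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Promote as the first DC of a new forest. The DSRM password is read
#    interactively so it never sits in the script or the command history;
#    -InstallDns makes the DNS installation explicit, -Force skips the prompt.
$dsrm = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString
Install-ADDSForest -DomainName $DomainName -SafeModeAdministratorPassword $dsrm `
    -DomainMode Win2008R2 -ForestMode Win2008R2 -InstallDns -Force

# After the automatic restart, confirm the promotion and that the DC resolves
# its own domain through the loopback DNS server configured by setup:
#   Get-ADDomainController -Identity $NewName
#   Resolve-DnsName -Name $DomainName -Server 127.0.0.1
```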



The results


If we look at "Roles and Server Groups" in Server Manager, we see that "AD DS" and "DNS" have been installed:

As expected, Active Directory Users and Computers is installed, with an interface similar to that in Windows 2008/R2:





And also DNS (with automatic configuration - it was not necessary to specify DNS settings above):






Lastly, Windows 2012 domain controllers include the Active Directory Administrative Center (ADAC), already present in Windows 2008, but now with a new interface:

 

References:


Microsoft Technet guide (Step-by-step):

Step-by-Step Guide for Setting Up Windows Server 2012 Domain Controller


Here is another Technet article with much greater detail:

Install a New Windows Server 2012 Active Directory Forest (Level 200)