Draining sessions from Remote Desktop Session Hosts / Terminal Servers

Maintaining terminal servers (or remote desktop session hosts as they are known now) in today’s world when users require access 24/7 is a challenge. Setting up an RDS farm, with a session broker will give you load balancing and fault tolerance. (I will write more about remote desktop server farms and session brokers in another article)

However notice I say “Fault Tolerance” this doesn’t mean that you can reboot session hosts without affecting users, it just means that your system will tolerate the failure of a session host. The users who were connected to the rebooted (or failed) session host will lose what they were working on and will have to reconnect.

The nature of a session broker is that it will try to distribute sessions evenly across all members of a farm; this is great, apart from when you want to reboot a session host without annoying your users.

There is no “live migration” of RDS sessions, once a user is on a host, that’s where they will stay until they log off. 

So how do you free up a session host to perform maintenance on it? Firstly you will need to plan your work in advance.

You can then use the “chglogon” command to begin “draining” sessions. There are many ways sessions can be drained, but it basically means the session host will stop accepting new connections. Eventually once your users have logged off, they will not be able to establish a new log onto the draining session host, so will establish a new connection on another session host, which mean eventually the session host you are draining will have no users logged into it.

There are four switches for the chglogon command:

/query – this will tell you what mode the session host is currently in

/enable – allows users to establish connections to the session host

/disable – doesn’t allow any new connections, or reconnections to an existing session.

/drain – doesn’t allow any new connections, but does allow users to reconnect to an existing session

/drainuntilrestart – does the same as /drain, but reverts to /enable after a reboot

NOTE: when using the /disable switch, this will prevent you reconnecting to the server via RDP. You need to ensure you have access to the console via another method other than RDP, or use the RD configuration utility from another RDS server to change the setting.

These commands could be utilised to help with automated updates. You could configure RDS1 to automatically install updates on a Saturday at 6PM, then create a scheduled task to run on a Friday at 6AM to run the chglogon /drainuntilrestart command.

This would hopefully mean by Saturday at 6PM there were no users left on RDS1 and it would be safe to automatically reboot after an update installation.

You could then use the same method with RDS2, RDS3 etc, but on different days to ensure 100% uptime of your RDS farm

Using dsget and dsrm to delete users who are a member of a group from active directory.

I use the “DS” set of commands almost daily, they are a very powerful set of tools, which allow the output to be piped between them.

In this example, we are going to use the dsget command, to retrieve a list of users from a security group, then pipe the result into dsrm to delete them.
This can be useful in an educational environment where lots of users leave at once, and hundreds of accounts need removing. Or in the current corprate climate, when an entire department disappears!

Before jumping in at the deep end, I recommend seeing what results you are going to pipe into a dsrm, so run the dsget command on its own.

Dsget group “cn=year13,ou=groups,ou=myschool,dc=domain,dc-suffix –members -expand

This will return the members of a group called “Year13” which is in an OU called “Groups”, which is within an OU called “myschool” which is in the domain domain.suffix.

You are telling the dsget command that it is looking at a group by specifying “group” after dsget. the switches at the end are also important.


-members tells dsget to return the members of the group
-expand returns all members of the group, if this isn’t used it is limited to 100

If you are happy with the results returned, you can pipe the results into DSRM. Piping is just like typing something into a command yourself, only you’re letting the previous command do the work.

To get the pipe character, hold shift and press your backslash key

Dsget group “cn=year13,ou=groups,ou=myschool,dc=domain,dc-suffix –members –expand | dsrm –noprompt

The –noprompt commant prevents dsrm from asking you to confirm before deleting each object. If your deleting a large amount of objects this well worth using (as long as you are confident the results being outputted by dsget are correct)

Error code 0xC004C020 when activating windows

When activating windows using a MAK key, if you receive the error code 0xC004C020 it means you have ran out of activations using that key.

You can login into the Microsoft licensing website to check how many activations you have remaining on your MAK keys, and also find the contact information to get additional keys if required.
https://www.microsoft.com/licensing/servicecenter/

Further information on activation error codes can be found here:

http://support.microsoft.com/kb/938450

Implementing AppLocker – some important steps before you start!

AppLocker is a feature within Windows 7 and Server 2008 R2 which uses rules and properties of files to provide access control for applications.
In an environment where you want to prevent the use of certain applications, or even to deny all applications and only allow the applications you name, AppLocker is the solution for you.

Before you get started, there are some pre requisites which aren’t so obvious. Without configuring the prerequisites detailed in this article, although your be able to configure AppLocker policy’s, and a gpresult will show them as being applied, they will not be.

The first step is to enable AppLocker Rule enforcement. To do this, edit the group policy object which you wish to use to apply the AppLocker policys, and navigate to

Computer Configuration | Policies | Windows Settings | Security Settings | Application Control Policies | Applocker

Select “Configure rule enforcement”

Select all three configured boxes (ensuring that enforce rules is selected from the drop down boxes) and click ok. This now means any policies you put in place will be applied for executable applications, windows installers and scripts.

The next stage is to ensure the “application identity service” is running
This can be done manually on all your workstations, as part of a generic build or via group policy preferences. Group policy is by far the most effective way of doing this so it is detailed here.

Edit the group policy object which you want to use to configure the service, this GPO must apply to all computers you wish to have AppLocker policies applied on

Services can be configured by using Group Policy Preferences, to configure this navigate to:
Computer Configuration | Preferences | Control Panel Settings | Services
Right click ion services and select New | Service

Modify the start-up to be "Automatic" and browse for the service named “Application Identity” ensure the service action is “Start Service” then click ok

Because these are all machine policies, the workstations may need to be rebooted twice for them to take effect.

Essential tools for today’s admins and where to download them

These are the tools i use pretty much every day, so i thought i would share them and where to get them from:
(click on the name to be taken to the download page)

Remote Server Administration Tools

Install these on your Windows 7 Client, within the turn windows features on or off feature in control panel, a new option called "remote server administration tools" will exist. install this to get tools such as Active Directory Users and Computers, Hyper-V Manager etc

Putty

A great SSH, Telnet and console client all in one


Remote Desktop Connection Manager

If you manage a lot of servers via RDP, this tool is a god send. you can add multiple computers to one console, and group them into different roles, you can also right click on an entire group of servers (e.g. Domain Controllers) and log into them all at once. Many clicks are saved!

Notepad ++

Does what it says on the tin. if you edit any kind of code (XML etc) this is essential

ImgBurn

Although Windows 7 has burning features built in, it still lacks some of the required functionality. This tool has a tiny footprint, some great functionality and some cool sound effects!

Installing a System Centre Essentials 2010 agent manually

You may come into a situation where you need to manually install the SCE agent, here is how.

Run setupsce.exe and click on install essentials agent

Specify the FQDN of your SCE server, and the management group name (by default this is SCEServername_mg)

You will also need the update services SSL certificate and the code signing certificate, you can find these on the SCE server in:

C:\program files\system center essentials\certificates

Copy these to the PC you are installing the agent on, and then browse to them in the installer setup window.

Once the agent is successfully installed, it will need to be manually approved in the SCE management console

Launch the SCE management console and select the administration section, then expand device management | pending management

Under pending management, you should see a section called “Manual Agent Install”, simply right click on the computer listed and click approve

Your agent should now check in.

SAN Certificates – a great way to get more for your money

When it comes to SSL certificates, you have two choices, go for a standard SSL certificate for a single domain, or get a wildcard cert for *.yourdomain.com

I’ve always been a fan of wildcard certificates; I believe in the long run these are cheaper as a single certificate will cater for all of your SSL needs; however wildcard certificates come at a price.

When using IIS or ISA/TMG you have the ability to host multiple domains on a single IP address or Web listener using host headers, however this only applies to HTTP traffic. When using SSL only one SSL certificate can be applied to an IP address.

This causes a problem, do you apply lots of different IP addresses to your web server or ISA/TMG server and use a certificate for each domain, or do you buy a wildcard certificate.

In the environment I work in, we are able to get certificates for pennies, but this doesn’t cover wildcard certificates. This means its difficult to justify a wildcard certificate.

However, there is a way! You can create what is known as “Subject Alternative Name” certificates. This is just like a normal certificate, but it is valid for any other domain you specify.

For example, I could request a SAN cert for:

Webmail.yourdomain.com
Portal.yourdomain.com
Crm.yourdomain.com
Anythingelseyouwant.yourdomain.com

To request a SAN cert, open an mmc and add the certificates snap in to it (ensure you select local computer)

Expand Certificates | Personal | Certificates

Right click on certificates and select All Tasks | Advanced Operations | Create custom request

Click next on the first two prompts, then select the web server template and click next.

Click the details button to expand the web server certificate template, and then click properties.

Add the normal subject names such as Organisation and country. Then add as many common names (domains) as you like!

Follow the rest of the wizard until completion; you will then have a CSR to upload to your certificate provider. This certificate will be valid for all of the domains you specified. If you think far enough in the future and specify some domains you think you may need in the future, it will save even more money!

Configuring shibboleth IdP to talk to an Active Directory

For those of you implementing a shibboleth IdP in an Active Directory environment, here is how the login.config and LDAP configuration within attribute-resolver.xml should look
When implementing our IdP I found lots of conflicting information on how it should be setup, we run a Windows Server 2008 R2 forest and domain functional level where all domain controllers are also global catalogues. I can confirm these settings work:

LDAP configuration in attribute-resolver.xml

    <!-- Example LDAP Connector -->
    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://domain.suffix:3268" baseDN="dc=domain,dc=suffix" principal="idpserviceaccount@domain.suffix"
        principalCredential="passwordgoeshere">
        <FilterTemplate>
            <![CDATA[
                (samAccountName=$requestContext.principalName)
            ]]>
        </FilterTemplate>
    </resolver:DataConnector>

LDAP authentication configuration in login.config

// Example LDAP authentication
// See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="domain.suffix"
      base="dc=domain,dc=suffix"
   port="3268"
   userField="sAMAccountName"
      subtreeSearch="true"
   serviceUser="serviceaccount@domain.suffix"
   ServiceCredential="passwordgoeshere";

Shibboleth IdP – Getting the eduPersonScopedAffiliation attribute from Active Directory using security groups

I have implemented a Shibboleth IdP which authenticates users against our Server 2008 R2 forest and domain functional level Active Directory

We are a member of the UK Access Management Federation for Education and Research, which require the following attributes to be available:

eduPersonScopedAffiliation:                      user's organisational affiliation

eduPersonTargetedID:                                persistent user pseudonym for personalisation

eduPersonPrincipalName:                           persistent user id across multiple services

eduPersonEntitlement:                               extensible list of URIs for extra properties

Using the attribute-resolver.xml file, eduPersonPrincipalName is linked to the sAMAccountName attribute in our directory service, and the eduPersonEntitlement is linked to an extension attribute in the directory. eduPersonTargetedID is a computed value using the objectGUID  attribute in our directory and encrypted using a salt.

eduPersonScopedAffiliation is an interesting one. Originally we had planned to link it to another extension attribute in the directory, and reconfigure our management tool to add the staff or student value as well as the member value to the attribute. This worked as long as there was only one entry specified in the extension attribute, as soon as we tried any number of different combinations of staff and member for example, the attribute wasn’t released.

After extensive research and trying different methods I came up with, I contacted the UK federation service desk. They are really great guys and worked relentlessly to find a solution to our problem. Specifically Sara and Steve (thanks to the both of you!)

We found a script (link below) which will generate the eduPersonScopedAffiliation based on OU. This in most cases would be ideal (specify the students OU and the staff OU) unfortunately our directory structure doesn’t separate staff and students by OU (not my design!) therefore this would not work.

Never the less here is the link

https://spaces.internet2.edu/display/SHIB2/ResolverScriptAttributeDefinitionExamples#ResolverScriptAttributeDefinitionExamples-ex2

What we do have, is a security group for staff, and a security group for students. Steve decided he would use the script as a template and modify it to look at groups instead. Steve made a good start and handed over to Sara when he went on vacation.

We were having problems getting the script to see the group membership, we come across this document which detailed how someone else had setup the eduPersonScopedAffiliation, although it wasn’t what we needed,  it turned out their syntax was pretty useful and Sara go the script working!

http://wiki.rscwmsystems.org.uk/images/1/11/Shibboleth2_IdP_Setup_Win2k.pdf

This script looks for group membership that CONTAINS the specified words. Therefore your security groups only need to contain the words you specify.

The users need to be an explicit member of the group, unfortunately it doesn’t work for nested groups, however the script is pretty simple to expand by copying and pasting, so If you had two groups you wanted to use,  instead of nesting them into one main group, just specify them both in the script.

The first step is to uncomment the eduPersonAffiliation attribute, this will be used as a source attribute for the eduPersonScopedAfailiation attribute and is where the script magic happens. It should be as follows:

 <resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="eduPersonAffiliation">

    <!-- Dependency that provides the source attribute. -->
    <resolver:Dependency ref="myLDAP" />

    <!-- SAML 1 and 2 encoders for the attribute. -->
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                 name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                 name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                               friendlyName="eduPersonAffiliation" />

    <!-- The script, wrapped in a CDATA section so that special XML characters don't need to be removed -->
    <Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

        eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");

        // If the user has group membership
        if (typeof memberOf != "undefined" && memberOf != null ){

            for (i=0; memberOf != null && i < memberOf.getValues().size(); i++) {

                value = memberOf.getValues().get(i).toLowerCase();

                if (value.contains("teachers")) {
                    eduPersonAffiliation.getValues().add("staff");
                    eduPersonAffiliation.getValues().add("member");
                }

                if (value.contains("students")) {
                    eduPersonAffiliation.getValues().add("student");
                    eduPersonAffiliation.getValues().add("member");
                }

            }
        }
    ]]></Script>
</resolver:AttributeDefinition>

You then need to configure eduPersonScopedAffiliation to use eduPersonAffiliation as its source (uncomment it if need be)

<resolver:AttributeDefinition id="eduPersonScopedAffiliation"
  xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
  scope="yourdomain.com" sourceAttributeID="eduPersonAffiliation">

    <resolver:Dependency ref="eduPersonAffiliation" />

    <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />

    <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
      friendlyName="eduPersonScopedAffiliation" />

</resolver:AttributeDefinition>

We then used the UK Federation test SP’s session dumper to see what had been released.

https://sh2testsp1.iay.org.uk/index.html

Using servermanagercmd to automate the installation of common roles and features in Windows Server 2008 (inc R2)

I try to configure as many of the settings on a server via group policy. This not only saves time, but provides 100% consistency and a very simple way of making system wide changes. An example of this is I will configure SNMP settings via group policy.



This is all well and good, but many of the configuration settings are dependent on a “role” or “feature” that may not be installed (such as SNMP) there is no built in way to automatically install roles and features using group policy like there is to configure services, or firewall rules.


This is where servermanagercmd comes in. as you will probably gather this is a command line interface to the server manager GUI.


If you’re deploying a large amount of servers and you want to avoid manually installing a common role or feature, this is very useful, and will save hundreds of clicks!


Within the Active Directory design of the network I support, each server role has its own OU, which is under a generic servers OU. In most cases there is a group policy applied to each OU, so settings specific to a server role can be set.


Because of this, I can use group policy preferences to create a registry entry under the runonce key which will run servermanagercmd with the appropriate switches to install what I want based on the role of the server.


The runonce key is located:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Any REG_SZ string that is created under this key will be run once on startup (hense the name)


I typically install three features on most of the servers I look after, Telnet Client, SNMP Services and Failover clustering, these are the commands I use:

Servermanagercmd –install –telnet-client

Servermanagercmd –install snmp-services –allsubfeatures

Servermanagercmd –install failover-clustering

You will notice on the SNMP string, I have added –allsubfeatures, this installs all the sub features under the feature or role heading you have specified.


More information on the servermanagercmd as well as switches for other roles and features can be found here:


http://technet.microsoft.com/en-us/library/cc748918(WS.10).aspx


Other switches of servermanagercmd worth noting are:


-query this will output the current roles and features installed


-remove this does the opposite of add

Shibboleth IdP not writing logs to the logs directory

I’ve recently been tasked with implementing a Shibboleth IdP for the network I support. The service has been implemented on a Windows Server 2008 R2 server running Tomcat and fronted by Apache and Microsoft Forefront TMG 2010.



I will post more on the implementation of this later, but a quick bit of info to resolve an issue that had me pulling my hair out for most of a day.


Shibboleth has a logs directory within its installation directory, in my setup the shibboleth directory was c:\program files (x86)\shibboleth-idp


I found that the shibboleth logs directory wasn’t filling up with anything. I searched around for hours to discover the cause and eventually found the answer here:


https://spaces.internet2.edu/display/SHIB2/IdPLogging


Basically, the logging mechanism used by shibboleth IdP does not support a path with brackets in it, so on any x64 system by default this would fail.


To resolve that I changed the log paths in the logging.xml file in the shibboleth conf directory to point to c:\shiblogs


After bouncing the tomcat service, logs appeared.

Labelling those NIC’s

Tracing cables in a busy rack is a nightmare. Many people who share my switchport labelling OCD will always label up the port on the switch in a format such as “Link to MyServer01” and this is good. However it seems it’s not such common practise to label up where on the server the connection goes to, and then at the server end, where the connection goes to.


Most server’s today have PCI slots labelled in numerical form, and anyone with common sense will count the NIC’s from left to right. With the huge uptake of virtualisation, servers are now packed with NIC’s, Therefore my plea starts today, let’s start labelling server NIC ports in the same way we label switch ports.


The image below is a screenshot from one of the servers i look after. There are two quad port NIC’s installed in PCI slots one and two. Therefore I have adopted the naming convention “Slot X – NIC X – Link to Switchname giX-X” then on the switch side its reversed, the port is labelled as “link to MyServer01 NIC x\x . Implementing this method of labelling does take a bit of extra time and effort to keep up to date, but it will make yours and others life’s supporting the network so much easier. You can now tell exactly where a link goes from either the server or the switch end. I also add to the server NIC label what the NIC is used for eg “Slot X – NIC X – Link to switchname gix-x – Hyper-V Host Management” it’s a long label but your find it very useful!