Technical

Windows Server 2016 Core: Active Directory Domain Services

To lower my memory footprint in my home lab I decided to move from into Windows Server 2016 Core.  That said running Active Directory Domain Service seems to be the perfect candidate to start with my new architectured lab environment.

There are several prerequisites required for enabling ADDS, but I am not going to get into those here as if your reading this, there is a good chance you already know what those are.

We will be installing what is commonly referred to as a new forest/domain.

Step 1: Validate your hostname, IP address, and DNS settings

  1. Log into the console of your Windows Server 2016 Core System
    You need to log in as an administrator and should arrive at a command prompt
  2. Enter the command Sconfig and press enter
    The Server Configuration tool interface should be displayed
  3. Use the setting options to validate your host’s configuration

 

Step 2:  Installing Domain Services 

  1. From the Windows Server 2016 Core command prompt type: powershell then press enter.
    This will change your shell mode to PowerShell allowing you to use additional commands.
  2. Type Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    This will install the ADDS roles on the Windows Server 2016 Core System
  3. When completed type: Install-ADDSForest -DomainName yourdomain.tld
    Here is where you choose the name of your domain to be installed.
  4. You will be required to provide a recovery password, please enter one and take note of it
  5. Next, you will be asked to confirm the pending changes and allow the server host to be restarted
    Click yes to continue
  6. Your server will be restarted and return as a Domain Controller

 

Step 3: Validate DC Services

  1. From the Windows Server 2016 Core command prompt type: powershell then press enter.
    This will change your shell mode to PowerShell allowing you to use additional commands.
  2. Issue the following command line: Get-Service adws,kdc,netlogon,dns
    This will return details on the installed services 
  3. Issue the command Get-SmbShare
    This returns details about available shares, specifically the systvol and netlogon shares
  4. Use the get-eventlog command to review logs
    Example: get-eventlog “Directory Service” | select entrytype, source, eventid, message

 

Windows Server 2016 Core: Apply Windows Updates, with SCONFIG

In my previous post ‘Windows Server 2016 Core Configuration, with SCONFIG‘ I stepped through how to use the sconfig tool to modify settings on Windows Server 2016 Core.  In this post, I will introduce you to how to go about running Windows Updates and applying them to your server.

Here are the steps I used:

  1. Log into the console of your Windows Server 2016 Core System
    You need to log in as an administrator and should arrive at a command prompt
  2. Enter the command Sconfig and press enter
    The Server Configuration tool interface should be displayed
  3. Select 6 from the Server Configuration List
    This opens the Windows update software, allowing you to search for updatable software
  4. Select from the list of results the software update that you would like to download and install.
    You can choose a single update or update them all
  5. Depending on the update you may be required to reboot your system, select yes to restart

That’s it – Congrats you have updated your Windows Server 2016 Core Server

Windows Server 2016 Core Configuration, with SCONFIG

Windows Server 2016 Core has a built-in configuration tool named Sconfig.  This tool is used to configure and manage several aspects of Server Core installations. This simplifies tasks such as changing settings such as network, remote desktop, hostname and domain memberships, etc.

To use the Server Configuration Tool

  1. Log into the console of your Windows Server 2016 Core System
    You need to log in as an administrator and should arrive at a command prompt
  2. Enter the command Sconfig and press enter
    The Server Configuration tool interface should be displayed

 

Note: You can use Server Configuration Tool in 2016 Server Core and 2016 Server with Desktop Experience installations.

ISP Redundancy Link Interface Cannot Be Created

While setting up ISP Redundancy on a Check Point cluster I ran into an issue preventing me from proceeding with my configuration.  I was eventually able to resolve this and felt that I would share with you and my future self the steps taken.

 

What is ISP Redundancy

ISP Redundancy enables reliable Internet connectivity by allowing a single or clustered Check Point Security Gateway to connect to the Internet via redundant Internet service provider (ISP) connections. If both links are active, connections pass through one link, or both links, depending on the operating mode. If one of the link fails, new connections are handled by the second link.

 

Configuration Steps

  1. Open the network object properties of the Security Gateway or cluster.
  2. Click Other > ISP Redundancy.
  3. Select Support ISP Redundancy.
  4. Select Load Sharing or Primary/Backup.
  5. Configure Links – Primary and Backup Connections
  6. Set tacking mode for Link failure and recovery
  7. Click OK — This is when I encounter my error

 

Error: Check Point SmartDashboard

At least one of your ISP Links lack a next hop IP Address configuration.
Note: next hop IP Address is also used to automatically monitor the ISP Link^s availability.

Error: Check Point SmartDashboard

ISP Redundancy configuration on clusters requires that the interfaces which lead to your ISPs, have the same names as the corresponding physical interfaces on the cluster^s members.

 

Resolution Steps Taken:

Discovered that the the interfaces in the topology tab did not have the same name on the vip (Virtual IP), so I changed to name so that all interfaces were matching.

After introducing the changes to the interface name of the vip, I retried the setup for ISP Redundancy and the issue resolved.

 

Cannot remediate host because it is part of HA Admission Control enabled Cluster

Recently my team and I ran into incident with and error while patching esxi servers using VMware Update Manager(VUM).  When attempting o remediate the following error message was shown:

“cannot remediate host because it is part of HA Admission Control enabled Cluster”

Cause:

vCenter Server uses admission control to ensure that sufficient resources are available in a cluster to provide failover protection and to ensure that virtual machine resource reservations are respected.

Admission control imposes constraints on resource usage and any action that would violate these constraints is not permitted. If an automated process needs to take actions, it might temporarily violate the failover constraints.

 

Solution:

Before patching of the ESXi Servers that are part of the HA Cluster, make sure you have disabled “Admission Control”. Once server has been patched you can re-enable Admission Control on the cluster.

 

Steps to disable Admission Control

  • Right-click the cluster and click Edit Settings.
  • Under Cluster Features, click VMware HA.
  • Under Admission Control, select Disable: Power on VMs that violate availability constraints.
  • Click OK

This can also be disabled in the VMware Update Manager remediation wizard. When you remediate check the option “Disable High Availability admission control if it is enabled for any of the selected clusters.