Microsoft Windows Server 2000
Microsoft Windows Server 2003 (R2)
Setup IAS Radius Server for 802.1x Auth
Great Article with Step by Step:
Install Radius Server
- open "Add remove programs" from your control panel
- select "Add remove windows components".
- scroll down to "Network Services" highlight it and hit the "Details" button.
- scroll down and just check off "Internet Authentication Service"
Add Clients
- launch IAS from your Administrative Tools either from the control panel or from the start menu
- right click on "RADIUS Clients" and select "New RADIUS Client"
- set the RADIUS type* and the RADIUS shared secret**.
*The RADIUS type is almost always "RADIUS Standard". Cisco devices are the exception: you must select "Cisco" in the "Client-Vendor" field if you want your Cisco devices to work. There are exceptions even within Cisco, such as the Cisco wireless switches that came from the Airespace acquisition in 2005; Airespace wireless switches use "RADIUS Standard" like everyone else in the industry.
**The "shared secret" is the secret shared between the RADIUS server and the access device. Make it at least 10 characters of random numbers and letters. Avoid spaces and special characters, since some devices and software handle them inconsistently and you'll have a rough time troubleshooting.
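Added example (not from the original page): a small PowerShell script that generates a shared secret following the note above (random letters and digits only, no spaces or special characters, at least 10 characters) from the OS cryptographic RNG rather than Get-Random, plus a check you can run against a secret someone hands you. Function names are my own.

```powershell
# Added example: generate and validate a RADIUS shared secret per the note above.
# Letters and digits only, drawn from the cryptographic RNG with rejection
# sampling so every character is equally likely (no modulo bias).
function New-RadiusSharedSecret {
    param([int]$Length = 16)   # 10 is the minimum suggested above; longer costs nothing

    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    # 256 is not a multiple of 62; bytes at or above 248 are discarded
    $limit    = 256 - (256 % $alphabet.Length)
    $chars    = New-Object char[] $Length
    $buffer   = New-Object byte[] 1
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) {
            $chars[$i] = $alphabet[$buffer[0] % $alphabet.Length]
            $i++
        }
    }
    -join $chars
}

function Test-RadiusSharedSecret {
    # $true only if the secret meets the length and character rules above
    param([string]$Secret)
    ($Secret.Length -ge 10) -and ($Secret -cmatch '^[A-Za-z0-9]+$')
}

$secret = New-RadiusSharedSecret -Length 20
Write-Host "Secret: $secret  (valid: $(Test-RadiusSharedSecret $secret))"
```

The same secret must be typed into the RADIUS client entry in IAS and into the access device; paste it from the console rather than retyping it, since a mismatch only shows up as failed authentications.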
Add Remote Policies
- right click on "Remote Access Policies" and click "New Remote Access Policy"
- Give your policy a name and use the wizard. Hit "Next"
- Choose "Wireless" and hit "Next"
- Here you'll need to grant access to your users and computers. Hit "Add"
- Choose the domain you're trying to authenticate to and hit "Ok"
- Type "Domain Users" and "Domain Computers"* and separate them with a semicolon.
- Then click on "Check Names" to force it to underline and validate your entries
*"Domain Computers" is what authenticates the computer itself ("machine authentication"), which connects the wireless PC before the user even logs in. This is a very useful and unique benefit of the Windows Wireless Client, since it emulates the full wired experience for wireless users.
How to reserve a range of ephemeral ports
Reference Links:
- DNS Server security update 953230 (MS08-037) - Binding known ports
- How to reserve a range of ephemeral ports
- Start Registry Editor (Regedit.exe).
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- On the Edit menu, point to New, and then click Multi-string Value.
- Right-click the new value, click Rename, type ReservedPorts, and then press ENTER.
- Double-click the ReservedPorts value, type the range of ports that you want to reserve, and then click OK.
- Note: You must type the range of ports in the following format:
xxxx-yyyy
- To specify a single port, use the same value for x and y. For example, to specify port 4000, type 4000-4000.
- Warning: If you list contiguous ports as separate entries instead of as one range, and one of those ports is reserved but not used, the next port is not correctly reserved and is used.
- Click OK.
- Quit Registry Editor
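Added example (not from the original page): a PowerShell script that writes the ReservedPorts value described above. It checks that each entry is in the xxxx-yyyy form, merges adjacent or overlapping ranges into one entry so the warning about separately listed contiguous ports cannot apply, and only touches the registry when run with -Apply. The sample ranges are constructed; the function names are my own.

```powershell
# Added example: set Tcpip\Parameters\ReservedPorts safely.
# Dry run by default; -Apply writes the REG_MULTI_SZ value.
param(
    [string[]]$Ranges = @('4000-4000', '4001-4010', '4011-4020', '5000-5010'),  # constructed sample
    [switch]$Apply
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function ConvertTo-PortRange {
    # Enforce the xxxx-yyyy format and a sane numeric range.
    param([string]$Text)
    if ($Text -notmatch '^(\d{1,5})-(\d{1,5})$') {
        throw "Entry '$Text' is not in the required xxxx-yyyy format"
    }
    $low = [int]$Matches[1]; $high = [int]$Matches[2]
    if ($low -lt 1 -or $high -gt 65535 -or $low -gt $high) {
        throw "Entry '$Text' is outside 1-65535 or has its ends reversed"
    }
    New-Object PSObject -Property @{ Low = $low; High = $high }
}

function Merge-PortRanges {
    # Sort by start port and fold adjacent/overlapping ranges into one entry,
    # so contiguous ports are never written as separate items.
    param([object[]]$Parsed)
    $merged = @()
    foreach ($r in ($Parsed | Sort-Object Low)) {
        $last = if ($merged.Count -gt 0) { $merged[$merged.Count - 1] } else { $null }
        if ($null -ne $last -and $r.Low -le ($last.High + 1)) {
            if ($r.High -gt $last.High) { $last.High = $r.High }   # extend the previous entry
        } else {
            $merged += New-Object PSObject -Property @{ Low = $r.Low; High = $r.High }
        }
    }
    foreach ($m in $merged) { '{0}-{1}' -f $m.Low, $m.High }
}

$entries = [string[]]@(Merge-PortRanges ($Ranges | ForEach-Object { ConvertTo-PortRange $_ }))
Write-Host "ReservedPorts entries:`n  $($entries -join "`n  ")"
# the constructed sample above collapses to 4000-4020 and 5000-5010

if ($Apply) {
    # This replaces any existing list, so pass the old entries in -Ranges too if they must survive.
    New-ItemProperty -Path $KeyPath -Name ReservedPorts -PropertyType MultiString -Value $entries -Force | Out-Null
    (Get-ItemProperty -Path $KeyPath -Name ReservedPorts).ReservedPorts
}
```

Run it once without -Apply to see what would be written, then with -Apply from an elevated prompt. On Server 2008 and later, `netsh interface ipv4 show excludedportrange protocol=tcp` is a quick way to cross-check which ranges the stack is keeping out of the ephemeral pool.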
Microsoft Windows Server 2008 (R2)
Setting up FTP Server
- MS FTP 7.0, 530-User cannot log in, home directory inaccessible
In IIS Manager, click the FTP site and open "FTP Authorization Rules". In the right panel, select "Add Allow Rule...". The key is that you have to click "Specified users" halfway down the dialog, add the specific user name, allow Read and Write, and then apply. Once you do this, the user can log in. Allowing access to "All users" would do the trick too.
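Added example (not from the original page): the same allow rule added from PowerShell with the IIS WebAdministration module (shipped with IIS 7.5 on Server 2008 R2; on IIS 7.0 it is a snap-in loaded with Add-PSSnapin WebAdministration), followed by a read-back of the rules. The site name and user name are placeholders, and the function names are my own. Granting the named account rather than "All users" keeps the rule to the accounts that actually need the share.

```powershell
# Added example: FTP authorization rule for one named user, scripted.
Import-Module WebAdministration

$SiteName = 'FTP Site'   # placeholder: your FTP site's name in IIS Manager
$UserName = 'ftpuser'    # placeholder: the account currently getting 530

function Add-FtpAllowRule {
    # Equivalent of "Add Allow Rule..." -> "Specified users" with Read/Write.
    param([string]$Site, [string]$User, [string]$Permissions = 'Read,Write')
    Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' `
        -PSPath 'IIS:\' -Location $Site `
        -Value @{ accessType = 'Allow'; users = $User; roles = ''; permissions = $Permissions }
}

function Get-FtpAuthorizationRules {
    # List every rule on the site so the new one can be checked.
    param([string]$Site)
    Get-WebConfiguration -Filter '/system.ftpServer/security/authorization/add' `
        -PSPath 'IIS:\' -Location $Site |
        Select-Object accessType, users, roles, permissions
}

Add-FtpAllowRule -Site $SiteName -User $UserName
Get-FtpAuthorizationRules -Site $SiteName
```

If the user still receives 530 after the rule exists, the remaining causes are outside authorization: the account's NTFS permissions on the physical home directory, or the user isolation mode of the site, which expects a per-user folder to exist.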
Notes
Self Signing Certificates from CLI
Sign a certificate
To sign a certificate using Active Directory Certificate Services, it's recommended to use the standard Certreq.exe command-line tool:
- Open an elevated command prompt with domain administrative permissions.
- Execute the following command line:
certreq -submit -attrib "CertificateTemplate: WebServer" visualsvn.req visualsvn.cer
- Choose the appropriate Certification Authority in the dialog box and press the OK button.
- If you have domain administrator access permissions, the issued certificate will be saved in a file named visualsvn.cer.
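Added example (not from the original page): the full certreq.exe round trip around the single -submit step above: write a request .inf, generate the key pair and request, submit it against the WebServer template, and accept the issued certificate into the local machine store. The hostname, file names and template name are placeholders; the .inf keys are standard certreq request settings.

```powershell
# Added example: request -> submit -> accept with certreq.exe.
$Hostname = 'svn.example.com'   # placeholder: the server's FQDN
$Template = 'WebServer'         # placeholder: CA template the request is made against
$Base     = Join-Path $env:TEMP 'visualsvn'

# 2048-bit RSA key in the machine store, non-exportable, signature + key encipherment,
# with a DNS subject alternative name matching the subject.
$inf = @"
[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
"@
Set-Content -Path "$Base.inf" -Value $inf -Encoding ASCII

function Invoke-CertReq {
    # Run certreq and fail loudly; each step depends on the previous one.
    param([string[]]$Arguments)
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

# 1. create the key pair and PKCS#10 request from the .inf
Invoke-CertReq @('-new', "$Base.inf", "$Base.req")
# 2. submit to the CA (the CA picker dialog appears unless -config "CAHost\CAName" is added)
Invoke-CertReq @('-submit', '-attrib', "CertificateTemplate:$Template", "$Base.req", "$Base.cer")
# 3. bind the issued certificate to its private key in the machine store
Invoke-CertReq @('-accept', "$Base.cer")

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Hostname" } |
    Select-Object Subject, NotAfter, Thumbprint
```

Run from an elevated prompt with an account allowed to enroll on the template; if the CA is configured to require manager approval the -submit step returns a pending request ID instead of a certificate, and -retrieve with that ID fetches it once approved.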
Microsoft Update Catalog
http://go.microsoft.com/fwlink/?LinkID=66676
To remove protection that prevents an OU from accidental deletion
- Log on to the computer as a member of the Domain Admins group.
- Open Active Directory Users and Computers.
- Click View, and then click Advanced Features.
- First, clear permissions on the OU for which you want to remove protection. To do this, right-click the OU, and then click Properties.
- In OU Properties, click the Security tab, and then click Advanced.
- In Permission Entries, select the Deny entry for the Everyone group, and then click Remove.
- Click OK to close the Advanced Security Settings, and then click OK to close OU Properties.
- Second, clear permissions on the parent container of the OU for which you want to remove protection. To do this, right-click the parent container, and then click Properties.
- In Container Properties, click the Security tab.
- In Group or user names, select the Everyone group, clear the Deny check box for Delete All Child Objects, and then click OK to close Container Properties.
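Added example (not from the original page): the same result through the Active Directory module (Server 2008 R2 and later), which toggles the ProtectedFromAccidentalDeletion property instead of editing the Deny entries by hand, plus a listing of which OUs are still protected so the change can be audited. The OU distinguished name is a placeholder; the function names are my own.

```powershell
# Added example: remove (and audit) accidental-deletion protection on an OU.
Import-Module ActiveDirectory

function Get-ProtectedOU {
    # Every OU that still carries the protection flag.
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

function Unprotect-OU {
    # Supports -WhatIf so the target can be confirmed before anything changes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Remove accidental-deletion protection')) {
        Set-ADOrganizationalUnit -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $false
    }
}

$TargetOU = 'OU=Staging,DC=example,DC=com'   # placeholder

Get-ProtectedOU | Format-Table -AutoSize
Unprotect-OU -DistinguishedName $TargetOU -WhatIf
Unprotect-OU -DistinguishedName $TargetOU
Get-ADOrganizationalUnit -Identity $TargetOU -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, ProtectedFromAccidentalDeletion
```

Once the move or deletion that needed the protection off is done, put it back with the same cmdlet and `-ProtectedFromAccidentalDeletion $true`; the flag exists precisely because a mis-click in the GUI otherwise deletes a whole subtree.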
How to delay loading of specific services
Reference link: Article ID: 193888 - Last Review: July 2, 2010 - Revision: 3.0
The Registry subkeys for services are located in the following path and can control how services are loaded.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Service name>
To create a new dependency, select the subkey representing the service you want to delay, click Edit, and then click Add Value. Create a new value name "DependOnService" (without the quotation marks) with a data type of REG_MULTI_SZ, and then click OK. When the Data dialog box appears, type the name or names of the services that you prefer to start before this service with one entry for each line, and then click OK.
The name of the service you would enter in the Data dialog box is the exact name of the service as it appears in the registry under the Services key.
When the computer starts, it uses this entry to verify that the service or services listed in this value are started before attempting to start the dependent service.
- For example, you may want to ensure that your Server service loads before the Windows Internet Name Service (WINS). If you select the WINS key in the registry, you will notice that the DependOnService value already exists in the WINS key. In a default installation, WINS is already dependent on both RPCSS (Remote Procedure Call) and NTLMSSP (Windows NT LanMan Security Support Provider). To add the Server service to this list, double-click the DependOnService value. In the Multi-String Editor, on the line below NTLMSSP, add the entry "LANMANSERVER" (without quotation marks), and then click OK.
In addition, Windows 2000 and Windows 2003 Active Directory needs to find and use the DNS Server service. The Netlogon service can be delayed to ensure that the DNS Server service is up and running for Dynamic DNS registration and for querying existing Active Directory domain controllers in the DNS server database. Edit the DependOnService value under the Netlogon key and add DNS to the existing list of LanmanWorkstation and LanmanServer. This delays Netlogon from starting until the DNS Server service on that same computer is started and ready.
- Note: Only delay the Netlogon service for DNS on a Windows 2000 or Windows 2003 server when the DNS service is on that same Windows 2000 or Windows 2003-based server.
- Note: Entries in this field are NOT case-sensitive.
- Warning: Adding this entry manually may prevent the system from starting properly if you establish a "circular dependency." In its simplest form, such a problem occurs when you make two services dependent on each other. Neither service would be able to start, as each would require the other to be started first.
- Note: If you have a service that needs to start late in the boot cycle but you do not have a specific service dependency, as explained above, then choose one of the services that starts last as the data value for DependOnService. Services commonly selected are Spooler and Messenger.
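Added example (not from the original page): a PowerShell script that appends a service to another service's DependOnService list and refuses the change when it would create the circular dependency the warning above describes. It walks the existing DependOnService chains in the registry, compares service names case-insensitively as the note says, and supports -WhatIf. The Netlogon -> DNS pair is the one from the text; the function names are my own.

```powershell
# Added example: add a DependOnService entry with a circular-dependency check.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceDependencies {
    # Current DependOnService list for a service (registry key name, not display name).
    param([string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $ServicesKey $Name) -Name DependOnService -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    @($item.DependOnService | Where-Object { $_ -ne '' })
}

function Test-WouldCreateCycle {
    # Starting from $Dependency, does any dependency chain lead back to $Dependent?
    param([string]$Dependent, [string]$Dependency)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
    $stack = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push($Dependency)
    while ($stack.Count -gt 0) {
        $current = $stack.Pop()
        if ($current -ieq $Dependent) { return $true }
        if (-not $seen.Add($current)) { continue }      # already explored
        foreach ($next in (Get-ServiceDependencies -Name $current)) { $stack.Push($next) }
    }
    return $false
}

function Add-ServiceDependency {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Dependent, [string]$Dependency)
    if (-not (Test-Path (Join-Path $ServicesKey $Dependency))) {
        throw "No service named '$Dependency' exists under $ServicesKey"
    }
    if (Test-WouldCreateCycle -Dependent $Dependent -Dependency $Dependency) {
        throw "Refusing: '$Dependent' -> '$Dependency' would form a circular dependency"
    }
    $current = Get-ServiceDependencies -Name $Dependent
    if ($current -icontains $Dependency) {
        Write-Host "'$Dependent' already depends on '$Dependency'"
        return
    }
    $updated = [string[]](@($current) + $Dependency)
    if ($PSCmdlet.ShouldProcess($Dependent, "Set DependOnService = $($updated -join ', ')")) {
        Set-ItemProperty -Path (Join-Path $ServicesKey $Dependent) -Name DependOnService -Value $updated -Type MultiString
    }
}

Add-ServiceDependency -Dependent 'Netlogon' -Dependency 'DNS' -WhatIf
```

The supported alternative to editing the registry is `sc.exe config Netlogon depend= LanmanWorkstation/LanmanServer/DNS`; note that it replaces the whole list rather than appending, which is why the script above reads the existing entries first.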
How to restart services that require a restart otherwise
Reference link: Restarting Terminal Services Without Reboot
- Use the DRAC (or another out-of-band method) to get console access to the server
- go to http://live.sysinternals.com and download procexp.exe
- open Process Explorer
- open the "View" menu, click "Select Columns" and choose "Command Line"
- sort by "Process" and look for "svchost.exe". If you expand the "Command Line" column, you will see a line "svchost.exe -k termsvcs"
- End this "svchost.exe" process by right-clicking it and choosing "Kill Process".
- Now you can just go to "services.msc" and restart Terminal Services!
Note: on 2008 you will have to start procexp.exe with "Administrator rights" in order to kill processes.
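Added example (not from the original page): the same procedure scripted in PowerShell. It locates the svchost.exe hosting Terminal Services (service name TermService), lists every other service sharing that process (they are killed along with it, which is the thing to check before pulling the trigger), and only with -Force kills the process and starts the service again. It uses WMI so it runs on both 2003 and 2008; on 2008 run it elevated, as the note above says. The function name is my own.

```powershell
# Added example: restart TermService by killing its host svchost, with a
# preview of what else dies with it.
param([string]$ServiceName = 'TermService', [switch]$Force)

function Get-ServiceHostInfo {
    # Host process, its command line, and the other services sharing it.
    param([string]$Name)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) { throw "Service '$Name' not found" }
    if ($svc.ProcessId -eq 0) { throw "Service '$Name' is not running (no host process)" }
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
    $siblings = @(Get-WmiObject Win32_Service -Filter "ProcessId=$($svc.ProcessId) AND Name<>'$Name'" |
        ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        ProcessId   = $svc.ProcessId
        CommandLine = $proc.CommandLine      # e.g. "svchost.exe -k termsvcs" on 2003
        Siblings    = $siblings
    }
}

$info = Get-ServiceHostInfo -Name $ServiceName
Write-Host "PID $($info.ProcessId): $($info.CommandLine)"
if ($info.Siblings.Count -gt 0) {
    Write-Host "Also hosted in this process (will be killed too): $($info.Siblings -join ', ')"
}
if (-not $Force) {
    Write-Host "Re-run with -Force to kill PID $($info.ProcessId) and restart $ServiceName"
    return
}

Stop-Process -Id $info.ProcessId -Force
Start-Sleep -Seconds 5                  # let the SCM notice the host process is gone
Start-Service -Name $ServiceName
foreach ($s in $info.Siblings) { Start-Service -Name $s -ErrorAction Continue }
Get-Service -Name $ServiceName | Select-Object Name, Status
```

On 2008 the Terminal Services service usually shares its svchost with other services, so the sibling list is rarely empty there; the script restarts those too, but any sessions or work they were holding are still lost, which is why this stays a console-access procedure rather than something to run over the RDP session it is about to kill.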