Archive for January, 2017

NIC Teaming, also known as load balancing and failover (LBFO), allows multiple network adapters on a computer to be placed into a team for the following purposes:

  • Bandwidth aggregation
  • Traffic failover to prevent connectivity loss in the event of a network component failure

In this example we’ll create a virtual switch, add a network adapter connected to it to a VM, and enable NIC teaming on that adapter:

On the Hyper-V console click Virtual Switch Manager.

Click Create Virtual Switch.

Choose the switch type:

External: gives virtual machines access to a physical network to communicate with servers and clients on an external network; it also allows communication between Hyper-V VMs on the same Hyper-V server.

Internal: allows communication between virtual machines on the same Hyper-V server, and between the virtual machines and the management host operating system.

Private: only allows communication between virtual machines on the same Hyper-V server.

Then click Create Virtual Switch.

Choose the physical adapter, click Apply and then OK.

Now that we have bound a network adapter to the Hyper-V switch, let’s add a network adapter to the VM.

Right-click the VM-Settings.

Add Hardware-Network Adapter-Add.

Specify the Virtual Switch-Apply-OK.

Select the adapter-Advanced Features-Enable this network adapter to be part of a team in the guest operating system.

Powershell:

Creating new Switch:

New-VMSwitch -Name External -NetAdapterName 'ethernet'

Adding New Network adapter to VM:

get-vm -VMName dc | Add-VMNetworkAdapter -SwitchName 'external'

Enabling NIC teaming for VM:

Set-VMNetworkAdapter -VMName dc -AllowTeaming on
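
The three commands above enable teaming on one adapter; as an added example (not code from the original post) the script below does the host side for two external switches and then builds the LBFO team inside the guest, which is what that checkbox exists for. It assumes a Windows Server 2016 host with physical NICs named 'ethernet' and 'ethernet 2', a VM named 'dc' whose guest also runs Windows Server 2016 (needed for PowerShell Direct), and placeholder switch and team names.

```powershell
# Added example, not from the original post: guest NIC teaming end to end.
# Placeholders: VM 'dc', physical NICs 'ethernet' / 'ethernet 2', switch names,
# team name 'GuestTeam'. Run on the Hyper-V host as an administrator.
$VMName  = 'dc'
$Uplinks = @{ 'External' = 'ethernet'; 'External2' = 'ethernet 2' }

# --- Host side: one external switch per physical uplink ---------------------
foreach ($sw in $Uplinks.GetEnumerator()) {
    if (-not (Get-VMSwitch -Name $sw.Key -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $sw.Key -NetAdapterName $sw.Value | Out-Null
    }
}

# One vNIC per switch: a team inside the guest only protects against an uplink
# failure if its members sit on different external switches.
foreach ($swName in $Uplinks.Keys) {
    $nic = Get-VMNetworkAdapter -VMName $VMName | Where-Object SwitchName -eq $swName
    if (-not $nic) {
        $nic = Add-VMNetworkAdapter -VMName $VMName -SwitchName $swName `
                                    -Name "Team-$swName" -Passthru
    }
    # PowerShell equivalent of "Enable this network adapter to be part of a team".
    $nic | Set-VMNetworkAdapter -AllowTeaming On
}

# Check the host-side state before touching the guest.
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, SwitchName, AllowTeaming

# --- Guest side (PowerShell Direct): build the LBFO team --------------------
$cred = Get-Credential -Message "Local administrator credentials for $VMName"
Invoke-Command -VMName $VMName -Credential $cred -ScriptBlock {
    $members = Get-NetAdapter -Physical | Select-Object -ExpandProperty Name
    if (-not (Get-NetLbfoTeam -Name 'GuestTeam' -ErrorAction SilentlyContinue)) {
        New-NetLbfoTeam -Name 'GuestTeam' -TeamMembers $members `
                        -TeamingMode SwitchIndependent `
                        -LoadBalancingAlgorithm Dynamic -Confirm:$false | Out-Null
    }
    # Every member should report Active. A Failed member usually means the vNIC
    # was added without AllowTeaming On, or both vNICs share one switch.
    Get-NetLbfoTeamMember -Team 'GuestTeam' |
        Select-Object Name, AdministrativeMode, OperationalStatus
}
```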

In this post we’ll create a VPN server which leverages IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2). With the functionality provided by the IKEv2 Mobility and Multihoming protocol (MOBIKE), this tunneling protocol offers inherent advantages in scenarios where the client moves from one IP network to another (for example, from WLAN to WWAN). For example, this permits a user with an active IKEv2 VPN tunnel to disconnect a laptop from a wired connection, walk down the hall to a conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automatically reconnected with no noticeable interruption to the user.

Installing certificates on the VPN server and VPN client

Creating certificate templates

On the Certification Authority (CA), in the CA console, right-click Certificate Templates-Manage.

Right-click the IPSec template-Duplicate Template.

On the Request Handling tab check Allow private key to be exported.

Click the Extensions tab-Application Policies-Edit.

Remove IP security IKE intermediate,

then click Add and choose Server Authentication.

Click Key Usage-Edit.

Ensure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.

On the Security tab click Object Types-Computers, then add Domain Computers.

Make sure Read, Enroll and Autoenroll are selected.

On the General tab give the template a name.

Now, right-click Certificate Templates-New-Certificate Template to Issue.

Choose the new template.

Enrolling the certificate on the VPN server

On the VPN server: Start-Run-mmc-Add/Remove Snap-in.

Click Certificates-Add-Computer account.

Right-click Personal-All Tasks-Request New Certificate.

Check the new certificate template-Properties.

Click the Subject tab-Subject name-Common name (from the drop-down menu)-enter the FQDN of the VPN server-Add.

Alternative name-choose DNS-enter the FQDN of the VPN server-Add.

The new certificate should be created.

This certificate should be exported and then imported on the client machine.

Exporting the certificate

Right-click the certificate-All Tasks-Export.

Choose to export the private key.

Set a password and specify the file in which the certificate should be saved.

Copy the file to the client computer.

Importing the file on the client machine

This certificate should be imported into Trusted Root Certification Authorities on the client.

Start-Run-mmc-add the Certificates snap-in-Local computer.

Right-click Trusted Root Certification Authorities-All Tasks-Import.

Browse to the copied file and enter the password.


Installing roles

On the server install the Network Policy Server and Remote Access roles.

Open the Routing and Remote Access console-right-click the server icon-Configure and Enable Routing and Remote Access.

Choose Remote access (dial-up or VPN).

Check VPN.

Select the internet-facing interface.

Define the VPN address pool.

We are not using RADIUS; instead we’ll use NPS.

Right-click Remote Access Logging-Launch NPS.

Click Network Access Policies.

Right-click Connections to Microsoft Routing and Remote Access server-Properties.

Check Grant access.

Click Constraints-select Microsoft: Secured password (EAP-MSCHAP v2).

If it’s not selected, add it.


Enabling user VPN access

In Active Directory Users and Computers, right-click the user-Dial-in-Allow access.


Client settings

In the hosts file add an entry for the VPN server (the name must match the one specified in the SSL certificate).

Creating the VPN client connection

Choose Use my Internet connection (VPN).

Choose I’ll set up an Internet connection later.

In Internet address type the VPN server name.

Specify the username and password.

On the Security tab, for Type of VPN select IKEv2; for Data encryption select Require encryption; for Authentication select Microsoft: Secured password (EAP-MSCHAP v2).

We can see that IKEv2 is used and the client got an address from our VPN pool (10.10.10.3).
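
The client-side steps above (hosts entry, imported certificate, IKEv2 with required encryption and EAP-MSCHAP v2) as an added PowerShell example, not code from the original post. It assumes the placeholder server name vpn.test.com and placeholder public address 203.0.113.10, and that the certificate was imported into the machine's Trusted Root store as described.

```powershell
# Added example, not from the original post. Placeholders: vpn.test.com,
# 203.0.113.10 and the connection name. Run on the client as an administrator.
$VpnName    = 'IKEv2 Lab'
$ServerFqdn = 'vpn.test.com'   # must equal the Common name / DNS name in the server certificate
$ServerIp   = '203.0.113.10'   # public address of the RRAS server

function Test-VpnPrerequisites {
    param([string]$Fqdn, [string]$Ip)
    $ok = $true
    # 1. The hosts entry from the "Client settings" step.
    $hosts   = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
    $pattern = '^\s*' + [regex]::Escape($Ip) + '\s+' + [regex]::Escape($Fqdn) + '(\s|$)'
    if (-not ($hosts -match $pattern)) { Write-Warning "hosts file lacks '$Ip $Fqdn'"; $ok = $false }
    # 2. The imported certificate: IKEv2 compares the name we dial with the
    #    certificate's subject/SAN, and RRAS needs the Server Authentication EKU.
    $cert = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.DnsNameList.Unicode -contains $Fqdn -and $_.NotAfter -gt (Get-Date) }
    if (-not $cert) {
        Write-Warning "no unexpired certificate for $Fqdn in Trusted Root Certification Authorities"
        $ok = $false
    } elseif ('1.3.6.1.5.5.7.3.1' -notin $cert.EnhancedKeyUsageList.ObjectId) {
        Write-Warning 'certificate lacks the Server Authentication EKU'
        $ok = $false
    }
    $ok
}

if (-not (Test-VpnPrerequisites -Fqdn $ServerFqdn -Ip $ServerIp)) { throw 'fix the warnings above first' }

# Security tab equivalent: Type of VPN = IKEv2, Data encryption = Require
# encryption, Authentication = Microsoft: Secured password (EAP-MSCHAP v2).
# Assumption: with -AuthenticationMethod Eap and no -EapConfigXmlStream the
# default EAP method is EAP-MSCHAP v2; confirm on the connection's Security tab.
if (Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $VpnName -Force
}
Add-VpnConnection -Name $VpnName -ServerAddress $ServerFqdn -TunnelType IKEv2 `
                  -EncryptionLevel Required -AuthenticationMethod Eap -RememberCredential

# Verify the profile, dial it (rasdial prompts when no credential is saved),
# then show the address handed out from the VPN pool.
Get-VpnConnection -Name $VpnName |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod
rasdial $VpnName
Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4 | Select-Object IPAddress
```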

Nano Server is a remotely administered server operating system optimized for private clouds and datacenters; it has no local logon capability. In a previous post we created a basic Nano Server image without going deep into configuration; in this one we’ll configure a DNS server on Nano Server.

Importing the Nano Server cmdlets

From the Windows Server 2016 installation disk browse to NanoServer\NanoServerImageGenerator, then:

Set-ExecutionPolicy RemoteSigned
Import-Module .\NanoServerImageGenerator.psm1

Create the Nano image (with the DNS package):

New-NanoServerImage -MediaPath d:\ -BasePath C:\nano\ -TargetPath C:\nano\nano_dns.vhdx `
    -Package microsoft-nanoserver-dns-package `
    -InterfaceNameOrIndex ethernet -Ipv4Address 192.168.0.20 -Ipv4SubnetMask 255.255.255.0 `
    -Ipv4Gateway 192.168.0.1 -Ipv4Dns 127.0.0.1 `
    -DeploymentType guest -EnableRemoteManagementPort -Edition Datacenter -MaxSize 10GB `
    -ComputerName nano_dns `
    -AdministratorPassword (ConvertTo-SecureString "Password01" -AsPlainText -Force)

All available packages are in the NanoServer\Packages folder on the Windows Server 2016 installation DVD.

Create the Hyper-V VM and start it:

New-VM -Name 'nano-dns' -MemoryStartupBytes 1gb -VHDPath 'C:\nano\nano_dns.vhdx' -Generation 2 -SwitchName 'new virtual switch'

Start-VM nano-dns

Establish a connection to the Nano Server and enable the DNS role:

Set-Item wsman:\localhost\client\trustedhosts "192.168.0.20"
Enter-PSSession -ComputerName 192.168.0.20 -Credential administrator
Enable-WindowsOptionalFeature -Online -FeatureName dns-server-full-role
Import-Module DnsServer

Creating a forward lookup zone and an A record:

Add-DnsServerPrimaryZone -ZoneName test.com -ZoneFile test.com.dns
Add-DnsServerResourceRecordA -Name www -ZoneName test.com -IPv4Address 192.168.0.21

From a client computer (where the preferred DNS server is set to the Nano Server), test DNS resolution.
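
The resolution test from the client, as an added example (not code from the original post), using the values configured above: server 192.168.0.20, zone test.com, www pointing at 192.168.0.21. Querying the SOA first separates "zone not loaded" from "record missing".

```powershell
# Added example, not from the original post. Run on a client that can reach
# the Nano Server; -Server bypasses the client's own resolver settings.
function Test-NanoDnsZone {
    param(
        [string]$Server = '192.168.0.20',
        [string]$Zone   = 'test.com',
        [hashtable]$Expected = @{ 'www' = '192.168.0.21' }   # name -> expected A record
    )
    $result = @()
    # SOA answers only if the zone is actually loaded on this server.
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $result += [pscustomobject]@{ Check = "SOA $Zone"; Ok = [bool]$soa; Detail = $soa.PrimaryServer }
    foreach ($name in $Expected.Keys) {
        $a = Resolve-DnsName -Name "$name.$Zone" -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'A'
        $result += [pscustomobject]@{
            Check  = "A $name.$Zone"
            Ok     = ($a.IPAddress -contains $Expected[$name])
            Detail = ($a.IPAddress -join ',')
        }
    }
    $result
}

Test-NanoDnsZone | Format-Table -AutoSize
```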

This lab consists of:

Remote Desktop Gateway server (rd-gateway.test.com) – enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

Remote Desktop Web Access server (rd-web.test.com) – enables users to access RemoteApp and Desktop Connection through a web browser.

Remote Desktop Connection Broker server (rd-broker.test.com) – allows users to reconnect to their existing sessions in a load-balanced RD Session Host server farm, evenly distributes the session load among RD Session Host servers in a load-balanced farm, and provides users access to virtual desktops hosted on RD Virtualization Host servers and to RemoteApp programs hosted on RD Session Host servers through RemoteApp and Desktop Connection.

Remote Desktop Session Host server (rd-sh.test.com) – hosts Windows-based programs or the full Windows desktop for Remote Desktop Services clients. Users can connect to an RD Session Host server to run programs, save files, and use network resources on that server.

License server (rd-license.test.com) – provides Remote Desktop Services client access licenses (RDS CALs) for users or computers that connect to the RD Session Host server.

Installing Remote Desktop roles

Add all servers to a server group.

Add Roles-Remote Desktop Services installation.

Standard deployment.

Session-based desktop deployment.

In the RD Connection Broker window choose the RD broker server and click the arrow to add it to the right.

Do the same for the RD Web Access server,

and repeat the procedure for the RD Session Host.

PowerShell alternative:

Import-Module RemoteDesktop
New-SessionDeployment -ConnectionBroker rd-broker.test.com -SessionHost rd-sh.test.com -WebAccessServer rd-web.test.com

Adding the licensing server

After installing, click Server Manager-Remote Desktop Services-Overview.

Select the licensing server.

Or use PowerShell:

Add-RDServer -Server rd-license.test.com -Role RDS-LICENSING -ConnectionBroker rd-broker.test.com

Adding the RD Gateway server

Click RD Gateway and select the gateway server.

With PowerShell:

Add-RDServer -Server 'rd-gateway.test.com' -Role RDS-GATEWAY -ConnectionBroker rd-broker.test.com -GatewayExternalFqdn rd-gateway.test.com

-GatewayExternalFqdn specifies the SSL certificate name (while the RD Gateway server is being added a self-signed SSL certificate will be created).

Configuring the RD deployment

In the Overview window click Tasks-Edit Deployment Properties.

Select the licensing mode.

Creating certificates

I used self-signed SSL certificates; for every server I clicked Create New Certificate.

Specify the certificate name (do the same for all remaining servers).

Transferring the RD Connection Broker database to SQL Server

By default, the RD Connection Broker database is stored in the Windows Internal Database (WID); now we’ll reconfigure our Remote Desktop Services deployment to store it in a SQL Server database.

Create an AD security group and add the RD Broker server to it, then on the RD Broker server (rd-broker.test.com) install the SQL Server 2012 SP1 Native Client (ENU\x64\sqlncli.msi).

On the SQL server expand Security-Logins-New Login.

Select Windows Authentication-Object Types-Group-Locations-your domain, and enter the AD security group to which the RD Connection Broker was added. We have now given the RD Connection Broker login rights on the SQL server.

Create a new empty database

In SQL Server Management Studio click New Query and enter the following query:

use master
go
create database RDP

A database named RDP will be created.

Right-click RD Connection Broker-Configure High Availability.

Choose Dedicated Database Server.

In DNS name specify the DNS name of the RD Connection Broker server.

Connection string: DRIVER=SQL Server Native Client 11.0;SERVER=sql\remote_services;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=RDP

SERVER=sql\remote_services (sql is the server name, remote_services is the SQL instance name created during SQL Server installation).

Folder to store the database (this is the default database location for SQL Server 2014):

C:\Program Files\Microsoft SQL Server\MSSQL12.REMOTE_SERVICES\MSSQL\DATA

After the wizard finishes, the Overview pane shows the result.
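
The Configure High Availability wizard above as an added PowerShell example (not code from the original post), using the connection string, DNS name and database folder from this post. It assumes the RemoteDesktop module is available on the broker, the broker's computer account is in the AD group that got the SQL login, and that -DatabaseFilePath takes the .mdf path (an assumption; the wizard asks for the folder).

```powershell
# Added example, not from the original post. Run on rd-broker.test.com.
Import-Module RemoteDesktop

$Broker  = 'rd-broker.test.com'
$SqlPath = 'C:\Program Files\Microsoft SQL Server\MSSQL12.REMOTE_SERVICES\MSSQL\DATA'

# Same connection string the wizard asks for, built from parts so each value is
# visible: Trusted_Connection=Yes means the broker's computer account logs in
# through the AD group created above, so no password sits in the string.
$connParts = @(
    'DRIVER=SQL Server Native Client 11.0'
    'SERVER=sql\remote_services'
    'Trusted_Connection=Yes'
    'APP=Remote Desktop Services Connection Broker'
    'DATABASE=RDP'
)
$connString = $connParts -join ';'

# Fail early if the ODBC driver named in the string is not installed here.
$driver = Get-OdbcDriver -Name 'SQL Server Native Client 11.0' -ErrorAction SilentlyContinue
if (-not $driver) { throw "SQL Server Native Client 11.0 is not installed on $env:COMPUTERNAME" }

$current = Get-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker
if ($current) {
    Write-Host "Broker is already in HA mode: ClientAccessName=$($current.ClientAccessName)"
} else {
    Set-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker `
        -DatabaseConnectionString $connString `
        -DatabaseFilePath (Join-Path $SqlPath 'RDP.mdf') `
        -ClientAccessName $Broker      # the "DNS name" field of the wizard
}

# Verify: the broker should now report the SQL connection string and the
# client access name that clients will use.
Get-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker |
    Select-Object ClientAccessName, DatabaseConnectionString, DatabaseFilePath, ActiveManagementServer
```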

Creating an RD policy

If this task is performed remotely (not directly on the RD Gateway server) we need to install RSAT:

Install-WindowsFeature RSAT-RDS-Tools -IncludeManagementTools -IncludeAllSubFeature

In Server Manager click Remote Desktop Services-Servers-right-click the RD Gateway server-RD Gateway Manager.

Click Resource Authorization Policies-disable all existing policies.

Click Manage Local Computer Groups.

Create a group.

In Network resources specify the RD Connection Broker server and the RD Session Host server.

Remote clients will now be able to reach the session host server when connecting from outside the network.

Right-click Resource Authorization Policies-Create New Policy-Custom.

In User Groups specify the AD group whose members will be connecting through the RD Gateway.

On the Network Resource tab, select the resource group we just created.

Creating a Remote Desktop session collection

In order to make a desktop connection available to remote users we first need to publish it as a session collection.

In Server Manager click Remote Desktop Services-Collections-Tasks-Create Session Collection.

Specify a name and the RD Session Host server.

Specify the AD group whose users will have remote access.

We can also specify a User Profile Disk. User profile disks centrally store user and application data on a single virtual disk that is dedicated to one user’s profile. When the user logs on, their profile disk is attached to their session and detached when the user logs off. With this process, there is no copying of files on logon or logoff.

PowerShell alternative:

New-RDSessionCollection -CollectionName 'test' -SessionHost rd-sh.test.com -ConnectionBroker rd-broker.test.com

Set-RDSessionCollectionConfiguration -CollectionName test -UserGroup 'test\domain users' -EncryptionLevel High -ConnectionBroker rd-broker.test.com -AutomaticReconnectionEnabled $true

We can edit the collection by clicking on it-Tasks-Edit Properties.

Now, from a client computer, enter the RD Web Access address in a web browser:

https://rd-web.test.com/rdweb

Through the RD Connection Broker the remote client has connected to the RD Session Host.

The Network Load Balancing (NLB) feature distributes traffic across several servers by using the TCP/IP networking protocol. By combining two or more computers that are running applications into a single virtual cluster, NLB provides reliability and performance for web servers and other mission-critical servers.

The servers in an NLB cluster are called hosts, and each host runs a separate copy of the server applications. NLB distributes incoming client requests across the hosts in the cluster.

In this example we’ll create an NLB cluster from 2 nodes (nlb1 and nlb2) which will be hosting an IIS site.

Installing the NLB and IIS roles

Invoke-Command nlb1,nlb2 {Install-WindowsFeature NLB -IncludeAllSubFeature -IncludeManagementTools}
Invoke-Command nlb1,nlb2 {Install-WindowsFeature Web-Server -IncludeAllSubFeature -IncludeManagementTools}

Creating the NLB cluster

On any cluster node run the following PowerShell command:

New-NlbCluster -InterfaceName ethernet -ClusterName 'iis_cluster' -ClusterPrimaryIP 192.168.0.10 -SubnetMask 255.255.255.0 -OperationMode Unicast

An NLB cluster named iis_cluster with IP 192.168.0.10, in unicast mode, is created.

There are the following operation modes:

Unicast – each NLB cluster node replaces its real (burned-in) MAC address with a new one generated by the NLB software, and every node in the NLB cluster uses the same (virtual) MAC.

Multicast – NLB adds a layer 2 multicast MAC address to the NIC of each node. Each NLB cluster node then has two MAC addresses: its real one and the NLB-generated one.

IGMP multicast – like multicast, but with IGMP support, which ensures that traffic intended for the NLB cluster passes through only those switch ports serving the cluster hosts and not all switch ports.

Adding NLB node:

Add-NlbClusterNode -NewNodeName nlb1 -NewNodeInterface 'Ethernet' -InterfaceName 'Ethernet'

Setting NLB cluster ports and the port filtering mode

Filtering modes:

None – multiple connections from the same client IP address can be handled by different cluster hosts.

Single host – directs traffic for the port rule to a single host.

Multiple hosts – distributes traffic between the Network Load Balancing (NLB) cluster servers.

Get-NlbClusterPortRule | Set-NlbClusterPortRule -NewIP 192.168.0.10 -NewProtocol tcp -NewStartPort 80 -NewEndPort 80 -NewMode Multiple

 

Setting the load weight

The load weight applies only for the Multiple hosts filtering mode. When using the Multiple hosts filtering mode, the load weight specifies the relative amount of load-balanced network traffic that this node should handle for the associated port rule. Allowed values range from 0 (zero) to 100. To prevent a host from handling any network traffic, set the load weight to 0 (zero).

Get-NlbClusterNode -NodeName nlb1 | Get-NlbClusterPortRule | Set-NlbClusterPortRuleNodeWeight -LoadWeight 50

Setting NLB node priority

Each cluster host is assigned a unique host priority in the range of 1 to 32, where lower numbers denote higher priorities. The host with the highest host priority (lowest numeric value) is called the default host. It handles all client traffic for the virtual IP addresses that is not specifically intended to be load-balanced. This ensures that server applications not configured for load balancing only receive client traffic on a single host. If the default host fails, the host with the next highest priority takes over as default host.

This command sets priority 32 for node nlb1

Set-NlbClusterNode -HostName nlb1 -HostPriority 32 -InterfaceName ethernet

 

Affinity can be set only when the Multiple hosts filtering mode is applied.

The Network option specifies that NLB directs multiple requests from the same TCP/IP Class C address range to the same cluster host. Enabling Network affinity instead of Single affinity ensures that clients that use multiple proxy servers to access the cluster have their TCP connections directed to the same cluster host.

Get-NlbClusterPortRule | Set-NlbClusterPortRule -NewAffinity Single
Get-NlbClusterNode -NodeName nlb1 | fl *
Invoke-Command nlb2 {Get-NlbClusterNode -NodeName nlb2 | fl *}

Because nlb2 has the highest priority (1), requests are directed to this node.

Test NLB:

On nlb1:

del C:\inetpub\wwwroot\iisstart.htm
echo "This page is hosted on nlb1 node :-)" > C:\inetpub\wwwroot\index.html

On nlb2:

del C:\inetpub\wwwroot\iisstart.htm
echo "This page is hosted on nlb2 node :-)" > C:\inetpub\wwwroot\index.html

Stop the nlb2 node from nlb1:

Invoke-Command nlb2 {Stop-NlbClusterNode -HostName nlb2}
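
The failover test above, scripted, as an added example (not code from the original post): it polls the cluster VIP, reads which node served the page, drains nlb2 instead of stopping it cold, and checks that nlb1 takes over. With the Single affinity set earlier one client keeps landing on the same node, so the interesting part is the failover. It assumes the index.html pages from above, VIP 192.168.0.10, and a management client with the NLB RSAT tools that is not itself a cluster node.

```powershell
# Added example, not from the original post. Run from a client outside the
# cluster; on a cluster node requests to the VIP would be answered locally.
$ClusterIp = '192.168.0.10'

function Get-NlbAnswerCounts {
    param([string]$Ip, [int]$Requests = 20)
    $counts = @{}
    for ($i = 0; $i -lt $Requests; $i++) {
        try {
            $body = (Invoke-WebRequest -Uri "http://$Ip/index.html" -UseBasicParsing -TimeoutSec 5).Content
            # The test pages say "hosted on <node> node"; anything else is unexpected.
            $node = if ($body -match 'hosted on (\S+) node') { $Matches[1] } else { 'unknown' }
        } catch {
            $node = 'error'
        }
        $counts[$node] = 1 + [int]$counts[$node]
    }
    $counts
}

function Format-Counts([hashtable]$c) {
    ($c.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
}

# Baseline with both nodes converged.
Get-NlbClusterNode -HostName nlb1 | Select-Object Name, HostPriority, State
$before = Get-NlbAnswerCounts -Ip $ClusterIp
"Before: " + (Format-Counts $before)

# Drainstop lets existing connections finish instead of cutting them off
# (the post's Stop-NlbClusterNode without -Drain stops immediately).
Invoke-Command nlb2 { Stop-NlbClusterNode -HostName nlb2 -Drain -Timeout 1 }

$after = Get-NlbAnswerCounts -Ip $ClusterIp
"After stopping nlb2: " + (Format-Counts $after)

if ($after.Keys -contains 'nlb2') { Write-Warning 'nlb2 still answering: cluster has not reconverged' }
if ($after['error'])             { Write-Warning 'some requests failed during failover' }

# Bring nlb2 back and confirm it rejoins the cluster.
Invoke-Command nlb2 { Start-NlbClusterNode -HostName nlb2 }
Get-NlbClusterNode -HostName nlb1 | Select-Object Name, State
```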

With role-based access control we configure detailed control over which tasks users can perform in IPAM.

Built-in IPAM roles:

Type          Name                                  Description
------------  ------------------------------------  --------------------------------------------------------------------------
Role          DNS record administrator              Manages DNS resource records
Role          IP address record administrator       Manages IP addresses but not IP address spaces, ranges, blocks, or subnets
Role          IPAM administrator                    Manages all settings and objects in IPAM
Role          IPAM ASM administrator                Completely manages IP addresses
Role          IPAM DHCP administrator               Completely manages DHCP servers
Role          IPAM DHCP reservations administrator  Manages DHCP reservations
Role          IPAM DHCP scope administrator         Manages DHCP scopes
Role          IPAM MSM administrator                Completely manages DHCP and DNS servers
Access scope  Global                                By default, all objects in IPAM are included in the global access scope.
                                                    All additional scopes that are configured are subsets of the global access scope.


Adding a custom role

Sometimes the built-in roles won’t meet our requirements; in that case we can create a custom role.

Click Access Control-right-click Roles-Add User Role.

Enter the role name and define which actions can be performed within that role; in this example the user can create zones, invoke zone transfers and configure the preferred DNS server.


Creating an access policy

Now map the user to the IPAM role:

Right-click Access Policies-Add Access Policy.

Click Add-select the domain and add the user (in my example this user is a standard domain user with no specific privileges).

In Access Settings click New and choose the role.

Click Add Setting.

Optionally, we can specify an access scope.

An access scope determines the objects that a user has access to. You can use access scopes to define administrative domains in IPAM. For example, you might create access scopes based on geographical location. By default, IPAM includes an access scope of Global. All other access scopes are subsets of the Global access scope. Users or groups that are assigned to the Global access scope have access to all objects in IPAM that are permitted by their assigned role.

In this example I didn’t create any access scope.

Testing

Log in to the IPAM server with the user; according to the role settings, the user can create a DNS zone but can’t delete it.


In a previous post we installed IPAM; in this one we’ll perform some basic tasks.

Adding a DNS record

In the IPAM console click DNS Zones-right-click the zone-Add DNS Record.

New-choose the record type.

Type the value, optionally add a PTR record-Add Resource Record.

See zone details

In the left pane click Tree view-Forward Lookup Zones.

Select the zone in the left pane; in Current view choose Resource Records.

Managing IP addresses

To find the first available address, IPAM looks at the DHCP range; in my case I have configured the DHCP range 192.168.0.20-192.168.0.30 and one DHCP client. IPAM will provide the next available address.

Click IP Address Ranges-right-click the DHCP range-Find and Allocate Available IP Address.

Or by PowerShell:

Add-IpamAddress -IpAddress 192.168.0.22 -PassThru
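
The Find and Allocate step above as an added PowerShell example (not code from the original post): IPAM picks the next free address in the 192.168.0.20-192.168.0.30 range instead of us hard-coding 192.168.0.22, and the record is only created after a reachability check. It assumes the IpamServer module (IPAM client tools) and that the range exists in IPAM; the device and owner names are placeholders.

```powershell
# Added example, not from the original post. Run on the IPAM server or a client
# with the IPAM client tools, as a user holding an IPAM address-management role.
Import-Module IpamServer

function New-IpamAllocation {
    param(
        [string]$RangeStart = '192.168.0.20',
        [string]$RangeEnd   = '192.168.0.30',
        [string]$Device     = 'lab-host-01',   # placeholder device name
        [string]$Owner      = 'lab'            # placeholder owner
    )
    $range = Get-IpamRange -StartIPAddress $RangeStart -EndIPAddress $RangeEnd
    if (-not $range) { throw "Range $RangeStart-$RangeEnd is not in IPAM" }

    # IPAM skips addresses already recorded in its database (including the
    # DHCP lease it collected) and returns the first free one.
    $free = Find-IpamFreeAddress -InputObject $range -NumAddress 1
    if (-not $free) { throw 'No free address left in the range' }

    # Guard against a stale inventory: a host that answers but was never
    # recorded would otherwise get its address handed out twice.
    if (Test-Connection -ComputerName $free.IPAddress -Count 1 -Quiet) {
        throw "$($free.IPAddress) is reported free by IPAM but responds to ping; refresh the inventory first"
    }

    # Same cmdlet the post uses, with the discovered address and some metadata
    # so the record is traceable later.
    Add-IpamAddress -IpAddress $free.IPAddress -DeviceName $Device -Owner $Owner `
                    -AssignmentType Static -PassThru
}

New-IpamAllocation | Select-Object IpAddress, DeviceName, AssignmentType, AssignmentDate
```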

Creating a DNS zone

In the left pane click DNS and DHCP Servers-right-click the DNS server-Create DNS Zone.

Enter the zone type (forward or reverse) and the name.

Purging utilization data from the IPAM database

Browse to one of the following locations: IP Address Blocks, IP Address Inventory, or IP Address Range Groups.
Click TASKS, and then click Purge Utilization Data.

The Purge Utilization Data dialog box opens.
In Purge all utilization data on or before, click Select a date.
Choose the date for which you want to delete all database records both on and before that date.
Click OK. IPAM deletes all the records that you have specified.