System Center Orchestrator – Running Powershell

I’ve had a lot of trouble with SCORCH and PowerShell, primarily because Orchestrator will always call PowerShell 2.0. Here’s how I get things done.

Reference: RUNNING AND DEBUGGING POWERSHELL SCRIPTS WITH ORCHESTRATOR 2012

  1. Add two new variables
    1. Powershell Scripts Username
    2. Powershell Scripts Password
  2. ‘Encrypt’ the password variable.
  3. Copy the PowerShell script you’d like to run to C:\Scripts on your target system.
  4. Add a ‘Run Script’ activity to your Runbook.
  5. Use the following code template, but replace username/password with variable subscriptions, and replace the PowerShell script name and path.
    $ErrorActionPreference = "Stop"
    try
    {
        # Target host and the credentials subscribed from the two Orchestrator variables
        $targetComputer = "server.contoso.com"
        $username = "{Scripts Username}"
        $password = "{Scripts Password}"
        # Build a PSCredential so Invoke-Command runs the remote script as that account
        $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force
        $creds = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
        # Run the script already staged in C:\Scripts on the target; its output lands in $retval
        $retval = Invoke-Command -Credential $creds -ComputerName $targetComputer -ScriptBlock {& "C:\Scripts\Generate-VMHostGuestInfoReport.ps1"}
    }
    catch
    {
        # Rethrow so the Run Script activity fails instead of reporting success
        Throw $_.Exception
    }
    

Getting data back out is a bit of a problem, so I’ve just been writing data to a file inside my target script, and then reading the file with Orchestrator. It’s a bit of a kludge, but it works.

Intel vPro – Configuration – Part 2 – PKI Installation


At this point in the series, our goal is to set up the simplest possible configuration to get vPro working as a proof-of-concept. Since the proof-of-concept will be using a self-signed certificate, we will need to install a Certificate Authority. Since it’s unsafe to use a single-tier PKI with vPro, we will install a two-tier PKI.

This post will cover the following:

  1. Installing the Offline Standalone Root CA
  2. Installing the Online Enterprise Subordinate (Issuing) CA

Installing the Offline Standalone Root CA

Requirements

You will need two VMs:

  • Standalone root CA: Windows Server 2008 Standard or better.
  • Enterprise subordinate CA: Windows Server 2008 Enterprise or better.

Concepts

Please read the following blog post a couple times in order to learn the concepts behind PKI. Without this information, it will be difficult to continue.

In our case, we will configure IIS on the enterprise subordinate CA and use it as the AIA and CDP locations for both the offline standalone root and the online enterprise subordinate issuing CA.

Procedure

  1. Install Windows Server 2008 Standard or above on the VM.
  2. Download the following scripts from my blog post titled Server 2008 R2 Standalone Root CA Install Script and store them on the VM at the folder C:\Install_Files.
    1. capolicy.inf
    2. SetupCA-RootCA.ps1
    3. Install-StandAloneCA.cmd
  3. Modify capolicy.inf.
    1. Remove the following lines:
      [LegalPolicy]
      URL = "http://certs.chemistry.ohio-state.edu/CertData/cps.docx"
    2. Change the line ‘renewalkeylength’ from 4096 to 2048. vPro doesn’t support keys larger than 2048.
  4. Modify SetupCA-RootCA.ps1 line 351.
    1. Replace -CAName with a friendly-name for your CA (you get to choose this).
    2. Change -DNSuffix to match the distinguished name of your domain. You can find this by running the following command in PowerShell:
      ([adsi]'').distinguishedname
    3. Finally, change -HashAlgorith from SHA256 to SHA1. vPro doesn’t support SHA256 certificates.
  5. Modify Install-StandAloneCA.cmd
    1. Insert your domain’s distinguished name on line 9.
    2. On line 20, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://cdp.yourdomain.com/Certdata/%%3%%8%%9.crl"
    3. On line 23, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CACertPublicationURLs  "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://aia.yourdomain.com/CertData/%%1_%%3%%4.crt"
  6. After placing all three files into C:\Install_Files, launch a command prompt as administrator and type the following commands:
    cd C:\Install_Files
    Install-StandAloneCA.cmd
    certutil -crl

Enterprise Subordinate Issuing CA

Now that your Offline Root CA is configured, it’s time to install the Enterprise Issuing CA.

Procedure

  1. Install Windows Server 2008 Enterprise or above on the VM.
  2. Create partitions on the server like the following:
    • C:\, 25GB, boot
    • D:\, 5GB, cert db
    • E:\, 5GB, logs
    • F:\, 5GB, inetpub
  3. Download the following scripts from my blog post titled Server 2008 Enterprise Subordinate CA Install Scripts and store them on the VM at the folder C:\Install_Files.
    1. capolicy.inf
    2. Setup-IssuingCA1.ps1
    3. Install-ADCS.cmd
  4. Modify capolicy.inf.
    1. Remove the following lines:
      [LegalPolicy]
      URL = "http://certs.chemistry.ohio-state.edu/CertData/cps.docx"
    2. Change the line ‘renewalkeylength’ from 4096 to 2048. vPro doesn’t support keys larger than 2048.
  5. Modify Setup-IssuingCA1.ps1 line 351.
    1. Replace -CAName with a friendly-name for your CA (you get to choose this).
    2. Change -DNSuffix to match the distinguished name of your domain. You can find this by running the following command in PowerShell:
      ([adsi]'').distinguishedname
    3. Finally, change -HashAlgorith from SHA256 to SHA1. vPro doesn’t support SHA256 certificates.
  6. Modify Install-ADCS.cmd
    1. Insert your domain’s distinguished name on line 9.
    2. On line 20, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n65:F:\inetpub\wwwroot\certdata\%%3%%8%%9.crl\n6:http://cdp.yourdomain.com/Certdata/%%3%%8%%9.crl"
    3. On line 23, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CACertPublicationURLs  "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n1:F:\inetpub\wwwroot\certdata\%%1_%%3%%4.crt\n2:http://aia.yourdomain.com/CertData/%%1_%%3%%4.crt"
  7. After placing all three files into C:\Install_Files, launch a command prompt as administrator and type the following commands:
    cd C:\Install_Files
    Install-ADCS.cmd
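The numeric prefixes and %N tokens in the certutil lines of steps 6.2 and 6.3 above (and steps 5.2 and 5.3 of the root CA) decide which locations the CA merely writes to and which URLs end up inside issued certificates and CRLs. As an added example that is not part of the original post, this Python decoder parses those values, expands the tokens and flags locations a client could never fetch; the token sample values and hostnames it uses are constructed.

```python
"""Decode the certutil CRLPublicationURLs / CACertPublicationURLs strings.

Added example, not from the original post: parses the "flags:url\nflags:url"
registry values written by Install-StandAloneCA.cmd / Install-ADCS.cmd and
reports which locations are publish-only and which are embedded in issued
certificates and CRLs (the URLs that must resolve for validation to pass).
"""
import re
from dataclasses import dataclass

# CSURL_* bits certutil accepts as the numeric prefix of each location.
FLAGS = {
    1: "SERVERPUBLISH",        # CA writes the CRL (or CA cert) to this location
    2: "ADDTOCERTCDP",         # CDP (CRL value) or AIA (CACert value) of issued certs
    4: "ADDTOFRESHESTCRL",     # Freshest CRL extension of issued certs
    8: "ADDTOCRLCDP",          # CDP extension of the CRL itself
    16: "PUBLISHRETRY",
    32: "ADDTOCERTOCSP",       # CACert value only: advertised as OCSP in AIA
    64: "SERVERPUBLISHDELTA",  # also publish delta CRLs here (65 = 1 + 64)
    128: "ADDTOIDP",
}

# %N replacement tokens (they appear as %%N once escaped for cmd.exe).
TOKENS = {
    "1": "ServerDNSName", "2": "ServerShortName", "3": "CaName", "4": "CertificateName",
    "6": "ConfigurationContainer", "7": "CATruncatedName", "8": "CRLNameSuffix",
    "9": "DeltaCRLAllowed", "10": "CDPObjectClass", "11": "CAObjectClass",
}
TOKEN_RE = re.compile(r"%%?(\d+)")
ENTRY_RE = re.compile(r"^(\d+):(.+)$")


@dataclass
class PublicationUrl:
    flags: int
    url: str

    def flag_names(self) -> list[str]:
        return [name for bit, name in FLAGS.items() if self.flags & bit]

    def tokens(self) -> list[str]:
        return [TOKENS.get(n, f"%{n}") for n in TOKEN_RE.findall(self.url)]

    def expand(self, values: dict[str, str]) -> str:
        # Substitute the tokens the CA fills in at publish time.
        return TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), self.url)

    def is_fetchable(self) -> bool:
        return self.url.lower().startswith(("http://", "ldap://"))


def parse_publication_urls(value: str) -> list[PublicationUrl]:
    """Split on the literal '\\n' separator certutil uses (same ambiguity certutil has)."""
    entries = []
    for raw in re.split(r"\\n|\n", value.strip().strip('"')):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            raise ValueError(f"malformed entry, expected flags:url: {raw!r}")
        entries.append(PublicationUrl(int(m.group(1)), m.group(2)))
    return entries


def embedded_in_certs(entries: list[PublicationUrl]) -> list[str]:
    """Locations relying parties actually see (flag 2 = CDP/AIA of issued certs)."""
    return [e.url for e in entries if e.flags & 2]


def lint(entries: list[PublicationUrl]) -> list[str]:
    """The misconfigurations that make PKIView.msc show errors on a fresh CA."""
    problems = []
    for e in entries:
        if e.flags & (2 | 4 | 8 | 32) and not e.is_fetchable():
            problems.append(f"embedded in issued certs/CRLs but not HTTP/LDAP: {e.url}")
        if e.flags & (1 | 64) and e.is_fetchable():
            problems.append(f"publish flag set on a URL the CA cannot write to: {e.url}")
    if not any(e.flags & 2 for e in entries):
        problems.append("no location carries flag 2, so issued certs get no CDP/AIA URL")
    return problems


# The two values from the Enterprise Subordinate CA steps above (cmd-escaped %% kept).
SUB_CA_CRL = (r"65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl"
              r"\n65:F:\inetpub\wwwroot\certdata\%%3%%8%%9.crl"
              r"\n6:http://cdp.yourdomain.com/Certdata/%%3%%8%%9.crl")
SUB_CA_AIA = (r"1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt"
              r"\n1:F:\inetpub\wwwroot\certdata\%%1_%%3%%4.crt"
              r"\n2:http://aia.yourdomain.com/CertData/%%1_%%3%%4.crt")

# Constructed sample token values; the real ones come from the CA at publish time.
SAMPLE_VALUES = {"1": "subca.devdomain.local", "3": "DevIssuingCA1", "4": "", "8": "", "9": ""}

if __name__ == "__main__":
    for label, value in (("CRLPublicationURLs", SUB_CA_CRL), ("CACertPublicationURLs", SUB_CA_AIA)):
        entries = parse_publication_urls(value)
        print(label)
        for e in entries:
            print(f"  {e.flags:>3} {','.join(e.flag_names()):<35} {e.expand(SAMPLE_VALUES)}")
        print("  embedded:", embedded_in_certs(entries))
        print("  problems:", lint(entries) or "none")
```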

Fixing Certificate Validation

Before we continue, we need to configure the AIA and CDP points so that certificate validation will pass. Otherwise, the subordinate CA won’t trust the root when we try to link them.

  1. Download the following scripts from my blog post titled Server 2008 Enterprise Subordinate CA Install Scripts – Part 2 – IIS and store them on the VM at the folder C:\Install_Files.
    1. Install-SubCA-IIS.cmd
    2. MoveIISRoot.cmd
  2. Open a command prompt as administrator and type the following commands:
    cd C:\Install_Files
    Install-SubCA-IIS.cmd
  3. Login to the Standalone Root CA and copy the files located at C:\Windows\System32\certsrv\certdata to the Subordinate CA’s path F:\inetpub\wwwroot\CertData. These files are the CA Certificate and the initial blank CRL, needed for the CDP and AIA locations.

Linking the two CAs

You might notice that after running Install-ADCS.cmd, the script gives you an error that the Enterprise Subordinate CA does not have a CA certificate and thus cannot start. Here’s how we fix that.

Step 1 – Establish Trust

In order for the servers to have a parent-child relationship, the child CA must trust the parent CA.

  1. Login to the Subordinate CA.
  2. Start -> Run (or Windows+R) -> “mmc”
  3. File -> Add Snap-in -> Certificates -> Local Computer -> Computer Account.
  4. Expand until you see ‘Trusted Root Certificate Authorities’.
  5. Right-click ‘Trusted Root Certificate Authorities’ and choose ‘Install Certificate’.
  6. Follow the wizard, selecting the file at F:\inetpub\wwwroot\CertData\ that was copied from the Standalone CA.

Step 2 – Generate a CA Certificate for the Subordinate CA

  1. Look on the C drive of the Enterprise Subordinate CA. You will see a certificate request file. Copy this file to your Standalone Root CA.
  2. Login to the standalone root CA and launch the Certificate Authority snap-in from ‘Administrative Tools’.
  3. Right-click the Standalone Root CA and choose ‘All Tasks’ -> ‘Submit New Request’.
  4. Open the request file saved from the C drive of the Enterprise Subordinate CA.
  5. Navigate to ‘Pending Requests’.
  6. Right-click the Pending Request for the Enterprise Subordinate CA’s certificate and choose ‘Approve’.
  7. Navigate to ‘Issued Certificates’.
  8. Double-click the Enterprise Subordinate CA’s certificate.
  9. Navigate to the ‘Details’ tab.
  10. Choose ‘Copy to File…’
  11. Follow the wizard, accepting the defaults. Save the file and copy the file to the Enterprise Subordinate CA.

Step 3 – Install the Subordinate CA’s CA Certificate

  1. Login to the Enterprise Subordinate CA and launch the Certificate Authority snap-in from ‘Administrative Tools’.
  2. Right click the Enterprise Subordinate CA and choose ‘Install CA Certificate’.
  3. Select the certificate file copied from the Standalone Root CA.
  4. Right-click the Enterprise Subordinate CA and choose ‘All Tasks’ -> ‘Start Service’.

Verification

Both certificate servers should now be theoretically working and can issue and verify certificates. To test this, login to the Enterprise Subordinate CA and run the command ‘PKIView.msc’. It should enumerate your PKI and there should be no errors.

Congrats! Your PKI is now installed. Look to the next post for configuring your PKI for Intel AMT.

SCCM 2012 Dev Installation – Scripted

I have SCCM 2012, but I wanted to be able to quickly spin up development versions of our environment to test new features. I’ve put together some files and scripts to be able to do this quickly, and would love to share ’em with you. There may be a few steps missing, because the post is based off of my internal documentation. However, the script will get you 90% of the way there.

Overview

  1. Gather the Required Files
  2. Create a Slipstreamed SQL Install
  3. Install a Dev Domain
  4. Install the Offline Root CA
  5. Run the SCCM script for the CAS
  6. Run the SCCM script for the Site Server

Download the Required Files

Install the Dev Domain

Follow the instructions on my previous blog post: Installing a Server 2008 Dev Domain – Scripted.

Create SQL 2008 R2 SP2 Slipstreamed Media

Follow the instructions on my previous blog post: Optimizing SQL 2008 R2 Install.

Install ADCS on AD1 – Enterprise Root

Many domains have a pre-existing single-tier PKI installed despite the fact that this is, in general, not the best practice. We will replicate this condition on our domain controller so that we have to work around it.

  1. Open AD1, the ADDS\DNS\DHCP VM.
  2. Open Server Manager -> Roles -> “Add Roles”.
  3. Under “Select Server Roles”, check the box next to “Active Directory Certificate Services” and click “Next”.
  4. Under “Select Role Services”, check the box next to “Certificate Authority” and click “Next”.
  5. For “Specify Setup type”, choose “Enterprise” and hit next.
  6. For “Specify CA Type”, choose “Root CA”.
  7. For the “Set Up Private Key” step, choose “Create a new private Key”, and click “Next”.
  8. For “Configure Cryptography for CA”, leave everything to default (RSA) and click next.
  9. For “CA name”, leave defaults and click next.
  10. For “Set Validity Period”, keep it at 5 years and click next.
  11. Keep the default database and log locations, and finish the wizard.

Build the Offline Root VM

Settings:

  • Name: DEV-CA0
  • HD: 40 Thin
  • Nics: 1 nic, vmxnet3, on the private VLAN.
  • IP Address: 192.168.0.20 (Private VLAN)

Install ADCS on CA0 – Standalone Root

  1. Make two folders on your C: drive named “certdb” and “certlog”
  2. Download the following scripts from the John Puskar Github Repo and place them in C:\Install_Files
    • SetupCA-RootCA.ps1
    • Install-StandAlone.cmd
  3. Modify the last line of SetupCA-RootCA.ps1 and replace the CADNSuffix parameter.
  4. Modify the DN, CDP, and AIA lines of the install-standalone.cmd script to fit your dev environment.
  5. Open a command prompt as administrator and run the script named ‘Install-standalone.cmd’.

Build the CAS VM

Settings:

  • Name: DEV-SCCM-CAS
  • HDs (all thin)
    • C: – 40GB
    • D: – 40GB
    • E: – 22GB
    • F: – 100GB
  • Nics: 1 nic, vmxnet3, on the private VLAN.
  • IP Address: 192.168.0.30 (Private VLAN)

Prep and Install the CAS

  1. Login to the John Puskar Github Repo and download the following files. Place them in C:\workingtemp.
    • AD-Functions.ps1
    • Install-Dev-CAS.PS1
  2. Copy the downloaded prereq files from the first step to C:\Install_Files
  3. Modify the variables at the top of the Install-Dev-CAS.ps1 script as necessary for your site.
  4. Open a powershell window as administrator and run the install-dev-cas.ps1 script.

Build the Primary Site Server VM

Settings:

  • Name: DEV-SCCM-TES
  • HDs (all thin)
    • C: – 40GB
    • D: – 40GB
    • E: – 22GB
    • F: – 100GB
  • Nics: 1 nic, vmxnet3, on the private VLAN.
  • IP Address: 192.168.0.40 (Private VLAN)

Prep and Install the Site Server

  1. Login to the John Puskar Github Repo and download the following files. Place them in C:\workingtemp.
    • AD-Functions.ps1
    • Install-Dev-Site-Server.PS1
  2. Copy the downloaded prereq files from the first step to C:\Install_Files
  3. Modify the variables at the top of the Install-Dev-Site-Server.ps1 script as necessary for your site.
  4. Open a powershell window as administrator and run the install-dev-cas.ps1 script.

Alright! Your site should be up and running in HTTP mode at this point. You can streamline this process quite a bit after the first couple runs.

Scripting the Build of a Server 2008 R2 Test Domain

This information is probably a bit old, since Server 2012 is out. I haven’t played around with 2012 too much yet; ‘been focusing on SCCM instead. Server 2012 task sequences are the first thing I’m going to play with next week once we have SP1 installed though :).

Anyways, here we go. This post is about scripting the set-up of a test domain with the following services in the shortest number of steps possible. This post assumes that you want to separate routing out to its own VM.

  • Routing with NAT
  • DNS
  • DHCP
  • ADDS

Step 1 – Routing

Network Configuration

You need an IP boundary for your test domain. The easiest way to do this is to create a private network behind a NAT router. For this to work, you need a private network that is not connected to the internet. On a single host in VMWare ESX, this can be accomplished by creating a vSwitch with no physical adapters, then creating a VMWare Virtual Machine network inside the vSwitch.

Build the VM

Routing is a way of bridging two or more networks. Your virtual server needs to have two network interfaces: one on the private network, and one on a network that can access the internet. Build a VM and configure it this way.

Install and Configure Routing

The following procedure will configure the RRAS service to be a NAT’ing router.

  1. Start -> Run -> ‘control netconnections’
  2. Rename the interface connected to the internet so that it reads ‘Public Interface’.
  3. Rename the interface connected to the private network so that it reads ‘Private Network’
  4. Configure the Private Interface so that it uses the following IP information:
    IP: 192.168.1.1
    Netmask: 255.255.255.0
    Gateway: <none>
    DNS: <none>
  5. Open PowerShell as administrator, and run the following command.
    Import-Module ServerManager
    Add-WindowsFeature NPAS-RRAS, NPAS-Routing
  6. Save the following code as C:\Install_Files\config-rras-nat.txt:
    #========================
    # Interface configuration
    #========================
    pushd interface
    popd
    # End of interface configuration
    
    # ----------------------------------
    # IPHTTPS Configuration
    # ----------------------------------
    pushd interface httpstunnel
    reset
    popd
    # End of IPHTTPS configuration
    
    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4
    reset
    set global icmpredirects=disabled
    popd
    # End of IPv4 configuration
    
    # ----------------------------------
    # IPv6 Configuration
    # ----------------------------------
    pushd interface ipv6
    reset
    popd
    # End of IPv6 configuration
    
    # ----------------------------------
    # ISATAP Configuration
    # ----------------------------------
    pushd interface isatap
    popd
    # End of ISATAP configuration
    
    # ----------------------------------
    # 6to4 Configuration
    # ----------------------------------
    pushd interface 6to4
    reset
    popd
    # End of 6to4 configuration
    
    # ----------------------------------
    # ISATAP Configuration
    # ----------------------------------
    pushd interface isatap
    popd
    # End of ISATAP configuration
    
    #========================
    # Port Proxy configuration
    #========================
    pushd interface portproxy
    reset
    popd
    # End of Port Proxy configuration
    
    # ----------------------------------
    # TCP Configuration
    # ----------------------------------
    pushd interface tcp
    reset
    set global rss=enabled chimney=automatic autotuninglevel=normal congestionprovider=ctcp ecncapability=disabled timestamps=disabled netdma=disabled dca=enabled
    popd
    # End of TCP configuration
    
    # ----------------------------------
    # Teredo Configuration
    # ----------------------------------
    pushd interface teredo
    set state type=client servername=teredo.ipv6.microsoft.com. servervirtualip=0.0.0.0
    popd
    # End of Teredo configuration
    
    # ----------------------------------
    # 6to4 Configuration
    # ----------------------------------
    pushd interface 6to4
    reset
    popd
    # End of 6to4 configuration
    
    # ------------------------------------
    # End of Bridge configuration
    # ------------------------------------
    pushd ipsecdosprotection
    reset
    popd
    
    # ----------------------------------------
    # Wired LAN Configuration
    # ----------------------------------------
    pushd lan
    popd
    # End of Wired LAN Configuration.
    
    # ==========================================================
    # Health Registration Authority configuration
    # ==========================================================
    pushd nap hra
    popd
    # End of NAP HRA configuration
    
    # ==========================================================
    # Network Access Protection client configuration
    # ==========================================================
    pushd nap client
    
    # ----------------------------------------------------------
    # Trusted server group configuration
    # ----------------------------------------------------------
    reset trustedservergroup
    
    # ----------------------------------------------------------
    # Cryptographic service provider (CSP) configuration
    # ----------------------------------------------------------
    set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"
    
    # ----------------------------------------------------------
    # Hash algorithm configuration
    # ----------------------------------------------------------
    set hash oid = "1.3.14.3.2.29"
    
    # ----------------------------------------------------------
    # Enforcement configuration
    # ----------------------------------------------------------
    set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id = "79623" admin = "disable"
    
    # ----------------------------------------------------------
    # Tracing configuration
    # ----------------------------------------------------------
    set tracing state = "disable" level = "basic"
    
    # ----------------------------------------------------------
    # User interface configuration
    # ----------------------------------------------------------
    reset userinterface
    popd
    # End of NAP client configuration
    
    # -----------------------------------------
    # Remote Access Configuration
    # -----------------------------------------
    pushd ras
    set authmode mode = standard
    delete authtype type = PAP
    delete authtype type = MD5CHAP
    delete authtype type = MSCHAPv2
    delete authtype type = EAP
    delete authtype type = CERT
    add authtype type = MSCHAPv2
    add authtype type = EAP
    delete link type = SWC
    delete link type = LCP
    add link type = SWC
    add link type = LCP
    delete multilink type = MULTI
    add multilink type = MULTI
    set conf confstate = enabled
    set type ipv4rtrtype = lanonly ipv6rtrtype = none rastype = none
    set wanports device = "WAN Miniport (SSTP)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (PPTP)" rasinonly = disabled ddinout = enabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (PPPOE)" ddoutonly = enabled
    set wanports device = "WAN Miniport (L2TP)" rasinonly = disabled ddinout = enabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (IKEv2)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 5
    set user name = Administrator dialin = policy cbpolicy = none
    set user name = Guest dialin = policy cbpolicy = none
    set ikev2connection idletimeout = 5 nwoutagetime = 30
    set ikev2saexpiry saexpirytime = 480 sadatasizelimit = 100
    popd
    
    # End of Remote Access configuration.
    
    # -----------------------------------------
    # Remote Access Diagnostics Configuration
    # -----------------------------------------
    pushd ras diagnostics
    set rastracing component = * state = disabled
    set modemtracing state = disabled
    set cmtracing state = disabled
    set securityeventlog state = disabled
    set loglevel events = warn
    popd
    # End of Remote Access Diagnostics Configuration.
    
    # -----------------------------------------
    # Remote Access IP Configuration
    # -----------------------------------------
    pushd ras ip
    delete pool
    set negotiation mode = allow
    set access mode = all
    set addrreq mode = deny
    set broadcastnameresolution mode = enabled
    set addrassign method = auto
    set preferredadapter
    popd
    
    # End of Remote Access IP configuration.
    
    # -----------------------------------------
    # Remote Access IPv6 Configuration
    # -----------------------------------------
    pushd ras ipv6
    
    set negotiation mode = deny
    set access mode = all
    set routeradvertise mode = enabled
    set prefix prefix = ::
    popd
    # End of Remote Access IPv6 configuration.
    
    # -----------------------------------------
    # Remote Access AAAA Configuration
    # -----------------------------------------
    pushd ras aaaa
    set authentication provider = windows
    set accounting provider = windows
    delete authserver name = *
    delete acctserver name = *
    popd
    # End of Remote Access AAAA configuration.
    
    # Routing Configuration
    pushd routing
    reset
    popd
    # IP Configuration
    pushd routing ip
    reset
    set loglevel error
    add preferenceforprotocol proto=LOCAL preflevel=1
    add preferenceforprotocol proto=STATIC preflevel=3
    add preferenceforprotocol proto=NONDOD preflevel=5
    add preferenceforprotocol proto=AUTOSTATIC preflevel=7
    add preferenceforprotocol proto=NetMgmt preflevel=10
    add preferenceforprotocol proto=RIP preflevel=120
    add interface name="Private Network" state=enable
    set filter name="Private Network" fragcheck=disable
    add interface name="Public Interface" state=enable
    set filter name="Public Interface" fragcheck=disable
    add interface name="Internal" state=enable
    add interface name="Loopback" state=enable
    popd
    # End of IP configuration
    
    # ----------------------------------
    # DNS Proxy configuration
    # ----------------------------------
    pushd routing ip dnsproxy
    uninstall
    popd
    # End of DNS proxy configuration
    
    # ----------------------------------
    # IGMP Configuration
    # ----------------------------------
    pushd routing ip igmp
    uninstall
    install
    set global loglevel = ERROR
    # IGMP configuration for interface "Private Network"
    delete interface name="Private Network"
    add interface name="Private Network" igmpprototype=IGMPRTRV3 ifenabled=enable robustvar=2 startupquerycount=2 startupqueryinterval=31 genqueryinterval=125 genqueryresptime=10 lastmemquerycount=2 lastmemqueryinterval=1000 accnonrtralertpkts=YES
    # IGMP configuration for interface "Public Interface"
    delete interface name="Public Interface"
    add interface name="Public Interface" igmpprototype=IGMPPROXY ifenabled=enable
    popd
    # End of IGMP configuration
    
    # ----------------------------------
    # NAT configuration
    # ----------------------------------
    pushd routing ip nat
    uninstall
    install
    set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR
    #NAT Configuration For Interface Private Network
    add interface name="Private Network" mode=PRIVATE
    #NAT Configuration For Interface Public Interface
    add interface name="Public Interface" mode=FULL
    #NAT Configuration For Interface Internal
    add interface name="Internal" mode=PRIVATE
    popd
    
    # ----------------------------------
    # DHCP Relay Agent configuration
    # ----------------------------------
    pushd routing ip relay
    uninstall
    popd
    # End of DHCP Relay configuration
    
    # ----------------------------------
    # RIP configuration
    # ----------------------------------
    pushd routing ip rip
    uninstall
    popd
    # End of RIP configuration
    
    # ----------------------------------
    # Router Discovery Configuration
    # ----------------------------------
    pushd routing ip routerdiscovery
    uninstall
    add interface name="Private Network" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Public Interface" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Internal" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Loopback" disc=disable minint=7 maxint=10 life=30 level=0
    popd
    
    # ----------------------------------
    # DHCP Allocator Configuration
    # ----------------------------------
    pushd routing ip autodhcp
    uninstall
    popd
    # End of DHCP Allocator Configuration
    
    # IPv6 Configuration
    pushd routing ipv6
    set filter name="Private Network" fragcheck=disable
    set filter name="Public Interface" fragcheck=disable
    popd
    # End of IPv6 configuration
    
    # ----------------------------------
    # DHCPv6 Relay Agent configuration
    # ----------------------------------
    pushd routing ipv6 relayv6
    uninstall
    popd
    # End of DHCPv6 Relay configuration
    
    # -----------------------------------------------------------------------
    # Remote Access Demand Dial Configuration
    # -----------------------------------------------------------------------
    pushd ro demanddial
    
    # -----------------------------------------
    # WinHTTP Proxy Configuration
    # -----------------------------------------
    pushd winhttp
    reset proxy
    popd
    
    # End of WinHTTP Proxy Configuration
    popd
    
    popd
    exit
  7. Run the following commands to configure RRAS.
    sc config remoteaccess start= auto
    netsh -f C:\Install_Files\config-rras-nat.txt
    net start remoteaccess
    netsh -f C:\Install_Files\config-rras-nat.txt

For some reason, I can’t figure out how to configure RRAS NAT’ting from the command line without having to import the configuration, then start the service, then import the same configuration again. If I skip the second import, then RRAS doesn’t actually pass traffic. I should really spend more time on this, but meh — it works.

Installing ADDS

Next, we’ll install a server to run ADDS, DHCP, and DNS. This should provide all the basic network services needed for clients to easily access the internet.

  1. Build a VM with a single network interface, connected to the Private Network.
  2. Configure the IP information as follows:
    IP: 192.168.1.10
    Netmask: 255.255.255.0
    Gateway: 192.168.1.1
    DNS: 192.168.1.10
  3. Open PowerShell and run the following commands:
    Import-Module ServerManager
    Add-WindowsFeature ADDS-Domain-Controller
  4. Save the following code to C:\Install_Files\ADDS-Unattend.txt. Reference: Server 2008 R2 dcpromo.
    [DCINSTALL]
    InstallDNS=yes
    NewDomain=forest
    NewDomainDNSName=devdomain.local
    DomainNetBiosName=devdomain
    SiteName=Default-First-Site-Name
    ReplicaOrNewDomain=domain
    ForestLevel=4
    DomainLevel=4
    DatabasePath="%systemroot%\NTDS"
    LogPath="%systemroot%\NTDS"
    SYSVOLPath="%systemroot%\SYSVOL"
    RebootOnCompletion=yes
    SafeModeAdminPassword=P@ssw0rd
    
  5. Run the following command from the command prompt, then wait for the PC to reboot. If it doesn’t seem like things are working, type “Echo %errorlevel%” and cross-reference the number returned with the table here: dcpromo exit codes.
    start /wait dcpromo /unattend:C:\Install_Files\ADDS-Unattend.txt
  6. Run the following commands to configure your DNS service to forward queries to upstream DNS servers. In the code below, I’m using the Google public DNS service. You may have to use the upstream DNS server of your ISP or organization instead. Ref: Server 2008 R2 dnscmd.
    dnscmd %computername% /resetforwarders 8.8.8.8 8.8.4.4 /timeout 3 /noslave
  7. Next, run the following commands from PowerShell to install the DHCP service:
    Import-Module ServerManager
    Add-WindowsFeature DHCP
  8. Run the following commands from the command prompt to configure DHCP. Reference: Installing DHCP in Server Core.
    sc config dhcpserver start= auto
    net start dhcpserver
    netsh dhcp add server %computername% 192.168.1.10
    netsh dhcp server 192.168.1.10 add scope 192.168.1.0 255.255.255.0 DevDomainScope
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.200
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.1.10
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set state 1

Now, any machines connected to your private network should get a DHCP address containing a working DNS server and gateway. You can test this by deploying a new windows VM and seeing if you can surf the internets.

SCCM Client Install VBS Script (Advanced)

My coworker and I put this script together after a lot of labor. It’s a heavily modified version of the original made by Jason Sandys found here.

Downloads

New Features

  • For Windows XP and 2003 machines, the certificate auto-enrollment legacy hotfix (KB968730) can now be installed by the script. New options are defined in the xml file for the legacy hotfix.
  • Input arguments are more flexible.
  • Logs can be copied to a central share.
  • Additional SCCM client arguments can now be specified in the XML.
  • CUs (cumulative updates) now scan and install properly according to architecture.

What does it do?

  • The script will:
    • Install the SCCM 2012 client.
    • Maintain the health of the SCCM client.
    • Install Client and necessary Legacy OS hotfixes if the client is outdated.
  • This script does not fix WMI problems at this time. That’s a feature we’re still working on.

XML Options

See the github readme for additional options available in this version of the script.

Thanks!

Packaging Smart Notebook 10.8 with Galleries for SCCM

Hello again! Let’s get to it.

Downloads

Procedure

  1. Install the Smart Install Manager.
  2. Extract galleryessentials.zip to the folder C:\Temp\.
  3. Extract lat2_0_1en.zip (lesson activities zip) to the folder C:\Temp\.
  4. Verify that you now have 2 folders in C:\Temp. They should be named ‘Lesson Activity Toolkit’ and ‘SMART Essentials for Educators’.
  5. Using WinRAR, create a self-extracting archive (SFX EXE) named SNGallery.exe containing the 2 folders listed in the previous step. Use the following parameters:
    Add Recovery Record: True
    Mode: Fastest
    Advanced SFX Options -> Modes -> Hide start dialog
    Advanced SFX Options -> Update -> Extract and replace files.
  6. Place SNGallery.exe and “SMART Education Software 2011.msi” in your preferred package folder.
  7. Save the following code as SN_with_Gallery.xml, and add your license keys as necessary.
    <?xml version="1.0" encoding="utf-8" standalone="yes" ?>
    <AdminCustomization version="1.0" source="C:\temp\educationsoftwareinstaller2011adminwin2\SMART Education Software 2011.msi" lastSaveFile="" productVersion="10.8.205.0" productName="SMART Education Software 2011">
        <properties>
            <property name="$AI_CONTENT_TARGET_PATH" widget="localdestedit"></property>
            <property name="$AI_CONTENT_TARGET_PATH" widget="galleryedit"></property>
            <property name="$AI_GALLERY_SELECTION" widget="bg"></property>
            <property name="$AI_MATH_PROD_KEY" widget="math_prod_key">PRODUCT KEY HERE!</property>
            <property name="$AI_MIXED_PROD_KEY" widget="mixed_prod_key"></property>
            <property name="$AI_RESPONSE_MIXED_VE_MODE" widget="mixedvemode"></property>
            <property name="$AI_RESPONSE_MODE" widget="resp_setup_tool_mode">8</property>
            <property name="$AI_RESPONSE_MODE_TEMP" widget="setresponsemode_temp"></property>
            <property name="$AI_SCHOOLFILE" widget="schooledit"></property>
            <property name="$AI_SYNC_NAMINGSERVERLOC" widget="server_name"></property>
            <property name="$AI_VALID_CLASS_PROD_KEY" widget="valid_class_prod_key">1</property>
            <property name="$AI_VALID_MATH_PROD_KEY" widget="valid_math_prod_key">1</property>
            <property name="$AI_VALID_MR_PROD_KEY" widget="valid_mixed_prod_key">1</property>
            <property name="$AI_VALID_NB_PROD_KEY" widget="valid_nb_prod_key">1</property>
            <property name="$AI_VALID_RESP_PROD_KEY" widget="valid_resp_prod_key">1</property>
            <property name="$AI_VALID_SYNC_PROD_KEY" widget="valid_sync_prod_key">1</property>
            <property name="$PKG_INSTALL_SPU" widget="hiddencheckboxspu"></property>
            <property name="ACTIVATE_LICENSE" widget="nb_act_now">1</property>
            <property name="ADMIN_CONTENT" widget="ADMIN_CONTENT">1</property>
            <property name="AR" widget="AR"></property>
            <property name="ARTS_CONTENT" widget="ARTS_CONTENT">1</property>
            <property name="CA" widget="CA"></property>
            <property name="CERTIFICATE_FOLDER" widget="certificatefolder"></property>
            <property name="CLASS_PROD_KEY" widget="class_prod_key"></property>
            <property name="CONTENT_SOURCE_PATH" widget="localsourceedit">C:\Temp\Gallery</property>
            <property name="CONTENT_TARGET_PATH" widget="targetpath"></property>
            <property name="CS" widget="CS"></property>
            <property name="CUSTOMER_LOGGING" widget="customerlogging">2</property>
            <property name="CY" widget="CY"></property>
            <property name="DA" widget="DA"></property>
            <property name="DE" widget="DE"></property>
            <property name="DESKTOP_ICONS" widget="shortcuts">1</property>
            <property name="DISALLOW_DOWNLOAD" widget="DISALLOW_DOWNLOAD">1</property>
            <property name="EL" widget="EL"></property>
            <property name="ENABLE_ADMINISTERED_CLASSLIST" widget="admin_class_list">0</property>
            <property name="ENABLE_CONNECT_STUDENTS_USING_CLS" widget="server_ip">0</property>
            <property name="ENABLE_MATH_TRIAL" widget="mathInstall"></property>
            <property name="ENABLE_MR_TRIAL" widget="realityInstall"></property>
            <property name="ENABLE_STPCS" widget="tabletpc"></property>
            <property name="ENGLISH_CONTENT" widget="ENGLISH_CONTENT">1</property>
            <property name="EN_GB" widget="EN_GB"></property>
            <property name="ES" widget="ES"></property>
            <property name="ES_MX" widget="ES_MX"></property>
            <property name="ET" widget="ET"></property>
            <property name="EU" widget="EU"></property>
            <property name="FI" widget="FI"></property>
            <property name="FILE_PORT" widget="fileport"></property>
            <property name="FR" widget="FR"></property>
            <property name="FULL_GALLERY" widget="FULL_GALLERY">1</property>
            <property name="GA" widget="GA"></property>
            <property name="GD" widget="GD"></property>
            <property name="GEOGRAPHY_CONTENT" widget="GEOGRAPHY_CONTENT">1</property>
            <property name="GL" widget="GL"></property>
            <property name="HE" widget="HE"></property>
            <property name="HISTORY_CONTENT" widget="HISTORY_CONTENT">1</property>
            <property name="HI_IN" widget="HI_IN"></property>
            <property name="HR" widget="HR"></property>
            <property name="HU" widget="HU"></property>
            <property name="INSTALLDIR" widget="installdir"></property>
            <property name="INSTALL_BOARD" widget="pdInstall"></property>
            <property name="INSTALL_CLASSSUITE" widget="classInstall"></property>
            <property name="INSTALL_DOCCAM_DRIVERS" widget="DocumentCamera">1</property>
            <property name="INSTALL_NOTEBOOK" widget="notebookInstall">1</property>
            <property name="INSTALL_RESPONSE" widget="responseInstall"></property>
            <property name="INSTALL_SPU" widget="spu_option">1</property>
            <property name="INSTALL_SYNC" widget="syncInstall"></property>
            <property name="INSTALL_UNSIGNED_DRIVERS" widget="unsigneddrivers"></property>
            <property name="IS" widget="IS"></property>
            <property name="IT" widget="IT"></property>
            <property name="JA" widget="JA"></property>
            <property name="KK" widget="KK"></property>
            <property name="KO" widget="KO"></property>
            <property name="LAT_CONTENT" widget="LAT_CONTENT">1</property>
            <property name="LOSU_BRDTOOLS" widget="toolsstartupgroup">1</property>
            <property name="LOSU_RDM" widget="installdesktopmenu">1</property>
            <property name="LT" widget="LT"></property>
            <property name="LV" widget="LV"></property>
            <property name="MATH_CONTENT" widget="MATH_CONTENT">1</property>
            <property name="MATH_PROD_KEY" widget="real_math_key"></property>
            <property name="MI" widget="MI"></property>
            <property name="MIXED_PROD_KEY" widget="real_mr_key"></property>
            <property name="MK" widget="MK"></property>
            <property name="MS" widget="MS"></property>
            <property name="MY_CONTENT" widget="mycontentedit"></property>
            <property name="NB" widget="NB"></property>
            <property name="NBPLUGIN_INSTALLED" widget="NotebookPlugin">1</property>
            <property name="NB_PROD_KEY" widget="nb_prod_key">SMART NOTEBOOK PRODUCT KEY HERE!</property>
            <property name="NETWORK_CONTENT" widget="networkinstall"></property>
            <property name="NL" widget="NL"></property>
            <property name="PEOPLE_CONTENT" widget="PEOPLE_CONTENT">1</property>
            <property name="PL" widget="PL"></property>
            <property name="PRINT_CAPTURE" widget="printCapture">1</property>
            <property name="PRODUCT_NOTIFICATION" widget="productnotification">1</property>
            <property name="PT_BR" widget="PT_BR"></property>
            <property name="PT_PT" widget="PT_PT"></property>
            <property name="RESPONSE_ACTIVATION" widget="regfile"></property>
            <property name="RESPONSE_MODE" widget="setresponsemode">8</property>
            <property name="RESP_PROD_KEY" widget="resp_prod_key"></property>
            <property name="RO" widget="RO"></property>
            <property name="RU" widget="RU"></property>
            <property name="SCHOOLFILE" widget="real_schooledit"></property>
            <property name="SCIENCE_CONTENT" widget="SCIENCE_CONTENT">1</property>
            <property name="SECURE_BASE_PORT" widget="securebaseport"></property>
            <property name="SK" widget="SK"></property>
            <property name="SL" widget="SL"></property>
            <property name="SPECIAL_CONTENT" widget="SPECIAL_CONTENT">1</property>
            <property name="SPORTS_CONTENT" widget="SPORTS_CONTENT">1</property>
            <property name="SPU_TIME_FRAME" widget="checkdays">30</property>
            <property name="SQ" widget="SQ"></property>
            <property name="SR" widget="SR"></property>
            <property name="START_SNMP_SERVICE" widget="launchsnmp"></property>
            <property name="SV" widget="SV"></property>
            <property name="SW" widget="SW"></property>
            <property name="SYNC_NAMINGSERVERLOC" widget="real_server_name"></property>
            <property name="SYNC_PROD_KEY" widget="sync_prod_key"></property>
            <property name="TEAM_CONTENT_PATH" widget="teamcontentedit"></property>
            <property name="TR" widget="TR"></property>
            <property name="UK" widget="UK"></property>
            <property name="VA" widget="VA"></property>
            <property name="ZH_CN" widget="ZH_CN"></property>
            <property name="ZH_TW" widget="ZH_TW"></property>
        </properties>
    </AdminCustomization>
    
  8. Open Smart Install Manager and import the XML file saved in the previous step. Make any adjustments you deem important, then save the modifications as SN_with_Gallery.mst in your preferred package folder.
  9. Create a batch file with the following contents:
    @ECHO OFF
    ECHO Installing SMART Notebook 10.8 with Gallery
    ECHO Do not close this window. It will close when the install is finished.
    
    REM == Main Install ==
    SNGallery.exe
    msiexec /i "SMART Education Software 2011.msi" TRANSFORMS="SN_with_Gallery.mst" /qb
    

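As an added example (not the original post's batch file), here is the same install step as a PowerShell wrapper that checks the exit code of both the SFX and msiexec and keeps a verbose MSI log, which is what you want when a deployment fails on one machine out of a hundred. It assumes the script sits in the package folder next to SNGallery.exe, the MSI and the MST, and that SNGallery.exe was built with "Hide start dialog" so it runs unattended.

```powershell
# Added example, not from the original post. Assumptions: this script lives in the
# package folder with SNGallery.exe, the MSI and the MST; %windir%\Temp is writable;
# SNGallery.exe was built with "Hide start dialog" so it needs no interaction.
$ErrorActionPreference = 'Stop'
$pkgDir = Split-Path -Parent $MyInvocation.MyCommand.Path    # package source folder
$msiLog = Join-Path $env:windir 'Temp\SMART_Education_Software_2011.log'
Set-Location $pkgDir

# Step 1: unpack the gallery content (the SFX built in step 5 above).
$sfx = Start-Process -FilePath (Join-Path $pkgDir 'SNGallery.exe') -Wait -PassThru
if ($sfx.ExitCode -ne 0) {
    Write-Warning "SNGallery.exe failed with exit code $($sfx.ExitCode)"
    exit $sfx.ExitCode
}

# Step 2: install the MSI with the transform saved from Smart Install Manager.
$msiArgs = @(
    '/i', '"SMART Education Software 2011.msi"',
    'TRANSFORMS="SN_with_Gallery.mst"',
    '/qb',                   # basic UI, as in the original batch file
    '/L*v', "`"$msiLog`""    # verbose log for troubleshooting
)
$msi = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# msiexec returns 0 on success, 3010 when a reboot is still required and 1641 when
# it started one itself; SCCM treats all three as success. Anything else failed.
switch ($msi.ExitCode) {
    0       { Write-Host 'Install succeeded.' }
    3010    { Write-Host 'Install succeeded; reboot required.' }
    1641    { Write-Host 'Install succeeded; reboot initiated.' }
    default { Write-Warning "msiexec failed with exit code $($msi.ExitCode); see $msiLog" }
}
exit $msi.ExitCode
```

Run it from the package program as `powershell.exe -ExecutionPolicy Bypass -File Install-SNGallery.ps1` so the script's exit code reaches SCCM.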
And…that should be all she wrote! Good luck y’all.

OCSP Scripting

I’ve been building scripts to automate the deployment of my production PKI servers, and I ran into a snag. There doesn’t seem to be an easy way to automate OCSP like there is for NLB or DFS. I asked the AD Team, and they responded with the following. I know it isn’t much, but it’s a start for anyone out there looking into it.

Question:

ADS Team,
I can’t seem to find an answer to this question on Google\TechNet. Are there any available PowerShell, WMI, or command-line options for configuring an OCSP responder? I know that I can install the feature with Add-WindowsFeature, but I’d like to script configuring the responder and creating the array.
Thanks for your time!

John Puskar

Response:

John
There are currently no command line tools or dedicated PowerShell cmdlets available to perform management tasks on the Online Responder. You can, however, use the COM interfaces IOCSPAdmin and IOCSPCAConfiguration to manage the revocation providers on the Online Responder.
1. Create an IOCSPAdmin object.
2. The IOCSPAdmin::OCSPCAConfigurationCollection property will return an IOCSPCAConfigurationCollection object.
3. Use IOCSPCAConfigurationCollection::CreateCAConfiguration to create a new revocation provider.
4. Make sure you call IOCSPAdmin::SetConfiguration when finished so the online responder gets updated with the new revocation configuration.

Because these are COM interfaces, you can call them from VBScript or PowerShell, so you have great flexibility in how you write your script.

Kind regards,
Jonathan Stephens, MCITP-EA
Customer Service and Support
Microsoft Corporation
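The four steps in the response, carried out from PowerShell, as an added example (not from the original post or from Microsoft). The responder name, CA config string, certificate path, CRL URL, template name, signing flag value and provider CLSID are assumptions or placeholders; confirm the flag bits and the CLSID against the IOCSPCAConfiguration documentation or an existing configuration in the Online Responder console before relying on them.

```powershell
# Added example, not from the original post or from Microsoft. Placeholders and
# assumptions: responder = local machine; the issuing CA cert was exported to the
# .cer path below; CA config string, CRL URL and template name match your PKI.
# Run elevated: SetConfiguration rewrites the responder's configuration.
$responder   = $env:COMPUTERNAME
$configName  = 'Contoso Issuing CA'                         # revocation configuration name
$caConfig    = 'issuingca.contoso.com\Contoso Issuing CA'   # "<host>\<CA name>", as certutil shows it
$caCertPath  = 'C:\Scripts\ContosoIssuingCA.cer'
$baseCrlUrls = @('http://pki.contoso.com/crl/Contoso%20Issuing%20CA.crl')

# CreateCAConfiguration identifies the CA by its certificate, passed as raw bytes.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertPath

# Step 1: the IOCSPAdmin object (ProgID CertAdm.OCSPAdmin). Reading the current
# configuration first means SetConfiguration adds to it instead of replacing it.
$ocsp = New-Object -ComObject 'CertAdm.OCSPAdmin'
$ocsp.GetConfiguration($responder, $true)

# Steps 2-3: add a revocation configuration to the collection and fill it in.
$cfg = $ocsp.OCSPCAConfigurationCollection.CreateCAConfiguration($configName, $caCert.RawData)
$cfg.CAConfig = $caConfig
$cfg.HashAlgorithm = 'SHA256'                        # hash used to sign responses
$cfg.SigningCertificateTemplate = 'OCSPResponseSigning'
# 0x294 = autoenroll the signing cert (0x200) + responder ID by name (0x80)
#         + autodiscover signing cert (0x10) + allow autorenewal (0x4).
# Assumption: verify these OCSP_SF_* values against the IOCSPCAConfiguration docs.
$cfg.SigningFlags = 0x294
# Assumption: CLSID of the built-in CRL-based revocation provider; confirm it on an
# existing configuration before use.
$cfg.ProviderCLSID = '{4956d17f-88fd-4198-b287-1e6e65883b19}'
$props = New-Object -ComObject 'CertAdm.OCSPPropertyCollection'
[void]$props.CreateProperty('BaseCrlUrls', [string[]]$baseCrlUrls)
$cfg.ProviderProperties = $props.GetAllProperties()

# Step 4: push the updated configuration to the Online Responder service.
$ocsp.SetConfiguration($responder, $true)
Write-Host "Revocation configuration '$configName' created on $responder."
```

Afterwards, check the new configuration's status in the Online Responder console (or rerun GetConfiguration and inspect the collection): it stays in error until the responder has enrolled a signing certificate from the named template.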