LOCAL NETWORK Windows Server 2012 R2 van Bas

Vereisten: 4 computers, een netwerk (switch, router) en een internetverbinding.

1: Installatie Server 2012 R2 (1-3 uur)

Boot en installeer evaluatie DVD en selecteer location .

Geeft Administrator wachtwoord op en verander Computernaam.

Geef vast IP, subnet, gateway en DNS op.

Disable NETBIOS, LMHOST lookup en IPv6.

Installeer de updates.

DISM /online /Set-Edition:ServerStandard /ProductKey:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx /AcceptEula <-- key!

Check of alle updates er op staan! reboot en check again!

2: Installatie Domein Controller (1-3 uur)

Installeer Server 2012 R2 volgens handleiding 1.

Controleer of de computer de juiste naam heeft en installeer AD DS.

Promoveer tot domein controller in new forest + Global Catalog, geef DSRM wachtwoord op.

Installeer een tweede DNS server op een andere computer voor replication.

Controleer of de computer de juiste naam heeft en installeer AD DS.

Promoveer tot domein controller in existing forest + Global Catalog, geef DSRM wachtwoord op.

Controleer of de replicatie werkt.

Installeer eventuele updates.

Controleer de logboeken of alles goed gaat.

Hoe wis ik alle logbestanden in Windows?

Sla onderstaande regel op als clearlog.ps1:

wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}

Sla onderstaande regel op als clearlog.bat en voor uit als administrator:

PowerShell.exe -NoProfile -Command "& {Start-Process PowerShell.exe -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""%~dpn0.ps1""' -verb RunAs}"

3: Installatie DHCP server

Installeer DHCP.

Configureer DHCP server, vul scope en server options in.

Configureer DNS, Timeserver en Router.

Controleer of de instellingen werken.

Controleer de logboeken of alles goed gaat.

4: Installatie Routing en Remote Access

Installeer Server 2012 R2 volgens handleiding 1.

Controleer of de computer de juiste naam heeft maak server lid van het domein.

Installeer DNS en Routing & Remote Access.

Configureer VPN.

Geef je inet nic externe ipconfig en je lan nic interne ipconfig.

Kijk of inet Public Network en lan Domain Network heeft.

Zet op je externe nic IPv6 aan voor IPv4 transition.

Stel de DHCP Relay Agent in op wijzend naar je DHCP server.

Zet bij IGMP je externe nic op Proxy en je interne nic op Router.

Enable IPv4 Router voor LAN en IPv4 RAS.

Vink IKEv2 aan.

Enable IPv4 forwarding , enable broadcast name resolution.

Disable externe nic MAC adres in je DHCP server als DHCP client.

Check of alles up en running is.

VPN over PPTP werkt nu.

Log remote in met een account die remote access rechten heeft. In AD Users en Computers bij user properties allow acces bij dial in. En kijk of het lukt.

Kijk YouTube voor VPN over L2TP.

https://www.youtube.com/watch?v=LuWGuU2LW24

Kijk YouTube voor VPN over SSTP.

https://www.youtube.com/watch?v=inRfk0r7Pgo

https://www.youtube.com/watch?v=ExR-sjpTB_8

https://www.youtube.com/watch?v=jyUgPESQfCE

5: Installatie MDT2013

Lees getting started with windows deployment for windows server 2012 using microsoft deployment toolkit

Edit bootstrap.ini:

UserLocale=nl-NL

KeyboardLocale=0413:00020409

TimeZoneName=W. Europe Standard Time

6: Install & Capture Server 2012 R2 Image

Boot PXE en druk op F12.

Selecteer tasksequence.

7. Installeer SQL Server 2012

Installeer server met tasksequence.

Zet firewall uit om waarschuwingen te voorkomen.

Installeer .NET 3.5 Role.

Installeer SQL 2012 vanaf ISO of DVD.

Installeer SQL 2012 ServicePack 2 en 3.

8. Installeer WSUS Server

Installeer WSUS en geef een pad voor downloads (100 GB).

Geef Network Service Full Control op de WSUSContent map.

Geef Network Service Full Control op de C:\Windows\Temp map.

Geef Network Service Full Control op de C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files map.

Geef Network Service Read op de map waar de WSUSContent map in zit.

Achteraf pad wijzigen doe je hier:

HKLM\Software\Microsoft\Update Services\Server\Setup

Opstartvolgorde van servers:

Eerst een van de domeincontrollers. Wacht tot de server volledig opgestart is. Start dan de tweede domeincontroller. Wacht tot de server volledig opgestart is, reboot dan de eerste. Wacht tot de server volledig opgestart is, reboot dan de tweede. Start de RRAS server. Wacht tot de server volledig opgestart is. Start de rest.

Event ID's bij opstarten en afsluiten van servers:

10149 Windows Remote Management

4013 DNS-Server-Service

2886 ActiveDirectory_DomainService

6038 LsaSrv (NTLM Authentication)

5002 DFSR, DFS Replication

5008 DFSR, DFS Replication

5014 DFSR, DFS Replication

Event ID's die ik verder ben tegengekomen:

Event ID 121 123 en 131: DeviceSetupManager oftewel installeer de drivers voor je hardware.

Een paar voorbeelden:

Metadata staging failed, result={8597C375-D321-5136-A583-6E4B52E5267A} for container '0x80070490'

Device 'Canon Inkjet MP520 series'({8597c375-d321-5136-a583-6e4b52e5267a}) has been serviced, processed 1 tasks, wrote 92 properties, active worktime was 10729 milliseconds.

Metadata staging failed, result={4EEBCAD0-CAE7-11E5-80BD-00261840A025} for container '0x80070490'

Device 'Microsoft XPS Document Writer' ({4eebcad0-cae7-11e5-80bd-00261840a025}) has been serviced, processed 1 tasks, wrote 34 properties, active worktime was 10979 milliseconds.

Metadata staging failed, result={E86543E6-CAE6-11E5-80BC-806E6F6E6963} for container '0x80070490'

Device 'USB TO IDE' ({e86543e6-cae6-11e5-80bc-806e6f6e6963}) has been serviced, processed 4 tasks, wrote 0 properties, active worktime was 9625 milliseconds.

Task Scheduler -> Microsoft -> Windows -> Device setup and run the Metadata Refresh task

of in adminCMD schtasks /run /TN "\Microsoft\Windows\Device Setup\Metadata Refresh

You can go to Event Viewer -> Applications and Services Logs ->Microsoft -> Windows -> DeviceSetupManager -> Admin and check an Information entry that appears right after an Error entry for a given device GUID. This should provide the device name.

Time-Service

Event ID 12 Time-Service

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external timesource. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Oplossing:

Net Stop W32Time

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:MANUAL

Net Start W32Time

w32tm /resync (check of het lukt)

w32tm /query /status (dubbelcheck)

Event ID 144: Time-Service

The time service has stopped advertising as a good time source.

Gevolgd door Event ID 35 dus het gaat gewoon goed.

The time service is now synchronizing the system time with the time source 0.pool.ntp.org

Event ID 129, Time-Service

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

adminCMD:

W32TM /resync

W32TM /query /status

Ok? Dan gaat het gewoon goed.

Event ID 20499 TerminalServices-RemoteConnectionManager

Remote Desktop Services has taken too long to load the user configuration from server \\server1.lan.local for user Administrator

1.Open RegEdit on the Windows Server machine.

2.Navigate to this registry key in the tree on the left:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3.Right-click on the right side, and add a new DWORD (32-bit) Value

4.Set the value name to DisableTaskOffload and the value data to 1

In powershell:

Get-Command -Module NetTCPIP

Get-NetOffloadGlobalSetting

Set-NetOffloadGlobalSetting -TaskOffload Disabled

En het helpt allemaal geen zak. Logon gaat supersnel dus melding is bullshit.

Op andere servers dan de domein controllers:

Event ID 10154, Windows Remote Management

The WinRM service failed to create the following SPNs: WSMAN/servernaam.lan.local; WSMAN/servernaam.

Additional data the error received was 1355.User action: the SPNs can be created by an administrator using setspn.exe utility.

In adminCMD: setspn -R servernaam

Standaard Event ID's bij het opstarten van een server:

Event ID 6038: LsaSrv

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server. NTLM is a weaker authentication mechanism. Please check: Which applications are using NTLM authentication? Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication? If NTLM must be supported, is Extended Protection configured? Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

Standaard Event ID's bij het afsluiten van een server:

Event ID 10149 Windows Remote Management:

The WinRM service is not listening for WS-Management requests.

Standaard Event ID's bij het opstarten van een domein controller:

Event id 4013: DNS-Server-Service

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

Event ID 2886: ActiveDirectory_DomainService

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

Standaard Event ID's bij het rebooten van de andere domein controller:

Event ID 4015, DNS-Server-Service

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

5002 DFSR DFS Replication

The DFS Replication service encountered an error communicating with partner Server2 for replication group Domain System Volume.

The service will retry the connection periodically.

5008 DFSR DFS Replication

The DFS Replication service failed to communicate with partner Server2 for replication group Domain System Volume.

This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

The service will retry the connection periodically.

5014 DFSR DFS Replication

The DFS Replication service is stopping communication with partner Server2 for replication group Domain System Volume due to an error.

The service will retry the connection periodically.

Standaard Event ID's bij het afsluiten van de HYPER-V server:

Event ID:14100, Hyver-V-VMMS

Shut down physical computer. Stopping/saving all virtual machines...

Standaard Event ID's bij het opstarten van de DHCP server:

Event ID:10020, DHCP-Server

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

Is gelul dus ik negeer hem

Event ID:1070, DHCP-Server

Iashlpr initialization failed: The DHCP service was unable to access path specified for the audit log.

, so DHCP server cannot talk to NPS server. It could be that IAS service is not started.

Dit klopt ook hij is nog aan het opstarten

Issue met WID en WSUS server:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:

Logon failure: the user has not been granted the requested logon type at this computer.

Service: MSSQL$MICROSOFT##WID

Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID

This service account does not have the required user right "Log on as a service."

User Action:

Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.

If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

This can be implemented via GPO.

Go to your group policy management console,edit default domain policy

Computer Configuration-Policies-Windows Settings-Security Settings-Local Policies-User Rights Assignment

Note: It is not mandatory to edit the default domain Policy to enable this setting.You can also create new GPO and ensure to have Enforced (running on Server 2012) option is selected which can not be overwritten by Default Domain Controller.

Event ID 8193, VSS

System Writer en NPS VSS Writer

VSS EventID 8193 is logged when you restart the Cryptographic Services service after you install the DHCP role on a computer that is running Windows Server 2012 R2

Symptoms:

You install the DHCP role on a computer that is running Windows Server 2008 R2. When you restart the Cryptographic Services service, the following event is logged in the Application log: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...) hr= 0x80070005, Access is denied.

Although this event is recorded, Volume Shadow Copy and DHCP Server continue to function as expected. Although this event is logged as an error, the event should not be considered a critical failure that affects the correct functioning of VSS. The registry key is mentioned for diagnostic purposes.

Cause:

When the DHCP server role is installed, the permissions of the following registry key (and all subkeys) are overwritten when the DHCP Service account is added:

HKLM\CurrentControlSet\Services\VSS\Diag

When this occurs, the Network Service account is removed.

Every time that the Cryptographic Services service is started, it initializes "System Writer" under the Network Service account and verifies read/write permission for the following registry key:

HKLM\CurrentControlSet\Services\VSS\Diag

Because the Network Service account is used to obtain access to this key, there is no permission for the Network Service. Therefore, VSS logs an "Access denied" event.

Resolution:

To resolve this issue, follow these steps:1.Download the SubInACL.exe tool from the following Microsoft website:

http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displayLang=en

2.Restore the old permissions together with permissions for the DHCP Server:

C:\subinacl.exe /Subkeyreg System\CurrentControlSet\Services\VSS\Diag /sddl=O:SYG:SYD:PAI(A;;KA;;;BA)(A;;KA;;;SY)(A;;SDGRGW;;;BO)(A;;SDGRGW;;;LS)(A;;SDGRGW;;;NS)(A;CIIO;RC;;;S-1-3-4)(A;;KR;;;BU)(A;CIIO;GR;;;BU)(A;CIIO;GA;;;BA)(A;CIIO;GA;;;BO)(A;CIIO;GA;;;LS)(A;CIIO;GA;;;NS)(A;CIIO;GA;;;SY)(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)

Note DHCP Server sddl:

(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)

Of deze:

Resolve:

Determine the cause of the error condition and contact the appropriate vendor.

This event indicates that an unexpected Volume Shadow Copy Service (VSS) error has occurred.

To troubleshoot this error condition, you need to determine what caused it by using the Event Viewer and then contact the vendor that created the Vdata protection application that uses VSS. Also, you should check that the VSS service is enabled.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Open Event Viewer and view events related to VSS requester applications.

To open Event Viewer and view events related to VSS requester applications:

1.Click Start, click Run, type eventvwr.msc, and then click OK. If the User Account Control dialog box appears, ensure that the action it displays is what you want, and then click Continue

2.In Event Viewer, expand Windows Logs, and then click Application.

3.To filter the events so that only events with a Source of VSS are shown, in the Actions pane, click Filter Current Log. On the Filter tab, in the Event sources drop-down list, select the checkbox for VSS. Select other options as appropriate, and then click OK.

4.Click the Date and Time column heading to sort the events based on date and time.

5.Review the events that have a similar date and date as this event.

6.Click the related event, and then click Event Log Online Help at the bottom of the General tab.

7.Follow the instructions to resolve the error. If the error cannot be resolved, contact the vendor whose application caused the error. If the vendor is Microsoft, contact Microsoft Customer Service and Support. For more information, see http://go.microsoft.com/fwlink/?LinkId=102491. You should provide the entire event log message as it appears in the Event Viewer.

Check that the VSS service is enabled.

To check that the VSS service is enabled:

1.Click Start, point to Administrative Tools, and then click Services.

2.In the results pane, double-click Volume Shadow Copy.

3.Ensure that Startup type is set to Manual.

4.Click OK.

Verify.

To verify that the Volume Shadow Copy Service (VSS) is operating correctly, retry the previous VSS operation.

Handleiding 10 VPN server truuk voor fritzbox routers zonder bridgemode

Op Router: IPv4 DHCP Disabled. IPv6 DHCP Enabled

fritzbox Router: 192.168.178.1

Op Router: Exposed Host: 192.168.178.2

Op VPN SERVER:

192.168.178.2 (extern) + IPv6 + Externe DNS

192.168.178.5 (intern) + IPv6 + Interne DNS

Zet bij IGMP je externe nic op Router en je interne nic op Proxy.

Gebruik op lokale netwerk uitsluitend IPv4 anders loopt het door elkaar heen.