Category Archives: Active Directory

How To: Windows 2008R2 to 2012R2 upgrade for IIS Servers [CONFIRMED VALID UPGRADE]

How To: Upgrade from Windows 2008R2 to Windows 2012R2 running IIS and Windows Services

We’ve been tasked with upgrading all our 2008R2 Windows Servers to Windows 2012R2, because Microsoft ends support for Windows 2008R2 in January 2020. We performed this upgrade on all our non-prod servers first to iron out the issues with 2008 upgrades. I’ll post the errors I ran into once I gather them up, but once you have been through the steps, it’s VERY easy to upgrade if you follow these simple steps:

Read through this multiple times before you start. There are verification steps you should follow before you start.

2012R2 Upgrade Procedures:

  1. Verify your backup of your server. In a perfect world (which I live in), your 2008R2 will be a virtual machine running on VMware and the backups are automatic the evening before.
  2. Create a local administrator. This ensures that if the 2008 to 2012 upgrade doesn’t go well, or the server gets removed from the domain, you still have a local user that you’re confident works to get you into the server.
  3. Check the C: drive size of the computer. You will need to expand it to have roughly 40GB of free space for the upgrade.
  4. Check the system log and application logs for errors. You want a baseline of any errors already occurring on your system so you can tell which errors are due to the upgrade to Windows 2012 and which were pre-existing. Please don’t skip this step.
  5. Take a snapshot of your server. Yes, you have a backup but a snapshot will ensure that if you need to roll back from Windows 2012R2 back to Windows 2008R2, you can do it immediately. You also won’t have to bother your backup administrator either 🙂
  6. If your servers are part of a load balanced system, remove the server from traffic. Drain and halt it and verify no traffic is going to it. You should also verify that you can hit the server’s websites prior to doing the upgrade. We use HOSTS files for this and it works fairly well. Also, if you terminate SSL/TLS at the load balancer, add a VIP with the same SSL/TLS certificate on it so you can mimic production traffic. Many people try to hit their server directly, and if you’re terminating TLS in front of the server and passing traffic back on port 80, chances are your browser won’t allow this because of the HSTS your developers implemented. Here is a document explaining HSTS if you need to know more: https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
  7. Perform the upgrade to 2012R2. Depending on the server’s power (CPUs and memory) and how much data is on it, this upgrade will take around 2 – 5 hours to complete. Also, do this from the VMware console and NOT from RDP. I repeat… Do this from the VMware console and NOT from RDP. If you don’t understand why, you need to before you start this upgrade.
  8. Once the upgrade is complete, run updates over and over until all updates are installed. At this point, if .NET 4.8 isn’t installed, you will get lots of errors running Server Manager and IIS; things just won’t work correctly. This is to be expected.
  9. Perform POST installations of required software. These include:
    1. .NET 4.8 (Download from here: https://docs.microsoft.com/en-us/dotnet/framework/deployment/deployment-guide-for-developers)
    2. HTTP Platform Handler (Download from here: https://www.iis.net/downloads/microsoft/httpplatformhandler)
    3. .net-hosting 2.2.7 (if your sites use it) (Download from here: https://dotnet.microsoft.com/download/dotnet-core/2.2)
    4. URL Rewrite (Download from here: https://www.iis.net/downloads/microsoft/url-rewrite)
    5. Enable the SchUseStrongCrypto property in the Windows registry: if your server makes outbound TLS/SSL connections to APIs like UPS, PayPal, Braintree or any other site, you will need to force your .NET software to connect using TLS 1.1 or TLS 1.2. To do this, a simple registry entry needs to be added.
      1. Start Regedit and navigate to:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319
      2. Right click in the right pane and create a new DWORD (32-bit) value and name it SchUseStrongCrypto
      3. Enter a value of 1 in the data field with Hexadecimal selected. Click OK.
      4. Repeat steps 1-3 for the following WOW6432Node located here:
        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319
  10. Reboot the server
  11. Check system logs for new errors
  12. Check Application logs for new errors
  13. Verify IIS and Windows services are running
  14. Verify Domain membership is valid. If it isn’t, re-add it to the domain
  15. Perform smoke testing to your server. Again, if you’re load balanced, you would have created smoke vips on your load balancer to point to the new server. Use the HOSTS file entries to smoke test your server.
  16. Request end to end testing from your Software Quality Engineers or Test Engineers
  17. Check the size of your C: drive again. Make sure you’re not out of space
  18. If there are any servers that connect to this server via UNC or via APIs, you should consider rebooting them now. Also, check these servers for connection errors. We’ve seen servers that connect via \\server\share fail to connect until they are rebooted. Do this now!
  19. Once your verification is complete, swap the new server into your load balancer and pull out the others that haven’t been upgraded. Run and test for a few days.
  20. Remove snapshots when you’re comfortable
  21. Remove the Temporary Admin account that you created
  22. Rinse and Repeat
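Step 9.5 above (the SchUseStrongCrypto registry entries) as an added PowerShell example, not code from the original post: it writes the DWORD to both the 64-bit and the Wow6432Node .NET Framework 4.x keys named above and reads them back so you can confirm the change before rebooting. It assumes you run it in an elevated session on the upgraded server.

```powershell
# Added example (not from the original post): sets SchUseStrongCrypto=1 for the
# 64-bit and 32-bit .NET Framework 4.x keys, then verifies both values.
# Assumes an elevated PowerShell session; a missing key means that .NET view is not installed.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        Write-Warning "Registry key not found, skipping: $key"
        continue
    }
    # DWORD (32-bit) value 1 = .NET 4.x apps use strong crypto (TLS 1.1/1.2) by default
    New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify: every key that exists must now report SchUseStrongCrypto = 1
foreach ($key in $keys) {
    if (Test-Path $key) {
        $value  = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue).SchUseStrongCrypto
        $status = if ($value -eq 1) { 'OK     ' } else { 'NOT SET' }
        Write-Output "$status $key  SchUseStrongCrypto=$value"
    }
}

# The setting is read when a .NET process starts, so this PowerShell session still
# shows the protocols it started with; a new process (or a reboot) picks up the change.
Write-Output "Default .NET protocols in THIS process: $([System.Net.ServicePointManager]::SecurityProtocol)"
```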

Conclusion:

I’ve performed this upgrade process from Windows 2008R2 to Windows 2012 many times, and these steps are the gold standard for upgrading a server that is running IIS and Windows Services. Make sure you have a roll back plan and perform that roll back on your development servers FIRST. So: upgrade, test, roll back. Then upgrade again.

How to set screen saver lock screen local policy on a non domain server

After being tasked to set up a screen saver password or a lock screen for inactivity on servers that are not joined to a domain, I decided to post this so it’s easier to find when others are searching for this.

To be PCI compliant, this is a requirement for any servers that are in-scope for your payment system.

For Microsoft Windows 2008 and 2012, it is easy to do but you have to set all three settings below for it to become active. This will enable a screen saver policy that locks your screen after a set time of inactivity. For PCI controlled servers, this is a requirement and must be less than 15 minutes.

This is easily done if the computer is part of an Active Directory domain but not as easily done if they are members of a workgroup.

How to Set the Screen Saver Lock Screen

The procedure is to open MMC and add the Local Computer Policy snap-in. To do this, click the Windows button and simply type MMC. On Windows 2012, select MMC (mmc.exe) and not the Embedded Lockdown Manager.

Then navigate to User Configuration >> Administrative Templates >> Control Panel >> Personalization (as seen in the graphic I’ve attached).

Set the following settings:
Enable screen saver: Enabled
Password protect the screen saver: Enabled
Screen saver timeout: Enabled with a value of 600 (seconds)

No need to reboot. Just log out and back in and the setting will be applied. Then wait 10 minutes to verify that your screen locks.

Here is a graphic of what needs to be set:

How to set a local policy to activate the lock screen on servers.
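The three settings above are applied to the user hive under the Policies branch of the registry. As an added PowerShell example, not part of the original post, this audits the effective values right away instead of waiting ten minutes, reporting whether the lock meets the 15-minute PCI limit, and can write the same three values for the current user. It assumes the standard mapping of these Personalization policies to the ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut string values.

```powershell
# Added example (not from the original post). Audits the effective screen saver lock
# settings for the current user and can write the policy values for that user.
# Assumption: the Personalization policies map to these REG_SZ values.
$PolicyKey     = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$PrefKey       = 'HKCU:\Control Panel\Desktop'
$PciMaxSeconds = 900   # PCI: screen must lock within 15 minutes of inactivity

function Get-DesktopValue([string]$Name) {
    # The policy value wins over the user's own preference, as Windows applies it
    foreach ($key in @($PolicyKey, $PrefKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.$Name }
    }
    return $null
}

function Test-ScreenSaverLockPolicy {
    $active  = Get-DesktopValue 'ScreenSaveActive'
    $secure  = Get-DesktopValue 'ScreenSaverIsSecure'
    $timeout = Get-DesktopValue 'ScreenSaveTimeOut'
    $timeoutSeconds = 0
    [void][int]::TryParse($timeout, [ref]$timeoutSeconds)   # missing or junk value counts as 0
    [pscustomobject]@{
        ScreenSaverEnabled = ($active -eq '1')
        PasswordProtected  = ($secure -eq '1')
        TimeoutSeconds     = $timeoutSeconds
        Compliant          = ($active -eq '1') -and ($secure -eq '1') -and
                             ($timeoutSeconds -gt 0) -and ($timeoutSeconds -le $PciMaxSeconds)
    }
}

function Set-ScreenSaverLockPolicy([int]$TimeoutSeconds = 600) {
    # Writes the policy values for the CURRENT user only; the MMC procedure above
    # applies to every user who logs on to the machine, so use that for the real fix.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -PropertyType String -Value '1' -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -PropertyType String -Value '1' -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -PropertyType String -Value "$TimeoutSeconds" -Force | Out-Null
}

# Audit the logged-on user; run after logging out and back in following the MMC steps
Test-ScreenSaverLockPolicy | Format-List
```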

How to add a AD CA certificate to Windows 2012 RDP for PCI compliance

For PCI compliance, a requirement is that RDP on port 3389 connects with TLSv1.1 or TLSv1.2 and that the certificate carries the same name as the server. Most servers use a self-signed certificate, which is not acceptable for PCI compliance.

To fix this, you have to re-issue new certificates from a trusted CA. You should use an internal CA within your company to avoid the cost of purchasing and maintaining certificates for RDP services.

How to issue and import a certificate:

Issue a certificate from your Root CA. You can go through the process I’ve outlined to create a certificate using OpenSSL

Import the certificate to the store using MMC and add the Certificates snapin

Move the Root and Intermediate to the correct store

Get the SHA1 thumbprint of the certificate: open the certificate, go to the “Details” tab, scroll down to just below “Thumbprint algorithm” and select “Thumbprint”.
Highlight the thumbprint.
Copy the thumbprint into a command shell and remove the spaces and the hidden character at the beginning.

Put the thumbprint in this command and run it on the server

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<EnterSHA1ThumbprintHere>"

Restart Remote Desktop Services. Note: this will disconnect you from your RDP session.

Log back in and you should not be prompted.

Retest by scanning your computer with Nessus or another approved scanning software.
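The same binding done from PowerShell, as an added example that is not part of the original post: it looks the certificate up in the local machine store by the server’s name, takes the thumbprint from the certificate object (so the spaces and the hidden leading character from the dialog never reach the command), sets the same Win32_TSGeneralSetting property the wmic command above sets, and reads the listener back to confirm. It assumes the CA-issued certificate and its private key are already imported into LocalMachine\My and that its subject CN is the server’s FQDN.

```powershell
# Added example (not from the original post): bind the CA-issued certificate to the
# RDP-Tcp listener and verify it. Assumes the cert is in LocalMachine\My with its
# private key and that its subject CN equals this server's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Newest unexpired certificate with a private key whose subject CN is this server
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.Subject -match "CN=$([regex]::Escape($fqdn))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $fqdn found in LocalMachine\My" }

# The object's Thumbprint is already a bare 40-character hex string
$thumbprint = $cert.Thumbprint
if ($thumbprint -notmatch '^[0-9A-Fa-f]{40}$') { throw "Unexpected thumbprint format: $thumbprint" }

# Same WMI class and property as the wmic command, scoped to the RDP-Tcp listener
$ns  = 'root\cimv2\TerminalServices'
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $rdp.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumbprint } | Out-Null

# Verify: re-read the listener; SecurityLayer 2 means TLS/SSL is required (0 = RDP, 1 = negotiate)
$after = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($after.SSLCertificateSHA1Hash -ieq $thumbprint) {
    Write-Output "RDP-Tcp now uses $($cert.Subject) [$thumbprint], SecurityLayer=$($after.SecurityLayer)"
} else {
    throw "Thumbprint did not apply: listener reports $($after.SSLCertificateSHA1Hash)"
}
# If the listener keeps serving the self-signed cert after a restart, check that
# NETWORK SERVICE can read the certificate's private key.
# Restart-Service TermService -Force   # as noted above, this drops your RDP session
```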

PowerShell How To: Find all users where account is inactive

I was recently asked to find all the users in Active Directory whose account was inactive.

There is a PowerShell cmdlet called Search-ADAccount that you can use to find inactive accounts by using the parameter -AccountInactive.

This is kind of crude but works well. I couldn’t figure out how to get the headers into the csv so I simply did a write-output for the first section.

#######################
# Ed Rockwell
# Free to use
# Version 1.0
# 8/7/2017
#######################
Import-Module ActiveDirectory   # Search-ADAccount comes from the RSAT AD module

$time = 90 # Days since last login
# Get all user accounts whose last logon is older than $time days (pass a real TimeSpan, not a bare integer)
$users = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $time)
$path = "C:\Powershell\AccountInactive" # Where to write file
$csv  = "$path\users.csv"

# File Name (create the folder if needed and start with an empty file each run)
New-Item -Path $path -ItemType Directory -Force | Out-Null
New-Item -Path $csv -ItemType File -Force | Out-Null

# Set the header of csv (Change this if you add to the write-output below)
Write-Output "SamAccountName,Enabled,PasswordExpired,LastLogonDate,OU Location" | Add-Content -Path $csv

# Find users, skipping the containers we don't report on
foreach ($user in $users) {
    if ($user.DistinguishedName -notmatch 'OU=Disabled Users' -and
        $user.DistinguishedName -notmatch 'OU=Service Accounts' -and
        $user.DistinguishedName -notmatch 'CN=Microsoft Exchange System Objects') {
        # Second RDN of the DN is the parent container (a CN with an escaped comma would shift this)
        $DN = $user.DistinguishedName -split ','
        $container = $DN[1]
        Write-Output "$($user.SamAccountName),$($user.Enabled),$($user.PasswordExpired),$($user.LastLogonDate),$($container)" | Add-Content -Path $csv
    }
}