31 July 2013, 16:47

I'll briefly outline Windows Server 2008 R2 password recovery in a special context: the password has been saved by the RDP client but is forgotten or lost.

It can happen that we are still able to log in as an administrator, but cannot recover the password itself.

Here is the basic solution. Do take note that some data will be lost in the process (encrypted files, saved passwords, ...):

 

1. Log in using an administrator account

2. Create a second administrator account and password

3. Allow this second administrator account RDP access.

4. Log in using this new administrator account

5. Change the first administrator's password:

            Computer Management ) Local Users and Groups ) Users

            Right click on the first administrator account ) Set Password

 

WS11a.gif

 

 

Some data will be permanently unusable: encrypted files, web browser saved passwords, ...

To avoid this, a password recovery key needs to have been created beforehand.

Published by computer outlines - in Windows Server 2008 R2
31 July 2013, 10:18

We'll see here the Reverse DNS delegation mechanism in full detail, the practical Reverse DNS implementation, as well as the debugging techniques. Please be sure to have read the first two parts, as they lay down some basic principles: part1 part2. We'll only see some Reverse DNS specifics here.

 

WS10a

 

 

The Reverse DNS authority delegation

 

WS10b

 

The Reverse DNS authority delegation follows the IP address scope delegation. The IANA gives a scope of addresses to a RIR. This RIR hands a subset of this scope to an ISP or Tunnel Broker. Finally, the ISP / Tunnel Broker hands a sub-subset of that scope to the customer. (The scope portions depicted here are fictional and illustrative only):

 

WS10c

 

 

 

Reverse DNS Practical Delegation

 

In the case of a single public IP, either IPv4 or 'IPv6 WAN' (CPE WAN or IPv6 Tunnel Endpoint), the ISP/Tunnel Broker usually only allows settings through its management interface (web page).

 

In the case of a full scope (which is quite common with IPv6), the ISP/Tunnel Broker may allow external control of the Reverse DNS through a pair of DNS Servers. The requirements are the same as with domain zone delegation (link):

 

. 2 NS records in the ISP DNS Servers

. at least 1 glue record related to these 2 NS records at the ISP DNS Servers

. 2 network-topologically distinct DNS Servers with the same zone records:

      . 1 SOA record

      . 2 NS records

      . A or AAAA records for the Name Servers:

 

WS10d
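As an added illustration of the zone naming that follows from this delegation chain (example code written for this page, not the author's), the Python below computes the ip6.arpa / in-addr.arpa zone name for a prefix, the PTR owner name for one address, checks that an address's PTR actually falls inside the delegated zone, and lists the chain of reverse zones down to the customer. The /48 and the /12, /32, /48 boundaries are constructed, illustrative values, like the scope portions in the figures above; it refuses prefixes that do not sit on a nibble (IPv6) or octet (IPv4) boundary, since those cannot be delegated as a zone.

```python
import ipaddress

# Constructed values modelled on the /48 used on this blog; not a real allocation.
# The 12/32/48 boundaries are illustrative, like the figures' scope portions.
CUSTOMER_PREFIX = "2001:db8:4b17::/48"
ILLUSTRATIVE_CHAIN = (12, 32, 48)   # RIR-sized, ISP-sized, customer-sized


def reverse_zone(prefix):
    """Name of the reverse zone that must be delegated for one IP prefix.

    IPv6 reverse zones can only be cut on nibble (4-bit) boundaries and IPv4
    ones on octet (8-bit) boundaries, so other lengths are rejected rather
    than rounded: a /50 cannot receive its own ip6.arpa delegation.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 6:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse delegation needs a nibble boundary (/4, /8, ..., /64)")
        nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
        return ".".join(reversed(nibbles)) + ".ip6.arpa"
    if net.prefixlen % 8:
        raise ValueError("IPv4 reverse delegation needs an octet boundary (/8, /16, /24)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(address):
    """Owner name of the PTR record for one address, i.e. what 'nslookup <ip>' asks for."""
    return ipaddress.ip_address(address).reverse_pointer


def ptr_belongs_to(address, prefix):
    """True when the PTR name for `address` lies inside the reverse zone of `prefix`.

    Run this before adding a PTR record: if it is False, the record lives in
    the ISP's (or someone else's) zone and our delegated zone cannot serve it.
    """
    return ptr_name(address).endswith("." + reverse_zone(prefix))


def delegation_chain(prefix, lengths=ILLUSTRATIVE_CHAIN):
    """Reverse zones from the top of the tree down to the customer zone.

    Each entry is the zone one level of the IANA -> RIR -> ISP -> customer
    chain is responsible for; the customer's own zone is the last one.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    chain = []
    for length in lengths:
        if length > net.prefixlen:
            raise ValueError(f"/{length} is more specific than the customer prefix /{net.prefixlen}")
        parent = ipaddress.ip_network(f"{net.network_address}/{length}", strict=False)
        chain.append((length, reverse_zone(str(parent))))
    return chain


if __name__ == "__main__":
    for length, zone in delegation_chain(CUSTOMER_PREFIX):
        print(f"/{length:<3} {zone}")
    print(ptr_name("2001:db8:4b17:1::200"))
```

The last entry of `delegation_chain` is the zone whose NS and glue records the ISP / Tunnel Broker must hold for us, exactly as the list above describes.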

 

 

 

Reverse DNS NSLOOKUP verifications

 

 

 

( to be completed )

 

30 July 2013, 17:08

Here we'll see precisely and completely the domain name delegation mechanism: how to set up the domain NS records, how to set up public authoritative DNS Servers, and how to check NS records throughout the Internet DNS hierarchy. We'll focus especially on IPv6.

 

In common usage, NS (Name Server) and DNS Server have the same meaning, although the correct term is Name Server.

Likewise, domain name and zone have the same meaning, although the correct term is zone.

 

 

The Domain Name Authority Delegation

 

 

Here is the Domain Name authority chain :

 

WS9a.gif 

 

 

While granting authority over a domain name, access to the associated NS records is granted.
This access is granted by means of the NS records held in the TLD (top level domain). These NS records state which Name Servers are authoritative for this domain name.

Please notice that the Registrar is acting as a proxy: it is delegated the authority over the domain example.com in order to hand it to the customer. The customer has access to the TLD example.com NS settings through the registrar management page. The registrar is a proxy:

 

WS9b.gif

 

The other setting in the TLD records that is accessible to the customer is the glue records (A or AAAA records: resolution of the example.com DNS Servers' hostnames to IP addresses).

 

There are at least 2 authoritative DNS Servers for a zone (i.e. domain name or subdomain name): a primary Name Server (Master) and a secondary Name Server.

 

 

The DNS servers which are given authority over this example.com domain must comply with a set of rules. They are:

. 2 distinct DNS Servers (one primary and one secondary), located on topologically distinct networks (i.e. different origin autonomous systems in the BGP routing table)

. they each contain one SOA record, 2 NS records, and the A/AAAA records corresponding to the two NS records.

. the SOA record and NS records are identical throughout the zone (zone = domain name)

. at least 1 glue record must be in the TLD records

Here is the basic DNS Servers implementation :

 

WS9c

 

 

 

3 possibilities of DNS Servers Delegations

 

There are 3 possibilities for DNS Delegation :

 

1. Registrar hosted DNS :

 

In this case, the registrar hosts a DNS server that the customer has access to. Only one DNS server is represented here:

 

WS9d.gif

 

 

2. Third-party hosted DNS

In this case, the DNS hosting is performed by a third party. The NS records point to these third-party DNS servers.

Only one DNS server is represented here :

 

WS9e.gif

 

3. Locally hosted Public DNS Servers :

 

In this case, the DNS Servers are hosted locally. Only one DNS Server is represented here :

 

WS9f.gif

 

Here is the full Network Map, with the minimum 2 DNS Server set required :

 

WS9g.gif

 

 

 

 

A Public DNS Servers set Setup

 

 

 

A few notes:

There is one primary server and at least 1 secondary server.
The secondary servers automatically update from the primary server.
They all contain the same basic information:

. same SOA record
. same NS records
. same A or AAAA records for the NS records hostname resolution
. TCP and UDP port 53 must be accessible (DNS queries and server sync)

WS9g

 

 

Please note that all Name Servers have records that list all Name Servers for that zone (i.e. ns1 has both ns1 and ns2 NS records, and ns2 has both ns1 and ns2 NS records).



The SOA record


The SOA record states authoritative information about a DNS zone:

. primary name server
. e-mail of the domain admin
. zone serial number
. timers related to zone refresh.


Here is a typical SOA record:

example.com SOA 86400 ns1.example.com hostmaster.example.com
2013072004 3600 600 86400 3600

Here is the meaning:

[zone] SOA [TTL] [Primary NameServer] [E.mail of domain admin]
[Serial Number] [T1] [T2] [T3] [T4]


[zone] is the domain name (or subdomain)

[TTL] is the time to live of the zone records for outside DNS servers

[Primary NameServer] is the FQDN of the primary Name Server of the zone

[E.mail of domain admin] is noted with a dot instead of an '@'

[Serial Number] is an incremental number, increased at each change of the Primary NameServer's records. It tells the secondary Name Servers of the zone that the records have changed and that they should sync.
It is written in the form [Year][Month][Day][Number]

[T1] Refresh time: time before the Secondary Name Servers recheck the zone Serial Number (in seconds)
[T2] Retry time: time before a Secondary Name Server retries a zone transfer after a failed one (in seconds)
[T3] Expire time: time of failed zone transfers before a Secondary Name Server expires its zone file and stops answering queries (in seconds)
[T4] Minimum TTL: how long outside DNS servers should keep the zone data in their caches.
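To make the fields and the serial convention concrete, here is an added Python example (written for this page, not from the original post) that parses the record above into named fields, turns the admin mailbox back into an e-mail address, flags timer values that contradict each other (a retry longer than the refresh, or an expire that one missed refresh plus one failed retry would already exceed), and computes the next [Year][Month][Day][Number] serial while refusing to ever go backwards, since a smaller serial is silently ignored by the secondaries.

```python
from datetime import date

# Constructed SOA record in the layout of this post: apex, type, TTL, then the
# SOA fields (primary NS, admin mailbox, serial, refresh, retry, expire, minimum).
SOA_TEXT = """example.com SOA 86400 ns1.example.com hostmaster.example.com
2013072004 3600 600 86400 3600"""


def parse_soa(text):
    """Split an SOA record written in the post's layout into named fields."""
    tokens = text.split()
    if len(tokens) != 10 or tokens[1].upper() != "SOA":
        raise ValueError("expected: <zone> SOA <ttl> <primary> <mailbox> <serial> "
                         "<refresh> <retry> <expire> <minimum>")
    zone, _, ttl, primary, mailbox, serial, refresh, retry, expire, minimum = tokens
    return {
        "zone": zone, "ttl": int(ttl), "primary_ns": primary, "admin_mailbox": mailbox,
        "serial": int(serial), "refresh": int(refresh), "retry": int(retry),
        "expire": int(expire), "minimum": int(minimum),
    }


def admin_email(mailbox):
    """The SOA mailbox field as an address: its first dot stands for the '@'."""
    local, _, domain = mailbox.partition(".")
    return f"{local}@{domain}"


def timer_warnings(soa):
    """Consistency checks on [T1]..[T4]; an empty list means the timers make sense."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry (T2) should be shorter than refresh (T1)")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        # otherwise one missed refresh and one failed retry already expire the zone
        warnings.append("expire (T3) should be longer than refresh (T1) + retry (T2)")
    return warnings


def next_serial(current, today=None):
    """Next serial in the post's [Year][Month][Day][Number] form.

    Same day: bump the two-digit counter. New day: start again at 01. The
    serial must only ever grow, so a current value that is already past
    today's first serial is refused rather than replaced by a smaller number.
    `today` may be a date or an ISO 'YYYY-MM-DD' string; None means today.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    day_prefix = int(today.strftime("%Y%m%d"))
    if current // 100 == day_prefix:
        if current % 100 == 99:
            raise ValueError("99 changes already today: the day counter cannot grow further")
        return current + 1
    candidate = day_prefix * 100 + 1
    if candidate <= current:
        raise ValueError(f"current serial {current} is already past {candidate}; it must never decrease")
    return candidate


if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    print(soa)
    print(admin_email(soa["admin_mailbox"]), timer_warnings(soa))
    print(next_serial(soa["serial"], "2013-07-21"))
```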



NSLOOKUP and Name Servers Querries

To check the Name Server records, we can use the NSLOOKUP command.
It is especially useful to check the content of the TLD records, as well as differences between the TLD records and the authoritative Name Servers' records.

Let's check the example.com NS records:

nslookup -q=ns .

nslookup -q=ns com [root NS]

nslookup -q=ns example.com [com NS]



Explanation:

First, we query the NS records of the root zone:

nslookup -q=ns .

We get answered with a list of valid NS records. Let's call [root NS] one of these answers.

Then, we ask one of the returned root servers for the authoritative NS records of the .com TLD:

nslookup -q=ns com [root NS]

We get answered with a list of valid NS records for the .com TLD.
Let's call [com NS] one of these answers.

Finally, we query one of the returned .com name servers for the example.com NS records:

nslookup -q=ns example.com [com NS]

This is the complete sequence. A shorter, and less perfect one, might be:

nslookup -q=ns com
nslookup -q=ns example.com [com NS]

We can compare it with our local [NS] records, making a direct query to our own server:
nslookup -q=ns example.com [Primary Name Server IP]



27 July 2013, 15:52

The Internet is a great architecture, with two foundations: IP addresses and host names.
The way these two aspects connect may seem complex, but it is quite simple. Let's go through it in simple steps.

 

 

The IANA


The IANA (Internet Assigned Numbers Authority) oversees:
. the root zone of the DNS
. the global IP address allocation
. the Autonomous System number allocation

 

 

 

The IANA and the Domain Name authority delegation

 

From the root zone of the DNS, domain name authority is delegated downward by the IANA to the gTLD level (generic top level domain: .com, .net, .org, ...).

 

From the gTLD level, a domain name authority is delegated to a requesting registrar:
ex: example.com is delegated by the .com gTLD to the registrar;
the authority is then handed by the registrar to the customer.

Example of authority delegation of the example.com domain:

 

WS8a.gif

 

 

 

 

The IANA and the Reverse DNS authority delegation

 

DNS-wise, the IANA oversees the delegation of IP address pools to the RIRs (Regional Internet Registries: ARIN, RIPE NCC, APNIC, AFRINIC and LACNIC).

The authority over subsets of these IP address pools is then delegated to ISPs or Tunnel Brokers.

Lastly, the authority over a sub-subset IP address pool is delegated to the customer by the ISP or the Tunnel Broker.
Example of IP address authority delegation to a customer of the [G]:/48 IPv6 subnet:

 

WS8b

 

 

 

Here is the whole picture :

 

WS8c.gif

 

Of course, in the case of a customer of both the example.com domain and the [G]:/48 IPv6 subnet, there is only one customer (i.e. one box at the bottom of the picture), so the picture is actually this:

 

WS8d.gif

 

But it's important to outline the fact that the domain name authority delegation and the IP address pool authority delegation follow different paths.

 
Authority delegation from the Registrar to the Customer


First, a domain name is registered.

Having registered it, we have authority over this domain. This authority amounts to this:
we can set the NS records. The NS records specify which DNS Servers are responsible for a domain. We set up these NS records at the registrar's level (registrar's management web page for this domain name).
We have three options:


1. We leave them pointing to a name server hosted by the Registrar. We will then manage the example.com domain from the Registrar's management page. This is the default setup, and the most usual.

2. We set them up to point to a third-party hosted DNS server. There are free and non-free hosted DNS services on the Internet. We will manage our DNS records at this DNS host's management page.

3. We set them up to point to our own, locally hosted DNS servers. This is the rarest and least easy case to deal with. (See these posts for explanations about why a local authoritative DNS server is not the best choice: post 1 post 2 post 3)

On these DNS servers (at least 2 for redundancy), we will register different things:

. NS records: they refer to the DNS server itself. It is a confirmation. It says 'I AM responsible for this domain. There is no error here'.
. A and AAAA records: they reply with IP addresses to name queries
. PTR records: they reply with FQDNs to IP address queries
. MX records, CNAME records, other resource records, ...


 

Authority delegation from the ISP/Tunnel Broker to the Customer

At the ISP/Tunnel Broker level, we may get the reverse DNS delegation.
The ISP (or Tunnel Broker) also holds NS records. These NS records point to the Name Servers authoritative over an IP address or address scope.
Here too, we have three options:

1. We leave them pointing to a name server hosted by the ISP/Tunnel Broker. We manage the [G]:/48 IPv6 scope from the ISP/Tunnel Broker management page. This is the default setup, and the most usual.

2. We set them up to point to a third-party hosted DNS server. There are free and non-free hosted DNS services on the Internet. We manage our PTR (reverse DNS) records from there.

3. We set them up to point to our own, authoritative and locally hosted DNS servers. This is the rarest and least easy case to deal with. (See this post and the two following.)

This DNS server will only contain PTR records (Reverse DNS).

 

 

 

The Glue Record

In the case of a locally hosted authoritative Name Server, a question arises. Look at this sequence:

( Client ) :            Hello, I am from the outside world. What is the IP address of host1.example.com ?
( Registrar ) :         Ask ns1.example.com
( Client ) :            What is the IP address of ns1.example.com ?
( Registrar ) :         I don't know. Ask ns1.example.com ...

We're in a loop here! And the solution is the glue record. A glue record, located at the registrar's level, contains the IP address of the name server ns1.example.com. So this happens now:

( Client ) :            Hello, I am from the outside world. What is the IP address of host1.example.com ?
( Registrar ) :         Ask ns1.example.com. Its IP address is [IP]
( Client ) :            Hello [IP], what is the IP address of host1.example.com ?
( ns1.example.com ) :   host1.example.com is at [IP2]
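The loop above, the root-to-zone nslookup walk described in the 'NSLOOKUP and Name Servers Queries' section of the domain-delegation post, and the comparison of the TLD's NS records with the zone's own records can all be exercised on a small in-memory model. The following is example code added to this page (not the author's or any resolver's real code), with constructed servers, names and documentation addresses: it resolves host1.example.com iteratively from the root, fails with a 'glue loop' when the TLD holds no glue record, and reports any NS name on which the TLD and the authoritative server disagree, which is the mismatch the nslookup comparison is meant to catch.

```python
# Constructed model of the delegation chain: one root server, one .com server
# and the customer's own ns1.example.com. Names and addresses are made up
# (documentation ranges); nothing here contacts a real server.
ROOT = "2001:db8:1::53"
COM = "2001:db8:2::53"
NS1 = "2001:db8:4b17:1::53"   # inside the /48 used throughout this blog


def build_servers(with_glue=True, tld_ns=("ns1.example.com", "ns2.example.com")):
    """Records held by each server as (owner, type, rdata) tuples, keyed by server address."""
    com_records = [("example.com", "NS", ns) for ns in tld_ns]
    if with_glue:
        com_records.append(("ns1.example.com", "AAAA", NS1))   # the glue record
    return {
        ROOT: [("com", "NS", "ns.com-tld.test"), ("ns.com-tld.test", "AAAA", COM)],
        COM: com_records,
        NS1: [
            ("example.com", "SOA", "ns1.example.com hostmaster.example.com 2013072004 3600 600 86400 3600"),
            ("example.com", "NS", "ns1.example.com"),
            ("example.com", "NS", "ns2.example.com"),
            ("ns1.example.com", "AAAA", NS1),
            ("ns2.example.com", "AAAA", "2001:db8:5::53"),
            ("host1.example.com", "AAAA", "2001:db8:4b17:1::10"),
        ],
    }


def query(servers, server, name, rtype):
    """One question to one server: (answers, referral NS names, glue addresses)."""
    records = servers[server]
    answers = [r for o, t, r in records if o == name and t == rtype]
    if answers:
        return answers, [], {}
    labels = name.split(".")
    for i in range(len(labels)):                 # closest enclosing delegation
        zone = ".".join(labels[i:])
        ns = [r for o, t, r in records if o == zone and t == "NS"]
        if ns:
            glue = {o: r for o, t, r in records if t == "AAAA" and o in ns}
            return [], ns, glue
    return [], [], {}


def resolve(servers, name, rtype, depth=0, trace=None):
    """Iterative resolution from the root, following referrals like the manual nslookup walk."""
    trace = [] if trace is None else trace
    server = ROOT
    for _ in range(10):                          # referral limit
        answers, referral, glue = query(servers, server, name, rtype)
        trace.append((server, name, rtype))
        if answers:
            return answers, trace
        if not referral:
            raise LookupError(f"{server} has neither an answer nor a referral for {name}")
        target = next((glue[ns] for ns in referral if ns in glue), None)
        if target is None:                       # no glue: look up the name server's own address
            if depth >= 3:
                raise LookupError(f"glue loop: {referral[0]} is needed to find its own address")
            target = resolve(servers, referral[0], "AAAA", depth + 1, trace)[0][0]
        server = target
    raise LookupError("too many referrals")


def needs_glue(servers, name="host1.example.com"):
    """True when resolution of `name` fails only because the TLD holds no glue record."""
    try:
        resolve(servers, name, "AAAA")
        return False
    except LookupError as err:
        return "glue loop" in str(err)


def delegation_mismatch(servers, zone="example.com"):
    """NS names on which the TLD and the zone's own server disagree (empty = consistent)."""
    tld = set(query(servers, COM, zone, "NS")[0])
    auth = set(query(servers, NS1, zone, "NS")[0])
    return sorted(tld ^ auth)


if __name__ == "__main__":
    servers = build_servers()
    answers, trace = resolve(servers, "host1.example.com", "AAAA")
    for server, qname, qtype in trace:
        print(f"asked {server} for {qname} {qtype}")
    print("answer:", answers, "| needs glue:", needs_glue(build_servers(with_glue=False)))
```

The trace printed by the block is the same three hops the post drives by hand with nslookup (root, then a .com server, then the zone's own server); `delegation_mismatch` is the programmatic form of comparing the `[com NS]` answer with the direct query to the primary.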

 

 

 

A few more notes

In the case of IPv4, you probably have only one public IPv4 address, so delegation is useless. You may possibly be able to customize this Reverse DNS record at the ISP admin page.

In the case of IPv6, things get more complex. The endpoint IPv6 address (CPE WAN IP address, or IPv6 tunnel endpoint) is managed the same way as the IPv4 public IP: it is at the ISP (or tunnel broker) level. You may be able to customise it.

The subnet (/64 or /48, for example) IPv6 addresses' reverse DNS may be delegated, depending on the ISP. Hurricane Electric allows Reverse DNS delegation of /64 or /48 IPv6 subnets. To have the subnet Reverse DNS delegated, you fill in two NS records at the ISP/Tunnel Broker admin page, pointing to our DNS Server (either hosted or local).

The benefit of managing PTR records is that your reverse DNS records are reachable from the outside, which is necessary in some situations (for managing an internal mail server: it's a security feature).

Usually, we don't need locally delegated DNS authority, so we keep:

DNS Server at the registrar level, or using a third-party DNS hosting.
rDNS (Reverse DNS) authority at the ISP level, or using a third-party DNS hosting.

Please notice that DNS delegation and rDNS delegation are separate things. We can get one delegated, and leave the other to its originating authority (Registrar or ISP/Tunnel Broker respectively).
Notice too that, as they follow different authority paths and apply to different fields, we can use distinct third-party hosted DNS servers for the domain name and for the ISP/Tunnel Broker reverse zone (i.e. different NS records at the Registrar's and at the ISP/Tunnel Broker's level).

A good option for full DNS authority delegation is to use a hosted DNS. We then get the benefits of full DNS Server control, without the burdens (managing physical and IT security: server redundancy, DNS flooding and poisoning issues, ...).

All said and understood, the easiest and most logical way of doing things is to have a locally authoritative DNS server for the private subnets, and to use the Registrar DNS and the ISP/Tunnel Broker rDNS for public access services (Web Server, FTP Server, ...).




25 July 2013, 16:42

We'll see here how to set up a lightweight mail server (hMailServer) with public access. We'll see the networking and DNS setup, with a special focus on IPv6. I'm installing hMailServer on Windows Server 2008 R2, but hMailServer works with any Windows OS (client or server).
Here is the network map:

WS7b.gif

hMailServer can't provide both IPv4 and IPv6 service, so here we'll only see an IPv6 setup.
hMailServer doesn't support STARTTLS, but it does support SSL/TLS. As we don't want to use plain-text login (no encryption of the password exchange, no encryption of the mail exchanges), which is totally insecure, we'll use SSL/TLS.

 

The previous post is about creating a self-signed SSL certificate; it takes just 15 minutes to install the software and generate the certificate/private key pair: How to create a self-signed SSL certificate

 

We'll be using a self-signed certificate, so we'll have to use temporary or permanent exceptions when there are Thunderbird or Antivirus warnings.

 

 

hMailServer installation and setup

hMailServer is very easy to install, leaving the default options. A password is created to access the management interface.

Once installed, we log into the management interface, and first add a domain:

 

WS7a.gif

 

We add the domain example.com.

(The Names tab is optional: it creates an alias for a dual internal/external domain and login, like an example.net/example.com network design. We can add the name example.net here:

  WS7f.gif)

 

We then add e.mail accounts :

 

WS7e.gif

 

( accounts : add )




We have to set up the server IP/port service bindings:

SMTP                 2001:db8:4b17:1::200          port : 465
POP3                 2001:db8:4b17:1::200          port : 995

WS7r.gif

 

WS7q.gif

 

 

We set hMailServer's own IP (::1):

 

WS7t.gif

 

We next have to change the allowed client IP address range, to allow IPv6:

0:0:0:0:0:0:0:0        FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

 

WS7p.gif

 

 

(This is an allow-all, so the Mail Server is accessible by anybody on the Internet. To limit the Mail Server's use to our /48 subnet hosts only, we can narrow it down to 2001:db8:4b17:2:0:0:0:0 - 2001:db8:4b17:ffff:ffff:ffff:ffff:ffff:

WS7o.gif)
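To see what such a lower/upper range actually admits before relying on it, here is an added Python check (example code for this page, not hMailServer's; the two ranges are the ones quoted above and the /48 is the one used throughout this post). It tests addresses against a range, turns the range into the equivalent CIDR blocks so it can be compared with the gateway firewall rules, and lists the part of the /48 that a range leaves out; for the narrowed range that is the first two /64s, including the server's own 2001:db8:4b17:1::/64, which matters if clients on that subnet are expected to connect.

```python
import ipaddress

# The two ranges quoted in this post, as hMailServer takes them (lower, upper).
ALLOW_ALL = ("0:0:0:0:0:0:0:0", "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF")
SUBNET_ONLY = ("2001:db8:4b17:2:0:0:0:0", "2001:db8:4b17:ffff:ffff:ffff:ffff:ffff")
CUSTOMER_PREFIX = "2001:db8:4b17::/48"   # the /48 the post wants to restrict access to


def in_range(address, lower, upper):
    """True when `address` lies between the bounds, inclusive. A v4 address never matches a v6 range."""
    addr = ipaddress.ip_address(address)
    lo, hi = ipaddress.ip_address(lower), ipaddress.ip_address(upper)
    if not (addr.version == lo.version == hi.version):
        return False
    return lo <= addr <= hi


def as_cidr_blocks(lower, upper):
    """The CIDR prefixes equivalent to a lower/upper range, to compare with firewall rules."""
    lo, hi = ipaddress.ip_address(lower), ipaddress.ip_address(upper)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def left_out(prefix, lower, upper):
    """Part of `prefix` the range does not admit, as CIDR blocks (empty = whole prefix covered)."""
    net = ipaddress.ip_network(prefix)
    lo, hi = ipaddress.ip_address(lower), ipaddress.ip_address(upper)
    if lo > net[-1] or hi < net[0]:              # range and prefix do not overlap at all
        return [str(net)]
    gaps = []
    if lo > net[0]:                              # addresses below the lower bound
        gaps += ipaddress.summarize_address_range(net[0], lo - 1)
    if hi < net[-1]:                             # addresses above the upper bound
        gaps += ipaddress.summarize_address_range(hi + 1, net[-1])
    return [str(g) for g in gaps]


if __name__ == "__main__":
    for label, bounds in (("allow-all", ALLOW_ALL), ("subnet-only", SUBNET_ONLY)):
        print(label, "=", as_cidr_blocks(*bounds))
        print("  mail server itself admitted:", in_range("2001:db8:4b17:1::200", *bounds))
        print("  part of the /48 left out:", left_out(CUSTOMER_PREFIX, *bounds))
```

A lower/upper range that starts at :2:: is not the /48 itself but fifteen separate CIDR blocks; listing them is the quickest way to check that the gateway's IPv6 firewall rule and hMailServer's range describe the same hosts.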


We enable logging (useful at the beginning, for troubleshooting):

 

WS7s.gif

 

We finally copy our SSL private key / public certificate into the folder:

 

C:\Program Files (x86)\hMailServer\Externals\CA\

 

and add these certificates in the hMailServer management interface:

 

WS7k.gif

 

WS7l.gif

 

We're done with the hMailServer setup for now. We'll see the SPAM prevention further down this post.

 

 

Windows OS and Network Routers Firewall settings

 

 

We have to create two incoming rules in our Windows OS Firewall, using the Advanced Firewall :

 

WS7h.gif

 

 

We also have to create the same incoming rules in our Internet Gateway's IPv6 Firewall:

 

WS7u.gif

 

The :: is an 'allow-all'.

 

 

Mail Clients setup

 

Using Thunderbird, the client configuration is very easy and straightforward.

We just add a new account using these settings:

WS7n.gif

The username has to be the full something@example.com for the login to work. Here are the POP3 and SMTP settings for reference:

 

WS7i.gif

 

WS7j.gif

 

And we're done with the Email Client setup

 

 

DNS Setup

 

For our hMailServer to be accessible from the outside, we need to have it registered in the Internet DNS.

We have to create two AAAA records:

2001:db8:4b17:1::200                      pop3.example.com

2001:db8:4b17:1::200                      smtp.example.com

We also have to create an MX record (Mail Exchange record) pointing to our SMTP server:

smtp.example.com                           preference=1

Why do we need an MX record? Because someone mailing john@example.com doesn't know what the example.com Mail Server's FQDN or IP address is. So they first query the example.com domain for an MX record, which returns smtp.example.com.

They can then make a DNS query for smtp.example.com to get its IP.

 

So we have to make these three DNS records, at our registrar's level :

 

WS7d.gif

 

(For why we do it at the registrar's level, see these posts on this blog: post1 post2 post3)

 

We have to wait for the DNS changes to propagate, checking with:

nslookup pop3.example.com

nslookup smtp.example.com

until we get the right answer (i.e. 2001:db8:4b17:1::200 here).

 

 

Reverse DNS for inter-domain mail exchanges

 

If we want our hMailServer to be able to exchange mail with Mail Servers from other domains (ISP webmails, etc.), we need a working reverse DNS to smtp.example.com: this is a security feature.

For this, we have to make a PTR record (i.e. a Reverse DNS record) at the ISP / Tunnel Broker level. Not all ISPs allow this, or allow the reverse DNS to be delegated. The network / DNS map then looks like this:

 

WS7m.gif

 

To test that reverse DNS works, type:

nslookup 2001:db8:4b17:1::200

You should get smtp.example.com as the answer.

Please make sure to read the last part of this post, about SPAM prevention settings, for a working inter-domain mail exchange, with example.com e-mails being accepted by other domains' mail servers.

 

 

SPAM prevention settings

 

We want our hMailServer to be protected from outside SPAM, and we want other domains' Mail Servers to accept our e-mails as legitimate. Here is how we do this:

To prevent our hMailServer from receiving SPAM, we can tick 'Use SPF' and 'Check that sender has DNS-MX records':

 

WS7v.gif

This provides a basic SPAM prevention.

 

To have other domains' Mail Servers accept our e-mails as legitimate, we need:

. a DNS-MX record

. a working reverse DNS of our server's IPv6 address pointing to smtp.example.com

. a DNS-SPF record.

The first two have been explained higher up in this post, so we just have the DNS-SPF record left to see.

SPF (Sender Policy Framework) is a DNS record aimed at preventing the use of spoofed domain names by SPAM.

It is registered in the domain name's DNS (example.com in this case) and states which Mail Servers are to be considered as validly acting in the name of this domain (example.com here).

 

Let's say our hMailServer receives an e-mail written by john@example.com and sent to tim@example.org:

the example.com Mail Server contacts the example.org Mail Server;

the example.org Mail Server checks for an example.com SPF record in the Internet DNS;

if an SPF record is found, the example.org Mail Server checks whether there is a valid entry for the example.com Mail Server's IP address in the SPF record;

if so, the example.com Mail Server is considered valid, and the e-mail is accepted by the example.org Mail Server.

 

Here are some basic SPF records:

record :                          example.com in spf "v=spf1 -all"

effect :                            no mail should be accepted by other domains' Mail Servers

record :                          example.com in spf "v=spf1 ip6:2001:db8:4b17:1::200/128 -all"

effect :                            only mail originating from IP address 2001:db8:4b17:1::200 should be accepted by other domains' Mail Servers

 

Here is the network / DNS map using the second example:

 

WS7w.gif

 

A few more notes about SPF records:

1. Historically, a TXT record was used before the SPF record type was specified in an RFC. Some Mail Servers still check for TXT 'SPF' records, so the best practice is to register both a TXT and an SPF record. Ex:

example.com in txt "v=spf1 ip6:2001:db8:4b17:1::200/128 -all"

example.com in spf "v=spf1 ip6:2001:db8:4b17:1::200/128 -all"

2. The SPF record syntax is quite subtle. Please see www.openspf.org/SPF_Record_Syntax for complete details.

As an example: the SPF record can refer to FQDNs or MX records instead of plain IP addresses for more flexibility; they will get resolved to IP addresses.

Or you can state a looser policy explicitly.

3. Registering the TXT 'SPF' and SPF records prevents our domain name from being spoofed, and thus from being considered dubious and blacklisted by other domains' Mail Servers.

4. There are some scripted SPF record generation tools on the Internet. Microsoft's one is interesting. Just google 'Sender ID Framework SPF Record Wizard'.
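An added example of how the receiving side evaluates records like those above (written for this page; not hMailServer's or the author's code): a minimal SPF checker for the ip4:, ip6: and all mechanisms with the four qualifiers (+ pass, - fail, ~ softfail, ? neutral), run against a constructed record set in which only example.com's policy comes from the post. Mechanisms that need further DNS lookups (a, mx, include, ...) are reported as unsupported rather than guessed, and a record that is not an SPF version 1 record yields permerror, the outcome a real receiver gives a syntactically broken policy.

```python
import ipaddress

# Constructed SPF policies in the shape shown above; only example.com's is from the post.
SPF_RECORDS = {
    "example.com": "v=spf1 ip6:2001:db8:4b17:1::200/128 -all",
    "example.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:4b17:1::200/128 ~all",
    "example.org": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SUPPORTED = ("ip4", "ip6", "all")


def lookup_spf(domain, records=SPF_RECORDS):
    """Stand-in for the TXT/SPF query the receiving server makes for the sender's domain."""
    return records.get(domain.lower())


def check_spf(sender_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate the domain's SPF policy for the connecting IP.

    Returns pass / fail / softfail / neutral (the first matching mechanism
    wins), none (no record), permerror (unparsable record or address) or
    unsupported (a mechanism such as a/mx/include needing DNS lookups this
    example does not perform).
    """
    record = lookup_spf(mail_from_domain, records)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                          # a bare mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech not in SUPPORTED:
            return "unsupported"
        if mech == "all":
            return QUALIFIERS[qualifier]
        try:
            net = ipaddress.ip_network(arg, strict=False)   # "ip4:192.0.2.7" means /32
        except ValueError:
            return "permerror"
        if net.version == ip.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                             # nothing matched and no 'all' term


def receiver_action(result):
    """What the sending side can expect at the far end, in this post's terms."""
    return {
        "pass": "accepted",
        "fail": "rejected",
        "softfail": "accepted but marked suspicious",
    }.get(result, "left to the receiver's other checks")


if __name__ == "__main__":
    for ip, domain in (("2001:db8:4b17:1::200", "example.com"),
                       ("2001:db8:4b17:1::201", "example.com"),
                       ("192.0.2.7", "example.net")):
        result = check_spf(ip, domain)
        print(f"{ip:>22} claiming {domain}: {result} -> {receiver_action(result)}")
```

With the post's own record, mail from 2001:db8:4b17:1::200 passes and mail from any other address claiming example.com fails, which is the spoofing protection the notes above describe.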

 

 

hMailServer tips

 

E-mail folder location:

C:\Program Files (x86)\hMailServer\Data

Client mail message deletion:

If the Thunderbird settings are right, deleted messages are deleted on the server at the next POP3/SMTP request.

To clear all messages of an account on the server:

hMailServer Manager ) account ) advanced ) empty account

To screen a particular port's communication using Wireshark, type in the filter box:

tcp.port eq 995        filters tcp port 995
tcp.port eq 465        filters tcp port 465

 

25 July 2013, 16:21

We're going to see here how to create a self-signed SSL certificate, so that we can use it for various tasks (Remote Desktop Connection, Web Server, E-mail Server, etc.).

We will use OpenSSL for this task. I'll explain the software installation and the certificate creation tasks using a Windows 7 x64 OS.

As it is self-signed, the certificate is cryptographically strong (AES256 / RSA4096), but since no certificate authority vouches for it, it can be compromised by a high-grade attack (needing either physical access to the server or a man-in-the-middle attack).
So purchasing a real CA-issued certificate may be a good professional choice, if such a level of attack is to be feared.


Installing OpenSSL

If you don't want to build OpenSSL yourself, there are some ready-made binaries.
I use this one:

http://www.slproweb.com/products/Win32OpenSSL.html

which is linked from the official www.openssl.org web page.

For a little peace of mind, a VirusTotal scan is possible.

We only need the Light version, and it has an installer.
The latest version for x64 is Win64OpenSSL_Light-1_0_1e at the time of this writing.
We probably need the Visual C++ 2008 Redistributable too, so we get it as well; the link is on the same web page (vcredist_x64 here).

If you get a warning trying to install OpenSSL, first install the 2008 Redistributable.



Creating a certificate and private key with OpenSSL


We launch the command line with admin rights.

We navigate to the OpenSSL bin folder (likely C:\OpenSSL-Win64\bin\).

We generate the private key; type:

openssl genrsa -des3 -out certificate.key 4096

Take good note of your passphrase (let's call it [passphrase1]).

We create the Certificate Signing Request; type:

openssl req -new -key certificate.key -out certificate.csr

The first prompt asks for [passphrase1].

We create the certificate; type:

openssl x509 -req -days 365 -in certificate.csr -signkey certificate.key -out certificate.crt

The first prompt asks for [passphrase1].

If we want to remove the password from the private key, type:

openssl rsa -in certificate.key -out certificate.key

(the password asked for is [passphrase1])

We can now go to the \OpenSSL-Win64\bin\ folder and get:

the certificate (certificate.crt)
the private key (certificate.key)




We're using self-signed certificates, so software and antivirus products will rightly try to stop us from using them. So we have to use temporary or permanent exceptions to deal with this.

23 July 2013, 14:49

We'll see here how to set up a publicly accessible Web Server using Windows Server 2008 R2, the network settings, and DNS issues, with a special focus on IPv6.

Our web server will have the GUA 2001:db8:4b17:2::200 for this example.
Here is the network map:

 

WS6a.gif

 

 

 

Web Server Installation

 

First, we add the Server Role in the Server Manager :

 

WS6c.gif

 

Add Roles ) Web Server ( IIS ) :

 

WS6d.gif

 

We can leave all the default options.

The Server Manager automatically creates an inbound rule for HTTP (TCP port 80) on the Server:

 

WS6e.gif

 

 

 

We can test the default website from our client PC (PC1), typing its IPv6 address in brackets in the browser:

 

WS6n.gif 

 

 

 

FQDN Resolution

Here we want our web server to be accessible by its FQDN (www.example.com). There are 4 options here:

1. Use our hosts file:

                                        . not very convenient

                                        . no public name resolution

2. Use a local DNS Server not authoritative on the Internet:

                                        . no public name resolution

3. Use a local DNS Server authoritative on the Internet:

                                        . too heavy a daily management task, not suited (see previous posts)

4. Use our registrar of example.com, and add an A and an AAAA record:

                                        . light task, suited

                                        . public name resolution

The last choice is what we want to do. This way, the admin task is light, public access to our web server is possible thanks to its FQDN being resolved on the Internet, and our local network PCs can resolve its name by a regular DNS query out to the Internet (DNS query forwarding in our local DNS Server). (More info here: Domain name choice and design for DNS and Active Directory setup)

The network / DNS map then looks like this:

 

WS6b.gif


We just have to log in to our registrar's web admin page:

. we clean any A, AAAA, or CNAME record referring to www.example.com

. we add A and AAAA records for the host www.example.com:

A record :             www.example.com                 [ Public IPv4 Address ]
AAAA record :      www.example.com                 [ Web server IPv6 address ]

We just have to wait a little while for the changes to propagate in the DNS servers of the Internet, until we can check that the name resolution is right:

nslookup www.example.com

 

 

 

Internet Gateway setup

 

We have to set up port forwarding at our Internet Gateway, to forward port 80 (HTTP) to the private IPv4 address of our Web Server, if we want the Web Server to be reachable over IPv4.

We also have to create an IPv6 firewall rule, so as to allow IPv6 port 80 through the IPv6 Firewall:

 

WS6m.gif

 

 

 

Web Server websites management

 

The default website is at:
C:\inetpub\wwwroot\

Using the Server Manager's IIS Manager, we can add websites and manage them, their listening IPs and their listening ports.

Remember that an [IP address/port] combination can be used by only one website.

As an example, to add a site:

 

WS6f.gif

 

To stop a website :

 

WS6k.gif

 

To edit a website's bindings (IP / port combination):

 

WS6g.gif

 

 

WS6h.gif

 

21 July 2013, 10:42

We'll see here the essentials of Windows Server 2008 R2 System Backup and Restore.

 

 

Adding the Server Backup Feature

 

First, we need to add the Windows Server Backup Feature :

 

Server Manager ) Add Features ) Windows Server Backup Features (including both subordinate items: Windows Server Backup, Command-line Tools)

 

 

 

 

Doing a Full Server Backup

 

The Full Server Backup is performed using Administrative Tools ) Windows Server Backup :

 

WS5a.gif

 

Then, we can do a first backup of our server, to either a local HDD or a Network Share. Of course, in the case of a local HDD, as we're doing a full server backup, that local HDD has to be excluded from the backup.

 

WS5b.gif

 

 

WS5c.gif

 

 

The Server Backup Feature offers many backup types, options, and fine-grained selection. Here we want to perform a System Backup, so we choose ' Full Server Backup '. It's a complete server image, i.e. like a Norton Ghost image.

 

 

 

Doing a Full Server Restore

 

To perform a Full Server Restore, we need to boot with the Windows Recovery Environment. It can be done either by :

 

. using the OS Install DVD

 

. or rebooting and pressing F8 ) Repair Your Computer

 

 

Please note that the Full Server Restore will replace all folders and documents with the ones present at the time of the backup. It's a time machine, so remember to save and export current important data.

 

 

 

Doing a System State Restore

 

System State Restore seems to recover the system in a close-to-ghost way, but doesn't change the installed software, its settings or the user documents.
MS is not very clear about the level of system restoration of this recovery. It does seem to fit between a restore point and ( bare-metal / recovery of the Operating System ).

 

System State Restore is useful when you're using Remote Desktop to the Server and/or need a quick fix.

To do a System State Restore, we use the same Administrative Tools ) Windows Server Backup :

 

WS5a

 

and choose Recover :

 

WS5f

 

 

 

The different restore levels in details

 

 

Here is a sum-up of the different levels of system restore :

 

Online ( Using the booted Windows Server OS ) :

 

                 . System State recovery

 

Offline ( Using either the install DVD or F8 ) :

 

                 . Bare metal Recovery

                 . OS Recovery

                 . Full Server recovery

 

 

Full Server Recovery is an ' all Server Disks ' image including documents and applications.

The difference between Bare Metal Recovery and OS Recovery is not clear.

System State Recovery seems even less complete than the two latter, but the difference is still not clear.

 

Here is some official Microsoft Documentation :

 

WS5e.gif

 

 

What doesn't help to sort all of this out is that MS documentation lists what System State Recovery saves, instead of what it doesn't save. I'll add better information here as soon as I manage to clear all this up.

 

Published by computer outlines - in Windows Server 2008 R2

18 July 2013 15:11

We'll see in this post how to use GUA ( Global Unicast Addresses ) for our DNS Server and what it involves compared to ULA.
See the previous post about the basics of DNS Server, using ULA.

 

WS3a.gif

 

As stated in the two previous posts, our DNS Server will only be authoritative over our local network. We'll leave our public servers' DNS management at the registrar level. See the two previous posts for explanations and details.

[G] represents our /48 GUA prefix throughout this post ( 2001:0DB8:0::/48 as an example )

 

Subnet design of the GUA network

 

As we're using GUA ( Global Unicast Addresses ), we need a clear separation between our authority and our non-authority zones. We'll use subnets for this :

WS3b.gif

 

 

The [G]:2::/64 and [G]:1::/64 subnets will be for our non-public network.
The [G]:0::/64 subnet will be for our public-access network.

For this, we create two reverse-lookup zones :


new reverse lookup zone :

    Primary zone

    IPv6

    [G]:3::/64

    Net03GUA.dns

    do not allow dynamic updates



new reverse lookup zone :

    Primary zone

    IPv6

    [G]:2::/64

    Net02GUA.dns

    do not allow dynamic updates



We then add the AAAA records for our network nodes :


add AAAA records for PC1, PC2, vefsna, Router1, Router2





Using both ULA and GUA on the non-public network


Of course, we can register both the ULA and GUA non-public subnets. We just have to register both the ULA and GUA reverse-lookup zones, and both ULA and GUA AAAA records for the nodes.

The only point to decide is whether to register distinct host and router names for ULA and GUA.
[G] being our /48 GUA prefix and [H] being our /48 ULA prefix, we could have :

[G]:3::210    PC1
[H]:3::210    PC1

or

[G]:3::210    PC1gua
[H]:3::210    PC1

It is just a design choice.

 

Published by computer outlines - in Windows Server 2008 R2

15 July 2013 12:41

Now that we know how to choose the right domain name, let's see the DNS Server implementation.
We'll use Windows Server 2008 R2 here, and keep a special focus over IPv6.

D7o.gif

 

 

Our DNS Server won't be authoritative over external Internet servers. This is a heavy task ( having servers in distinct physical locations, facing flooding and DNS poisoning, ... ) and is beyond the scope of this post. Furthermore, it only makes sense in very special cases or for big firms.

So our DNS server will be authoritative only over our local network. We'll use example.net as our domain name, but you can replace it with int.example.com if you wish, it's the same.

See previous post for more details about Domain name design and choice in DNS Server / Active Directory implementation.

PC1, PC2, VEFSNA and Router1 ( LAN ) are on the subnet 192.168.3.0 / fd07:44de:a327:3::/64

PC3 and Router2 ( LAN ) are on the subnet 192.168.2.0 / fd07:44de:a327:2::/64

Since we're using ULAs, we don't even have to think about DNS Server authority. Our DNS Server will be authoritative over our local network and will forward all other queries to an outside DNS Server.

 

 


Server preparation

 

We first clean up any previous DNS Server implementation in our WS2008 R2 by emptying the folders :

C:\Windows\System32\DNS
C:\Windows\System32\DNS\Backup

leaving only these two empty folders.

 

We can clean some previous DNS Server logs :

 

D7n.gif

 

In Network Connections, we set our interfaces' DNS IPs to either :

                . [Server IP]

or

                . Loopback ( 127.0.0.1 / ::1 )

 

 

In Advanced System Properties, we check our Server name and DNS suffix :

. computer name :    [Server Name]
. dns suffix :       example.net

And we reboot.

 

 

 

DNS Role installation and configuration

 

We then add the DNS Server Role : Server Manager ) Add Roles ) DNS Server

D7b

 

 

 

We then configure our DNS Server by expanding the Server Manager tree :

 

Server Manager ) Roles ) DNS Server ) DNS ) [ Server Name ] ) Right click : Configure a DNS Server :

 

D7c.gif

 

 

We will use these settings for the configuration :

       . Create a forward lookup zone
       . This server maintains the zone
       . Zone name : example.net
       . File name : default ( example.net.dns in this case )
       . Dynamic Updates : Do not allow dynamic updates       ( there is no AD here )
       . Forward queries : Yes
                           IPv4 ISP DNS or openDNS

We use query forwarding because we want the DNS queries we are not authoritative for to be forwarded directly to an outside caching or recursive DNS Server.

 

 

 

Lookup Zones configuration

 

We then configure our Reverse Lookup Zones, both for IPv4 and IPv6.

 

Server Manager ) Roles ) DNS Server ) DNS ) [ Server Name ] ) Reverse Lookup Zone ) Right click : new zone

 

D7d.gif

 

 

We use these settings for this IPv4 Reverse Lookup Zone :

    . Primary zone
    . IPv4 Reverse Lookup Zone
    . 192.168.3
    . zone file : new file ( default )                       ( 3.168.192.in-addr.arpa.dns in this case )
    . Dynamic updates : Do not allow dynamic updates         ( there is no AD here )

We then create a second Reverse Lookup Zone, for IPv6 this time ( Right click ) New Zone ) :

    . Primary zone
    . IPv6 Reverse lookup zone
    . fd07:44de:a327:3::/64
    . zone file : new file : net03.dns                       ( create your own name here )
    . Dynamic updates : Do not allow dynamic updates         ( there is no AD here )

 

Do note two things about IPv6 in DNS Server :

 

    . You have to enter the zone subnet using a [prefix]/[prefix length] format :

 

D7e.gif

 

    . There is no default zone file created, so you have to make one up. I like to tag the subnet, so I use Net03.dns in this case ( because the subnet is fd07:44de:a327:3::/64 and I use the last hex quad for subnet tagging ). Just make it end with .dns :

 

D7f.gif

 

Normally, the NS and SOA fields have been automatically filled with the right settings and host records have been automatically created for the Server IP addresses :

 

D7m.gif

 

Finally, we have to add PTR records ( Reverse Lookup ) for our Server's own IPs.

Using Server Manager ) Roles ) DNS Server ) DNS ) [ Server Name ] ) Reverse Lookup Zone :

 

We right click our IPv4 zone ( 3.168.192.in-addr.arpa here ) and choose ' new PTR record ' :

 

 

and then add our Server Name ( vefsna ) and its IPv4 DNS address here :

 

 

We do it again for the DNS Server IPv6 address.

We right click our IPv6 zone ( net03.dns here ) and choose ' new PTR record ' :

 

 

and then add our server Name ( vefsna here ) and IPv6 DNS address :

 

 

 

 

We can check that our DNS server is functioning by doing :

Roles ) DNS Server ) DNS ) [ Server Name ] ) right click ) nslookup :

 

D7p.gif

 

The DNS Server should be able to resolve its own name, IPv4 and IPv6 addresses. Furthermore, the field ' DNS Server ' should list our Server name ( vefsna in this case ).

 

 

 

Adding DNS records for network hosts and routers

 

To add a record, we just have to add a new host in the Forward Lookup Zone. The PTR record will be created automatically. Please note that you have to create 2 records for each host : 1 IPv4 record and 1 IPv6 record.

 

Roles ) DNS Server ) DNS ) [ Server Name ] ) Forward lookup zone ) example.net ) right click :
new host ( A or AAAA ) :

 

D7g.gif

 

As an example, for PC1, we create an IPv4 record using these settings :

 

    PC1
    192.168.3.140
    Create associated PTR Record : yes
    Add Host ( click )

 

D7h.gif

 

 

and we create an IPv6 record using these settings :

 

    PC1
    fd07:44de:a327:3::140
    Create associated PTR Record : yes
    Add Host ( click )

D7i.gif

 

We create records the same way for PC2 and Router1 ( LAN IP ).

We can test that these records are functioning using the Server Manager nslookup tool :

 

Roles ) DNS Server ) DNS ) [ Server Name ] ) right click ) nslookup
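The wizard computes the in-addr.arpa / ip6.arpa zone name from the subnet you type, and creates the PTR record for you when ' Create associated PTR Record ' is ticked. The following script is an added example, not part of the original post, that shows what happens underneath: it derives the reverse zone names and the PTR node names for the post's two subnets and prints the equivalent dnscmd commands ( dnscmd is the command-line tool that ships with the 2008 R2 DNS role; the syntax shown is the one I know, so compare it with ` dnscmd /? ` on your server ). Only PC1's addresses and the server's IPv6 address come from the post; the server's IPv4, PC2's and Router1's addresses and the OpenDNS forwarder are assumptions.

```python
import ipaddress

DOMAIN = "example.net"
V4_NET = "192.168.3.0/24"           # the post's 192.168.3.0 subnet
V6_NET = "fd07:44de:a327:3::/64"    # the post's ULA subnet
FORWARDER = "208.67.222.222"        # OpenDNS resolver (assumed; the post says "ISP DNS or openDNS")

# (name, IPv4, IPv6). PC1 and the server's IPv6 come from the post;
# every other address is an assumption made for this example.
HOSTS = [
    ("vefsna",  "192.168.3.210", "fd07:44de:a327:3::210"),  # the DNS server itself (IPv4 assumed)
    ("pc1",     "192.168.3.140", "fd07:44de:a327:3::140"),
    ("pc2",     "192.168.3.141", "fd07:44de:a327:3::141"),  # assumed
    ("router1", "192.168.3.1",   "fd07:44de:a327:3::1"),    # assumed LAN addresses
]


def _reverse_labels(addr):
    """Reverse-DNS labels of an address, least significant first.

    IPv4 reverses the four octets; IPv6 reverses all 32 hex nibbles of the
    expanded address, which is why ip6.arpa names are so long.
    """
    if addr.version == 4:
        return str(addr).split(".")[::-1]
    return list(addr.exploded.replace(":", ""))[::-1]


def _zone_label_count(net):
    """Labels covered by the prefix: 8 bits per octet (v4), 4 bits per nibble (v6)."""
    bits = 8 if net.version == 4 else 4
    if net.prefixlen % bits:
        raise ValueError(f"prefix length {net.prefixlen} is not a multiple of {bits}")
    return net.prefixlen // bits


def reverse_zone_name(network):
    """'192.168.3.0/24' -> '3.168.192.in-addr.arpa'; a /64 -> 16 nibbles + '.ip6.arpa'."""
    net = ipaddress.ip_network(network)
    labels = _reverse_labels(net.network_address)
    n = _zone_label_count(net)
    suffix = "in-addr.arpa" if net.version == 4 else "ip6.arpa"
    return ".".join(labels[-n:] + [suffix])


def ptr_node_name(address, network):
    """The record name inside the reverse zone: the host part of the address, reversed."""
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(network)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    labels = _reverse_labels(addr)
    return ".".join(labels[: len(labels) - _zone_label_count(net)])


def dnscmd_commands(domain, v4net, v6net, hosts, forwarder):
    """Emit the dnscmd lines equivalent to the wizard steps described in the post."""
    v4zone, v6zone = reverse_zone_name(v4net), reverse_zone_name(v6net)
    cmds = [f"dnscmd /ZoneAdd {zone} /Primary /file {zone}.dns" for zone in (domain, v4zone, v6zone)]
    # "Do not allow dynamic updates" (no AD here): AllowUpdate 0
    cmds += [f"dnscmd /Config {zone} /AllowUpdate 0" for zone in (domain, v4zone, v6zone)]
    cmds.append(f"dnscmd /ResetForwarders {forwarder}")
    for name, v4, v6 in hosts:
        fqdn = f"{name}.{domain}."
        cmds.append(f"dnscmd /RecordAdd {domain} {name} A {v4}")
        cmds.append(f"dnscmd /RecordAdd {v4zone} {ptr_node_name(v4, v4net)} PTR {fqdn}")
        cmds.append(f"dnscmd /RecordAdd {domain} {name} AAAA {v6}")
        cmds.append(f"dnscmd /RecordAdd {v6zone} {ptr_node_name(v6, v6net)} PTR {fqdn}")
    return cmds


if __name__ == "__main__":
    print("\n".join(dnscmd_commands(DOMAIN, V4_NET, V6_NET, HOSTS, FORWARDER)))
```

Unlike the wizard, dnscmd adds each PTR explicitly, so the generated list is also a handy inventory: a host that has an A or AAAA line but no matching PTR line is exactly the gap that makes the reverse lookups later in this post fail.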

 

 

Client computers configuration

 

We have to make sure PC1 and PC2 get the Server DNS IP and domain prefix for DNS resolution :

 

. Either statically, using Network Connections ( for the DNS IP ) and Advanced System Properties ( for the domain suffix )

. Or dynamically, by registering these two settings in Router1

 

 

 

Testing DNS resolution

 

We can test forward DNS resolution using these commands :

nslookup [name]                       ( resolves [name] into its IPs )

nslookup [name] [DNS Server IP]       ( forces the use of a specific DNS server IP for the resolution )

We can test reverse DNS resolution using these commands :

nslookup [IP]                         ( performs a reverse lookup of [IP] )

nslookup [IP] [DNS Server IP]

Please note these special commands :

ping -a [IP]                          ( performs a ping + reverse lookup )

tracert -d [name]                     ( tracert without reverse lookups of the intermediate nodes )

tracert -d [IP]                       ( idem )

 

For example, here is a sequence to test DNS query, reverse lookup, suffix settings and DNS forwarding :


nslookup pc1.example.net fd07:44de:a327:3::210
nslookup pc1.example.net
nslookup pc1
nslookup www.wikipedia.org

 

nslookup fd07:44de:a327:3::140
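To check forward / reverse consistency in bulk rather than one nslookup at a time, here is an added example ( mine, not from the post ) that cross-checks a snapshot of the A/AAAA records against the PTR records, the same forward-confirmed reverse DNS test that mail servers and log-analysis tools rely on, and that mimics the suffix handling behind ' nslookup pc1 '. The record tables are constructed: PC1's addresses and the server's IPv6 address come from the post, the rest is assumed, and three defects are planted on purpose.

```python
import ipaddress

# Constructed snapshot of the zones: A/AAAA records of example.net and the PTR
# records of its two reverse zones. PC1 and the server's IPv6 address come from
# the post; the other addresses are assumptions. Three defects are planted on
# purpose so the report has something to show.
FORWARD = {
    "pc1.example.net":     ["192.168.3.140", "fd07:44de:a327:3::140"],
    "pc2.example.net":     ["192.168.3.141", "fd07:44de:a327:3::141"],  # assumed
    "vefsna.example.net":  ["192.168.3.210", "fd07:44de:a327:3::210"],  # IPv4 assumed
    "router1.example.net": ["192.168.3.1",   "fd07:44de:a327:3::1"],    # assumed
}
REVERSE = {
    "192.168.3.140":         "pc1.example.net",
    "fd07:44de:a327:3::140": "pc1.example.net",
    "192.168.3.141":         "pc2.example.net",
    # defect 1: pc2's IPv6 address has no PTR at all
    "192.168.3.210":         "vefsna.example.net",
    "fd07:44de:a327:3::210": "vefsna.example.net",
    "192.168.3.1":           "router1.example.net",
    "fd07:44de:a327:3::1":   "router2.example.net",  # defect 2: PTR names the wrong host
    "192.168.3.99":          "ghost.example.net",    # defect 3: PTR left behind for a host that no longer exists
}


def _canon_addr(text):
    """Canonical address text so 'FD07:0044:...' and 'fd07:44:...' compare equal."""
    return str(ipaddress.ip_address(text))


def _canon_name(text):
    """DNS names are case-insensitive; drop a trailing dot too."""
    return text.lower().rstrip(".")


def check_forward_reverse(forward, reverse):
    """Cross-check A/AAAA records against PTR records (forward-confirmed reverse DNS).

    Returns a sorted list of (issue, address, detail):
      missing_ptr   a forward record's address has no PTR
      ptr_mismatch  the PTR exists but names a different host
      stale_ptr     a PTR exists for an address that no forward record uses
    """
    fwd = {_canon_name(n): {_canon_addr(a) for a in addrs} for n, addrs in forward.items()}
    rev = {_canon_addr(a): _canon_name(n) for a, n in reverse.items()}
    findings = []
    for name, addrs in fwd.items():
        for addr in addrs:
            ptr = rev.get(addr)
            if ptr is None:
                findings.append(("missing_ptr", addr, name))
            elif ptr != name:
                findings.append(("ptr_mismatch", addr, f"{name} != PTR {ptr}"))
    forward_addrs = {a for addrs in fwd.values() for a in addrs}
    for addr, ptr in rev.items():
        if addr not in forward_addrs:  # addresses in use were judged in the loop above
            findings.append(("stale_ptr", addr, ptr))
    return sorted(findings)


def resolve(name, forward, suffix="example.net"):
    """Mimic the client side: an unqualified name such as 'pc1' gets the DNS suffix appended."""
    fqdn = name if "." in name else f"{name}.{suffix}"
    return forward.get(_canon_name(fqdn), [])


if __name__ == "__main__":
    for issue, addr, detail in check_forward_reverse(FORWARD, REVERSE):
        print(f"{issue:13} {addr:24} {detail}")
```

Feed it the records exported from your own zones ( the zone files under C:\Windows\System32\DNS are plain text ) and an empty report means every address resolves back to the name that claims it; the three planted defects show the three ways that can fail.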

 

 

Adding more zones

 

We might want to add more zones to our DNS Server. In this example, we will add the zone that contains PC3 and Router2 ( Lan IP ) :

 

D7o

 

This means adding two new reverse lookup zones :

. 192.168.2.0 subnet

. fd07:44de:a327:2::/64 subnet

 

We do it the same way we added the first two reverse lookup zones :

Server Manager ) Roles ) DNS Server ) DNS ) [ Server Name ] ) Reverse Lookup Zone ) Right click : new zone

 

We add a new IPv4 reverse lookup zone : 192.168.2

and a new IPv6 reverse lookup zone : fd07:44de:a327:3::/64

 

We now have 4 reverse lookup zones :

 

D7k.gif

 

 

We can now add new host records : PC3 and Router2
( using Roles ) DNS Server ) DNS ) [ Server Name ] ) Forward lookup zone ) example.net ) right click :
new host ( A or AAAA ) ) :

 

D7l.gif

 

 

We can now start experimenting with our two subnets, for example :

tracert router2

 

We can see the reverse name resolution of the nodes occurring on the fly.

We can log in to our routers using router1 or router2 ( the domain suffix is added on the fly ).

We can even add more subnets to our DNS Server.

 

 

 

Registering our public-access services

 

 

D7o

 

We finally have to register our public-access services, which reside on our outside domain example.com.

 

Of course, the Web/FTP server and the Internet Gateway have to use Global Unicast Addresses.

 

To do this, we just have to log in to our registrar page, and add A and AAAA records for both :

www.example.com

ftp.example.com

 

pointing to our public IPv4 address for the A records                  ( port forwarding needed for IPv4 )

pointing to our Web/FTP server IPv6 address for the AAAA records       ( no port forwarding needed for IPv6 )

 

For our inside network hosts, www.example.com and ftp.example.com will be resolved by query forwarding.

 

Published by computer outlines - in Windows Server 2008 R2
