Smart Sizing the Remote Desktop – Pure love


This is a short post on a simple subject, not directly a SharePoint subject, but like most of the Windows Server 2012 posts I have made, it is related. As SharePoint geeks we never spend a day at work without fiddling with our test servers; these are usually kept as virtual servers in Hyper-V or VMware. Either way, it is always, at least to me, a pain using a laptop with a small screen or any external display with a different resolution than your desktop on the remote server.

The days of complaining about the #%&!&$ scrollbars are over! We now have Smart Sizing. As I see it, it is a new feature in Windows Server 2012 and Windows 8. It was available before, but only as a text command added to the .rdp file. (Correct me if I’m wrong here please)

So, what is it? It is a simple setting available in your Remote Desktop window that allows the window content to be automatically ‘stretched’ to fit the screen it is in. No more scrollbars is what it means! Thank you!
Do like this:

1. If you have these annoying scrollbars… like I have (watch the right-hand side…):


2. Click in the very top right corner of the RDP window and click on Smart Sizing to enable it:


3. That’s it, no more scrollbars!


See?
Try it out, you will love this little feature like I do!

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

A guide to Alternate Access Mappings Basics in SharePoint 2013



Alternate Access Mapping Basics in SharePoint 2013

(This post is in its entirety valid for SharePoint 2010 as well)

Explains how you should look at Alternate Access Mappings – left to right.
Alternate Access Mappings are something that most SharePoint engineers or administrators struggle with. More often than not, we get it right in the end, but we are not really sure why it works or if it really works the way we want it to.
This is my attempt to make it easy to understand.


Note: This is part 1 in a series, the next part will show how to configure DNS and a simple scenario adding a new NetBIOS name as URL to a Web Application.
Note: For the complete guide, with DNS steps and 4 different scenarios including https, download the free Whitepaper from TechNet: The final guide to Alternate Access Mappings

In order to make AAMs simpler to understand, look at them a bit differently. Start with this simple table:

Left area      Internal URLs
Right area     Public URLs with a zone
Middle area    Zones, which connect Internal URLs to Public URLs, many to one.

An Internal URL redirects or transforms to a Public URL, from left to right. The URL on the left is what you enter in the address field in your browser; the Public URL on the right is what you will see once there. This goes for visible and invisible links as well.
Internal URL format: Protocol + URL (+non default port)

A Public URL is the address of the Web Application for one of the five zones available. The ‘Default’ must be filled out and has some special properties/uses; the other four are optional. You can only have five Public URLs per Web Application.
This is the URL that the browser will be redirected to in the end.
Public URL format: Protocol + URL (+non default port)

A Zone is a label representing a Public URL; the zone is used to ‘connect’ an Internal URL to a Public URL. The zone names have no relation whatsoever to the four Internet Explorer security zones (Internet, Local Intranet, Trusted sites and Restricted sites) and could just as easily have been named 1, 2, 3, 4 and 5. A zone can also represent an authentication provider.
Zones: Default, Intranet, Internet, Custom, Extranet

Example:


Note: Based on the Zone selected for every Internal URL, they will be connected to a Public URL.

From left – to right…
The zones might as well be represented by numbers:


Note: Try to always use the most used URL as the default Public URL. This is what will be used by other services, like crawl and in certain other links.

Translated to SharePoint GUI, this same setup would look like this:


Note: Filtered on this Web Application’s Alternate Access Mapping Collection only.
Same Alternate Access Mappings as in the Example table above.

You will see that if you click on any of the ‘Internal URLs’ that you can select zone, and with the zone, the Public URL it will be connected to:


In addition to the actual Alternate Access Mapping in SharePoint Central Administration, you also have to add a Binding in IIS. Contrary to what many believe, SharePoint does not do that for you, except for the initial host header when you create the web application, so you have to do it manually.
The example above would show up in IIS Bindings like this:


As you can see, in IIS 8.0 and Windows Server 2012 the https binding does show up with a hostname. In IIS 7.5 and Windows Server 2008 R2, the hostname is determined by the name configured in the certificate used when adding that binding, and is hidden in this view.
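
One way to check the point above, that every AAM URL also needs a matching IIS binding, as an added example (not code from the original post). The host names and the binding in the sample are constructed, and the commented lines at the end assume a web application URL and IIS site name of their own.

```powershell
# Added example: report AAM URLs that no IIS binding would accept.
function Find-AamWithoutBinding {
    param(
        [Parameter(Mandatory)] [string[]] $AamUrl,   # Internal/Public URLs from the AAM collection
        [Parameter(Mandatory)] [object[]] $Binding   # objects with .protocol and .bindingInformation
    )
    foreach ($url in $AamUrl) {
        $u = [uri]$url
        # bindingInformation is "ip:port:hostheader"; the greedy first group copes with IPv6 literals.
        # An empty host header accepts any host name on that port.
        $hit = $Binding | Where-Object {
            $_.bindingInformation -match '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$' -and
            $_.protocol -eq $u.Scheme -and
            [int]$Matches['port'] -eq $u.Port -and
            ($Matches['host'] -eq '' -or $Matches['host'] -eq $u.Host)
        } | Select-Object -First 1
        [pscustomobject]@{
            Url        = $url
            HasBinding = [bool]$hit
            Binding    = if ($hit) { "$($hit.protocol) $($hit.bindingInformation)" } else { $null }
        }
    }
}

# Constructed sample: three AAM URLs, but only the initial host header was bound in IIS.
$aam = 'http://sp.contoso.com', 'http://intranet', 'https://extranet.contoso.com'
$iis = @(
    [pscustomobject]@{ protocol = 'http'; bindingInformation = '*:80:sp.contoso.com' }
)
Find-AamWithoutBinding -AamUrl $aam -Binding $iis | Format-Table -AutoSize

# On a SharePoint server the same inputs could come from (URL and site name are assumptions):
#   $aam = Get-SPAlternateURL -WebApplication 'http://sp.contoso.com' | ForEach-Object { $_.IncomingUrl }
#   $iis = Get-WebBinding -Name 'SharePoint - 80'
```

With the sample data, only http://sp.contoso.com is reported as having a binding; the other two URLs would resolve in AAM but never reach the site in IIS.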

That’s it! When you have configured your AAMs and Bindings correctly, and given that name resolution, IP addresses, connectivity from the client to the server(s) and all other aspects are in order, you can now start to use the URLs you want.



How to disable IE Enhanced Security in Windows Server 2012


Have you seen this? Or similar in SharePoint 2010?

This is just a quick guide to disabling the setting that makes Internet Explorer unbearable in a lab or test environment. Often, you do use the browser on the lab, dev or test server to quickly verify functionality or, in SharePoint, to access the Central Administration web site and make the initial configurations. When IE ESC is enabled, you get popups all the time and you are asked to add every new URL to the IE Trusted sites zone.
So, on a dev, test or lab server, it is OK to disable it, at least if you ask me, as long as you are aware of what you are doing and that it does, after all, provide an extra layer of security.
At the end of this post, I have added what all the settings in IE ESC really do, one by one.

Updated 2013-02-06 – Added link menu



Disable IE ESC using the GUI – Graphical User Interface
Disable IE ESC using PowerShell
General Information about IE ESC




GUI – Graphical User Interface

The steps:

1. On the Windows Server 2012 server desktop, locate and start the Server Manager.

2. Select Local Server (The server you are currently on and the one that needs IE ESC turned off)

3. On the right side of the Server Manager, you will by default find the IE Enhanced Security Configuration Setting. (The default is On)

4. You have two settings that can be disabled: one affects only Administrators and the other all users. The preferred method when testing (for example SharePoint) is to use a non-admin account, and if that is the case, disable IE ESC only for users. Using a local administrator account would cause an additional threat to security, and it will often not give you the required result in tests, since the administrator has permissions that a normal user does not.
Make your selection to Off for Administrators, Users or both.

5. In this example, I have selected to completely disable Internet Explorer Enhanced Security. When your selection is made, click OK.

6. Back in the Server Manager, you will see that the setting has not changed at all. Press F5 to refresh the Server Manager and you will see that it is changed to Off.

Done. Open an IE browser window and try to access any internal site to test the setting; you will notice that you are no longer prompted in the same way.



PowerShell

(Best I can do; if you know of any OOB cmdlets that do the trick, please drop a comment and let me know.)
Put the code below in a text file and save it with a .ps1 extension, e.g. Disable-IEESC.ps1
(This will disable both Administrator and User IE ESC)

function Disable-IEESC
{
    # Active Setup component keys for IE ESC: ...A7 = Administrators, ...A8 = Users
    $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    # IsInstalled = 0 switches IE ESC off for that group
    Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
    Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
    # Stop Explorer so the shell restarts and picks up the change
    Stop-Process -Name Explorer
    Write-Host "IE Enhanced Security Configuration (ESC) has been disabled." -ForegroundColor Green
}
Disable-IEESC
(You have to hit enter twice after pasting the script if you paste it directly into a PS prompt)
 
Done!
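
The GUI steps let you switch IE ESC off for Users while leaving it on for Administrators, whereas the script above switches both off. As an added example (not from the original post), the functions below read the current state and set either group independently, using the same two registry keys; the function names are made up for this example, and it assumes IsInstalled = 1 means On.

```powershell
# Added example: audit and set IE ESC per group. Registry paths are the two keys used in the post's script.
$IEESCKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEESCState {
    foreach ($role in 'Administrators', 'Users') {
        $path  = $IEESCKeys[$role]
        $value = $null
        # The keys are absent on systems without IE ESC, so do not assume they exist
        if (Test-Path -LiteralPath $path) {
            $value = (Get-ItemProperty -LiteralPath $path -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        }
        [pscustomobject]@{
            Role  = $role
            State = if ($null -eq $value) { 'NotPresent' } elseif ($value -eq 1) { 'On' } else { 'Off' }
        }
    }
}

function Set-IEESCState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [ValidateSet('Administrators', 'Users')] [string[]] $Role,
        [Parameter(Mandatory)] [bool] $Enabled
    )
    foreach ($r in $Role) {
        # -WhatIf shows what would be written without touching the registry
        if ($PSCmdlet.ShouldProcess($r, "Set IE ESC IsInstalled=$([int]$Enabled)")) {
            Set-ItemProperty -LiteralPath $IEESCKeys[$r] -Name IsInstalled -Value ([int]$Enabled)
        }
    }
    Get-IEESCState
}

# Lab use matching step 4 of the GUI section: off for Users only, Administrators stay protected.
#   Set-IEESCState -Role Users -Enabled $false
# Put both back before the server leaves the lab:
#   Set-IEESCState -Role Administrators, Users -Enabled $true
Get-IEESCState | Format-Table -AutoSize
```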



IEESC General Information

IMPORTANT! Do NOT disable IE ESC on any production servers or servers with live data on them, to disable IE ESC is to reduce the security and can potentially expose the server to attacks. By the way, on a production server: IE shall not be used at all!

More on IE ESC from Microsoft help:
(From Windows Server 2008 R2 help; the 2012 help leads to an empty web page!)

Internet Explorer Enhanced Security Configuration Overview

Windows Internet Explorer Enhanced Security Configuration (IE ESC) configures your server and Internet Explorer in a way that decreases the exposure of your server to potential attacks through Web content and application scripts. This is done by raising the default security levels on Internet Explorer security zones and changing the default settings.

Enabling or disabling IE ESC

IE ESC can be enabled or disabled by using Server Manager for members of the local Administrators group only or for all users that log on to the computer.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

Note: If Internet Explorer is open when IE ESC is enabled or disabled, you must restart Internet Explorer for the IE ESC changes to become active.
Note: IE ESC will automatically be disabled if Terminal Services or Remote Desktop Services is installed on a computer that has IE ESC enabled, but it can be enabled again by using Server Manager.

Default settings for IE ESC

When IE ESC is enabled on Windows Server 2008 R2, the security levels for several built-in security zones are changed. The following describes these changes.

Internet
High
All Web sites are assigned to this zone by default. Web pages might not display as expected, and applications that require the Web browser might not work correctly because scripts, ActiveX controls, and file downloads have been disabled. If you trust an Internet Web site, you can add that site to the Trusted sites zone.

Trusted sites
Medium
This zone is for the Internet sites whose content you trust.

Local intranet
Medium-Low
When visiting Web sites on your organization’s intranet, you might be repeatedly prompted for credentials because IE ESC disables the automatic detection of intranet Web sites. To automatically send credentials to selected intranet sites, add those sites to the Local intranet zone. Additionally, access to scripts, executable files, and other files in a shared folder are restricted unless the shared folder is added to this zone.

Restricted sites
High
This zone contains sites that are not trusted, such as malicious Web sites.

Internet Explorer maintains two different lists of sites for the Trusted sites zone: one list when IE ESC is enabled and a separate list when it is disabled. When you add a Web site to the Trusted sites zone, you are adding it only to the list that is currently being used.

If you attempt to browse a Web site that uses scripting or ActiveX controls, Internet Explorer with IE ESC enabled will prompt you to consider adding the site to the Trusted sites zone. You should add the Web site to the Trusted sites zone only if you are sure that the Web site is trustworthy. If this prompt is disabled, it can be enabled again by selecting the Display enhanced security configuration dialog check box in the Advanced tab of the Internet Options dialog box. For more information about adding Web sites to Internet Explorer security zones, see Security zones: adding and removing websites (http://go.microsoft.com/fwlink/?LinkId=81287).

In addition to raising the default security level of each zone, IE ESC also adjusts Internet options to further reduce exposure to possible future security threats. These settings can be found on the Advanced tab of the Internet Options dialog box. The following describes the options that are changed when IE ESC is enabled.

Enable third-party browser extensions
Off
Disables Internet Explorer add-ons that might have been created by companies other than Microsoft.

Play sounds in Web pages
Off
Disables music and other sounds.

Play animations in Web pages
Off
Disables animations.

Check for server certificate revocation
On
Automatically checks a Web site’s certificate to determine if the certificate has been revoked.

Do not save encrypted pages to disk
On
Disables saving encrypted information in the Temporary Internet Files folder.

Empty Temporary Internet Files folder when browser is closed
On
Automatically clears the Temporary Internet Files folder when Internet Explorer is closed.

Warn if changing between secure and not secure mode
On
Displays a warning when a Web site is redirecting the browser from a Web site with security features implemented (HTTPS) to a Web site without security features implemented (HTTP).

The Internet Explorer home page location is changed when IE ESC is enabled or disabled. This change ensures that the home page will open without prompting the user to add it to the Trusted sites zone. This is done by changing the home page to an HTML file stored locally on the computer. If you want to change the home page when IE ESC is enabled, add this home page to the Trusted sites zone before making the change. The following lists the home page associated with each scenario.

IE ESC is enabled, and the user account is a member of the local Administrators group.
res://iesetup.dll/HardAdmin.htm

IE ESC is disabled, and the user account is a member of the local Administrators group.
res://iesetup.dll/SoftAdmin.htm

IE ESC is enabled, and the user account is not a member of the local Administrators group.
res://iesetup.dll/HardUser.htm

Note: If Internet Explorer is customized by using the Internet Explorer Administration Kit, the home page is not changed to one of the IE ESC home pages listed in the table when IE ESC is enabled or disabled.

Caution

These changes reduce the functionality in Web pages, Web-based applications, local network resources, and applications that use a browser to display Help, support, and general user assistance.

When IE ESC is enabled, the following Web sites are added to the appropriate security zones:
The Windows Update and Windows Error Reporting Web sites are added to the Trusted sites zone.
http://localhost
https://localhost
hcp://system
are added to the Local intranet zone.


Windows Server 2012 Roadshow in Sweden and Denmark – December 10th-13th


This goes out to all of the Swedish and Danish viewers… and all of you who might think it worth travelling a bit.

Mikael Nyström (MVP), one of the leading minds on Windows Server and Deployment in the world, will do a road show in Sweden and Denmark this December.
Learn about all of the new features in Windows Server 2012, Hyper-V, Storage, DataDeDuplication, SMB 3.0, IPAM, PowerShell, VDI, Remote Desktop and Windows Server 2012 Server Deployment and then some…
It is a free event, and there are a limited number of seats available, so make sure to be one of the lucky ones and register NOW!

The show travels across Sweden, starting in Borlänge, then via Stockholm to Gothenburg, to finally end up in Copenhagen, Denmark.

Borlänge – 10/12
Stockholm – 11/12
Göteborg – 12/12
Köpenhamn – 13/12

For a few more details and to register, visit Mikael’s blog:

the Deployment Bunny



How to enable Ping in Windows Server 2012



Updated 2013-02-04 – Added link menu and corrected PowerShell command syntax

This is just a quick guide to enabling a server to respond to ping. The default setting in Windows Server 2012 is to not respond. This is how you do it:

The exact same steps apply to Windows Server 2012 R2

Enable Ping using the GUI – Graphical User Interface
Enable Ping using PowerShell




GUI – Graphical User Interface

1. Open Control Panel, then select System and Security by clicking on that header

2. Select Windows Firewall

3. Advanced Settings

4. In ‘Windows Firewall with Advanced security’ click on ‘Inbound rules’

5. Scroll down to ‘File and Printer Sharing (Echo Request - ICMPv4-In)’

6. Right-click on the rule and select ‘Enable rule’

Make sure that it turns green

Done, close down the ‘Windows Firewall with Advanced Security’ window and then the Control Panel.
Verify functionality by pinging the server’s own IP address from a command or PowerShell prompt.

Done!



PowerShell
(This will enable the existing rule exactly as the instruction above does)

Import-Module NetSecurity
Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" -Enabled True

(Above enables the existing rule, below will create a new rule that allows ICMPv4/Ping and enable it)

Import-Module NetSecurity
New-NetFirewallRule -Name Allow_Ping -DisplayName "Allow Ping" -Description "Packet Internet Groper ICMPv4" -Protocol ICMPv4 -IcmpType 8 -Enabled True -Profile Any -Action Allow

(For IPv6 Ping you obviously enable the v6 Inbound Rule…)

That’s all there is to it!
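
The new rule above is created with -Profile Any and no restriction on who may send the echo request. As an added example (not from the original post), this variant limits the rule to chosen profiles and source addresses and then lists every enabled inbound ICMPv4 echo rule with its scope; the rule name, function names and default scope are assumptions.

```powershell
Import-Module NetSecurity

function Enable-ScopedPing {
    param(
        [string]   $Name            = 'Allow_Ping_Scoped',     # hypothetical rule name
        [string[]] $FirewallProfile = @('Domain', 'Private'),
        [string[]] $RemoteAddress   = @('LocalSubnet')         # or a management subnet in CIDR form
    )
    if (Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue) {
        # Rule already exists: bring it back to the wanted scope instead of creating a duplicate
        Set-NetFirewallRule -Name $Name -Enabled True -Profile $FirewallProfile -RemoteAddress $RemoteAddress
    } else {
        New-NetFirewallRule -Name $Name -DisplayName 'Allow Ping (scoped)' -Direction Inbound `
            -Protocol ICMPv4 -IcmpType 8 -Profile $FirewallProfile -RemoteAddress $RemoteAddress `
            -Action Allow -Enabled True | Out-Null
    }
}

function Get-PingRuleScope {
    # Every enabled inbound allow rule that matches ICMPv4 echo request, and who may use it
    foreach ($rule in (Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow)) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -ne 'ICMPv4') { continue }
        # IcmpType can be 'Any', '8' or 'type:code'; compare on the type part only
        $types = @($port.IcmpType) -replace ':.*'
        if ($types -notcontains 'Any' -and $types -notcontains '8') { continue }
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.Name
            Profile       = $rule.Profile
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    }
}

Enable-ScopedPing
Get-PingRuleScope | Format-Table -AutoSize
```

Any row that shows Profile Any together with RemoteAddress Any answers ping from every network the server is attached to.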