1. Stop the target VM.
2. Export the current OS disk as a VHD. Run the following script in Cloud Shell (Bash).
Background
In certain enterprise scenarios, it is possible to have isolated servers, a.k.a. workgroup servers, that are not joined to the main Active Directory domain for reasons such as security requirements (e.g. internet-facing servers).
Generally, Windows Server clients should be part of the same domain as the SCCM servers to be able to retrieve packages and security updates from SCCM Distribution Points (DPs). That is because SCCM needs to trust the client before it can push/pull packages and updates.
However, there is a workaround to this problem that involves installing domain certificates on workgroup servers that are not part of the domain. This can also be automated using PowerShell.
Steps
1. From a domain-connected client server, copy the following types of certificates over to the target workgroup client server:
a. Root
b. CertificateAuthority
c. TrustedPublisher
2. Run the following PowerShell script on the workgroup server with admin privileges. It uses the .NET classes X509Certificate2 and X509Certificate. Make sure .NET 2.0 or above is installed on the target server.
Background
You have been tasked to find out if EMC NetWorker is configured properly on your new Windows Server builds. This can be achieved by running an Ansible playbook coupled with a PowerShell script.
Script
Playbook
PowerShell
In this example, we wanted to check the backup configuration on 2 sites where each site had its own backup servers. Hence, this script relies on the naming convention of each Windows Server to determine which backup server it should connect to.
Background
You have been tasked to write a script to check the health of your Windows Server clusters. You are also required to email the cluster health report to your team.
Script
In order for the following script to work, the FailoverClusters module must be imported on the server that this script will run on. This can be achieved by running the following command, and it is a one-time task.
Before automating the installation, there are some things that need to be taken care of.
Universal Forwarder requires you to create a Splunk administrator username and password during the installation. These can either be entered at the prompt during the installation or specified on the installation command line. To get around this, we will use a user-seed.conf that contains a preconfigured username and password, as follows, which is read during the installation. More on that here: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Secureyouradminaccount
[user_info]
USERNAME = admin
PASSWORD = <your password>
The playbook is as follows.
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
Set the following registry value and restart the server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800
Transport Layer Security (TLS) Protocol CRIME Vulnerability - Splunkd port 8089
Change allowSslCompression = true to false and restart the splunkforwarder service.
C:\Program Files\SplunkUniversalForwarder\etc\system\default>more server.conf | findstr allowSslCompression
allowSslCompression = false
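
A read-only check for the two Windows findings above (the SCHANNEL Diffie-Hellman minimum and the forwarder's allowSslCompression), added here as an example and not part of the original post. The function names are hypothetical, and the forwarder path is assumed to be the default one shown in the prompt above.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
param(
    [int]$MinDhBits = 2048,  # 0x800, the dword value from the registry entry above
    # Assumption: default install path, as in the command prompt shown above
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
)

$dhKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-DhMinKeyStatus {
    # A missing key or value means the setting above has not been applied.
    $prop = Get-ItemProperty -Path $dhKey -Name ServerMinKeyBitLength -ErrorAction SilentlyContinue
    $bits = if ($prop) { [int]$prop.ServerMinKeyBitLength } else { $null }
    [pscustomobject]@{
        Check     = 'SCHANNEL ServerMinKeyBitLength'
        Value     = $bits
        Compliant = ($null -ne $bits) -and ($bits -ge $MinDhBits)
    }
}

function Get-SslCompressionStatus {
    # Simplification: reads only etc\system\local and etc\system\default and does
    # not check which stanza the key sits in. A value in local overrides default.
    $found = foreach ($dir in 'local', 'default') {
        $file = Join-Path $SplunkHome "etc\system\$dir\server.conf"
        if (Test-Path $file) {
            $m = Select-String -Path $file -Pattern '^\s*allowSslCompression\s*=\s*(\S+)' |
                Select-Object -First 1
            if ($m) { [pscustomobject]@{ File = $file; Value = $m.Matches[0].Groups[1].Value } }
        }
    }
    $effective = $found | Select-Object -First 1
    [pscustomobject]@{
        Check     = 'splunkd allowSslCompression'
        Value     = if ($effective) { "$($effective.Value) ($($effective.File))" } else { $null }
        Compliant = [bool]($effective -and $effective.Value -match '^false$')
    }
}

$results = @(Get-DhMinKeyStatus; Get-SslCompressionStatus)
$results | Format-Table -AutoSize -Wrap
# Non-zero exit code lets a scheduler or playbook flag the host.
if ($results.Compliant -contains $false) { exit 1 }
```

Both changes take effect only after the restart the steps above call for, so run the check again afterwards and confirm with a rescan.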
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
Add the following line to sshd_config and restart the sshd service.
# Ciphers and keying