Enable PowerShell execution in Windows

By default, Windows disables PowerShell script execution. This protects your computer in case a malicious PowerShell script tries to make changes on your machine, but the same setting also prevents you from running your own automation scripts.

To enable PowerShell script execution

in Windows 10

  1. Click the Windows button and type powershell into the text box,
  2. Right-click the Windows PowerShell item and select Run as administrator,
  3. In the User Account Control window click the Yes button,
  4. In the PowerShell window execute
    Set-ExecutionPolicy unrestricted

in Windows 7

  1. Click the Windows button and type powershell into the text box,
  2. Right-click the Windows PowerShell item and select Run as administrator,
  3. In the User Account Control window click the Yes button,
  4. In the PowerShell window execute
    Set-ExecutionPolicy unrestricted
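Before applying the machine-wide Unrestricted policy from the steps above, it is worth checking which scope currently decides the effective policy and whether Group Policy overrides it. The script below is an added example, not part of the original post: it performs that check and then applies the narrower RemoteSigned policy for the current user only, which needs no administrator rights.

```powershell
# Added example: inspect the execution policy per scope, then set a narrower
# policy than "Unrestricted" for the current user only.

# Each scope can hold its own value; the first non-Undefined one, top to bottom, wins.
Get-ExecutionPolicy -List | Format-Table -AutoSize
Write-Host "Effective policy: $(Get-ExecutionPolicy)"

# MachinePolicy and UserPolicy come from Group Policy and override anything
# Set-ExecutionPolicy writes, so check them first instead of wondering why
# the change had no effect.
$enforced = Get-ExecutionPolicy -List | Where-Object {
    ('MachinePolicy', 'UserPolicy') -contains $_.Scope -and $_.ExecutionPolicy -ne 'Undefined'
}
if ($enforced) {
    Write-Warning 'Execution policy is enforced by Group Policy; it has to be changed there:'
    $enforced | Format-Table -AutoSize
    return
}

# RemoteSigned runs local scripts as-is and requires a signature only on scripts
# downloaded from the internet. Scope CurrentUser writes to HKCU, so it does not
# need "Run as administrator" and does not affect other users of the machine.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Verify the result for this user
Get-ExecutionPolicy -Scope CurrentUser
```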

The security database on the server does not have a computer account for this workstation trust relationship

From time to time Windows servers may lose the trust relationship with the domain. When you try to log in with your domain credentials you get the dreaded message:

The security database on the server does not have a computer account for this workstation trust relationship

This can have many causes, and the most effective way to fix this is to detach and re-attach the server to the domain.

For security reasons it is best if there are no local admin accounts on the Windows server, only domain accounts added to the Administrators group. But if there is no local admin account on the server, how can we access it when the domain accounts do not work? When a Windows computer loses the trust of the domain, there is no way to log into it with a domain account while the computer is connected to the network and can reach the domain controllers.

If the server is in your data center it is enough to unplug the network cables: the server cannot connect to the domain controller, so you can log in with the last cached password you used for the Administrator domain account.

How can we unplug the network cables from a cloud computer?

Amazon Web Services (AWS) Security Groups and Azure Network Security Groups (NSGs) act as firewalls: they control the inbound and outbound traffic rules.

To be able to access your Windows server but prevent it from contacting the domain controller, create a security group that contains all the inbound rules necessary to reach your Windows server with Remote Desktop, but does not allow any outbound connections.

Open port 3389 for inbound traffic, but do not allow any outbound traffic.

  1. Change the security groups of the server

    1. Unselect the existing security groups to remove all other security groups from the server,
    2. Select the newly created recovery security group
  2. Use Remote Desktop to log into the server with the domain credentials you used the last time you logged into it (this can be an earlier domain password),
  3. Create a local administrator account, because once you remove the server from the domain, you will not be able to log into it with your domain account,
  4. To make sure the local administrator account credentials are correct, remote into the server with the local account,
  5. Change the security group back to the original one that enables outbound access to the domain controller,
  6. Remove the server from the domain by attaching it to a workgroup,
    1. Right-click This PC and select Properties
    2. On the Control Panel Home window select Advanced system settings
    3. On the Computer Name tab of the System Properties window click the Change… button
    4. In the Computer Name/Domain Changes window select the Workgroup radio button and enter WORKGROUP for the name of the workgroup
    5. Make sure you do these steps with the local admin account and click OK.
    6. Enter the credentials of a domain account that has enough rights to remove servers from the domain,
    7. Your server is out of the domain,
    8. Make sure again, you have a local admin account on the server and click OK,
    9. Click the Close button to continue,
    10. Make sure you have a local admin account with a known password, all your files are saved, and click the Restart Now button to restart the computer.
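Steps 1 and 5 above (swapping the recovery security group in and back out) can be scripted with the AWS CLI. The script below is an added example, not code from the original post; it assumes the AWS CLI is on the PATH with a profile that may modify the instance, and uses placeholder values for the instance ID, VPC ID and the CIDR of the workstation you will RDP from.

```powershell
# Added example: build the "recovery" security group (RDP in, nothing out),
# attach it to the instance, and remember the original groups for the way back.
$InstanceId = 'i-0123456789abcdef0'    # placeholder
$VpcId      = 'vpc-0123456789abcdef0'  # placeholder
$AdminCidr  = '203.0.113.10/32'        # placeholder: only the admin workstation's address

# Remember the groups currently attached, so step 5 can restore them
$originalGroups = aws ec2 describe-instances --instance-ids $InstanceId `
    --query 'Reservations[].Instances[].SecurityGroups[].GroupId' --output text
$originalGroups = $originalGroups -split '\s+'
Write-Host "Original security groups: $originalGroups"

# Create the recovery group
$recoverySg = aws ec2 create-security-group --group-name 'domain-trust-recovery' `
    --description 'RDP only, no outbound - temporary' --vpc-id $VpcId `
    --query 'GroupId' --output text

# Inbound: only TCP 3389, and only from the admin workstation rather than 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id $recoverySg `
    --protocol tcp --port 3389 --cidr $AdminCidr

# Outbound: a new group allows all egress by default; revoke that rule so the
# server cannot reach a domain controller and falls back to cached credentials.
# (If the VPC has IPv6, the ::/0 egress rule must be revoked as well, using
# --ip-permissions with an Ipv6Ranges entry.)
aws ec2 revoke-security-group-egress --group-id $recoverySg --protocol all --cidr 0.0.0.0/0

# Step 1: replace every group on the instance with the recovery group
aws ec2 modify-instance-attribute --instance-id $InstanceId --groups $recoverySg

# Step 5, once the local administrator account has been verified: put the
# original groups back and delete the temporary one.
# aws ec2 modify-instance-attribute --instance-id $InstanceId --groups $originalGroups
# aws ec2 delete-security-group --group-id $recoverySg
```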

Remove the server from the domain controller database

To successfully add the server to the domain again, you need to remove the current entry of the server from the domain.

  1. Log into the domain controller,
  2. Open the ActiveRoles Console,
  3. Expand the Active Directory item, right-click the domain name, and select Find,
  4. In the Find drop-down select Computers, enter the name of the computer into the Name field and click the Find Now button,
  5. Right-click the name of the found computer and select Delete.


Add the server to the domain

  1. Using the local admin account log into the server,
  2. Follow the steps above to open the Computer Name/Domain Changes window,
  3. Select the Domain radio button, enter the name of the domain, and click OK,
  4. Enter the credentials of a domain account that has enough rights to add servers to the domain. Don’t forget to add the name of the domain in front of your username with a backslash.
  5. The server has been successfully added to the domain,
  6. Click OK to continue,
  7. Click the Close button to restart the computer.
  8. Click the Restart Now button to restart the computer.
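The account creation, unjoin, directory clean-up and rejoin steps above can also be done from PowerShell. The script below is an added example, not from the original post; it is run in sections on the machine named in each section, assumes Windows Server 2016 or later for the LocalAccounts cmdlets, uses the ActiveDirectory module on the domain controller in place of the ActiveRoles Console, and uses placeholder values for the domain and server names.

```powershell
# Added example: local recovery account, leave the domain, delete the stale
# computer object, rejoin. Run each section where the comment says.
$DomainName    = 'corp.example'   # placeholder
$DomainNetbios = 'CORP'           # placeholder
$ServerName    = 'APP01'          # placeholder: the server with the broken trust

### On the server, logged in with the cached domain credentials (steps 3 and 4)
$localAdmin = 'recovery-admin'
$pw = Read-Host -Prompt "Password for $localAdmin" -AsSecureString   # never hard-code it
New-LocalUser -Name $localAdmin -Password $pw -PasswordNeverExpires -Description 'Temporary recovery account'
Add-LocalGroupMember -Group 'Administrators' -Member $localAdmin
# Confirm membership, then (step 4) actually log in with this account before continuing
Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -like "*\$localAdmin"

### On the server, logged in as the local admin, after the original security
### group is back (step 6): leave the domain for a workgroup and reboot.
$unjoinCred = Get-Credential -Message "Domain account allowed to remove computers ($DomainNetbios\user)"
Remove-Computer -UnjoinDomainCredential $unjoinCred -WorkgroupName 'WORKGROUP' -Force -Restart

### On the domain controller: delete the stale computer object
### (the same result as Find -> Delete in the console steps above)
Import-Module ActiveDirectory
$obj = Get-ADComputer -Filter "Name -eq '$ServerName'"
if ($obj) {
    # If this fails because the object has child objects, use Remove-ADObject -Recursive
    Remove-ADComputer -Identity $obj -Confirm:$false
}

### Back on the server as the local admin: rejoin the domain and reboot.
### The prompt expects DOMAIN\username, as the step above notes.
$joinCred = Get-Credential -Message "Domain account allowed to add computers ($DomainNetbios\user)"
Add-Computer -DomainName $DomainName -Credential $joinCred -Force -Restart
```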

Restore Windows Server 2012 R2 from backup

Windows Server includes the Windows Server Backup feature. It can create full backups of your server that contain all volumes. With bare metal recovery you can fully restore the server even if the hard disks fail, after a virus attack, or after a security breach. Depending on the size of the server drives and the backup media, schedule frequent backups, so that when you need to restore the server, less data has to be entered again.

To restore a Windows Server from a backup image

  1. Insert the Windows Server 2012 R2 installation DVD into the DVD drive of the server
  2. Boot the server from the DVD
  3. Connect the drive that contains the backup images to the server
  4. On the first screen select the language and keyboard options
  5. On the next screen, select Repair your computer
  6. Select the Troubleshoot icon
  7. Click System Image Recovery
  8. Select your operating system as the target operating system
  9. Select the backup image to restore: the latest one, or one from a previous date
  10. If you selected the Select a system image option
    1. In the table select the backup device
    2. Select the time of the backup
    3. If you want to clear the drives of the server select the Format and repartition disks option

Configure the Windows virtual machine in VirtualBox

Enable shared folders on the virtual machine

To use shared folders between the host (your workstation) and the Windows virtual machine, install the Guest Additions in the virtual machine:

  • Start the Windows virtual machine in VirtualBox,
  • Select the virtual machine window on your workstation,
  • In the Devices menu of VirtualBox select Insert Guest Additions CD image…
  • In the virtual machine start Windows Explorer,
  • Open the VirtualBox Guest Additions CD,
  • Start VBoxWindowsAdditions.exe,

The shared folders will be available in the virtual machine’s Windows Explorer as the D: drive.

VirtualBox installation and configuration on Windows

Download VirtualBox from https://www.virtualbox.org/wiki/Downloads and follow the instructions to install it.

At the time of writing, the installer files were referenced in the download section shown in the screenshot (image not reproduced here).

Run the downloaded installer file and accept all default values.

The installer starts the VirtualBox application. You can close it; we will use other tools to start it in the future.

To be able to launch 64-bit guest operating systems, turn off Hyper-V in Windows Features:

  1. In the Windows search box enter Windows Features and select Turn Windows Features on or off,
  2. Uncheck Hyper-V and click OK,
  3. Reboot the computer for the setting to take effect.

Create a virtual machine

To create a new virtual machine, download the OS image from the manufacturer’s web site, then:

  1. Start the VirtualBox application
  2. Click the New icon
  3. Enter a name, select the operating system type and version, and set the memory size,
  4. Set the initial size of the virtual hard disk
  5. Select the virtual machine icon and click the Start button,
  6. Click the Browse icon and select the OS image file in the Downloads directory,
  7. Click the Start button

Configure VirtualBox for each virtual machine

Networking

To share the connectivity of the host computer with the virtual machine (mainly if you use a VPN):

  1. In Virtual box click Settings
  2. Select Network
  3. Attach the network adapter to NAT

Copy and paste

To enable copy and paste between the virtual machine and the host (your workstation):

  1. On the General tab of the Settings page select the Bidirectional shared clipboard

Shared Folders

Specify the shared folder on your workstation:

  1. In the VirtualBox menu select Preferences
  2. On the Shared Folders tab click the + icon
  3. To share the entire system drive, select the C: drive of your workstation

Configure the virtual machine OS

To configure the virtual machine operating system in VirtualBox, see Virtual machine configuration on the VirtualBox page.

Create the AWS credentials file from a Chef Data Bag

When a process on a server instance needs access to an AWS account, the user who executes the AWS CLI commands needs to be able to authenticate to AWS automatically.

For automatic AWS authentication, the AWS CLI creates two files in the .aws directory:

  • config and
  • credentials.

The location of this directory depends on the operating system and the type of user.

  • On Linux, the location is ~/.aws (the user’s home directory)
  • On Windows, it is located at C:\Users\USER_NAME\.aws
  • On Windows, if the file was created by SYSTEM, the location is C:\Windows\System32\config\systemprofile\.aws

Store the AWS key values

To create these files, you need to store the AWS Access Key and Secret Key. The safest place for these values is an encrypted data bag. To automatically generate the AWS files, create a data bag item file, named the same as the “id” value, with the following structure:

{
  "id": "MY_DATA_BAG_ITEM_NAME",
  "MY_PROFILE_1": {
    "region": "MY_REGION_1",
    "aws_access_key_id": "MY_ACCESSKEY_1",
    "aws_secret_access_key": "MY_SECRET_KEY_1"
  },
  "MY_PROFILE_2": {
    "region": "MY_REGION_2",
    "aws_access_key_id": "MY_ACCESSKEY_2",
    "aws_secret_access_key": "MY_SECRET_KEY_2"
  }
}

To create and encrypt the data bag, see my post on Chef Data Bags.

Create the AWS authentication files

  1. In your Chef recipe, first install the AWS CLI and reboot the server, so the new path entry will be available for the Chef process.
  2. The following Chef code creates the AWS config and credentials files. The script
    1. opens and decrypts the data bag,
    2. loads it into a hash table,
    3. iterates through the hash items,
    4. skips the “id” item,
    5. stores the AWS key values in a temporary file,
    6. executes the “aws configure” command to generate the AWS config and credential files.
  # Iterate through the data bag and create the credentials file
  Chef::Log.info('***** Creating the AWS credentials file')

  # Load and decrypt the data bag item into a hash
  aws_credentials = Chef::EncryptedDataBagItem.load('MY_DATA_BAG_NAME', 'MY_DATA_BAG_ITEM_NAME').to_hash

  # Iterate through the profiles, skip the "id" item
  aws_credentials.each_pair do |key, value|
    next if key == 'id'

    # Log only the profile name and region, never the key values
    Chef::Log.info("Account #{key}, Region #{value['region']}")

    # Feed the four "aws configure" prompts (access key, secret key, region,
    # output format) from a temporary file, then delete the file so the secret
    # does not stay on disk after the run.
    batch "add_aws_credentials_#{key}" do
      code <<-EOF
        echo #{value['aws_access_key_id']}> input.txt
        echo #{value['aws_secret_access_key']}>> input.txt
        echo #{value['region']}>> input.txt
        echo.>> input.txt
        aws configure --profile #{key} < input.txt
        del input.txt
      EOF
      sensitive true   # keep the key values out of the Chef log and converge output
    end
  end


Bootstrap Chef nodes to connect them to the Chef server

A Chef node is a physical or virtual machine with an operating system that is connected to the Chef server. Once the node has made the connection to the Chef server, the installed Chef Client can execute Chef cookbooks to configure the machine.

Bootstrapping is the process of connecting the node to the Chef server for the first time, or of attaching it again if the node lost connectivity to the Chef server. To be able to bootstrap a node, your workstation needs to have the Chef Development Kit installed. The kit includes the ‘knife’ command that communicates with the Chef server. Your workstation also has to be able to connect to the Chef server with the YOUR_USERNAME.pem file you store in the .chef directory just above your cookbooks.

Bootstrap a Linux node

To bootstrap a Linux node, open a terminal window on your workstation and execute the command:

knife bootstrap MY_NODE_IP -x MY_USERNAME -P MY_PASSWORD --sudo --node-name THE_NODE_NAME --environment THE_ENVIRONMENT --run-list 'recipe[MY_COOKBOOK1::default],recipe[MY_COOKBOOK2::default]'

Bootstrap a Windows node

To bootstrap a Windows node over WinRM, execute the command:

knife bootstrap windows winrm MY_NODE_IP -x MY_USERNAME -P MY_PASSWORD --node-name THE_NODE_NAME --environment THE_ENVIRONMENT --run-list 'recipe[MY_COOKBOOK1::default],recipe[MY_COOKBOOK2::default]' -V

where

  • MY_NODE_IP is the IP address of the node you want to attach to the Chef server,
  • MY_USERNAME and MY_PASSWORD are the credentials to connect to the node.
    If the Windows server is in the Windows domain, start the username with the domain name: MY_DOMAIN\\MY_USERNAME
    If the Windows server is not in the domain, start the username with the IP address: MY_NODE_IP\\MY_USERNAME
  • THE_NODE_NAME is the unique name you want the node to use in the Chef server database. If you are bootstrapping a server that lost connectivity to the Chef server or moving the node to another Chef server, find the node name in the node list.
  • THE_ENVIRONMENT is the name of the environment the node will run the cookbook in,
  • The run list is a list of cookbooks and roles. No spaces are allowed in the string.

How to create a bootable USB drive to install Windows

If the computer you want to install Microsoft Windows on does not have a DVD drive, you can install Windows from a USB drive. To start the computer from the USB drive, you need to prepare the drive to make it bootable.

Microsoft has a free tool that can download the edition of the Windows operating system you need, format the USB drive, make it bootable, and place the installer files on it.

  1. Using a web browser navigate to https://www.microsoft.com/en-us/software-download/windows10,
  2. Click the Download tool now button to install the Microsoft Media Creation Tool,
  3. Start the downloaded MediaCreationTool.exe program and follow the prompts.

Cannot restart the Atlassian Confluence service on Windows

When the Atlassian Confluence wiki is installed on a Windows server, it frequently becomes unavailable. Sometimes it is possible to restart the Atlassian Confluence Windows service, but most of the time the Stop phase times out with:

Windows could not stop the Atlassian Confluence service on Local Computer.
Error 1053: The service did not respond to the start or control request in a timely fashion.

To make Atlassian Confluence work again

  1. Open Task Manager,
  2. End the tomcat…exe process,
  3. Start the Atlassian Confluence Windows service.
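The three steps above can be scripted so that the hung Tomcat process is identified through the service's own process ID rather than by name. This is an added example, not from the original post; it assumes the service display name is 'Atlassian Confluence', as shown in the error text.

```powershell
# Added example: stop the Confluence service, end its Tomcat process if the
# stop request times out, and start the service again.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='Atlassian Confluence'"
if (-not $svc) { throw "Service 'Atlassian Confluence' not found" }

# Ask the service to stop; with Error 1053 this call eventually fails
try {
    Stop-Service -Name $svc.Name -ErrorAction Stop
} catch {
    Write-Warning "Stop failed ($($_.Exception.Message)); ending the service process instead"
}

# Re-read the service record: if a process is still attached to it, end that one
$svc = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
if ($svc.ProcessId -ne 0) {
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    if ($proc) {
        Write-Host "Ending $($proc.ProcessName) (PID $($proc.Id)) owned by service $($svc.Name)"
        Stop-Process -Id $proc.Id -Force
        $proc.WaitForExit()
    }
}

# The service may sit in StopPending briefly after its process is gone
(Get-Service -Name $svc.Name).WaitForStatus('Stopped', '00:00:30')

# Start the service again and show its state
Start-Service -Name $svc.Name
Get-Service -Name $svc.Name
```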

Send CTRL-ALT-DELETE to a Windows Virtual Box computer from a Macintosh

When you start a Windows 7 or equivalent server machine, you need to press CTRL-ALT-DELETE on the keyboard to get the login page. To send Control-Alt-Delete to a Windows virtual machine in VirtualBox from a Macintosh:

on a Macintosh laptop press the fn – Command – Delete (the backspace key) keys,

on a Macintosh desktop press the Command – Delete (the forward delete key) keys.