Windows Server 2019 Core

SQL Server 2019 Serial Key

Enterprise: HMWJ3-KY3J2-NMVD7-KG4JR-X2G8G
Enterprise Core: 2C9JR-K3RNG-QD4M4-JQ2HR-8468J


Standard: PMBDC-FXVM3-T777P-N4FY8-PKFF4

 

 

Win Server 2019 Core:

Install updates:

sconfig

Set the time zone:

control timedate.cpl

Set the region:

control intl.cpl

Notepad:

notepad

Registry:

regedit/regedt32

Rename the computer:

netdom renamecomputer %computername% /newname:DC01

 

Installing and Configuring OpenSSH on Windows Server 2019

 
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Set-Service -Name ssh-agent -StartupType 'Automatic'
Set-Service -Name sshd -StartupType 'Automatic'
Start-Service ssh-agent
Start-Service sshd
 
ssh username@domain@hostname_or_IP_address
 
 
 

Set PowerShell as the default command shell:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\' -Name Shell -Value 'PowerShell.exe -noExit'

View the network adapter IP configuration:

Get-NetIPAddress

Identify the network adapter whose IP address needs to be changed and configure it:

New-NetIPAddress -InterfaceIndex 12 -IPAddress 192.168.16.20  -PrefixLength 24 -DefaultGateway 192.168.16.2

Change the DNS servers:

Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses 192.168.16.2,223.5.5.5

Enable Remote Desktop:

cscript C:\Windows\System32\Scregedit.wsf /ar 0

 

Get-NetFirewallRule -Name *SMB* | Select Name,Enabled,Direction,Action,PrimaryStatus

 

1. Use PowerShell to Create a New Active Directory Forest on Windows 2019 Server Core Installation (no-GUI):

 

Install-WindowsFeature -Name AD-Domain-Services


 

$Password = Read-Host -Prompt   'Enter SafeMode Admin Password'  -AsSecureString


 

Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath C:\Windows\NTDS -DomainMode WinThreshold -DomainName nipit.cn -DomainNetbiosName NIPIT -ForestMode WinThreshold -InstallDns:$true -LogPath C:\Windows\NTDS -NoRebootOnCompletion:$true -SafeModeAdministratorPassword $Password -SysvolPath C:\Windows\SYSVOL -Force:$true


Windows Server 2019 does not introduce a new domain or forest functional level, so a value of “WinThreshold” or 7 puts it in Windows Server 2016 mode. The valid values are:

  • Default
  • Windows Server 2003: “Win2003” or “2”
  • Windows Server 2008: “Win2008” or “3”
  • Windows Server 2008 R2: “Win2008R2” or “4”
  • Windows Server 2012: “Win2012” or “5”
  • Windows Server 2012 R2: “Win2012R2” or “6”
  • Windows Server 2016: “WinThreshold” or “7”

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Create a new DWORD called EnableAutoTray and set the value to 0

 

Creating a New AD User in PowerShell from an Existing User:

set-ADUser administrator -PasswordNeverExpires  $true

$user = Get-ADUser administrator -Properties *
New-ADUser -Name 'gazh' -Instance $user

New-ADUser -Name 'gazh' -Instance $user -AccountPassword (Read-Host "Password" -AsSecureString)

 

Add-ADGroupMember -Identity "Domain Admins" -Member gazh

Add-ADGroupMember -Identity "Enterprise Admins" -Member gazh

Add-ADGroupMember -Identity "Schema Admins" -Member gazh
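
After membership changes like the ones above, it helps to list who now holds forest-wide privileges and which of those accounts have non-expiring passwords. The following is an added example, not part of the original post; Get-PrivilegedAccountReport is a hypothetical helper name, and it assumes the ActiveDirectory module is available on the machine where it runs.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (added example): one row per user account that is a
# direct or nested member of the three groups used above.
function Get-PrivilegedAccountReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )
    $accounts = @{}
    foreach ($group in $Groups) {
        foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
            if ($member.objectClass -ne 'user') { continue }
            $key = $member.SID.Value
            if (-not $accounts.ContainsKey($key)) {
                $user = Get-ADUser -Identity $member.SID `
                    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate
                $accounts[$key] = [pscustomobject]@{
                    SamAccountName       = $user.SamAccountName
                    Enabled              = $user.Enabled
                    PasswordNeverExpires = $user.PasswordNeverExpires
                    PasswordLastSet      = $user.PasswordLastSet
                    LastLogonDate        = $user.LastLogonDate
                    Groups               = New-Object System.Collections.Generic.List[string]
                }
            }
            $accounts[$key].Groups.Add($group)
        }
    }
    $accounts.Values | Sort-Object SamAccountName
}

$report = Get-PrivilegedAccountReport
$report | Format-Table SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet,
    @{ Name = 'Groups'; Expression = { $_.Groups -join ', ' } }

# Accounts that are both highly privileged and exempt from password expiry
$report | Where-Object { $_.Enabled -and $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate
```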

 

Install a second domain controller:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Install-ADDSDomainController -InstallDns -Credential (Get-Credential nipc\gazh) -DomainName "nipc.com.cn"

 

Remove the first domain controller:

Uninstall-WindowsFeature  ADCS-Web-Enrollment

Uninstall-WindowsFeature ADCS-Cert-Authority

Uninstall-WindowsFeature AD-Certificate

Uninstall-WindowsFeature DHCP,Web-Server

 

Uninstall-ADDSDomainController 

 

Uninstall-WindowsFeature dns,AD-Domain-Services

 

 

To clean up server metadata by using Ntdsutil

  1. Open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials of an Enterprise Administrator if required, and then click Continue.

  2. At the command prompt, type the following command, and then press ENTER:

    ntdsutil

  3. At the ntdsutil: prompt, type the following command, and then press ENTER:

    metadata cleanup

  4. At the metadata cleanup: prompt, type the following command, and then press ENTER:

    remove selected server <ServerName>

  5. In Server Remove Configuration Dialog, review the information and warning, and then click Yes to remove the server object and metadata.

    At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, the domain controller might have been removed earlier.

  6. At the metadata cleanup: and ntdsutil: prompts, type quit, and then press ENTER.

  7. To confirm removal of the domain controller:

 

 

 

 

2. Use PowerShell to Install a DHCP Server on a Windows Server 2019 (Server Core) Active Directory Domain Controller

 

Install-WindowsFeature -Name DHCP

 

Add the DHCP scope to the server:

Add-DhcpServerv4Scope -Name '192.168.16.0' -StartRange 192.168.16.101 -EndRange 192.168.16.199 -SubnetMask 255.255.255.0

Set the scope options:

Set-DhcpServerv4OptionValue -ScopeID '192.168.16.0' -DNSServer 192.168.16.20 -DNSDomain nipit.cn -Router 192.168.16.2

Or set server options:

Set-DhcpServerv4OptionValue -DNSServer 192.168.16.20 -DNSDomain nipit.cn -Router 192.168.16.2

 

Authorize the DHCP server in the domain:

Add-DhcpServerInDC -DnsName dc01.nipit.cn

 

Display information about the scope.

Get-DhcpServerv4Scope | Select-Object -Property *


 

 

3. Installing Certificate Services in Server Core 2019

 

Role Name:

Active Directory Certificate Services        AD-Certificate
Certification Authority                      ADCS-Cert-Authority
Certificate Enrollment Policy Web Service    ADCS-Enroll-Web-Pol
Certificate Enrollment Web Service           ADCS-Enroll-Web-Svc
Certification Authority Web Enrollment       ADCS-Web-Enrollment
Network Device Enrollment Service            ADCS-Device-Enrollment
Online Responder                             ADCS-Online-Cert

 

Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority,ADCS-Web-Enrollment

Install-AdcsCertificationAuthority  -ValidityPeriod  Years  -ValidityPeriodUnits 20 -CACommonName NIPIT-CA

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 50 -CACommonName NIPIT-CA
 


 

Configure Certificate Authority Web Enrollment:

Install-AdcsWebEnrollment


Open: http://<servername>/certsrv

You can then request certificates through the browser.

4. Remotely managing IIS on Windows Server Core 2019:

 

Install-WindowsFeature Web-Mgmt-Service
netsh advfirewall firewall add rule name="IIS Remote Management" dir=in action=allow service=WMSVC

 

New-NetFirewallRule -DisplayName "IIS Remote Management" -Direction Inbound  -Action Allow -Service  WMSVC

Open the Registry Editor by running “regedit”.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server
 
Set “EnableRemoteManagement” to “1”

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server]
"EnableRemoteManagement"=dword:00000001
 
reg import file.reg
 

Configure the Web Management Service to run on boot by running the following command.

  • Install the Web-Server role
  • Install the Web-Mgmt-Service
  • Enable Remote Management
  • Set the WMSVC service to start automatically
  • Create connection from Remote IIS Management Console
 
 
Set-Service -Name WMSVC -StartupType Automatic
Get-Service WMSVC | Select-Object -Property Name, StartType, Status
Set-Service -Name WMSVC -Status Running -PassThru
 

IIS Manager for Remote Administration 1.2

https://www.iis.net/downloads/microsoft/iis-manager

Download IIS Manager for Remote Administration 1.0

https://download.microsoft.com/download/2/4/3/24374C5F-95A3-41D5-B1DF-34D98FF610A3/inetmgr_amd64_en-US.msi

Remote Server Administration Tools for Windows 10

https://www.microsoft.com/en-us/download/details.aspx?id=45520

https://download.microsoft.com/download/1/D/8/1D8B5022-5477-4B9A-8104-6A71FF9D98AB/WindowsTH-RSAT_WS_1803-x64.msu


 

 

 

Windows Admin Center:

https://docs.microsoft.com/zh-cn/windows-server/manage/windows-admin-center/overview

 

Invoke-WebRequest https://aka.ms/WACDownload -UseBasicParsing -outfile wac.msi  -PassThru

msiexec /i wac.msi /qn /L*v log.txt SME_PORT=8080 SSL_CERTIFICATE_OPTION=generate

New-NetFirewallRule -DisplayName "Allow Windows Admin Center port 8080" -Direction Inbound -Action Allow -Protocol TCP -LocalPort  8080
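
An alternative to the three commands above that checks the downloaded MSI's Authenticode signature before installing it and limits the port 8080 rule to a management subnet. This is an added example, not part of the original post: Test-InstallerSignature is a hypothetical helper, the expectation that the package is signed by Microsoft Corporation is an assumption, and 192.168.16.0/24 is assumed from the addresses used earlier on this page.

```powershell
# Hypothetical helper (added example): true only when the file carries a valid
# Authenticode signature whose signer subject names Microsoft Corporation.
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    # Assumption: the expected publisher string for this package
    return $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
}

$msi = Join-Path $PWD.Path 'wac.msi'
Invoke-WebRequest https://aka.ms/WACDownload -UseBasicParsing -OutFile $msi

if (-not (Test-InstallerSignature -Path $msi)) {
    Remove-Item $msi
    throw 'wac.msi failed Authenticode validation; not installing.'
}

# Keep a record of exactly which package was installed
Get-FileHash -Path $msi -Algorithm SHA256 | Format-List Algorithm, Hash, Path

# Same msiexec options as the command above
Start-Process msiexec.exe -Wait -ArgumentList @(
    '/i', "`"$msi`"", '/qn', '/L*v', 'log.txt',
    'SME_PORT=8080', 'SSL_CERTIFICATE_OPTION=generate'
)

# Same rule as above, but reachable only from the assumed management subnet
New-NetFirewallRule -DisplayName 'Allow Windows Admin Center port 8080' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8080 `
    -RemoteAddress 192.168.16.0/24
```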

 

Enable and Disable Windows Firewall:

Set-NetFirewallProfile  -All -Enabled  false

Set-NetFirewallProfile  -All -Enabled  true

netsh advfirewall set allprofiles state off

netsh advfirewall set allprofiles state on

 

New-NetFirewallRule -Name "Block HTTP" -DisplayName "Block HTTP" -Enabled 1 -Direction Inbound -Action Block -LocalPort 80 -Protocol TCP

 

Get-NetFirewallRule -Name *Block* | Select Name,Enabled,Direction,Action,PrimaryStatus

Get-NetFirewallRule -Name FPS-ICMP* |Set-NetFirewallRule -Enabled true

 

Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |select Name,Enabled,Direction,Action

 

Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

 

To configure Windows Firewall to allow MMC snap-in(s) to connect
  • To allow all MMC snap-ins to connect, run

    Enable-NetFirewallRule -DisplayGroup "Remote Administration"

  • To allow only specific MMC snap-ins to connect, run:

    Enable-NetFirewallRule -DisplayGroup "<rulegroup>"

 

MMC snap-in                                  Rule group
Event Viewer                                 Remote Event Log Management
Services                                     Remote Service Management
Shared Folders                               File and Printer Sharing
Task Scheduler                               Performance Logs and Alerts
                                             File and Printer Sharing
Disk Management                              Remote Volume Management
Windows Firewall with Advanced Security      Windows Firewall Remote Management

 

 

 

 

To manage a remote Windows Server Core server with MMC, you first need to open some firewall rules on the remote server:

 

#
# This script works on a variety of settings that are easiest done from the
# local machine to make it remotely manageable by a management workstation.

# Ensure Server Manager remoting is enabled
Configure-SMRemoting.exe -Enable

# Set some firewall rules

#  Allow ping
Set-NetFirewallRule -Name "FPS-ICMP4-ERQ-In" -Enabled True
Set-NetFirewallRule -Name "FPS-ICMP6-ERQ-In" -Enabled True
Set-NetFirewallRule -Name "FPS-ICMP4-ERQ-Out" -Enabled True
Set-NetFirewallRule -Name "FPS-ICMP6-ERQ-Out" -Enabled True

#  Enable remote volume management - firewall rules need to be set on both
#  source and destination computers
#  ***NOTE*** Policy must also be set on system to "Allow remote access
#  to the Plug and Play interface"
#  This is done with gpedit.msc locally or gpedit for domain policy
Set-NetFirewallRule -Name "RVM-VDS-In-TCP" -Enabled True
Set-NetFirewallRule -Name "RVM-VDSLDR-In-TCP" -Enabled True
Set-NetFirewallRule -Name "RVM-RPCSS-In-TCP" -Enabled True

#  Allow the DCOM management inbound rule (other features may already have
#  opened DCOM-In, so an "object not found" error may be reported; it is harmless)
Set-NetFirewallRule -Name "ComPlusNetworkAccess-DCOM-In" -Enabled True


#  Enable remote service management
Set-NetFirewallRule -Name "RemoteSvcAdmin-In-TCP" -Enabled True
Set-NetFirewallRule -Name "RemoteSvcAdmin-NP-In-TCP" -Enabled True
Set-NetFirewallRule -Name "RemoteSvcAdmin-RPCSS-In-TCP" -Enabled True

#  Enable Remote Event Log Management
Set-NetFirewallRule -Name "RemoteEventLogSvc-In-TCP" -Enabled True
Set-NetFirewallRule -Name "RemoteEventLogSvc-NP-In-TCP" -Enabled True
Set-NetFirewallRule -Name "RemoteEventLogSvc-RPCSS-In-TCP" -Enabled True

#  Enable Remote Scheduled Tasks Management
Set-NetFirewallRule -Name "RemoteTask-In-TCP" -Enabled True
Set-NetFirewallRule -Name "RemoteTask-RPCSS-In-TCP" -Enabled True

#  Enable Windows Firewall Remote Management
Set-NetFirewallRule -Name "RemoteFwAdmin-In-TCP" -Enabled True
Set-NetFirewallRule -Name "RemoteFwAdmin-RPCSS-In-TCP" -Enabled True

#  Enable WMI management requests in
Set-NetFirewallRule -Name "WMI-WINMGMT-In-TCP" -Enabled True

#  Set some services to automatically start and start them.
Set-Service -Name PlugPlay -StartupType Automatic
Start-Service PlugPlay
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service RemoteRegistry
Set-Service -Name vds -StartupType Automatic
Start-Service vds

#  Enable Remote Desktop
(Get-WmiObject Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices).SetAllowTsConnections(1,1) | Out-Null
#  SetUserAuthenticationRequired(0) turns off Network Level Authentication for RDP;
#  pass 1 instead to require NLA
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0) | Out-Null

$srvr = Read-Host "Enter name to assign to this computer:"
(Get-WmiObject win32_computersystem).rename($srvr)

$domain = Read-Host "Enter domain this computer should join (you will be prompted for credentials):"
Add-Computer -DomainName $domain

Write-Host -ForegroundColor Yellow "System will now be rebooted."
Shutdown -r -t 5
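
To review what the script above leaves open on a server, the following added example (not part of the original script) reports the state and source-address scope of the firewall rules it enables, the services it starts, and whether RDP requires Network Level Authentication. Get-RemoteMgmtExposure is a hypothetical helper name; the rule and service names are the ones the script uses.

```powershell
# Hypothetical helper (added example): summarize the remote-management surface
# that the script above enables.
function Get-RemoteMgmtExposure {
    $ruleNames = @(
        'FPS-ICMP4-ERQ-In', 'FPS-ICMP6-ERQ-In', 'FPS-ICMP4-ERQ-Out', 'FPS-ICMP6-ERQ-Out',
        'RVM-VDS-In-TCP', 'RVM-VDSLDR-In-TCP', 'RVM-RPCSS-In-TCP',
        'ComPlusNetworkAccess-DCOM-In',
        'RemoteSvcAdmin-In-TCP', 'RemoteSvcAdmin-NP-In-TCP', 'RemoteSvcAdmin-RPCSS-In-TCP',
        'RemoteEventLogSvc-In-TCP', 'RemoteEventLogSvc-NP-In-TCP', 'RemoteEventLogSvc-RPCSS-In-TCP',
        'RemoteTask-In-TCP', 'RemoteTask-RPCSS-In-TCP',
        'RemoteFwAdmin-In-TCP', 'RemoteFwAdmin-RPCSS-In-TCP',
        'WMI-WINMGMT-In-TCP'
    )
    # Rules missing on this build are skipped rather than treated as errors
    $rules = foreach ($rule in Get-NetFirewallRule -Name $ruleNames -ErrorAction SilentlyContinue) {
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.Name
            Enabled       = [string]$rule.Enabled
            Profile       = [string]$rule.Profile
            RemoteAddress = @($addr.RemoteAddress) -join ','
        }
    }
    $rdp = Get-CimInstance -Namespace root\cimv2\TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        AllRules      = @($rules)
        # Enabled rules that accept traffic from any source address
        UnscopedRules = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.RemoteAddress -eq 'Any' })
        Services      = Get-Service -Name PlugPlay, RemoteRegistry, vds |
                            Select-Object Name, StartType, Status
        NlaRequired   = [bool]$rdp.UserAuthenticationRequired
    }
}

$report = Get-RemoteMgmtExposure
$report.UnscopedRules | Format-Table Name, Profile, RemoteAddress
$report.Services | Format-Table
"NLA required for RDP: $($report.NlaRequired)"
```

Rules listed under UnscopedRules can be narrowed with Set-NetFirewallRule -RemoteAddress so that only the management workstation or subnet can reach them.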