eXe's questions

Windows Server 2012 - WDS installed and configured to deploy Windows Server 2012 on several Clients.

We will depoly several Windows Server 2012 Clients, each of the Clients should NOT know the initial Password of the other Clients.

The WDS Server stores each image_unattended.xml assigned to an image in following way:

{WDSRoot}/Images/{ImageGroupName}/{ImageName}/Unattend/ImageUnattend.xml

This Folder and containing files are readyble for all Users which authenticated via the client_unattended.xml:

<WindowsDeploymentServices>
  <Login>
    <WillShowUI>OnError</WillShowUI>
    <Credentials>
      <Username>Unattended</Username>
      <Domain>WORKGROUP</Domain>
      <Password>{Password}</Password>
    </Credentials>

Is there a way to Limit the access to only one desired user?

On the other side it would be fine if there would be a secure mechanism to encrypt the Administrator password in the image_unattended.xml, but as far as i know, it can only encoded base64 with the addition of "AdministratorPassword":

So, mystrongpassword becomes bXlzdHJvbmdwYXNzd29yZEFkbWluaXN0cmF0b3JQYXNzd29yZA==, which can be decoded every time *rolleyes

Is there another way to (really) encrypt / hash the password in the xml?

If not, is it possible to set user permissions to the image_unattended.xml files?

Edit: maybe netsh advfirewall is the way to go, to not let other (already installed) clients browse all data on the WDS Server?

Windows Server 2012 - WDS installed and configured to deploy Windows Server 2012 on several clients.

Two problems are occuring during / after installation of Windows 2012 via WDS:

• If the Server had Linux installed before the reinstallation, Windows Setup failes with the Error Message, that it can not read the partitions (WillWipeDisk is set to true) - is there a way (exept custom WindowsPE image) to destroy all partitioning before the windows setup begins to read the partitions?

• If no partitioning error occurs (becouse no linux partitions are on the hdds) the installation will success. After the installation is done, the first screen is the language selection (but the language is already defined in the xml), and after that the next screen is to accept the eula :-( (which is alo defined in the xml)

Seems i have some missconfigurations in my xml's (?):

Client XML

Windows Server 2012 Image XML

I tried several configrations right now, but none of them seem to accept the language and eula config.

The weird thing is, that those configurations (eula and language) does work if we do not work with an WDS Server (Old way, without WDS - one unattended XML for all configurations).

Distribution Server and Software:

Debian 8
TFTP Server
SAMBA Server
DHCP Server

Right now we use following way for windows (2012) distribution to our servers:

• installation task inkomming
• edit dhcp server (new server)
• auto create wim boot image (via debian server, modification of wim template via wimlib)
• create samba share with unattended.xml
• power on pc
• dhcp request of new server
• tftp download of wim (winpe) image
• winpe boot and mount of sambsa share
• unattended installation of windows

this works as expected - but the tftp download is limited to one fix source {TFTPSource}/Boot/startrom.0

Becouse of the limitation of the path, right now its only possible to start one windows installation at time until the load of the wim image is done. after the wim image is done the next installation can be triggered.

now we searched for a "better" way to install multiple windows servers at once. We found several projekts like OPSI or Unattended but none of them seems to fit our requirements:

OPSI seems to need a software on the client, which is permament on the client. It seems there is no official support for Windows Server 2016 Distribution.

Unattended seems only for Windows 2000 / XP / 2003.

We would need (it could be a windows deploeyment server at all) a deployment server, which can deliver multiple clients at once (unattended installation based on a unattended template, which we will edit before the installation)

What is the right way to deliver windows server 2012 (2016, and maybe other windows distributions) onto multiple clients?

Is there a free windows software (preferable remote controllable with commandline) for this need?

Maybe there is a way to modify the fix coded path {TFTPSource}/Boot/startrom.0 of the windows Bootrom?

Preseeding of Ubuntu / Debian works correct - system is bootable.

But fdisk -l is resulting following:

Disk /dev/sda: 50 GiB, 53687091200 bytes, 104857600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x000e157a

Device     Boot    Start       End  Sectors   Size Id Type
/dev/sda1             63    192779   192717  94.1M 83 Linux
/dev/sda2  *      192780   1172744   979965 478.5M 83 Linux
/dev/sda3        1172745  96470324 95297580  45.5G 83 Linux
/dev/sda4       96470325 104856254  8385930     4G 82 Linux swap / Solaris

Partition 1 does not start on physical sector boundary.
Partition 2 does not start on physical sector boundary.
Partition 3 does not start on physical sector boundary.
Partition 4 does not start on physical sector boundary.

My current partitioning parameters in the preseed are:

d-i partman-lvm/device_remove_lvm                   boolean true
d-i partman-auto/purge_lvm_from_device              boolean true
d-i partman-md/device_remove_md                     boolean true
d-i partman-lvm/confirm                             boolean true
d-i partman/alignment                               select cylinder
d-i partman/confirm                                 boolean true
d-i partman-basicfilesystems/no_swap                  boolean false
d-i partman-partitioning/confirm_write_new_label    boolean true
d-i partman/choose_partition                        select finish
d-i partman/confirm_nooverwrite                     boolean true
d-i grub-installer/only_debian                      boolean true
d-i grub-installer/bootdev                                      string /dev/sda
d-i partman-auto/disk                               string /dev/sda
d-i partman-auto/method                             string regular
d-i partman-auto/expert_recipe string                         \
      boot-root ::                                            \
              100 50 100 free                                 \
                          $gptonly{ }                         \
                          $primary{ }                         \
                          $bios_boot{ }                       \
                          method{ biosgrub }                  \
              .                                               \
              500 50 500 ext2                                 \
                      $primary{ } $bootable{ }                \
                      method{ format } format{ }              \
                      use_filesystem{ } filesystem{ ext2 }    \
                      mountpoint{ /boot }                     \
              .                                               \
              500 10000 1000000000 ext4                       \
                      $primary{ }                             \
                      method{ format } format{ }              \
                      use_filesystem{ } filesystem{ ext4 }    \
                      mountpoint{ / }                         \
              .                                               \
              200% 500 200% linux-swap                        \
                      $primary{ }                             \
                      method{ swap } format{ }                \
              .

How to avoid the Partition {n} does not start on physical sector boundary error. How to set the correct starting sector and sector size in partman while preseeding?

System is:

Debian GNU/Linux 8.2 (jessie)

BIND 9.9.5-9+deb8u3-Debian (Extended Support Version)

named.conf.options:

options {
    directory "/var/cache/bind";
    key-directory "/etc/bind/keys";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //  0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    dnssec-dnskey-kskonly yes;
    sig-validity-interval 21 16;
    inline-signing yes;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

    // permit lookup of unknown dns names
    recursion no;

    // allow dynamicly new zones
    allow-new-zones yes;
};

the cache file /var/cache/bind/3bf305731dd26307.nzf has thr rights 0744 and is owned by bind:bind

everything works as expected, i can add zones, stat, load keys and everything - except:

rndc delzone {ZoneName}

If i trigger this command (as root in console) i get an rndc: 'delzone' failed: permission denied

in the log nothing is showed..

i'm really stuck here - anyone have a clue why this permission error occurs?

is there a way to remove all dnssec related stuff from a zone on a running bind server?

I configured bind like like here described.

If i use rndc signing -clear all domain.tld nothng happens to the zone.

If i delete the dnssec signed zone via rndc delzone domain.tld and recreate it via rndc addzone domain.tld ... , the domain.tld.jnl file with the related dnssec data will be automaticly recreated and the zone is dnssec signed again.

How can i remove all dnssec related data from a zone with rndc ?

What is the default expire time/period for a key, generated by dnssec-keygen:

If i execute: dnssec-keygen -a RSASHA256 -b 2048 -f KSK mydomain.com

I get 2 files:

(Kmydomain.com.+008+21346.key)

; This is a key-signing key, keyid 21346, for mydomain.com.
; Created: 20151208123320 (Tue Dec 08 13:33:20 2015)
; Publish: 20151208123320 (Tue Dec 08 13:33:20 2015)
; Activate: 20151208123320 (Tue Dec 08 13:33:20 2015)
mydomain.com. IN DNSKEY 257 3 8 AwEAAfcTOQq0VoMZFTKMPsRzUlO4cUzZvHCf9sb+MMeZhfMyLOSc6j6j hKtfYOVAwxDu7hEG5pG+5V908r7EAgZfjJgBPFlz6c3xZ9Yf5FqU4vRR CAAMye/87e2J4TKoFnv6J/8Vigz21IvKGYgdsXMs5Pf8rgqPgpZjXP+D gMxezJH1dQYV3oW6zULttm1/4+yeXZrc1NIzbmS3AChwKCNtP+fcj0dt PpV8Z8lcd0EnhZWCN7KZTgs8kzRHVGNKZSJ7Mvlklt74vNXnjpwsl3LL Uxi0ucXiWd7zB3eBA92+lH13QJPZnlUGe7iGiD4HYOeFAyRQGGYzd1Gf 3xwtWyF/3h8=

and (Kmydomain.com.+008+21346.private)

Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: 9xM5CrRWgxkVMow+xHNSU7hxTNm8cJ/2xv4wx5mF8zIs5JzqPqOEq19g5UDDEO7uEQbmkb7lX3TyvsQCBl+MmAE8WXPpzfFn1h/kWpTi9FEIAAzJ7/zt7YnhMqgWe/on/xWKDPbUi8oZiB2xcyzk9/yuCo+ClmNc/4OAzF7MkfV1BhXehbrNQu22bX/j7J5dmtzU0jNuZLcAKHAoI20/59yPR20+lXxnyVx3QSeFlYI3splOCzyTNEdUY0plInsy+WSW3vi81eeOnCyXcstTGLS5xeJZ3vMHd4ED3b6UfXdAk9meVQZ7uIaIPgdg54UDJFAYZjN3UZ/fHC1bIX/eHw==
PublicExponent: AQAB
PrivateExponent: vn6qry8luIRBTKzGxC5p3jTJ3kfOO0OKQBjBwVMD7OLVrBmznUHzyzGJgpgxDcA5+xTH9r0pGjUP57c2HHXU72mcfxeYv3kN5xDFvnUmmtpTAb7af1cSlt+EqsrgMwxHhCu2OZKhg3n5v3GtXDDUBMNj6K6HL65CiJp6VpgMv8btbDMBkc+eytFmJDIJ0FdOtlWxJYzFTZ6lAcxR7sSOidP/nKz8/5GLwwU/dxdMWS5xavzJYTZjG7ZQRwkTcEGZ9/PjgSzeqOUvJt2pcQXt6mi5/ZNpcC1843JYt+N6/O0sHSmphtv7WYOl5FOBYJP66akfv1XeNaYHKDZg+A+kUQ==
Prime1: /0oPncwFldrW/Iu3HmymBk4ntelWsKJgtaEZNXe7p5KXs4w8V48t+y2bz6k89ZSdR5cpVPmXd28BHqbODgetBkKKCi+P2+3N//7EuKr4qEVT/w7BWtp6+5zBnl6nBtblxz4RuBIb6kuues6GfHfIRMngeggxduuSCpOlSRyyGlc=
Prime2: 98NOx4xaPweAgz98gxPWXEQ6uB3CzVI1NFIGN1xGhS9qSq1FRWDe2bH5RjXh9m2tDCXC/TKzBjUfe3+xNKliO+Kkr7V45jpAlAfU2M3GKJ4Yqv9zHgk4ueQAtOFx6cQNywOLUnY4ms+JkmnWVWQxuBkcFPBY+9iuGLc3NbL9DXk=
Exponent1: qsieB9+MQQMk3dCOEbF3pDI2yLCwSPxoHDoIxkcyZ9le2UPQvnbPuQB7AwJiAJyKV3FdujY7STAenKXUpXgnHU/4TvYglG3TaRXD/xKJxPCUT8ZMPf55Vcg5kzwZGy86iv8QFYcv258Du65cM/piJPq0zI6coMTZb2/0nCOxVoM=
Exponent2: D578xJAQ0JCEhcHm88y4YzDaEumtcoyQVjAlvC/RMmx+4x5xk6I76rXR5Z9YE9VuZ6mp1ZTwvJ900LCIV62mR+hOQdXLPZjGoY6s2M6Ag+cT3xQkCezC6tV5Re5A5GA8DmS20AgsIXacUeLiZJfgmp7aqmdM9PQAZgaHMJeMZOE=
Coefficient: jmEpQL+U4NCvGrucQHHwdSlNphGI86rpuyB32vBs5khx1kiVyfj06/0yP2QAXjZv9DLoKxpfDwv7VGJb9hqr98E27zhdHzSNV5mo5COR7wMcApPfPZvu7k9pwiqf+MT1eNdzS31fOIp8APpaDMCnYPiIxbtynUHeUCU/etH2oxg=
Created: 20151208123320
Publish: 20151208123320
Activate: 20151208123320

As i thought the key(s) have a validation time, and will automaticly be revoked after the time is up.

Is there a default value for expiration - or do i have to manually set it via the -R flag as descriped @ the dnssec-keygen man page ?

Or did i missunderstood something completly wrong here?