Tools Windows Server Tricks Lead image: Lead Image © Kati Molin, Fotolia

11 Tricks for Windows servers

Knowledge

A number of techniques applied in PowerShell or other management tools can run Windows servers more effectively, harden them, and improve their performance. By Thomas Joos

Fine-tuning Windows servers doesn't have to be a complex process. Easily manageable commands and settings can have a great effect. In this article, I look at 11 practical tips for Windows servers.

1. Remote Desktop Settings

In many organizations, employees use the Remote Desktop tool, usually activated in the server's graphical user interface or from the Server Core text-based menu. On servers with a graphical user interface, the quickest way to find the settings is to call sysdm.cpl. However, you can also enable the remote desktop from the registry with the settings found in the HKLM | SYSTEM | CurrentControlSet | Control | Terminal Server key. With this approach, you can activate Remote Desktop by importing registry entries. The most important entry is fDenyTSConnection. A value of 0 activates Remote Desktop, and a value of 1 disables it. To see which users are connected to a server (Figure 1), run the command:

qwinsta /server:<server name>

Remote Desktop Protocol connections are displayed by the qwinsta command. — Figure 1: Remote Desktop Protocol connections are displayed by the `qwinsta` command.

To deny access to certain users, use group policies. To block access to the Remote Desktop Services (e.g., for local administrators), you should manage the authorizations centrally. The path to the settings is Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment. The following two settings are important:

Deny log on through Remote Desktop Services
Deny log on locally

Here, you configure which users are allowed to log on to the server locally (i.e., directly at the console) and which users can connect to the server by Remote Desktop. Remote Desktop connections can also be used in the web browser if you use Windows Admin Center. The Remote Desktop menu item waits for connections and allows you to open a session.

2. Uninstalling Media Player

By default, Windows Media Player is installed on Windows Server 2019. Because this tool is not needed on production servers, it is an unnecessary function and therefore a potential vulnerability. To uninstall Media Player, run the command:

dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer /norestart

The command is also useful for deployment scripts or tools that distribute automatic settings to servers. Besides the Windows Admin Center and Server Manager, Media Player can also be uninstalled with the PowerShell command:

Disable-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer

3. Configuring LDAP Priorities and Weighting

Checking that the LDAP SRV entries are correct in the domain name system (DNS) can help you detect Active Directory (AD) issues. Correct accessibility of domain controllers (DCs) in the SRV entries is an important basis for many server-based services. You can launch the check with the fully qualified domain name (FQDN; e.g., joos.int in this example):

nslookup -type=all _ldap._tcp.dc._msdcs.joos.int

Domain controllers register multiple SRV records (Figure 2), which in turn tell clients to which DCs they should connect. If you set the priority to a high value (e.g., 1), these DCs are only addressed if no other DCs with a priority of 0 exist. The weighting distinguishes DCs with the same priority. A DC with a weighting of 10 is addressed more often than a DC with a weighting of 5. In other words, you can relieve the load on individual DCs by adjusting the weighting. This procedure is also useful if you want to replace a DC and reduce the number of requests on the server.

Figure 2: Checking the LDAP entries in the DNS on the command line.

The settings for weighting can be seen in the properties of the DNS record. The priority and the weighting are defined by registry entries, which can be found in the DC registry key at HKEY_LOCAL_MACHINE | SYSTEM | CurrentControlSet | Services | Netlogon | Parameters, where you enter the weighting and priority:

"LdapSrvWeight"=dword:00000001
"LdapSrvPriority"=dword:00000002

In most cases, you will have to create the two DWORD values again, which are enabled either after restarting the DC or after restarting the login service:

net stop NETLOGON && net start NETLOGON

To display the current values, again run the command:

nslookup -type=all _ldap._tcp.dc._msdcs.joos.int

The entries are displayed in the DNS record properties in the priority and weight fields (Figure 3).

Figure 3: The weightings of the LDAP requests are shown in the DNS properties.

4. Blocking DNS Queries

In Windows Server 2016 and 2019, DNS policies can be defined to block queries from clients. Configuration is made with PowerShell, and the settings are implemented on the individual DNS servers. (For information about the configuration cmdlets, see the Microsoft docs [1]). For example, if you want to block the resolution of the erp01.joos.int server on the 255.255.255.0/24 subnet, you first need to define the appropriate subnet then create a policy that blocks resolving an FQDN from that subnet:

Add-DnsServerClientSubnet -Name "UnsecureSubnet" -IPv4Subnet 255.255.255.0/24 -PassThru
Add-DnsServerQueryResolutionPolicy -Name "Block_ERP01" -Action IGNORE -ClientSubnet "EQ,DWPSubnet"-FQDN "EQ,erp01.joos.int" -PassThru

The policies are available in PowerShell; enter

Get-DnsServerQueryResolutionPolicy

to see the policies, or enter

Remove-DnsServerQueryResolutionPolicy -Name "Block_ERP01" -PassThru

to delete the policies.

5. Changing Windows Server Editions

Windows Server 2016 and 2019 let you change the edition on the fly, without reinstalling Windows. For example, if you installed Windows Server 2019 Standard, you can switch to the Datacenter edition. The command to upgrade from Standard to Datacenter is:

Dism /Online /Set-Edition:ServerDatacenter /AcceptEula /ProductKey: <xxxxx-xxxxx-xxxxx-xxxxx-xxxxx>

After the update, restart the server. You can also switch from the trial version of Windows Server 2019 to a full version. The following commands let you see whether you are running a trial version, tell you to which edition you can upgrade, and display your current edition:

slmgr.vbs /dlv
dism /online /Get-TargetEditions
dism/ online /Get-CurrentEdition

To update the trial version, use the same command as for the upgrade from Standard to Datacenter; that is, you can switch from the Windows Server 2019 Datacenter trial version to the licensed version. The server has to be restarted at least twice, so you can unlock new features like Storage Replica or Storage Spaces Direct. Of course, you will need a valid product key for the change.

6. Starting Safe Mode in Automatic Repair

Interrupting the Windows startup process two or three times starts Windows Automatic Repair. If the server is not working properly, you can start the Windows server in different modes. To switch to Safe Mode, first go to the Repair menu and select See advanced repair options, then Troubleshoot | Advanced options | Windows startup settings. When you click Restart, a system menu appears in which you can Enable Safe Mode.

7. Accessing BPA with PowerShell

The Best Practices Analyzer (BPA) lets Windows Server 2019 check its own health and the installed server roles to look for incorrect configurations. The fastest way to start the BPA is to launch it from PowerShell:

Get-BPAModel | Invoke-BpaModel

If you want to start a scan process for a certain role only, first discover the ID of the corresponding model; then, start the test(s):

Invoke-BPAmodel -modelId Microsoft/Windows/DNServer,Microsoft/Windows/FileServices

You always need to specify the ID as a complete path, which you discover with Get-BPAModel. Hyper-V, for example, has the ID Microsoft/Windows/Hyper-V. You can also use a single command to discover the BPA model and start the scan process immediately:

Get-BPAmodel <ID> | Invoke-BPAmodel

If you do not specify an ID, all roles are scanned. To read the roles and search for the "Error" string, enter:

Get-BpaResult -ModelId Microsoft/Windows/DirectoryServices | Where-Object Severity -eq "Error" | Format-List Title

To display all results from specific server roles (BPA models), use:

Get-BPAResult Microsoft/Windows/DNS Server,Microsoft/Windows/FileServices

You can export the BPA results (e.g., to an HTML file) from PowerShell:

Get-BPAResult <model ID> | convertTo-Html | Set-Content <path>

By way of example, write the information of the file services to an HTML file:

Get-BPAResult Microsoft/Windows/FileServices | convertTo-Html | Set-ContentC:\BPAResults\FileServices.htm

Finally, the command:

Get-BPAResult Microsoft/Windows/FileServices | Export-CSVC:\BPAResults\FileServices.txt

exports the results to a comma-separated values file.

8. Changing the Data Medium Format

You can only convert an MBR disk to a GPT disk and vice versa if the disk is empty. To do this, right-click on the disk in the Windows Disk Manager and select the corresponding command. You can also perform the conversion at the command line. Start a command prompt and type:

diskpart
list disk
select disk <disk no. to convert>

Now use:

clean
convert gpt

The reverse approach uses:

convert mbr

In the Disk Manager (diskmgmt.msc), you can discover the partition style by right-clicking a volume and choosing Properties. In PowerShell, you can display the partition style with

Get-Disk | select FriendlyName, PartitionStyle

To set the partition style to GPT, use the command:

Initialize-Disk <Number> -PartitionStyle GPT

Another example is

Get-Disk 1 | Clear-Disk -RemoveData
New-Partition -DiskNumber 1 -UseMaximumSize -IsActive -DriveLetter Z | Format-Volume -FileSystem NTFS -NewFileSystemLabel Data

to create and format a disk.

9. BitLocker Without a TPM Chip

Hard disk encryption with BitLocker usually relies on a Trusted Platform Module (TPM) chip built into the computer. However, it can also be used if no TPM chip is installed. The associated settings are managed with group policies. In the navigation pane, go to Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives. In the right pane, double-click on the Require additional authentication at startup policy and check the Enabled option in the dialog box (Figure 4).

Figure 4: BitLocker enabled without a TPM chip.

Make sure the Allow BitLocker without a compatible TPM checkbox is selected and click OK. The policy is then assigned the value Enabled in the Status column. After these tasks are complete, you can enable BitLocker.

10. Joining a Domain

To join a computer to a domain, call sysdm.cpl from the Start menu. Click the Change button in the Computer Name tab and enter the name of the computer to be joined to the domain in the Computer description field. Next, activate the Domain option in the Member of section and enter the DNS name of the domain that you want the client to join.

Finally, you need to authenticate against the domain. If the login credentials have been entered successfully, the server is added to the domain. As in previous versions of Windows, you need to reboot the computer after joining the domain. Afterward, you can log on to the domain with your username. You can also use PowerShell,

Rename-Computer -Name <Computername>
Add-Computer -DomainName <DomainName>
Restart-Computer

to assign names to servers, restart them, and join them to domains.

11. Optimizing DNS Settings for AD

The TCP/IP | Properties | Advanced | DNS IPv4 and IPv6 protocols lets you access additional settings to set up name resolution optimally on the network by DNS or WINS. The individual options play a significant role in name resolution in a DNS infrastructure:

Append primary and connection specific DNS suffixes: The computer will always try to append the configured primary DNS suffix of its own computer name automatically when resolving computer names. For example, if you want to resolve the dc01 hostname, the computer will attempt a name resolution to dc01.contoso.int if the computer's primary DNS suffix is contoso.int.
Append parent suffixes of the primary DNS suffix: The names of parent domains are used in name resolution, as well. For example, if you want to resolve a server named dc05 in a subordinate domain named muenchen.de.contoso.int, the computer will first try to resolve dc05.muenchen.de.contoso.int if this is the computer's primary DNS suffix. Afterward, the computer tries to resolve the names dc05.de.contoso.int and then dc05.contoso.int, because these domains are at higher levels compared with the first domain attempted.
Append these DNS suffixes (in order): This option lets you configure DNS suffixes that resolve incomplete host names. Neither the primary DNS suffix of the server nor the DNS suffixes of this connection are used. Instead, the DNS suffixes are appended in the order configured in this field.
DNS suffix for this connection: If the computer cannot find the entered name on its configured DNS server by using its own primary DNS suffix, it tries the DNS suffix entered in this field. If you want to resolve a server named dc06, the machine will first try resolving to dc06.contoso.int if that is its primary DNS suffix. However, if you also enter the suffix muenchen.de.microsoft.int, the computer also will try to resolve the name dc06.muenchen.de.microsoft.int.
Register this connection's addresses in DNS: A DNS server can register entries dynamically. As soon as a computer logs on to the network, it tries to register its FQDN automatically with the configured DNS server.
Use this connection's DNS suffix in DNS registration: If you enable this option, the server name is registered with its computer name and its primary DNS suffix (i.e., its FQDN).

Conclusions

Many options for tuning Windows servers are not always directly visible or accessible, although the operations involved are often quite simple. Some inside knowledge can make an admin's life far easier. This article reveals a few of the tricks, many of which rely on PowerShell, the Windows admin's best friend.