{"id":23522,"date":"2018-08-08T11:00:19","date_gmt":"2018-08-08T11:00:19","guid":{"rendered":"http:\/\/www.inacreditavel.pt\/?p=23522"},"modified":"2018-08-12T11:12:04","modified_gmt":"2018-08-12T11:12:04","slug":"windows-server-2012","status":"publish","type":"post","link":"http:\/\/www.inacreditavel.pt\/?p=23522","title":{"rendered":"Windows Server 2012"},"content":{"rendered":"<p>Working with Microsoft tools is an adventure. But a nightmare kind of adventure, like <a href=\"https:\/\/en.wikipedia.org\/wiki\/Assault_on_Precinct_13_(1976_film)\">Carpenter's Assault on Precinct 13<\/a>, or something of the sort.<\/p>\n<p>I have worked with Linux for more than 20 years, and I rarely have problems like these. What you learn in Linux system administration lasts for years, or decades: radical changes are rare. On Windows, by contrast, things change every time a new system comes out.<\/p>\n<p>I am setting up a Windows Server 2012 R2, and it is different from what I had before, the 2008. In fact, everything is always completely different. Everything is, always, in a different place&#8230; The saving grace is that on the net@ all these questions get answered, because thousands have already had them.<\/p>\n<p>When I tried to enable IIS, it gave installation errors, with no detailed messages. It only said that it had failed. Here is what happened. I consulted a site on the net@ that explained which options I should enable. I selected them all and pressed the &#8220;Install&#8221; button. It gave an error. I went back to the beginning and tried installing one item at a time, to work out which of them had caused the error: this time there was no error and I managed to install them all.<\/p>\n<p>I took the solution for enabling IIS from here: <a href=\"http:\/\/enterprise.arcgis.com\/en\/web-adaptor\/latest\/install\/iis\/enable-iis-2012-components-server.htm\">Enabling IIS and required IIS components on Windows Server 2012\/2012 R2<\/a>. 
The steps are as follows:<\/p>\n<div style=\"border:1px solid silver; padding:10px 10px 0px 30px; margin:0 0 20px 0;\">\n<ol>\n<li>Open Server Manager and click Manage &gt; Add Roles and Features. Click Next.<\/li>\n<li>Select Role-based or feature-based installation and click Next.<\/li>\n<li>Select the appropriate server. The local server is selected by default. Click Next.<\/li>\n<li>Enable Web Server (IIS) and click Next.<\/li>\n<li>No additional features are necessary to install the Web Adaptor, so click Next.<\/li>\n<li>On the Web Server Role (IIS) dialog box, click Next.<\/li>\n<li>On the Select role services dialog box, verify that the web server components listed below are enabled. Click Next.<\/li>\n<li>Verify that your settings are correct and click Install.<\/li>\n<li>When the installation completes, click Close to exit the wizard.<\/li>\n<\/ol>\n<\/div>\n<p>Since this machine will run as a virtual machine, in headless mode, I need to access it through Remote Desktop Connection. That gave an error too. After configuring the server to accept connections, and configuring that server's firewall as well as the firewalls of the two Linux gateways in between, when I connected I got the following error: &#8220;Remote Desktop Authentication Error Has Occurred. The function requested is not supported&#8221;. Impenetrable. But at least TechNet had <a href=\"https:\/\/social.technet.microsoft.com\/Forums\/ie\/en-US\/46e1cd52-52b3-4427-88a3-200f87319e23\/remote-desktop-authentication-error-has-occurred-the-function-requested-is-not-supported?forum=w7itpronetworking\">a solution<\/a>. It works, but it is a joke of a solution. 
We configure everything that is necessary and that is in the manuals, and then, if we want the system to work, we have to give the dog its lollipop.<\/p>\n<p>In this case it was necessary, on the local machine (the client), to authorize the RDC protocol itself, because it is vulnerable to a certain type of attack! Fantastic. Microsoft uses a vulnerable protocol and, instead of fixing it, disables it. Here is the solution:<\/p>\n<pre>Run: gpedit.msc\r\nGo to Computer Configuration -&gt; Administrative Templates -&gt; System -&gt; Credentials Delegation -&gt; Encryption Oracle Remediation\r\nOpen - Encryption Oracle Remediation, choose Enable, change Protection Level to Vulnerable and click Apply.<\/pre>\n<p>While I am at it, I leave here &#8211; so that I do not forget and can configure the Linux firewalls &#8211; information on the ports that must be opened to access Microsoft's SQL Server: <a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/sql-server\/install\/configure-the-windows-firewall-to-allow-sql-server-access?view=sql-server-2017\">Configure the Windows Firewall to Allow SQL Server Access<\/a>. <\/p>\n<p>SQL Server default instance: 1433, over TCP<br \/>\nSQL Server named instances (must be set to a fixed port): 1434, over UDP<br \/>\nDedicated Admin Connection: 1434, over TCP<br \/>\nSQL Server Browser service: 1434, over UDP<br \/>\nSQL Server instance running over HTTP(S): 80 or 443, over TCP<br \/>\nService Broker (confirm with a query): 4022, over TCP<br \/>\nDatabase Mirroring (confirm with a query): 5022 or 7022, over TCP<br \/>\nReplication: 1433, over TCP<br \/>\nTransact-SQL debugger: 135, over TCP<\/p>\n<p>Be warned, too, that the Custom installation of SQLServer Express is very likely to hang. 
After 2 hours waiting at a frozen screen, at what looked like the end of the installation, I went to the net@ and saw many complaints from people who had tried custom installations. I am going to try the Basic installation and then add items one by one. What a waste of time. Good old Microsoft.<br \/>\n(&#8230;)<br \/>\nAnd so it went: the Basic installation took 5 minutes. The other items took a little longer, some of them also got stuck and did not give me the chance to configure everything I wanted. But then I do not expect much more than this from Microsoft.<br \/>\n(..)<br \/>\nAnd this is a saga. Microsoft's documentation says that SQL Server runs on port 1433. I configured all the firewalls to let packets through to this port, but I could not communicate with SQL Server. It turns out the server is listening on a dynamic port and, on top of that, does not even have the TCP protocol enabled.<br \/>\nI also needed the settings I found in this article &#8211; <a href=\"https:\/\/imron.com\/support\/knowledgebase\/configuring-a-sql-server-for-remote-connections\/\">Configuring a SQL Server for Remote Connections<\/a> &#8211; to make SQL Server accessible remotely. Here is a summary, with some errors corrected (for the figures you will have to go to the original site):<\/p>\n<div style=\"border:1px solid silver; padding:10px 10px 0px 30px; margin:0 0 20px 0;\">\nA. Enabling Remote Connections on the Instance of SQL Server<\/p>\n<p>First, you will need to enable remote connections on the instance of SQL Server that you want to connect to from a remote computer.<\/p>\n<p>1) Open &#038; Login SQL Management Studio. 
Right-click on the server name in the Object Explorer and select \u201cProperties\u201d to access the Server Properties Window.<\/p>\n<p>2) In the left pane of the Server Properties Window, select \u201cConnections\u201d and under \u201cRemote Server Connections\u201d, check the box next to \u201cAllow remote connections to this server.\u201d Click OK.<\/p>\n<p>B. Configure SQL Server to Listen on Static Port<\/p>\n<p>1) Open the SQL Server Configuration Manager and click on \u201cSQL Server Services\u201d in the left pane.<\/p>\n<p>2) In the center, you will see a column that lists the Process ID for each running service. Look for the Process ID in the row for the SQL Server. Identify the port that the PID is listening on by typing the following into a command prompt: netstat -ano | find \/i \"PID-Number_of_SQL-Server\". In the example based on figure 3, you would type the following into the command prompt: netstat -ano | find \/i \"NUMBER\". For an example, please see Figure 4 below.<\/p>\n<p>3) By default, the TCP\/IP protocol is disabled and must be enabled. If you do not enable the TCP\/IP protocol, there will be no results from the command executed in step 2. To enable the TCP\/IP protocol, go to the SQL Server Configuration Manager and click on \u201cSQL Server Network Configuration\u201d. Right click on the \u201cTCP\/IP\u201d protocol and select \u201cEnable\u201d. <\/p>\n<p>4) Restart the SQL Server service and identify the Process ID assigned to the SQL Service.<\/p>\n<p>5) In the command prompt, execute the following command: netstat -ano | find \/i \"PROCESSID\". In the example below, the command would be: netstat -ano | find \/i \"NUMBER\". Results should be seen as below in Figure 7.<\/p>\n<p>6) Return to the SQL Server Configuration Manager. Click on \u201cSQL Server Network Configuration\u201d in the left pane and right-click the \u201cTCP\/IP\u201d protocol and select \u201cProperties\u201d. 
Go to the \u201cIP Addresses\u201d tab and scroll down to the IPALL section. Remove the value for TCP Dynamic Ports (leaving it blank) and enter the port 1433 for TCP port. <\/p>\n<p>7) Restart the SQL Server Service and identify the new process ID assigned to the SQL service. In the command prompt, execute the following command: netstat -ano | find \/i \"3948\". Results should be displayed as shown in Figure 9 below.<\/p>\n<p>8) The SQL Express is now configured to listen on standard port 1433.<\/p>\n<p>C. Turn On the SQL Server Browser Service<\/p>\n<p>1) Open the SQL Server Configuration Manager. Click on \u201cSQL Server Services\u201d in the left pane and right click on \u201cSQL Server Browser Service\u201d and click \u201cProperties\u201d.<\/p>\n<p>2) In the SQL Server Browser Properties Window, click on the \u201cService\u201d tab. Under the \u201cStart Mode\u201d option, change the start type to \u201cAutomatic\u201d. Click \u201cApply\u201d. <\/p>\n<p>3) In the SQL Server Browser Properties Window, click on the \u201cLog On\u201d tab. Click the \u201cStart\u201d button to start the SQL Browser Service. <\/p>\n<p>4) In the SQL Server Browser, confirm that the service is running as shown in figure 13.<\/p>\n<p>Note: According to SQL Server Hardening best practices, the SQL Server Browser service should be disabled. This service is typically not required. The SQL Server Browser service responds to requests for SQL Server resources and redirects the caller to the correct port. Keeping the Browser service disabled will remove the redirector as an attack vector, helping to obscure the correct entry ways into your SQL Server components.<\/p>\n<p>D. Configure the Firewall to Allow Network Traffic Related to SQL Server and the SQL Server Browser Service<\/p>\n<p>In Windows Firewall, four exceptions must be configured to allow access to the SQL Server.<\/p>\n<p>    1) A port exception for TCP Port 1433. 
In the new Inbound Rule Wizard dialog, use the following information to create a port exception:<\/p>\n<p>    Select \u201cPort\u201d<br \/>\n    Select \u201cTCP\u201d and specify port \u201c1433\u201d<br \/>\n    Allow the connection<br \/>\n    Choose all three profiles (Domain, Private, and Public)<br \/>\n    Name the rule \u201cSQL \u2013 TCP 1433\u201d<\/p>\n<p>    2) A port exception for UDP Port 1434. Click the New Inbound Rule Wizard dialog and use the following information to create another port exception:<\/p>\n<p>    Select \u201cPort\u201d<br \/>\n    Select \u201cUDP\u201d and specify port \u201c1434\u201d<br \/>\n    Allow the connection<br \/>\n    Choose all three profiles (Domain, Private, and Public)<br \/>\n    Name the rule \u201cSQL \u2013 UDP 1434\u201d<\/p>\n<p>    3) A program exception for sqlservr.exe. Click the New Inbound Rule Wizard dialog and use the following information to create a program exception:<\/p>\n<p>    Select \u201cProgram\u201d<br \/>\n    Click \u201cBrowse\u201d to select \u201csqlservr.exe\u201d in the following location:<\/p>\n<p>C:\\Program Files\\Microsoft SQL Server\\MSSQL11.&lt;INSTANCENAME&gt;\\MSSQL\\Binn\\sqlservr.exe where &lt;INSTANCENAME&gt; is the name of your SQL instance.<\/p>\n<p>    Allow the connection<br \/>\n    Choose all three profiles (Domain, Private, and Public)<br \/>\n    Name the rule \u201cSQL \u2013 Sqlservr.exe\u201d<\/p>\n<p>    4) A program exception for sqlbrowser.exe. Click the New Inbound Rule Wizard dialog and use the following information to create another program exception:<\/p>\n<p>    Select \u201cProgram\u201d<br \/>\n    Click \u201cBrowse\u201d to select sqlbrowser.exe. 
By default, it is located in the following location:<\/p>\n<p>C:\\Program Files (x86)\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe<\/p>\n<p>    Allow the connection<br \/>\n    Choose all three profiles (Domain, Private, and Public)<br \/>\n    Name the rule \u201cSQL \u2013 sqlbrowser.exe\u201d\n<\/p><\/div>\n<hr>\n<p>Meanwhile, twice I was unable to stop IIS using the IIS Manager. I have been making changes to the configuration and have already had to stop it several times. This never happened to me with Apache, which I have worked with for more than 15 years. Apache always shuts down. IIS on this Windows 2012, which I have worked with for 2 days, has already refused to shut down 2 times. I had to power off the machine. In the meantime, I was told to try stopping it from the command line to see whether I get any information about the problem. The command is the following:<\/p>\n<p><code>net stop iisadmin \/y<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Working with Microsoft tools is an adventure. But a nightmare kind of adventure, like Carpenter's Assault on Precinct 13, or something of the sort. I have worked with Linux for more than 20 years, and I rarely have problems like these. What you learn in Linux system administration lasts for years, or decades: radical changes are rare. 
On [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=\/wp\/v2\/posts\/23522"}],"collection":[{"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=23522"}],"version-history":[{"count":19,"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=\/wp\/v2\/posts\/23522\/revisions"}],"predecessor-version":[{"id":23555,"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=\/wp\/v2\/posts\/23522\/revisions\/23555"}],"wp:attachment":[{"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=23522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=23522"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.inacreditavel.pt\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=23522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}