I like to learn the keyboard shortcuts for this sort of thing, (because developers will change the way things are done in the GUI). So in the good old days I simply ran msconfig, located the offending software on the startup list and disabled it. Then that got removed and put in ‘Task Manager’, then that got removed too. So I’m pulling a frowny face at Microsoft developers for their lack of continuity 🙁 (It’s not just them; Cisco and VMware are just as bad!)
I’ve got an administration server I use, (Server 2016,) and it’s got a load of software on there that usually would not be on a server, Skype Client, Citrix Client etc. So how do I stop them autoloading?
Solution
Well I could start digging around in the registry manually, but a much simpler option is to download and run AutoRuns;
Either untick the offender or right click and go to the source and manually disable it yourself.
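If you want a scriptable view alongside AutoRuns, here is an added example (not from the original post, and not a Sysinternals tool) that lists the Run/RunOnce keys and Startup folders with plain PowerShell and removes a named entry once you have decided it is unwanted. It covers only a subset of what AutoRuns shows (no services, scheduled tasks or Winlogon hooks); the Skype entry in the usage line is a placeholder.

```powershell
# Added example, not part of the original post. Lists the autostart locations that
# AutoRuns' "Logon" tab covers most often, then optionally removes one entry.
# Run from an elevated PowerShell; HKCU entries are for the current user only.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {
    $entries = [System.Collections.Generic.List[object]]::new()

    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc. to the object; skip those
            if ($prop.Name -like 'PS*') { continue }
            $entries.Add([pscustomobject]@{ Location = $key; Name = $prop.Name; Command = $prop.Value })
        }
    }

    # Per-user and all-users Startup folders
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue | ForEach-Object {
            $entries.Add([pscustomobject]@{ Location = $path; Name = $_.Name; Command = $_.FullName })
        }
    }
    return $entries
}

function Disable-AutostartEntry {
    # Removes a Run-key value (the program itself stays installed). Prints the old
    # command first so you can put it back if you disabled the wrong thing.
    param(
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $Name
    )
    $old = (Get-ItemProperty -Path $Location -Name $Name).$Name
    Write-Host "Removing '$Name' from $Location (was: $old)"
    Remove-ItemProperty -Path $Location -Name $Name
}

Get-AutostartEntry | Sort-Object Location, Name | Format-Table -AutoSize -Wrap

# Placeholder usage, once you have identified the offender in the listing above:
# Disable-AutostartEntry -Location 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Skype'
```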
Related Articles, References, Credits, or External Links
Massive thanks to Sysinternals and Mark Russinovich, who has been bailing me out of the mire for many years!
Seen while attempting to install Microsoft Management Framework 5.1 on Server 2012 R2, (to upgrade PowerShell).
Windows Update Standalone Installer
The update is not applicable to your computer
Solution
Well, in the end it turns out I was being a doofus! I was installing W2K12-KB3191565-x64.msu, which is for Server 2012 (not Server 2012 R2!). Look a bit lower down: you need Win8.1AndW2K12R2-KB3191564-x64.msu.
The solution was in front of me the whole time!
After a recent Exchange migration (2007 > 2013 > 2016), I had problems with users not being able to see public folders. One user could see them all (so I knew they were present and correct, content wise), but other users could not even see them.
Normally in this situation I’d test them in Outlook Web App first; if they work there, then look at Outlook. But public folders just didn’t work in Outlook Web App 2016 at all.
My first task was to check/set the permissions of the public folders. The one user who could see them was set as ‘Owner’ on the root of the public folders, so my first step was working out how to grant myself those rights, and apply them to all the child public folders below.
Note: Granting a user ‘Owner’ rights at the root has obvious security implications; in your scenario you might want to choose ‘Reviewer’, or some other level of access.
View Existing Public Folder ‘Root’ Permissions
Simply use the following PowerShell in the Exchange Management Shell;
[box]
Get-PublicFolderClientPermission "\"
[/box]
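To apply the same rights to the root and every child folder, here is an added example (not from the original post) for the Exchange Management Shell. It skips folders where the user already has an explicit entry, so re-running it is safe; the user name is a placeholder, and ‘Owner’ should be swapped for ‘Reviewer’ unless you genuinely need full control.

```powershell
# Added example, not from the original post: grant $User one client permission on
# the public folder root and every child folder, skipping folders where the user
# already has an entry. Run inside the Exchange Management Shell.
$User   = 'user@example.com'   # placeholder: the mailbox to grant rights to
$Rights = 'Owner'              # 'Reviewer' is usually enough for read-only visibility

$folders = @(Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited)
foreach ($folder in $folders) {
    $id = $folder.Identity
    # Does this user already have an explicit permission entry on this folder?
    $existing = Get-PublicFolderClientPermission -Identity $id -User $User -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Skip  $id (already: $($existing.AccessRights -join ','))"
        continue
    }
    Add-PublicFolderClientPermission -Identity $id -User $User -AccessRights $Rights
    Write-Host "Grant $id -> $Rights"
}

# Afterwards, confirm the root entry for the user
Get-PublicFolderClientPermission -Identity '\' -User $User
```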
If you just wanted to check for one user, then do this instead;
Once upon a time, adding a domain controller that was running a newer version of the Windows Server family involved opening a command line and schema prepping, GP prepping, etc. Now all this happens in the background when adding a 2019 domain controller, and the wizard does the heavy lifting for you.
Solution
2008 to 2019 Domain Controller
2008 to 2016 Domain Controller
Obviously the server needs to be a domain member first!
For Server 2019 Forest and Domain Functional levels need to be at ‘Windows Server 2008‘. (The documentation says 2008 R2, but Server 2008 also works flawlessly).
For Server 2016 Forest and Domain Functional levels need to be at ‘Windows Server 2003‘.
Before You Start!
Remember, if your ‘retiring’ domain controller is also a DNS/DHCP server you will also need to address that, and make sure you don’t have a service or device that queries the old domain controller directly (RADIUS devices, firewalls, RSA appliances, proxy filters, security door software, etc.).
Procedure: Deploy a 2019 Domain Controller
With a vanilla install Server Manager will open every time you boot, (unless you’ve disabled it!) To open it manually, run ‘servermanager.exe’ > Manage > Add Roles and Features.
I usually tick the ‘Skip this page by default’ option > Next.
Role Based… > Next.
Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.
Select Active Directory Domain Services > Next.
Next.
Next.
Ensure ‘Restart’ is selected > Next.
Next.
Promote Windows Server To Domain Controller
Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.
Assuming you already have a domain, and this is not a greenfield Install > Add a domain controller to an existing domain > Next.
Type and confirm a Directory Services Restore Mode Password (DSRM,) make it something you will remember in a crisis, or store it securely somewhere > Next.
This is fine. You see this error because it’s trying to create a delegation for this DNS zone, and there isn’t a Windows server above you in the DNS hierarchy. For example, if your domain name is petelnetlive.co.uk, then I do not have access to create a delegation in the .co domain space. (So you can safely ignore it) > Next.
If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directory over a ‘pants’ connection. I’ve not had to do that in a long time > Next.
Unless you want to change the default AD install locations > Next.
Next.
Read any warnings > Install
Go have a coffee; we ticked ‘reboot’ earlier, so it will complete, then reboot the server, which will come back up as a domain controller.
You will notice, (if you’re interested,) that your schema version is now 88 (Server 2019), or 87 (Server 2016).
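Before and after the promotion, the functional levels and the schema version can be checked from any domain-joined machine with RSAT. This is an added example, not from the original post; the minimum levels are the ones stated above (2016 needs 2003, 2019 needs 2008), and the schema numbers 87/88 are the ones the post quotes.

```powershell
# Added example, not from the original post: pre-flight checks for promoting a
# 2016/2019 domain controller, plus a schema-version read-out for afterwards.
# Requires the ActiveDirectory (RSAT) module on a domain-joined machine.
Import-Module ActiveDirectory

# Minimum functional levels from the post: 2016 needs 2003, 2019 needs 2008
$MinForestMode = @{
    '2016' = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    '2019' = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
}
$MinDomainMode = @{
    '2016' = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    '2019' = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
}
# Schema objectVersion values: 87 = Server 2016, 88 = Server 2019 (from the post);
# older values listed for reference
$SchemaVersions = @{ 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019' }

function Test-DcPrerequisites {
    param([ValidateSet('2016', '2019')] [string] $TargetVersion)
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Enum values increase with newer functional levels, so a numeric compare works
    $forestOk = [int]$forest.ForestMode -ge [int]$MinForestMode[$TargetVersion]
    $domainOk = [int]$domain.DomainMode -ge [int]$MinDomainMode[$TargetVersion]
    [pscustomobject]@{
        TargetVersion = $TargetVersion
        ForestMode    = $forest.ForestMode
        ForestOk      = $forestOk
        DomainMode    = $domain.DomainMode
        DomainOk      = $domainOk
    }
}

function Get-SchemaVersion {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $ver = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
    [pscustomobject]@{ ObjectVersion = $ver; Matches = $SchemaVersions[[int]$ver] }
}

Test-DcPrerequisites -TargetVersion '2019'
Get-SchemaVersion   # run again after the promotion: expect 88 for 2019, 87 for 2016
```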
If you are retiring a CA server, or there’s a problem with the server and you want to move Microsoft Certificate Services to another server, the procedure is pretty straightforward.
BE AWARE: We are moving the CA Server Name, NOT the Server Name (FQDN); the two things are NOT the same (you might have called them the same thing!). But a Certificate Authority has a name of its own, and that’s what we are going to move.
So the new server doesn’t have to have the same name? No. It can if you really want, but that’s an added layer of complication I can’t see the point of.
In the video below, I’m migrating from Server 2008 R2 to Server 2019, and I’m also moving CRLs and OCSP responders. In the screenshots below I’m moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.
Can I migrate from Server 2008 (NON R2) to 2016 (or newer)? Yes, but not directly; you need to upgrade to Server 2012 R2 first. If you don’t, the database won’t mount and you will get this error.
Solution
On the ‘Source‘ server, open the Certificate Services management console > Right click the CA NAME > All Tasks > Back up CA.
The backup wizard will open, Next > Tick BOTH options > Select a Backup Location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish.
Now we need to take a backup of the registry key that holds the information for this CA server. Run ‘regedit’ > Navigate to;
Export a copy of this key, (save it in the same folder that you backed up to earlier).
Now we need to uninstall CA Services from this server. Server Manager > Manage > Remove Roles and Services > Next.
REMOVE all the CA role services > Complete the Wizard, then launch the wizard again and select ‘Active Directory Certificate Services’ > At the pop-up select ‘Remove Features’ > Next.
Next > Next > Next > Close.
Setup Certificate Services on the Target/New Server
Server Manager > Add Roles and Features > Next.
Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.
For now let’s just stick with the Certification Authority > Add the other role services later* > Next.
*Note: I’ve written about all these role services before, just use the search function, (above), if you are unsure what they all do.
Next > Close.
Warning > Configure Active Directory Certificate Services > Next.
Next > Enterprise CA (Unless it’s an offline non domain joined CA) > Root CA (unless it’s a subordinate CA!) > Next.
Select ‘Use existing private key’ > Select ‘Select a certificate and use its associated private key’ > Next > Import > Browse > In your backup folder locate the certificate (it will have a .p7b extension) > Enter the password > OK > Select the cert > Next.
Next > Next > Configure > Close.
Stop Certificate Services;
[box]net stop certsvc[/box]
If your new server has a different hostname/FQDN open the registry file you exported above with Notepad, locate and change the CAServerName entry to the name of the NEW server.
Right click the registry backup > Merge > Yes > OK.
Launch the Certificate Services management console > Right Click the CA NAME > All Tasks > Restore CA.
The restore wizard will start > Next > Browse to the folder with your backup in > Next > Enter the password you used (above) > Next > Finish.
You will be prompted to start the Certificate Services service > Yes.
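The step that catches people out is editing CAServerName in the exported .reg file when the new server has a different hostname. Here is an added example (not from the original post) that rewrites that one value, refuses to continue if the file does not contain exactly one CAServerName line, and then does the stop/merge sequence above; the file path and hostname are placeholders.

```powershell
# Added example, not from the original post: before merging the exported CA registry
# backup on a target server with a different hostname, rewrite the CAServerName value
# in the .reg file and keep the original untouched. Paths/hostname are placeholders.
function Update-CaServerNameInRegFile {
    param(
        [Parameter(Mandatory)] [string] $RegFile,     # the .reg you exported on the old server
        [Parameter(Mandatory)] [string] $NewServer,   # hostname of the NEW CA server
        [string] $OutFile = ($RegFile -replace '\.reg$', '-fixed.reg')
    )
    # reg export writes UTF-16 (Unicode) with a BOM; read and write it the same way
    $lines   = Get-Content -Path $RegFile -Encoding Unicode
    $pattern = '^"CAServerName"="[^"]*"'
    $matched = @($lines | Where-Object { $_ -match $pattern })
    if ($matched.Count -ne 1) {
        throw "Expected exactly one CAServerName line in $RegFile, found $($matched.Count)"
    }
    Write-Host "Old value: $($matched[0])"
    $fixed = $lines | ForEach-Object { $_ -replace $pattern, ('"CAServerName"="{0}"' -f $NewServer) }
    Set-Content -Path $OutFile -Value $fixed -Encoding Unicode
    Write-Host "Wrote $OutFile with CAServerName=$NewServer"
    return $OutFile
}

# On the target server (placeholders): fix the file, stop the service, merge, then
# run the Restore CA wizard as described in the post.
$fixedReg = Update-CaServerNameInRegFile -RegFile 'C:\CABackup\CertSvc-Configuration.reg' -NewServer 'NEWCA01'
Stop-Service certsvc                       # same as "net stop certsvc" above
if ((Get-Service certsvc).Status -ne 'Stopped') { throw 'certsvc is still running' }
reg import $fixedReg                       # equivalent of right click > Merge
```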
What About Certificate Templates? Do I need to Move Them?
No! Certificate templates are actually stored in Active Directory, NOT in/on the actual Certificate Services server (that’s why they sometimes take a while to appear after you create them!). You can see them here;
I’ll cover the ones that have tripped me up, if you find some new ones feel free to post them below.
Solutions
Before continuing, the image needs to have the Horizon Agent installed within it, and it has to be the SAME version that your Composer and Connection servers are running (or newer). Also, your Horizon servers connect to VMware vCenter using an account (in a lot of cases that will be the domain administrator account, or an account you set up for this reason); make sure that account has global administrator properties in vSphere.
Also, in your image install the LATEST version of VMware Tools. Note: that might be NEWER than the one that you have on your ESX servers; download it and install it manually. (To do this, uninstall the old VMware Tools, then uninstall the Horizon Agent, then install the NEW VMware Tools, then finally reinstall the Horizon Agent again.) Note: If using Horizon Composer, make sure you install the Composer option!
Horizon Inability to get a licence for your KMS Server.
For sysprep, obviously you need to be deploying images with sysprep and NOT QuickPrep. If you are using sysprep, check the error log (if the error log is empty, then sysprep is not your problem).
Navigate to: C:\Windows\System32\Sysprep\Panther\setuperr.log
Sysprep Problem 1
[box]
Problem 0x0f0043 Failed DeleteInstance AntiSpywareProduct
Error [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f
Error SYSPRP WinMain:Hit failure while processing sysprep re-specialize internal providers; hr = 0x8007001f
Error SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error SYSPRP setupdigetclassdevs failed with error 0
[/box]
This is happening because the machine you are using as your image has been sysprepped too many times; you need to make some changes on the reference image to reset/rearm it, so it can be sysprepped again.
On your image machine run regedit and navigate to;
HKLM > SYSTEM > Setup > Status > Sysprep Status
Ensure the following;
CleanupState is set to 2
GeneralizationState is set to 7
Open an administrative command window and execute the following commands;
[box]
msdtc -uninstall
msdtc -install
[/box]
Back in registry editor navigate to
HKLM > SOFTWARE > Microsoft > Windows NT > CurrentVersion > SoftwareProtectionPlatform
Set SkipRearm to 1
Try again.
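The reset steps above, scripted for the reference image as an added example (not from the original post). It first checks setuperr.log is non-empty (the test the post gives for ‘sysprep is actually the problem’), shows the current values, then applies them; it assumes the ‘Sysprep Status’ key is HKLM\SYSTEM\Setup\Status\SysprepStatus.

```powershell
# Added example, not from the original post: the sysprep reset steps from the post,
# scripted for the reference image. Run from an elevated PowerShell on the image VM.
$ErrorLog     = 'C:\Windows\System32\Sysprep\Panther\setuperr.log'
$SysprepState = 'HKLM:\SYSTEM\Setup\Status\SysprepStatus'
$SppKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'

# 1. Confirm sysprep is actually the problem: an empty log means look elsewhere
if ((Test-Path $ErrorLog) -and (Get-Item $ErrorLog).Length -gt 0) {
    Select-String -Path $ErrorLog -Pattern 'SYSPRP' | Select-Object -Last 5 | ForEach-Object { $_.Line }
} else {
    Write-Warning 'setuperr.log is empty or missing; sysprep is probably not your problem'
}

# 2. Show the current state, then set the values from the post
Get-ItemProperty -Path $SysprepState | Select-Object CleanupState, GeneralizationState
Set-ItemProperty -Path $SysprepState -Name CleanupState        -Value 2 -Type DWord
Set-ItemProperty -Path $SysprepState -Name GeneralizationState -Value 7 -Type DWord

# 3. Recreate the MSDTC configuration
& msdtc -uninstall
& msdtc -install

# 4. Tell sysprep not to rearm licensing again
Set-ItemProperty -Path $SppKey -Name SkipRearm -Value 1 -Type DWord

# Read everything back before running sysprep again
Get-ItemProperty -Path $SysprepState | Select-Object CleanupState, GeneralizationState
(Get-ItemProperty -Path $SppKey).SkipRearm
```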
When attempting to install the VMware Horizon client you see ‘Install Failed’;
Well that’s very descriptive and helpful?
Horizon Client ‘Install Failed’
Firstly, make sure you are NOT trying to install the client software on a Horizon Connection Server or a Horizon Security Server! If you are not, then the easiest way to get it to install is to ‘extract’ the .msi installation files and manually run them.
In PowerShell, navigate to the folder that you downloaded the client .exe file to, and extract its contents with the following command;
It looks like nothing has happened, but the files get put in the ‘Temp’ folder in YOUR user profile. Navigate to C:\Users\{Your-Username}\AppData\Local\Temp
In this location you will find a folder containing the individual install files you require.
From here you can launch the one you want; in my case, VMware Horizon View Client (x64).msi.
Ensure you have disabled your AV software, especially if you’re running WebRoot or Symantec Endpoint Protection (or at least ensure your AV is not stopping access to c:\windows\system32\drivers\etc\hosts).
Grant ‘Full control’ to the c:\windows\system32\drivers\etc\hosts file
I see this get asked in online forums A LOT. If you have an existing AnyConnect VPN setup, and then need to add another network how do you do it?
Well, that depends on where the new network is and how it’s entering the firewall. These diagrams can be either way round, but the new network will either be coming into the ASA on the same interface (i.e. you’ve spun up a new network for phones, or a new department, etc.), or the traffic will be coming into the ASA through a different interface (like a DMZ or partner network).
Option A: New Network is on another interface;
Option B: New Network is on existing (inside) interface;
Note: The process for adding the new network is the same for both, BUT depending on which interface the new traffic is coming in on, this will change your NAT command.
Locate the NAT exemption for the AnyConnect traffic, and add a new one for the new interface.
If using Split Tunneling, add the new network to the Split Tunnel ACL.
Locate the NAT exemption (or ‘NO NAT’ in old Cisco money) that prevents the AnyConnect traffic from getting NATed.
[box]
ASA-1(config)# show run nat
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
!
[/box]
From the output above we can see the NAT exemption for the existing AnyConnect traffic (the line referencing Obj-ANYCONNECT-SUBNET); we simply need to add another one for the new interface (which we will call dmz).
Note: I’m using any; yours might be using a specific object or object-group. If so, you will need to create new objects or object groups for the new network(s) for the next step. I’m sticking with any!
[box]
ASA-1# configure terminal
ASA-1(config)# nat (dmz,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup
[/box]
Now let’s see if we are using split tunnelling;
[box]
ASA-1# show run group-policy
group-policy DfltGrpPolicy attributes
webvpn
customization value Portal
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
wins-server none
dns-server value 192.168.1.10 192.168.1.11
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified split-tunnel-network-list value SplitTunneling
default-domain value petenetlive.com
webvpn
anyconnect profiles value AnyConnect type user
customization value Portal
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-filter value ACL_Filter
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
webvpn
customization value PulsantPortal
[/box]
So we are using split tunnelling, and our split tunnel ACL is called SplitTunneling.
[box]
ASA-1# show run access-list SplitTunneling
access-list SplitTunneling standard permit 192.168.1.0 255.255.255.0
[/box]
Now simply just add the new subnet;
[box]
ASA-1(config)# access-list SplitTunneling standard permit 192.168.100.0 255.255.255.0
[/box]
Option B: New Network is on the Same Interface
Tasks on ASA
Locate the NAT exemption for the AnyConnect traffic, and check whether it already covers the new network (if not, add one on the same interface).
If using Split Tunneling, add the new network to the Split Tunnel ACL.
Locate the NAT exemption (or ‘NO NAT’ in old Cisco money) that prevents the AnyConnect traffic from getting NATed.
[box]
ASA-1(config)# show run nat
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
!
[/box]
From the output above we can see the NAT exemption for the existing AnyConnect traffic (the line referencing Obj-ANYCONNECT-SUBNET). IMPORTANT: Because I’m using any (yours might be using a specific object or object-group), I DON’T NEED TO ADD ANYTHING, as any already covers the newly added subnet. If you didn’t use any, then you will need to create new objects or object groups for the new network(s) for the next step. I’m sticking with any! then
I prefer to think of OVF templates as “Zip” files for virtual machines and virtual appliances, whereas the OVA file is the complete appliance pre-packaged. There are two things you will want to do with an OVF Template;
5. Select the disk format (Thick or Thin) you want the new VM to use.
What does Lazy Zeroed and Eager Zeroed Mean?
Data on disks is stored as a 1 (one) or a 0 (zero), so if all the blocks on the disk are already set to zero, when you put data on the disk it only has half the work to do (i.e. write the ones). Eager Zeroed puts zeros on all the blocks on the disk straight away; Lazy Zeroed puts all zeros in a block the first time the block is read.
6. Read the summary, and if you want to power on the VM on completion, tick the box > Finish.
7. Depending upon the amount of data, this can take a while.
8. It will give you the following message when it’s finished.
9. And here is your VM, imported, powered up, and working.
Seen when attempting to deploy Windows Server 2016 as an ‘Image’ (Parent VM) with VMware Horizon View.
‘VM With Unsupported Guest OS’
I double checked, and Server 2016 (Standard and DataCenter) were supported, as was Server 2019 (Standard and DataCenter.) The image also had a new version of the VMware Horizon View agent installed in it?
Solution
In my case this was an embarrassingly easy fix. Previously I’d deployed Windows 7, 8, and 10 with Horizon View; this was the first time I’d ever deployed a server OS as a VDI image (with Windows Server Datacenter, this works out cheaper, licensing wise).
By default, VMware Horizon View does not allow server operating systems (even though they are supported). You just need to enable the feature! Launch Horizon Administrator > View Configuration > Global Settings > Edit > Tick ‘Enable Windows Server Desktops’ > OK.
Doh! That cost me two hours, (hope it saved you some time).