In Place Upgrade of Windows Server

 In Place Upgrade KB ID 0001895

Problem

An in-place upgrade of a Windows Server, where you update an existing server installation to a newer version without reinstalling from scratch, can be a powerful way to bring older infrastructure up to date without the lengthy process of rebuilding a system and restoring data. The allure of this method lies in its simplicity and time efficiency; theoretically, you can go from, say, Windows Server 2016 to Windows Server 2022 with much less downtime, keeping configurations, applications, and user data intact. This can be especially appealing in scenarios where budget or time constraints make a full migration impractical, or for environments where a server holds critical roles that are complex to reconfigure from scratch.

However, while in-place upgrades have their perks, they aren’t without pitfalls. For starters, there’s always a risk of compatibility issues, especially if the server runs legacy software that might not play nicely with the new OS version. Performance problems can also arise, as remnants of old files and configurations may lead to a less than optimised system, compared to a clean installation. Additionally, any existing issues on the server, such as misconfigurations, registry bloat, or malware, can carry over to the new version, potentially causing instability. Therefore, before deciding on an in-place upgrade, it’s essential to weigh these pros and cons carefully, considering both the potential gains and risks based on your environment and long-term plans.

As I’ve previously stated, I prefer to do in place upgrades. If you have less than 50 servers and an IT support team, you may want to plan a clean install and data migration, but there comes a point where that’s simply not practical. My firm looks after more than 10 thousand Windows servers, and when a ‘wave’ of them goes outside of supportability, we either stop supporting them or offer an in-place upgrade.

Windows Server In Place Upgrade Paths

Current OS              Upgrade path to Windows Server 2022            Upgrade path to Windows Server 2025
Windows Server 2008     2008 R2 → 2012 R2 → 2019 → 2022                2008 R2 → 2012 R2 → 2019 → 2025
Windows Server 2008 R2  2012 R2 → 2019 → 2022                          2012 R2 → 2019 → 2025
Windows Server 2012     2012 R2 → 2019 → 2022                          2012 R2 → 2019 → 2025
Windows Server 2012 R2  2019 → 2022                                    2019 → 2025
Windows Server 2016     Direct upgrade to Windows Server 2022          Direct upgrade to Windows Server 2025
Windows Server 2019     Direct upgrade to Windows Server 2022          Direct upgrade to Windows Server 2025
Windows Server 2022     NA                                             Direct upgrade to Windows Server 2025

Note: The Server 2025 information was not official at the time of writing; it was provided by Microsoft Copilot, so check Microsoft’s current upgrade documentation before relying on it.

Solution : In Place Upgrade

In Place Upgrade Planning and Pre Upgrade Steps

As well as making sure you have the compute and storage requirements (of the OS that you are upgrading to), make sure your hardware and/or hypervisor supports the target OS. Then there are three things to consider.

  • Roles And Features.
  • Microsoft Applications.
  • Third Party Applications.

Roles and Features: these are add-on components to the OS that you can enable (add) or disable (remove). Some common ones like DNS server or DHCP server we just accept and don’t even worry about, but what about a role like Certificate Services, or a role service like NDES? What if the server is a domain controller? I’ll attempt to answer SOME of those questions below, but this is another reason why you should check, research, and test before upgrading.

Show all Roles and Features With PowerShell

[box]

Get-WindowsFeature

[/box]

Microsoft Applications: Here I’m talking about things like Microsoft Exchange, Microsoft SQL, Microsoft Teams etc. Each of those has its own dependencies, OS requirements and upgrade paths that you may need to take into consideration. My personal preference is to migrate these applications onto new clean servers rather than in-place upgrade. I’ve done two in place upgrades of Exchange on the test bench and both of those were 100% successful, I’d be less happy doing them in production, and I’ve got a lot of articles showing you how to upgrade and migrate Exchange, I suggest you look there first!

Third Party Applications: This will vary from use case to use case, but consider your AV and security products: do they support the new OS? Does your backup and replication software support the new OS? That’s before you look at your line of business or back office applications, like print management software, or the software that controls your building access for example.

Show all Installed Software With PowerShell

[box]

Get-WmiObject -Class Win32_Product

[/box]

Note: Win32_Product is slow and has a side effect: querying it makes Windows Installer run a consistency check (and possibly a repair) of every MSI-installed product, and it only lists MSI installs. For a quick, side-effect-free list, read the Uninstall keys under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node equivalent) instead.

In Place Upgrade ‘Pre-flight checks’

Most servers these days are virtualised, and time spent on reconnaissance is seldom wasted. If you are considering in place upgrading anything, I would urge you to clone those machines, sandbox them, and perform the in place upgrade in isolation. This will give you a chance to do some functional (post upgrade) testing of the server OS, its installed roles and any third party applications.

As with all things infrastructure, you’re only as good as your last backup, before doing anything MAKE SURE you have a reliable (tested!) backup. Not just for the server you intend to upgrade but for any server that has a service or software dependency on the server you intend to upgrade.

Ensure the upgrade server is FULLY UPDATED before proceeding.

If the server is virtual, we also have the advantage of being able to take a snapshot prior to the upgrade. (You can even clone a copy and keep it on standby.)
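The ‘pre-flight’ steps above boil down to knowing exactly what the server looked like before you touched it. The following is an added example (it is not from the original article) that captures that state to a JSON file so the same script can be run again after the upgrade and the two files compared. It assumes an elevated PowerShell session on the server being upgraded; the output folder is an arbitrary choice.

```powershell
# Added example: pre/post-upgrade inventory of a Windows server.
# Run once before the upgrade and once after, then diff the two JSON files.
param(
    [string]$OutDir = 'C:\UpgradeInventory'   # assumed location, change to suit
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$os    = Get-CimInstance Win32_OperatingSystem

# 1. Pending-reboot check: setup will not run an upgrade with a reboot outstanding.
#    These three registry locations are the usual indicators.
$pendingReboot = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                 ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations)

# 2. Roles and features that are actually installed (Get-WindowsFeature lists everything).
$features = Get-WindowsFeature | Where-Object Installed | Select-Object Name, DisplayName, FeatureType

# 3. Installed software from the Uninstall registry keys (64-bit and 32-bit views).
#    Used instead of Win32_Product, which triggers an MSI consistency check of every
#    product and misses non-MSI installs.
$software = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
) | ForEach-Object { Get-ItemProperty $_ -ErrorAction SilentlyContinue } |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName -Unique

# 4. Automatic services and their state: anything Running here but Stopped afterwards is
#    the first thing to investigate post-upgrade (AV, backup agents, LOB apps).
$services = Get-CimInstance Win32_Service |
    Where-Object StartMode -eq 'Auto' |
    Select-Object Name, DisplayName, State, StartName

# 5. Listening TCP ports mapped to process names: confirms the roles that served clients
#    before the upgrade still do afterwards.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ Port = $_.LocalPort; Process = $p.ProcessName }
} | Sort-Object Port -Unique

$inventory = [ordered]@{
    Captured      = $stamp
    ComputerName  = $env:COMPUTERNAME
    OSCaption     = $os.Caption
    OSBuild       = $os.BuildNumber
    LastBoot      = $os.LastBootUpTime
    PendingReboot = $pendingReboot
    Features      = $features
    Software      = $software
    Services      = $services
    Listeners     = $listeners
}

$file = Join-Path $OutDir "inventory-$stamp.json"
$inventory | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8
Write-Host "Inventory written to $file (pending reboot: $pendingReboot)"
```

After the upgrade, load both files with `Get-Content ... | ConvertFrom-Json` and run `Compare-Object $before.Services $after.Services -Property Name, State` (and the same for Features, Software and Listeners); anything that only appears on the ‘before’ side is a regression to chase before handing the server back.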

In Place Upgrade Process

Well it’s 95% preparation and 5% execution; the actual upgrade process is alarmingly simple. Present the installation media ISO to the source server (or copy the files to the server) and run setup.exe.

At the welcome screen > Next > At this point the system may take some time downloading updates > Enter the Windows activation code (product key) for the new server OS > Next > Select the edition you want to install; remember, if you want a server with a GUI, select the Desktop Experience option > Next.

At the EULA screen > Accept > Select “Keep files settings and apps” > Next > Install.

At this point the upgrade will take place, the server may reboot, but the upgrade process will continue.

When complete, you will be looking at a login screen, simply authenticate with the same credentials as before.

In Place Upgrade of Domain Controllers

Yes it’s possible, yes I’ve done it multiple times. If all the server is doing is performing Active Directory Domain Services and other common roles like DNS and DHCP, then I would not bother in place upgrading a domain controller; I’d simply build a fresh one, then decommission the old one (possibly needing to migrate FSMO roles).

But I’ve said its possible, just beware you may come across this error during the upgrade.

Active Directory on this domain controller does not contain Windows Server {version} ADPREP / FORESTPREP updates

This one is pretty much self-explanatory, and makes complete sense if you’ve spent any time deploying domain controllers. Think about it: if this is the first domain controller with the new OS in the domain, the schema has not yet been extended for that version of Windows Server, something that would happen automatically if you were promoting a new DC from scratch. Here there’s only one server in the domain, and I’m on it. DON’T CLOSE THE UPGRADE WINDOW.

Open an administrative command window and change to the D:\Support\Adprep directory (where D: is the mounted installation media), run adprep.exe /forestprep and when prompted press C {Enter} to continue. Note: forestprep must be run by an account that is a member of Schema Admins, Enterprise Admins and Domain Admins, on (or with connectivity to) the schema master.

I prefer to also perform an adprep.exe /domainprep, but you can progress with the upgrade without doing this. Below I’m running the command from PowerShell, so I’m using ./adprep.exe /domainprep.
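The adprep steps above leave you guessing whether they actually did anything, so here is an added example (not from the original article) that records the schema and domain-update versions before and after running forestprep and domainprep from the mounted media. It assumes the ISO is mounted as D: (change $Media), that the ActiveDirectory PowerShell module is present (it is on any DC), and that the session is elevated and running as a Schema/Enterprise Admin. The schema objectVersion values in the comment are the ones Microsoft documents for each release.

```powershell
# Added example: run adprep from the installation media and verify the schema moved.
param([string]$Media = 'D:')   # assumed: the mounted Windows Server ISO

Import-Module ActiveDirectory

# Known schema objectVersion values: 69 = 2012 R2, 87 = 2016, 88 = 2019 and 2022, 91 = 2025.
function Get-SchemaVersion {
    (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
}

# domainprep stamps a revision on CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,<domain>
function Get-DomainPrepRevision {
    $dn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$((Get-ADDomain).DistinguishedName)"
    (Get-ADObject $dn -Properties revision -ErrorAction SilentlyContinue).revision
}

$adprep = Join-Path $Media 'support\adprep\adprep.exe'
if (-not (Test-Path $adprep)) { throw "adprep.exe not found at $adprep; is the media mounted as $Media ?" }

Write-Host "Schema master: $((Get-ADForest).SchemaMaster) (run this on, or with connectivity to, that DC)"
$schemaBefore = Get-SchemaVersion
$domainBefore = Get-DomainPrepRevision
Write-Host "Before: schema objectVersion $schemaBefore, domain update revision $domainBefore"

# forestprep prompts for confirmation (press C then Enter, as in the article). adprep writes
# its log under %SystemRoot%\debug\adprep\logs, which is where to look if it fails.
& $adprep /forestprep
if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep failed (exit code $LASTEXITCODE); see $env:SystemRoot\debug\adprep\logs" }

& $adprep /domainprep
if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep failed (exit code $LASTEXITCODE); see $env:SystemRoot\debug\adprep\logs" }

$schemaAfter = Get-SchemaVersion
$domainAfter = Get-DomainPrepRevision
Write-Host "After:  schema objectVersion $schemaAfter, domain update revision $domainAfter"
if ($schemaAfter -le $schemaBefore) {
    Write-Warning 'Schema version did not change: either it was already at the target level, or adprep did not complete.'
}

# With more than one DC the schema change must replicate before setup will proceed on
# another DC; push it now and surface any replication errors.
if (@(Get-ADDomainController -Filter *).Count -gt 1) {
    repadmin /syncall /AdeP | Out-Null
    repadmin /showrepl | Select-String -Pattern 'error|fail'
}
```

On the single-DC domain in the article the replication step is skipped; once the ‘After’ line shows the higher objectVersion, switch back to the setup window and retry the check.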

In Place Upgrade of Servers Running Certificate Services

Can you do this? Yes – Even if you have a multi-tier PKI deployment. see here I’ve personally done this twice (Server 2016 > Server 2022 and Server 2019 > Server 2022) and both were 100% successful. You can of course perform a traditional migration of Certificate Services to another server.

In Place Upgrade of Servers Running DHCP

I would not even worry about this; if you wanted to migrate a DHCP scope to another server it’s easy as peas, but an in place upgrade of a DHCP server is not a concern, even if the servers are configured for DHCP failover (HA).

In Place Upgrade of Servers Running NPS (Network Policy Server)

I’ve done this successfully, if you wanted to migrate this role manually then simply see the following article Migrate NPS Server.

In Place Upgrade of Servers Running RDS (Remote Desktop  Services)

Whilst supported, be aware that if you upgrade your RDS licensing server you must have CALs/licenses (or SALs if you’re SPLA licensed) that support the new version of Windows. RDS CALs work with session hosts of the same version or older, never newer: e.g. 2022 RDS CALs will serve Server 2019 and 2016 hosts, but 2016 RDS CALs will not work with Server 2019 or Server 2022. If you have problems ‘post upgrade’ delete the following folder “\windows\system32\lserver” (this resets the licensing database, so have your license details to hand) then re-license correctly with new CALs/SALs.

Invitation

If you’re reading this and considering an in place upgrade there may be a role or feature, or piece of software your server is running I’ve not covered. If so please bookmark this article, and return later, then post below what OS you upgraded from and to, and what Role/Feature/Software you were running. Was it a seamless procedure, or did you encounter a problem, error message, of complete failure? Please post your follow ups below to help the next person.

Related Articles, References, Credits, or External Links

In Place Upgrade Windows 2016 to Windows 2019

Upgrade Server 2012 (In Place)

Copy Error 0x80070780

Error 0x80070780 KB ID 0001896

Problem

This is a really strange one, when attempting to copy a file from a network location to another Windows server, I got this error.

Error 0x80070780: the file cannot be accessed by the system

Solution : Error 0x80070780

I did some searching, and got the usual annoying advice: run CHKDSK, reformat drives, one poster had even replaced the computer with another one! I came across one post that didn’t fix the problem but pointed me in the right direction. The SOURCE location (that I was copying from) on one of my test servers is a DROPBOX folder; I use it so I can download files on my MacBook and have them sync to the server for me to use on my test network. I was attempting to copy a file (in this case a license file for Veeam) to my Veeam server, by opening an Explorer window on the Veeam server and browsing to the NETWORK location of the Dropbox folder on the other server.

Why is that relevant? Well, I thought if I could not copy it TO the destination by initiating the copy on the destination server, what if I went to the SOURCE server and browsed to the destination servers C drive and initiated the copy FROM the source.

Which worked perfectly. Admittedly this is a work around more than a fix, but my Veeam is licensed, I’m happy, move on.

Related Articles, References, Credits, or External Links

NA

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

PolicyDefinitions KB ID 0001339 

Problem

We have had ADMX files for group policies for ages now, they are the successor to the older ADM files. They only really trip you up if you have something unusual to do, (like roll out LAPS, or Forefront, or Customising Office Deployments.)

In most cases you will want to have a central store in your Windows domain, so the clients can see the ADMX files, (and ultimately enforce the policies within them). 

 

Solution: PolicyDefinitions

You probably already have ADMX files on your Windows clients/servers; look in C:\Windows\PolicyDefinitions. So if you have installed any new ADMX files, they will get put in this folder on your local machine (or domain controller).

Do you already have a central PolicyDefinitions store? It’s easy  to find out, from any domain joined machine, run the following command;

[box]\\{Your-Domain-Name}\SYSVOL\{Your-Domain-Name}\Policies[/box]

If there’s a PolicyDefinitions folder already there, half your work has been done for you!

Copying Files to the Central PolicyDefinitions Store

ADMX Files are usually accompanied by an ADML file, while the ADMX files live in the PolicyDefinitions folder, the ADML files are ‘location specific’, if you look in your PolicyDefinitions folder you will see another sub folder for your ‘locale’. Below you can see mine is en-US (English US) your ADML files will live in here.

IMPORTANT: As you can see, (below). I’ve navigated to the PolicyDefinitions folder ON A DOMAIN CONTROLLER, at the following path;

[box]C:\Windows\SYSVOL\sysvol\{Your-Domain-Name}\Policies[/box]

DON’T Try and copy the folder, (or ADMX and ADML) files to the network path of SYSVOL, or you ‘may’ get permission errors, (see error below).

You can simply copy the entire PolicyDefinitions folder across if it does not already exist, or copy individual ADMX/ADML files (to the folder locations outlined above).

Now on your domain controller, Administrative Tools > Group Policy Management console, create (or edit an existing) policy. If you are set up correctly you should see this;

If something is wrong you will see this;

Copying PolicyDefinitions and ADMX/ADML Files: Access Denied

If this happens, you need to ensure you are NOT trying to copy folders or files to the network path of the SYSVOL folder, Open the LOCAL path to the SYSVOL folder directly on a domain controller.
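The copy is simple enough by hand, but the thing that bites people afterwards is an ADMX landing in the central store without its ADML (GPMC then throws a ‘Resource $(string.xxx) referenced in attribute displayName could not be found’ error). This added example (not from the original article) does the copy the way the article describes, from the LOCAL SYSVOL path on a domain controller, and then checks every ADMX has a matching ADML. It assumes it runs elevated on a DC whose local C:\Windows\PolicyDefinitions folder already contains the files you want to publish, and that your locale is en-US.

```powershell
# Added example: create or refresh the central PolicyDefinitions store and check it.
param(
    [string]$Source = "$env:SystemRoot\PolicyDefinitions",   # assumed: local folder holding the ADMX/ADML files
    [string]$Locale = 'en-US'                                  # assumed: your GPMC locale
)

Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
# The local SYSVOL path on the DC (not \\domain\SYSVOL), as the article recommends.
$store  = "$env:SystemRoot\SYSVOL\sysvol\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) {
    New-Item -ItemType Directory -Path (Join-Path $store $Locale) -Force | Out-Null
    Write-Host "Created new central store at $store"
} else {
    Write-Host "Central store already exists at $store; merging into it"
}

function Copy-Admx([string]$From, [string]$To, [string]$Filter) {
    # /XO copies only files newer than those already in the store, so a newer ADMX pack is
    # never overwritten by an older local copy. /NJH /NJS /NDL keep the output short.
    robocopy $From $To $Filter /XO /NJH /NJS /NDL | Out-Null
    # robocopy exit codes 0-7 mean success (0 = nothing to copy, 1 = files copied); 8+ = errors.
    if ($LASTEXITCODE -ge 8) { throw "robocopy $From -> $To failed (exit code $LASTEXITCODE)" }
}

Copy-Admx -From $Source -To $store -Filter '*.admx'
Copy-Admx -From (Join-Path $Source $Locale) -To (Join-Path $store $Locale) -Filter '*.adml'

# Every ADMX needs an ADML of the same base name in the locale folder.
function Get-OrphanAdmx([string]$StorePath, [string]$LocaleName) {
    $adml = @(Get-ChildItem (Join-Path $StorePath $LocaleName) -Filter *.adml | ForEach-Object BaseName)
    Get-ChildItem $StorePath -Filter *.admx |
        Where-Object { $adml -notcontains $_.BaseName } |
        ForEach-Object Name
}

$admxCount = @(Get-ChildItem $store -Filter *.admx).Count
$admlCount = @(Get-ChildItem (Join-Path $store $Locale) -Filter *.adml).Count
Write-Host "Central store now holds $admxCount ADMX and $admlCount $Locale ADML files"

$orphans = @(Get-OrphanAdmx -StorePath $store -LocaleName $Locale)
if ($orphans.Count) { Write-Warning "ADMX files with no $Locale ADML: $($orphans -join ', ')" }
else                { Write-Host  "All ADMX files have a matching $Locale ADML" }
```

Run it on the PDC emulator (GPMC edits there by default) and let SYSVOL replication carry the store to the other DCs; if GPMC still shows the local-templates message afterwards, close and reopen the editor, as it only reads the store when a policy is opened.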

Related Articles, References, Credits, or External Links

NA

VMware – Setting up ESX NTP Time Sync

ESX NTP KB ID 0000798

Problem

Having your ESX Server running the correct time is quite important, and before you visit this subject, I would suggest you MAKE SURE the time is set in the ESX Servers BIOS, ie the internal clock is set correctly first. I’ve lost count of the amount of times I’ve seen Windows domains fall over because the ESX host has reverted to its BIOS time and replicated that time to its guests, suddenly your domain clocks are two years apart and carnage ensues!

Throughout this procedure I will be setting my VMware environment to sync time with a LOCAL Windows domain controller. Some may argue that if the domain controller is a virtual machine in a virtual environment this is a BAD IDEA; I understand that argument (but this is my test network). In production I would rather have my devices getting time synchronised from a reliable public time source.

Solution : ESX NTP

Step 1: vCenter NTP

Assuming you have already set time correctly on your domain controller as per this article, the next step is to configure your vCenter server(s) NTP time source. Note: If you are using stand-alone ESX servers please skip this section.

Note: For this to work the hosts need to be able to communicate with the time servers over NTP (UDP Port 123), ensure your firewall has this port open to the NTP source or time sync will fail.

Connect to your vCenter(s) appliance management console (VAMI) at https://{ip-or-domain-name}:5480 and log in as root. Navigate to Time > Select the correct Time Zone (Note: there is GMT but no BST, so if you’re in the UK select Europe/London). Under Time Synchronization > Edit > Mode = NTP > Time Servers = the IP(s) of your time sources > Save.

Have a coffee, eventually it should look like this.

Step 2a: ESX NTP (Directly)

Note: If you are managing ESX hosts via vCenter skip to the next section, this procedure is used to set NTP on an ESX host directly. Connect to the management console of your ESX Server. Navigate to Manage > System > Time & Date > Edit NTP Settings.

Select “Start and Stop with Host” > Enter the IP addresses or names of the NTP Source(s) > Save.

 

Step 2b: ESX NTP (via vCenter)

Connect to vCenter and select your first ESX host > Configure > Time configuration > Add Service > Network Time Protocol > Enter the IP address(es) or name(s) of your NTP server(s) > OK.

At this point go and have a coffee > Hit Refresh > ONCE there’s an entry under Last Time Sync > Test Services.

The output should look something like this

 

ESX NTP For OLDER versions of vSphere

Connect to the host (or vCenter and drill down to the host(s)). Select the host in question > Configuration > Time Configuration > Properties > Tick NTP Client Enabled > Options > Add > Add in your public time server IPs > Tick ‘Restart NTP Service to apply changes’ > OK > OK.

Note: I’m in the UK so I’m using two time servers in this country, you may want to use one closer to home.

130.88.212.143 = turnip.mc.man.ac.uk (Manchester University)
130.88.200.4 = dir.mcc.ac.uk (Manchester University)

When you see the following all is well.

Note: If all these details are IN RED, then it has failed to sync, either be patient, try putting the host into and out of maintenance mode, or reboot it, if it continues to fail check it can see the public time servers on UDP port 123.
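Clicking through every host is fine for a couple of them; for a cluster you want to do the same thing once, and then prove each host is really keeping time rather than just showing a green tick. This is an added example using PowerCLI (it is not from the original article), covering the same steps as the UI: set the NTP sources, open the ‘NTP Client’ firewall rule for UDP 123, set ntpd to start and stop with the host, and then compare each host’s clock with the machine running the script. It assumes the VMware.PowerCLI module is installed and that the vCenter name is replaced with your own; the two NTP sources are the Manchester servers the article uses.

```powershell
# Added example: configure and verify NTP on every ESXi host in vCenter with PowerCLI.
param(
    [string]   $VCenter    = 'vcenter.yourdomain.co.uk',            # assumed: your vCenter
    [string[]] $NtpServers = @('130.88.212.143', '130.88.200.4')     # the article's UK sources
)

Import-Module VMware.PowerCLI
Connect-VIServer -Server $VCenter | Out-Null

foreach ($esx in Get-VMHost) {
    # Replace whatever is configured with the intended list: a stale, unreachable source left
    # behind is the usual reason a host shows as "not synchronised".
    $current = Get-VMHostNtpServer -VMHost $esx
    if ($current) { Remove-VMHostNtpServer -VMHost $esx -NtpServer $current -Confirm:$false | Out-Null }
    Add-VMHostNtpServer -VMHost $esx -NtpServer $NtpServers | Out-Null

    # The host firewall must allow outbound UDP 123 (the "NTP Client" ruleset).
    Get-VMHostFirewallException -VMHost $esx -Name 'NTP Client' |
        Set-VMHostFirewallException -Enabled $true | Out-Null

    # ntpd policy "On" = Start and stop with host; then (re)start it so the change applies now.
    $ntpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'ntpd' }
    Set-VMHostService -HostService $ntpd -Policy On | Out-Null
    if ($ntpd.Running) { Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null }
    else               { Start-VMHostService   -HostService $ntpd -Confirm:$false | Out-Null }
}

# Verification: ask each host for its clock (HostDateTimeSystem.QueryDateTime, which is UTC)
# and compare it with this machine, which should itself be synchronised to the same source.
function Get-EsxClockOffset {
    foreach ($esx in Get-VMHost) {
        $dts   = Get-View $esx.ExtensionData.ConfigManager.DateTimeSystem
        $delta = ($dts.QueryDateTime().ToUniversalTime() - [datetime]::UtcNow).TotalSeconds
        $ntpd  = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'ntpd' }
        [pscustomobject]@{
            Host          = $esx.Name
            NtpRunning    = $ntpd.Running
            NtpServers    = (Get-VMHostNtpServer -VMHost $esx) -join ', '
            OffsetSeconds = [math]::Round($delta, 2)
        }
    }
}

# An offset of more than a second or two once ntpd has been running for a few minutes means
# the host is not actually syncing: check UDP 123 from the host to the sources first.
Get-EsxClockOffset | Format-Table -AutoSize
```

Give ntpd a few minutes before trusting the offsets; immediately after a restart the daemon has not stepped the clock yet, which is the same ‘have a coffee’ wait the UI steps describe.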

Related Articles, References, Credits, or External Links

NA

Windows – Setting Domain Time

Domain Time KB ID 0000112

Problem

If you have arrived here, you have either noticed that the time is wrong on your server(s) or client PC(s), or you have looked in the event viewer and seen one of the following events being logged. Event ID’s 12, 22, 29, 36, 38, 47, and 50.

Time Problem Events – On the PDC Emulator

Event ID 12 (W32 Time Time Provider NtpClient: This machine is configured to use {text omitted}, but it is the PDC emulator…).

Event ID 29 (The time provider NtpClient is configured to acquire time from one or more time sources…).

Event ID 36 (The time service has not synchronized the system time for 86400 seconds…).

Event ID 38 (The time provider NtpClient cannot reach or is currently receiving invalid time data from…).

Event ID 47 (Time Provider NtpClient: No valid response has been received from manually configured peer…).

Domain Time Problem Events – On Domain Members

Event ID 50 (The time service detected a time difference of greater than 5000 milliseconds for 900 seconds…).

Event ID 22 (The time provider NtpServer encountered an error while digitally signing the NTP response for peer…).

Solution : Domain Time Problems

Setting domain time is a TWO-STEP process, set the time correctly on the PDC emulator, then let the clients take their time from the PDC emulator.

Locate the PDC Emulator

1. On a domain controller, Windows Key+R > netdom query fsmo {Enter}.

2. Take note of the PDC name and go to that server.

NTP Firewall config (Domain Time)

1. Ensure UDP Port 123 is open outbound from the PDC Emulator. How this is done will vary depending on your firewall vendor. If you have a Cisco ASA or a Cisco PIX see my article here.

To Test Use NTPTool

Below either the port is blocked (or the hostname/IP of the external NTP server is incorrect). Windows can do the same test without a third-party tool: w32tm /stripchart /computer:{ntp-server} /samples:3 /dataonly returns an offset per sample when the server is reachable, and an error when it is not;

This is how it should look, every-time you press query you should get a response, now you know the correct port is open;

Configure the PDC Emulator to collect Reliable Domain Time

There’s two ways to do this, 1. Use Group Policy, and 2. Use command line.

Setting PDC Emulator Time With Group Policy

Of course our PDC Emulator is also a domain controller, so we need to link a GPO to the Domain Controllers OU. But we don’t want all DCs getting their time from an external source, so we will create a WMI filter to ensure the policy will only apply to the PDC emulator server.

Administrative tools > Group Policy Management > WMI Filter > New > PDC-Emulator-Only > Add > Select * from Win32_ComputerSystem where DomainRole = 5 > OK.

Don’t panic if you see this error > OK > Save.

Create a new GPO linked to the Domain Controllers OU.

Change the policy so it uses your WMI filter;

Edit The Policy, and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > set the NtpServer setting to one or more entries of the form server-name,flags separated by spaces, e.g. ntp2d.mcc.ac.uk,0x9. The suffix is a flags value, not a stratum: 0x8 = client mode, 0x1 = use the SpecialPollInterval, so 0x9 is both. If you get this wrong you won’t sync, and you will see this error.

Enable Windows NTP Client

Enable the Policy (The server still needs to get its time from the external source!)

Enable Windows NTP Server

Enable the policy (The server also needs to provide time to the domain clients).

Save and exit the policy editor, then on the PDC emulator force a policy update (gpupdate /force) and resync the time (w32tm /resync). Finally run rsop.msc to make sure the settings have applied.

Setting PDC Emulator Time From Command Line

 

1. On the PDC emulator Windows Key+R > cmd {Enter}.

2. At command line execute the following four commands;

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

Note: If you are NOT in the UK or simply want to use a different NTP time server go here for alternatives.

3. Look in the server’s Event log > System Log for Event ID 37.

 

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time provider NtpClient is currently receiving valid time 
data from ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

4. You will also see Event ID 35.

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time service is now synchronizing the system time with the time source 
ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

Step 2 Check the domain clients

This is all you should need to do, because, (by default) all Domain clients get their time from the PDC when they log on, but to check;

1. Windows Key+R > cmd {enter}.

2. Execute the following command;

[box] w32tm /monitor [/box]

3. You will see the time this client can see, on all the domain controllers.

[box]

C:\Documents and Settings\Administrator.yourdomain>w32tm /monitor
server-dc.yourdomain.co.uk [192.168.1.1]:
ICMP: 0ms delay.
NTP: +363.2032725s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.69.6]
site2-dc.yourdomain.co.uk [192.168.2.1]:
ICMP: 70ms delay.
NTP: +0.0470237s offset from server-pdc.yourdomain.co.uk
RefID: dc.yourdomain.co.uk [192.168.69.4]
serverdc2.yourdomain.co.uk [192.168.1.4]:
ICMP: 0ms delay.
NTP: +0.0000553s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.1.6]
server-pdc.yourdomain.co.uk *** PDC *** [192.168.1.6]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from server-pdc.yourdomain.co.uk
RefID: scarp.mc.man.ac.uk [130.88.203.64]

[/box]

(In the case above the time on server-dc is way out, address that first; it was an old Windows 2000 server and running “net time \\server-pdc” {enter} fixed it.)

4. Once all the domain controllers have a time that’s accurate (like the last three in the example above), then proceed.

5. Execute the following commands on a client machine;

[box]

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

6. The machines event log should show the following successful events;

Event ID 37 (The time provider NtpClient is currently receiving valid time data from..).

Event ID 35 (The time service is now synchronizing the system time with the time source..).

Setting Domain Clients Time via GPO

As already outlined you should not need to do this, (as it’s the default setting,) but if there’s a problem you can force domain clients to look at your PDC emulator for reliable time.

Create a GPO, and link it to the OU containing the computers you want to sync’

Edit the policy and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > Set the NtpServer to {Your-PDC-Name},0x9 > Set the Type to NT5DS.

Note: with Type set to NT5DS the client follows the domain hierarchy (it syncs from the DC that authenticated it, which in turn follows the PDC emulator) and the NtpServer value is ignored. Only set Type to NTP if you genuinely want every client to poll the named server directly.

Enable Windows NTP Client

Enable this policy.

Testing Client NTP Settings

Either run;

[box]w32tm /query /status[/box]

Or run RSOP.
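The two halves of the procedure above (configure the PDC emulator, then check the clients) use the same tool with different flags, and the checks are the same on both ends. This added example (not from the original article) puts them in one script: it uses the DomainRole = 5 test from the WMI filter to decide whether it is on the PDC emulator, configures the external peers with the name,flags syntax on the PDC or the domain hierarchy on anything else, then restarts w32time, resyncs and reads back the source and stratum from w32tm /query /status. It assumes an elevated session; the peer list is the article’s Manchester server plus a pool address of my choosing.

```powershell
# Added example: configure Windows Time for whichever role this machine holds, then verify.
param(
    [string[]] $ExternalPeers = @('ntp2d.mcc.ac.uk', 'uk.pool.ntp.org')   # assumed peers, change to suit
)

# DomainRole 5 = primary domain controller, i.e. the PDC emulator (same test as the WMI filter).
$isPdc = (Get-CimInstance Win32_ComputerSystem).DomainRole -eq 5
$role  = if ($isPdc) { 'PDC emulator' } else { 'Domain member' }

if ($isPdc) {
    # Each peer is "name,flags": 0x8 = client mode, 0x1 = use SpecialPollInterval, 0x9 = both.
    # Multiple peers are space-separated, so the whole list must be one quoted argument.
    $peerList = ($ExternalPeers | ForEach-Object { "$_,0x9" }) -join ' '
    w32tm /config "/manualpeerlist:$peerList" /syncfromflags:manual /reliable:yes /update | Out-Null
} else {
    # Everything else takes time from the domain hierarchy (NT5DS), never a hard-coded peer.
    w32tm /config /syncfromflags:domhier /reliable:no /update | Out-Null
}

Restart-Service w32time
w32tm /resync /nowait | Out-Null
Start-Sleep -Seconds 10

function Get-W32TimeStatus {
    # Turn the "Key: value" lines of w32tm /query /status into a hashtable; the non-greedy
    # key match stops at the first colon so timestamps in the value survive intact.
    $status = @{}
    foreach ($line in (w32tm /query /status)) {
        if ($line -match '^\s*([^:]+?):\s*(.+)$') { $status[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $status
}

$status = Get-W32TimeStatus
$source = (w32tm /query /source | Out-String).Trim()

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Role     = $role
    Source   = $source
    Stratum  = $status['Stratum']
    LastSync = $status['Last Successful Sync Time']
} | Format-List

# "Local CMOS Clock" or "Free-running System Clock" as the source means no peer was reached:
# Event 29/47 territory on the PDC, Event 50 territory on a member that has drifted.
if ($source -match 'CMOS|Free-running') {
    Write-Warning "Not synchronised from a network source. Test the first peer directly: w32tm /stripchart /computer:$($ExternalPeers[0]) /samples:3 /dataonly"
}
```

On a healthy PDC emulator the Source line names one of your external peers and the stratum is one higher than the peer’s; on a healthy member the Source is a domain controller and the stratum one higher again. A member whose Source is still an external host has a stale manual peer list from an earlier attempt, and the NT5DS branch of this script clears it.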

 

Related Articles, References, Credits, or External Links

PDC Emulator: PDC Emulator: Cannot Sync Time From External NTP Server

Cisco ASA – Configuring for NTP 

 

Network Connection Failure

Network Connection Failure KB ID 0001894

Problem

Logon failure the user has not been granted the requested logon type at this computer.

{Location} is not accessible. You might not have permission to use this network resource.
Contact the administrator of this server to find out if you have access permissions

Solution : Network Connection Failure

If you’re seeing the error “The user has not been granted the requested logon type at this computer” while trying to connect to a network share on a Windows machine, it means the account is being refused the network logon right on that computer. This is a user rights assignment problem, not a share or NTFS permissions problem, so fixing permissions on the folder will not help. Note that a deny right always wins over an allow right, and that on a domain-joined machine these rights are often delivered by Group Policy, in which case a change made in the local security policy will be overwritten at the next policy refresh. The steps below walk through checking the local policy.

Here’s what you can do:

Step 1: Network Connection Failure Log in as Administrator

You’ll need to be on the computer you’re trying to connect to. Make sure you’re logged in with an account that has administrator privileges.

Step 2: Open Local Security Policy

  1. Press Windows + R to open the Run dialog.
  2. Type secpol.msc and hit Enter. This opens the Local Security Policy window.

Step 3: Navigate to User Rights Assignment

  1. In the left-hand pane, expand Local Policies, then click on User Rights Assignment.
  2. In the right-hand pane, scroll down to find “Deny access to this computer from the network”.
    • Why? If the user you’re trying to connect with is listed here, they won’t be able to connect to network shares.

Step 4: Check Deny Policies

  1. Double-click on “Deny access to this computer from the network” and make sure the user or group you’re trying to connect with is not listed. If they are, remove them by selecting the user or group and clicking Remove.
  2. Similarly, check the “Deny log on locally” policy. Make sure the user or group is not listed here either.

Step 5: Grant Network Access Rights

  1. Still under User Rights Assignment, find “Access this computer from the network”.
  2. Double-click it, then click Add User or Group.
  3. Type in the name of the user or group that needs access, then click OK. Prefer a specific group over “Everyone”; granting network logon to Everyone widens the machine’s remote attack surface to every account that can authenticate to it.

Step 6: Apply and Restart

  1. Once you’ve made the changes, click Apply and OK.
  2. The change applies to new logons, so a restart is not normally required; if the right is delivered by Group Policy, run gpupdate /force (and fix it in the GPO, not locally).

Step 7: Network Connection Failure Test the Connection

Now, try reconnecting to the network share from the other computer. If everything is set up correctly, you should now be able to connect without any issues. If it still doesn’t work, check whether the account (or a group it belongs to) appears in the deny policies via a domain GPO (gpresult /h report.html will show which GPO delivered the setting), and make sure the account is a member of a group that has been granted access on the machine you’re connecting to.
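Clicking through secpol.msc tells you what is listed, but not whether a given account is actually caught by a deny entry via some group it belongs to, which is the case that usually causes this error. This added example (not from the original article) exports the effective user rights with secedit, resolves the SIDs, works out which local groups and well-known identities the account carries, and reports which of the four relevant rights apply to it. It assumes an elevated session on the machine being connected to, PowerShell 5.1 or later (for the LocalAccounts cmdlets), and that the account name below is replaced with the one failing to connect.

```powershell
# Added example: which network/interactive logon rights apply to an account on this machine?
param([string]$Account = 'YOURDOMAIN\someuser')   # assumed: the account that cannot connect

# Deny rights are listed first because a deny always overrides an allow.
$rightsOfInterest = [ordered]@{
    SeDenyNetworkLogonRight     = 'Deny access to this computer from the network'
    SeNetworkLogonRight         = 'Access this computer from the network'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
    SeInteractiveLogonRight     = 'Allow log on locally'
}

function ConvertTo-Sid([string]$Name) {
    try { ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Name }
}
function ConvertTo-AccountName([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-UserRightSids {
    # secedit exports the *effective* local policy (GPO-delivered settings included) as INI;
    # entries look like:  SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                ForEach-Object { if ($_.StartsWith('*')) { $_.Substring(1) } else { ConvertTo-Sid $_ } })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $rights
}

function Get-AccountSids([string]$Name) {
    # The account itself, Everyone (S-1-1-0), Authenticated Users (S-1-5-11), plus every local
    # group it is a direct member of. Domain group nesting is NOT expanded here: run
    # "whoami /groups" as the account on a domain machine to see those.
    $sid  = ConvertTo-Sid $Name
    $sids = @($sid, 'S-1-1-0', 'S-1-5-11')
    foreach ($g in Get-LocalGroup) {
        $members = @(Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue)
        if ($members | Where-Object { $_.SID.Value -eq $sid }) { $sids += $g.SID.Value }
    }
    $sids
}

$rights = Get-UserRightSids
$mine   = Get-AccountSids -Name $Account
Write-Host "Effective rights on $env:COMPUTERNAME for $Account`n"
foreach ($right in $rightsOfInterest.Keys) {
    $hits  = @($rights[$right] | Where-Object { $mine -contains $_ } | ForEach-Object { ConvertTo-AccountName $_ })
    $state = if ($hits.Count) { 'APPLIES via ' + ($hits -join ', ') } else { 'not listed' }
    '{0,-48} {1}' -f $rightsOfInterest[$right], $state
}
```

Read the output top-down: if either deny right APPLIES, that is the cause regardless of the allow rights, and the entry it applies ‘via’ tells you which group to look at. If nothing applies at all, the account is simply missing from “Access this computer from the network”, which is the Step 5 case above.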

Related Articles, References, Credits, or External Links

Remote Desktop Services – Connection Errors

Remote Desktop Web Access – Connection Error

Trust a Certificate

Trust a Certificate KB ID 0001893

Problem

There was a question on the Spiceworks forum this week and I suggested simply trusting the certificate to stop a certificate error, and got asked.

Could you please let me know how to import the downloaded certificate

I was surprised to find I’d not really covered this as a stand-alone subject so here we go.

Solution: Trust a Certificate

Firstly,  If you can go and spend a few minutes reading the following article Digital Certificates Explained especially the Golden Rules of Certificates section. Every IT Pro and Developer should have a basic grasp of certificates and how they work. It will take you less than 5-10 minutes to read that article and will save you struggling in future.

Now you’ve read that article above, you know that to trust a certificate you must trust the CA that issued the certificate. With the asker’s problem it was getting the certificates from a VMware vCenter server, which is easy as peas, because it gives you the option to download them on the main screen like so;

Note: If you download the certs they come in a zip file, extract them out of that zip file, (or you won’t see “Open As” on your right click menu when you want to import the certificate(s)).

Now normally you will get four files, two are CRL (Certificate Revocation List) files we won’t be needing those but the two remaining files (the ones with the .crt extension) right click > Open With > Select Crypto Shell Extensions (Note: If you don’t do this the file may open in notepad, and just show you the certificate as a PEM file).

 

Import or Trust a Certificate

Install Certificate > Select “Local Machine” > Next > Select “Place all certificates in the following store” > Browse > for a root CA certificate choose “Trusted Root Certification Authorities” (an intermediate CA certificate goes in “Intermediate Certification Authorities”) > Next.

Finish > OK.

You can now see I don’t have any certificate errors. (If yours still does, check the Golden Rules of Certificates (see above); one of them is still being broken.)

I can’t See a Root Certificate! (or Root CA Certificate) In some cases you may need to select the Certification Path tab and select the CA certificates; there may be a few in the ‘chain’. Look at each certificate and import them one by one, going up the chain all the way to the root certificate at the top.
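The wizard will happily let you drop a server’s own certificate into Trusted Root, which ‘fixes’ the warning by trusting that one certificate for every purpose and hides whichever golden rule is really being broken. This added example (not from the original article) refuses to do that: it imports a downloaded .crt only if it is a CA certificate, puts a self-signed CA in Root and anything else in Intermediate, and then connects to the server to prove the certificate it presents now chains to what you imported and matches the name you typed. It assumes an elevated session, and that the file path and host name are replaced with your own.

```powershell
# Added example: import a CA certificate into the machine store and verify the server chains to it.
param(
    [string] $CertFile   = 'C:\Temp\certs\download.crt',     # assumed: the downloaded CA certificate
    [string] $TargetHost = 'vcenter.yourdomain.co.uk',       # assumed: the server that showed the error
    [int]    $Port       = 443
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)

# Golden rule: you trust the issuer, not the leaf. Only a certificate with the CA flag in its
# Basic Constraints belongs in Root/CA; a server certificate means "go up the chain instead".
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not ($bc -and $bc.CertificateAuthority)) {
    throw "$($cert.Subject) is not a CA certificate; import its issuer (see the Certification Path tab) instead"
}

# A self-signed CA (issuer == subject) is a root; anything else is an intermediate.
$store = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
Import-Certificate -FilePath $CertFile -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
Write-Host "Imported '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) into LocalMachine\$store"

function Test-ServerChain([string]$HostName, [int]$Port) {
    # Fetch the certificate the server presents over TLS (accepting anything at this stage so
    # we can inspect it), then build its chain against the machine stores we just updated.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust test only; CRL reachability is a separate question
    $valid = $chain.Build($server)
    $dnsName = $server.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    [pscustomobject]@{
        Subject    = $server.Subject
        Issuer     = $server.Issuer
        NotAfter   = $server.NotAfter
        DnsName    = $dnsName
        NameMatch  = ($dnsName -eq $HostName)
        ChainValid = $valid
        Errors     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-ServerChain -HostName $TargetHost -Port $Port | Format-List
```

ChainValid true with NameMatch true is the ‘no certificate errors’ state from the screenshot. ChainValid true with NameMatch false means the CA is now trusted but you are connecting by a name the certificate was not issued for (another golden rule), and UntrustedRoot or PartialChain in Errors means a certificate further up the chain still needs importing.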

Related Articles, References, Credits, or External Links

NA