NDES is the name for what we used to call MSCEP, which was an ‘add-on’ for the Server 2003 family of servers. In Server 2008 it was renamed to NDES. It is a role service that runs on a Certificate Services server, and is used to create a registration authority (RA) that can issue certificates from your PKI infrastructure to network devices, e.g. routers, firewalls and switches.
Solution
Installing Network Device Enrollment Service
I’m assuming you already have an Active Directory Certificate Services Server setup, if not you can deploy that and add in NDES at the same time.
1. Either: Launch Server Manager > Manage > Add Roles and Features > Below Active Directory Certificate Services select Network Device Enrollment Service.
2. Or: From within PowerShell run the following command;
1. Create a domain user (below I’ve called it SVC_NDES) > Add that user to the IIS_IUSRS group on the CA server.
2. From within Server Manager launch the post deployment configuration wizard.
3. Next.
4. Select Network Device Enrollment Service, (if not already selected).
5. Change the account details, to the service account you created above.
6. Enter the details that will be used to enroll the RA certificate.
7. Accept the defaults > Next.
8. Configure.
9. Close.
10. Launch the Certificate Authority management console > Certificate Templates > Right Click > Manage.
11. Open the properties of the ‘IPSec (Offline request)’ certificate template > Security tab > make sure the account you created (above) has the ‘Enroll’ permission.
NDES Disable Password Requirement.
I’ve read a few blogs and articles that say;
“There is no way for Cisco devices to supply the required password to enroll with NDES/MSCEP, so you need to disable the requirement for a password.”
This is NOT TRUE; however, the whole point of issuing certificates via your PKI infrastructure is that it can scale dramatically. If you are creating passwords and embedding those passwords in all your enrollments, it can get a little unwieldy, so it may be sensible to remove the password requirement.
Update: 22/10/21: You may also need to recycle the SCEP application pool in IIS (on the Certificate Services server):
From IIS Manager > CA > Application Pools > SCEP > from the right-hand panel > Advanced Settings > set Load User Profile to ‘True’ > OK.
Again in the right-hand panel > Recycle. Then from IIS Manager > Sites > Default Web Site > from the right-hand panel, click Restart.
Below you can see the difference, with the password requirement enforced, and without.
2. Restart the Certificate Services service;
net stop certsvc
net start certsvc
NDES More Password Options and Renewing Certificates
If you do want the more secure option of using passwords, but don’t want to add a new password every time you have a new enrollment, you can specify that the password does not expire after the default 60 minutes; in fact it never expires. This is handy if you want to renew certificates without generating new passwords. To do that, carry out the following procedure;
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP
Create a new 32-bit DWORD value called ‘DisableRenewalSubjectNameMatch’ and set the value to 1 (one).
3. If (as above) you are running NDES under a service account, ensure that account has full control of the MSCEP key. (Again, don’t forget to restart the Certificate Services service.)
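As an added example (not the article’s own code), the renewal value, the MSCEP key permission and the service restart from the steps above as one PowerShell script; the service account name is a placeholder and must be changed before running.

```powershell
# Added example, not from the original article: the registry value, key permission
# and service restart from the steps above as one script. Run elevated on the NDES
# server. The service account name is a placeholder; change it before running.
$ServiceAccount = 'DOMAIN\SVC_NDES'                               # placeholder
$MscepKey       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# The renewal setting from the article, so certificates can be renewed
# without generating new enrollment passwords (32-bit DWORD = 1).
New-ItemProperty -Path $MscepKey -Name 'DisableRenewalSubjectNameMatch' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Give the NDES service account Full Control of the MSCEP key and its subkeys
# (ContainerInherit,ObjectInherit makes the ACE apply below the key too).
$acl  = Get-Acl -Path $MscepKey
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $ServiceAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.SetAccessRule($rule)
Set-Acl -Path $MscepKey -AclObject $acl

# Restart Certificate Services so the change is picked up (net stop/start certsvc).
Restart-Service -Name certsvc

# Verify: the DWORD is present and the service account has a Full Control ACE.
Get-ItemProperty -Path $MscepKey -Name 'DisableRenewalSubjectNameMatch'
(Get-Acl -Path $MscepKey).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and $_.RegistryRights -eq 'FullControl' }
```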
IIS Query String Problem
You may find that with the default IIS settings you encounter some problems. This is because (by default) IIS will only accept a query string that is less than 2048 characters long. If that happens you may see the following errors;
Request URL Too Long
HTTP Error 414. The request URL is too long.
HTTP Error 404.15 – Not Found
The request filtering module is configured to deny a request where the query string is too long.
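The article stops at the error messages, so as an added example (not the article’s own code) here is how to read and raise the two limits behind them: the IIS request-filtering maxQueryString (404.15) and the http.sys request limits (414). The value 65534 and the site path are my assumptions.

```powershell
# Added example, not from the original article: show the default limits that
# produce the two errors above and raise them. Assumes an elevated prompt on the
# NDES server with the IIS WebAdministration module; 65534 is my chosen value.
Import-Module WebAdministration
$site  = 'IIS:\Sites\Default Web Site'   # assumption: NDES lives under the default site
$limit = 65534

# HTTP Error 404.15 comes from IIS request filtering; maxQueryString defaults to 2048.
$filter = 'system.webServer/security/requestFiltering/requestLimits'
$before = (Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString).Value
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString -Value $limit
$after  = (Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString).Value
"requestFiltering maxQueryString: $before -> $after"

# HTTP Error 414 comes from http.sys, which has its own per-request limits in the
# registry; these only take effect after the HTTP service (or the server) restarts.
$http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $http -Name $name -PropertyType DWord -Value $limit -Force | Out-Null
}
Get-ItemProperty -Path $http | Select-Object MaxFieldLength, MaxRequestBytes
```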
Before you start troubleshooting clients, how long have you waited? I usually set up and configure WSUS at the start of a job, then leave it alone for a few DAYS before I start worrying.
Here are the steps I usually follow to get the machines listed in the WSUS management console.
Solution
Before doing anything further, simply try running the following two PowerShell commands (on the problem client), and then wait for a few hours;
1. Assuming you are deploying your WSUS settings by GPO, make sure the machine in question is actually trying to apply the policy; you can do this by running rsop.msc like so:
Or by running gpresult /R from the command line.
Note: If you cannot see Computer Policy / Computer Settings, i.e. you can only see user settings, then you are probably not running the command window as ‘Administrator’ (Locate cmd.exe > right click > Run as Administrator).
2. If you are enforcing by GPO, or directly via registry edit, your next step is to check that the registry entries exist. Start > In the Search/Run box type regedit {Enter}. Navigate to:
HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > WindowsUpdate
3. Start > In the Search/Run box type services.msc {enter} Locate the Windows Update service and ensure it is running.
4. Then locate the Background Intelligent Transfer Service and make sure that’s also running.
5. To make sure the client can see the WSUS website, open a browser window, and navigate to http://{name-of-the-wsus-server}/iuident.cab and make sure you can open/download the file.
6. If all the above is OK, you can try forcing a registration with the following command;
wuauclt /detectnow
7. All update events are being logged; you can find the log at C:\Windows\WindowsUpdate.log. Open the file with Notepad.
8. Scroll all the way to the end, then work upwards looking for errors.
9. Sometimes if you image a machine (or clone a VM) it keeps its unique update ID; if this happens then the first machine with this ID to register gets listed, and all the rest do not. To find out if this is your problem, locate and stop the Windows Update service on an affected client.
10. Open the Registry Editor and navigate to:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > WindowsUpdate
Locate and delete the SusClientId entry.
11. Restart the Windows Update service and run the following two commands:
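As an added example (not the article’s own code or its two commands, which are not reproduced here), a client-side PowerShell check that walks steps 2 to 6 above and, only when asked, carries out the duplicate-client-ID fix from steps 9 to 11. The WSUS server name is a placeholder, and the re-registration switches are the ones usually used for this and are my assumption.

```powershell
# Added example, not from the original article: a client-side check for steps 2-6
# above, with the duplicate-client-ID fix from steps 9-11 behind a switch so the
# script is read-only unless you ask for it. Run elevated on the problem client.
$WsusServer    = 'wsus.example.local'   # placeholder: your WSUS server name
$ResetClientId = $false                 # set to $true to run steps 9-11

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

# Step 2: the GPO-delivered settings should exist; if not, the policy is not applying.
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Select-Object WUServer, WUStatusServer, TargetGroup
} else {
    Write-Warning 'No WindowsUpdate policy key found: check rsop.msc / gpresult /R'
}

# Steps 3-4: both services must be running.
foreach ($name in 'wuauserv', 'BITS') {
    $svc = Get-Service -Name $name
    if ($svc.Status -eq 'Running') { "$name is running" } else { Write-Warning "$name is $($svc.Status)" }
}

# Step 5: fetch iuident.cab from the WSUS web site, as the client itself would.
try {
    $r = Invoke-WebRequest -Uri "http://$WsusServer/iuident.cab" -UseBasicParsing
    "WSUS site reachable: HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
} catch {
    Write-Warning "Cannot download iuident.cab: $($_.Exception.Message)"
}

if ($ResetClientId) {
    # Steps 9-11: drop the cloned SusClientId (and its companion validation value,
    # which the article does not mention) so the client gets a fresh ID on re-registration.
    Stop-Service -Name wuauserv -Force
    Remove-ItemProperty -Path $clientKey -Name 'SusClientId', 'SusClientIdValidation' -ErrorAction SilentlyContinue
    Start-Service -Name wuauserv
    wuauclt.exe /resetauthorization /detectnow   # assumption: the usual re-registration switches
} else {
    # Step 6: just ask the client to check in.
    wuauclt.exe /detectnow
}
```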
There are many reasons why you might want to do this: someone has managed to change a user password and that person is not available, or you might simply have forgotten it. Or you might have been given a machine, or bought one from eBay, that has come without a password. Also there have been a few times when a user has looked me in the eye and said “I’m typing my password in, but it’s not working”; I have never seen a password change on its own, so I will just put that down to the evil password gremlins.
The procedure will also work on the Windows local administrator’s password, just bear in mind that this account is disabled by default (after Windows 8). This procedure will not work if the machine in question has had its hard drive encrypted using BitLocker.
You can use this procedure to blank (or reset) a Domain Controller’s DSRM (Directory Services Restore Mode) password.
You can avoid this procedure if you have access to another account on this machine that has administrative access. If you can log on as an administrator, then you can change the password of other local accounts on the affected machine without the need to do this.
2. Download ImgBurn and install it. Launch the program; if it does not look like this you need to select View > Ez-Mode Picker. Select the ‘Write image file to disc’ option.
2. The file you downloaded is a zip file that contains the disk image, you will need to extract the image from the zip file (i.e. drag it to your desktop). From within ImgBurn launch the browse option and navigate to the disk image you have just extracted > Open.
3. Select the burn to disc icon (Note: This will be greyed out, until there is a blank CD in the drive). The image is very small, it will not take long to burn.
Carry Out a Windows 8 Password Reset.
This procedure uses the boot CD you have just created. For it to work you need to make sure the machine will attempt to boot from its CD/DVD drive before it boots from its hard drive (or it will simply boot into Windows again). This change in ‘boot order’ is carried out in the machine’s BIOS; how you enter this varies depending on the machine vendor. When you first turn on the machine, watch for a message that looks like “Press {key} to enter Setup”, typically Esc, Del, F1, F2, or F9. Once in the BIOS, locate the boot order and move the CD/DVD drive to the top of the list.
1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.
2. Depending on how many disks/partitions you have it will discover them and assign a number to each one, here I only have 1 so I will type ‘1 {Enter}’.
Note: You may see a small 300 MB partition; ignore that. You may also see your machine’s recovery partition if it has one; if that’s the case you may have to carry out some trial and error to get the right one.
3. The system is set to look for the default registry location C:\Windows\System32\Config, so simply press {Enter}. If it fails at this point, you selected the wrong drive/partition.
4. We want password reset so select option 1.
5. We will be editing user data and passwords, so again select option 1.
6. You will be presented with a list of the user objects that it can locate, here I want to reset the password for the ‘PeteLong’ user object so simply type in the username you want to edit.
Note: As mentioned you can see here the administrator account is disabled, if you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.
7. You can choose option 2 and type in a new password, but I’m going to blank the password by selecting option 1, then change it when I get back into the machine.
8. To step back you need to enter an exclamation mark.
9. Enter a ‘q’ to quit.
10. To write the changes you have made enter a ‘y’.
11. As long as you are happy, and have no other accounts that need changing, enter ‘n’.
12. Now remove the boot CD, and press Ctrl+Alt+Delete to reboot the machine.
13. As the user object we are dealing with was the last one that has logged on, it will select that account as soon as the computer boots, and now it has a blank password it will automatically log on.
14. To change the password, press Ctrl+I > Change PC settings.
15. Users > Create a password.
16. Type and confirm your new password, and enter a password hint > Next.
17. Log off the account and test the new password.
Related Articles, References, Credits, or External Links
I was trying to demote a domain controller yesterday morning, it was a 2008 R2 Domain controller, (in fact it was SBS 2011). I’d already added a nice new Server 2016 Domain Controller to the domain, and transferred all the FSMO roles, so I was surprised when I tried to gracefully demote the old DC and got this;
You did not indicate that this Active Directory domain controller is the last domain controller for the domain {domain-name}. However, no other Active Directory domain controllers for that domain can be contacted.
Do you want to proceed anyway?
If you click Yes, any Active Directory Domain Services changes that have been made on this domain controller will be lost.
Well, that’s a scary error, and pretty much made me cancel the demotion right away.
Solution
Well, I could ping the other domain controller, by name and by IP address, it was listed in ‘Sites and Services’, and I could replicate Active Directory? (Very strange). It was not until I ran dcdiag that I saw some warnings about ‘sysvol replication’ that steered me in the right direction.
On the ‘outgoing’ Domain Controller, run regedit, then navigate to the following location;
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > services > Netlogon > Parameters
Locate the SysvolReady value, (it’s probably set to 0 (Zero)).
Change it to 1 (one) then click OK, (this sort of ‘kicks windows up the backside’, and re-shares Sysvol with the correct permissions). Then after you have changed it, change it back to ZERO. You don’t need to restart any services, just change it, then change it back. Repeat the process on your other domain controllers. Have a coffee, then attempt to demote your Domain Controller again.
This question appeared in my inbox today, ‘Edge’ has a nasty habit of assigning itself the default PDF reader, particularly after a round of updates!
Solution
First I went and had a look at my old Experts Exchange Buddy Ramesh’s site (www.winhelponline.com) who had done the heavy lifting and worked out the registry keys;
Note: I’m only concerned with .pdf files; if you want to block .htm and/or .html files, then just repeat this process using the REG_SZ values from above;
The solution for a single machine is to create the following two registry string values;
HKEY_CURRENT_USER\Software\Classes\AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723
REG_SZ Name = NoOpenWith
REG_SZ Name = NoStaticDefaultVerb
Then set the correct file association like so;
Which is fine for one machine, but what if you have hundreds of complaining users? Then we need to employ some Group Policies. But there are a few hoops to jump through first. On your client machine, the one you have just tested the procedure on, export your file associations to an XML file. Open an administrative command window, and execute the following command;
If you take a look at the file you will see (providing you did it right) the Adobe/PDF file association.
Now copy the file to a location all your domain clients can see, in my case I’m going to drop it in the sysvol directory.
Create a new Group Policy linked to the computers you want to apply the change to, then edit it.
Navigate to;
Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer > Set default associations configuration file > Enable > put in the path to your .XML file
Save and exit the group policy, now create a SECOND POLICY linked to your USERS.
Navigate to;
User Configuration > Preferences > Windows Settings > Registry > New > Registry Item
Note: I’ve already created the registry values on the machine I’m configuring the policy on (you can export the key and import it on a domain controller to make things easier for you). Close and exit the policy editor.
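As an added example (not the article’s own code), the single-machine part of the procedure in PowerShell: create the two REG_SZ values under the Edge key quoted above, then export the default app associations with DISM and confirm the .pdf entry made it into the XML. The output path is a placeholder; the key name is the one from the article.

```powershell
# Added example, not from the original article: create the two REG_SZ values shown
# above for the current user, then export the machine's default app associations
# to an XML file for the GPO. Assumes an elevated prompt on Windows 10 with DISM.
$edgeKey = 'HKCU:\Software\Classes\AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723'  # Edge PDF handler key (from the article)
$xmlOut  = 'C:\Temp\DefaultAppAssociations.xml'                          # placeholder path

# Create the key if it is missing, then the two empty string values that hide Edge as a handler.
if (-not (Test-Path $edgeKey)) { New-Item -Path $edgeKey -Force | Out-Null }
foreach ($name in 'NoOpenWith', 'NoStaticDefaultVerb') {
    New-ItemProperty -Path $edgeKey -Name $name -PropertyType String -Value '' -Force | Out-Null
}

# Show what was written.
Get-ItemProperty -Path $edgeKey | Select-Object NoOpenWith, NoStaticDefaultVerb

# After setting the .pdf association in Settings, export all associations for the GPO.
New-Item -ItemType Directory -Path (Split-Path $xmlOut) -Force | Out-Null
dism.exe /Online "/Export-DefaultAppAssociations:$xmlOut"

# Confirm the export captured a .pdf association (it should not point at Edge).
Select-String -Path $xmlOut -Pattern 'Identifier="\.pdf"'
```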
As I’ve said UAC is a good thing, it’s there for a reason, but in this case I was logged onto a clients domain servers, with an administrative account, doing administration! Every time I tried to open regedit, Active Directory Users and Computer, or even a command line window, I was getting prompted.
Solution
Even if you have disabled UAC, there are some times when it does not properly ‘go away’. To make it stop you need to edit the following registry key;
HKLM > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System
Locate the ‘EnableLUA’ value and change it to 0 (zero).
Reboot the server; problem solved.
Related Articles, References, Credits, or External Links
Thanks to Paul Sanderson for pointing this out to me.
Microsoft have done a good job of embedding OneDrive into Windows 10. While I’ve got nothing against OneDrive, for some admins the thought of users storing data outside their networks is quite worrying. So how do you ‘un-couple’ OneDrive from Windows 10?
Seen on Windows 10, and Server 2012, when attempting to open or mount an ISO file, (even downloaded direct from Microsoft). You get the following error;
Note: This can also be seen with .VHD files.
Couldn’t Mount File
Sorry, there was a problem mounting the file.
Solution
Before you try anything else simply COPY the iso file to the root of your C: drive, and try again.
99% of the time simply copying the file to the C: drive will fix the problem, but if you’re still reading then that’s probably not the case for you? The problem is most likely that the ISO file has had the sparse attribute set.
Option 1
Download Remove Sparse > Extract the Contents and > Run the .reg file.
Now you have the option to remove Sparse on the right click menu.
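As an added example (not the article’s own code), a PowerShell check for the sparse attribute on an ISO or VHD, clearing it in place with fsutil instead of copying the file to C:\. The file path is a placeholder.

```powershell
# Added example, not from the original article: check whether an ISO (or VHD) has
# the sparse attribute that stops it mounting, and clear it in place with fsutil
# (what the "Remove Sparse" right-click option above does). Run elevated.
$image = 'C:\Temp\image.iso'   # placeholder path
$file  = Get-Item -LiteralPath $image

if (($file.Attributes -band [System.IO.FileAttributes]::SparseFile) -ne 0) {
    "$image is sparse (attributes: $($file.Attributes)); clearing the flag"
    # 'fsutil sparse setflag <file> 0' clears the flag; without the 0 it would set it.
    fsutil.exe sparse setflag $image 0
} else {
    "$image is not sparse; the mount problem lies elsewhere"
}

# Show the result as fsutil sees it.
fsutil.exe sparse queryflag $image
```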
This was driving me nuts on my Windows 7 x64 Laptop.
Log Name: System
Source: Schannel
Event ID: 36888
Task Category: None
Level: Error
User: SYSTEM
Description:
The following fatal alert was generated: 10. The internal error state is 10.
I was getting a dozen of these an hour!
Solution
This error is caused (from what I can gather) by an error in certificate negotiation: your machine is trying to initiate communications with another machine/server using a certificate and TLS, and the process is producing the error TLS1_ALERT_UNEXPECTED_MESSAGE (10).
1. If your browser is the cause of the problem, then simply open Internet Options > Advanced > untick all the TLS options > Apply.
2. However this DID NOT WORK for me, so something is programmatically chatting from my laptop using TLS. The bottom line is, this problem is probably not even on your machine, so I’m simply going to disable SCHANNEL logging.
Note: If your error does NOT say “The following fatal alert was generated: 10. The internal error state is 10”, then I would suggest NOT doing this.
3. In the Search/Run box type regedit and navigate to the following key;
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > SecurityProviders > SCHANNEL
Change the EventLogging value from 1 to 0 (that’s a zero).
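As an added example (not the article’s own code), a PowerShell check that confirms the events really are the alert 10 / internal error state 10 variety the note above describes and how often they occur, and only then sets EventLogging to 0, recording the old value so it can be put back.

```powershell
# Added example, not from the original article: confirm the 36888 events match the
# note above (alert 10 / internal error state 10) and how often they occur before
# turning SCHANNEL logging off, and keep the old value so it can be restored.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$since = (Get-Date).AddHours(-24)

# All Schannel 36888 events from the System log in the last 24 hours.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Only those with the exact text the article's note requires.
$alert10 = $events | Where-Object {
    $_.Message -match 'fatal alert was generated: 10\.' -and $_.Message -match 'internal error state is 10'
}
"36888 events in the last 24h: $($events.Count); alert 10 / state 10: $($alert10.Count)"

# Rate per hour, to compare with the 'dozen an hour' described above.
$events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize

# Only silence the logging when every event is the variety the article covers.
if ($events.Count -gt 0 -and $alert10.Count -eq $events.Count) {
    $old = (Get-ItemProperty -Path $key -Name EventLogging).EventLogging
    "EventLogging was $old; setting 0. Restore with: Set-ItemProperty -Path '$key' -Name EventLogging -Value $old"
    Set-ItemProperty -Path $key -Name EventLogging -Value 0 -Type DWord
} else {
    'Mixed or no Schannel events found: leaving EventLogging unchanged'
}
```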