Install .Net 2.0 on Server 2019 & 2016

KB ID 0001506

Problem

.Net2, man that’s old! Well, I was setting up PowerCLI for VMware today and was faced with this;

.Net Framework 2.0 is not installed on this machine. Please download and install .Net Framework 2.0 before installing VMware PowerCLI.

Solution

Pop in the Server 2019/2016 DVD (or present the ISO if it’s a VM), then execute the following commands (Note: It’s installed with .Net 3);

[box]

dism /online /enable-feature /featurename:NetFx3ServerFeatures /Source:D:\sources\sxs
dism /online /enable-feature /featurename:NetFx3 /Source:D:\sources\sxs

[/box]

Note: This assumes your CD/DVD Drive letter is D.

Related Articles, References, Credits, or External Links

NA

Print Migrator Error ‘WARNING: Kernel Mode drivers (version 2) are blocked on the target machine’

KB ID 0000811 

Problem

I really like Print Migrator, it makes a time-consuming, laborious task really easy. It’s so good Microsoft don’t use/support it any more (after Server 2003). So this week, when I was migrating printers from an SBS 2003 server to a client’s 2003 CRM server, I was really happy, and dragged out PrintMig.

Download Print Migrator 3.1

However when trying to restore the printers on the target server this popped up;

Kernel Drivers Blocked
Warning: Kernel Mode Drivers (version 2) are blocked on the target machine. Disable Kernel Mode driver blocking and re-run Printer Migrator. Ignoring this warning (Cancel button) will result in driver installation, but because they are kernel mode drivers – a serious problem with any dependent print queue could potentially bring down the system. Selecting OK will result in a restore termination.

Solution

Option 1 via GPO

1. A quick internet search told me to disable the policy within the server’s local policy, but Computer Configuration > Administrative Templates > Printers didn’t exist, so I did it in the default domain policy.

[box]

Computer Configuration > Administrative Templates > Printers >
Disallow installation of printers using kernel-mode drivers

[/box]

Set the policy to Disabled > Apply > OK > Close the policy editor.

2. Now on the target server run the following command and try again;

[box]
gpupdate /force
[/box]

Option 2 via the Registry

1. On the target server > Start > Run > Regedit {Enter} > Navigate to;

[box]
HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > windows NT
[/box]

If there is no sub-key called Printers > Create one.

2. Within the Printers Key create a new DWORD called KMPrintersAreBlocked and set its value to 1.

3. Run the PrintMig restore process again.

Related Articles, References, Credits, or External Links

NA

Why Securing Your VPN Solution With Computer Certificates ‘Only’ Is A BAD Idea

KB ID 0001055 

Problem

After a large AnyConnect 4 roll-out, I had the following conversation with a client;

Client: Can we change the way the clients authenticate?
Me: Yes, no problem, what do you need?
Client: Well instead of user based certificate authentication, we want to use computer certificates only.
Me: Really, why?
Client: So when we roll out a lot of imaged new machines we don’t need to get the users to log onto them and get a user certificate before they can be deployed.
Me: If we can, and a user exports the cert onto another device, that device will be able to connect as well.

I then pondered on just how difficult this would be to do. I had a fully working (certificate based) VPN solution running on the bench that I’d used to ‘proof of concept’ the client’s requirements. Why don’t I attempt to compromise that for educational purposes 🙂

Disclaimer: As stated, this post is for educational purposes only, not so you can get a free VPN or Wireless connections.

Solution

1. By default, computer certs issued by Microsoft Certificate Services have their private key marked as ‘non exportable’ to stop people doing things like this. But just because Windows won’t let you do this does not mean you can’t do it. Here I’m using Mimikatz 2.0 to handle that.

[box]privilege::debug[/box]

[box]crypto::cng[/box]

[box]crypto::capi[/box]

[box]crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:MY /export[/box]

2. All being well you should see something like this.

3. All your computer certs (in this case I only have one so I don’t have to hunt through them) will be in the Mimikatz directory.

4. Import the certificate on a machine that does not have one. (Or an iPad, phone, tablet, Mac, Linux box etc.)

5. Connect without error on the new machine.

The moral of the story is, where possible don’t rely on computer certificates on their own, couple them with user-names/passwords or two factor authentication.
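One way to spot the situation described above from the VPN head-end's side, as an added example that is not part of the original article: group certificate-authenticated sessions by certificate serial and flag any serial presented by more than one device. The log format, field names (`cert_serial`, `device_id`, `platform`, `src_ip`) and sample lines are constructed for illustration; map them to whatever endpoint identifier your own head-end records.

```python
from collections import defaultdict

# Constructed sample records (not real head-end output): one line per
# successful certificate-authenticated VPN session, as key=value pairs.
SAMPLE_LOG = """\
2024-05-01T08:00:11Z cert_serial=4A00000012 cert_cn=PC-001.corp.example device_id=HW-AAA1 platform=win src_ip=198.51.100.10
2024-05-01T08:05:42Z cert_serial=4A00000013 cert_cn=PC-002.corp.example device_id=HW-BBB2 platform=win src_ip=198.51.100.22
2024-05-01T09:30:05Z cert_serial=4A00000012 cert_cn=PC-001.corp.example device_id=HW-AAA1 platform=win src_ip=203.0.113.7
2024-05-01T21:14:37Z cert_serial=4A00000012 cert_cn=PC-001.corp.example device_id=HW-ZZZ9 platform=ios src_ip=192.0.2.55
"""


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; return None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    record = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:  # ignore tokens that are not key=value
            record[key] = value
    return record


def find_shared_certs(log_text):
    """Return {cert_serial: sorted [(device_id, platform)]} for every
    certificate presented by more than one distinct device.

    A changed source IP alone is not flagged: a laptop legitimately roams
    between networks, but one computer cert should map to one device."""
    devices = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Skip records that lack either field rather than guessing a value.
        if rec and "cert_serial" in rec and "device_id" in rec:
            devices[rec["cert_serial"]].add(
                (rec["device_id"], rec.get("platform", "unknown")))
    return {s: sorted(seen) for s, seen in devices.items() if len(seen) > 1}


if __name__ == "__main__":
    for serial, seen in find_shared_certs(SAMPLE_LOG).items():
        print(f"ALERT cert {serial} presented by {len(seen)} devices: {seen}")
```

A hit means the certificate should be revoked and reissued, which is the same reason the article recommends pairing computer certificates with a second factor.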

 

Related Articles, References, Credits, or External Links

NA

Installing Exchange 2010 on Server 2012

KB ID 0000785 

Problem

With the release of Exchange 2010 Service Pack 3, Exchange 2010 is now supported on Windows Server 2012, but as there (at time of writing) is no media with SP3 slipstreamed into it, installing the product on Windows Server 2012 is a little problematic.

If you got here because you have tried and have got an error, follow the procedure below and you should have the product installed and running without any further problems.

To see the possible errors jump to the end.

Solution

1. If you have Exchange 2010 already deployed on the servers, I would suggest you get all these upgraded to Service Pack 3 before you start.

2. Install the Office 2010 Filter Pack, and the Office 2010 Filter Pack Service Pack 1.

3. Issue the following PowerShell Command;

[box]
Add-WindowsFeature Web-WMI,Web-Asp-Net,Web-ISAPI-Filter,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-Request-Monitor,Web-Static-Content,NET-WCF-HTTP-Activation45,Web-Security,Web-Windows-Auth,Web-Digest-Auth,NET-HTTP-Activation,Web-Basic-Auth,Web-Lgcy-Mgmt-Console,Web-Dyn-Compression,Web-Stat-Compression,RPC-over-HTTP-Proxy,RSAT-ADDS
[/box]

Note: Don’t panic if it appears to hang at 68% for a while!

4. Download this zip file, it contains a .reg file, run it and merge those files into the registry of the 2012 server.

5. Insert the Exchange 2010 DVD, or run setup.exe from the extracted Exchange 2010 install media.

Note: I’m using Exchange 2010 with SP1 included (because it’s the newest one I can download, and a version with SP2 or SP3 included is not yet available).

6. MAKE SURE, you DO NOT have the ‘Automatically install Windows Server roles and features required for Exchange Server’ option selected or you will see this error.

7. When complete, install Service Pack 3.

Errors You May See If You Don’t Follow This Procedure

Error 1.
Error:
The following error was generated when "$error.Clear();
if($RoleInstallWindowsComponents)
{
# Install any Windows Roles or Features required for the Management Tools role
Install-WindowsComponent -ShortNameForRole "AdminTools" -ADToolsNeeded $RoleADToolsNeeded
}
" was run: "The system cannot find the file specified".
The system cannot find the file specified

You see this error if you left ‘Automatically install Windows Server roles and features required for Exchange Server’ ticked. Simply click back, untick this box, then try again.

Error 2

Mailbox Role
Failed

Error:
The following error was generated when "$error.Clear();
$wevtutil= join-path (join-path $env:SystemRoot system32) wevtutil.exe;
$manifestPath = [System.IO.Path]::Combine($RoleInstallPath, "Scripts\TSCrimsonManifest.man");
Start-SetupProcess -Name:"$wevtutil" -Args:"im `"$manifestPath`" "
" was run: "Process execution failed with exit code 15010.".
Process execution failed with exit code 15010.

Download this zip file, it contains a .reg file, run it and merge those files into the registry of the 2012 server. Then run the setup again.

Known Problem Opening Exchange Management Console

(19/06/13) Update from reader Jeremy Krautkramer.

You may find that on Server 2012 (and Windows 8) you can launch the Exchange Management Console, but are unable to expand any of the objects in the left hand pane.

Jeremy fixed it by dropping to command line and running the following three commands;

[box]set __COMPAT_LAYER=RUNASINVOKER
set COMPLUS_Version=v2.0.50727
"C:\Program Files\Microsoft\Exchange Server\V14\Bin\Exchange Management Console.msc"[/box]

Note: Change the drive letter and path to match your own server.

Why does this happen? The Exchange 2010 Exchange Management Console was built with CLR (Common Language Runtime) version 2.0. Windows 2012/8 by default runs its MMC snap-ins with CLR version 4.0.

Related Articles, References, Credits, or External Links

Original article written: 14/03/13

Thanks to Jeremy Krautkramer for his feedback.