Categories
Server 2016 Windows 10

Enable Remote Powershell between two non domain or workgroup systems

I needed to enable remote PS ability between my workstation, Windows 10, and my server core installation, Server 2016. Found this article and it worked great.

 

http://www.paulligocki.com/how-to-setup-winrm-in-a-workgroup-non-domain-environment/

Categories
SCVMM Server 2012

Adding a Library Server in SCVMM 2012 R2 ends in no jobs

So I installed System Center Virtual Machine Manager 2012 R2 to do some playing around with it on the network that I share, via an IPSEC tunnel, with my friend. I installed at his location and tried to bring up a new Library Server in my location. Ran through the wizard, added the SCVMM service account as a run as account, chose the server and the share and up pops the job frame but the only job there is the creation of run as account job. No error, nothing. Ran it a couple more times, changing permissions on the share to see if that was it and nothing. No jobs at all after finishing the wizard.

So off to Google I go, search for 20 mins and finally found this article from System Center Central. It seems that even though the library created on install uses the SCVMM service account, you cannot use the same account to add additional libraries. Would have been nice for MS to have this error pop up or at least give us an easy way to know what the issue was.

Hope this helps!

Categories
Server 2012 Windows 8

Windows Server 2012 and Windows 8 Component Store

So a few times now I’ve come across a system that had a corrupted component store, usually by trying to run SFC /ScanNow and failing, whether it be by power loss, hard drive crash or other. I’ve found some good commands on how to attempt to repair the component store and thought I would put them here so I could find them easily.

First is how to manage and clean up your component store:

Dism.exe /Online /Cleanup-Image /AnalyzeComponentStore
Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
Dism.exe /online /Cleanup-Image /SPSuperseded

The first command analyzes your store and tells you if a cleanup is needed, the second command does the cleanup (/ResetBase blocks the uninstallation of all SP’s and updates), and the third command removes all updates that are superseded by the latest installed SP.

Now to scan and repair the component store:

Dism /Online /Cleanup-Image /CheckHealth
Dism /Online /Cleanup-Image /ScanHealth
Dism /Online /Cleanup-Image /RestoreHealth

CheckHealth checks to see if a corruption marker already exists in the store, ScanHealth scans the store for corruption and RestoreHealth TRIES to fix the corruption.

Eightforums has great write ups on these commands and I recommend looking at them for more information:

DISM – Fixing Component Store Corruption in Windows 8

WinSxS Folder (Component Store) – Analyze in Windows 8.1

WinSxS Folder (Component Store) – Clean Up in Windows 8.1

Categories
Uncategorized

Java error connecting to Juniper VPN

So had a weird issue with connecting to my work’s Juniper VPN after getting a new laptop. Seems that our version of Juniper VPN head end doesn’t like IE 11 so I had to turn on compatibility view for it to work. So if you use a Juniper VPN head end and get the below error, try turning on compatibility mode and see if it works.

[Screenshot of the error message: 3-3-2014 4-34-09 PM]

Categories
Lync

Lync 2013 installs

So I’ve played around with Lync 2013 in my home lab. I previously had it installed and running internally but due to lack of resources, yes I need more hardware, I removed it from my lab. Well, with LogMeIn now not offering a free service, my friend and I decided to relook at Lync and see if we can get it working externally also and leverage screen sharing. During the reinstall I found a couple of issues/shortcuts that I want to keep track of.

First, installing the pre-requisite roles and features for a Lync 2013 Standard install on Server 2012. I found this nice PowerShell command line that will install the roles and features that are needed:

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Windows-Identity-Foundation, Telnet-Client, BITS -Source D:\sources\sxs

Next was an error when trying to publish the topology. Looks like I didn’t correctly decommission the Central Management store from the original implementation so I had to clear it out by running this PowerShell command:

Remove-CsConfigurationStoreLocation

Followed by an error on the lync share when installing the server. I had to add the following groups to the SHARE permissions with full control:

RTCHSUniversalServices
RTCComponentUniversalServices
RTCUniversalServerAdmins
RTCUniversalConfigReplicator

And then there was the certificate issue. I ran through the setup, requested and assigned the certificates but it wouldn’t let me continue, stating that not all certificate usages were assigned. Well I did the old windows 3 finger salute and restarted the server and voilà, no more error message.

Now onto the Edge server which installed with no issues but it seems that I can’t use it for external connectivity without purchasing a UC SSL cert which runs over $200/yr. That’s a kick in the head right there so basically no external Lync access. 🙁

Categories
Windows 7

Error accessing Certsrv site from 2008 server to 2003 CA

So we recently had to request a certificate from a Windows 2008 R2 Server from our internal Windows 2003 Enterprise Certificate Authority. When we hit the https://server/certsrv site we got this error:

 

Microsoft Active Directory Certificate Services  —   
Error
The certificate enrollment page you are attempting to access cannot be used with this version of Windows. To enable Web certificate enrollment for clients running Windows Vista, your administrator must update all Windows CA Web enrollment pages. To learn more about this issue and the steps needed to update Web enrollment pages to support all versions of Windows, see:
http://support.microsoft.com/kb/922706

 

Well after doing some searching, http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=53, I found that you need to do some uninstalling and re-installing of patches for the CA server.

Here are the steps to get it working:

To work around this issue you must follow the steps described below:

  1. Uninstall KB2518295 from Add or Remove Programs applet.
    Note: by default security updates are not shown in Add or Remove Programs applet. Mark Show Updates check-box.
  2. Install KB922706 update. Use the links below to download appropriate update:
    Download link for Windows Server 2003 x86
    Download link for Windows Server 2003 x64
  3. Install MS11-051 security patch. Use the links below to download appropriate update:
    Download link for Windows Server 2003 x86
    Download link for Windows Server 2003 x64

After update installation you may need to restart web site that serves enrollment web pages. To do that, do the following:

  1. In the Start –> Administrative Tools select Internet Information Services (IIS) Manager.
  2. In the opened console, expand Computer Name\Web Sites node.
  3. Select Default Web Site entry.
  4. In the Actions menu, select Stop and then click Start from the Actions menu.
Categories
Active Directory

Cleaning up AD DN’s

Ok, I often have to extract an attribute from AD that returns objects in a DN format. Then I have to clean it up to only get the CN of the object and I re-create what I do every time so I figured I’d post it here so I don’t forget 🙂

So you have a list of DN’s, here’s how to clean it up.

  1. Paste the list into Excel
  2. Do a search/replace on CN= and replace with blank
  3. Punch this formula into an adjacent cell and expand down, "=LEFT(A1,(FIND(",",A1)-1))". This will return all the characters to the left of the first ","
  4. You now have a list of only the CN’s from the full DN 

I hope this helps 🙂
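The Excel formula above cuts at the first comma, so a CN that contains an escaped comma (for example `CN=Smith\, John,...`) comes out truncated. The following is an added example, not part of the original post: a Python version of the same cleanup that splits only on an unescaped comma and undoes RFC 4514 style escapes. The sample DNs are constructed, and multi-valued RDNs joined with `+` are assumed not to occur.

```python
import string

def first_rdn(dn):
    """Return the leading RDN, cutting at the first comma that is not escaped."""
    escaped = False
    for i, ch in enumerate(dn):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            return dn[:i]
    return dn

def unescape(value):
    """Undo DN escaping: '\\,' style pairs and '\\C3\\A9' style UTF-8 hex bytes."""
    out = bytearray()
    i = 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] != "\\" or not pair:
            out += value[i].encode("utf-8")
            i += 1
        elif len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out += pair[0].encode("utf-8")
            i += 2
    return out.decode("utf-8", errors="replace")

def cn_from_dn(dn):
    """Return the CN of a DN, or None when the first RDN is not a CN."""
    attr, sep, value = first_rdn(dn.strip()).partition("=")
    if not sep or attr.strip().upper() != "CN":
        return None
    return unescape(value)

# Constructed sample DNs (not from the original post).
SAMPLES = [
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "CN=Smith\\, John,OU=Staff,DC=example,DC=com",
    "CN=Ren\\C3\\A9 Dupont,OU=Staff,DC=example,DC=com",
    "OU=Staff,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(repr(cn_from_dn(dn)))
```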

Categories
Windows 7

How to Enable Remote Desktop Remotely using PSEXEC

If you’re like me, you’ve probably tried to connect to a remote Windows system and found that the "Allow Remote Connections" setting is disabled. Well I found this great little article, Ben O’Sullivan’s Blog, that will allow you to enable it remotely. 

 

 

  • Download and install PSExec. This is an official tool from Microsoft to emulate a remote command prompt. 
  • Enter the following command to enable remote desktop in cmd
    psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
  • Enter these commands to enable RDP traffic through the windows firewall
    psexec \\remotecomputername netsh firewall set service remoteadmin enable
    psexec \\remotecomputername netsh firewall set service remotedesktop enable


Categories
Google Maps

BlackBerry Google Maps app continuously prompts for permission change

I recently deployed version 4.2 of Google Maps via our BES infrastructure in order to support BlackBerry Device version 5. As soon as it was deployed we got the prompt stating that Google Maps is requesting a permissions change.

We went through, looked at all the application permissions and they were all set to allow. But Google Maps still wanted to change permissions. The application still ran fine if we chose the option to "Proceed Anyways" but on startup the app would ask for permission change again.

I found the answer after going through every one of our IT Policies one by one. 

It seems that the "Allow Third Party Apps to Use Serial Port" IT Policy must be set to default or Allow in order for the Google Map application to work without constant prompting to change permissions.
 
The question still remains: why does Google Maps need to use the Serial Port, IrDA or USB ports? Previous versions were OK with this setting being set to no and this has recently changed with Version 4.x.
Categories
Linux

Linux Failed Attempt Account Lockout (Time Based)

Append the following options to the pam_tally.so line:

onerr=fail deny=5 unlock_time=1800

Relevant entries (the pam_tally.so lines) in /etc/pam.d/system-auth:

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail deny=5 unlock_time=1800
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
account     required      /lib/security/$ISA/pam_tally.so
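Rule order matters in this stack: if the pam_tally.so auth rule is moved below a `sufficient` module, it is skipped whenever that module succeeds. The following is an added example, not part of the original post: a Python check that compares a PAM stack against the layout shown above. The `BROKEN` sample is a constructed, mis-ordered variant, and the function names are hypothetical.

```python
# Constructed sample: a mis-ordered variant of the stack in the post.
BROKEN = """\
auth     required    /lib/security/$ISA/pam_env.so
auth     sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth     required    /lib/security/$ISA/pam_tally.so onerr=fail deny=5
auth     required    /lib/security/$ISA/pam_deny.so
account  required    /lib/security/$ISA/pam_unix.so
"""

def parse_stack(text):
    """Return (type, control, module, options) tuples for each rule line.
    Assumes single-word controls (required, sufficient, ...), as in the post."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        options = dict(f.partition("=")[::2] for f in fields[3:])
        rules.append((fields[0], fields[1], fields[2].rsplit("/", 1)[-1], options))
    return rules

def audit_lockout(text, module="pam_tally.so"):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    rules = parse_stack(text)
    auth = [r for r in rules if r[0] == "auth"]
    pos = next((i for i, r in enumerate(auth) if r[2] == module), None)
    if pos is None:
        findings.append(f"no auth rule for {module}")
    else:
        options = auth[pos][3]
        if not options.get("deny", "").isdigit() or int(options["deny"]) < 1:
            findings.append("deny= missing or not a positive number")
        if "unlock_time" not in options:
            findings.append("unlock_time= missing: lock persists until manually reset")
        # A successful 'sufficient' module ends the auth stack at once, so a
        # tally rule placed after it is not consulted for a correct password.
        if any(r[1] == "sufficient" for r in auth[:pos]):
            findings.append(f"{module} auth rule follows a 'sufficient' module")
    if not any(r[0] == "account" and r[2] == module for r in rules):
        findings.append(f"no account rule for {module}")
    return findings

if __name__ == "__main__":
    for finding in audit_lockout(BROKEN):
        print("FINDING:", finding)
```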