I have a wide scope of interests in IT, which includes hyper-v private cloud, remote desktop services, server clustering, PKI, network security, routing & switching, enterprise network management, MPLS VPN on enterprise network etc. Started this blog for my quick reference and to share technical knowledge with our team members.
Wednesday, September 18, 2013
Some excellent demos and examples of System Center 2012
Excellent video demo of how to automate the tasks to fulfil a self-help user service request:
http://blogs.technet.com/b/privatecloud/archive/2013/03/24/automation-orchestrating-service-manager-orchestrating-orchestrator.aspx
A comprehensive blog post on how to trigger an Orchestrator runbook based on alerts from Operations Manager:
http://social.technet.microsoft.com/wiki/contents/articles/12602.system-center-operations-manager-incident-remediation-with-system-center-orchestrator.aspx
Excellent detailed step-by-step example of Application Performance Monitoring (APM) in SCOM 2012:
http://kevingreeneitblog.blogspot.sg/2012/07/scom-2012-apm-consoles-part-1.html
Labels:
system center 2012
Monday, September 16, 2013
Cert template of Issuing CA must be updated on Account Forest
Previously we ran a successful trial of cross-forest certificate enrollment with a two-way forest trust in place: the user objects live in the Account Forest and the PKI / CA servers in the Resource Forest. I created a new certificate template, published it on the enterprise CA and synced the new template to the account forest with the PKISync.ps1 script. Users were still unable to enroll for the new certificate even though I had made sure the necessary permissions were granted. A manual enrollment attempt returned the following error:
A valid certification authority (CA) configured to issue certificates based on this template cannot be located...
The new template in this case was "TestingDoNoEnroll". It looked as though the enrollment clients could not locate a CA that issues it. On a domain controller in the account forest I opened the "AD Sites and Services" console with "View / Show Services Node" enabled, expanded "Services / Public Key Services / Enrollment Services" and checked the object that represents the issuing CA of the resource forest.
Double-clicking the object and selecting "Attribute Editor / certificateTemplates" showed that the new template was missing from the list, which explains why no CA could be found for it. After adding the template name to the attribute, enrollment worked as expected. The root cause is that PKISync.ps1 makes a one-off copy of the CA (pKIEnrollmentService) object: a template published on the CA after the sync is not reflected in the account forest until the CA object is synced again or the attribute is edited by hand as above.
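The check described above, automated: an added example (not part of the original post) that reads the certificateTemplates attribute of the CA's Enrollment Services object in the resource forest, compares it with the synced copy in the account forest, and adds whatever is missing. The forest DC names and the CA name are assumptions; the template itself must already have been synced to the account forest.

```powershell
# Added example, not from the original post. Forest DC names and the CA
# common name are assumptions for illustration.
Import-Module ActiveDirectory

$resourceDC = 'dc1.resource.example'   # DC in the forest that hosts the CA
$accountDC  = 'dc1.account.example'    # DC in the forest that hosts the users
$caName     = 'Resource-Issuing-CA'    # CN of the CA object under Enrollment Services

function Get-CaEnrollmentObject {
    param([string]$Server, [string]$CaName)
    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -Server $Server -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CaName))" `
        -Properties certificateTemplates, dNSHostName
}

$src = Get-CaEnrollmentObject -Server $resourceDC -CaName $caName
$dst = Get-CaEnrollmentObject -Server $accountDC  -CaName $caName
if (-not $src -or -not $dst) { throw "CA object '$caName' not found in one of the forests" }

# Templates the CA really publishes but which the account-forest copy does not list
$missing = @($src.certificateTemplates) |
    Where-Object { $dst.certificateTemplates -notcontains $_ }

if ($missing) {
    "Adding to $($dst.DistinguishedName): $($missing -join ', ')"
    # Needs write access to the Configuration partition of the account forest
    Set-ADObject -Server $accountDC -Identity $dst.DistinguishedName `
        -Add @{ certificateTemplates = $missing }
} else {
    'Account forest copy is already up to date'
}

# Verify: what the CA itself reports, and what a client in the account forest now sees
certutil -config "$($src.dNSHostName)\$caName" -CATemplates
(Get-CaEnrollmentObject -Server $accountDC -CaName $caName).certificateTemplates
```

Run it with an account that can write to the Configuration container of the account forest. The same result can be had by re-running PKISync.ps1 for the CA object after every template publication; the script above is only a targeted check and fix for the one attribute that drifted.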
Monday, September 2, 2013
How to enable Remote Desktop remotely using Powershell
In Windows Server 2012, remote management (WinRM) is enabled by default but Remote Desktop is not. To enable RDP on a server, add the target server to Server Manager and open a remote PowerShell console to it (or use Enter-PSSession).
On the remote PowerShell console, enable Remote Desktop and the firewall rules with the following cmdlets:
1) Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
2) Allow incoming RDP on firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
3) Require Network Level Authentication (NLA), so that a client must authenticate before a session is created. Do this before opening the firewall, so the server is never reachable with NLA off.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
Refer to "Windows 2012 Core Survival Guide – Remote Desktop" for more information.
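The three steps above as one script, run from the management host over WinRM: an added example (not from the original post) that switches NLA on first, then allows connections, then opens the firewall but only for a management subnet, and finally reports the resulting state. The server name and subnet are assumptions.

```powershell
# Added example, not from the original post. Server name and management
# subnet are assumptions for illustration.
$server  = 'srv01.corp.example'
$mgmtNet = '10.10.0.0/24'     # only hosts in this range may reach TCP 3389

Invoke-Command -ComputerName $server -ArgumentList $mgmtNet -ScriptBlock {
    param($mgmtNet)
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # 1) Require Network Level Authentication while the port is still closed
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1

    # 2) Allow RDP connections
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0

    # 3) Open the firewall, scoped to the management subnet instead of "Any"
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $mgmtNet
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # Report what the server now has configured
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop'
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        DenyTSConnections = (Get-ItemProperty -Path $ts).fDenyTSConnections     # expect 0
        NLA               = (Get-ItemProperty -Path $tcp).UserAuthentication    # expect 1
        FirewallEnabled   = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
        RemoteAddress     = ($rules | Get-NetFirewallAddressFilter |
                             Select-Object -First 1).RemoteAddress
    }
}

# Confirm from the management host that TCP 3389 answers now
$client = New-Object System.Net.Sockets.TcpClient
try   { $client.Connect($server, 3389); "TCP 3389 open on $server" }
finally { $client.Close() }
```

The port check must be run from a host inside the management subnet; from anywhere else the connection is expected to fail once the rule is scoped.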
Monday, July 29, 2013
You have been logged on with a temporary profile
This is annoying. My domain-joined Windows 7 machine kept showing this message at every logon, and nothing I saved to the profile survived a logoff.
In Event Viewer, the User Profile Service logged two errors at each logon: Event 1511 ("Windows cannot find the local profile and is logging you on with a temporary profile") and Event 1515 ("Windows has backed up this user profile").
Initially I thought my roaming profile was corrupted, but rebuilding the profile did not solve the problem. The same errors kept appearing until I found the Microsoft KB article on this symptom, which points at the profile entries under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Each subkey is named after a user SID; when Windows gives up on a profile it renames the key with a .bak suffix, and the documented fix is to remove or rename that SID.bak key. Instead of removing only the SID.bak keys, I removed all of the user SID keys (the S-1-5-18, S-1-5-19 and S-1-5-20 keys belong to SYSTEM, LOCAL SERVICE and NETWORK SERVICE and must stay). In effect this forces a rebuild of every local user profile from the central user profiles on the network share. For any user with a local-only (non-roaming) profile the old folder stays under C:\Users and Windows creates a fresh profile folder at the next logon, so check what the ProfileImagePath values point at before deleting.
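The inspection and clean-up above as a script: an added example (not from the original post) that lists the ProfileList entries with the account each SID resolves to, flags the .bak keys that Events 1511/1515 point at, exports each key with reg.exe before deleting it, and leaves the service-account SIDs alone. By default it removes only the .bak keys, as the KB article does; the -IncludeAll switch reproduces what the post did. Run it elevated on the affected machine.

```powershell
# Added example, not from the original post. Run in an elevated session.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $p    = Get-ItemProperty -Path $_.PSPath
        $sid  = $_.PSChildName -replace '\.bak$', ''
        $acct = '<unresolved>'
        try {
            $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Key      = $_.PSChildName
            IsBackup = $_.PSChildName -like '*.bak'   # the key Event 1515 refers to
            Account  = $acct
            Path     = $p.ProfileImagePath
            State    = $p.State
        }
    }
}

function Remove-ProfileListEntry {
    param([switch]$IncludeAll)   # default: only ".bak" keys, as the KB article does
    $entries = Get-ProfileListEntry |
        Where-Object { $IncludeAll -or $_.IsBackup } |
        Where-Object { $_.Account -notmatch '^NT AUTHORITY\\' }   # keep S-1-5-18/19/20
    foreach ($e in $entries) {
        $backup = Join-Path $env:TEMP "ProfileList-$($e.Key).reg"
        # Export first so the key can be restored with "reg import" if needed
        reg.exe export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$($e.Key)" $backup /y | Out-Null
        Remove-Item -Path (Join-Path $profileList $e.Key) -Recurse
        "Removed $($e.Key) ($($e.Account)); backup at $backup"
    }
}

Get-ProfileListEntry | Format-Table -AutoSize
# Remove-ProfileListEntry               # documented fix: drop only the .bak keys
# Remove-ProfileListEntry -IncludeAll   # what the post did: rebuild every user profile
```

Look at the Path column first: a Path under C:\Users for an account that has no roaming profile means that user's data will be left behind in the old folder after the key is removed.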
Labels:
roaming user profile
Wednesday, July 24, 2013
Delegate Certificate Template Management
By default only Domain Admins (of the forest root domain) and Enterprise Admins are able to create and manage certificate templates, because the templates live in the Configuration partition of Active Directory. To delegate this to another group (e.g. CA admins), follow this guide on Allowing the Creation and Modification of any Certificate Template. Treat the delegated group as highly privileged: whoever can edit templates can create one that issues certificates usable for authentication to any subject name they choose.
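The delegation as a script: an added example (not from the original post or the linked guide) that grants a group Full Control on the Certificate Templates container and on the OID container in the Configuration partition through the AD: drive, then lists the resulting ACEs. The group name is an assumption; run it as an Enterprise Admin.

```powershell
# Added example, not from the original post. The group name is an assumption.
Import-Module ActiveDirectory

$group    = Get-ADGroup -Identity 'CA Admins'
$configNC = (Get-ADRootDSE).configurationNamingContext

# New templates are created under the first container; each template also
# registers its own OID object under the second, so both need the right.
$containers = @(
    "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC",
    "CN=OID,CN=Public Key Services,CN=Services,$configNC"
)

foreach ($dn in $containers) {
    $acl  = Get-Acl -Path "AD:\$dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.SecurityIdentifier]$group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Check: show the ACEs the group now holds on each container
foreach ($dn in $containers) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$($group.Name)" } |
        Select-Object @{ n = 'Container'; e = { $dn } },
                      ActiveDirectoryRights, InheritanceType, AccessControlType
}
```

Because the ACE is set with inheritance All, it also flows to the existing template and OID objects below the containers, which is what lets the group modify templates that already exist.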
Thursday, July 18, 2013
Cert Template MMC Crashed on WS2012 whenever Key Archival was enabled
The Certificate Templates MMC (CertTmpl.msc) on WS2012 crashed whenever the key archival check-box ("Archive subject's encryption private key" on the Request Handling tab of a template) was selected.
A support case was raised with Microsoft Premier Support, which had the crash captured with the TTTrace.exe debugging tool. Eventually the support team replied that the crash was caused by a recently added CA server that returned no certificate template information, because nothing had been published on it yet. Indeed, after I published a certificate template on that CA the crash was gone.
Workaround
No fix or hotfix was provided. Instead the support team acknowledged it as a bug to be fixed in the next Windows version, on the following grounds:
- Low impact of this bug
- Easy workaround by adding an unused cert template on the CA server
- Any code change could potentially bring wider implication to world-wide customers
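A check for the trigger condition, and the workaround applied to it: an added example (not from the original post) that enumerates every enterprise CA registered under Enrollment Services, reports how many templates each one publishes, and publishes a placeholder template on any CA that publishes none. The placeholder template name is an assumption; pick a template whose Enroll permission is granted to nobody, so publishing it exposes nothing.

```powershell
# Added example, not from the original post. The placeholder template name is
# an assumption; it should be a template nobody is allowed to enroll for.
Import-Module ActiveDirectory
$placeholder = 'Placeholder-DoNotEnroll'

$configNC = (Get-ADRootDSE).configurationNamingContext
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
        -SearchScope OneLevel -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties certificateTemplates, dNSHostName

foreach ($ca in $cas) {
    $count = @($ca.certificateTemplates).Count
    '{0,-30} {1,-35} templates published: {2}' -f $ca.Name, $ca.dNSHostName, $count
    if ($count -eq 0) {
        # A CA with nothing published is the case that made CertTmpl.msc crash.
        # certutil -SetCATemplates updates the CA and its AD object together.
        certutil -config "$($ca.dNSHostName)\$($ca.Name)" -SetCATemplates "+$placeholder"
    }
}
```

Run it as a CA administrator; re-run after adding any new CA to the forest, since that is exactly when a CA with an empty template list appears.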
Tuesday, July 16, 2013
Nice Random Password Generator
A nice random password generator for AD user account creation or reset. It's a PowerShell script (Get-RandomString.ps1) available on Generating Random Passwords in PowerShell.
If you need to reset the password of an AD user account, there is another script (AD_Password_reset_v1.0.ps1) that uses this random password generator.
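A self-contained alternative, added here and not taken from either of the linked scripts: it draws the password from the OS cryptographic RNG rather than Get-Random (which is backed by System.Random and is predictable), avoids modulo bias, retries until the result satisfies the usual AD complexity rule, and uses it to reset an account with a forced change at next logon. The user name is an assumption.

```powershell
# Added example, not from the original post or the scripts it links to.
# The user name at the bottom is an assumption.
Import-Module ActiveDirectory

function New-RandomPassword {
    param(
        [int]$Length = 16,
        # No I/l/O/0/1 so the password survives being read out over the phone
        [string]$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    )
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $chars = $Alphabet.ToCharArray()
    # Largest multiple of the alphabet size below 256; bytes at or above it are
    # discarded so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $chars.Length)
    $buf   = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
        }
        $pw = $sb.ToString()
        # AD complexity wants 3 of 4 classes; insist on all 4 to be safe
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and
             $pw -match '\d'    -and $pw -match '[^A-Za-z0-9]')
    $rng.Dispose()
    $pw
}

function Reset-UserPassword {
    param([Parameter(Mandatory = $true)][string]$SamAccountName, [int]$Length = 16)
    $plain  = New-RandomPassword -Length $Length
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # Force a change at next logon so the helpdesk never knows the lasting password
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName
    $plain   # hand this to the user out of band; do not write it to a log
}

Reset-UserPassword -SamAccountName 'jdoe'
```

Sixteen characters from a 66-character alphabet give roughly 97 bits of entropy, well beyond what any reasonable lockout or offline-cracking budget reaches, so the length default errs on the side of being typeable rather than short.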
Labels:
powershell