About Us  

This blog records the useful things that consultants within C7 Solutions discover during their day to day work with Microsoft Technologies.


C7 Solutions Team Blog 
This blog contains a variety of useful information from the consultants at C7 Solutions. 

 

Friday, October 24, 2008

Enterprise Certificate Services and Terminal Services Gateway - Certificate Issuing for Internet Usage

To issue a certificate for the Windows 2008 Terminal Services gateway using your own installed Enterprise Certificate Authority, out of the box you need to create a certificate request file, request the certificate from the Enterprise CA, install the issued certificate and map the certificate to the TS Gateway.

This can help you if you get errors such as -2146875377 or "the dns name is unavailable and cannot be added to the subject alternative name" or "denied by policy" errors.

In detail these steps are:

Create MMC Console for all steps

  1. On the TS Gateway Windows 2008 server, with the remote administration tools installed, click Start > Run and enter mmc.exe.
  2. Confirm the UAC prompt and add the following snap-ins: Certificate Authority (choose computer on which this role is installed), Certificates (for local machine), TS Gateway Manager.

Create a Certificate Request

  1. Expand Certificates (Local Computer)/Personal/Certificates and right-click Certificates>All Tasks>Advanced Options>Create Custom Request.
  2. Click Next on the Before You Begin page.
  3. Choose Web Server as the template. The template type that you choose is the 2nd most important choice you make in this process. Click Next.
  4. Click the Details down arrow and then click Properties.
  5. On the Subject tab, under Subject Name, select Common Name under Type and enter the URL that you will use across the internet to reach this TS Gateway. Click OK when the names you are using have been added to the list on the right of the dialog. The correct value for common name is the 1st most important choice you make here.
  6. Click Next.
  7. Enter a file name and click Finish.

Upload Certificate Request to Enterprise Certificate Authority

  1. Expand the Certification Authority node in the MMC you created above.
  2. Right-click the CA name and choose All Tasks>Submit New Request.
  3. Browse and select the request file created in step 7 in the previous section.
  4. Save the issued certificate with a .cer file extension.

Install the Certificate on the TS Gateway Server

  1. Expand Certificates (Local Computer)/Personal/Certificates and right-click Certificates>All Tasks>Import and click Next.
  2. Browse to the file created in step 4 in the previous section.
  3. Click Next twice.
  4. Click Finish. You will be told the import was successful.
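
The request, submit and install stages above can also be scripted with certreq.exe. This is an added example, not part of the original post: the host name, CA config string and working folder are placeholders, the key length and non-exportable key are choices made for the example, and it assumes the CA offers the built-in Web Server template (internal name WebServer).

```powershell
# Added example (not from the original post). Run elevated on the TS Gateway server.
# $Fqdn, $CaConfig and $WorkDir are placeholder values; replace them with your own.
$Fqdn     = 'tsg.example.com'        # name used across the internet to reach the gateway
$CaConfig = 'CASERVER\Example-CA'    # Enterprise CA as "host\CA name"
$WorkDir  = 'C:\Temp\tsg-cert'
$Inf = Join-Path $WorkDir 'tsg.inf'
$Req = Join-Path $WorkDir 'tsg.req'
$Cer = Join-Path $WorkDir 'tsg.cer'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Request policy: machine key store, Web Server template, common name equal to the
# external name. KeyLength and Exportable are this example's choices.
$policy = @(
    '[Version]',
    'Signature="$Windows NT$"',
    '[NewRequest]',
    "Subject = ""CN=$Fqdn""",
    'KeyLength = 2048',
    'MachineKeySet = TRUE',
    'Exportable = FALSE',
    'RequestType = PKCS10',
    '[RequestAttributes]',
    'CertificateTemplate = WebServer'
)
Set-Content -Path $Inf -Value $policy -Encoding ASCII

# Run certreq.exe and stop at the first failing stage.
function Invoke-CertReq {
    param([string[]]$CertReqArgs)
    & certreq.exe $CertReqArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq $($CertReqArgs[0]) failed ($LASTEXITCODE)" }
}
Invoke-CertReq -CertReqArgs @('-new', $Inf, $Req)                           # create the request file
Invoke-CertReq -CertReqArgs @('-submit', '-config', $CaConfig, $Req, $Cer)  # submit to the Enterprise CA
Invoke-CertReq -CertReqArgs @('-accept', $Cer)                              # install the issued certificate

# Check the result: the certificate must be in the machine's Personal store with the
# expected common name and its private key (TLS cannot use it without the key).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }
"{0}  {1}  expires {2:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
```

The thumbprint printed on the last line identifies the certificate to pick on the SSL Certificate tab in the mapping step.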

Map Certificate to TS Gateway

  1. Expand TS Gateway Manager in the MMC.
  2. Right-click your TS Gateway server and choose Properties.
  3. Select the SSL Certificate tab and ensure the "Select an existing certificate..." option is set.
  4. Click Browse Certificates and select the new certificate that you have just created.
  5. Click Install and OK.

Then to finish, open the Remote Desktop Connection tool (mstsc.exe) and connect to a Terminal Server using the Gateway option via the Options>Advanced>Settings dialog. To complete these steps you must also have created the policies for connecting to the gateway.

# posted by Brian Reid : 8:49 AM  0 comments

 
 

Thursday, October 23, 2008

Enabling Previous Versions on Windows 2008 Server Core

Enabling Previous Versions for file shares on Windows 2008 when you have the full graphical interface is easy to do - but what if all you have is the command line, as you get in Server Core?

To turn on Previous Versions (shadow copies) via the command line follow these steps:
  1. From the command line on the server type:
    vssadmin add shadowstorage /for=c: /on=c: /MaxSize=5GB
  2. This will enable shadow copies on the volume; this might be enabled already (especially if you have already run a backup on the server). This particular command makes copies for the shares on the C: drive, stores the copies on the C: drive as well, and limits that storage to 5 GB. Any of these options can be changed.
  3. Enable remote management on the Server Core firewall (again this might have already been done):
    Netsh firewall set service RemoteAdmin
    Netsh advfirewall set currentprofile settings remotemanagement enable
    Netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
    Netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes
  4. Then from a remote machine with the Task Scheduler MMC snap-in enabled, connect to the Server Core machine as an administrator level account and add the following scheduled task - 1 for each disk on the server:
    General>Name: Shadow Volume Copy
    General>User Account: Administrator level account (run whether logged in or not)
    Triggers>New: Weekly, 7am, Mon-Fri and Weekly, 12pm, Mon-Fri
    Actions>Start a program: %systemroot%\system32\vssadmin.exe
    Actions>Start a program>Arguments: Create Shadow /AutoRetry=15 /For=c: (changing C: if you have a different drive)
  5. Click OK and right-click the task and choose Run.
  6. Open a file share that is held on the Server Core machine and see if the Previous Versions tab shows a previous version having just been created.

# posted by Brian Reid : 2:47 PM  0 comments

 
 

Friday, September 05, 2008

Moving WSUS 3.0 Content and Database

If you run out of space on your Windows Server Update Services (WSUS) server then the following will allow you to move the content to another location on the same machine.

  1. Create a folder called WSUS on a different partition from the current WSUS folder location. This folder must not be compressed.
  2. Open a command prompt and change directory to c:\program files\update services\tools and run wsusutil.exe movecontent newcontentpath logfile. This might appear as wsusutil movecontent j:\wsus j:\wsus\movewsus.log
  3. Wait until this completes
  4. Stop IIS (iisreset -stop from the command line) and stop the Update Services service.
  5. Download the SQL 2005 Management Studio Express.
  6. Install and run the Management Studio Express software and connect to the local \\.\pipe\mssql$microsoft##ssee\sql\query database (you must use this name and not the actual server name).
  7. Expand Databases, right-click SUSDB and choose Properties. Note down the name and path of the database files.
  8. Expand Databases, right-click SUSDB and choose Tasks > Detach.
  9. Using Windows Explorer, move the UpdateServicesDbFiles folder from the old WSUS database location to the new database location.
  10. Attach the database using Management Studio Express and right-click Databases > Attach. Add the database and log files that you just moved.
  11. Once attached start IIS (iisreset from the command line) and start the Update Services service.
  12. Check the event log for errors, and then you are free to delete the old folder location.

# posted by Brian Reid : 4:09 PM  1 comments

 
 

Monday, June 23, 2008

SSTP (SSL VPN) on SBS 2008 RC0

SSL-based VPNs are great. In short, it is VPN without firewall or NAT issues (both of which you get with PPTP and IPSec VPNs). But the current release of SBS 2008 (RC0) does not enable SSTP VPNs by default. It uses RRAS, so SSTP is possible, but it is not as easy as it first looks!

  1. Ensure that you have run the connecting to the internet wizard, and that you are using a third party certificate (as there are fewer steps if you do this).
  2. Enable remote access from the SBS Console > Network > Connectivity page.
  3. Add some SSTP ports to the VPN in the Routing And Remote Access management program. Right-click Ports and choose Properties and enable SSTP for remote access inbound connections. Leave PPTP enabled as Windows XP does not support SSTP VPN tunnels (only Vista SP1 does at this time).
  4. View the properties of your certificate and note down the Thumbprint value.
  5. Ensure that this certificate is associated with the 0.0.0.0:443 and [::]:443 certificate bindings on the server. Type "netsh http show ssl" from an elevated command prompt to get this information. You typically get four entries with IP:port being the first line of each. Check for IP:port reading "0.0.0.0:443" and [::]:443 as this shows the IPv4 and IPv6 mappings for SSL certificates on the server. Ignore the :8172 and :987 entries (these are for IIS Management Service and companyweb).
  6. For both "0.0.0.0:443" and [::]:443 make a note of the Certificate Hash. It needs to be the same for both and the same as the earlier Thumbprint value (ignore any spaces). If not, see http://blogs.technet.com/rrasblog/archive/2007/11/08/configuring-iis-on-the-sstp-server-implications-and-how-to-resolve.aspx for instructions on resetting this, noting that you need to ensure that the correct certificate is bound to the SBS Web Applications website on the SBS 2008 server (in IIS manager).
  7. Install the "Certificate Authority Web Enrollment" role service to the Active Directory Certificate Services snap-in within Server Manager. This adds a virtual directory to the default website in IIS called CertEnroll which contains the certificate revocation list for the certificate you are using. Only do this if you are using the built-in default issued certificate. If you are using certificates from a third party then you need to ensure you can reach their CRL publishing site without issue - see the certificate details for information on the CRL publishing site location.
  8. Expand the Certificate Authority on your server and right-click Revoked Certificates. Under tasks choose Publish. This updates the CRL with the new publishing location that SSTP needs to connect to. Again, use a third party certificate to make this easy!
  9. On a Vista SP1 client create a new VPN connection and in properties > networking ensure that the Type of VPN is set to SSTP (for normal use set this to Auto, and it will find the best (starting with PPTP), but for testing set it specifically to SSTP). Also ensure that the name of the server you are connecting to is the same name that the certificate uses for the certificate common name.
  10. Connect the VPN and all should work.
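
Steps 4 to 6 compare the certificate Thumbprint with the Certificate Hash of the two :443 bindings by eye. The following added example (not part of the original post) makes the same comparison from "netsh http show ssl" output; the sample output and hash values are constructed, the function names are the example's own, and English-language netsh output is assumed.

```powershell
# Added example (not from the original post). Assumes English-language netsh output.
# Collect "IP:port -> Certificate Hash" pairs from the netsh listing.
function Get-SslBindingHash {
    param([string[]]$NetshLines)
    $bindings = @{}
    $endpoint = $null
    foreach ($line in $NetshLines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)\s*$') {
            $endpoint = $Matches[1]
        } elseif ($endpoint -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s*$') {
            $bindings[$endpoint] = $Matches[1].ToUpper()
            $endpoint = $null
        }
    }
    $bindings
}

# Return one message per :443 binding that is missing or bound to another certificate.
function Test-SstpBinding {
    param([string[]]$NetshLines, [string]$Thumbprint)
    # The Thumbprint copied from the certificate dialog contains spaces (and may
    # carry other non-hex characters); keep only the hex digits.
    $want = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $bindings = Get-SslBindingHash $NetshLines
    foreach ($ep in '0.0.0.0:443', '[::]:443') {     # :8172 and :987 are ignored
        if (-not $bindings.ContainsKey($ep)) { "$ep : no certificate binding" }
        elseif ($bindings[$ep] -ne $want)    { "$ep : bound to $($bindings[$ep]), expected $want" }
    }
}

# Constructed sample output (hash values are made up) with a mismatched IPv6 binding.
$sample = @(
    'SSL Certificate bindings:',
    '-------------------------',
    '    IP:port                 : 0.0.0.0:443',
    '    Certificate Hash        : 00112233445566778899aabbccddeeff00112233',
    '    Certificate Store Name  : MY',
    '    IP:port                 : [::]:443',
    '    Certificate Hash        : ffeeddccbbaa99887766554433221100ffeeddcc',
    '    IP:port                 : 0.0.0.0:8172',
    '    Certificate Hash        : 0123456789abcdef0123456789abcdef01234567'
)
$thumb = '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'

$problems = @(Test-SstpBinding $sample $thumb)
if ($problems.Count -eq 0) { 'OK: both :443 bindings match the certificate thumbprint' }
else { $problems }
# On the server itself: Test-SstpBinding (netsh http show ssl) $thumb
```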


# posted by Brian Reid : 9:34 AM  0 comments

 
 

Monday, June 16, 2008

Hyper-V Not Booting From ISO Images

I got error 0xc00000e9 when attempting to boot into a new guest Hyper-V image, using an ISO image as my boot CD. Using the real CD in the host worked fine.

So I downloaded the ISO again and all was well this time - must have been a dodgy download - now to go play with Windows Small Business Server 2008.


# posted by Brian Reid : 6:08 PM  0 comments

 
 

Saturday, June 14, 2008

Hyper-V on the Dell Optiplex

With the correct BIOS settings enabled on an E8500 processor (see http://processorfinder.intel.com/ for the processors that support EM64T, Virtualisation and Execute Disable, which are needed for Hyper-V to work), and with them and the Trusted Execution property set to On in the BIOS, I got the following errors with Hyper-V RC1 on Windows 2008 Enterprise Server RTM (running Server Core):

  • Hyper-V launch failed; Either VMX not present or not enabled in BIOS.
  • Hyper-V launch failed; at least one of the processors in the system does not appear to provide a virtualization platform supported by Hyper-V.

Fixed this by rebooting and pressing F2 to enter the BIOS and disabling the following settings

  • Security > Execute Disable (set to Off)
  • Performance > Virtualization (set to Off)
  • Performance > VT for Direct I/O Access (set to Off)
  • Performance > Trusted Execution (set to Off)

Press Esc and save settings. When the server reboots do a hard power off. Power on, and then in the BIOS again ensure that the following is set:

  • Security > Execute Disable (set to On)
  • Performance > Virtualization (set to On)
  • Performance > VT for Direct I/O Access (set to On)
  • Performance > Trusted Execution (set to Off)

Press Esc and save settings. Hard power off again once the server reboots. Turn power on and let computer boot normally.

At this point I got a Hyper-V error in that the entries in the event log above did not appear anymore, but were replaced by an error indicating that Hyper-V was not installed.

So I removed Hyper-V by running:

  • ocsetup Microsoft-Hyper-V /uninstall

and reboot.

Reinstall Hyper-V by downloading the latest build and install it using:

  • wusa

or if you have the latest build already installed, then reinstall using:

  • ocsetup Microsoft-Hyper-V


# posted by Brian Reid : 8:55 AM  1 comments

 
 

Wednesday, May 07, 2008

Sage ODBC Error "cannot find all files in data path"

Saw this error when attempting to connect Excel/Microsoft Query to an installation of Sage when Sage v14 had been installed on Vista with Office 2007 (but these two programs are unrelated to the error).

If in Microsoft Query I select the listed data source for Sage then it would generate the above error. The problem was that the data source that is created by default points to the sample Sage database and not the database on the network that the company was using.

So to fix, create a new data source and for the data path value enter the full UNC path to the Sage database including the ACCDATA folder (for example \\server\sage\company.000\accdata).

# posted by Brian Reid : 1:29 PM  0 comments

 
 

© 2005 C7 Solutions.