WSUS – Configure SSL with external name.

Installing and configuring WSUS is a task I have done time and time again, but only a few of those installs have involved configuring SSL for WSUS. I was given the task of setting up a WSUS server for multiple customers, both inside and outside our datacenter, so a certificate and SSL were required. After following Microsoft's article on securing WSUS with SSL and adding the appropriate DNS records, I fired up the WSUS management console and could not connect to the server on port 443 as configured in IIS.

The server responded to ping on the FQDN I had assigned to it, so name resolution was not the problem. It just did not seem to accept the FQDN, so I remembered a registry setting I had used during migrations to give servers alias names. The cause is the Windows loopback check: when a process on the server connects to the server itself using a name other than its own computer name, integrated (NTLM) authentication is rejected, and that is how the WSUS console authenticates to the WSUS web service. The check only affects connections made from the WSUS server to itself; remote clients and consoles are not subject to it. BackConnectionHostNames is the per-name exception Microsoft recommends (KB 896861); the alternative, DisableLoopbackCheck, switches the check off entirely and should be avoided. The registry value should be located here; if it is not there, create it.

HKLM\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0

Name: BackConnectionHostNames

Type: REG_MULTI_SZ

Value(s): the FQDN(s) the server should accept, e.g. server.domain.com, one entry per line if you need more than one.

After adding the FQDN and running IISRESET from an elevated command prompt, I could connect to the WSUS server using the FQDN and the desired port.
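The same change scripted, as an added example that is not part of the original post: it merges one or more names into BackConnectionHostNames without creating duplicates on re-runs, creates the value if it does not exist, and restarts IIS. The FQDN wsus.example.com is a placeholder; run it from an elevated PowerShell prompt on the WSUS server.

```powershell
# Added example (not from the original post): idempotently add host names to
# BackConnectionHostNames (the per-name loopback-check exception) and restart IIS.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$HostName
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $name = 'BackConnectionHostNames'

    # Read the existing multi-string value, or start empty if it does not exist yet.
    $existing = @()
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { $existing = @($item.$name) }

    # Sort-Object -Unique is case-insensitive, so re-running does not duplicate entries.
    [string[]]$merged = @($existing + $HostName | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess("$key\$name", "set to: $($merged -join ', ')")) {
        if ($item) {
            Set-ItemProperty -Path $key -Name $name -Value $merged
        } else {
            New-ItemProperty -Path $key -Name $name -Value $merged -PropertyType MultiString | Out-Null
        }
    }
    return $merged
}

# wsus.example.com is a placeholder for the external FQDN in the IIS binding.
$names = Add-BackConnectionHostName -HostName 'wsus.example.com'
Write-Host "BackConnectionHostNames now contains: $($names -join ', ')"

# Restart IIS so new connections are authenticated against the updated list.
& iisreset.exe
```

Use -WhatIf first to see the resulting list without writing it. Only names that resolve to this server belong in the list; each entry widens the loopback exception, so do not add wildcard-style or unrelated names.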

Mapping OneDrive for Business

What if I want to access my OneDrive files in Windows Explorer rather than in Internet Explorer or the OneDrive for Business app? The OneDrive for Business app works fine (sometimes) for accessing the files from a laptop or workstation, but it synchronizes the contents to the local drive, which is fine there. When users work in a Remote Desktop or Citrix environment, however, you do not want every user's OneDrive files synchronized to the session host, and accessing the files from a web browser is not optimal either.

This article shows how to access your OneDrive for Business files by adding a network place. The guide is based on a Remote Desktop farm running Windows Server 2012 R2 where the users sign in to Office 365 through ADFS with SSO; this is not required, but I have not tested it any other way.

Add https://*.sharepoint.com to the Trusted sites zone in Internet Explorer. I do this with Group Policy under the following path:

User Configuration/Administrative Templates/Windows Components/Internet Explorer/Security Page

In Site to Zone Assignment List, enter:

Value Name: https://*.sharepoint.com Value: 2

(Value 2 is the Trusted sites zone. Note that this wildcard trusts every SharePoint Online tenant, not only your own; if you want the zone limited to your tenant, list the tenant's own host names instead.)
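For testing the zone assignment on a single session host before rolling it out by GPO, here is an added example (not from the original post) that writes the per-user policy registry value the Site to Zone Assignment List policy sets. The contoso host names in the comments are placeholders.

```powershell
# Added example (not from the original post): per-user registry equivalent of the
# "Site to Zone Assignment List" policy. Zone numbers: 1 = Local intranet,
# 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
function Set-IeZoneAssignment {
    param(
        [Parameter(Mandatory)][string]$Url,
        [ValidateSet(1, 2, 3, 4)][int]$Zone = 2
    )
    # Same key the GPO writes: the URL pattern is the value name, the zone a REG_SZ number.
    $key = 'HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    [Microsoft.Win32.Registry]::SetValue($key, $Url, "$Zone", [Microsoft.Win32.RegistryValueKind]::String)
    # Read it back so the caller sees exactly what IE will use.
    return [Microsoft.Win32.Registry]::GetValue($key, $Url, $null)
}

# The wildcard from the post trusts every tenant's SharePoint Online host.
Set-IeZoneAssignment -Url 'https://*.sharepoint.com' -Zone 2

# To limit trust to your own tenant, use its host names instead (contoso is a placeholder):
# Set-IeZoneAssignment -Url 'https://contoso.sharepoint.com'    -Zone 2
# Set-IeZoneAssignment -Url 'https://contoso-my.sharepoint.com' -Zone 2
```

Once a policy ZoneMapKey exists, the zone list in the Internet Options dialog is read-only for the user, which is the same behaviour the GPO produces.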


Quick way to extend your self-signed certificate using powershell

Certificates are not my favorite thing, and I guess I am not the only one. This method of renewing a self-signed certificate made life a bit easier.

Scenario: a certificate needs to be renewed and distributed to client computers using Group Policy.

First: get the thumbprint of the old certificate.

Open PowerShell as administrator:

Copy the thumbprint of the certificate you want to renew.

Voilà, a copy of the old certificate is created, valid for one year. Strictly speaking the certificate is not extended: this issues a new self-signed certificate with the same subject and extensions but a new key pair and therefore a new thumbprint, so anything bound to or pinning the old thumbprint must be updated.

To export the certificate for distribution with Group Policy Management, copy the new thumbprint and run the following command.

Now there are some things to wish for: I wish I could generate a certificate with more than one year's validity, but you can't have everything. (On Windows 10 and Server 2016 or later, New-SelfSignedCertificate accepts a -NotAfter parameter that sets the expiry date.)
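The two steps above in one function, as an added example (not the post's own commands): it clones the certificate identified by thumbprint and exports only the public part for the GPO. The thumbprint and output path are placeholders, and the -NotAfter line is commented out because it requires the newer cmdlet version.

```powershell
# Added example (not the post's own commands): clone a self-signed certificate and
# export the new public certificate for Group Policy distribution.
function Renew-SelfSignedCert {
    param(
        [Parameter(Mandatory)][string]$OldThumbprint,
        [Parameter(Mandatory)][string]$ExportPath
    )
    $store = 'Cert:\LocalMachine\My'
    $old = Get-Item -Path "$store\$OldThumbprint" -ErrorAction SilentlyContinue
    if (-not $old) { throw "No certificate with thumbprint $OldThumbprint in $store" }

    # -CloneCert copies subject, SANs, key usage and EKUs. A NEW key pair is generated,
    # so the result has a new thumbprint. Validity defaults to one year.
    $new = New-SelfSignedCertificate -CloneCert $old -CertStoreLocation $store

    # On Windows 10 / Server 2016 and later the cmdlet also accepts -NotAfter, e.g.:
    # $new = New-SelfSignedCertificate -CloneCert $old -CertStoreLocation $store -NotAfter (Get-Date).AddYears(3)

    # Export the public certificate only (no private key) for the GPO.
    Export-Certificate -Cert $new -FilePath $ExportPath -Type CERT | Out-Null

    [pscustomobject]@{
        OldThumbprint = $old.Thumbprint
        NewThumbprint = $new.Thumbprint
        NotAfter      = $new.NotAfter
        Exported      = $ExportPath
    }
}

# Placeholders: paste the old thumbprint and choose where the .cer should go.
Renew-SelfSignedCert -OldThumbprint 'PASTE_OLD_THUMBPRINT_HERE' -ExportPath 'C:\Temp\renewed.cer'
```

After the .cer has been pushed to the clients' trusted store, rebind any service (IIS bindings, RDP, etc.) from the old thumbprint to the new one, and remove the old certificate from the trusted stores once nothing uses it; a superseded but still-trusted self-signed certificate is a lingering trust anchor.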

The “getting rid of old crap” way of moving from ADFS 2.0 and dirsync to ADFS 3.0 and AAD Sync.

This gave me a headache so I need to write it down. The project meant moving an existing ADFS 2.0 and DirSync installation (without TMG) to a new install made up of ADFS 3.0 and AAD Sync on one server and a Web Application Proxy (WAP) on another. I started out using the Windows Internal Database (WID) for ADFS, and SQL LocalDB was installed by AAD Sync. When importing the configuration from the ADFS 2.0 server, the ADFS 3.0 service would not start and logged event 220; looking at the ADFS configuration file, it appeared I had imported far more configuration than I wanted. I then proceeded along an alternative migration path.

After resetting the new ADFS server I installed SQL Server Express 2014 with tools and configured a default instance on the server, so that I did not have to deal with both Windows Internal Database (for ADFS) and SQL LocalDB (for AAD Sync). I used the latest version of Azure AD Connect for the installation since it does most of the job for you.

I started off leaving the external mapping of port 443 for the external DNS record fs.customerdomain.com pointing to the old ADFS server, and logged on to the old ADFS server. On the ADFS 2.0 server I started the "Microsoft Online Services Module for Windows PowerShell" as administrator.

I connected to the customer tenant using the following commands.

The next step was to convert the already federated domain customerdomain.com to a standard (managed) domain WITHOUT converting the users to standard users. This was achieved with the following command.

The password file is not created when the -SkipUserConversion parameter is used, but the command would not let me omit it, so I supplied a path anyway. This removed the federation configuration for the domain from the Office 365 tenant so that the Azure AD Connect wizard could configure the new federation for the domain against the new servers. Be aware that from this point until the new federation is in place, users in the domain cannot sign in to Office 365 at all: the domain is managed, but because user conversion was skipped no cloud passwords were generated, so do this inside a maintenance window. The next step was exporting the certificate for fs.customerdomain.com with its private key to a PFX file from the old ADFS 2.0 server and importing it into the Local Computer personal store on the new, soon-to-be ADFS 3.0 server; that PFX carries the private key for the federation service name, so protect it with a strong password, move it over a secure channel and delete the file once it is imported. After that I changed the external mapping of port 443 from the internal IP of the old ADFS 2.0 server to the internal IP of the soon-to-be Web Application Proxy server. Since I use split DNS I also had to change the internal record for fs.customerdomain.com to point to the internal IP of the ADFS 3.0 server, because internal authentication requests do not need to pass through the Web Application Proxy. I also stopped and disabled the services of the old ADFS 2.0 server and the old DirSync services.
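The tenant-side part of the procedure, as an added example (not the post's own commands): connect with the MSOnline module, check the domain's current authentication type, convert it to managed without touching the users, and refuse to continue if the conversion did not take. customerdomain.com and the password-file path are placeholders.

```powershell
# Added example (not the post's own commands): convert a federated Office 365 domain
# back to managed without converting its users, then verify the result.
Import-Module MSOnline
Connect-MsolService        # prompts for a Global Administrator credential

$domain = 'customerdomain.com'   # placeholder

# Before: Authentication should read "Federated".
Get-MsolDomain -DomainName $domain | Format-List Name, Status, Authentication

# -SkipUserConversion $true leaves the user objects alone (no cloud passwords are
# generated), so users cannot sign in until the AAD Connect wizard re-federates the
# domain. -PasswordFile is still mandatory even though nothing is written to it.
Convert-MsolDomainToStandard -DomainName $domain `
                             -SkipUserConversion $true `
                             -PasswordFile 'C:\Temp\unused-passwords.txt'

# After: Authentication should read "Managed". Stop here if it does not, because
# the AAD Connect wizard cannot configure federation for a domain that is still federated.
$after = Get-MsolDomain -DomainName $domain
if ($after.Authentication -ne 'Managed') {
    throw "Domain $domain is still $($after.Authentication); do not run the AAD Connect wizard yet."
}
$after | Format-List Name, Status, Authentication
```

Run this only after the new ADFS/WAP servers are built and the certificate is in place, so the window in which nobody can sign in is as short as possible.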

After this was done I started the Azure AD Connect wizard and it worked all the way through. Since the customer did not synchronize the whole directory to Office 365, it was important to remember to uncheck "Start the synchronization process as soon as the configuration completes" at the end of the wizard, then start the AAD Sync UI and configure the correct OUs to synchronize; after that you enable the AAD Sync task in Task Scheduler.

How to check if your antivirus setup is working

When I install or upgrade an antivirus solution I always make sure it works by creating a dummy file that is reported as a virus but is not one. That way I can see that the AV client reports the detection, that the management server receives the notice, and that the email notification to the support team works as intended.

This is nothing new, but I will share it nonetheless, as I myself need to have the dummy file saved somewhere.

Save the following text in a file on the client and name it EICAR.com (EICAR, the European Institute for Computer Antivirus Research, is the creator of this test file). The file must contain the 68-character string and nothing else before it (trailing whitespace up to 128 bytes in total is tolerated), saved as plain ASCII, or it will not match.

Your AV should now report the file as a virus and notify the management server, and depending on your configuration you should also receive an email. Keep in mind that this exercises the signature and alerting pipeline only; it says nothing about how the product handles real malware.
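A scripted version of the test, as an added example (not from the original post): it writes the public EICAR string byte-exactly, waits for real-time protection to act, and reports whether the file was removed. The temp path and wait time are assumptions.

```powershell
# Added example (not from the original post): drop the EICAR test file and check
# whether real-time protection removes it. The string is the public EICAR test
# string, not malware. Single quotes matter: in a double-quoted PowerShell string
# "$EICAR" and "$H" would be expanded as variables and corrupt the sample.
function Test-AvDetection {
    param(
        [string]$Path = (Join-Path $env:TEMP 'EICAR.com'),
        [int]$WaitSeconds = 30
    )
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    try {
        # Write exactly the 68 ASCII bytes: no BOM and no trailing newline.
        [System.IO.File]::WriteAllBytes($Path, [System.Text.Encoding]::ASCII.GetBytes($eicar))
    } catch {
        # Some products block the write itself; that also counts as a detection.
        return [pscustomobject]@{ Path = $Path; RemovedByAv = $true; Note = "write blocked: $($_.Exception.Message)" }
    }

    # Real-time scanners normally act within seconds; poll until the file is gone.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    while ((Test-Path $Path) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }

    $detected = -not (Test-Path $Path)
    if (-not $detected) {
        # Nothing reacted: clean up so the sample is not left lying around.
        Remove-Item -Path $Path -Force -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{ Path = $Path; RemovedByAv = $detected; Note = $null }
}

Test-AvDetection
```

A RemovedByAv value of $true only confirms that on-access scanning fired; the management-server event and the e-mail still need to be checked by hand. Expect some products to quarantine the .ps1 file itself, since it contains the string, and tell the SOC or support team beforehand so the resulting alert is not treated as a real incident.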

Exchange: Email error 451 4.4.0 DNS query failed

After upgrading the DCs to 2012 R2 and removing the old 2003 DC, I found that Exchange had problems sending mail to a small number of domains. When I looked in the message queue I found that all of these domains showed the same error:

domain.com 451 4.4.0 DNS Query Failed

Since I had just installed two new 2012 R2 DCs that now acted as the only DNS servers in the domain, and had recently read about Extension Mechanisms for DNS (EDNS), I figured this must be the issue. With EDNS enabled a DNS packet can exceed 512 bytes, and some firewalls drop such packets, hence the DNS query failed error.

There is a quick fix for this, which is to disable EDNS probes on the DC. Note that this is a workaround rather than a fix: the root cause is a firewall that drops UDP DNS replies larger than 512 bytes (or their fragments), and EDNS is also what DNSSEC validation relies on. If you control the firewall, allowing large UDP DNS replies is the better option.

  • At a command prompt, type the following command, and then press Enter:

    Note Type a 0 (zero) and not the letter “O” after “enableednsprobes” in this command.

    The following information appears:

https://support.microsoft.com/en-us/kb/832223
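The same change wrapped so it can be verified, as an added example (not from the post; the dnscmd syntax is the one documented in KB 832223): it sets the value, reads it back so a typo such as the letter O instead of a zero is caught immediately, and retries an MX lookup for a previously failing domain. example.org stands in for one of the affected domains.

```powershell
# Added example (not from the post): disable EDNS probes on a Windows DNS server,
# read the setting back, and re-test MX resolution. Run elevated on the DC.
function Set-EdnsProbes {
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$Server = $env:COMPUTERNAME
    )
    $value = if ($Enabled) { 1 } else { 0 }     # digit zero, not the letter O
    & dnscmd.exe $Server /config /enableednsprobes $value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /config failed with exit code $LASTEXITCODE" }

    # Read the effective value back instead of trusting the write.
    $info = & dnscmd.exe $Server /info /enableednsprobes
    return ($info -join "`n")
}

Set-EdnsProbes -Enabled $false

# Confirm the symptom is gone for one of the domains that returned 451 4.4.0
# (example.org is a placeholder for such a domain).
Resolve-DnsName -Name 'example.org' -Type MX -Server $env:COMPUTERNAME
```

To reverse the workaround once the firewall has been fixed, call Set-EdnsProbes -Enabled $true.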

Manage test and production groups in WSUS from powershell with PoshWSUS

I have always found the WSUS console lacking when it comes to handling multiple server groups across test and production environments, and this is where PoshWSUS comes in handy.

I will show the basics of how to manage test and production groups and verify patch assignment.

You can find the PoshWSUS module here

Load the module and connect to your WSUS server

Select the group for your test environment, which already has the latest patches assigned and deployed and where patch functionality has been verified

Get all the patches approved for your test group and approve them for your production group

When the script finishes, you get a list of all the patches assigned to the production group.

Let us verify that the production environment has the same patches assigned as the test environment, and list any missing patches

If no patches are returned, the production group now has the same patches assigned as the test group.
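The whole workflow in one script, as an added example that is not the post's own code: it is written against the WSUS administration API that PoshWSUS wraps (Microsoft.UpdateServices.Administration), so no PoshWSUS parameter names are guessed here. It lists updates approved for Install in the test group but not in the production group, approves them (with a dry-run switch), and then re-runs the comparison as verification. The server name, port and group names are placeholders, and the WSUS console or its assembly must be installed where the script runs.

```powershell
# Added example (not the post's script): copy Install approvals from a test group
# to a production group using the WSUS administration API, then verify.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Connect-Wsus {
    param([string]$Server = 'wsus.example.com', [bool]$UseSsl = $true, [int]$Port = 8531)
    [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $UseSsl, $Port)
}

# Updates with an explicit Install approval on $TestGroup and none on $ProdGroup.
# Approvals inherited from a parent group (e.g. "All Computers") are not considered.
function Get-MissingProdApprovals {
    param($Wsus, [string]$TestGroup, [string]$ProdGroup)
    $groups = $Wsus.GetComputerTargetGroups()
    $test = $groups | Where-Object Name -eq $TestGroup
    $prod = $groups | Where-Object Name -eq $ProdGroup
    if (-not $test -or -not $prod) { throw "Group not found: check '$TestGroup' and '$ProdGroup'" }
    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

    # GetUpdates() walks the whole catalogue; this takes a while on a large server.
    foreach ($u in $Wsus.GetUpdates()) {
        $approvals = $u.GetUpdateApprovals()
        $inTest = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $test.Id -and $_.Action -eq $install }
        $inProd = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $prod.Id -and $_.Action -eq $install }
        if ($inTest -and -not $inProd) { $u }
    }
}

# Approve for production everything the test group already has; -WhatIf only reports.
function Copy-TestApprovalsToProd {
    param($Wsus, [string]$TestGroup, [string]$ProdGroup, [switch]$WhatIf)
    $prod = $Wsus.GetComputerTargetGroups() | Where-Object Name -eq $ProdGroup
    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
    foreach ($u in Get-MissingProdApprovals -Wsus $Wsus -TestGroup $TestGroup -ProdGroup $ProdGroup) {
        if ($WhatIf) { "Would approve: $($u.Title)"; continue }
        $u.Approve($install, $prod) | Out-Null
        "Approved: $($u.Title)"
    }
}

$wsus = Connect-Wsus
Copy-TestApprovalsToProd -Wsus $wsus -TestGroup 'Test' -ProdGroup 'Production' -WhatIf
# Remove -WhatIf to apply:
# Copy-TestApprovalsToProd -Wsus $wsus -TestGroup 'Test' -ProdGroup 'Production'

# Verification: an empty result means production matches test.
Get-MissingProdApprovals -Wsus $wsus -TestGroup 'Test' -ProdGroup 'Production' | Select-Object Title
```

Only Install approvals are copied; declines and removals stay where they are, and the account running this must be a WSUS administrator on the server.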

Checking multiple scheduled jobs status on multiple servers.

I got tired of not knowing the status of several scheduled jobs scattered across multiple servers. This script resolves that by checking the last run status of each job I define in the input file and sending me an alert if something went wrong.

After struggling for a while to find a way to read the last status of a job, I ended up using schtasks.exe in the script: it turned out that I could not retrieve the last result code of a job created with the Scheduled Tasks wizard through WMI. (On Windows Server 2012 and later, Get-ScheduledTaskInfo exposes the same value as LastTaskResult and accepts a CIM session to a remote server.) The script is pretty basic: it uses an input file, a regular text file, where I list the server name and then the job name in the following format.

servername,jobname

I create an output file because it might be handy if the e-mail somehow gets lost on the way. I then run a foreach over every line in the text file, and if the job status is anything other than "0" I write that to the file and send an e-mail with a customized message containing the server name, the job name and the last status code.

Without further delay, here is the script.
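An implementation of the approach described above, as an added example that is not the post's own script: it reads the "servername,jobname" lines, queries each task with schtasks.exe, treats the "currently running" code as non-fatal, appends problems to a log file and mails each one. The SMTP server, addresses and file paths are placeholders.

```powershell
# Added example (not the post's script): check the last result of scheduled tasks
# on multiple servers from a "server,job" text file, log and e-mail failures.
function Get-TaskLastResult {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$TaskName)
    # /fo CSV /v prints a header row that includes "Last Result", so ConvertFrom-Csv can parse it.
    $raw = & schtasks.exe /query /s $Server /tn $TaskName /fo CSV /v 2>&1
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ Server = $Server; Task = $TaskName; LastResult = $null; Error = ($raw -join ' ') }
    }
    $row = $raw | ConvertFrom-Csv | Select-Object -First 1   # one row per trigger; all carry the same result
    [pscustomobject]@{ Server = $Server; Task = $TaskName; LastResult = [int64]$row.'Last Result'; Error = $null }
}

function Test-ScheduledJobs {
    param(
        [Parameter(Mandatory)][string]$InputFile,
        [Parameter(Mandatory)][string]$OutputFile,
        [string]$SmtpServer = 'smtp.example.com',
        [string]$From       = 'jobcheck@example.com',
        [string]$To         = 'support@example.com'
    )
    # The input file has no header line, so name the columns here and skip blank lines.
    $jobs = @(Import-Csv -Path $InputFile -Header Server, Task | Where-Object { $_.Server -and $_.Task })
    $failures = @(foreach ($j in $jobs) {
        $r = Get-TaskLastResult -Server $j.Server.Trim() -TaskName $j.Task.Trim()
        # 0 = success; 267009 (0x41301) means "currently running" and is not a failure.
        if ($r.Error -or ($r.LastResult -ne 0 -and $r.LastResult -ne 267009)) { $r }
    })
    "$(Get-Date -Format s) checked $($jobs.Count) jobs, $($failures.Count) problem(s)" | Out-File -FilePath $OutputFile -Append
    foreach ($f in $failures) {
        $line = "$($f.Server) / $($f.Task): last result $($f.LastResult) $($f.Error)"
        $line | Out-File -FilePath $OutputFile -Append
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
            -Subject "Scheduled job problem on $($f.Server): $($f.Task)" -Body $line
    }
    return $failures
}

Test-ScheduledJobs -InputFile 'C:\Scripts\jobs.txt' -OutputFile 'C:\Scripts\jobstatus.log'
```

Run it as a scheduled task under an account that has the right to query tasks on each server rather than passing /u and /p to schtasks, so no password ends up in the script or the input file.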

Check system up-time

Microsoft's instructions to check system up-time:

1.  Go to "Start" -> "Run".

2.  Type "CMD" and press Enter.

3.  Type the command "net statistics server" and press Enter.

4.  The line that starts with "Statistics since …" shows the time from which the server has been up.

  •   The command "net stats srv" can be used instead.

Note that these statistics are reset whenever the Server service is restarted, so the time shown is the service start time; it normally equals the last boot but need not. The "System Boot Time" line of systeminfo gives the actual boot time.

Import specific GPO through PowerShell from the Backup all script

This script is based on the backup all GPOs script done here

The script loops through all the GPOs in the backup and presents a pop-up asking whether you wish to import that specific GPO.
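One way to write that loop, as an added example that is not the post's script: it reads the manifest.xml that Backup-GPO writes, asks per GPO using the PowerShell host's own choice prompt instead of a Windows Forms pop-up, and imports only the confirmed ones. The backup path is a placeholder, and the manifest layout (one BackupInst per GPO with CDATA-wrapped values) is assumed from Backup-GPO's output; the helper falls back to plain text if a value is not CDATA-wrapped.

```powershell
# Added example (not the post's script): prompt for each GPO in a Backup-GPO folder
# and import the confirmed ones.
Import-Module GroupPolicy

function Get-ManifestText($node) {
    # Backup-GPO wraps values in CDATA, which PowerShell exposes as '#cdata-section';
    # fall back to plain text in case a value is not wrapped.
    if ($node -is [string]) { return $node }
    return $node.'#cdata-section'
}

function Import-SelectedGpoBackups {
    param(
        [Parameter(Mandatory)][string]$BackupPath,
        [switch]$CreateIfNeeded
    )
    [xml]$manifest = Get-Content -Path (Join-Path $BackupPath 'manifest.xml')
    $imported = @()
    foreach ($inst in $manifest.Backups.BackupInst) {
        $name = Get-ManifestText $inst.GPODisplayName
        $id   = Get-ManifestText $inst.ID
        $choices = [System.Management.Automation.Host.ChoiceDescription[]]@(
            (New-Object System.Management.Automation.Host.ChoiceDescription '&Yes', "Import $name"),
            (New-Object System.Management.Automation.Host.ChoiceDescription '&No',  "Skip $name")
        )
        # Default answer is No (index 1), so an accidental Enter imports nothing.
        $answer = $host.UI.PromptForChoice('Import GPO', "Import '$name' (backup $id)?", $choices, 1)
        if ($answer -ne 0) { continue }
        # Importing into an existing GPO of the same name overwrites its settings.
        Import-GPO -BackupId $id -Path $BackupPath -TargetName $name -CreateIfNeeded:$CreateIfNeeded | Out-Null
        $imported += $name
    }
    return $imported
}

Import-SelectedGpoBackups -BackupPath 'C:\GPOBackups' -CreateIfNeeded
```

When the backups come from another domain, pass a migration table (-MigrationTable) to Import-GPO so security principals and UNC paths in the settings are translated rather than imported as dangling SIDs.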
