Archive for SMB

Renew SSL Certificate for 2012 R2 Essentials

These are the steps I recently followed to renew a third party (GoDaddy) SSL certificate on a 2012 R2 Essentials server. Although these steps have been documented many, many times over the years, it doesn’t hurt to review the process and make sure it works properly.

The overall process has three major parts to it:

  • Generate SSL request on the server
  • Request and rekey the certificate on GoDaddy’s site and download new certificate
  • Install the intermediate cert and your domain SSL cert on the server

Part One – Server

  • Open up the Essentials dashboard, click on Quick Status from the left column of the screen, then click Anywhere Access from the middle column, and finally click “Click to configure Anywhere Access” from the right column of the screen.
  • In the next window (Settings – Anywhere Access), click on the Configure… button. Please note, there’s a red X in my screen shot. That’s because my SSL certificate is about to expire. However, DO NOT click on the “Repair…” button. Just click on the “Configure…” button.
  • In the next window (Set up Anywhere Access), make sure that you UNcheck the option labeled “Skip Domain name setup. I have already set up my domain”.
  • In the next window, select “Import a new trusted SSL certificate”
  • In the next window, first verify your domain name to be registered, which should already be correct as we are renewing an existing SSL certificate. Then click to enable the option “I want to purchase a trusted SSL certificate for this domain”
  • The next screen is the important one. It should automatically display the certificate request that you will need. If you need to, open up Notepad and then copy everything inside the box, starting with “-----BEGIN NEW CERTIFICATE REQUEST-----” all the way to the very end.

If you wish, leave this window open while you go to Part Two and request the new certificate from GoDaddy

Part Two – GoDaddy

  • Open up a browser, go to GoDaddy’s web site, log in, and go to your registered SSL for your domain and select to purchase/renew it. I’m not including screen shots of this process. GoDaddy will generate an email to verify you are the owner of this certificate.
  • Once that is done and approved, you can proceed on the GoDaddy site to rekey your certificate. It will ask you to copy/paste in the certificate request info we just generated (that starts with “-----BEGIN NEW CERTIFICATE REQUEST…”).
  • After you paste and submit this information, GoDaddy will generate another email to you with the link to download the certificate and instructions for installing it.
  • When you are at the screen to download your certificate, you must select what Server type you will be using this on. From the drop down, select IIS. Then download the generated zip file. If you are not doing this step from the server, then you will need to copy the zip file over to the server.
  • Unzip the zip file on the server. You will have two files, one with a .p7b suffix and the other with a .crt suffix.

Part Three – Server

Before we go back to the Essentials  dashboard that we left open, we first need to go to MMC and insert the new p7b intermediate file from GoDaddy.

  • The steps to do this are provided by GoDaddy (click here). In short:
    • Run MMC, add the Certificates snap-in, select Computer Account, select Local Computer.
    • Once Certificates is added, drill down to Certificates > Intermediate Certification Authorities, right click and select All Tasks > Import.
    • Click to browse, change the file extension in the browse window to “all files”, then locate the .p7b file that came from the zip file, and load it. Once done, you can close MMC.
  • Now we return to the Essentials dashboard that we left open. If it’s still sitting on the “Generate a certificate request” window, go ahead and click Next.
  • On the next window (“A trusted SSL certificate is in progress…”), click on the first option: “I have the trusted SSL certificate…” and click Next.
  • On the next screen (Import the trusted certificate), click to Browse, change the file extension again to “all files” then locate the file ending with .crt that you unzipped, and click Next.
  • Wait while the new certificate is installed. You will get a green check window indicating that the domain is set up. You have one final step – to add this to Anywhere Access
  • On the next screen, you can select to enable VPN access and/or Remote Web Access. I only select Remote Web Access, as I use my network firewall/router box for VPN connectivity.
  • Go ahead and select what you need, and you will be all done. You will also see that the red X we saw earlier should now have disappeared, since the SSL certificate is now up to date.
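
To confirm the result of Part Three from the command line, the following PowerShell is an added example (not part of the original steps or of GoDaddy's instructions). It reports, for each certificate in the computer's Personal store that matches your domain, the expiry date, whether the private key created with the request in Part One is attached, and whether the chain to the intermediate builds. The host name remote.example.com is a placeholder.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Essentials server after Part Three is finished.
function Test-RenewedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [int]$WarnDays = 30
    )
    # The .crt imported by the wizard lands in the computer's Personal store.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Domain*" } |
        Sort-Object -Property NotAfter -Descending
    if (-not $certs) {
        Write-Warning "No certificate for $Domain in LocalMachine\My"
        return
    }

    foreach ($cert in $certs) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # NoCheck keeps the test offline: it checks the chain, not revocation.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk  = $chain.Build($cert)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            ExpiringSoon  = ($daysLeft -lt $WarnDays)
            # False means this server does not hold the key made with the request.
            HasPrivateKey = $cert.HasPrivateKey
            ChainBuilds   = $chainOk
            ChainLength   = $chain.ChainElements.Count
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}

# 'remote.example.com' is a placeholder; use the name on your certificate.
Test-RenewedCertificate -Domain 'remote.example.com' | Format-List
```

The newest certificate is listed first; an older entry for the same name is the certificate that was about to expire.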

Windows 10 Workstation Shows Offline Status and No Backups from 2012 R2 Essentials Dashboard

It’s been well documented that updates for Windows 10 (such as the 1607 Anniversary update) will cause issues with interfacing to the 2012 R2 Essentials Server. Two things in particular:

  • Workstations will have a status of Offline on the Essentials Dashboard
  • More importantly, client workstation backups are not up to date

Until now, the process that I had taken to resolve this on each workstation was as follows:

  • Drop workstation to Workgroup
  • Login as local administrator (not domain)
  • Run http://{servername}/connect
  • Use domain admin login and password to proceed, when prompted
  • Approve (acknowledge) you want to use the domain admin login
  • Complete rejoining to the server
  • Reboot workstation and login as domain user

Well, now, it comes to pass that we can make this process a bit faster, as we can eliminate the first two steps (dropping workstation to a workgroup, and logging in with the local admin account).

So here’s how the steps now look, while remaining logged in as the current domain user account:

  • Run http://{servername}/connect
  • Use domain admin login and password to proceed, when prompted
  • Approve (acknowledge) you want to use the domain admin login
  • Complete rejoining to the server
  • It’s possible to just log off and log back in as the current domain user. However, I still like to reboot the workstation just to make sure all is fine.

SBS 2011, Windows Server Backup, and VSSAdmin List Writers Issue

One of my customers runs an SBS 2011 server with Exchange 2010. I consider it a very clean server. Suddenly, after three years, I had issues with the Windows Server Backup.

Opening the WSB console, I would get the message Reading Data, please wait….

I knew that the first thing I should check was the VSS writers. When I tried to run vssadmin list writers from an admin level command prompt,  I would get the message: Waiting for responses. These may be delayed if a shadow copy is being prepared.

Rebooting the server didn’t help.

I tried the wbadmin delete catalog command, but that didn’t help.

I then found this blog post from ServerFault.com which provided instructions for stopping specific services, reregistering VSS related DLLs, and then restarting the services. Eventually this solution worked for me!

Here’s a look at each of these three parts of the solution:

Step 1 – Stop specific services

You can run these commands one at a time from a command line prompt, or put them into a  batch file and run them:

net stop "System Event Notification Service"
net stop "Background Intelligent Transfer Service"
net stop "COM+ Event System"
net stop "Microsoft Software Shadow Copy Provider"
net stop "Volume Shadow Copy"
net stop VSS
net stop SWPRV

Note #1: Stopping the COM+ Event System will also cause several other dependent services to be stopped. Take a note of these dependent services so you can make sure they are restarted later on.

Note #2: When I ran these commands, the COM+ Event System service did not successfully stop — it will have a status of  “Stopping…”. But it needs to be successfully stopped for the rest of the solution to work. If this happens to you, here’s how to stop it:

    • Open up another command prompt window
    • Type: sc queryex eventsystem and press Enter
    • Note the associated PID# for this service. Let’s say the PID# is 408
    • Next type: taskkill /pid 408 /F and press Enter
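
Notes #1 and #2 can be prepared for before anything is stopped. The following PowerShell is an added example (not part of the original post or the ServerFault instructions): it records which dependent services are running so they can be restarted in Step 4, and it lists any other services hosted in the same process as COM+ Event System, since taskkill /F on that PID ends every service in that process. The CSV path is an assumption.

```powershell
# Added example, not from the original post. Run elevated, before Step 1.
# Get-WmiObject is used so this also runs on PowerShell 2.0 (SBS 2011).
$svcName  = 'EventSystem'   # service name for "COM+ Event System"
$listFile = Join-Path $env:TEMP 'eventsystem-dependents.csv'   # assumed path

# Note #1: save the dependent services that are running right now.
function Save-RunningDependents {
    Get-Service -Name $svcName -DependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        Select-Object Name, DisplayName |
        Export-Csv -Path $listFile -NoTypeInformation
    Import-Csv -Path $listFile
}

# Note #2: list every other service hosted in the same process (PID).
# taskkill /F on that PID ends all of them, not only COM+ Event System.
function Get-SharedHostServices {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return }   # not running
    Get-WmiObject -Class Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
        Where-Object { $_.Name -ne $svcName } |
        Select-Object Name, DisplayName, State, ProcessId
}

# Step 4 helper: start whatever Save-RunningDependents recorded.
function Restore-RunningDependents {
    Import-Csv -Path $listFile | ForEach-Object {
        $s = Get-Service -Name $_.Name
        if ($s.Status -ne 'Running') { Start-Service -Name $_.Name }
        Get-Service -Name $_.Name | Select-Object Name, Status
    }
}

Save-RunningDependents
Get-SharedHostServices
# After the "net start" commands in Step 4, run: Restore-RunningDependents
```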

Step 2 – Reregister DLLs

Now copy the following commands into a batch file and run it from the command line

regsvr32 /s ATL.DLL
regsvr32 /s comsvcs.DLL
regsvr32 /s credui.DLL
regsvr32 /s CRYPTNET.DLL
regsvr32 /s CRYPTUI.DLL
regsvr32 /s dhcpqec.DLL
regsvr32 /s dssenh.DLL
regsvr32 /s eapqec.DLL
regsvr32 /s esscli.DLL
regsvr32 /s FastProx.DLL
regsvr32 /s FirewallAPI.DLL
regsvr32 /s kmsvc.DLL
regsvr32 /s lsmproxy.DLL
regsvr32 /s MSCTF.DLL
regsvr32 /s msi.DLL
regsvr32 /s msxml3.DLL
regsvr32 /s ncprov.DLL
regsvr32 /s ole32.DLL
regsvr32 /s OLEACC.DLL
regsvr32 /s OLEAUT32.DLL
regsvr32 /s PROPSYS.DLL
regsvr32 /s QAgent.DLL
regsvr32 /s qagentrt.DLL
regsvr32 /s QUtil.DLL
regsvr32 /s raschap.DLL
regsvr32 /s RASQEC.DLL
regsvr32 /s rastls.DLL
regsvr32 /s repdrvfs.DLL
regsvr32 /s RPCRT4.DLL
regsvr32 /s rsaenh.DLL
regsvr32 /s SHELL32.DLL
regsvr32 /s shsvcs.DLL
regsvr32 /s /i swprv.DLL
regsvr32 /s tschannel.DLL
regsvr32 /s USERENV.DLL
regsvr32 /s vss_ps.DLL
regsvr32 /s wbemcons.DLL
regsvr32 /s wbemcore.DLL
regsvr32 /s wbemess.DLL
regsvr32 /s wbemsvc.DLL
regsvr32 /s WINHTTP.DLL
regsvr32 /s WINTRUST.DLL
regsvr32 /s wmiprvsd.DLL
regsvr32 /s wmisvc.DLL
regsvr32 /s wmiutils.DLL
regsvr32 /s wuaueng.DLL

Step 3 – Scan these DLL’s

Next, we will check the integrity of the following three DLLs

sfc /SCANFILE=%windir%\system32\catsrv.DLL
sfc /SCANFILE=%windir%\system32\catsrvut.DLL
sfc /SCANFILE=%windir%\system32\CLBCatQ.DLL

Step 4 – Restart Services

Finally, let’s restart the services we stopped

net start "COM+ Event System"
net start "System Event Notification Service"
net start "Background Intelligent Transfer Service"
net start "Microsoft Software Shadow Copy Provider"
net start "Volume Shadow Copy"

Step 5 – Rerun VSSADMIN

Go ahead and try to rerun the vssadmin list writers command and see if it works.

New 2012 Windows Server 2012 R2 VM Couldn’t Complete the Updates Undoing Changes

Aarrgghh – why don’t I remember these things anymore????

I was in the process of firing up a new 2012 R2 VM,  and in my rush, I  clicked to download and install all updates before heading out to do some errands. When I got back home, I was greeted with the following error message:

We couldn’t complete the updates. Undoing changes. Don’t turn off the computer.


The thing is — this was a known issue over a year ago! One that my good MVP friend Boon Tee encountered, and he wrote up a blog post at that time for the workaround.

The problem occurs if you are creating a Gen 2 virtual machine (.vhdx) and KB 2920189 is included in the list of updates you are trying to install.

The solution?

Shutdown VM –> disable Secure Boot from the VM –> Start VM  and install updates –> Shutdown VM –> re-enable Secure Boot –> Start VM

You can find the option to enable/disable Secure Boot under the Firmware section of the VM settings.
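
The same sequence can be run from the Hyper-V host with the Hyper-V PowerShell module. This is an added example, not from the original post or from Boon Tee's write-up. It toggles Secure Boot around the update run and then lists any Generation 2 VM on the host that still has Secure Boot off, so the re-enable step is not forgotten. The VM name NewServerVM is a placeholder.

```powershell
# Added example, not from the original post. Run elevated on the Hyper-V host.
function Set-SecureBootState {
    param(
        [Parameter(Mandatory = $true)][string]$VMName,
        [Parameter(Mandatory = $true)][ValidateSet('On', 'Off')][string]$State
    )
    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) { throw "$VMName is not a Generation 2 VM" }
    # The firmware setting can only be changed while the VM is off.
    if ($vm.State -ne 'Off') { Stop-VM -Name $VMName }
    Set-VMFirmware -VMName $VMName -EnableSecureBoot $State
    Start-VM -Name $VMName
    Get-VMFirmware -VMName $VMName | Select-Object VMName, SecureBoot
}

# Audit: Generation 2 VMs on this host that currently have Secure Boot off.
function Get-SecureBootDisabledVM {
    Get-VM |
        Where-Object { $_.Generation -eq 2 } |
        ForEach-Object { Get-VMFirmware -VMName $_.Name } |
        Where-Object { $_.SecureBoot -eq 'Off' } |
        Select-Object VMName, SecureBoot
}

# 'NewServerVM' is a placeholder name.
Set-SecureBootState -VMName 'NewServerVM' -State Off
# Install the updates inside the VM, then run:
#   Set-SecureBootState -VMName 'NewServerVM' -State On
Get-SecureBootDisabledVM
```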


Warning — the “Undoing changes” can take quite a long time to complete. I decided to delete the VM, and start over from scratch!

Samsung 850 EVO SSD crashes Windows 2012 R2 Server

I have personally used Samsung’s 850 SSD drives in a few workstations, and they appear to work great.

However, there are several recent posts of Windows 2012 R2 and 2012 R2 Essentials servers crashing. The common denominator? Samsung’s 850 EVO SSD drives.

One person wrote that a 2012 R2 Essentials server will produce 100% crashes. Any other 2012 R2 server will crash if the write cache is disabled, which happens when a server is promoted to a DC. Hopefully, it’s a firmware issue with those drives that Samsung can address. Also, the Samsung 840 SSD drives appear to work just fine, and do NOT cause similar crashes.

Here are some links for your further reading pleasure that identify the issues at hand:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/81c6d52f-578c-44c8-a6ec-18c03a818295/cant-promote-server-2012-r2-to-domain-controller-get-error-0xc000021a?forum=winserverDS

https://social.technet.microsoft.com/Forums/windowsserver/en-US/ebc71806-37ab-49c4-9218-9964b30d958a/0xc000021a-during-server-2012-r2-essentials-setup?forum=winserveressentials

http://community.spiceworks.com/topic/869314-warning-do-not-use-samsung-850-evo-ssd-with-windows-server-2012-r2

How to Configure a Custom Domain Suffix when Installing Windows 2012 R2 Essentials

For as long as I can remember, Microsoft’s Small Business Server (SBS) and Essentials Server would default to using .local for the internal domain suffix during installation. So, if your company name was Contoso, it would create Contoso.local as your internal domain.

And for me, using .local worked great all these years. The customer would still use .com (such as Contoso.com) for their public web site and for their email address. Contoso.local was strictly for internal DNS purposes.

But SSL Certificate authorities have announced that they will not issue new UCC/SAN SSL certificates that contain non-public local Intranet domain suffixes (such as .local) or IP addresses.

See the detailed announcements from these vendors: GoDaddy, DigiCert

So … the question was raised recently within my Microsoft MVP group: how does one install Windows Server 2012R2 Essentials with a custom internal domain suffix, since by default Essentials uses .local?

My good MVP friend, Robert Pearman, took the time to post a solution today on his blog site. He gives step by step instructions, along with screen shots:

http://titlerequired.com/2015/06/27/install-windows-server-essentials-with-a-custom-domain-suffix/

Here is a quick summary of the steps:

  • Perform the pre-install of Essentials 2012 R2
  • When the Essentials Configuration Wizard (ECW) starts up, click CANCEL.
  • From System Properties, change the name of your server
  • Now add Active Directory Domain Services as a server role (Server Manager > Manage > Add Roles and Features) and use all the defaults.
  • Then run the Post Deployment task and promote the server to a domain controller.
    • Select to create a new forest and enter your root domain name.
    • Note: many now suggest using a subdomain of your public domain name. So if your public domain is Contoso.com, you might use Corp.Contoso.com.
    • After the pre-requisite check, use the defaults to complete the install of the server role.
    • After the server has rebooted, login as the domain admin, and the ECW will start up again.

Backup fails in Windows Server 2012 Essentials

I have a customer running Windows 2012 R2 Essentials with Windows Server Backup scheduled to do twice daily backups. Recently it started reporting that the backup “Completed with warnings”.


I opened up Event Viewer, and under Application logs, I found this event 547 warning:

“The backup operation that started at {date & time} has encountered errors for the volumes ‘X:’. Log of files not successfully backed up at ‘C:\Windows\Logs\WindowsServerBackup\Backup_Error-{date & time}.log’”


So, I go to the specified log folder, and open up the log file and it reports that it could not back up some files – Error [0x80070005] Access Denied.


With this information in hand, I check Microsoft’s Support website, and sure enough, I found KB 2747459 that identifies this exact problem and lists two workarounds: Server backup process fails and “0x80070005” errors are logged in Windows Server 2012 Essentials

I chose to implement option 2 (Registry Edit). Please note that after editing the registry, you will need to reboot the server in order to implement the change.

Here are the steps as outlined in KB 2747459:

  1. In Registry Editor, locate the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup

  2. Right-Click FilesNotToBackup, point to New, and then click Multi-String Value
  3. Type IgnoreNTFS, and then press Enter
  4. Right-click IgnoreNTFS, and then click Modify
  5. In the Value data box, type \$Extend\* /s
  6. Click OK, and then close Registry Editor.
  7. Restart the server.


MVP Roadshow Tampa FL

The “Transform the Datacenter” MVP Roadshow was held at the Microsoft office in Tampa FL on Monday Sept 22, 2014. Many kudos to Adnan Cartwright. Due to an illness in the family with our first presenter (Telmo Sampaio), Adnan had to step in at the last minute to do both the first and second presentations.

Topics covered new features in Windows Server 2012 R2, Hyper-V 4.0, migrating from  Windows 2003, public/private/hybrid clouds, Azure and more. More than half of the presentations were live demos, with lots of questions throughout. One comment from an attendee: “I can’t wait to get into Azure!”.


Fix for Windows Server Essentials 2012R2 and Multi-DC released

Microsoft released an update (KB 2974308) today to address the issue where integrating Windows Server Essentials 2012 R2 with Microsoft Office 365 or Windows Azure Active Directory is blocked when you are in a multiple domain controller environment.

Until now, you could only integrate Windows Server Essentials with O365/Azure AD in a single domain controller environment.


Attempting to run the integration in a multiple DC environment would fail.

I’m proud of the work that our MVP group did in identifying this issue soon after the release of Essentials 2012 R2 last year.

SMB Nation 2014 to focus on Office 365

The 12th annual SMB Nation Fall conference is set for September 26-28, 2014, and will focus entirely on Office 365. The conference will be held at the Microsoft Redmond campus in Redmond, WA.

Harry Brelsford announced today that they are now taking reservations.

http://www.smbnation.com/content/news/entry/invest-forward-fall-conference-registration-open

I recall the excitement that surrounded his very first SMB Nation conference, which was held in Indianapolis, IN back in 2003.

https://kwsupport.com/2013/09/smbnation-2003-a-look-back/

If you have not attended an SMB Nation conference before, I would highly recommend it.