Archive for the ‘Windows 2008 R2’ Category

Creating a wildcard webserver certificate with your internal Microsoft CA

April 4, 2014 4 comments

It is sometimes necessary to issue a wildcard certificate from your internal Microsoft CA. I had such a requirement this week and thought it would make a nice blog post.

The post assumes you have an Enterprise CA already deployed and a web server template deployed and available for enrolment.

First we need to create the certificate request that will be submitted to your CA.

1. Log on to a Windows 2008 R2 or Windows 7 domain member

2. Open the certificates MMC snap-in

 


Now create the certificate request

3. Right click the Certificates folder which is found under the personal folder

4. Select All Tasks > Advanced Options > Create Custom Request

 


5. In the Certificate Enrolment Wizard Click Next


6. In the Certificate Enrollment Page select Custom Request > Proceed without enrolment Policy and then select Next

 


7. In the Custom Request Page select (No template) Legacy Key from the drop down and then select Next

8. On the Certificate Information Page select the Details link, then select the Properties button

9. On the General tab complete the Friendly name field and optionally you can add a description for the certificate.

 


10. Select the Subject tab and fill in the relevant information as described below

 

| Field | Value | Description |
| --- | --- | --- |
| Common Name | *.contoso.com | The name of the certificate. This field is used to identify the certificate. Adding the * before the domain name indicates a wildcard certificate for that domain. |
| Organizational Unit | IT | The name of the OU. In most cases this is the IT department. |
| Organization | Contoso Corp | The name of the organization the certificate is for. |
| Location | Seattle | The registered location of the organization. |
| State | WA | The County/State of your organization. |
| Country | US | The country of your organization. |

 


 

11. Select the Extensions tab

12. In Key usage select Digital signature and Key encipherment

13. On the Private Key tab set the key size to 4096 and select the option Make private key exportable.

 


14. Under Key type select Exchange

15. Select OK

 


15. On the certificate Information page select Next


16. Save the request file

That’s the certificate request file done, which was nice and easy even though there were a number of steps. Next we need to use this request to generate the certificate on the CA.

 

17. Browse to your internal CA web enrollment pages

18. Select Request a certificate


19. Select advanced certificate request

 


20. Select the Submit a certificate request link

 

21. Open the previously created request file in Notepad and copy all the data in it to the clipboard.

22. Paste the clipboard into the Saved Request box

23. Select the web server template

24. Click submit

25. You might get a popup box asking for confirmation, select yes

When the CA has done its job it will offer you the ability to download the certificate

26. Select Base 64 and select Download certificate

 

Now back in the local machine's Certificates snap-in

27. Right click the Certificates folder in the personal folder store and select import and import the file you downloaded from the CA

 

Now check the certificate store; you should see a valid certificate with a private key
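The same request can be scripted with certreq.exe instead of the MMC wizard and the web enrolment pages. This is an added example, not part of the original post; the template name `WebServer`, the friendly name and the working folder are assumptions to adjust for your CA.

```powershell
# Added example: scripted equivalent of the request, submit and import steps above.
$work = Join-Path $env:TEMP 'wildcard-req'          # assumed working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'wildcard.inf'
$req = Join-Path $work 'wildcard.req'
$cer = Join-Path $work 'wildcard.cer'

# Request policy mirroring the Subject, Extensions and Private Key tabs.
# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=*.contoso.com, OU=IT, O=Contoso Corp, L=Seattle, S=WA, C=US"
; Friendly name is a constructed value
FriendlyName = "Wildcard contoso.com"
KeyLength = 4096
; KeySpec 1 = AT_KEYEXCHANGE (Key type: Exchange)
KeySpec = 1
; 0xA0 = Digital signature (0x80) + Key encipherment (0x20)
KeyUsage = 0xA0
Exportable = TRUE
; FALSE = key and pending request live in the current user's store
MachineKeySet = FALSE
RequestType = PKCS10
'@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and the PKCS#10 request file.
certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Submit to the CA; 'WebServer' is assumed to be the web server template's name.
certreq.exe -submit -attrib 'CertificateTemplate:WebServer' $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# Install the issued certificate and bind it to the pending private key.
certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Confirm the certificate landed in the Personal store with its private key.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject.StartsWith('CN=*.contoso.com') } |
    Select-Object Subject, HasPrivateKey, NotAfter, Thumbprint
```

If more than one CA is published in the directory, `certreq -submit` shows a selection dialog unless you pass `-config "<CA host>\<CA name>"`.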

 


System Centre Virtual Machine Manager 2012 R2 The object was not found on the server

October 30, 2013 1 comment

Issue:

When setting or amending a configuration setting in SCVMM 2012 R2 against a Hyper-V Clustered VM I got an error which looked something like

 

Error (2915)

The Windows Remote Management (WS-Management) service cannot process the request. The object was not found on the server (SERVER NAME)

Unknown Error (0x80338000)

This put the VM in the console into a failed state. The natural first action is to try to repair the VM, which generates another error that looks like:

Error (12711)

VMM cannot complete the WMI operation on the server (HOST Server Name) because of an error (MSCluster…….) The cluster resource could not be found.

the cluster resource could not be found (0x138F)

 

1. Log on to one of the host servers and from a PowerShell session run:

2. Import-Module FailoverClusters

Get-ClusterResource -Cluster CLUSTERNAME | Where-Object { $_.ResourceType.Name -eq 'Virtual Machine Configuration' } | Update-ClusterVirtualMachineConfiguration

3. From the VMM console, refresh the cluster

4. From the VMM console, repair the VM

How to Extend a Windows 2012 R2 CSV volume

October 29, 2013 Leave a comment

Just had to extend a CSV volume in our Windows Server 2012 R2 cluster due to low available disk space that was alerted by SCOM.

The good news is that it was the same process as on Windows Server 2008

1) Increase size of LUN on your storage.
2) RDP to current CSV owner
3) run diskpart from Command Prompt
3.1) rescan
3.2) list volume
3.3) select volume 4
3.4) extend
3.5) list volume

Configure Netscaler Management for SSL with Trusted Certificate Part1

September 14, 2012 Leave a comment

So here is a scenario: you have two Citrix Netscaler VPX devices configured as a HA pair and you need to manage that pair over SSL for whatever reason. The devices are installed out of the box with a self-signed certificate, which may be fine in a dev environment but is not really best practice in production. Also, with Microsoft’s Internet Explorer 10 you will find you cannot even manage the box, as it no longer gives you the option to accept the untrusted certificate and continue. You will also find that this could break applications such as System Centre 2012 Virtual Machine Manager.

So what to do? Well, you need to get a trusted certificate, but pause for a moment, you may want a little more. In this scenario we have two devices, so what if you wanted the ability to log on not only to the active device but also to the standby? For that you are going to need a certificate with Subject Alternative Names (SAN); this will enable you to connect to the device by the individual device name and by the Virtual IP address shared by the devices.

Note: I am going to be using FQDNs to access the device and not just an IP address

You need to have each node's management name (whatever you put in the browser to get to the device) and IP address in DNS, not forgetting the shared Virtual IP.

You need to have a valid certificate, with all the FQDNs listed as SANs, that is trusted by all devices that will connect using SSL.

You then need to import the certificate into the Netscaler and map it to the management services.

Sounds easy, but it took me a while to put all this together.

Step 1 Get a Certificate

I am using Microsoft 2008 R2 Certificate Services and using the guide here I generate a certificate for use on the Netscalers.

1. Log on to the server as a member of the local Administrators group.

2. Click Start.

3. In the Search programs and files box, type mmc.exe, and press ENTER.

4. On the File menu, click Add/Remove Snap-in.

5. In the list of available snap-ins, click Certificates, and then click Add.

6. Click Computer account, and click Next.

7. Click Local computer, and click Finish.

8. Click OK.

9. In the console tree, double-click Certificates (Local Computer), and then double-click Personal.

10. Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Enrolment wizard (in my case, “Active Directory Enrollment Policy”).

11. Click Next.

12. Select the Web Server template. Click the warning icon below it that reads “More information is required to enroll for this certificate. Click here to configure these settings.”

13. In the Subject name area under Type, click Common Name.

14. In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.

15. In the Alternative name area under Type, click DNS.

16. In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.

17. Repeat steps 15 and 16 above for each additional SAN that you require.

18. On the Private Key tab, ensure you enable “Make private key exportable”.

19. Click OK when finished.

20. Click Enroll

It should have looked something like the below


 

Checking the certificate we can see all the names listed (awesome)
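The same check can be done from PowerShell before exporting, so a missing node name is caught before the certificate reaches the appliance. This is an added example, not part of the original post; the three FQDNs are constructed placeholders, and the "DNS Name=" label assumes English-language Windows.

```powershell
# Constructed names for illustration: both nodes plus the shared management VIP.
$expected = 'ns01.contoso.com', 'ns02.contoso.com', 'nsmgmt.contoso.com'

function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.17 is the Subject Alternative Name extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($true) yields one entry per line, e.g. "DNS Name=ns01.contoso.com".
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLowerInvariant() }
    }
}

# Newest certificate in the computer's Personal store whose CN is the first expected name
# (step 14 puts the server FQDN in the Common Name).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ('^CN=' + [regex]::Escape($expected[0])) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate found for $($expected[0])" }

$san     = @(Get-SanDnsName $cert)
$missing = @($expected | Where-Object { $san -notcontains $_ })

# A certificate without its private key cannot be exported to a usable PFX.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no private key in this store.'
}
if ($missing.Count -gt 0) {
    Write-Warning ('Missing from SAN: ' + ($missing -join ', '))
} else {
    Write-Output ('All expected names present: ' + ($san -join ', '))
}
```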


We next need to export this certificate and prepare it for upload into the Netscaler devices

Click export to file and follow the wizard, ensuring you select Yes to exporting the file and Include all certificates in the certification path if possible. The end result is a pfx file.

This file is no good for the Netscaler as it wants a PEM file, so we need to convert it.

Part 2

Can’t Join to a Windows 2008 R2 Cluster “The Computer is Joined to a Cluster”

Well here was an interesting one. I built two brand new cluster nodes and attempted to create a cluster, but when I selected the two nodes the UI provided an error with “The Computer “NAME” is Joined to the cluster”

This was weird as I had only just built them. Anyway, it turns out that the Cluster service was set to automatic whereas it should have been disabled; go figure, something must have changed when I was not looking……

 

Change the service to disabled and you are all set


Add possible Owner to a Cluster Shared Volume

April 11, 2012 2 comments

Another interesting issue this evening. Today I added a Hyper-V host server to an existing cluster using System Centre Virtual Machine Manager 2012 (which rocks BTW). As part of the process to add the node you click a button to say add this node to this cluster and provide some credentials, and off it goes and performs some validation tests before actually adding it to the cluster. This is great, I hear you say….. In this case the node was added to the cluster and I started to check to make sure everything was OK before loading the bad boy/girl up with VMs, when I happened to notice that the CSV LUNs were not attached. It puzzled me how VMM 2012 thought this was OK……

Anyway, I connected the LUNs and proceeded to load him/her up, and moved on to the next node to take out of the cluster for maintenance. As part of this process I wanted to move the owner of a CSV disk first, so I went into Failover Manager, found the CSV resource and selected migrate to other node…. only to be presented with

 

Operation has failed.

The action ‘Move to node <nodename>’ did not complete

Error code: 0x80071398. The operation failed because either the specified cluster node is not the owner of the group, or the node is not a possible owner of the group

 

Uh oh. I have had enough problems with this cluster/SAN/CSVs (that’s another story; put it this way, one of the CSVs ‘lost’ its partition information). I surmised that because the CSVs were not presented to the server when it joined the cluster it may not have updated the “Possible Owners list”, and sure enough this server was missing. A few commands later and we are back in business.

Note: the commands need to be run from an admin command prompt

 

To tell who are the possible owners run:

Cluster res <resource name> /listowners

 

To add a server to the list

Cluster res <resource name> /addowner:<servername>

 

Hope this helps

Categories: Hyper-V, SCVMM, Windows 2008 R2 Tags:

WDS Windows Cannot install required Files

March 14, 2012 1 comment

Well here was an interesting one today. We use WDS in the datacentres to assist with the provisioning of servers, so today I had to build 2 new servers ready for tomorrow. I booted up the servers after configuring the network switches and pressed F12 at the appropriate time to get into the WDS system. I selected the OS I wanted and the system went ahead and started to install the server; however, during the expansion part of the process I was presented with the error “Windows cannot install all files required for installation are available…….. Error code 0x80070570”

 


After a little digging around it seems that the Res.RWM may have become corrupt; the easiest solution was to remove the Image Group and recreate it. For me this was OK as I had the original wim files safely backed up.

 

Deleting and recreating the Image Group fixed the issue.

Categories: WDS, Windows 2008 R2