Hello,
i have server with 2 ip-adresses:
I want only 192.168.2.200 instead of 2, but i can`t find the place where to edit this.
There is nothing found here:
Howto fix this?
Thx
↧
2nd IP-adress on server, howto delete
↧
Windows 2012 Elevated Command prompt
I have an issue with a backup not running. Its a VSS backup that gets permissions denied to the VSS interface. I have added all the correct permissions the the VSS registry keys. i have also added Network Service to the Com+. I can run the backup manually through an elevated command prompt but the adhoc environment does not work correctly. My Questions are How come domain user added to all local permissions does not elevate automatically. Also is there a way to elevate it by default for all administrators users. (Secpol.msc shows elevate automatically for all administrators. but it does not work.)
Also the Local Administrator account works but we perfer to run our backups under one user. Can anyone answer these questions.
↧
↧
Trusted Root CA Problem...
Hi, this may not be posted in the correct forum, but I had some trouble trying to identify which the correct forum would be.
Basically when a Windows 8 Client machine, or a Windows Server 2012 machine for that matter joins our Server 2012 Domain, they seem to lose the ability to install any new Trusted Root Certification Authorities. Which makes browsing using IE a bit of a nightmare,
and also anything else that depends on CAPI2 for SSL certificate verification. Firefox of course is quite happy as it manages its own list of root CA's.
- Installing a new list of Trusted Root CA's from the Windows Update Catalog http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20update and more specifically http://catalog.update.microsoft.com/v7/site/ScopedViewInline.aspx?updateid=08b653ce-2c1b-40a1-ab0b-d4d7b79ba61c (Still can't actually verify that that does anything, its a bit useless)
- Tried deleting some certs from the C:\windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content and deleting certs from the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates and rebooting
- Tried some sort of command line cert magic with certutil.exe but I have to confess I didnt really know what I was doing, just following some suggestions
- Tried setting the Turn off Automatic Root Certificates Update group policy setting to disabled rather than Not Configured just in case.
- Verified that the WSUS Intranet Location was not set.
Additional information
- Client agent: Microsoft-CryptoAPI/6.2
- Object source: Internet (Source is the Internet. Object was added to the cache.)
- Cache info: 0x1300000 (Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header. Response includes the EXPIRES header.)
- Processing time: 312 MIME type: application/ocsp-response
None of this has had any impact. This is not the only machine exhibiting the problem, and when a machine is removed the from domain everything comes back to life, rejoin the machine and it resets the Tusted Root Certs list back to default and also won't install any new ones again.
I don't believe it's a connectivity issue, the problem still occurs outside of the network, and I can't identify denied traffic through our TMG firewall, or any traffic that looks "off" in wireshark on the local machine.
One other thing that I should mention is that we have a CA in house that is a kind of indeterminable state at the moment, but by my understanding that should impact the client verifying the cert chain.
Basically I am wondering if anyone has any idea as to what might cause the CAPI to not request new root certs from Windows Update like it should.
Any help would be most appreciated.
At present the following ROOT CA's are present in the machines Trusted Root CA store:
I can see the following:
| Allowed Connection | TP-TMG 1/30/2013 9:41:39 AM |
|---|---|
| Log type:Web Proxy (Forward) | |
| Status: 200 OK. | |
| Rule:Sauron Outbound | |
| Source:Internal (10.10.140.10:50060) | |
| Destination:External (115-104-148-198-dedicated.multacom.com 198.148.104.115:80) | |
| Request: GET http://198.148.104.115/sub/class1/server/ca/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBRlaIdPQHUPAWo0dWJeH1yT5aJtWAQU60I00Jiwq5%2F0G2sI98xkLu8OLEUCAwgFew%3D%3D | |
| Filter information:Req ID: 09d6bc63; Compression: client=No, server=Yes, compress rate=0% decompress rate=0% | |
| Protocol: http | |
| User: anonymous | |
Which is basically the Cypto API requesting the root cert (I think) and after that the browser seems to just start closing sockets.
In the CAPI2 log I get:
CAPI Retrieve Object From Network: (Which corresponds to the request above)
Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 30/01/2013 9:41:39 a.m.
Event ID: 53
Task Category: Retrieve Object from Network
Level: Information
Keywords: Automatic Root Update,Retrieval,Revocation,Path Discovery
User: TALOS\admin.ryan.clarke
Computer: F00009058-WIN8.talos.net.nz
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>53</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>53</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000036</Keywords>
<TimeCreated SystemTime="2013-01-29T20:41:39.981218000Z" />
<EventRecordID>24001</EventRecordID>
<Correlation ActivityID="{7695E01C-0129-0000-E3B8-400038050000}" />
<Execution ProcessID="1336" ThreadID="1464" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>F00009058-WIN8.talos.net.nz</Computer>
<Security UserID="S-1-5-21-3176498072-361222827-1563420157-1110" />
</System>
<UserData>
<CryptRetrieveObjectByUrlWire>
<URL scheme="http">http://ocsp.startssl.com/sub/class1/server/ca/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBRlaIdPQHUPAWo0dWJeH1yT5aJtWAQU60I00Jiwq5%2F0G2sI98xkLu8OLEUCAwgFew%3D%3D</URL>
<Object type="CONTEXT_OID_OCSP_RESP" constant="6" />
<Timeout>PT9.828S</Timeout>
<Flags value="202004" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL="true" CRYPT_PROXY_CACHE_RETRIEVAL="true" />
<AuxInfo maxUrlRetrievalByteCount="104857600" cacheFileNamePrefix="A27A0B5E1ECAAA01CC77385E9FA4AC43_" fProxyCacheRetrieval="true" />
<AdditionalInfo>
<NetworkConnectivityStatus value="1" _SENSAPI_NETWORK_ALIVE_LAN="true" />
<Action name="NoProxy" />
<HTTPRequestHeadersInfo>
<Header>GET /sub/class1/server/ca/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBRlaIdPQHUPAWo0dWJeH1yT5aJtWAQU60I00Jiwq5%2F0G2sI98xkLu8OLEUCAwgFew%3D%3D HTTP/1.1</Header>
<Header>Accept: */*</Header>
<Header>User-Agent: Microsoft-CryptoAPI/6.2</Header>
<Header>Connection: Keep-Alive</Header>
</HTTPRequestHeadersInfo>
<HTTPResponseHeadersInfo>
<Header>HTTP/1.1 200 OK</Header>
<Header>Cache-Control: max-age=86400, must-revalidate</Header>
<Header>Connection: Keep-Alive</Header>
<Header>Date: Tue, 29 Jan 2013 20:42:16 GMT</Header>
<Header>Via: 1.0 TP-TMG</Header>
<Header>Content-Length: 1609</Header>
<Header>Content-Type: application/ocsp-response</Header>
<Header>Expires: Wed, 30 Jan 2013 20:42:16 GMT</Header>
<Header>Proxy-Connection: Keep-Alive</Header>
<Header>Content-Transfer-Encoding: Binary</Header>
</HTTPResponseHeadersInfo>
</AdditionalInfo>
<CacheInfo lastSyncTime="2013-01-29T20:41:39.981Z">
<URLCacheResponseInfo responseType="CRYPTNET_URL_CACHE_RESPONSE_HTTP" maxAge="86400" proxyId="B2F4B523" />
</CacheInfo>
<RetrievedObjects>
<OCSPResponse fileRef="13A6CF0FC55A0A9D7D2A5F4A3EB515D97F7254F6.bin" />
</RetrievedObjects>
<EventAuxInfo ProcessName="iexplore.exe" />
<CorrelationAuxInfo TaskId="{288F615F-C92E-48D5-805D-9B0CA99A71CE}" SeqNumber="17" />
<Result value="0" />
</CryptRetrieveObjectByUrlWire>
</UserData>
</Event>
Then a Verify Revocation
Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 30/01/2013 9:41:39 a.m.
Event ID: 41
Task Category: Verify Revocation
Level: Information
Keywords: Revocation,Path Validation
User: TALOS\admin.ryan.clarke
Computer: F00009058-WIN8.talos.net.nz
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>41</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>41</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000005</Keywords>
<TimeCreated SystemTime="2013-01-29T20:41:39.981218000Z" />
<EventRecordID>24002</EventRecordID>
<Correlation ActivityID="{7695E01C-0129-0000-E3B8-400038050000}" />
<Execution ProcessID="1336" ThreadID="1464" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>F00009058-WIN8.talos.net.nz</Computer>
<Security UserID="S-1-5-21-3176498072-361222827-1563420157-1110" />
</System>
<UserData>
<CertVerifyRevocation>
<Certificate fileRef="949912667FA7E15E9B9B025A94FF28067939AB12.cer" subjectName="www.asafaweb.com" />
<IssuerCertificate fileRef="F691FC87EFB3135354225A10E127E911D1C7F8CF.cer" subjectName="StartCom Class 1 Primary Intermediate Server CA" />
<Flags value="4" CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG="true" />
<AdditionalParameters timeToUse="2013-01-29T20:41:39.247Z" currentTime="2013-01-29T20:41:39.247Z" urlRetrievalTimeout="PT19.656S" />
<RevocationStatus index="0" error="0" reason="0" actualFreshnessTime="PT1H40M30S" thirdPartyProviderUsed="C:\Windows\SysWOW64\cryptnet.dll" />
<OCSPResponse location="Wire" url="http://ocsp.startssl.com/sub/class1/server/ca/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBRlaIdPQHUPAWo0dWJeH1yT5aJtWAQU60I00Jiwq5%2F0G2sI98xkLu8OLEUCAwgFew%3D%3D" fileRef="13A6CF0FC55A0A9D7D2A5F4A3EB515D97F7254F6.bin" issuerName="StartCom Class 1 Primary Intermediate Server CA" />
<EventAuxInfo ProcessName="iexplore.exe" />
<CorrelationAuxInfo TaskId="{288F615F-C92E-48D5-805D-9B0CA99A71CE}" SeqNumber="18" />
<Result value="0" />
</CertVerifyRevocation>
</UserData>
</Event>
Now things go bad. CAPI2 Build Chain Error
Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 30/01/2013 9:41:39 a.m.
Event ID: 11
Task Category: Build Chain
Level: Error
Keywords: Path Discovery,Path Validation
User: TALOS\admin.ryan.clarke
Computer: F00009058-WIN8.talos.net.nz
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>11</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000003</Keywords>
<TimeCreated SystemTime="2013-01-29T20:41:39.981218000Z" />
<EventRecordID>24003</EventRecordID>
<Correlation ActivityID="{7695E01C-0129-0000-E3B8-400038050000}" />
<Execution ProcessID="1336" ThreadID="1464" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>F00009058-WIN8.talos.net.nz</Computer>
<Security UserID="S-1-5-21-3176498072-361222827-1563420157-1110" />
</System>
<UserData>
<CertGetCertificateChain>
<Certificate fileRef="949912667FA7E15E9B9B025A94FF28067939AB12.cer" subjectName="www.asafaweb.com" />
<ValidationTime>2013-01-29T20:41:39.247Z</ValidationTime>
<AdditionalStore>
<Certificate fileRef="F691FC87EFB3135354225A10E127E911D1C7F8CF.cer" subjectName="StartCom Class 1 Primary Intermediate Server CA" />
<Certificate fileRef="949912667FA7E15E9B9B025A94FF28067939AB12.cer" subjectName="www.asafaweb.com" />
</AdditionalStore>
<ExtendedKeyUsage orMatch="true">
<Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
<Usage oid="1.3.6.1.4.1.311.10.3.3" />
<Usage oid="2.16.840.1.113730.4.1" />
</ExtendedKeyUsage>
<Flags value="48000000" CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT="true" CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT="true" />
<ChainEngineInfo context="user" />
<AdditionalInfo>
<NetworkConnectivityStatus value="1" _SENSAPI_NETWORK_ALIVE_LAN="true" />
</AdditionalInfo>
<CertificateChain chainRef="{F639D75C-571E-456A-B2CE-57BC562C760A}" revocationFreshnessTime="P35DT21H41M49S">
<TrustStatus>
<ErrorStatus value="80010" CERT_TRUST_IS_NOT_VALID_FOR_USAGE="true" CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE="true" />
<InfoStatus value="10100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" CERT_TRUST_IS_COMPLEX_CHAIN="true" />
</TrustStatus>
<ChainElement>
<Certificate fileRef="949912667FA7E15E9B9B025A94FF28067939AB12.cer" subjectName="www.asafaweb.com" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
<TrustStatus>
<ErrorStatus value="0" />
<InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ApplicationUsage>
<Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
</ApplicationUsage>
<IssuanceUsage />
<RevocationInfo freshnessTime="PT1H40M30S">
<RevocationResult value="0" />
<StrongSignProperties signHash="RSA/SHA1" issuerPublicKeyLength="2048" issuerSignHashList="RSA/SHA1" />
<OCSPResponse location="Wire" url="http://ocsp.startssl.com/sub/class1/server/ca/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBRlaIdPQHUPAWo0dWJeH1yT5aJtWAQU60I00Jiwq5%2F0G2sI98xkLu8OLEUCAwgFew%3D%3D" fileRef="13A6CF0FC55A0A9D7D2A5F4A3EB515D97F7254F6.bin" issuerName="StartCom Class 1 Primary Intermediate Server CA" />
</RevocationInfo>
</ChainElement>
<ChainElement>
<Certificate fileRef="F691FC87EFB3135354225A10E127E911D1C7F8CF.cer" subjectName="StartCom Class 1 Primary Intermediate Server CA" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
<TrustStatus>
<ErrorStatus value="0" />
<InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ApplicationUsage any="true" />
<IssuanceUsage />
<RevocationInfo freshnessTime="P33DT9H42M38S">
<RevocationResult value="0" />
<StrongSignProperties signHash="RSA/SHA1" issuerPublicKeyLength="2048" issuerSignHashList="RSA/SHA1" />
<OCSPResponse location="Wire" url="http://ocsp.startssl.com/ca/MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBRBc6bT2N9qzRkeiWvn5WI5MHBpNQQUTgvvGqRAW6UXaYcwyjRoQ9BBrvICARg%3D" fileRef="B967E55B9D0DFE02DB1FFEB2D367A54B396740A0.bin" issuerName="StartCom Certification Authority" />
</RevocationInfo>
</ChainElement>
<ChainElement>
<Certificate fileRef="3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F.cer" subjectName="StartCom Certification Authority" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="4096" />
<TrustStatus>
<ErrorStatus value="0" />
<InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ApplicationUsage any="true" />
<IssuanceUsage>
<Usage oid="1.3.6.1.4.1.23223.1.1.1" />
</IssuanceUsage>
</ChainElement>
<ChainElement>
<Certificate fileRef="A930A42B89DB2C6D44E8EFFC06727348E2070B6C.cer" subjectName="Microsoft Certificate Trust List Publisher" />
<CertificateTrustList fileRef="B13FCDACE3D3F19383D2602B16911AA399880DAF.stl" issuerName="Microsoft Certificate Trust List Publisher" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
<TrustStatus>
<ErrorStatus value="10" CERT_TRUST_IS_NOT_VALID_FOR_USAGE="true" />
<InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ApplicationUsage>
<Usage oid="1.3.6.1.4.1.311.10.3.9" name="Root List Signer" />
</ApplicationUsage>
<IssuanceUsage />
<RevocationInfo freshnessTime="P35DT21H41M49S">
<RevocationResult value="0" />
<StrongSignProperties signHash="RSA/SHA1" issuerPublicKeyLength="2048" />
<CertificateRevocationList location="TvoCache" url="http://www.microsoft.com/pki/crl/products/MicCerTruLisPCA_2009-04-02.crl" fileRef="3F4AF142299409E2B3F29E57F6048A03A40694CC.crl" issuerName="Microsoft Certificate Trust List PCA" />
</RevocationInfo>
</ChainElement>
<ChainElement>
<Certificate fileRef="F77A3F82B7C4B3A9D869A93E3335CF1F78BC441E.cer" subjectName="Microsoft Certificate Trust List PCA" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
<TrustStatus>
<ErrorStatus value="0" />
<InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ApplicationUsage>
<Usage oid="1.3.6.1.4.1.311.10.3.1" name="Microsoft Trust List Signing" />
<Usage oid="1.3.6.1.4.1.311.10.3.9" name="Root List Signer" />
</ApplicationUsage>
<IssuanceUsage />
<RevocationInfo freshnessTime="P14DT18H53M19S">
<RevocationResult value="0" />
<StrongSignProperties signHash="RSA/SHA1" issuerPublicKeyLength="4096" />
<CertificateRevocationList location="TvoCache" url="http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl" fileRef="C18C08B576143387D9956F8049366903677497B6.crl" issuerName="Microsoft Root Certificate Authority" />
</RevocationInfo>
</ChainElement>
<ChainElement>
<Certificate fileRef="CDD4EEAE6000AC7F40C3802C171E30148030C072.cer" subjectName="Microsoft Root Certificate Authority" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="4096" />
<TrustStatus>
<ErrorStatus value="0" />
<InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ApplicationUsage any="true" />
<IssuanceUsage any="true" />
</ChainElement>
</CertificateChain>
<EventAuxInfo ProcessName="iexplore.exe" />
<CorrelationAuxInfo TaskId="{288F615F-C92E-48D5-805D-9B0CA99A71CE}" SeqNumber="19" />
<Result value="800B0110">The certificate is not valid for the requested usage.</Result>
</CertGetCertificateChain>
</UserData>
</Event>
Then CAPI2 Verify Policy Chain Error
Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 30/01/2013 9:41:39 a.m.
Event ID: 30
Task Category: Verify Chain Policy
Level: Error
Keywords: Path Validation
User: TALOS\admin.ryan.clarke
Computer: F00009058-WIN8.talos.net.nz
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>30</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>30</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000001</Keywords>
<TimeCreated SystemTime="2013-01-29T20:41:39.981218000Z" />
<EventRecordID>24004</EventRecordID>
<Correlation ActivityID="{7695E01C-0129-0000-E3B8-400038050000}" />
<Execution ProcessID="1336" ThreadID="1464" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>F00009058-WIN8.talos.net.nz</Computer>
<Security UserID="S-1-5-21-3176498072-361222827-1563420157-1110" />
</System>
<UserData>
<CertVerifyCertificateChainPolicy>
<Policy type="CERT_CHAIN_POLICY_SSL" constant="4" />
<Certificate fileRef="949912667FA7E15E9B9B025A94FF28067939AB12.cer" subjectName="www.asafaweb.com" />
<CertificateChain chainRef="{F639D75C-571E-456A-B2CE-57BC562C760A}" />
<Flags value="0" />
<SSLAdditionalPolicyInfo authType="server" serverName="www.asafaweb.com">
<IgnoreFlags value="0" />
</SSLAdditionalPolicyInfo>
<Status chainIndex="1" elementIndex="0" />
<EventAuxInfo ProcessName="iexplore.exe" /> <CorrelationAuxInfo TaskId="{288F615F-C92E-48D5-805D-9B0CA99A71CE}" SeqNumber="20" />
<Result value="800B0110">The certificate is not valid for the requested usage.</Result>
</CertVerifyCertificateChainPolicy>
</UserData>
</Event>
↧
App Tiles not showing for some users in RDS
Hi
We are testing RDS on Server 2012 (one physical server at present). We have a few users who have been using it since the start of the week no problem.
A couple of days ago I installed Office 2013 for further testing; people have been able to access this without issue, all of the Office Apps appearing as Tiles in the new Start Menu.
However any users that log onto to the server for the first time after the installation of Office 2013 do not see the Tiles in the Start Menu.
I'm not sure why this is or how to fix, does anyone have any ideas?
Many thanks
↧
WIndows 2012 Upgrade - Black Screen
Hi,
I was trying to upgrade from windows 2008 r2 sp1 DC to windows 2012. Once the installation is complete the system boots with black screen with a mouse cursor and stays like that. It does not display anything. I need to rollback the installation...
Any help would be appreciated
Thanks
↧
↧
Virtualization and Liscenses Windows Server 2012
Alright so, I am working as an intern as a System Administrator, or what they call a Configuration Specialist and I have been planning to make a home server for various purposes in my free time to help me get comfortable with the way it works.
My plan was to make a couple different servers for different purposes using a single host and then several guest servers(One for a project I am working on with several other people, one for my family, one as data storage and so on). I had wanted to do it on Windows Server 2012 but while trying to figure out what exactly each license entails and each little detail of what they allow, I have come to several questions I am struggling to find answers for.
First, on the standard license, which allows for two virtual servers only, does that include the host server? So in other words, can I have a host, and two guest servers, or only one host and a guest server with a standard license?
Second, does that only refer to "Server 2012" virtual servers, or any virtual servers. For instance, could I have Linux servers running to practice on and work on without extra costs, or does that license require I pay for each virtual server even if they are not windows?
Third, on newegg there is a product called Windows Server 2012 Standard- Additional License, which costs 10 dollars more approximately, what is the difference between this, and the base license?
And finally, on the new egg store, the Server options are marked as OEM, which the description in the product details seems to imply its meant for resale only. Does this mean as a home user I am not suppose to buy these copies?
Thank you in advance, Scott.
↧
Crypto folder size 13 gig and increasing - Server 2008 R2
We've noticed over the last few months the C:\Programdata\Microsoft\Crypto has increased in size and is currently 13gig in size and increasing daily. The 2008 R2 Server is currently running SCCM 2012 and WSUS. I have read that it may be a corruption or memory leak and that the fix is to remove and re-install IIS.
Any ideas?
thanks
↧
AD FS terminology
Hello!
20417 textbook, p.414:
"Attribute Store - An Attribute Store is used by AD FS to look up claim values. ..."
"Claims Providers - A Claims Provider enables one side of AD FS authentication and authorization process. ..."
Page 415:
"AD FS supports the following attribute stores:
1) ADAM 2) LDS 3) SQL 2005 3) SQL 2008 4) Custom - 5) AD DS
Page 425, "Configuring an Account Partner":
In B2B scenario terminology used to describe parties involved in AD FS deployment changed slightly. In this scenario, the claims provider organization is also called the account partner organization.An account partner organization is the organization in which user accounts are stored in an attribute store."
If the "Account Partner" is just another term for a claims provider why does it requre to storeuser accounts in an attribute store? Attribute store CAN store both user accounts AND claim values (AD DS) but it also possible to store user accounts in AD DS and claim values in SQL 2008, for instance.
Does it mean that the "Account Partner" is the claims provider that supportsonly AD DS as an Attribute Store?
Thank you in advance,
Michael
↧
Security Event logs wont allow me to change size in event viewer - GPO's show other max size then Event viewer does
I have several different servers (2008 R2 Standard) that in event viewer.. the Security log shows to have a max size of 61440000 kb. It will not allow me to change that to a smaller size. I get the following error message when I try to change it:
The Maximum Log Size specified is not valid. It is too large or too small. The Maximum Log Size will be set to the following: 61440000 KB
I have checked all applicable GPO's on my domain, and all are set to max log sizes of either 1, 2 or 4 gb. I have checked registry settings on the affected servers (HKLM/System/CurrentControlSet/services/eventlog/Security)
I have tried to find a solution in Technet, and just searching the 'net... but without success.
How would I reset the logs sizes to the default values? Is there a setting somethere that overrides all other settings for log sizes, and if so.. where is it?
Thanks in advance for any assistance you can provide.....
↧
↧
Direct Access NRPT
Hello!
20417 textbook ("Upgrade Your Skills to MCSA Windows Server 2012".), page 197:
1) "Some names need to be treated differently with regards to name resolution; these name should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers specified in the client's TCP/IP settings, you must add them as NRPT exemptions."
- so 1) NRPT exemptions = names that SHOULD NOT be resolved by using intranet DNS servers
2) 20417 textbook, page 199:
"How DirectAccess Works for Internal Clients
...
1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the NLS URL.
Because the FQDN of the NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess client instead sends the DNS query to a locally-configured DNS server (an intranet-based DNS server). The intranet DNS server resolves the name."
-so 2) according to the page 199 the name of the NLS server SHOULD be resolved by intranet DNS server because it corresponds to an exemption rule.
As far as I understand 1) and 2) can not be correct simultaneously - where is the mistake?
And the second question: if the name being resolved does not match the rule in an NRPT rule it will be resolved by theDNS servers specified in the client's TCP/IP settings (NOT intranet servers). In this case why do we have to use NRPT exemptions to direct the name resolution process to INTERNET DNS servers (as discussed in 1)?
Thank you in advance,
Michael
↧
IPAM Configure server Discovery
Hi everybody!
I have a problem just on fist steps on deploying IPAM
I have a server 2012 that is DHCP and DNS Server and of course it's DC(VmWare Virtual machine) and my domain name is test.net
I've installed another server 2012 named IPAM and i joined it to my domain test.net
then i deployed IPAM and when ever i want to start Configure server discovery i get this error:
"Failed to fetch domains in the enterprise"
"Current security context is not associated with an active directory domain or forest"
I don't know where is the problem?....everything is correct and in the right order
can any one help me to solve this issue?
thank you very much
best wishes!
↧
Server 2012 Essentials rebooting twice a day 0x00000133 error code
Everyday, twice a day, I will get a notification that my server 2012 essentials machine has been restarted unexpectedly. Blue screen viewer shows hal.dll caused the error as well as ntoskrnl.exe
hal.dllhal.dll+22e94fffff802`9fe0f000fffff802`9fe7b0000x0006c0000x50875a7910/23/2012 9:03:21 PMntoskrnl.exentoskrnl.exe+1d4143fffff802`9fe7b000fffff802`a05c40000x007490000x50ab0e6411/19/2012 11:00:20 PM
I've updated to the latest RSTe drivers, Intel i350 ethernet drivers, and asmedia vga drivers thinking it was a driver issue, but I am still having the same crashes everyday.
Motherboard: ASUS Z9PE-D16 CPU: 1x E5-2620 Memory: 24GB ECC DDR3 from the official memory list
↧
Windows Server Backup fails on Windows Server 2012
I have recently installed a new server that is running Windows Server 2012. Nobody is making a backup solution that works with Server 2012 yet. I have a free upgrade to Backup Exec 2012 R2 when it is released. (they tell me it is supposed to be released on Monday.) So I'm waiting patiently, but for now I was just going to use the Windows Server Backup feature to back up my volumes and system state to a network location. The network location is an older server that has an LTO 3 tape drive. Obviously the backup would then be backed up again on the LTO-3 tape. However, I can't seem to get a successful backup of the server. It will start off fine but then about half way through thte backup it stops. And I get an error message that says "Error: the specified network name is no longer available." I can't seem to figure out what is going on. Any help would be greatly appreciated.
Thanks,
Nate
↧
↧
IPAM Provisioning failed with the following error : Value cannot be NULL - Parameter Name: format
The operation Failed because of the following error
Value cannot be null
Parameter name: format
This happened after I installed IPAM server on 2012, decided I did not like
the GPO names, so De-installed IPAM and attempted to RE-install and now
it breaks when I attempt provision the IPAM server (for GPO
deployment). I really do not want to have to rebuild the server so would
appreciate some help here !!
↧
Dynamic Access Control issue with Retention - ownership
I am working on a retention pilot in my lab using Dynamic Access Control. My goal is to alert he file owner a week or so before the files expire. I got most of it working but there's a slight issue. When I look at the files properties the
owner is identified as the admin account which I am logged in as. Did I miss something? Any pointers on why the owner is changing?
↧
Cannot instal Akamai Download Manager in IE 10 with Windows8x64 Enterprise
Hi,
I have recently install Windows 8x64 Enterprise and I am trying to download another version of windows 8 from MSDN however I am not get Akamai download manager to install. It straight away takes me to IE download manager and the Pause button is greyed out.
Need help
Regards,
pritam
↧
2012 DirectAccess - 2x NICs behind Firewall
Hi All.
I have a question about setting up DA on a 2012 Server that has 2x NICs (LAN and DMZ).
The LAN NIC has an IP address of 192.168.1.24
The DMZ NIC has an IP address of 10.0.0.24 (Firewall is forwarding the public IP traffic to 10.0.0.24)
At first when I setup DA, I could not get the DA clients (all of which are Windows 7 Laptops) to see the DA server even though they were connected to the LAN (most of the Win7 clients are on a 192.168.80.x VLAN). The result was the Laptop clients Network Location switched to Public/Private and they were attempting to connect to the DA server as it they were external (which would fail because traffic can't go out the proxy, around and back in).
In troubleshooting the problem, we realised LAN connected clients (DA and non-DA enabled clients) could not PING the DA server internally. At this point, someone suggested adding a Default Gateway onto the internal LAN NIC of the DA server and this enabled PING internally - I wasn't entirely comfortable with this knowing the LAN NIC shouldn't also have a Default Gateway, however magically the DA clients were now able to PIN the DA server and immediately their Network Location switched back onto the Domain location.
(side note: Interestingly, I have another DA server implementation at a different site and the clients at that site also can't ping the internal LAN interface of their DA server and yet they don't have this problem.)
Now what we're seeing is intermittent/random DA client connection issues. Every now and then a DA client will come back to work from home, the user will try to connect to the corporate LAN (usually coming out of Sleep or Hybernation) and the clients network location won't switch onto the Domain profile. The odd thing is, whilst one client is having the problem, 10 other clients are working fine. Sometimes (but not always) a reboot of the system will fix it.
Can anyone point me in the direction of:
a) NIC configuration for a DA server with 2x NICs, one on the LAN and one behind a Firewall/NAT
b) any route entries required on the DA server when using 2x NICs and the internal LAN having multiple VLANs
c) any troubleshooting ideas?
Thanks
Ben
↧
↧
How do I Unblock IPAM Access?
I have deployed IPAM in a test environment and for the life of me cannot get it to function at all.
Please help?
My setup is like this: 8x server 2012 virtual machines. Single forest, single domain, single site. The servers involved in the IPAM setup are, DC1 and DC2 which are also DNS and DHCP servers. Then there is IPAM1 which is the IPAM server, as well as MS1 management server that has the IPAM client feature installed. I have domain isolation require inbound request outbound, but there is also an exclusion rule for the IP address range that contains the servers so they don't have to authenticate (I have found that doing otherwise breaks many and more things). I have verified these connection rules are propagated to all servers correctly. And everything else works except for IPAM.
I used the GPO provisioning method following the guide here:
http://technet.microsoft.com/en-us/library/hh831622.aspx
I did everything in the IPAM install section of that guide, in the order specified. I created the GPO's using the powershell command from the IPAM1 server. I waited a few minutes and ran gpupdate /force. I rebooted both DC1 and DC2. I get the status of "Unblock IPAM Access". And DHCP RCP Access Blocked, DHCP Audit Share Access Status Blocked, DNS RPC Access Status Unblocked, Event Log Access Status: Blocked (DNS). The same status for both DC1 and DC2.
I have verified that the GPO's exist and are named correctly. DC1 and DC2 are listed on all 3 GPO's in the security filtering section. I logged on to both DC1 and DC2 and verified that the firewall rules from the GPO's had been created. I verified that both DC1 and DC2 were members of the IPAMUG group, and that IPAMUG group was a member of the domain Event Log Readers group. I verified that the IPAM Server inbound rule existed on the IPAM1 server. It doesn't matter if I use the IPAM client from IPAM1 or MS1 servers.
When I run a Group Policy Results query, it shows that the GPO's are applying to DC1 and DC2 to create the firewall rules, but it also shows and AD / Sysvol version mismatch on all the IPAM GPO's. I've checked and they are sync'd correctly so I don't know why it is showing this? It doesn't seem to affect it as the policy is still being applied to both servers.
I read some other guides that used a simpler powershell command, simply the Invoke-IPAMGpoProvisioning without any switches. I completely removed IPAM and set it up again using the simpler powershell command. After this I verified all the same GPOs, firewall settings and group memberships. Everything looks correct. I have run gpupdate many times on both DC1 and DC2. I have rebooted them. I've done everything short of manually creating everything, but I can see all the firewall rules and group memberships so I think the GPO provisioning method is better because it is more automated, I'd rather stick with GPO method.
What am I doing wrong? What have I missed?
↧
questions about VPN and Edsge servers
Can a Domain COntroller be used as an edge server for remmote access / VPN?
Where can I find detailed instructions on how to setup remote access / VPN in Server 2012? all teh MS docs I found were too general
David Sheetz MCP
↧
Swap Hard Disk Drives
Hello everyone, I have a general question to the operation of Windows Server 2012. I'm planning to use Windows Server 2012 Essentials as a home server. I planned to build the system in a small pc-case, there is only space for 5 HDD 3.5" drives.
My question: Is it possible to swap the hard disks (one at a time) to extend the capacity of my storage pool? I thought about running all my virtual hard disks in parity mode, that way i could simply disconnect the one drive i want to replace to start the rebuild of Windows Server 2012 itself, is this possible? Or is there an easier way to do this?
Many thanks for your answers!
↧