Tag Archives: Windows Server 2008

How to Create a Certificate Request in Windows Server 2008 R2 for Use with Threat Management Gateway 2010

For a recent project I needed to create a certificate request for use with a new listener on Threat Management Gateway 2010. I wanted some specific criteria on the cert, so I really needed to use the Certificates snap-in in Windows to create the necessary .req file. I had a little difficulty getting this to work right at first, but it turns out there are just a couple of tricks to it.

First, open the Certificates snap-in for the local computer and navigate down to the Personal – Certificates certificate store. Right-click on it and go to All Tasks – Advanced Operations – Create Custom Request.

Click Next on the first information screen that comes up, and then verify that Proceed Without Enrollment Policy is highlighted on the following screen. Now Click Next.

Now, by default, the Template combo box has “(No Template) CNG Key” selected, but this won’t work for Threat Management Gateway, as it does not support CNG keys. So you need to change this to “(No Template) Legacy Key” and click Next (the default selection of PKCS #10 is fine).

On the next screen, you need to click the down arrow next to Details, which will expose the Properties button.

Click Properties and fill out the form with the following.

General Tab
Friendly Name – The friendly name is however you want to refer to the certificate. I usually use the full URL so I know exactly why I got this particular certificate, but you can use whatever you want.

Subject Tab
At a minimum you should use the same fields I have listed in Subject Name.

Alternative names are optional, but if you have other URLs that the certificate should be valid for, you would list them here. You need to verify that the type of certificate you intend to purchase from your certificate authority supports alternative names.

Extensions Tab
There are five subsections under this tab: Key Usage, Extended Key Usage, Basic Constraints, Include Symmetric Algorithm and Custom Extension Definition.

Under Key Usage, you would normally select Digital Signature and Key Encipherment. Your application may vary, but this is typically what you would use to publish a web site.

For Extended Key Usage, you’ll select Server Authentication and Client Authentication.

The final three you’ll leave as the defaults. Again, you may need them in some specific applications, but this is for publishing a web site or other web service.

Private Key
There are four subsections under this tab: Cryptographic Service Provider, Key Options, Key Type, and Key Permissions.

Under Cryptographic Service Provider, you can really select any one, but I typically use Microsoft RSA SChannel Cryptographic Provider (Encryption).

Under Key Options, you will probably want to change the key size to 2048, which is the new minimum for most SSL certificates. Any larger and you may have to pay more for your SSL certificate.

Personally, I generally select the option “Make Private Key Exportable” as this allows me to freely back up and move the key to other servers in the array.

The options under Key Type and Key Permissions can be left as the default. Again, under specific circumstances or for specific applications, you may need to set those options, but this is just for a published web site, nothing more.

Hit Apply and then OK, and that should take you back to this screen:

Click Next, select where you want the .req file stored, and you’re all done. After you have submitted the request to your Certificate Authority and received your signed certificate back, you can import it using the Certificates snap-in for Windows. At that point it will be available for assignment to a Listener in Threat Management Gateway.
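The same request, built with certreq.exe and an INF file instead of clicking through the snap-in, as an added example that is not part of the original post. It reproduces the settings described above (legacy RSA SChannel provider rather than a CNG key, 2048-bit exportable key, Digital Signature + Key Encipherment, Server and Client Authentication EKUs, subject alternative names) so the request parameters can be reviewed in a text file and repeated on other array members. The hostnames, subject fields and working folder are placeholders.

```powershell
# Added example: build a TMG 2010 listener certificate request with certreq.exe.
# Run from an elevated prompt on the TMG server so the key lands in the machine store.
$requestDir = 'C:\CertReq'                 # assumed working folder
$site       = 'www.example.com'            # placeholder: the published URL (subject CN)
$altNames   = @('mail.example.com')        # placeholder: extra hostnames the cert must cover

New-Item -ItemType Directory -Path $requestDir -Force | Out-Null

# KeyUsage 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20), the Extensions-tab
# selections above. ProviderType 12 with the RSA SChannel provider is a CAPI (legacy,
# non-CNG) key, which is what TMG 2010 needs. KeySpec 1 = AT_KEYEXCHANGE.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$site, O=Example Org, L=Example City, S=Example State, C=US"
FriendlyName = "$site"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"
"@

# Subject Alternative Name (OID 2.5.29.17): the site itself plus the extra hostnames,
# joined with '&' as certreq's {text} syntax expects.
$sanEntries = (@($site) + $altNames) | ForEach-Object { "dns=$_" }
$inf += "`r`n_continue_ = `"$($sanEntries -join '&')`""

$infPath = Join-Path $requestDir "$site.inf"
$reqPath = Join-Path $requestDir "$site.req"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the local machine store and write the PKCS #10 request.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review the request before sending it to the CA: key length, key usage, EKUs and SANs
# are all visible in the dump, so a wrong template is caught before you pay for a cert.
& certutil.exe -dump $reqPath
```

When the signed certificate comes back, `certreq.exe -accept <signed.cer>` installs it against the pending key in the machine store, which is the command-line equivalent of the snap-in import described above.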

How to Use Windows Server Backup to back up Exchange 2010 Database Availability Groups (DAG)

Unless you’re comfortable with entrusting your data to DAG & circular logging, backing up Exchange 2010 on a routine basis is critical in order to protect your data and truncate the database logs.

While Microsoft has several articles on using Windows Backup for Exchange 2010, none of them really spell out a start-to-finish solution for a DAG environment.

In order to configure Windows Backup for an Exchange 2010 environment employing DAGs, the following steps need to be accomplished:

  1. If not installed already, install the Windows Server Backup Feature, but NOT the command line tools (those are still 32-bit and incompatible)
  2. Uninstall the Windows Server Backup Features “Command-line Tools” if installed.
  3. Create a registry entry to disable the Microsoft Exchange Replication service VSS writer (see below for step-by-step).
  4. Restart the Microsoft Exchange Replication service.
  5. Set to Automatic and then start the Microsoft Exchange Server Extension for Windows Server Backup service.
  6. Configure your backup using Windows Server Backup (see below for step-by-step).

Registry Change

This was taken from http://technet.microsoft.com/en-us/library/dd876851.aspx which has additional information on using Windows Backup with Exchange 2010… I highly encourage everyone responsible for their Exchange environment to read it thoroughly:

If a server hosting the data being backed up is a member of a database availability group (DAG) and hosts both active and passive database copies, you must disable the Microsoft Exchange Replication service VSS writer. If the Microsoft Exchange Replication service VSS writer is enabled, the backup operation will fail.

To disable the Microsoft Exchange Replication service VSS writer, perform the following steps:

  1. Log on to the server by using an account that has local administrator access, and then start Registry Editor (regedit).
  2. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\ExchangeServer\v14\Replay\Parameters.
  3. Add a new DWORD value named EnableVSSWriter, and set its value to 0.
  4. Exit Registry Editor and then restart the Microsoft Exchange Replication service.
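Steps 3 to 5 of the checklist (the registry change above, the Replication service restart, and enabling the Windows Server Backup extension service) as one script with a verification pass, added here as an example that is not part of the original post or of Microsoft's articles. It assumes the Exchange 2010 service names MSExchangeRepl (Microsoft Exchange Replication) and WSBExchange (Microsoft Exchange Server Extension for Windows Server Backup), and that it is run from an elevated PowerShell prompt on each DAG member.

```powershell
# Added example: disable the Replication service VSS writer on a DAG member and enable
# the Windows Server Backup extension, then verify the result.
$replayKey = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\Replay\Parameters'

# Step 3: the DWORD EnableVSSWriter = 0 from the registry procedure above.
if (-not (Test-Path $replayKey)) { New-Item -Path $replayKey -Force | Out-Null }
New-ItemProperty -Path $replayKey -Name 'EnableVSSWriter' -Value 0 `
    -PropertyType DWord -Force | Out-Null

# Step 4: restart the Replication service so it re-reads the value.
Restart-Service -Name MSExchangeRepl -Force

# Step 5: set the WSB extension service to Automatic and start it.
Set-Service -Name WSBExchange -StartupType Automatic
Start-Service -Name WSBExchange

# Verification: registry value, service state/start mode (WMI, so it works on the
# PowerShell 2.0 that ships with Windows Server 2008 R2), and the VSS writer list.
$value = (Get-ItemProperty -Path $replayKey -Name 'EnableVSSWriter').EnableVSSWriter
"EnableVSSWriter = $value"
Get-WmiObject -Class Win32_Service -Filter "Name='MSExchangeRepl' OR Name='WSBExchange'" |
    Format-Table Name, State, StartMode -AutoSize

# After the change only "Microsoft Exchange Writer" should be registered; the Replication
# service's "Microsoft Exchange Replica Writer" must be gone or the backup will fail.
$writers = & vssadmin.exe list writers
if ($writers -match 'Microsoft Exchange Replica Writer') {
    Write-Warning 'Replica writer is still registered; confirm MSExchangeRepl actually restarted.'
} else {
    'Replica writer is disabled; this server is ready for Windows Server Backup.'
}
```

The vssadmin check is the one worth keeping in a runbook: a failed backup on a DAG member usually traces back to the Replica writer still being registered, and this shows it immediately rather than after a multi-hour backup job fails.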

Configure Windows Backup

You only need to specify the drives that have an Exchange database on them that you wish to back up. In my environment, I have one database per drive, and I only back up the drives that typically run the active copy of the database. That is, every Exchange mailbox server in my environment has a Windows Backup job configured to back up only the drives that have an active database. There is no reason to back up the passive database copies on every server.

By configuring it this way, the Exchange agent for Windows Backup automatically knows that you’ve backed up the database and will truncate the logs shortly after the backup completes on all servers in the DAG.

The following was taken from http://technet.microsoft.com/en-us/library/dd876854.aspx which has additional information on using Windows Backup with Exchange 2010… Again, I highly encourage everyone responsible for their Exchange environment to read it thoroughly:

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Mailbox recovery” entry in the Mailbox Permissions topic.

  1. Start Windows Server Backup.
  2. In the Actions pane, click “Configure Performance Settings…”
  3. Change the Performance Settings to Custom, and then configure at least your DAG volumes to Incremental, though I would recommend changing all volumes to Incremental (this will cause a fresh, full backup to occur every 14 days).
  4. In the Actions pane, click Backup Once. The Backup Once wizard appears.
  5. On the Backup options page, select Different options, and then click Next.
  6. On the Select backup configuration page, select the type of backup that you want, and then click Next.
    1. Select Full server (recommended) to back up all volumes on the server.
    2. Or, select Custom to specify which volumes should be included in the backup. If you select this option, the Select backup items page appears. Select the volumes to be backed up, and then click Next.
  7. On the Specify destination type page, select the location where you want to store the backup, and then click Next. If Remote shared folder is selected, the Specify remote folder page appears. Specify a UNC path for the backup files, and then do one of the following to configure access control settings:
    1. Select Do not inherit if you want the backup to be accessible only by a set of specified user credentials, and then click Next. Type a user name and password for a user account that has write permissions on the computer that is hosting the remote folder, and then click OK.
    2. Or, select Inherit if you want the backup to be accessible by everyone who has access to the remote folder, and then click Next.
  8. On the Specify advanced options page, select VSS full backup, and then click Next.
  9. On the Confirmation page, review the backup settings, and then click Backup.
  10. On the Backup progress page, you can view the status and progress of the backup operation.
  11. Click Close when the backup operation has completed.

Poor Video/Mouse Performance in VMware Console with Windows Server 2008 R2

An issue has been floating around that VMware Tools are not working as well as they should under Windows Server 2008 R2. This does not appear to be an issue if the tools are installed fresh on an installation, as opposed to being part of the SysPrep’d image or otherwise deployed during the server installation phase. The primary symptom is slow mouse performance in the VMware console.

The root cause of this is that Windows Server examines the hardware it is on and installs what it considers the appropriate drivers for the situation. It finds compatible default drivers of its own and therefore does not use the VMware drivers. Even though VMware Tools are running properly overall, they do not attempt to correct the video or mouse drivers.

In order to correct this, you need to manually replace the video and mouse drivers and then restart the server. Once this is done, video and mouse performance is greatly enhanced.

The proper video driver can be found at:

“C:\Program Files\Common Files\VMware\Drivers\wddm_video”

…and the proper mouse driver can be found at:

“%ProgramFiles%\VMware\VMware Tools\Drivers\mouse”

NOTE: For the mouse driver, once you browse to the proper driver folder, you will have to select “Let me pick from a list of device drivers installed on my computer” as opposed to just clicking “Next.” Windows Server 2008 R2 does not see the VMware driver as a better driver than its own.

Once both drivers are corrected, you will need to reboot your server. If you look in Device Manager, you should see “VMware SVGA 3D…” under Display Adapters and “VMware Pointing Device” under Mice and other pointing devices.
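A quick way to tell, before and after the driver swap, whether Windows is still running its own in-box display and mouse drivers, added here as an example that is not part of the original post. It only reads the signed-driver inventory through WMI (available on Windows Server 2008 R2) and lists the INF files in the two VMware Tools folders named above; it changes nothing. The folder paths are the ones given in the post; the expected provider string "VMware, Inc." is an assumption.

```powershell
# Added example: report which drivers are bound to the display adapter and the mouse
# and flag any that did not come from VMware.
$videoRoot = 'C:\Program Files\Common Files\VMware\Drivers\wddm_video'      # from the post
$mouseRoot = Join-Path $env:ProgramFiles 'VMware\VMware Tools\Drivers\mouse' # from the post

$devices = Get-WmiObject -Class Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'DISPLAY' -or $_.DeviceClass -eq 'MOUSE' }

$report = foreach ($d in $devices) {
    New-Object PSObject -Property @{
        Class    = $d.DeviceClass
        Device   = $d.DeviceName
        Provider = $d.DriverProviderName
        Version  = $d.DriverVersion
        InfName  = $d.InfName
        IsVMware = ($d.DriverProviderName -match 'VMware')   # assumed provider string "VMware, Inc."
    }
}
$report | Format-Table Class, Device, Provider, Version, InfName, IsVMware -AutoSize

# Expected after the fix: DISPLAY -> "VMware SVGA 3D", MOUSE -> "VMware Pointing Device".
# Anything else means the in-box driver won the ranking and the manual swap is still needed.
$stale = $report | Where-Object { -not $_.IsVMware }
if ($stale) {
    Write-Warning "In-box driver still bound for: $(($stale | ForEach-Object { $_.Class }) -join ', ')"
    # Show the INF files you will point Device Manager at for each class.
    foreach ($folder in $videoRoot, $mouseRoot) {
        if (Test-Path $folder) {
            "Driver INFs in $folder"
            Get-ChildItem -Path $folder -Filter *.inf | Select-Object -ExpandProperty FullName
        } else {
            "Folder not found: $folder (is VMware Tools installed?)"
        }
    }
} else {
    'Both display and mouse are using VMware drivers.'
}
```

Running it once on a freshly deployed template image, and again after the reboot, gives a before/after record for the change ticket and catches the case where the display driver was fixed but the mouse driver was skipped because “Next” was clicked instead of “Let me pick…”.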

Active Directory Architecture: How to Migrate DHCP from Windows Server 2003 to Windows Server 2008 R2

As part of a global initiative to migrate to a Windows Server 2008-based architecture, I have to migrate DHCP at numerous sites from Windows Server 2003 to Windows Server 2008 R2.

This procedure is covered in the Microsoft DHCP Server Migration Guide, but as usual it is all-encompassing and covers several different scenarios. I’ve decided to write a quick blog entry on (probably) the most common scenario… starting with a Windows Server 2003 (source server) and migrating to Windows Server 2008 R2 (destination server).

Fortunately, Microsoft created a tool set to make the migration of various domain services from 2003 to 2008 relatively easy. The Server Migration Tools can be used to migrate server roles, features, operating system settings, and other data and shares to computers that are running Windows Server® 2008 R2.

The first step is to prepare an installation package of the Server Migration Tools for a Windows Server 2003 environment. To do so, follow these steps:

  1. Log in to your new Windows Server 2008 R2 server
  2. Open a command prompt (make sure to Run as Administrator)
  3. Navigate to %Windir%\System32\ServerMigrationTools
    a. If your source server is Windows 2003 x86, run the following command – SmigDeploy.exe /package /architecture X86 /os WS03 /path c:\DHCPMig
    b. If your source server is Windows 2003 x64, run the following command – SmigDeploy.exe /package /architecture amd64 /os WS03 /path c:\DHCPMig
  4. Copy C:\DHCPMig to your Windows Server 2003 Source Server

We now need to get the Windows Server Migration Tools package registered (installed) on the Windows 2003 source server. To do so, ensure the Microsoft .NET Framework 2.0 and PowerShell 1.0 or later is installed on your 2003 server and follow these steps:

  1. Log in to your Windows Server 2003 source server
  2. Open a command prompt
  3. Navigate to the only sub-directory of the DHCPMig folder you created in the step above.
  4. Type the following: .\smigdeploy.exe

The “.\” tells Windows to run that command as a PowerShell command.

With the Server Migration Tools now installed, it’s time to actually export our DHCP server instance. To do so, follow these steps:

  1. Go to Start – All Programs – Administrative Tools – Windows Server Migration Tools and click on Windows Server Migration Tools. This opens a specific Windows PowerShell instance with the Migration Tools applet already loaded.
  2. Run the following command to export all DHCP settings: Export-SmigServerSetting -featureID DHCP -User All -Group -IPConfig -path c:\DHCPMig -Verbose
  3. It will prompt for a password to secure the file it is about to create. Choose a password and try not to forget it 🙂
  4. Now that DHCP is backed up to a file, you need to delete DHCP authorization from the source server so that it does not hand out any additional addresses. To do so, type the following command in the same PowerShell session: Netsh DHCP delete server
  5. Copy the svrmig.mig file that was created in step two to the same directory (I use c:\DHCPmig) on the destination server.

We now get to bring our new Windows Server 2008 R2 DHCP server to life, and to do so, do the following:

  1. Go to Start – All Programs – Administrative Tools – Windows Server Migration Tools and right-click on Windows Server Migration Tools and select “Run as Administrator.” This opens a specific Windows PowerShell instance with the Migration Tools applet already loaded.
  2. Run the following command to import all DHCP settings: Import-SmigServerSetting -featureid DHCP -Group -Force -path c:\dhcpmig -Verbose
    NOTE: If you do not already have DHCP installed, it will be installed by running this command. However, you may have to reboot and then run this command again to finish the migration
  3. Type in the password you set when exporting the settings from the source server.
  4. Run this command to start the DHCP Server: Start-Service DHCPServer
  5. Run this command to authorize the new DHCP Server: netsh DHCP add server

That’s it! You have now successfully migrated DHCP from your Windows Server 2003 source server to your new Windows Server 2008 R2 destination server.
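The destination-server half of the procedure (the last five steps) as a single script with the pre-checks and post-checks the step list leaves to the operator, added here as an example that is not part of the original post or of the Microsoft migration guide. It assumes the Windows Server Migration Tools snap-in name Microsoft.Windows.ServerManager.Migration (what the Start menu shortcut loads), the c:\DHCPMig folder used in the post, and placeholder values for the new server's FQDN and IP address, which netsh needs to authorize it in Active Directory.

```powershell
# Added example: import, start and authorize DHCP on the Windows Server 2008 R2
# destination server. Run from an elevated PowerShell prompt on that server.
$migPath     = 'C:\DHCPMig'                  # folder holding svrmig.mig copied from the source
$newDhcpFqdn = 'dhcp01.corp.example.com'     # placeholder: destination server FQDN
$newDhcpIp   = '10.0.0.10'                   # placeholder: destination server IP address

# Pre-check: the export file must be in place before anything else is attempted.
if (-not (Test-Path (Join-Path $migPath 'svrmig.mig'))) {
    throw "svrmig.mig not found in $migPath - copy it from the source server first."
}

# Load the migration cmdlets (assumed snap-in name; this is what the shortcut does).
if (-not (Get-PSSnapin -Name Microsoft.Windows.ServerManager.Migration -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name Microsoft.Windows.ServerManager.Migration
}

# Import the DHCP settings; this prompts for the password chosen at export time.
# If the DHCP role was not installed yet, this installs it, and as the post notes a
# reboot followed by a second run of the same command may be needed.
Import-SmigServerSetting -FeatureId DHCP -Group -Force -Path $migPath -Verbose

# Start the DHCP Server service and make sure it comes back after reboots.
Set-Service -Name DHCPServer -StartupType Automatic
Start-Service -Name DHCPServer

# Authorize the new server in Active Directory (netsh dhcp add server <FQDN> <IP>).
& netsh.exe dhcp add server $newDhcpFqdn $newDhcpIp

# Post-checks: service state, the list of authorized servers, and the scopes that
# came across, so you can confirm the migration before clients start renewing.
Get-WmiObject -Class Win32_Service -Filter "Name='DHCPServer'" |
    Select-Object Name, State, StartMode
& netsh.exe dhcp show server
& netsh.exe dhcp server show scope
```

The scope listing at the end is the check that matters: an import that "succeeded" but brought across no scopes, or scopes in a deactivated state, is the usual reason clients fail to lease addresses after the old server has been de-authorized.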