Windows Server 2012 Evaluation – convert & activate to fully licensed

So I’m at the end of the trial period for Windows Server 2012, and having bought a volume license for the Datacenter edition, I need to activate it. Microsoft have taken away the ability to change product keys through Control Panel -> System, so we have to use the command line.

I’ve read a lot of articles out there on this, which generally don’t work, presenting an error when you try to process your new key using the slmgr command line tool.

First of all, you need to establish your exact currently installed edition. From an elevated command prompt, run the following command:

DISM /online /Get-CurrentEdition

In amongst the blurb that appears on screen, it will tell you your current edition (in my case ServerDatacenterEval). Make a note of this – you will use it in the next command with the trailing ‘Eval’ bit omitted.

With your license key to hand, now run the following command:

DISM /online /Set-Edition:ServerDatacenter /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

The edition name and product key in the command above need to be replaced with your own specific values (remember to drop the ‘Eval’ bit for the Set-Edition). I believe you can also use this as an opportunity to upgrade to a higher edition, for example using the /Set-Edition switch to go from Standard up to Datacenter. The /AcceptEula switch allows the system to silently accept the Microsoft license agreement.

When you run this command, your system will need to restart once or twice. Thereafter (if it doesn’t happen automatically) you will be able to activate with your newly provided key from Control Panel -> System or using the slmgr tool, and you will now be running your licensed copy :)
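As an added example (not the post’s own commands), this PowerShell script wraps the two DISM steps above: it reads the current edition, drops the trailing ‘Eval’, checks that DISM actually lists the result as a valid target edition, and only then runs /Set-Edition. The $ProductKey parameter and the 25-character key pattern are my own; the DISM output formats it parses are the ones DISM prints.

```powershell
# Added example, not part of the original post. Wraps the two DISM steps above:
# read the current edition, drop the trailing "Eval", check that DISM lists the
# result as a valid target edition, and only then run /Set-Edition.
# $ProductKey is a placeholder for your own volume license key.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$')]
    [string]$ProductKey
)

# DISM prints a line of the form "Current Edition : ServerDatacenterEval".
$match = & dism.exe /online /Get-CurrentEdition |
    Select-String -Pattern '^Current Edition\s*:\s*(\S+)' | Select-Object -First 1
if (-not $match) { throw 'Could not read the current edition from DISM output.' }
$current = $match.Matches[0].Groups[1].Value

if ($current -notmatch 'Eval$') {
    Write-Host "'$current' is not an evaluation edition; nothing to convert."
    return
}
$target = $current -replace 'Eval$', ''

# Only editions DISM lists under /Get-TargetEditions are accepted by /Set-Edition.
$targets = & dism.exe /online /Get-TargetEditions |
    Select-String -Pattern '^Target Edition\s*:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
if ($targets -notcontains $target) {
    throw "DISM does not offer '$target' as a target edition. Available: $($targets -join ', ')"
}

Write-Host "Converting $current -> $target (expect one or two reboots)..."
& dism.exe /online "/Set-Edition:$target" "/ProductKey:$ProductKey" /AcceptEula
if ($LASTEXITCODE -ne 0) { throw "DISM /Set-Edition failed with exit code $LASTEXITCODE" }
```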

Use OpenSSL & Windows to Convert UCC / SAN certificate from .crt / .key format to a .pfx for Exchange 2010

This post assumes you have already completed the process of getting a signed certificate issued and installed on a Linux / Apache server, and that you would like to convert that certificate to install and use on an additional Exchange 2010 server. The cheapest UCC (multiple FQDN on the same certificate) I’ve found is with GoDaddy.

Download a Windows implementation of OpenSSL from here: http://www.openssl.org/related/binaries.html. I recommend getting the full 32-bit version, and you will most likely need the ‘Visual C++ 2008 Redistributables’ as well. Install OpenSSL to C:\OpenSSL or another location that is convenient to you. Make sure you run Windows Update post install, to check for any security patches for the C++ 2008 redistributable you’ve installed.

With OpenSSL installed, you will need to get copies of the public and private keys downloaded that make up your certificate config. These will be stored somewhere on your existing web server. I have a VPS with Host Gator, which uses a pretty typical Linux distribution called CentOS, and which can be accessed via SSH / Secure FTP. I personally connect up using a secure channel through FireFTP, a free addon for Firefox. It is essential you use secure means for all file downloads, as interception would completely compromise your certificate’s security. And don’t do this on a public / shared PC!

Having connected to your web server, browse to /etc/ssl from the folder root. Here there should be a folder called certs, which you need to download one or two files from. Find and download your certificate, in the form of domain.com.crt and, if applicable, your Certificate Authority’s bundle, normally in the form of domain.com.cabundle. Download these files to C:\OpenSSL\bin.

Additionally, within /etc/ssl you will also find a folder called private, and within here you need to locate your private key file, listed in the form of domain.com.key. Also download this to C:\OpenSSL\bin.

Fire up a Windows Command Line (cmd) and type cd C:\OpenSSL\bin

Then type openssl to start the OpenSSL command line. At this prompt, enter the following command, replacing the file entries with your own appropriate ones:

pkcs12 -export -out domain.com.pfx -inkey domain.com.key -in domain.com.crt -certfile domain.com.cabundle -name "Friendly Name"

This will take your existing certificate, private key and Certificate Authority bundle, and generate a pfx file compatible with Exchange 2010 / Windows (the -name switch defines the friendly name for the certificate, as it will appear in your Exchange Management Console later). You will be prompted to enter a password twice – keep a note of this, as you’ll need it later.

The generated .pfx file will now be residing in C:\OpenSSL\bin. Move it to a location where your Exchange Server will be able to access it (such as a secured network share).

From your Exchange Server, load up the Exchange Management Console, and navigate to the root of Server Configuration. Look to the right-hand pane for the Import Exchange Certificate … link. Click this link, locate your pfx file, enter the password you set, then complete the wizard to import the certificate. You now just need to bind the Exchange services (such as SMTP) you would like associated with this certificate.

I STRONGLY recommend you now delete all of the leftover files you downloaded from your web server or generated with OpenSSL to complete this task, and the job is done! :)
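As an added example (not the post’s own commands), this PowerShell script wraps the same openssl pkcs12 invocation and adds the checks I would want around it: it refuses to export if the downloaded private key does not belong to the certificate, confirms the resulting .pfx opens in Windows, and deletes the downloaded key material afterwards. The paths, file names and friendly name are assumptions taken from the post’s examples.

```powershell
# Added example, not part of the original post. Assumes the OpenSSL Windows
# build from the post is installed at C:\OpenSSL\bin and that the three files
# downloaded from the web server sit in the same folder (names are placeholders).
$openssl  = 'C:\OpenSSL\bin\openssl.exe'
$workDir  = 'C:\OpenSSL\bin'
$key      = Join-Path $workDir 'domain.com.key'
$crt      = Join-Path $workDir 'domain.com.crt'
$caBundle = Join-Path $workDir 'domain.com.cabundle'
$pfx      = Join-Path $workDir 'domain.com.pfx'

# 1. Refuse to export if the private key does not belong to this certificate.
#    For an RSA key, the modulus printed for the cert and the key must match.
$certMod = & $openssl x509 -noout -modulus -in $crt
$keyMod  = & $openssl rsa  -noout -modulus -in $key
if ($certMod -ne $keyMod) {
    throw 'Private key does not match the certificate; wrong file downloaded?'
}

# 2. Build the PKCS#12 bundle. The export password is typed at openssl's prompt
#    rather than passed on the command line, where it would show up in the
#    process list and in command history.
& $openssl pkcs12 -export -out $pfx -inkey $key -in $crt `
    -certfile $caBundle -name 'mail.domain.com (UCC)'
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

# 3. Confirm Windows can open the result and show the names it covers.
#    Get-PfxCertificate prompts for the password set in step 2.
$cert = Get-PfxCertificate -FilePath $pfx
Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { Write-Host ("SANs    : " + $san.Format($false)) }

# 4. The key material must not stay on this PC: remove the downloaded files now,
#    and remove the .pfx itself once it has been copied to the Exchange server.
Remove-Item -LiteralPath $key, $crt, $caBundle -Force
Write-Host "Done. Copy $pfx to the Exchange server, import it, then delete it here."
```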

Can’t remove System Center 2012 Endpoint Protection client (it just keeps reinstalling)

Even after removing all traces of System Center 2012 from our AD network, when I uninstalled the client software from each user system, within a few hours (or post a reboot) the software would mysteriously regenerate and come back. Simply uninstalling the client is not enough. Here’s what you need to do.

Working on the assumption you are using Windows 7, go into Control Panel and select Programs and Features. Uninstall:

System Center 2012 Endpoint Protection Client.
Windows Firewall Configuration Provider

Having done this, load up the command line (cmd) with administrative privileges (search for it and right click to get this option). Then type in the following commands at the prompt:

cd c:\windows\ccmsetup
ccmsetup /uninstall

The cursor will just return without any confirmation of completion. I found it took up to 10 minutes for the uninstall to release a lock on the setup files (and presumably this long to actually carry out the uninstall). So after 10 mins, close the command line window, and do a search for %windir%. In that very folder, you should find two folders, CCM and ccmsetup. Highlight and delete them. You should be prompted for admin authorisation, and then (if the uninstall is truly complete) you should see them delete. Otherwise, try to repeat the deletion after a few more mins. If you see a folder called ccmcache, the uninstallation is definitely still running.

After this, reboot your PC, and you should finally be free of the System Center 2012 Endpoint Protection client (assuming you haven’t set it up to reinstall by Group Policy or an Active System Center server).
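As an added example (not the post’s own steps), this PowerShell script automates the sequence above: it runs ccmsetup /uninstall, then waits until the background ccmsetup.exe process has gone and the ccmcache folder has disappeared (the post’s signs that the uninstall is still running) before deleting the CCM and ccmsetup folders, retrying if a lock is released late. The 20-minute ceiling and retry counts are my own choices.

```powershell
# Added example, not part of the original post: run ccmsetup /uninstall, then
# wait for the background uninstall to actually finish (instead of guessing at
# 10 minutes) before removing the leftover folders. Run from an elevated
# PowerShell prompt. The 20-minute ceiling is my own choice.
$ccmSetup = Join-Path $env:windir 'ccmsetup\ccmsetup.exe'
if (-not (Test-Path -LiteralPath $ccmSetup)) { throw "ccmsetup.exe not found under $env:windir\ccmsetup" }

# The /uninstall call returns at once; the real work continues in a background
# ccmsetup.exe process, and ccmcache exists while that work is still running.
Start-Process -FilePath $ccmSetup -ArgumentList '/uninstall' -Wait
$cache    = Join-Path $env:windir 'ccmcache'
$deadline = (Get-Date).AddMinutes(20)
while ((Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) -or (Test-Path -LiteralPath $cache)) {
    if ((Get-Date) -gt $deadline) { throw 'Uninstall still in progress after 20 minutes; investigate before deleting anything.' }
    Write-Host 'Uninstall still running, waiting 30s...'
    Start-Sleep -Seconds 30
}

# Remove the two folders the client regenerates itself from, retrying in case
# a file handle is released a little after the process exits.
foreach ($dir in 'CCM', 'ccmsetup') {
    $path = Join-Path $env:windir $dir
    if (-not (Test-Path -LiteralPath $path)) { continue }
    for ($attempt = 1; $attempt -le 5; $attempt++) {
        try {
            Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
            Write-Host "Removed $path"
            break
        } catch {
            if ($attempt -eq 5) { throw "Could not remove $path after 5 attempts: $_" }
            Write-Host "$path still locked, retrying in 60s..."
            Start-Sleep -Seconds 60
        }
    }
}
Write-Host 'Done. Reboot, then confirm the client has not reappeared (check Group Policy / site assignment if it does).'
```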

Microsoft Forefront TMG 2010 won’t upgrade to Service Pack 2

On trying to upgrade to Service Pack 2 for MS Forefront TMG (Threat Management Gateway), I repeatedly got the below error:

“The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.”

This one had me beaten for a while. I had already upgraded to SP1 for TMG, and I couldn’t see why upgrading to SP2 wouldn’t work. Furthermore, in recent years Microsoft have generally allowed you to jump service packs anyway (such as going to a Service Pack 2 whilst still having the original RTM of a given product).

I dug around a bit, and found there is an interim update for TMG, post SP1, that must be installed before SP2 can be installed. This update (unsurprisingly named “Software Update 1 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1”) can be found here.

Install this, then try running the SP2 for TMG update again. You should find it all goes well.

Adding .admx GPO templates for Win 2008 Group Policy and beyond…

For a long time I have tried to add .admx files to individual group policies using the management editor, as I do with older .adm template files. However, whilst the conventional Add/Remove Templates method works for the old school .adms, it gives the following error message if you try and add an .admx:

“file.admx is not a valid template file. Only files that end with the .adm file extension can be added to this Group Policy Object.”

Why does this happen? Because Microsoft revised their policy on where the templates were stored and implemented from. Now, you just need to make sure that your required .admx files are placed in the %systemroot%\PolicyDefinitions folder. Also, the .adml files (which should be provided) need to be placed in the appropriate language subdirectory (such as en-us) of this folder, for the policies to list and work correctly. This only needs to be on the system you manage group policy from, not every DC in your Active Directory network.

The upshot of this new method is that every .admx / .adml file you add to this folder tree is automatically available to all GPOs managed from that system. Conversely, I believe under the old system you had to add the .adm file to every individual policy you wanted to use the template in.
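As an added example (not the post’s own steps), this PowerShell script installs a folder of templates into the local %systemroot%\PolicyDefinitions store described above, copying each .admx to the root and its .adml to the language subfolder, and skipping any .admx that arrives without its .adml (such a policy lists with no readable text). The $Source folder and the en-US default are assumptions.

```powershell
# Added example, not part of the original post: copy a set of .admx files and
# their .adml language files into the local PolicyDefinitions store, refusing
# any .admx that has no matching .adml. $Source and $Language are assumptions.
param(
    [string]$Source   = 'C:\Temp\NewTemplates',
    [string]$Language = 'en-US'
)
$store     = Join-Path $env:SystemRoot 'PolicyDefinitions'
$langStore = Join-Path $store $Language
if (-not (Test-Path -LiteralPath $langStore)) {
    New-Item -ItemType Directory -Path $langStore | Out-Null
}

foreach ($admx in Get-ChildItem -Path $Source -Filter *.admx) {
    # The .adml normally sits beside the .admx or in a language subfolder of it.
    $adml = Get-ChildItem -Path $Source -Recurse -Filter ($admx.BaseName + '.adml') |
        Select-Object -First 1
    if (-not $adml) {
        Write-Warning "Skipping $($admx.Name): no $($admx.BaseName).adml found under $Source"
        continue
    }
    Copy-Item -LiteralPath $admx.FullName -Destination $store     -Force
    Copy-Item -LiteralPath $adml.FullName -Destination $langStore -Force
    Write-Host "Installed $($admx.Name) and $($adml.Name)"
}
Write-Host "Templates are now available to every GPO edited from this machine ($store)."
```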

SharePoint 2010 – Search and other Web Apps don’t work out the box

Every time I tried to do a search on my SharePoint server, it came back with an error as follows:

“The Web application at http://sharepoint.domain.local/ could not be found. Verify that you have typed the URL correctly. If the URL should be serving existing content, the system administrator may need to add a new request URL mapping to the intended application.”

For a while it had me beaten. Then I realised the problem – elements of SharePoint will not work properly if the Internal FQDN (Fully Qualified Domain Name) is used from a browser instead of the Host name, because elements of SharePoint will only work when using the pre-defined names it knows. To illustrate the point, by connecting to the server via http://sharepoint/, the search process worked perfectly.

So how do you fix this? In an ideal world you want to have SharePoint working fine on the host name, the internal FQDN and [depending on your setup] the external FQDN. Here is how you do it:

1) Fire up the SharePoint Central Administration.

2) On the opening page, look under the System Settings heading for Configure alternate access mappings.

3) From here you can edit, add or ‘map to external resource’ a URL. In this case, I am going to add a URL for my internal FQDN. So I click Add Internal URLs.

4) Next, you need to select the entry for Alternate Access Mapping Collection. I click the drop down link to do this and use the Change option, and in the window that opens select my main SharePoint site. This then takes me back to the previous window with this option selected.

5) In the field for Add Internal URL, I need to add my FQDN, protocol and port number. As I am operating on port 80 / http, this is set as: http://sharepoint.domain.local:80. My required domain is internal, so from the zone list I select Intranet then click on Save.

6) You’re done! Fire up a browser using the newly added domain name, and you will find all should now work. Note that if you are applying an internal domain name that is completely different from the SharePoint host name, you will need to change your DNS server records to reflect this, or else the name won’t resolve.
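As an added example (not the post’s own steps), here is the same alternate access mapping added from the SharePoint 2010 Management Shell instead of Central Administration, with the DNS check from step 6 folded in. The URLs are the post’s examples and stand in for your own.

```powershell
# Added example, not part of the original post: the same alternate access
# mapping added with the SharePoint 2010 PowerShell cmdlets instead of Central
# Administration. Run from the SharePoint 2010 Management Shell; the URLs are
# the post's examples and are placeholders for your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp      = Get-SPWebApplication 'http://sharepoint'    # the host-name URL that works
$internalUrl = 'http://sharepoint.domain.local:80'          # the FQDN that fails
$fqdn        = ([Uri]$internalUrl).Host

# Show the existing mappings first; the FQDN will be missing from the list.
Get-SPAlternateURL -WebApplication $webApp | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize

# Add the FQDN as an internal URL in the Intranet zone unless it is already mapped.
# [Uri] comparison treats http://host:80 and http://host as the same address.
$existing = Get-SPAlternateURL -WebApplication $webApp |
    Where-Object { [Uri]$_.IncomingUrl -eq [Uri]$internalUrl }
if ($existing) {
    Write-Host "$internalUrl is already mapped in zone $($existing.Zone)"
} else {
    New-SPAlternateURL -WebApplication $webApp -Url $internalUrl -Zone Intranet -Internal
    Write-Host "Added $internalUrl (Intranet zone) to $($webApp.DisplayName)"
}

# The mapping is useless unless the name resolves, so check DNS as step 6 advises.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$fqdn resolves to $($addresses -join ', ')"
} catch {
    Write-Warning "$fqdn does not resolve; add an A or CNAME record on your DNS servers."
}
```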

‘Verify that the Activity Feed Timer Job is enabled’ error in SharePoint 2010

I’m only just breaking open the box on properly using SharePoint. Every test install I have done, I have been hampered by this same error. The solution is simple.

First off, completely ignore the link that Microsoft gives you for ‘help’ – it resolved nothing. Instead, from within the Central Administration home page, do the following:

Click the Monitoring title.
Under the Timer Jobs heading, click on Review job definitions.
Scroll down the list and look for User Profile Service Application – Activity Feed Job (it might be worded differently on pre-SP1 SharePoint 2010). You’ll note this is ‘disabled’. Click on the title link, and then the Enable button in the page that follows. This will set the job to run hourly by default, and within that span of time your problem should disappear from the problems list in Central Administration.

SharePoint 2010 – ‘database requires upgrade or not supported’ error post SP1 install

I was unable to search for anything in my SharePoint portal. On inspection in the Central Administration panel, I got the error message in the title.

To correct this, I did as it said in the ‘remedy’ area, when clicking on the problem. In summary:

1) Fired up PowerShell; in my case, with Win 2008 R2 and SharePoint 2010 installed, this can be found as ‘Windows PowerShell Modules’ under the ‘Administrative Tools’ section of the Start menu.

2) Run Upgrade-SPContentDatabase -id WSS_Content. If you want to upgrade a different database, you will need to find its GUID instead, which should be listed alongside the database name.

3) You will be asked for confirmation as to whether you want to do this. Upon approving this, a percentage readout will trickle along the PowerShell window. This may take a few minutes or more to complete, depending on how much data you have.

4) Your database for content should now be updated!

N.B. Having done the above, I found that SharePoint was still having problems with a lot of other databases. My conclusion was that during the SP1 update, it did not update the databases. An easy resolution to this is to go to:

Start -> All Programs -> Microsoft SharePoint 2010 Products -> SharePoint 2010 Products Configuration Wizard

This will save a lot of time! The wizard is automated, and fixed all problems for me :) Why the upgrade didn’t do this automatically is anyone’s guess!
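As an added example (not the post’s own commands), this PowerShell script generalises step 2: rather than naming one content database, it finds every content database in the farm that still reports NeedsUpgrade and upgrades each, then reports anything still flagged so you know the Products Configuration Wizard run described in the N.B. is needed. Run it from the SharePoint 2010 Management Shell.

```powershell
# Added example, not part of the original post: rather than upgrading one
# content database by name, find every content database in the farm that still
# reports NeedsUpgrade after SP1 and upgrade each in turn. Run from the
# SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pending = @(Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade })
if ($pending.Count -eq 0) {
    Write-Host 'All content databases are already at the current schema version.'
    return
}

foreach ($db in $pending) {
    Write-Host ("Upgrading {0} (Id {1}, {2:N0} MB)..." -f $db.Name, $db.Id, ($db.DiskSizeRequired / 1MB))
    # -Confirm:$false skips the prompt the post describes; omit it to keep the prompt.
    Upgrade-SPContentDatabase -Identity $db -Confirm:$false
}

# Anything still flagged afterwards is not fixed by a per-database upgrade;
# that is the case the post's N.B. resolves with the Products Configuration Wizard.
$still = @(Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade })
if ($still.Count -gt 0) {
    $names = ($still | Select-Object -ExpandProperty Name) -join ', '
    Write-Warning "Still needing upgrade: $names"
    Write-Warning 'Run the SharePoint 2010 Products Configuration Wizard to upgrade the remaining databases.'
}
```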

RemoteApp programs ‘lock’ after 10 minutes of inactivity

I’ve just rolled out a 32-bit Windows 2008 Server, for the sole purpose of running our legacy DOS and other 16-bit applications via a Terminal Server (these apps are a little long in the tooth, but still a currently important part of the firm I work for). We’re running Windows 7 x64, so DOS mode is now a non-entity for us on local systems.

For the problem I suffered, this was beside the point. After some effort, the RemoteApps would work absolutely fine, but if the user was to leave their computer for 10 minutes, when they returned the RemoteApp was locked. It required re-entering the password for the TS account in use for these apps, something which they shouldn’t even have to know (and don’t).

With Google as my friend, I set out trying to find a resolution. The resolution was along the lines I thought it might be – it’s all to do with a screensaver ‘time-out’ (the time marker for displaying the screensaver), which kicks in regardless of whether a screen saver is set or not. There were a series of solutions, most suitably involving Group Policy, but I simply couldn’t get them to work.

The problem is, the articles out there tell you what to do, but don’t clarify that the policy needs to ultimately apply to the Terminal Server, or the user account in use with Terminal Server. By implication I was left believing that the policy should be applied to the user workstation itself, and that the 10 minute screen saver setting for the workstation was causing a lock to the RemoteApps. This is not the case.

Having established this, I set about creating a GPO. In my case, the setup is simple versus other real world scenarios; I only need one user account that all my RemoteApps are run through, and I only have one 2008 Terminal Server. I have done everything on the terminal server to ensure my user account can access the server via RDP, whether via a RemoteApp or full Remote Desktop Connection.

Because my setup is basic, I was able to put both the TS user account and the Terminal Server in their own OU called ‘Terminal Servers’. From here, I created and linked a GPO, and set the following policy setting:

User Configuration -> Policies -> Administrative Templates -> Control Panel / Personalization -> Screen saver timeout

I enabled this setting, and set the value to 0 seconds.

If you have a more complex setup, with Terminal Servers in different OUs to user accounts (highly likely), you may need to play around with loopback processing to get this to work. Also, the templates for GPOs in my Active Directory are based around 2008 R2, so you may find the ‘Screen saver timeout’ setting in a slightly different place.

To expedite the application of the new setting, run gpupdate /force from a TS user session on the Terminal Server. Otherwise, wait a while and it should kick in (although a restart of the server might be a good idea, to refresh any disconnected but still open TS sessions).

Internet Explorer prints & previews blank pages (IE7, IE8, IE9)

When trying to print from Internet Explorer (or print preview), all you see is blank content, and some header and footer information. The footer reads something to the effect of:

“file:///C:/Users/userprofile/AppData/Local/Temp/Low/randomfile.htm”

This problem drove me nuts for some time. I first noticed it under Windows Vista with IE8, but from reading out there on the web, it potentially affects any Windows system running IE7 onwards (so XP through to 7).

Specifically, I am rolling out Windows 7 at my firm, with IE9 bundled in as part of an image file. In my case the problem was probably occurring because I installed IE9 using the admin account on the system that the master image was based on (we don’t want users to be able to install their own apps). If I log in to Windows with the admin account directly, all prints fine.

Anyway, enough rambling, you are here because you want to know how to fix it.

Firstly, the ‘Low’ folder mentioned above is needed as a temporary working folder for the HTML pages being generated and printed from IE. Start by bringing up a command prompt (run -> cmd), making sure you DO NOT run with elevated permissions (otherwise it will do this for your local admin account, which won’t help you). At the command prompt, run the following command:

mkdir %userprofile%\AppData\Local\Temp\Low

This will create the necessary Low folder in the right place, which is almost certainly absent otherwise.

Other posts I read suggested this was enough, but it isn’t. The newly created ‘Low’ folder won’t work until you run a further command which sets the integrity level of this folder such that IE can use it (IE7 introduced a new protected mode, which you can read more about here: http://msdn.microsoft.com/en-us/library/bb250462%28VS.85%29.aspx). So at the same prompt, run the following command:

icacls %userprofile%\AppData\Local\Temp\Low /setintegritylevel low

Having done this, restart IE, and you should find print preview and printing itself now work :) Now I just need to correct the 10 systems I already have set up with this little menace of a problem……
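As an added example (not the post’s own commands), this PowerShell script performs the two steps above with the checks a practitioner wants around them: it refuses to run from an elevated prompt (the folder must land in the logged-on user’s profile, exactly the trap described above), creates the Low folder only if missing, applies the low integrity label with icacls, and then reads the label back to confirm it took. The folder path is the one the post gives.

```powershell
# Added example, not part of the original post: the two fixes from the post,
# plus two checks. Refuse to run elevated (the folder must be created in the
# *user's* profile, not the admin's), and confirm the integrity label really is
# Low afterwards by reading it back from icacls.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Running elevated as $($identity.Name). Re-run from a normal, non-elevated prompt."
}

$low = Join-Path $env:USERPROFILE 'AppData\Local\Temp\Low'
if (-not (Test-Path -LiteralPath $low)) {
    New-Item -ItemType Directory -Path $low | Out-Null
    Write-Host "Created $low"
}

# Protected Mode IE runs at low integrity and may only write to objects
# labelled Low; a folder created by a medium-integrity process is not.
& icacls.exe $low /setintegritylevel low | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# icacls lists the mandatory label on the object, e.g.
# "...\Low Mandatory Label\Low Mandatory Level:(NW)"
$listing = & icacls.exe $low
if ($listing -match 'Low Mandatory Level') {
    Write-Host 'Low folder carries the Low integrity label; restart IE and retry printing.'
} else {
    throw "Integrity label was not applied:`n$($listing -join "`n")"
}
```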

Good luck! :)