Archive

Author Archive

Windows 7 unable to connect to Wifi with WPA2-Enterprise (802.1

October 28th, 2021 No comments

I have deployed WPA2-Enterprise authentication on network. Computer should use computer certificate to authenticate to Wireless network. I deployed NPS server, configured all requirements. Windows 10 didn’t have problem to connect to Wifi network. Windows 7 computers have problem.

Problem

In eventviewer (Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig) I found following error:

Network Adapter: Intel(R) Centrino(R) Advanced-N 6205
Interface GUID: {c2c428cb-76cc-4474-a043-33ce2bfe9f0d}
Local MAC Address: 60:67:20:a6:42:63
Network SSID: SECURE_WIFI
BSS Type: Infrastructure
Peer MAC Address: 34:1F:a2:AF:C8:1E
Identity: DOMAN\USER1
User: USER1
Domain: DOMAIN
Reason: Explicit Eap failure received
Error: 0x80074005
EAP Reason: 0x4005
EAP Root cause String:
EAP Error: 0x4005

Solution

Problem is very weird. When you install NPS server, NPS server will use certificate to proof of identity. By default it uses certificate created from Windows CA Template called Kerberos Authentication. This certificate has empty attribute called Subject.

Windows 7 has problem that it doesn’t accept certificate with empty Subject attribute. Other OS’s worked fine. Solution to make it work is to populate this attribute into certificate. You can do it following way:

  • Go to Certificate Template console (use MMC, add snap in –> Certificate Templates) and change template called Kerberos Authentication.
  • Open properties of this template
  • Go to Subject Name tab
  • Change Subject name format to DNS name

Now go to NPS server. Open the Certificates MMC (Computer), go to Personal / Certificates and right click in the details pane – All Tasks / request New Certificate. Request new certificate from template Kerberos Authentication for computer account:

After new certificate is installed under computer certification store, you can find attribute Subject populated with DNS name of NPS server:

When certificate is OK, you can change certificate which should be used to proof identity.

Let’s make new certificate work on NPS server. Open NPS console. Go to Network Policies and open up your policy which handles 802.1x requests. Go to the Constraint tab, Authentication Methods / PEAP and click on Edit.

The certificate expiry date now shown should tie in to the one you just created:

Now also Windows 7 will connect to wireless network with no problem and not error event 🙂

That’s all fokls,

Veeam server rename

October 28th, 2021 No comments

Problem:

Sometimes it happens that you need to rename server where Veeam server is already installed. When you rename server you won’t be able to login into this server. You get following error:

Failed to connect to Veeam Backup & Replication server:

No connection could be made because the target machine actively refused it IP address.

Solution

You have to change server name to new new in registry:

  • open cmd and type regedit
  • go to registry \HKLM\Software\VeeaM\Veeam Backup and Replication and look for REG_SZ value called SqlServerName. Change it to new server’s name.
  • go to registry \HKLM\Software\VeeaM\Veeam Backup Catalog\ and look for REG_SZ value called CatalogSharedFolderPath. Fix it to point to new server’s name share.
  • restart whole server and you are all ready 🙂

Enjoy,

Categories: Veeam Tags: , , ,

Windows port forwarding

November 3rd, 2020 No comments

I didn’t know that it’s possible in Windows TCP/IP stack make port forwarding. I knew it’s possible in Linux using iptables. In windows we have powerful tool called netsh.

Let’s have a example. Some service is listening on port TCP/10000. If I want to make this service listen on other port than TCP/10000 and there is no configuration to change I will use netsh to make it happen. Let’s look at listening ports on TCP/10000 and TCP/20000:

netstat before netsh

We can see there is no port listening on TCP/20000. Let’s make a magic and run command:

netsh interface portproxy add v4tov4 listenport=20000 listenaddress=0.0.0.0 connectport=10000 connectaddress=192.168.100.118

You cannot use loopback or 0.0.0.0 in connectaddress parameter. You can even use remote server IP address in connectaddress parameter.

Let’s look at netstat commands:

netstat after netsh

If your command doesn’t work, please, check if service called IP Helper is Running.

To see all configuration of portproxy settings just run following command:

netsh interface portproxy dump

netsh interface portproxy dump

To delete rule just run following command:

netsh interface portproxy delete v4tov4 listenport=20000 listenaddress=0.0.0.0

And that’s all folks,

Windows update restart problem

November 3rd, 2020 No comments

Once upon the time I had problem with Windows Update. All updates got downloaded and installed. When user click on button Restart Windows got error 0x80070005.

After couple minutes of debugging with Process Monitor I found out that process called explorer.exe had problem with accessing directory C:\Windows\System32\Tasks. That means that if you click on button Restart in Windows Update, Windows doesn’t just restart system. It creates Scheduled Task to reboot. Weird, but it does it this way.

So I have created GPO with security settings for directory C:\Windows\System32\Tasks and allow BUILTIN\Users have Modify rights to this directory.

And that’s the way we make it 🙂

Exchange 2010 PF not accessible from Exchange 2016 mailboxes

August 22nd, 2019 1 comment

Problem: When I do migration from Exchange 2010 to Exchange 2016 most of the time I have problem with old style Public Folders hosted on Exchange 2010. When you migrate user from Exchange 2010 to Exchange 2016 she cannot access Public Folders hosted on Exchange 2010.

Solution: You need to setup Exchange 2016 environment to be able to proxy Public Folders hosted on Exchange 2010. You need to create proxy mailbox which Exchange 2016 will use to proxy Public folders. Here are couple steps you need to do:

  • Create new mailbox:

New-Mailbox -Name PFMBX1 -Database {YOUR  EX2010 DATABASE NAME}

  • I preffer to hide this mailbox from other users

Set-Mailbox -Identity PFMBX1 -HiddenFromAddressListsEnabled $true

  • Set on Exchange 2016 server following proxying

Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMBX1

Now when Exchange 2016 users restart their Outlook clients they will see Public folders hosted on Exchange 2010.

Have a nice day,

Exchange 2010 to Exchange 2013/2016 autodisover problem

August 22nd, 2019 No comments

Problem: There is a known error in Exchange 2013/2016 when you migrate user’s mailbox. After the migration is done use cannot access her new mailbox. It is possible after some time (max 15 minutes).

Cause: This is caused by outdated data cached by Autodiscover process on Exchange server. It’s called MSExchangeAutodiscoverAppPool.

Solution: You need to set application pool responsible for creation autodiscover XML file to recycle more often. You can do Recycle manually from IIS console after migration is done:

Manual Recycle

Or you can configure automatic recycling on specific condition. I most of the time configure Recycling on every minute. When all users are migrated I disable this rule:

Have a nice day,

Decommission problem in AD

January 30th, 2017 No comments

In long time I was asked to decommission one domain controller. It’s kinda straightforward process. But, yes again, I had a problem. When decommission process started I received error stated:”The operation failed because: Active Directory Domain Services could not configure the computer account DC_ACCOUNT$ on the remote Active Directory Domain Controller DC2_ACCOUNT$: “Access Denied.””.

 

 

I have checked my account and I was domain admin. My rights were alright.

Error “Access Denied” was interesting. Problem was checkbox called “Protect object from accidental deletion” on domain controller object which denied system to delete domain controller object:

 

To see this option you need to enable Advanced Features in Active Directory Users and Computers (dsa.msa) console.

Have a nice day,

Exchange 2010 versioning

April 28th, 2016 No comments

From some update there is no relevant information about version in Exchange 2010 SP3. Let’s try it in Powershell:

It says it’s 123.4 build which should coresponds to plaint Microsoft Exchange Server 2010 SP3 (Exchange Update Rollup numbers). This is not corrent information, because those servers have UR installed.

Using EMC I can see:

Which are also incorrect information about server versions. I suppose it’s just nicer output of Powershell cmdlet 🙂

Best way to find out it’s to use EMC console on server and use “About”:

You will get information which are correct:

It’s Update Rollup 11 for Exchange Server 2010 SP3.

It’s really bad that you cannot find Exchange version of all your Exchange servers in one place (Powershell or EMC). Let’s hope they will fix it in new Update Rollup 🙂

That’s all fokls for today.

Categories: Exchange, Microsoft Tags:

Quickie: DFSR not working

April 27th, 2016 No comments

Problem: One of our customer has about 30 locations across our country and they wanted to use DFSR to replicate folder content to all locations. At each location there is one Hyper-V host running Windows Server 2012 R2 OS with DFSR installed. Each server has three disks – C:\, D:\ and E:\. I have configured DFS Replication in DFS console, replicated AD across environment, and … and nothing happened. DFSR didn’t do anything. It did NOT even create its own private folders in “System Volume Information” folder. No error event in Event viewer. DFSR was set to replicate folder on disk D:\ – didn’t work. I tried to replicate directory on E:\ disk – didn’t work. So I tried to replicate folder on C:\ disk – it did work 🙂

Solution: I enabled DFSR debug logging. There was no error mentioned, but what I noticed was that disks D:\ and E:\ had same serial numbers and also same volume IDs. It was weird. But after some discussion I found out that those two disks were “copied” and “cloned” in Hyper-V environment. So that’s why they had same serial numbers and volume IDs. I found out that it can be a problem. So I had to change volume ID using Microsoft utility VolumeID. After I changed one disk volume ID and rebooted system, DFSR started to work as expected.

So never do disk cloning. Or if you do, change at least volume ID for those disks so Windows services don’t get confused. Looking into this problem took me one and half day! Thank you Microsoft 🙂

Categories: Microsoft, Quickie, Windows Tags:

VMWare vExpert 2016

February 8th, 2016 No comments

I was honored to be VMWare vExpert also this year 🙂

(http://blogs.vmware.com/vmtn/2016/02/vexpert-2016-award-announcement.html)

 

Categories: Unassigned Tags: