RDP Certificate Expired

We had a customer report an issue with a hosted server last night.  They were trying to RDP in to a hosted Windows Server 2008 machine from Vista PCs and were not able to.  XP clients were fine.  Here’s the error they got:

“Remote Desktop cannot connect to the remote computer because the authentication certificate received from the remote computer is expired or invalid”.

RDP on Windows Server 2008 runs over TLS with an X.509 server certificate, so the client can authenticate the server before it sends any credentials (it is server authentication, not mutual authentication).  The fixes I first saw were to renew a certificate from the PKI.  Huh?  This is a workgroup machine in an isolated/firewalled network.  No go there, sunshine!

The fix was to fire up the Certificates snap-in in MMC on the server (Local Computer account), browse to the Remote Desktop store and delete the certificate in there.  That certificate is self-signed and generated automatically by Remote Desktop Services; it had expired, and the Vista client, which negotiates TLS and checks the validity period, refused it.  Once it is deleted the service generates a fresh one the next time it starts or takes a connection.

Alternatively you can change the security layer of the RDP-Tcp listener from “SSL (TLS 1.0)” or “Negotiate” to “RDP Security Layer”, which tells RDP to stop using the certificate.  This is done in the properties of the RDP-Tcp connection in the Terminal Services Configuration MMC.  Bear in mind that RDP Security Layer still encrypts the session but gives the client no way to authenticate the server, so a man-in-the-middle on the path can harvest the logon credentials; deleting the expired certificate is the better fix.

If the cert wasn’t expired then you should check that the time is correct on both the client and the server: the client compares the certificate’s validity period against its own clock, so a clock that is badly out on either side produces the same “expired or invalid” error.
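Here is the same check and fix from an elevated PowerShell prompt on the server, as an added example rather than anything from the original post.  It lists the certificate(s) in the Remote Desktop store, flags one that is expired or not yet valid, shows which security layer and certificate thumbprint the RDP-Tcp listener is configured with (via the Win32_TSGeneralSetting WMI class), and with -Remove deletes the bad certificate so the service regenerates it.  It needs PowerShell 2.0 or later; nothing else is assumed.

```powershell
# Added example (not from the original post). Run elevated on the Windows Server 2008 box.
# Without -Remove it only reports; with -Remove it deletes expired / not-yet-valid certs
# from the "Remote Desktop" store so Remote Desktop Services regenerates a fresh one.
param([switch]$Remove)

# What the RDP-Tcp listener is configured to use (WMI class present on 2008)
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$layers = @{ 0 = 'RDP Security Layer (no server authentication)'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
Write-Host ("RDP-Tcp security layer     : {0}" -f $layers[[int]$listener.SecurityLayer])
Write-Host ("RDP-Tcp certificate (SHA-1): {0}" -f $listener.SSLCertificateSHA1Hash)

# The self-signed certificate lives in the "Remote Desktop" store of the local machine
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Remote Desktop', 'LocalMachine')
$store.Open('ReadWrite')
$now = Get-Date
if ($store.Certificates.Count -eq 0) {
    Write-Host 'Remote Desktop store is empty; it is repopulated on the next connection.'
}
foreach ($cert in @($store.Certificates)) {          # @() copies the collection so Remove() is safe in the loop
    $state = if ($now -gt $cert.NotAfter)      { 'EXPIRED' }
             elseif ($now -lt $cert.NotBefore) { 'NOT YET VALID - check the server clock' }
             else                              { 'valid' }
    Write-Host ("{0}  {1}  {2:u} -> {3:u}  {4}" -f $cert.Thumbprint, $cert.Subject, $cert.NotBefore, $cert.NotAfter, $state)
    if ($Remove -and $state -ne 'valid') {
        $store.Remove($cert)
        Write-Host "Deleted $($cert.Thumbprint). Restart the Remote Desktop Services service (TermService) or wait for the next connection to get a new one."
    }
}
$store.Close()

# Clock skew is the other cause of "expired or invalid": show where this machine gets its time
w32tm /query /status
```

Run the client-side half of the check too: an RDP client whose clock is months out will reject a perfectly good certificate, and `w32tm /query /status` on the client tells you in one line whether it is synchronising at all.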

Microsoft W2008 R2 Certificate Services Whitepapers

Microsoft has made a whitepaper available with details on how to implement Simple Certificate Enrolment Protocol (SCEP).

“Microsoft Active Directory Certificate Services in Microsoft Windows Server 2008 R2 includes the Network Device Enrollment Service role service. This role service implements the Simple Certificate Enrollment Protocol. This white paper provides an overview of this role service in the Windows Server 2008 R2”.

They also published a whitepaper on deploying user and computer certificates:

“The Windows Server 2008 R2 Core Network Guide provides instructions on how to plan and deploy the components required for a fully functioning network and a new Active Directory domain in a new forest. This companion guide to the Core Network Guide provides instructions on how to deploy client computer and user certificates with Active Directory Certificate Services (AD CS) and Group Policy. You can use client computer and user certificates to allow Network Policy Server (NPS) and Routing and Remote Access Service (RRAS) to authenticate users and computers when you deploy the following authentication methods for network access authentication:

  • Extensible Authentication Protocol with Transport Layer Security (EAP-TLS)
  • Protected EAP with TLS (PEAP-TLS)”.

Install Windows From USB 2.0 Key

As I’m typing, I’m installing a Windows Server 2008 R2 Hyper-V server from a USB stick.  Why would you consider doing this?

  1. Have you noticed how many server suppliers consider a DVD drive to be an option now?  With money being tight, everyone wants to save a few bucks.
  2. It’s a pain to burn DVDs for the occasional install.  And I can never find a DVD-RW.

However, 4GB USB flash sticks are pretty cheap and common now.  Heck, most of the USB memory or thumb drives that I have were free at events, etc.

I wanted to burn the ISO I downloaded from Microsoft but didn’t want to go searching for a DVD-RW.  I knew the Windows installer could be put onto a USB; I was given the Windows 7 RC on a 4GB USB and had installed from that.  What I’m going to do now should be feasible with Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.  We’re going to use a USB instead of a DVD to “burn” an image and install Windows from a USB 2.0 stick.

  • Download the ISO from Microsoft for the version of Windows you want to deploy.
  • Install something like Virtual CloneDrive to mount the ISO.  We’ll call this the G: drive, for example.
  • Make sure there’s nothing valuable on your 4GB+ USB 2.0 stick and insert it into your admin PC.  That might be the I: drive.
  • Fire up a command prompt with “Run as administrator”.
  • Run DISKPART, then run the following sub-commands:
      • list disk.  Identify the USB stick by its size, e.g. disk 1.  Get this right: the next steps wipe whatever disk you select.
      • select disk 1.  Using disk 1.
      • clean
      • create partition primary
      • select partition 1
      • active
      • format quick fs=fat32.  That gives us a quick-formatted FAT32 file system on the USB stick.  (FAT32 can’t hold a single file of 4GB or more; the 2008 R2 media is well under that.)
      • assign.  The stick now has a drive letter and is bootable.
      • exit.  The disk is now prepared.
  • Now copy the contents of the mounted ISO (G:) onto the USB stick (I:) by running: xcopy g:\*.* /s /e /f i:\
  • That will take a while.  Once it’s complete you have a USB stick that you can install Windows from.
  • Make sure the target machine can boot from USB.  Insert the stick and power it up, making sure the USB stick is the boot device (this may need a boot-menu prompt or a change to the boot order, depending on the BIOS).  The machine should boot from USB and load WinPE, which installs the version of Windows from your ISO.
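The same recipe driven from PowerShell on the admin PC, as an added example that is not part of the original post.  It runs the post’s diskpart steps from a script file and then copies the mounted ISO, but adds the two checks the manual version lacks: it refuses to wipe any disk that is not USB-attached (so a mistyped disk number can’t clean a SATA drive), and it refuses an image containing a file of 4GB or more, which FAT32 cannot store.  The disk number and ISO drive letter are assumed inputs; it needs PowerShell 2.0 (Windows 7) and an elevated prompt.

```powershell
# Added example (not from the original post). Run elevated on the admin PC, e.g.
#   .\Make-InstallUsb.ps1 -UsbDiskNumber 1 -IsoDrive G:
param(
    [Parameter(Mandatory=$true)][int]$UsbDiskNumber,   # the number "list disk" shows, e.g. 1
    [Parameter(Mandatory=$true)][string]$IsoDrive      # where the ISO is mounted, e.g. 'G:'
)

# Check 1: diskpart's disk number == Win32_DiskDrive.Index; refuse anything that is not USB
$disk = Get-WmiObject Win32_DiskDrive -Filter "Index=$UsbDiskNumber"
if (-not $disk) { throw "Disk $UsbDiskNumber does not exist" }
if ($disk.InterfaceType -ne 'USB') {
    throw ("Refusing to wipe disk {0} ({1}): interface is {2}, not USB" -f $disk.Index, $disk.Model, $disk.InterfaceType)
}
Write-Host ("Target: disk {0}, {1}, {2:N1} GB" -f $disk.Index, $disk.Model, ($disk.Size / 1GB))

# Check 2: FAT32 cannot store a single file of 4 GB or more
$tooBig = Get-ChildItem "$IsoDrive\" -Recurse | Where-Object { -not $_.PSIsContainer -and $_.Length -ge 4GB }
if ($tooBig) { throw "FAT32 cannot hold: $(($tooBig | ForEach-Object { $_.FullName }) -join ', ')" }

# The post's diskpart steps, run unattended from a temporary script file
$dpScript = [System.IO.Path]::GetTempFileName()
@"
select disk $UsbDiskNumber
clean
create partition primary
select partition 1
active
format quick fs=fat32
assign
exit
"@ | Set-Content -Path $dpScript
diskpart /s $dpScript | Out-Host
Remove-Item $dpScript
Start-Sleep -Seconds 2                                # give the new volume a moment to appear

# Find the letter diskpart assigned by walking disk -> partition -> logical disk in WMI
$devId = $disk.DeviceID.Replace('\', '\\')           # WQL needs the backslashes escaped
$part  = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID='$devId'} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
$vol   = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass=Win32_LogicalDiskToPartition"
if (-not $vol) { throw "No drive letter found on disk $UsbDiskNumber after diskpart" }
$usb = $vol.DeviceID                                  # e.g. 'I:'

Write-Host "Copying $IsoDrive\ to $usb\ (this takes a while)"
Copy-Item -Path "$IsoDrive\*" -Destination "$usb\" -Recurse -Force
Write-Host "Done. Boot the target machine from $usb (USB first in the BIOS boot order)."
```

The USB-interface check is the one worth keeping even if you do the rest by hand: `clean` has no undo, and on a laptop with a docking station it is easy to have the wrong disk number in your head.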

If you’re installing lots of machines then you should check out the network installation methods:

  • WDS: Windows Deployment Services
  • MDT: Microsoft Deployment Toolkit
  • ConfigMgr: Configuration Manager 2007

Fix: Cannot Share Folder

I had an issue this week with a Windows Server 2008 machine where we could not share folders.  It’s a web server where a new application needs to access data via a share on the same server.  Now this was not an issue where people could not connect to a share.  This was an issue that when we tried to enable a share the GUI just said “Could not share folder”.  NET SHARE on command prompt just said “System Error 1 has occurred.  Incorrect Function”.

I checked all the usual suspects: Server service, client for file and printer sharing, event logs, Network & Sharing Center, you name it.  The strange thing was that existing shares were sharing OK.  I got MS PSS involved and they pulled loads of logs and traces and couldn’t find anything.  Today I got the case escalated to second level support.  We ran a ProcMon trace.  The Escalation Engineer noticed that the request wasn’t getting down the stack.  His first suspect was antivirus.  We disabled it but no joy.  Next up was Windows Firewall.  What?

This is where I started to get sceptical.  What the hell would a firewall have to do with enabling a file share?  I can see it preventing access to the file share but not creating it.  It turns out that there is a rule called “File and Printer Sharing (Echo Request)” (IPv4 and IPv6 versions) and that must be enabled in order to create a file share.

The firewall on this machine had been customised and that rule was removed.  That caused the issue.  So how to fix it?  The engineer wanted to restore the defaults to the Windows Firewall.  But that meant losing everything that was configured in the current firewall rule set.  We exported the rules but there’s no way to import/merge rules.

The engineer got very creative here.  He got me to go into HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules.  We exported that to a .REG file.  That’s where every firewall rule is stored, so we had just backed them all up to a REG file.  We “reset defaults” in Windows Firewall with Advanced Security.  That restored the firewall back to factory settings.  We then imported the .REG file to do a merge.  Sweet.  We tested and we were able to share folders on the server.
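The same backup, check and merge from the command line, as an added example that is not the commands the engineer and I actually ran.  It exports the FirewallRules registry key (one REG_SZ value per rule), asks netsh whether the two built-in Echo Request rules are present, and, only when you pass -ResetAndMerge, restores the default policy and re-imports the backup the way we did through the GUI and regedit.  The built-in rule display names and the %TEMP% backup location are assumptions; run it elevated on the server.

```powershell
# Added example (not the original post's commands). Run elevated on the Windows Server 2008 box.
#   .\Repair-ShareFirewallRules.ps1                 # backup + report only
#   .\Repair-ShareFirewallRules.ps1 -ResetAndMerge  # also reset to defaults and merge the backup back
param([switch]$ResetAndMerge)

$sub    = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$backup = Join-Path $env:TEMP ('FirewallRules-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Back up every rule: each one is a single REG_SZ value under this key
reg export "HKLM\$sub" $backup /y | Out-Null
$count = (Get-Item "HKLM:\$sub").ValueCount
Write-Host "Backed up $count rule values to $backup"

# 2. Are the rules the escalation engineer pointed at still there? (display names on 2008)
$echoRules = 'File and Printer Sharing (Echo Request - ICMPv4-In)',
             'File and Printer Sharing (Echo Request - ICMPv6-In)'
$missing = @()
foreach ($name in $echoRules) {
    $out = netsh advfirewall firewall show rule name="$name" 2>&1
    if ($out -match 'No rules match') {
        Write-Warning "Missing: $name"
        $missing += $name
    } else {
        $enabled = ($out | Select-String '^Enabled:').Line
        Write-Host "Present: $name  ($enabled)"
    }
}

# 3. What the post did through wf.msc and regedit: restore defaults, then merge the backup back.
#    reg import only adds/overwrites values, so the default rules stay and the custom ones return.
if ($ResetAndMerge -and $missing) {
    netsh advfirewall reset | Out-Null      # same as "Restore Default Policy" in wf.msc
    reg import $backup
    Write-Host 'Defaults restored and custom rules merged back; retry NET SHARE now.'
} elseif ($missing) {
    Write-Host 'Re-run with -ResetAndMerge to restore defaults and merge the backup back.'
}
```

The step-2 check is the useful part to keep: run it before touching anything, and compare the list of missing built-in rules with the backup so you know exactly what the reset is going to put back.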

Thanks to Addy in MS PSS for his help in getting this sorted.

Windows Server 2008 R2 RTW

W2008 R2 has been released to the web by Microsoft.  You can download it from EOpen or MVLS now if you have a volume license account.  Expect to see it on Friday if you have TechNet or MSDN subscriptions.

I’m itching to get this deployed but there’s a few things that will slow me down on the production systems:

  1. VMM 2008 cannot manage Hyper-V on Windows Server 2008 R2.  I’m running a Hyper-V 2008 production cluster so that’s pretty important.
  2. There are no OpsMgr management packs for Windows Server 2008 R2 yet.  Some of the 2008 management packs only got released a few months ago, i.e. IIS and Failover Clustering!
  3. HP don’t have support for it yet.  We have to wait until PSP (Proliant Support Pack) 8.30 for that.

I do have a test server (that I blogged about before) that’ll get rebuilt with the RTM release, hopefully next week.


Remote Server Administration Tools for Windows 7

Microsoft released the RSAT for Windows 7 overnight.  This allows you to manage your servers from a desktop computer.

“Remote Server Administration Tools for Windows 7 enables IT administrators to manage roles and features that are installed on remote computers that are running Windows Server 2008 R2 (and, for some roles and features, Windows Server 2008 or Windows Server 2003) from a remote computer that is running Windows 7. It includes support for remote management of computers that are running either the Server Core or full installation options of Windows Server 2008 R2, and for some roles and features, Windows Server 2008. Some roles and features on Windows Server 2003 can be managed remotely by using Remote Server Administration Tools for Windows 7, although the Server Core installation option is not available with the Windows Server 2003 operating system.
This feature is comparable in functionality to the Windows Server 2003 Administrative Tools Pack and Remote Server Administration Tools for Windows Vista with Service Pack 1 (SP1).

Supported Operating Systems: Windows 7; Windows Server 2003; Windows Server 2008; Windows Server 2008 R2

Remote Server Administration Tools for Windows 7 can be installed on computers that are running the Enterprise, Professional, or Ultimate editions of Windows 7.
Remote Server Administration Tools for Windows 7 runs on both x86- and x64-based editions of Windows 7, and can be used to manage roles and features that are running on either the Server Core or full installation options of the x64-based Windows Server 2008 R2 operating system. Remote management is also supported for some roles and features that run on Windows Server 2008 or Windows Server 2003.
Remote Server Administration Tools for Windows 7 should not be installed on a computer that is running the Windows Server 2003 Administration Tools Pack or Windows 2000 Server® Administration Tools Pack. Remove all versions of Administration Tools Pack or Remote Server Administration Tools for Windows Vista SP1 from the computer before you install Remote Server Administration Tools for Windows 7.
Only one copy at a time of Remote Server Administration Tools for Windows 7 can be installed on a computer. Before you install a new package, remove any existing copies of Remote Server Administration Tools for Windows 7. This includes any copies that are in different languages”.

Here’s the list of admin tools, courtesy of John Howard:

Server Administration Tools:

  • Server Manager

Role Administration Tools:

  • Active Directory Certificate Services (AD CS) Tools
  • Active Directory Domain Services (AD DS) Tools
  • Active Directory Lightweight Directory Services (AD LDS) Tools
  • DHCP Server Tools
  • DNS Server Tools
  • File Services Tools
  • Hyper-V Tools
  • Terminal Services Tools

Feature Administration Tools:

  • BitLocker Password Recovery Viewer
  • Failover Clustering Tools
  • Group Policy Management Tools
  • Network Load Balancing Tools
  • SMTP Server Tools
  • Storage Explorer Tools
  • Storage Manager for SANs Tools
  • Windows System Resource Manager Tools

I recently wrote a piece about the new Server Manager for a W2008 R2 book.  It’s got one HUGE improvement: the ability to manage remote machines, as long as those machines have been configured to allow remote management.  Enabling that turns on WinRM, which also opens the server to remote management via PowerShell, so it might not be desirable for everyone.
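Before switching remote management on, it is worth knowing what that actually exposes.  The following is an added example, not from the book chapter or the post: run on a Windows Server 2008 R2 box after remote management has been enabled, it reports the WinRM listeners, the service and authentication settings that matter for security, and who the default PowerShell endpoint admits, flagging the weak settings.  It is read-only; the fix for each finding is given in the message.  It assumes PowerShell 2.0 (which 2008 R2 ships with) and an elevated prompt.

```powershell
# Added example (not from the original post). Run elevated on a 2008 R2 server once remote
# management is on (Configure-SMRemoting.ps1 -force -enable, or Enable-PSRemoting).
$findings = @()
Write-Host "WinRM service: $((Get-Service WinRM).Status)"

# Listeners: transport, bound address and port
foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
    $p = @{}
    Get-ChildItem $listener.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
    Write-Host ("Listener {0}: {1} on {2} port {3}" -f $listener.Name, $p['Transport'], $p['Address'], $p['Port'])
    if ($p['Transport'] -eq 'HTTP' -and $p['Address'] -eq '*') {
        $findings += "Listener $($listener.Name) is plain HTTP on every address; prefer HTTPS (winrm quickconfig -transport:https) or bind it to the management network"
    }
}

# Service settings a reviewer checks first (the WSMan: drive returns these as 'true'/'false' strings)
$allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
$basicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
$ipv4Filter       = (Get-Item WSMan:\localhost\Service\IPv4Filter).Value
$trustedHosts     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Write-Host "AllowUnencrypted=$allowUnencrypted Basic=$basicAuth IPv4Filter='$ipv4Filter' TrustedHosts='$trustedHosts'"
if ($allowUnencrypted -eq 'true') { $findings += 'AllowUnencrypted is on: Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value false' }
if ($basicAuth -eq 'true')        { $findings += 'Basic auth is on (credentials recoverable over HTTP): Set-Item WSMan:\localhost\Service\Auth\Basic -Value false' }
if ($ipv4Filter -eq '*')          { $findings += "IPv4Filter is '*': restrict it to the management subnet, e.g. Set-Item WSMan:\localhost\Service\IPv4Filter -Value '10.0.0.1-10.0.0.254'" }
if ($trustedHosts -eq '*')        { $findings += "Client TrustedHosts is '*': this box will hand credentials to any host name it is pointed at" }

# Who may use the default endpoint (Administrators only, unless someone widened it)
$cfg = Get-PSSessionConfiguration -Name Microsoft.PowerShell
Write-Host "Endpoint Microsoft.PowerShell permission: $($cfg.Permission)"

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No weak WinRM settings found' }
```

The defaults on 2008 R2 pass this check (Kerberos/Negotiate, no unencrypted traffic, Administrators only); the value is in catching the `AllowUnencrypted` and `Basic` toggles that get flipped during troubleshooting and never flipped back.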

Speaking of PowerShell, the PowerShell module for Active Directory was also in that chapter that I wrote.  It is very cool, even for a PSH newbie like me.  I even figured out how to create many customised users from a CSV file with a one-line cmdlet pipeline.  That’ll be in the book.
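An added example of that kind of bulk creation with the Active Directory module, which is not the one-liner from the book chapter: it reads users from a CSV, creates each one in the OU the row names, and gives each a random initial password that must be changed at first logon, so no password ever sits in the CSV.  The CSV columns, the domain contoso.com and the two sample rows are constructed for the example; it needs the ActiveDirectory module (2008 R2 or RSAT for Windows 7) and rights to create users in those OUs.

```powershell
# Added example (not from the original post or book). Requires the AD module and an
# account that can create users in the target OUs. Domain and CSV layout are assumed.
Import-Module ActiveDirectory

# Constructed input, written to a temp file so the block runs as-is
$csv = Join-Path $env:TEMP 'newusers.csv'
@'
SamAccountName,GivenName,Surname,Department,OU
jbloggs,Joe,Bloggs,Sales,"OU=Sales,DC=contoso,DC=com"
amurphy,Aoife,Murphy,IT,"OU=IT,DC=contoso,DC=com"
'@ | Set-Content -Path $csv

function New-InitialPassword {
    # 16 bytes from the OS CSPRNG, base64-encoded: long enough for any domain policy,
    # never written to the CSV or the console
    $bytes = New-Object byte[] 16
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

Import-Csv $csv | ForEach-Object {
    $plain = New-InitialPassword
    New-ADUser -Name "$($_.GivenName) $($_.Surname)" `
               -SamAccountName $_.SamAccountName `
               -UserPrincipalName "$($_.SamAccountName)@contoso.com" `
               -GivenName $_.GivenName -Surname $_.Surname -Department $_.Department `
               -Path $_.OU `
               -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
               -ChangePasswordAtLogon $true -Enabled $true
    # $plain goes to the user out of band (help desk, sealed envelope); we only log the result
    "{0} created in {1}" -f $_.SamAccountName, $_.OU
}
Remove-Item $csv
```

Keeping the OU in the CSV rather than hard-coding one `-Path` is what makes the same script serve every department, and `-ChangePasswordAtLogon $true` means the random initial password is only ever good for one logon.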


In-Place Upgrades To Windows Server 2008 R2

I’ve been getting a few search hits on my site where people are looking to see what the upgrade path is to Windows Server 2008 R2.  OK, it’s pretty simple really.  It’ll be bad news for some who didn’t keep an eye on the industry.  There is no 32-bit version of Windows Server 2008 R2, so you must be running an x64 install to upgrade to W2008 R2.

MS strongly recommends that you don’t do an in-place upgrade.  However, it is safe if the machine is stable and only runs MS software.  Please test before doing the upgrade, e.g. make a copy of the server using virtualisation technology (P2V) and upgrade the copy first.

You can upgrade from Windows Server 2003 x64 to Windows Server 2008 R2 Full Installation.  You can upgrade from Windows Server 2008 x64 Full Installation to Windows Server 2008 R2 x64 Full Installation.  You can upgrade from Windows Server 2008 x64 Core Installation to Windows Server 2008 R2 Core Installation.

You can upgrade from one edition to the same edition or a higher one, e.g. from Standard to Standard, Enterprise or Datacenter.  You cannot upgrade from one edition to a lower edition, e.g. you cannot upgrade from Datacenter to Standard.

Here’s a basic upgrade path for Windows Server 2008 R2:

  Windows 2000 Server x86                    ->  N/A
  Windows Server 2003 x86                    ->  N/A
  Windows Server 2003 x64                    ->  Windows Server 2008 R2 Full Installation
  Windows Server 2008 x64 Core Installation  ->  Windows Server 2008 R2 Core Installation
  Windows Server 2008 x64 Full Installation  ->  Windows Server 2008 R2 Full Installation
  Windows Server 2008 x86 Core Installation  ->  N/A
  Windows Server 2008 x86 Full Installation  ->  N/A

Windows 7 and Server 2008 R2 Released to Manufacturing

Windows 7 has RTM’d.  It’s official.  The build number is 7600. 

Windows Server 2008 R2 also RTM’d.

Check my previous post for when you can expect to get your hands on them (legitimately).

Well done MS!

EDIT#1:

Here’s the official sign-off:


Here’s the original announcement by Steve Ballmer and Steven Sinofsky:

Windows 7 Sneak-Peek from MGX