
Category Archives: System Management

WSUS Fails Initialization

Windows Server Update Services fails to start with a fairly generic error message.

  • Run elevated Command Prompt and issue the following command:

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

  • Restart “WSUS Service”

Create the Key Distribution Services KDS Root Key

Create the “KDS Root Key” for use with Managed Service Accounts (MSA) and Group Managed Service Accounts (gMSA). Use the Add-KdsRootKey PowerShell cmdlet to set up and initialize the KDS root key.

  1. On the Windows Server 2012 domain controller, run the Windows PowerShell from the Taskbar. (I normally run it as Administrator.)
  2. At the Windows PowerShell, type the following command, and then press ENTER:
    Add-KdsRootKey -EffectiveImmediately

The domain controllers will wait up to 10 hours from the time of creation to allow all domain controllers to converge their AD replication before allowing the creation of a gMSA. The 10 hours is a safety measure to prevent password generation from occurring before all DCs in the environment are capable of answering gMSA requests. If you try to use a gMSA too soon, the key might not have been replicated to all Windows Server 2012 DCs, and therefore password retrieval might fail when the gMSA host attempts to retrieve the password. gMSA password retrieval failures can also occur when using DCs with limited replication schedules or if there is a replication issue.

Even if there is only one DC you still have to wait the 10 hours. If you don’t want to wait, refer to the Microsoft TechNet article this information was taken from: https://technet.microsoft.com/en-us/library/jj128430.aspx

SQL MSA and gMSA info

“Managed Service Account” (MSA) and “Group Managed Service Account” (gMSA) articles:

Microsoft NPS with Cisco Equipment Using RADIUS

See this article: Integrating Cisco devices CLI access with Microsoft NPS/RADIUS

Should be cheaper than Cisco’s ACS or ISE systems for small to medium organizations of 50-1000 users/computers.

Think about PCI/DSS (3.0) when analyzing cost/risk/liability/brand reputation.

TLS Certificate for Windows 8/8.1 Remote Desktop Service

# —————————————
# Remote Desktop Service (RDS) certificate for Windows VERSION 6.2 and 6.3
# This works on Windows 7, 8, and 8.1 Professional and Enterprise Editions, for both 32-bit and x64 CPUs.
# —————————————

# All of this requires Administrator-level “elevated” privileges. If you don’t know what that means or how to get an “Administrator: Command Prompt” then stop and find a different guide.

# 1) Add SHA1RSA certificate to “Run” -> certlm.msc -> Certificates Local Computer -> Personal -> Certificates
# 1.1) Windows 7 does not have certlm.msc. Use mmc.exe and the Certificates snap-in for the “local computer” and then continue on to step 2).

# 2) Get the cert hash(sha1) “thumbprint”
# Example:
certutil.exe -store my example.com | findstr /r "Subject: Cert.Hash"
# Subject: CN=*.example.com, OU=Domain Control Validated
# Cert Hash(sha1): ff 65 98 ff d0 a9 ff f1 70 ff 53 2b ff dd 3d ff eb 22 ff 0a

# 3) Verify the subject line is the correct certificate and then clean up the “thumbprint” hash by removing all space characters

# 4) The Remote Desktop listener reads the SHA1 thumbprint of the certificate to use from a BINARY registry value:
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash = <thumbprint>
# Example reg hack
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "SSLCertificateSHA1Hash" /t REG_BINARY /d ff6598ffd0a9fff170ff532bffdd3dffeb22ff0a

# Only change this as a last resort! (It makes CredSSP rely on the cached CRL and ignore “revocation unknown” errors.)
# 5) The revocation check may need to be constrained to the locally cached list with this DWORD value if no CRL is reachable.
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1
# Example reg hack
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Credssp" /v "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors" /t REG_DWORD /d 1
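Steps 2) through 4) above, combined into one elevated PowerShell script as an added example (not from the original post). The subject pattern "example.com" and the RDP-Tcp registry path come from the post; the uniqueness check, the 40-hex-character check and the read-back verification are assumptions about what a careful admin would want.

```powershell
# Added example: bind the RDP-Tcp listener to a certificate by subject. Run elevated.
# ASSUMPTION: the wanted certificate's subject contains "example.com" (placeholder from the post).
$subjectPattern = 'example.com'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Steps 1-2: find the certificate in Local Computer\Personal that has a private key and
# whose subject matches. Insist on exactly one match so the wrong cert is never bound.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$subjectPattern*" })
if ($certs.Count -ne 1) {
    throw "Expected exactly one matching certificate, found $($certs.Count)."
}
$cert = $certs[0]
Write-Host "Using: $($cert.Subject) (expires $($cert.NotAfter))"

# Step 3: .Thumbprint is the SHA1 hash without spaces; still confirm it is 40 hex characters
# before touching the registry, since a malformed value silently breaks the listener.
$thumb = $cert.Thumbprint.ToUpper()
if ($thumb -notmatch '^[0-9A-F]{40}$') { throw "Unexpected thumbprint format: $thumb" }

# Step 4: the registry value is REG_BINARY, so convert the hex string into its 20 raw bytes.
$bytes = New-Object byte[] 20
for ($i = 0; $i -lt 20; $i++) {
    $bytes[$i] = [Convert]::ToByte($thumb.Substring($i * 2, 2), 16)
}
Set-ItemProperty -Path $listenerKey -Name 'SSLCertificateSHA1Hash' -Value $bytes -Type Binary

# Read the value back and compare it to the thumbprint to confirm the binding took effect.
$stored = (Get-ItemProperty -Path $listenerKey -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
$storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
if ($storedHex -ne $thumb) { throw "Registry value does not match the certificate thumbprint." }
Write-Host "RDP-Tcp listener bound to $thumb; restart Remote Desktop Services to apply."
```

The Remote Desktop Services service (running as NETWORK SERVICE) must also be able to read the certificate's private key, or clients will still be offered the self-signed certificate.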

Dell Wyse Cloud Connect

This is the Dell “PC-on-a-Stick”: http://www.dell.com/us/business/p/cloud-connect/pd?~ck=anav

Use the Dell Cloud Client Manager server for $22 a year per device: https://www.cloudclientmanager.com/

Spiceworks Agent Deployment