Monday, May 19, 2014
Sunday, May 18, 2014
SSL 3.0 errors and solutions
http://www.techieshelp.com/how-to-enable-ssl-3-0-server-2008-sbs-2008/
How To Enable SSL 3.0 Server 2008 /SBS 2008/SBS2011
Problem
Server 2008, Server 2008 SBS and SBS 2011 do support SSL 3.0, but by default the protocol is not switched on, so the server does not respond to anything that tries to connect with it. It is left off for security reasons; if you nonetheless need SSL 3.0 enabled on your server, you can enable it with some additional registry keys. Follow the step-by-step guide below.
Resolution
(MAKE SURE THAT YOU BACK UP YOUR REGISTRY BEFORE APPLYING THESE CHANGES)
• Using regedit, add the following keys (right-click on Protocols -> New -> Key, naming them "SSL 2.0", "SSL 3.0" and "TLS 1.0"):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
• Under each of the keys above, create two additional keys, "Client" and "Server":
For SSL 2.0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
For SSL 3.0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
For TLS 1.0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Then create a DWORD (32-bit) value called "Enabled" under each "Client" and "Server" key for SSL 2.0, SSL 3.0 and TLS 1.0:
DWORD (32-bit) Value
Value name = Enabled
Value data = 0
Value data can be set to "1" (enabled) or "0" (disabled).
In my scenario the values were “enabled” (set to 1) for SSL 3.0 and TLS 1.0 and “disabled” (set to 0) for SSL 2.0
[Screenshots in the original post: the Enabled value set to 0 for SSL 2.0, and set to 1 for SSL 3.0.]
• The next step is to add the correct ciphers. To do so, navigate to the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Ciphers
• (right-click on "Ciphers" -> New -> Key) and create these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
• That's all! Now restart your server to apply the changes.
• If you use TMG 2010 or ISA 2006 to publish the website externally, you will need to apply exactly the same registry settings there as well.
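The procedure above done from PowerShell instead of regedit, as an added example that is not code from the techieshelp article. It assumes an elevated PowerShell prompt on the server itself; the function and variable names are my own, and a reboot is still needed afterwards. The Get-SchannelProtocolState function is the useful part for auditing: it distinguishes "no value present" (Schannel falls back to the OS default) from an explicit 0. SSL 2.0 and SSL 3.0 are both obsolete today, so the same Set-SchannelProtocol call with $false is how you would turn them off.

```powershell
# Added example, not code from the original article: audit the Schannel protocol
# keys and write the same keys/values the manual steps create.
# Assumes an elevated PowerShell prompt on the server; a reboot is still required.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Backup-SchannelKey {
    # The "back up your registry first" step: export the whole SCHANNEL key to a .reg file.
    $file = Join-Path $env:TEMP ('SCHANNEL-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $file /y | Out-Null
    return $file
}

function Get-SchannelProtocolState {
    # One row per Protocols\<name>\{Client,Server} key. No key or no Enabled value
    # means Schannel uses the OS default, which is not the same as disabled.
    $protoRoot = "$SchannelRoot\Protocols"
    if (-not (Test-Path -Path $protoRoot)) { return }
    foreach ($proto in Get-ChildItem -Path $protoRoot) {
        foreach ($side in 'Client', 'Server') {
            $key = "$protoRoot\$($proto.PSChildName)\$side"
            $enabled = $null
            if (Test-Path -Path $key) {
                $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            }
            [pscustomobject]@{
                Protocol = $proto.PSChildName
                Side     = $side
                State    = if ($null -eq $enabled) { 'not set (OS default)' }
                           elseif ($enabled -eq 0)  { 'disabled' }
                           else                     { 'enabled' }
            }
        }
    }
}

function Set-SchannelProtocol {
    # Creates Protocols\<Name>\Client and \Server and writes Enabled as a REG_DWORD (1 or 0).
    param(
        [Parameter(Mandatory)][string]$Name,     # 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', ...
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = "$SchannelRoot\Protocols\$Name\$side"
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    }
}

function Set-SchannelCipher {
    # Cipher key names such as 'RC4 128/128' contain a slash, which the PowerShell
    # registry provider would treat as a path separator, so use the .NET registry API.
    # For cipher keys Schannel reads 0 as disabled and 0xFFFFFFFF (-1 as a DWORD) as enabled.
    param(
        [Parameter(Mandatory)][string]$Name,     # 'RC2 128/128', 'RC4 128/128', 'Triple DES 168/168'
        [Parameter(Mandatory)][bool]$Enabled
    )
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
    if ($null -eq $ciphers) { throw 'SCHANNEL\Ciphers key not found' }
    $key = $ciphers.CreateSubKey($Name)
    $value = if ($Enabled) { -1 } else { 0 }
    $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $ciphers.Close()
}

$backup = Backup-SchannelKey
Write-Host "SCHANNEL exported to $backup"
# The article's scenario: SSL 2.0 off, SSL 3.0 and TLS 1.0 on. (SSL 3.0, RC2 and RC4
# are all obsolete now; pass $false to the same functions to turn them off.)
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $true
foreach ($c in 'RC2 128/128', 'RC4 128/128', 'Triple DES 168/168') { Set-SchannelCipher -Name $c -Enabled $true }
Get-SchannelProtocolState | Format-Table -AutoSize
```

Run Get-SchannelProtocolState on its own before and after the change (and on the TMG/ISA box) to confirm both sides of each protocol are in the state you intended.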
If you need to buy an SSL cert, check out Go Daddy, and if you want to know how to install the certificate then follow this guide.
How to troubleshoot journal_wrap errors on Sysvol and DFS replica sets
http://support.microsoft.com/kb/292438
http://www.squidworks.net/2011/09/ntfrs-journal-wrap-errors-detected-on-domain-controller/
File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” is in JRNL_WRAP_ERROR
Are you getting this error in your File Replication Service?
The File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” is in JRNL_WRAP_ERROR.
Replica set name is : “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)”
Replica root path is : “c:\windows\sysvol\domain”
Replica root volume is : \\.\C:
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.
[1] Volume “\\.\C:” has been formatted.
[2] The NTFS USN journal on volume “\\.\C:” has been deleted.
[3] The NTFS USN journal on volume “\\.\C:” has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on \\.\C:.
Setting the “Enable Journal Wrap Automatic Restore” registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
This is caused when the Sysvol gets corrupted, and it is simple to fix. I will walk you through the steps.
First off, before we do anything, let's back up by taking a Shadow Copy of the C: drive. To do this, open My Computer, select the C: drive, right-click it and select Properties. Now find the Shadow Copies tab, highlight the C: drive and click the "Create Now" button to create a backup point on the drive. You do not need to "Enable" Shadow Copies to take a one-time snapshot.
Now that we have a backup point to go back to if all hell breaks loose, we can safely move on to the next step. Open up REGEDIT, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters and create a new REG_DWORD value called Enable Journal Wrap Automatic Restore with a hex value of 1.

Now launch a command window (DOS) and run the following commands:
NET STOP NTFRS
NET START NTFRS
This will then cause the following to appear in your File Replication Service Event Log:
The File Replication Service is deleting this computer from the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” as an attempt to recover from the error state,
Error status = FrsErrorSuccess
At the next poll, which will occur in 5 minutes, this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
This will be followed by the following Event Log:
File Replication Service is scanning the data in the system volume. Computer MyDomainServer cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
This will be followed by the following Event Log:
The File Replication Service moved the preexisting files in c:\windows\sysvol\domain to c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog.
Now we need to wait a bit and allow the replication to complete. This has taken anywhere from 5 to 20 minutes for me, depending on the server and what is being replicated. You will know it is complete when you get the event log entry:
The File Replication Service is no longer preventing the computer MyDomainController from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
Once you get this log entry, replication is complete and the Journal Wrap issue is fixed. Now go back to REGEDIT and change the entry we placed there from 1 to 0.
You are all done.
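The same recovery sequence as a script, added here as an example and not code from the squidworks post. It assumes an elevated PowerShell prompt on the affected domain controller, that the FRS log is named "File Replication Service", and that the "no longer preventing ... becoming a domain controller" entry (event 13516) is the completion signal the post describes; the function names are my own. It exports the NtFrs\Parameters key before touching it, arms the automatic restore, restarts the service, waits for the completion event, and then puts the value back to 0 exactly as the post's last step says.

```powershell
# Added example, not code from the original post: the journal-wrap recovery steps
# as a script. Assumes an elevated PowerShell prompt on the affected domain controller.

$NtFrsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$ValueName   = 'Enable Journal Wrap Automatic Restore'

function Backup-NtFrsParameters {
    # Export the key before changing it (the post's snapshot of C: covers SYSVOL itself).
    $file = Join-Path $env:TEMP ('NtFrs-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' $file /y | Out-Null
    return $file
}

function Set-JournalWrapAutoRestore {
    param([Parameter(Mandatory)][int]$Value)   # 1 arms the automatic restore, 0 disarms it
    New-ItemProperty -Path $NtFrsParams -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

function Wait-SysvolInitialized {
    # Poll the FRS log until the "no longer preventing ... becoming a domain controller"
    # entry (event 13516) is written after the service restart.
    param([Parameter(Mandatory)][datetime]$Since, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $hit = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; StartTime = $Since } -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -like '*no longer preventing*' } |
               Select-Object -First 1
        if ($hit) { return $hit }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "SYSVOL was not initialized within $TimeoutMinutes minutes; check the File Replication Service log."
}

$backup = Backup-NtFrsParameters
Write-Host "NtFrs\Parameters exported to $backup"
Set-JournalWrapAutoRestore -Value 1
$restartedAt = Get-Date
Restart-Service -Name NtFrs -Force            # same effect as NET STOP NTFRS / NET START NTFRS
$done = Wait-SysvolInitialized -Since $restartedAt
Write-Host ("{0:u}  {1}" -f $done.TimeCreated, $done.Message)
Set-JournalWrapAutoRestore -Value 0           # last step in the post: put the value back to 0
```

If the wait times out, the script deliberately leaves the value at 1 and throws, so you can read the FRS log (the "deleting this computer from the replica set", "scanning the data" and "moved the preexisting files" entries quoted above) before deciding what to do next.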
Event ID 8193 Volume Shadow Copy Service Error - fix
Event ID 8193 Volume Shadow Copy Service Error
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.
Context:
Writer Class Id: {0ff1ce14-0201-0000-0000-000000000000}
Writer Name: OSearch14 VSS Writer
Writer Instance ID: {07c936a8-347c-4e39-8014-2a057f611382}
Solution:
Go to the Details tab within the event.
There you'll see some information and a user: the SharePoint Search Admin account.
Give that user Full Control on the registry key:
HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag
After a server reboot the error message should not appear again.
Event ID 10 is logged in the Application log
http://support.microsoft.com/kb/950375
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
To resolve this problem, run a script to stop the Event ID 10 messages. To run this script, follow these steps:
- In a text editor, such as Notepad, create a new text document named Test.vbs.
- Paste the following code into Test.vbs:
    ' Connect to the WMI subscription namespace on the local machine
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\subscription")
    ' The filter named BVTFilter is the one that logs Event ID 10
    Set obj1 = objWMIService.Get("__EventFilter.Name='BVTFilter'")
    ' Consumers bound to the filter, and the binding objects themselves
    Set obj2set = obj1.Associators_("__FilterToConsumerBinding")
    Set obj3set = obj1.References_("__FilterToConsumerBinding")
    For Each obj2 In obj2set
        WScript.Echo "Deleting the object"
        WScript.Echo obj2.GetObjectText_
        obj2.Delete_
    Next
    For Each obj3 In obj3set
        WScript.Echo "Deleting the object"
        WScript.Echo obj3.GetObjectText_
        obj3.Delete_
    Next
    ' Finally remove the filter itself
    WScript.Echo "Deleting the object"
    WScript.Echo obj1.GetObjectText_
    obj1.Delete_
- Run the script (for example: cscript Test.vbs from an elevated command prompt).
- After you run this script, the Event ID 10 messages stop appearing in the Application log. However, you have to manually clear any previous Event ID 10 messages.
Note: Make sure that you only delete the appropriate Event ID 10 messages. There may be other pertinent Event ID 10 messages that you do not want to delete.
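Before running a script that deletes WMI objects it is worth seeing what is actually bound in root\subscription. The PowerShell below is an added example, not code from the KB article: it joins every __FilterToConsumerBinding to its __EventFilter and __EventConsumer so you can see the query and the action (command line or script) of each permanent subscription, including the BVTFilter one. Permanent WMI subscriptions are also a well-known persistence location, so the same inventory is worth keeping for any server you administer. The function name is my own.

```powershell
# Added example, not code from the KB article: inventory permanent WMI event
# subscriptions so you can see what BVTFilter is bound to before deleting it.

function Get-WmiPermanentSubscription {
    param([string]$ComputerName = '.')
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Binding.Filter / .Consumer hold object paths such as __EventFilter.Name="BVTFilter"
        $f = $filters   | Where-Object { $b.Filter   -match ('Name=["'']' + [regex]::Escape($_.Name) + '["'']') } | Select-Object -First 1
        $c = $consumers | Where-Object { $b.Consumer -match ('Name=["'']' + [regex]::Escape($_.Name) + '["'']') } | Select-Object -First 1
        [pscustomobject]@{
            FilterName   = if ($f) { $f.Name }  else { $b.Filter }
            Query        = if ($f) { $f.Query } else { '' }
            ConsumerType = if ($c) { $c.__CLASS } else { '' }
            ConsumerName = if ($c) { $c.Name }  else { $b.Consumer }
            # What fires: a command line or a script, depending on the consumer class
            Action       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                           elseif ($c.ScriptText)      { $c.ScriptText }
                           else                        { '' }
        }
    }
}

# Everything bound on this machine, then only the subscription the KB article removes
Get-WmiPermanentSubscription | Format-List
Get-WmiPermanentSubscription | Where-Object { $_.FilterName -eq 'BVTFilter' }
```

Anything in the list whose Action you do not recognise deserves investigation before, not after, the cleanup; the KB script only removes objects associated with BVTFilter and leaves the rest alone.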
VSS error 8193 Unexpected error calling routine ConvertStringSidToSid fix
If you get this error, you need to find the .bak SID in the error message. For example:
Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-2747290079-2543033363-2118852912-1197.bak). hr = 0x80070539, The security ID structure is invalid.
the SID is S-1-5-21-2747290079-2543033363-2118852912-1197.bak
Then go into the registry at
HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
Delete the key (after backing it up)
Reboot and see if the problem goes away
http://social.technet.microsoft.com/Forums/windowsserver/en-US/7b52f7c1-a783-409e-9af3-da64567676df/vss-error-8193?forum=winserverfiles
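The same fix scripted, as an added example that is not code from the post or the TechNet thread. It assumes an elevated PowerShell prompt and that the 8193 events are written to the Application log under the provider name "VSS"; the function names are my own. It parses the .bak SID out of the event text, lists every .bak entry under ProfileList alongside its profile path (and whether a live entry for the same SID exists next to it), and removes only the named entry after exporting it to a .reg file.

```powershell
# Added example, not code from the original post: pull the .bak SID out of the VSS
# 8193 event, show the matching ProfileList entries, and remove only that one
# after exporting it. Assumes an elevated prompt and that the event source is 'VSS'.

$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-VssBakSidFromEventLog {
    # Parse 'ConvertStringSidToSid(S-1-5-...-1197.bak)' out of the 8193 events.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'VSS'; Id = 8193 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'ConvertStringSidToSid\((S-1-5-[\d-]+\.bak)\)') { $Matches[1] }
        } | Sort-Object -Unique
}

function Get-BakProfileKey {
    # Every ProfileList subkey ending in .bak, with its profile path and whether a
    # live (non-.bak) entry for the same SID exists alongside it.
    Get-ChildItem -Path $ProfileList | Where-Object { $_.PSChildName -like '*.bak' } | ForEach-Object {
        $live = "$ProfileList\$($_.PSChildName -replace '\.bak$', '')"
        [pscustomobject]@{
            Sid         = $_.PSChildName
            ProfilePath = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
            HasLiveTwin = Test-Path -Path $live
        }
    }
}

function Remove-BakProfileKey {
    param([Parameter(Mandatory)][string]$Sid)   # the exact name from the event, e.g. 'S-1-5-21-...-1197.bak'
    if ($Sid -notlike '*.bak') { throw "Refusing to delete '$Sid': only .bak entries are handled here." }
    $key = "$ProfileList\$Sid"
    if (-not (Test-Path -Path $key)) { throw "Not found: $key" }
    $backup = Join-Path $env:TEMP "ProfileList-$Sid.reg"      # the post's "after backup"
    reg.exe export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid" $backup /y | Out-Null
    Remove-Item -Path $key -Recurse
    return $backup
}

Get-BakProfileKey | Format-Table -AutoSize
foreach ($sid in Get-VssBakSidFromEventLog) {
    Write-Host "Removing $sid (backup: $(Remove-BakProfileKey -Sid $sid))"
}
# Then reboot, as the post says, and check whether 8193 comes back.
```

The .bak guard in Remove-BakProfileKey is deliberate: a live ProfileList entry is what maps an account to its profile folder, and deleting one by mistake gives that user a temporary profile at next logon.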
Friday, May 16, 2014
Windows NTP Tips - 2008/2012 - Setting external time sources
Ntp on windows
Follow this, but for 2012 do not put quotes around the NTP names; just separate them with commas.
http://jackstromberg.com/2013/10/configuring-external-time-source-on-your-primary-domain-controller/
so
w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
would be
w32tm.exe /config /manualpeerlist:0.us.pool.ntp.org,1.us.pool.ntp.org,2.us.pool.ntp.org,3.us.pool.ntp.org /syncfromflags:manual /reliable:YES /update
I am going to repost the content here in case the page goes away.
Configuring external time source on your Primary Domain Controller
Here we will configure your primary domain controller (PDC) to connect to an external source to keep your time synchronized with the rest of the world. By changing the primary DC's time source to an external source, the change is replicated from the PDC to the other clients in your domain, limiting the amount of bandwidth needed to synchronize with an external source. First, I am going to reference much of the information provided by Marc Weisel. I would highly recommend you check out his blog post, as it contains a ton of valuable information on the subject as well as more information and best practices in regard to keeping time in your organization's infrastructure: http://binarynature.blogspot.co.uk/2012/04/configure-active-directory.html
- Find out which server is the primary domain controller (PDC) for your domain by executing the following PowerShell commands from any machine in the domain
- Login to your primary domain controller
- Open up a command prompt/powershell window with administrative privileges
- Execute the following command to configure the domain controller to look at an external time source
- w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
- Notes: You can find the closest time server near you by browsing the following page and clicking on the nearest zone: http://www.pool.ntp.org/zone/@
- Execute the following command to actually perform a time synchronization with the external source
- Execute the following command for the changes to take effect
That’s all that is to it!
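The two /manualpeerlist syntaxes from the tip at the top of this post, applied from PowerShell, as an added example that is neither blog's code. It assumes you are already on the PDC in an elevated prompt; the function names are mine, the OS-version test (NT 6.2 is Server 2012) is my way of choosing between the quoted space-separated form for 2008/R2 and the comma-separated form for 2012, and the w32tm /resync call is my verification step rather than one of the page's commands. Start-Process is used for the /config call because it hands a single argument string to w32tm verbatim, so the quotes in the 2008 form survive exactly as typed.

```powershell
# Added example, not code from either blog post: build the /manualpeerlist argument
# in the syntax each server generation expects, apply it, and read back the result.

function Get-ManualPeerListArgument {
    # 2008/R2: quoted, space-separated.  2012+: comma-separated, no quotes.
    param([Parameter(Mandatory)][string[]]$Peers, [switch]$CommaSeparated)
    if ($CommaSeparated) { return ($Peers -join ',') }
    return '"' + ($Peers -join ' ') + '"'
}

function Set-ExternalTimeSource {
    param([Parameter(Mandatory)][string[]]$Peers)
    # Windows Server 2012 is NT 6.2; anything older gets the quoted form
    $commas  = [Environment]::OSVersion.Version -ge [Version]'6.2'
    $peerArg = Get-ManualPeerListArgument -Peers $Peers -CommaSeparated:$commas
    $argLine = "/config /manualpeerlist:$peerArg /syncfromflags:manual /reliable:YES /update"
    # Start-Process passes the string through to w32tm verbatim, so the quotes survive intact
    $p = Start-Process -FilePath 'w32tm.exe' -ArgumentList $argLine -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { throw "w32tm /config failed (exit $($p.ExitCode)): $argLine" }
    & w32tm.exe /resync | Out-Null        # assumed verification step: force an immediate sync attempt
}

function Get-TimeSourceStatus {
    # Summarize 'w32tm /query /source' and '/query /configuration' into one object
    $source = ((& w32tm.exe /query /source) -join '').Trim()
    $config = & w32tm.exe /query /configuration
    $ntpServer = $config | ForEach-Object { if ($_ -match '^\s*NtpServer:\s*(.+?)\s*\(') { $Matches[1] } } | Select-Object -First 1
    $type      = $config | ForEach-Object { if ($_ -match '^\s*Type:\s*(\S+)')          { $Matches[1] } } | Select-Object -First 1
    [pscustomobject]@{ Source = $source; Type = $type; NtpServer = $ntpServer }
}

$pool = '0.us.pool.ntp.org', '1.us.pool.ntp.org', '2.us.pool.ntp.org', '3.us.pool.ntp.org'
Set-ExternalTimeSource -Peers $pool
Get-TimeSourceStatus
```

After the change, Get-TimeSourceStatus should report Type NTP and the pool hosts as NtpServer; if Source still shows the local CMOS clock or a domain peer, the configuration did not take and the /config line is the first thing to re-check.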