What is the current advice is on the frequency of patching for IIS web servers and SQL DB servers please?
I know that patches are released each month but is it recommended to apply patches every month/more frequently/less frequently?
Thank you!
Tweedtheatrekat
I am attempting to upgrade our infrastructure to server 2012r2 from 2008r2. I've have run into issues with the KMS volume activation for our clients.
I've installed the Volume Activation Services Role and added a 2012r2 KMS key fine. Everything looks to be setup OK in DNS etc. However when I try and install additional KMS keys for Office 2010/13 Windows 7/8 the wizard tells me the key is invalid.
"Invalid product key or license mismatch"
I've tried installing the Key Host management hot fixes but these just report not for this operating system. I guess am I am missing something or misunderstanding but what?
Any help appreciated, I don't want to have to leave the 2008r2 running just for licensing.
Good Evening,
my client runs an application on a hosted Windows server. The application sends emails via exchange online mailbox. We are having the issue that sending an email takes over 3 minutes before we get the acknowledgment that the email was sent. I contacted Microsoft and they did a header analysis, which shows that it takes 5sec within the MS network to actually send the email. If I use a simple mail test program from the server, I get the same delays. If I use it from my computer, I get the acknowledgment within 20sec.
A tracert on the server to smtp.office365.com does not show any time outs and I've tried multiples, as smtp.office365.com resolves into many IPs. Tech support of the server host added some of the IPs to the firewall settings, but that did not make any difference.
To be honest, I don't even know where to start with this. Any help would be much appreciated.
Thanks!
Hi i have a server working as PDC & sole Dc for one of my environment & all other servers sync time from it.
Its a virtual server.
In w32time/config announce flag is set to 5.
In w32time/Timeproviders/ntpclient SpecialPollInterval is set to be 900.
In w32time/Parameters ntpserver is set to time.nist.gov & no 0X1 entry there.
How to resolve this all my servers are running 30 minutes behind .
By using command w32tm /query /peers i get below output & after time interval shows status active
#Peers: 1 Peer: time.nist.gov State: Pending Time Remaining: 663.1093750s Mode: 0 (reserved) Stratum: 0 (unspecified) PeerPoll Interval: 0 (unspecified) HostPoll Interval: 0 (unspecified)
w32tm /query /status shows below output.
C:\Users\Administrator>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 25/09/2014 09:34:31
Source: Local CMOS Clock
Poll Interval: 6 (64s)
I need this PDC to sync time with time.nist.gov.
Hi there
Since I've beeing installing server with Windows Server 2012 and Windows Server 2012 R2 I noticed some differences using a network account (ie Domain Admin - contoso\joe) and a local account (ie builtin local administrator - lcladm).
I noticed that, for example, when I run a command prompt logged as .\lcladm, it opens as Administrator by default; when I run it logged as contoso\joe, it opens as a non-Administrator. To open as Administrator I have to right-click, "run as Administrator".
Another example is running a .exe under "C:\Program Files" as contoso\joe.. It says: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" (even running as an Administrator). Logged as lcladm, I've normal access.
The UAC is disabled and this only happens on 2012/2012 R2 servers.
My question is, how can I make all the members of the Administrators group (that include lcladm, Domain Admins,...), when log in, have all the same permissions and log as administrators with no limitations? So, contoso\joe when log in, he runs de command prompt as administrator by default and don't need to right-click "run as administrator".
Thanks in advance. Cheers from Portugal!
Hi
I have tow server on my network i installed windows server 2008 and domain server and in the other server installed windows server 2008 and domain server but with replication configuration so now the main server if down shoud the second working auto ore what.
Regards
Hello,
Does anyone know of a way that i can use the computers OUs in my active directory to issue commands. e.g. I have an OU in my AD called "Accounts PCs" ... i'd like to be able to highlight all those computers, right click --> issue command. This pops up with a window or something that i can then enter a command or script into, then hit enter and that command gets issued to all those PCs.
It would be useful for remotely shutting down the PCs of a certain group or somesuch.
Thanks
Hi,
I've got a very strange problem with KMS. I have recently inherited a SharePoint DMZ environment built usingBest Practices for Securing Active Directory and CIS Microsoft Windows Server 2008 R2. All the servers were built using MAK keys, which worked well enough until IT Security locked down firewall access. Now all the server are going non-genuine. My solution was to setup a KMS activation and convert all the servers over. Seemed simple enough, even tested it in my Dev Lab no issues once the Windows Firewall was configured to allow KMS (TCP-in). So I set it up started converting servers to KMS, (slmgr /ipk). The client all Windows 2008 R2 Servers started sending activation requests to the KMS machine, (Event ID: 12288). Here’s where the problems start, according to the firewall logs on the KMS Server it allows the request in but no Event ID: 12289’s are registered and the client display’s the following: “Error: 0xC004F074 The Software Licensing Service reported that the computer could not be activated. The Key Management Service (KMS) in unavailable”. Verified the KMS is active and listening on port 1688. Ran it again with Wire Shark installed and it showed the DCERPC protocol attempting to connect and getting “status: nca_s_fault_access_denied”. Began investigating RPC issues, found two RPC related GPO entries in our Default Domain Policy and reference in the CIS benchmark referenced above.
Computer Configuration \ <policies> \ Administrative Templates \ System \ Remote Procedure Call
Both are “Enabled” and the first is set with the following option: "Authenticated without Exceptions".
So I proceeded to set these up in my Lab and… BOOM, killed my Lab environment. See http://blogs.technet.com/b/askds/archive/2011/04/08/restrictions-for-unauthenticated-rpc-clients-the-group-policy-that-punches-your-domain-in-the-face.aspx
After I rebuilt my Lab, I determined the culprit was GPO entry #1 -Restrictions for unauthenticated RPC clients -Authenticated without Exceptions. My attempts at changing this option cause it to “hoop” my lab environment yet again.
Question time:
Does anyone know how to change this option safely and to not cause the problems I’ve had?
Does anyone have any alternate methods or ideas for setting up KMS in an environment such as mine?
Any help would be greatly appreciated.
Regards,
James
I have a Windows network with 3 domain controllers and 5 member servers, all running Windows 2003 server. All workstations are XP professional. Since Monday, I have noticed that my user account keeps getting locked out every 6 or 7 minutes. The AD accounts are set to lock out after 4 tries with a wrong password. How do I setup an audit process to find out which computer, user, process or perhaps hacker is trying to access what part of the network on which server that is causing this?
thank you for your help
Vahid
History
I've been using Server 2008R2 as a KMS server for years. Last year, we installed the patch to allow it to function for Windows 8.1/2012R2 clients. It worked flawlessly.
I recently decommissioned that server (I manually uninstalled the KMS host key, unpublished the DNS entry, shutdown the server, and deleted its VM). Furthermore, I deleted the _VLMCS srv record from DNS, and confirmed that no trace of the server remained - anywhere.
Then, I built a new 2012R2 server, added the Volume Licensing Role, installed the KMS host key, and activated it. I verified the DNS entry was properly created, and confirmed clients are registering with the new server. Everything worked great -- that was three weeks ago.
Problem
Today, I have a problem with a new Windows installation not activating. I discovered that the DNS SRV record for the KMS server was gone.
I went to the server and confirmed that DNS publishing is enabled, and I restarted the sppsvc service. The DNS record was not created, so I rebooted the server. The DNS record still not created. I checked the event logs, and there are no entries indicating a failure, nor are there entries indicating an attempt to register the DNS record.
It seems that the KMS server simply isn't publishing the DNS record.
Workaround
I manually created the SRV record, but I shouldn't need to do this and I don't like it. Hence, I am posting this looking for a proper "fix".
Speculation/Conclusion
Does Windows Server 2012R2 have a bug where it doesn't publish the DNS entry, except for the very first time? Does anyone have any helpful ideas? Does anyone else have this problem?
Other
This problem is very similar to:KMS publish DNS record
Thanks in advance for your efforts to help me!
-Tony
Hello All
Am facing an issue for configuring the NFS Service but as initial installation its showing as successful!
After NFS installation am not seeing NFS sharing in the folder property's tab!
And in this forum some people suggested to stop n disable ONC/RPC portmapper services! hw this possible ??
Cos RPC Service is created only when we install NFS and if we stop this then hw come NFS will work ??
There is no logic in that!
And even I one person said to stop the services which are using port 111 [udp/tcp] ??
In my server port 111 using process id 4 n this process is same for other ports to like 443,139 and the pid 4 belongs to System services !! If I stop this service my server system itself get crash!!
Even I tried the option Server Mgr->File Service->Share n Storage Management-> Edit NFS Configuration (right side)-> use service for NFS to share folder
Even this option also failed saying NFS shared folder cannot be created!
Request you to look on this n help to fix it!!
Note: This is a virtual machine running on vmware!
Thanks
Praveen
praveen bellary.
Hello,
in Active Directory Server When opening \\server , Shared Folders are shown but after trying to open the folder windows says "Can not access \\server\folder"
On domain clients when entering \\server an empty page is shown.
How can I resolve this problem?
Hi, I do not know if I have ask the question in the correct thread or forum. So I decided to put into Windows server management.
My company does create website and also host for them, and we also have FTP services for some of the clients. currently we have about 6 servers, and all of them are stand alone web server, with SQL installed in each and everyone of them. THis have been running for past 7 years and I am having a hard time managing it due to licensing and also too many web and ftp services spreading across all the servers.
We have decided to virtualize most of them and also have a centralize storage (SAN). we have bought the necessary hardwares (3x hosts and 1 SAN) and also licensing to do it.
Now this is my problem, i am the only one managing the whole infra. I have a group of developers who create the website and upload them to the respective servers (normally via FTP), I have also clients who have FTP services with us for them to dump their files to their clients. There are many times where the servers is infected with viruses mainly due to the files they uploaded, or the server is compromised as they have leaked out their password and of course many other reasons too. I am tired of clearing the shit every now each time the server is infected.
I need some suggestions or ideas or pointers, of the best and common practice that how i should managed the developers and users or their account. My new setup will be
3 Hosts, 1 SAN
1 Web VM - Shared hosting.
1 FTP VM
1 SQL VM
multiple Web VM - Dedicated hosting
1 DNS
1 Backup server
I have about 6 developers who need toremote access the above servers every now and then to upload files or edit the files for the WEB. I also have clients who pay for our FTP services.
I have a firewall, AV.
Dear experts, please kindly advise me.
Regards,
Knight
I'm trying to get WinRM to run over HTTPS using GPO configuration, and I'm having difficulty with the Certificate part.
I've got it working fine over HTTP.
The article http://otherdutiesasrequired.com/wp-content/uploads/2014/07/PSRemotingHTTPsConfig.pdf is very promising, but he glosses over the Certificate part.
TechNet indicates: "This certificate needs to be marked as a Server Authentication Certificate. It must also support Secure Sockets Layer (SSL). No certificate needs to be configured for the WinRM client. The certificate is used only if the WinRM service is enabled for remote access."
I haven't found any other step-by-step. What I have found (especially on TechNet) related to WinRM HTTPS has been extremely vague.
I'm running AD Server 2012 with Win7 and Win 8.1 clients. I have a Certificate Server running on my domain.
I just need a step-by-step for configuring whatever I need on the CA and for the clients. Interestingly, I haven't seen any indication anywhere on whether the Certificates need to be User or Computer level Certs. And whether every session (User or Computer) needs one, or only the initiating machine, or the target machine, or both.
Any help would be appreciated. Thanks.
Can anyone point me to a resource/doc or provide instructions?
Hi,
I would like to know if there is any way we can restrict the usage of Managed service account\GMSA on a Windows system to a particular AD group.
For example, there is Managed Service Account named "MSA1" which is associated with system Computer1. Once the account MSA1 is installed on computer1, then anyone who has a administrative privilege on Computer1 can use that account MSA (with sufficient privilege) to run any desired service on the system (as there is no need for password for msa). I will not have a clear idea on how MSA has been used on the system and who all have used it.
I want to restrcit the use of MSA\GMSA to a particular AD group and not all administrators on the system should be able to use it. Please let me know if this possible? (or) any solution to handle the above scenario.
Appreciate your thoughts on this.
Thanks
Hi,
I recently created a discussion about a Winx (Right Click) issue that I have in my environment. For windows servers 2012/2012 R2 and windows 8/8.1, I don't have the right click menu.
I don't use roaming profiles. The workaround is to manually copy the Winx folder for each user who log on but I would like to understand why it doesn't work.
Here is the previous discussion I created.
I really appreciate your help.
Thanks
Hello
I have Microsoft Action Pack. I want to know how do the CALs for the Lync / TFS 2013 Server work.
Am I entitled to any CAL for these Servers with my suscription?
Thank you.
Enrique S.
I'm trying to setup Source-Initiated event log forwarding. The collector is Server 2012 R2, and my test machines are Windows 7. I've followed the directions on http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx. Winrm is enabled and configured on our machines by GPO, and I'm setting the SubscriptionManager setting on the source machines by GPO as well. And I've created a simple subscription on the collector that gets all critical, warning, and error messages from the Application and System logs.
The source computers are not connecting though, and I can't figure out why. On the source computers, in the Operational log of Eventlog-ForwardingPlugin, I see this whenever a source attempts to forward:
Event ID 105
"The forwarder is having a problem communicating with subscription manager at address <MYSERVER>. Error code is 5 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="<MYCLIENT>"><f:Message>Access is denied. </f:Message></f:WSManFault>."
I've yet to find anything on the collector. The EventCollector log has no events. I've tried tweaks here and there based on stuff I've found on other sites, but nothing is working and I'm pretty stumped at this point. If anyone can give me an idea of what could be causing this access denied error or ways to get more information out of the source/collector machines, I'd really appreciate it.
I should also note all of these machines are in the same domain.
Hi All,
I have a Windows 2008 R2 SP 1 Domain Controller which has a handle leak in WinMGMT. We have have another 15 DCs with the same build and patch level that do not experience the handle leak. We use SCOM for monitoring.
I have used the information in this http://blogs.technet.com/b/yongrhee/archive/2012/06/28/how-to-troubleshoot-service-host-svchost-exe-related-problems.aspx blog to narrow the cause down to WinMGMT.
Currently svchost of Winmgmt is using around 75k handles, although it has been in the many hundreds of thousands before.
Using the handle.exe I can see that all but 500 of the handles of these are "Event" handles
Example output from handle:
C:\Users\username\Desktop>handle -a -p 2132 | find /C /I "event"
75090BE8: Event
Has anyone got experience identifying the source of these WMI Event Hooks? Is there a way to see the individual hooks to confirm that they are all the same, and possibly identify which scripts are causing them?
Cheers!
Shane
Hello,
The scenario is:
WIndows 2012R2 Std, and we want to audit the policy changes, in GPO like \policies\windows setting\secutirysettings\accountpolicies\password policy\
When I configure the "Password Policy modified" Audit , in de Event Viewer
shows invalid characters like this:
In Details shows
This event is not displayed correctly because the underlying XML is not well formed. Below is the raw text of the event.Any idea for resolution??
Thanks in advance.