How to Install a trusted certificate onto a FileZilla FTP server to enable FTPS (FTP over TLS)

I was recently helping troubleshoot an issue where as part of that I needed to get a 50GB SQL Database transferred from an interstate client onto our servers.  Both the client and us have a decent Internet Connection and we already had an FTP server in place but I was worried about the sensitive nature of the material we were transferring, so I set about enabling FTP over TLS on our FileZilla FTP Server using our Public CA Digital Certificate, the process took a little fiddling and I’ll outline it now. One thing I would highly recommend is re-exporting this Certificate with a different private key than what you would normally use as FileZilla unfortunately stores it in plain text.

openssl-commandsFirstly, you will need the OpenSSL windows binaries (available here).  Once downloaded, extract them to a handy place like c:\openssl and copy across your Certificate in PKCS#12 .pfx format (which is what our default format of the certificate is).  So we have .pfx inside c:\openssl. Now that we are ready, open an administrative command prompt and CD into C:\OpenSSL (handy tip, in Windows Explorer when you are in a folder you want to open a CMD prompt to, just type CMD into the address bar and hit enter).  Now there are two commands we will use with OpenSSL to convert and strip out what we need.

openssl pkcs12 -in <your.pfx>  -nocerts -nodes -passin pass:<yourpass> | openssl rsa -out <output.pem>

and

openssl pkcs12 -in <your.pfx> -clcerts -nokeys -passin pass:<yourpass> -out <output.crt>

filezilla-settingsOnce you have that, open both of them up in Notepad (or Notepad++), you will want to copy the Certificate extract from command two into the RSA Key we extracted in command one.  Once we have that save the file as <yourcertnamehere>.crt.  Open up FileZilla Server manager and go into Settings.  Under the FTP over TLS Settings page, select the Certificate we created earlier and enter the Private Key for the Certificate and click OK.  Now I’d recommend using WinSCP to connect as it trusts certificates already in the Windows Trusted Root CAs Store (FileZilla will always prompt to trust).

 

Adventures with setting up RDS RemoteApp and Web Access in Windows Server 2012 R2

RDS Overview in Server ManagerSo I was recently setting up a demo environment in Azure with two servers.  Our goal was to have Remote Web Access and then publish RemoteApps through that so we could give live demos.  The process to setup Remote Desktop Services is much easier in Server 2012 / 2012 R2 thanks to the Add Remove Features Wizard, but there are still some gotcha’s that I encountered and will cover in this blog post.

The first thing was getting the FQDN of the RD Gateway / Web Access server set to our external domain (since it is different). For example we’ll use adatum.internal and adatum.com.au.  For web access it is simply a matter of having a public DNS record and pointing to your web server but getting it working for the RD Gateway requires some PowerShell.  A script from the TechNet Gallery called Change published FQDN for Server 2012 or 2012 R2 RDS Deployment works a treat for Server 2012 and 2012 R2.  Simply go to the directory you have the script in with a PowerShell admin prompt and enter the following;

Set-RDPublishedName "remote.adatum.com.au"

This should now allow clients to see a connecting to a proper server FQDN instead of something like rds-01.demo.adatum.local.

My next issue was when my demo client when to connect it errored out with 0x607 – An authentication error has occurred.  After having a talk with someone in the office I had found out the Session Host server was hosting some demo web apps that ran using HTTPS.  Now I had imported a proper certificate (that hadn’t expired) but still found this issue.  So I opened up mmc.exe added the Certificates snap-in, browsed the computer certificate store and under personal I could see an EXPIRED certificate.  I deleted this but was still getting the error.  So my other trick was to force Terminal Services to no longer try to use that certificate.  To do this I opened up REGEDIT and went to the following key;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

In this key I would scroll down until I found SSLCertificateSHA1Hash and deleted the entry (you could also replace the hash with our good certificate).  Once I had done this, I restarted the server for good measure and was then able to connect up to my Remote Apps using Web Access without an issue.

 

A note about Veeam and Guest Indexing

Guest Indexing PropertiesSo I was asked to help out in a situation where a Backup Server had begun to run out of space. One of the first things you look at doing is cutting down retention rates.  In this particular setup Veeam had its Database and other associated files sitting on a 30GB disk, which also happened to be just about full (30MB free).

After a quick run of SpaceMonger I was able to identify that the Guest Indexing folder was taking up the majority of the space.  So I set about making a list of VMs that we didn’t really need indexing for.  A thing a lot of people don’t realise is that you don’t need to enable Guest Indexing to perform item level restores but makes the process becomes much faster because Veeam already knows what is in the backup image and where it needs to go.

To go about disabling it for particular virtual machines in a backup job, edit the job, go into Guest Processing, hit the indexing button then for each Virtual Machine in your job that you don’t need indexing for, hit edit and then select Disable Indexing.  For my job I left it on for an application server that had flat file attachments and file servers, the remainder I turned off for this job. Hope that helps.

ProTip: Did you know you can get a 1 year NFR Veeam License if you are certified in some areas of VMWare, Microsoft, Cisco or PernixData?

Setting the default wallpaper on a Windows 10 image deployment through MDT

Action - Set Default WallpaperSo recently I’ve been working on improving and streamlining our imaging process. One of the pain points that I have had with Windows 10 was an easy way of setting the default wallpaper, but without locking out the user, i.e. Group Policy from changing it in the future. After a long session of Google Fu and finding Powershell and VB scripts I settled on a simple solution of a batch file to take ownership and replace the default wallpaper files.

As the majority of our devices are laptops, I set the default img0.jpg to a resolution of 1366 x 768 and then proceeded to create all of the different resolutions in the 4K folder, 1024×768, 1200×1920, 1366×768, 1600×2560, 1920×1200, 2160×3840, 2560×1440, 2560×1600, 3840×2160, 768×1024, 768×1366. Once I had all the images ready, I created a file structure and then made the below batch or cmd file for my Application Install Task. If you are running SCCM instead of just MDT, change Administrators to SYSTEM.

takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant Administrators:(F)
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant Administrators:(F)
del c:\windows\WEB\wallpaper\Windows\img0.jpg
del /q C:\Windows\Web\4K\Wallpaper\Windows\*.*
copy "%~dp0img0.jpg" c:\windows\WEB\wallpaper\Windows\img0.jpg
copy "%~dp04k\*.*" C:\Windows\Web\4K\Wallpaper\Windows

Once I had everything ready, I created an New Application Install called Action – Set Default Wallpaper and got it to call my batch file. Once that was done, I went and added it into my Task Sequence for building our Windows 10 Image as one of the first items to run once Windows 10 has passed the OOBE stage, so under State Restore, after the Windows Updates.

That process has worked every time flawlessly for me, where as the scripts I had found didn’t.

Adjust resource mailbox calendar permissions on Exchange 2010/2013 using PowerShell

Quick one today.  By default, when creating a room resource mailbox, Exchange will grant default permissions of AvailabilityOnly for any user (default), if you are after people knowing who has booked a room or resource then you can adjust the permissions to Reviewer. The quickest way to do this is via PowerShell, you can use the following cmdlet;

Add-MailboxFolderPermission -Identity MeetingRoom2:\Calendar -user "Staff - All Staff" -AccessRight Reviewer

I am using a group (called Staff – All Staff) in the above that does not have any permissions already applied to that mailbox calendar. If the user or group already has some kind of permission, you will need to use Set-MailboxFolderPermissions instead of Add-MailboxFolderPermissions.

If you have multiple Resource Mailboxes, you can pipe a Get-Mailbox to hit them all at once like so;

$rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox
$rooms | %{Add-MailboxFolderPermission $_":\Calendar" -User "Staff - All Staff" -AccessRights Reviewer}

Hope that helps.

Fixing Windows cannot connect to printer with Error Error 0x0000007e when shared on Windows Server 2003 or 2008 32 bit (x86) and your client is 64 bit

Printers and FaxesSo I was out installing a new laptop for a client recently, their server infrastructure is very old (they’re still running Server 2003 but about to migrate) and doing the final stage of the deployment I was installing the local printer in the office but got Windows cannot Connect to the Printer (0x0000007e) error every time I tried.
I finally stumbled upon an old forum topic regarding HP print driver incompatibilities between 32 server and 64 bit client machines where it was unable to find a particular file.

The trick was to delete the following registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\PrinterNameHere\CopyFiles\BIDI replacing PrinterNameHere with the name of your printer. This then allowed me to connect to the printer correctly on the 64 bit client without any errors.

Issues Deploying a Custom Windows 10 Start Menu Layout when using an image with a Default Profile

So I’m in the final stages of getting our Windows 10 Deployment ready to go and I am currently in the process of branding and customising our image, which includes setting a custom Start Menu Tile Layout.  This is done with the use of two PowerShell commands Export-StartMenuLayout and Import-StartMenuLayout.

I created our preferred start menu, exported on my test computer and then added a Task to our MDT Deployment Task Sequence.

I found that this completed without any errors but Windows was not applying the Start Menu, after a bit of digging around, I found an issue where if you have CopyProfile set to true in your unattend xml answer file then there is another step that you need to complete which is to delete the TileDataLayer folder located in C:\Users\Default\AppData\Local and once I added that line to my batch file the Start Menu appeared.  My complete batch file is as follows;

powershell.exe -ExecutionPolicy Bypass -Command "Copy-Item '%~dp0StartMenu.xml' -destination C:\Windows\Temp; Import-StartLayout -LayoutPath C:\Windows\Temp\StartMenu.xml -MountPath $env:SystemDrive\; Remove-Item C:\Windows\temp\StartMenu.xml -Force"
rmdir C:\Users\Default\AppData\Local\TileDataLayer /q /s

Hope that helps.