Windows: How to generate a SAN certificate via Web enrollment

In environments where you have a Microsoft PKI infrastructure (AD CA) set up, you can create new certificates via web enrollment:

https://ca-server/CertSrv

This is straightforward for single-name certificates. If you wish to have multiple names for a certificate (Subject Alternative Names = SAN), you need a certain syntax in the "Attributes" field of the web page:

san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com

You can add as many names as you want, separated by "&".
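The san: request attribute is only honoured when the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set, and because that flag lets any enrollee put arbitrary names into a request, it is worth checking what the CA actually issued against what was requested. The following is an added example, not part of the original post, that reads the SAN extension from an exported certificate with .NET's X509Certificate2; the path and the expected names are placeholders.

```powershell
# Added example (not from the original post): compare the names in an issued
# certificate's SAN extension with the names that were requested.
# Assumes the exported certificate is at C:\certs\ldap.cer (placeholder path).
function Get-CertificateSanNames {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # 2.5.29.17 is the OID of the Subject Alternative Name extension
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }

    # Format($true) renders one entry per line, e.g. "DNS Name=ldap.fabrikam.com";
    # non-DNS entries (UPNs, IP addresses) are returned too so they show up as unexpected.
    ($san.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

function Test-CertificateSan {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$ExpectedNames
    )
    $actual  = @(Get-CertificateSanNames -Path $Path)
    $missing = @($ExpectedNames | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual | Where-Object { $ExpectedNames -notcontains $_ })
    [pscustomobject]@{
        Missing    = $missing
        Unexpected = $extra
        Ok         = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Constructed usage: the two names from the san: attribute above
Test-CertificateSan -Path 'C:\certs\ldap.cer' -ExpectedNames 'corpdc1.fabrikam.com', 'ldap.fabrikam.com'
```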

Active Directory: Reset Expiry Date of an expired Password

Many companies have a policy that requires their users to change their passwords regularly (e.g. every 90 days). In Active Directory, this is normally enforced via Group Policy.

This works well, but can be problematic if the user is out of the office while the password expires. An example: If he or she is using a mobile phone to access company emails via ActiveSync, the access will be blocked once the password has expired. ActiveSync does not support password changes, so the user has no way to get his or her mail working again.

One possible solution is to have the user call the company's service desk and have them reset his or her password to a standard one. On the ActiveSync device this new password would have to be entered and then mail flow would start again. Once back in the office, the user would have to set the password to something secret again.

While possible, this solution has some drawbacks and also some security and compliance implications.

A better solution is to have the service desk do the following:

  • Go to the user object in AD Users and Computers
  • On the "Account" tab, tick "User must change password at next logon"
  • Click "Apply"
  • Un-tick "User must change password at next logon"
  • Click "Apply"

This will un-expire the password and reset the expiry date to the full period (e.g. 90 days).
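The tick/un-tick in AD Users and Computers works because it writes pwdLastSet = 0 and then pwdLastSet = -1, which the domain controller replaces with the current time. The following is an added example, not from the original post, that performs the same two writes with the ActiveDirectory module and reads back the new expiry date; the module must be installed (RSAT) and the account name 'jdoe' is a constructed placeholder.

```powershell
# Added example (not from the original post): the same pwdLastSet reset that the
# ADUC tick/un-tick performs, followed by a read-back of the new expiry date.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a constructed account name.
Import-Module ActiveDirectory

function Reset-PasswordExpiry {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Ticking "User must change password at next logon" writes pwdLastSet = 0;
    # un-ticking it writes -1, which the DC replaces with the current time.
    Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = 0 }
    Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = -1 }

    # msDS-UserPasswordExpiryTimeComputed is the expiry the DC derives from the
    # effective password policy (default domain policy or a fine-grained one).
    $props = 'pwdLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    $expiry = $u.'msDS-UserPasswordExpiryTimeComputed'

    [pscustomobject]@{
        User           = $u.SamAccountName
        PasswordSet    = [datetime]::FromFileTime($u.pwdLastSet)
        # Int64.MaxValue is returned when the password never expires; FromFileTime would throw on it
        PasswordExpiry = $(if ($u.PasswordNeverExpires -or $expiry -eq [long]::MaxValue) { 'never' }
                           else { [datetime]::FromFileTime($expiry) })
    }
}

Reset-PasswordExpiry -SamAccountName 'jdoe'
```

With account-management auditing enabled, the change is recorded on the domain controller as event 4738 (user account changed) with an updated Password Last Set, which is the audit trail for this shortcut, since the user's actual password never changed.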

Windows: Microsoft SQL Server 2008 R2 Setup Support Files cannot be uninstalled

I recently wanted to uninstall SQL Server 2008 R2 completely after I had upgraded to SQL Server 2014. The uninstall of the

"SQL Server 2008 R2 Setup Support Files"

did not work and produced the error:

Microsoft SQL Server 2008 R2 Setup Support Files cannot be uninstalled because the following products are installed:
Microsoft SQL Server 2008 R2 RsFx Driver

Strangely, the "Add/Remove Programs" section did not list the "Microsoft SQL Server 2008 R2 RsFx Driver". To uninstall this "hidden" program, you have to use command line tools. Open a cmd box as Administrator and type the following:

WMIC PRODUCT GET Caption, IdentifyingNumber > c:\info.txt

Look in the info.txt file for the "Microsoft SQL Server 2008 R2 RsFx Driver" and copy the associated IdentifyingNumber. Then type:

msiexec /X {1BA457D4-90F2-4D83-9543-9715849023C8}

Your IdentifyingNumber can vary, of course. It is now possible to uninstall "SQL Server 2008 R2 Setup Support Files" from "Add/Remove Programs".

This trick can be used for any "hidden" program you wish to uninstall.

Outlook 2010/2013: How to find the folder path of a message

I frequently do a mailbox wide search in Outlook. Sometimes, it is important to find out where exactly that email is located in Outlook. The search results list doesn't indicate the folder, unfortunately.

Solution 1 (reveals the folder name, but not the sub-folder structure):

If only the name of the folder is important to you, you can determine this by opening the “classic” Properties dialog of a message via the keyboard shortcut ALT+ENTER. This works for an email that you have selected in the Search Results list but also for a message which you’ve opened via a double click. The folder name can be found under "Location".

Solution 2 (reveals the folder name and sub-folder structure):

Double click on the message to open it in its own window. Open the Advanced Find feature via the keyboard shortcut CTRL+SHIFT+F. The “Look in” field will reveal the folder name to you and clicking on the Browse… button will show you the full folder hierarchy.

Blackberry OS 10: How to mute the dial pad on the phone

When you dial a number on a Blackberry OS 10 device like the Classic or the Z30, you hear the typical "dialling" sound, also called DTMF. Unfortunately, there is no switch to turn that off.

The only way to do this is to switch your sound profile to "Silent" or "Vibrate", but that mutes any other notifications as well.

Here are the instructions to turn the dial pad tone off while still hearing other notifications:

Settings > Notifications

Make sure the active profile is "Normal"

Under the Profiles heading, tap on "Normal"

On the "Normal" profile, toggle "Sound" off

Tap on "Customize App Notifications"

Tap on "Phone" and toggle "Sound" on

With that, you will hear the ring tone, but you will not hear the dial pad.

If you have other apps that should do sound notifications, e.g. Calendar, you have to go to "Customize App Notifications" > "Calendar" and set the Sound to on as well.

Windows Time service doesn't start automatically on a workgroup computer

On a workgroup computer that's running Windows 7/8.1 or Windows Server 2008 R2/2012 R2, the Windows Time service stops immediately after system startup. This issue occurs even after the Startup Type is changed from Manual to Automatic. Additionally, the following events are logged in the System log:

Log Name: System
Source: Service Control Manager
Event ID: 7036
Level: Information
The Windows Time service entered the running state.

Log Name: System
Source: Service Control Manager
Event ID: 7042
Level: Information
The Windows Time service was successfully sent a stop control. The reason specified was: 0x40030011 [Operating system: Network connection (Planned)]

Log Name: System
Source: Service Control Manager
Event ID: 7036 Task Category: None
Level: Information
The Windows Time service entered the stop state.

Cause

This issue occurs because the Windows Time service is configured as a Trigger-Start service; this is the default setting in Windows 7 and Windows Server 2008 R2 and later operating systems.

Services and background processes have a significant effect on the performance of the system. The Trigger-Start service has been implemented in Windows 7 and Windows Server 2008 R2 in order to reduce the total number of auto-start services on the system. The goal is to improve the stability of the whole system, and this includes improving performance and reducing power consumption. Under this implementation, the Service Control Manager has been enhanced to handle starting and stopping services by using specific system events.

For more information, see Service trigger events.

Whether or not the Windows Time service starts automatically depends on whether the computer is joined to an Active Directory Domain Services (AD DS) domain environment or is configured as a workgroup computer. The Windows Time service on domain-joined computers starts when a trigger event occurs. On workgroup computers that are not joined to an AD DS domain, the startup value for the Windows Time service is Manual, and the service status is Stopped.

You can check the Trigger-Start service settings by running the following sc qtriggerinfo command:

sc qtriggerinfo w32time

Service Name: w32time

Start Service

DOMAIN JOINED STATUS : 1ce20aba-9851-4421-9430-1ddeb766e809 [DOMAIN JOINED]

Stop Service

DOMAIN JOINED STATUS : ddaf516e-58c2-4866-9574-c3b615d42ea1 [NOT DOMAIN JOINED]

Workaround

To start the Windows Time service at system startup, use any of the following methods.

Method 1

Run the following command to delete the trigger event that's registered as the default setting and to change the Startup Type setting for the Windows Time service from Manual to Automatic:

sc triggerinfo w32time delete


Method 2

Run the following command to define a trigger event that suits your environment. In this example, the command determines whether an IP address is given to a host, and then it starts or stops the service.

sc triggerinfo w32time start/networkon stop/networkoff


Method 3

Change the Startup Type of the Windows Time service from Manual to Automatic (Delayed Start).

Note: If the Startup Type of the Windows Time service is set to Automatic (Delayed Start), the Windows Time service may be started by the "Time Synchronization" task before the Service Control Manager starts it. (This depends on the startup timing of the Windows operating system in question.)

In this situation, the service triggers an automatic stop after the Time Synchronization task has succeeded. Therefore, if you use Method 3, you must disable the "Time Synchronization" task so that it cannot start the Windows Time service. To do this, follow these steps:

  1. Start the Task Scheduler.
  2. Under Task Scheduler Library / Microsoft / Windows / Time Synchronization, click Synchronize Time.
  3. Right-click, and then click Disabled on the shortcut menu.

More information

The Windows Time service on a workgroup computer is not started automatically at system startup by the Trigger-Start service. However, the Windows Time service is started by the Time Synchronization setting that's registered on the Task Scheduler Library at 01:00 a.m. every Sunday for Time Synchronization. Therefore, the default setting can be kept as is.

But if you run your workgroup computer as a time server, you must use one of the three workarounds above, as the time service needs to be running all the time for the time server to be contactable.
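The following is an added example, not from the original article, that applies Method 1 on a workgroup host from an elevated PowerShell and reads back the result. It also sets the Startup Type to Automatic explicitly, because the sc triggerinfo command on its own only removes the triggers.

```powershell
# Added example (not from the original article): Method 1 plus a read-back.
# Run from an elevated PowerShell on the workgroup computer.
function Enable-W32TimeAutoStart {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Write-Warning 'Domain-joined host: the default DOMAIN JOINED trigger already starts w32time.'
        return
    }

    # Method 1: remove the registered triggers, including the NOT DOMAIN JOINED stop trigger
    # ('sc' alone is an alias for Set-Content in PowerShell, hence sc.exe)
    sc.exe triggerinfo w32time delete | Out-Null

    # Deleting the trigger does not change the Startup Type, so set it here
    Set-Service -Name w32time -StartupType Automatic
    Start-Service -Name w32time

    $svc = Get-Service -Name w32time
    [pscustomobject]@{
        StartType = $svc.StartType          # expected: Automatic
        Status    = $svc.Status             # expected: Running
        Triggers  = (sc.exe qtriggerinfo w32time) -join ' '
        # w32tm reports the current source and last sync; a workgroup host
        # without a configured peer will show "Local CMOS Clock"
        Source    = (w32tm /query /source)
    }
}

Enable-W32TimeAutoStart
```

After a reboot, check that event 7042 no longer follows the 7036 "entered the running state" event in the System log; that is the sign the stop trigger is really gone.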

IIS 7.5: How to enable TLS 1.1 and TLS 1.2

In IIS 7.5, which is installed on Windows 2008 R2 servers, only SSL 3.0 and TLS 1.0 are enabled for HTTPS encryption by default. To enable TLS 1.1 and TLS 1.2 and disable the insecure SSL 3.0 protocol, add the following keys to the Registry of the server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

After a reboot, IIS should be accepting TLS 1.2 connections.
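The following is an added example, not from the original post, that writes the same Schannel values with PowerShell (creating the Protocols subkeys if they do not exist, which is what a fresh 2008 R2 box looks like) and reads them back so the change can be verified before the reboot. It uses Enabled = 1 instead of 0xffffffff; Schannel treats any non-zero Enabled value as enabled, so the two are equivalent.

```powershell
# Added example (not from the original post): apply and verify the Server-side
# Schannel protocol settings from the .reg fragment above. Run elevated.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# $null means "do not write this value" (SSL 3.0 only needs Enabled = 0 to be switched off)
$protocols = @{
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = $null }
    'TLS 1.0' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.1' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Set-SchannelServerProtocols {
    foreach ($name in $protocols.Keys) {
        $key = Join-Path $base "$name\Server"
        # The Protocols\<name>\Server keys are usually absent until someone creates them
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($entry in $protocols[$name].GetEnumerator()) {
            if ($null -ne $entry.Value) {
                New-ItemProperty -Path $key -Name $entry.Key -Value $entry.Value `
                    -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

function Get-SchannelServerProtocols {
    foreach ($name in $protocols.Keys) {
        $p = Get-ItemProperty -Path (Join-Path $base "$name\Server") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $name
            Enabled           = $p.Enabled            # $null = value absent, Schannel default applies
            DisabledByDefault = $p.DisabledByDefault
        }
    }
}

Set-SchannelServerProtocols
Get-SchannelServerProtocols | Sort-Object Protocol | Format-Table -AutoSize
```

The Server subkeys only control what IIS accepts; outbound connections made by the server itself are governed by the parallel Client subkeys, and the same table can later be extended to switch TLS 1.0 off (Enabled = 0), which the fragment above leaves enabled.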

Malicious Software Removal Tool (MRT): How to disable the monthly download and run via Windows Update

The Microsoft Windows Malicious Software Removal Tool (MRT) is downloaded and run with the monthly Windows Update cycle on many Windows versions (e.g. Windows 7, 8.1, Windows Server 2012 R2 and others). It always uses the same KB/Patch number:

KB890830

You can disable this in Windows Update by hiding the update, but it will be re-offered next month. To permanently disable the offering via Windows Update, change this registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
"DontOfferThroughWUAU"=dword:00000001

It is possible that the MRT folder does not exist. Just create it and then create the DWORD (32-bit) entry.

Then start "Check for updates" in Windows Update. After it finishes, MRT should not be there any more.

Side note: It is still possible to run MRT manually:

Press Windows-R

Type "MRT.exe" in the Run box.

ESXi 5.5: How to install an update via SSH Online

In this previous post, I have explained how to install an update to ESXi when you are offline.

Below are the instructions to use when your ESXi host is connected to the internet:

Login to ESX via SSH (e.g. with PuTTY)

Run the command to allow the traffic to the Internet

esxcli network firewall ruleset set -e true -r httpClient

Run the command to install the update

esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140902001-standard

Wait until this completes successfully (this can take a while).

Shut down all guests.

Put host in Maintenance Mode.

Reboot VMware ESXi

SQL: How to rename a database, including file names

It happens sometimes that we need to rename a database. It is good to know that what happens behind the scenes is different from what you may be expecting: SQL Server renames only the displayed name of the database, not the logical or physical file names.

To rename the files, you need to use the following script to rename the files of OldDB to NewDB.

USE [OldDB];

-- Point the logical files at the new physical paths (takes effect when the database is next brought online)
ALTER DATABASE OldDB MODIFY FILE (NAME = OldDB, FILENAME = 'C:\...\NewDB.mdf');

ALTER DATABASE OldDB MODIFY FILE (NAME = OldDB_log, FILENAME = 'C:\...\NewDB_log.ldf');

-- Rename the logical file names as well (the database is still called OldDB at this point)
ALTER DATABASE OldDB MODIFY FILE (NAME = OldDB, NEWNAME = NewDB);

ALTER DATABASE OldDB MODIFY FILE (NAME = OldDB_log, NEWNAME = NewDB_log);

Now take the database offline and then bring it online again.

Rename the .mdf and .ldf file on the disk.

Finally, rename the DB by just clicking into the name and changing it. This only works when there are no connections to the database and the database is online.