Channel: Terence Luk

Installing Microsoft Exchange Server 2016


I’ve recently been assisting clients with Microsoft Exchange Server 2016 migrations and thought I’d write a quick blog post demonstrating the deployment process.

Note that the full TechNet Planning and deployment guide can be found at the following URL:

https://technet.microsoft.com/en-us/library/aa998636(v=exchg.160).aspx

Prerequisites

I won’t go into too much detail but here are some requirements that are important to be aware of:

  • Exchange 2007 coexistence is not supported
  • Exchange 2010 SP3 with RU11 is required for coexistence
  • Exchange 2013 SP3 with CU10 is required for coexistence
  • Forest functional level needs to be at least Windows Server 2008
  • OS must be Windows Server 2012 or 2012 R2
  • Supported clients include:
    • Outlook 2016

    • Outlook 2013

    • Outlook 2010 with KB2965295

    • Outlook for Mac for Office 365

    • Outlook for Mac 2011

More information about the requirements can be found here: https://technet.microsoft.com/en-us/library/aa996719(v=exchg.160).aspx

Begin by installing the prerequisites onto the Exchange server with the following PowerShell cmdlet:

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

image

Download and install the following two components:

.Net Framework 4.5.2
https://support.microsoft.com/en-us/kb/2901907
NDP452-KB2901907-x86-x64-AllOS-ENU.exe

Microsoft Unified Communications Managed API Core Runtime, version 4.0
https://www.microsoft.com/en-us/download/details.aspx?id=34992
UcmaRuntimeSetup.exe

image

Installing Exchange 2016

If the Schema, AD and Domain prep needs to be executed independently from the actual install, simply execute the Exchange 2016 setup.exe executable with the following switches:

  • setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
  • setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
  • setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms

**Note that the schema, AD and domain prep will also be automatically executed with the installation wizard.

Proceed with running the setup.exe executable from the Exchange 2016 installation binaries:

image

Proceed through the wizard:

image

Select the Mailbox role to be installed (you cannot collocate Mailbox and Edge Transport roles together):

image

Specify the installation path:

image

Specify whether malware scanning should be turned on:

image

Start the installation:

image

… and that’s it.  Exchange Server 2016 is now installed.  Proceed with the configuration of the new server as required.

As an extra note I’d like to include here for my future reference, the following PowerShell script designed for Exchange 2013 for relocating the logging directories also works for 2016:

Move Logging in Exchange 2013 via Powershell
http://social.technet.microsoft.com/wiki/contents/articles/22479.move-logging-in-exchange-2013-via-powershell.aspx


Import and Export PST to and from mailboxes on Exchange Server 2016


I’ve noticed many of my clients and colleagues have asked the question how to export and import PSTs from mailboxes on Exchange Server 2016 so I thought I’d write this quick blog post to demonstrate a quick way to do it.

Most Exchange administrators are probably familiar with cmdlets such as New-MailboxExportRequest as shown in the following TechNet library:

https://technet.microsoft.com/en-us/library/ff607299(v=exchg.160).aspx

Those who prefer not to use PowerShell cmdlets can actually use the EAC (Exchange Admin Center) to perform the import and export options as well.  To enable this, the first step is to grant the Mailbox Import Export role to a group that contains the account you’ll be performing the import/export action with.  For the purpose of this example, I’ll be granting the Organization Management group the permission.

Navigate to permissions –> admin roles

Open up the properties of the group you would like to assign the Mailbox Import Export permissions.

image

Navigate down to the Roles window and locate the Mailbox Import Export role:

image

Add the role:

image

Save the changes:

image

If you are testing with the account that you are logged in with, log out of the EAC and back in then navigate to recipients –> mailboxes, right click on a user’s mailbox and you should now see the options:

  • Import PST
  • Export to a PST file

image
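
The same grant done from the Exchange Management Shell, as an added example that is not part of the original post: it puts the Mailbox Import Export role on a dedicated role group rather than Organization Management and lists every account that effectively holds it, since the role allows exporting any mailbox to a PST. The group name, the account name and the allow list are assumptions.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2016.
# Group name, member and allow list below are hypothetical values.
$roleName  = 'Mailbox Import Export'
$groupName = 'PST Import Export Admins'   # hypothetical dedicated role group
$allowed   = @('pstadmin')                # hypothetical account expected to hold the role

# Create a dedicated role group carrying only this role, if it is not there yet.
if (-not (Get-RoleGroup | Where-Object { $_.Name -eq $groupName })) {
    New-RoleGroup -Name $groupName -Roles $roleName -Members $allowed
}

# Resolve every account that effectively holds the role, through any group
# or direct assignment. Group assignments also return a placeholder row
# named 'All Group Members', which is dropped here.
$holders = Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
    Select-Object EffectiveUserName, RoleAssigneeName, AssignmentMethod

$holders | Sort-Object EffectiveUserName | Format-Table -AutoSize

# Report holders that are not on the allow list (compared by account name).
$unexpected = @($holders | Where-Object { $allowed -notcontains $_.EffectiveUserName })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} account(s) hold '{1}' outside the allow list:" -f $unexpected.Count, $roleName)
    $unexpected | Format-Table -AutoSize
}

# Review the export and import requests that already exist.
Get-MailboxExportRequest | Select-Object Name, Mailbox, Status
Get-MailboxImportRequest | Select-Object Name, Mailbox, Status
```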

Unable to launch Citrix XenDesktop 7.8 virtual desktop published through a NetScaler gateway


Problem

You completed deploying a new XenDesktop virtual desktop catalog, publishing it through a StoreFront, then providing access to the StoreFront through a NetScaler gateway:

image

Clicking on the desktop icon opens the window while the Delivery Controller attempts to launch and broker the session through the NetScaler to the Windows desktop:

image

The attempt eventually fails with the following error:

Desktop Viewer

The connection to “<VDI Desktop Group Name>” failed with status (1110).

image

Solution

While this error could be caused by several configuration issues, one of the more common reasons I’ve come across is a NetScaler appliance configured with 2 networks, where 1 is connected to an outside DMZ and the other is connected to an inside DMZ (or internal server network).  A common challenge with this type of setup is that the NetScaler’s default gateway is most likely going to be configured to go out to the internet (outside DMZ network) but this gateway usually does not allow the NetScaler to get back into the internal networks.  The error above is thrown because the NetScaler needs to communicate with the actual VDI but is unable to reach it through the internet gateway.  To get around this issue, either create a static route on the NetScaler to use the internal leg’s default gateway to reach the VDI subnet:

image

… or configure the gateway out through the internet to route traffic back to the internal network.

Citrix NetScaler VPX appliance fails to boot with the error: “can’t load ‘kernel’”


Problem

You’ve recently upgraded a NetScaler VPX appliance to version 11.0.63.16.nc and have been running the upgraded version for a few months, but noticed that the appliance fails to boot into the kernel after a restart, halting at the following:

FreeBSD/x86 bootstrap loader, Revision NS1.2

Loading /boot/defaults/loader.conf

Unable to load a kernel!

\

can’t load ‘kernel’

Type ‘?’ for a list of commands, ‘help’ for more detailed help.

OK

image

You proceed with a restore of the virtual machine from a backup solution such as Veeam but noticed that all of the backups boot into the same error.

You attempt to try and find the /boot/defaults/loader.conf directory in the disks but it does not appear to exist:

image

lsdev -v

image

set currdev=disk1s1b

image

ls

image

set currdev=disk1s1d

ls

image

set currdev=disk1s1e

ls

image

You are able to locate the /nsconfig directory on one of the disks:

image

… and able to list the contents with the command ls nsconfig:

image

… but missing the other directories such as:

  1. /var
  2. /netscaler

*Reference: http://support.citrix.com/article/CTX200418

Solution

One of the ways to resolve this issue is to either restore from a backed up virtual machine that would actually boot properly or redeploy a new appliance then restore configuration files.  If you do not have either then the following steps can be used in an attempt to bring the appliance back to a bootable state:

Execute lsdev -v to list the available drives:

image

From the drives listed, we need to find the one that contains the nsinstall directory. In this example, that drive is disk1s1e, so execute the following to set the context of the prompt to that drive:

set currdev=disk1s1e

image

Use the ls command to list the directories:

image

Note the nsinstall directory in the screenshot above. Execute the ls nsinstall/ command to list the contents:

image

Note that the following 2 directories are listed:

  1. 10.5.54.9.nc
  2. 11.0.63.16.nc

This appliance was deployed as version 10.5.54.9.nc initially then upgraded several times to version 11.0.63.16.nc and what appears to have happened is that the boot configuration has gone missing.  Execute the commands:

ls 10.5.54.9.nc

image

ls 11.0.63.16.nc

image

Note that both directories contain quite a few files. The file we’re interested in is the NetScaler kernel file that is named ns-{version}-{build}.gz. Since both directories contain this file, we’ll attempt to load the newer 11.0.63.16.nc kernel file by executing the following:

unload

load disk1s1e:/nsinstall/11.0.63.16.nc/ns-11.0-63.16

image

With the kernel successfully loaded, proceed to type boot to boot into the kernel:

image

With the appliance booted and accessible, if you don’t have a configuration backup, proceed to get it now through the CLI or GUI:

image

What you’ll notice at this point is that if we attempt to restart the appliance, we’ll encounter the same error message:

can’t load ‘kernel’

… we faced earlier and this is because the boot configuration has been lost.  The next step to ensure that this boot configuration stays persistent is to reinstall the NetScaler binaries by executing the following:

shell

cd /var/nsinstall/

ls

image

cd 11.0.63.16.nc

./installns

image

You should now see the installation begin:

image

Proceed to reboot the appliance once the install has completed:

image

The appliance should now be able to boot into the OS and operate as it should:

image

Note that there is a good chance that:

  1. The licenses on the appliance will need to be regenerated so log onto the web portal and see if the NetScaler is now labeled as NetScaler VPX (1)
  2. SSL Certificates may be missing so they would need to get re-created (the files will still be there)
  3. Various NetScaler features may be disabled so they will need to get re-enabled

Setting up multiple domain federation with ADFS 2012 and Office 365


Problem

You have an on-prem Active Directory domain with ADFS 2012 configured to use Office 365 for messaging services and would like to expand the usage to another domain that is a different tree in the same forest. The task required to do this is quite simple: change the Authentication type for the new domain from Managed to Federated, which is what the domain currently set up with O365 mailboxes is configured as:

image

You attempt to execute the Update-MsolFederatedDomain cmdlet with the -supportmultipledomain switch to change the federation for the currently federated domain to support multiple federated domains but receive the following error:

PS C:\> Update-MsolFederatedDomain -domainname contoso.com
Successfully updated 'contoso.com' domain.
PS C:\> Update-MsolFederatedDomain -domainname contoso.com -supportmultipledomain
Update-MsolFederatedDomain : The switch parameter SupportMultipleDomain is not supported here.
At line:1 char:27
+ Update-MsolFederatedDomain <<<< -domainname contoso.com -supportmultipledomain
+ CategoryInfo : InvalidOperation: (:) [Update-MsolFederatedDomain], FederationException
+ FullyQualifiedErrorId : MultipleDomainSwitchNotSupported,Microsoft.Online.Identity.Federation.Powershell.UpdateFederatedDomainCommand
PS C:\>

image

Solution

What threw me off with this problem was that most articles I found specify that the Microsoft Office 365 Identity Platform Relying Party Trust needs to be removed:

image

… during this process but because the environment I was working in already had production services in use, I decided to test the -supportmultipledomain on the federated domain to ensure it actually existed and the error message:

Update-MsolFederatedDomain : The switch parameter SupportMultipleDomain is not supported here.

… does not instill much confidence. After scheduling a weekend window for this reconfiguration, I was able to confirm that the cmdlet:

Update-MsolFederatedDomain -domainname contoso.com -supportmultipledomain

… will work once the Microsoft Office 365 Identity Platform Relying Party Trust is removed:

image

So to recap, the process should be as follows:

  1. Log onto the ADFS server
  2. Launch the AD FS administration console
  3. Navigate to AD FS > Trust Relationships > Relying Party Trusts
  4. Delete the Microsoft Office 365 Identity Platform entry
  5. Launch Windows Azure Active Directory Module for Windows PowerShell
  6. Execute the following:
    1. Connect-MSOLService
    2. Set-MsolADFSContext -Computer <internalADFSserverName>
    3. Update-MsolFederatedDomain -DomainName <alreadyFederatedDomainFQDN>
    4. Update-MsolFederatedDomain -DomainName <alreadyFederatedDomainFQDN> -SupportMultipleDomain
    5. Convert-MsolDomainToFederated -DomainName <newDomaintoBeAddedFQDN> -SupportMultipleDomain
    6. Get-MsolDomain

Hope this helps anyone who might be a bit uncertain whether the -SupportMultipleDomain switch would work or not before they delete the Relying Party Trust.

Launching XenApp 7.8 application published through NetScaler 11 fails and throws the error: “Cannot connect to the Citrix XenApp server.Socket operation on non-socket”


Problem

You have successfully published applications on a XenApp 7.8 application server through a NetScaler but noticed that while you are able to log into the portal and view the published applications, you receive the following error when an application is launched:

Unable to launch your application. Contact your help desk with the following information:

Cannot connect to the Citrix XenApp server.Socket operation on non-socket

image

Attempting to launch the desktop of the application server throws the following error:

Desktop Viewer

The connection to “Citrix XenApp” failed with status (Unknown client error 1110).

image

Solution

One of the reasons why this error would be thrown is if you have not defined at least one STA server in the created NetScaler Gateway Virtual Server:

image

Notice that the screenshot below states No STA Server under the Published Applications section:

image

The error should no longer persist once a functioning STA server (the FQDN of your XenDesktop / XenApp Delivery Controller) is configured.

Patch required for upgrading Lync 2013 client to Skype for Business 2015


I’ve noticed that I’ve been asked quite a few times over the past year about how to upgrade the Lync 2013 client to Skype for Business 2015 and through speaking to colleagues and clients, I think the confusion is caused by the fact that the Lync 2013 client could be upgraded to Skype for Business 2015 through Windows updates and the update applied isn’t something an administrator would easily spot in a list that could contain a screen full of line items. Not knowing the patch required to upgrade the client then becomes a problem when administrators need to package Lync 2013 / Skype for Business 2015 installation packages for their desktops.  To avoid having to reference my notes when being asked this question again, I figured it would be best to write this blog post for future reference.

Begin by installing the Lync 2013 RTM client with the version:

Lync 2013 – 15.0.4569.1503
MSO – 15.0.4701.1000

image

Once the Lync 2013 client is installed, you can install any of the following updates to upgrade Lync 2013 to Skype for Business 2015:

  • April 14 2015 - KB2889923
  • July 14 2015 - KB3054946
  • October 13 2015 - KB3085581

The following screenshots show how installing the April 14 2015 - KB2889923 update will change the Lync 2013 item in the start menu to Skype for Business 2015:

lyncmso2013-kb2889923-fullfile-x86-glb.exe

image

Lync 2013 – 15.0.4711.1002
MSO – 15.0.4711.1000

image

The following screenshots demonstrate how installing the July 14 2015 - KB3054946 update would return the same results:

lync2013-kb3054946-fullfile-x86-glb.exe

image

Lync 2013 – 15.0.4737.100
MSO – 15.0.4711.1000

image

Finally, installing the latest October 13 2015 - KB3085581 update would also work:

lync2013-kb3085581-fullfile-x86-glb.exe

image

Lync 2013 – 15.0.4763.1001
MSO – 15.0.4711.1000

image

Hope this helps anyone looking for the specific patches that would update Lync 2013 to Skype for Business 2015.

Monitoring disk space with simple PowerShell script


I’ve been asked several times in the past about what I typically use to monitor server disk space if the environment I was working in did not have a proper monitoring server or was in the process of deploying one and I’ve always recommended a script I’ve used for quite some time but never blogged about it so I thought it would be great to do so as I could give credit to a script a fellow blogger created as well as demonstrate how to set it up as a task in Task Scheduler.

The PowerShell script I’ve been using for the past few years that works with Windows Server 2008 R2 and 2012 R2 is written by Sean Duffy:

Disk Space Monitoring and Early Warning with PowerShell

https://www.simple-talk.com/sysadmin/powershell/disk-space-monitoring-and-early-warning-with-powershell/

What I like about this script is that it allows you to specify a list of servers to monitor in a text file and provides a simple report coloured in red:

image

The way I automate this script is to perform the following steps:

Step #1 - Select a server that I would like to execute this PowerShell script on then create the following folder:

C:\Scripts\CheckDiskSpace

Step #2 – Create the following 3 files:

image

File #1 - CheckDiskSpace.txt

Copy the following command into this file:

powershell.exe -command "& 'C:\Scripts\CheckDiskSpace\diskspace.ps1' 'C:\Scripts\CheckDiskSpace\list.txt'"

File #2 - DiskSpace.ps1

Copy the PowerShell script into this file:

--------------------------------------------------------------------------------------------------------------------------------------------------------------

#########################################################
#
# Disk space monitoring and reporting script
#
#########################################################

$users = "toaddress@yourdomain.com" # List of users to email your report to (separate by comma)
$fromemail = "fromaddress@yourdomain.com"
$server = "yourmailserver.yourdomain.com" # enter your own SMTP server DNS name / IP address here
$list = $args[0] # This accepts the argument you add to your scheduled task for the list of servers. i.e. list.txt
$computers = Get-Content $list # grab the names of the servers/computers to check from the list.txt file.

# Set free disk space threshold below in percent (default at 10%)
[decimal]$thresholdspace = 10

# assemble together all of the free disk space data from the list of servers and only include it if the percentage free is below the threshold we set above.
# The backtick continues the pipeline on the next line, so no blank lines may sit between these four lines.
$tableFragment = Get-WMIObject -ComputerName $computers Win32_LogicalDisk `
| select __SERVER, DriveType, VolumeName, Name, @{n='Size (Gb)' ;e={"{0:n2}" -f ($_.size/1gb)}},@{n='FreeSpace (Gb)';e={"{0:n2}" -f ($_.freespace/1gb)}}, @{n='PercentFree';e={"{0:n2}" -f ($_.freespace/$_.size*100)}} `
| Where-Object {$_.DriveType -eq 3 -and [decimal]$_.PercentFree -lt [decimal]$thresholdspace} `
| ConvertTo-HTML -fragment

# assemble the HTML for our body of the email report.
# Quotation marks inside a here-string are literal, so the attributes are quoted once.
$HTMLmessage = @"
<font color="black" face="Arial, Verdana" size="3">
<u><b>Disk Space Storage Report</b></u>
<br>This report was generated because the drive(s) listed below have less than $thresholdspace % free space. Drives above this threshold will not be listed.
<br>
<style type="text/css">body{font: .8em "Lucida Grande", Tahoma, Arial, Helvetica, sans-serif;}
ol{margin:0;padding: 0 1.5em;}
table{color:#FFF;background:#C00;border-collapse:collapse;width:647px;border:5px solid #900;}
thead{}
thead th{padding:1em 1em .5em;border-bottom:1px dotted #FFF;font-size:120%;text-align:left;}
thead tr{}
td{padding:.5em 1em;}
tfoot{}
tfoot td{padding-bottom:1.5em;}
tfoot tr{}
#middle{background-color:#900;}
</style>
<body BGCOLOR="white">
$tableFragment
</body>
"@

# Set up a regex search and match to look for any <td> tags in our body. These would only be present if the script above found disks below the threshold of free space.
# We use this regex matching method to determine whether or not we should send the email and report.
$regexsubject = $HTMLmessage
$regex = [regex] '(?im)<td>'

# if there was any row at all, send the email
if ($regex.IsMatch($regexsubject)) {
    send-mailmessage -from $fromemail -to $users -subject "Disk Space Monitoring Report" -BodyAsHTML -body $HTMLmessage -priority High -smtpServer $server
}

# End of Script

--------------------------------------------------------------------------------------------------------------------------------------------------------------

File #3 - List.txt

Type in the list of servers you would like to monitor:

image

Step #3 – Configure the variables in the scripts

Open the DiskSpace.ps1 script and modify the email addresses the report should be sent from and to, the server name of the SMTP server that will be sending the email, and the % for the threshold you would like to set for the free disk space.

What I usually do as a test is to set the threshold to 50% so that an email would get fired off during the initial setup allowing me to confirm that all the variables are set up properly.

Step #4 – Fill in the List.txt file with server FQDNs

As shown in the screenshot above, proceed by adding in the FQDNs of the servers you will be monitoring with this script.

Step #5 – Test Script

Open the CheckDiskSpace.txt then copy the command in the file:

powershell.exe -command "& 'C:\Scripts\CheckDiskSpace\diskspace.ps1' 'C:\Scripts\CheckDiskSpace\list.txt'"

… and paste it into a command prompt to confirm that an email alert is generated and sent to the email address you’ve specified.

Step #6 – Configure scheduled task to execute the script

Launch Task Scheduler and create a new task:

image

Provide a name for the Task:

image

Configure the task to Run whether user is logged on or not and Run with the highest privileges:

image

Click on the Triggers tab and create a new Trigger based on your requirements:

image

Click on the Actions tab and create a new Action with the following configuration:

Program/script: powershell.exe

Add arguments (optional): -command "& 'C:\Scripts\CheckDiskSpace\diskspace.ps1' 'C:\Scripts\CheckDiskSpace\list.txt'"

image

Save the configuration and you should now see a new task configured:

image

You can test the task by right clicking on the line item and selecting Run:

image


Disabling “Do Not Send a Response” option for meeting invites in Outlook 2010 and Outlook 2016


I’ve recently been asked by a client whether there was a way to disable the Do Not Send a Response option within Outlook 2010 and Outlook 2016 because the Response column in the View Tracking Status does not get updated unless the user chooses to send a response:

image

After doing a bit of research on forums about this topic, it appears many users have complained about sending a response because it would lead to mailbox clutter for the meeting organizer and the proposed solution is to turn on the Update tracking information, and then delete responses that don’t contain comments option in the File > Options > Mail > Tracking settings:

clip_image002

While this helped with encouraging users to send a response, the client still wanted to disable the Do Not Send a Response option and after a bit more digging, I found the solution in this forum post:

https://social.technet.microsoft.com/Forums/office/en-US/5861d690-aae8-4f37-a9e6-687984fb2540/how-to-disable-meeting-response-action-do-not-respond?forum=outlook

The setting to disable the option is in User Configuration > Policies > Administrative Templates > Microsoft Outlook 2010 > Disable Items in User Interface > Custom

Proceed and enable the setting Disable command bar buttons and menu items and then enter the following command bar IDs:

  • 19987
  • 19995
  • 19991

image

Apply this GPO to the user accounts that require this configuration and users should see the following when attempting to accept a meeting:

image

I’ve also tested this with Outlook 2016 and can confirm that the same settings with the Office 2016 policy templates yield the same result.

Controlling Outlook Options “Update tracking information, and then delete responses that don’t contain comments”


I recently had to determine how to disable the Update tracking information, and then delete responses that don’t contain comments option in the File > Options > Mail > Tracking settings via either GPO or registry but wasn’t able to find any information available:

clip_image002

After going through the Outlook settings provided by the ADM file and not finding anything, I managed to track down the registry so I thought it would be good to write this quick blog post for others.

The registry key that controls this configuration is located in:

HKCU\Software\Microsoft\Office\14.0\Outlook\Options\General

Name: AutoDelRcpts
Type: REG_DWORD
Data: 1 (enabled) and 0 (disabled)

clip_image002[5]

Hope this helps anyone who may be looking for this information.

"Your user account is disabled" error is thrown after upgrading VMware Horizon View to 6.2.0 or 6.2.1


Problem

I recently ran into an issue while upgrading VMware Horizon View to 6.2.0 and 6.2.1 when I noticed that user accounts from other Active Directory domains within the same forest of the domain you have VMware Horizon View installed on are no longer able to log into their virtual desktops with the following error message thrown:

Your user account is disabled

image

Logging into VMware Horizon View continued to work as expected with accounts that belonged to the same domain the server was installed in.

Solution

Searching through the internet revealed that there did not appear to be any official VMware KB article describing this issue and the only two posts related to this error did not contain any resolution:

https://communities.vmware.com/thread/532241?start=0&tstart=0

https://communities.vmware.com/thread/520384?start=0&tstart=0

Having exhausted all options, I decided to roll back the environment to 6.0.1 then opened up a ticket with VMware (case #: 16955248704). What was strange was that when I finally spoke to an engineer, the first thing they asked was whether we had domain issues and when I told him no, he told me there was no such known issue for 6.2.0 and 6.2.1. After sending the engineer the forum posts included above and waiting for a week, the engineer finally emailed me and said this was indeed a known issue and that the only way around it was to upgrade to version 7. I’m not exactly sure if there is a workaround for the earlier versions but the engineer did not provide me with one so I’m going to assume he’s correct.

Hope this post helps anyone who might run into this issue during an upgrade.

Uninstalling Office 2016 KMS key from Windows Server 2012 R2 KMS server


Problem

You have a KMS server in your environment and would like to uninstall the KMS product key for Office 2016 with the command:

Slmgr.vbs /upk <Activation ID>

You execute the following command in an effort to obtain the Activation ID:

slmgr.vbs /dlv all

image

However, the output in the Windows Script Host window contains so much content that you are unable to see the information beyond the bottom of the screen and there is no way to resize the window:

image

Solution

The way around this is to use cscript.exe to execute the slmgr.vbs /dlv all command so that all the information is listed in the command prompt:

C:\Windows\System32>cscript.exe slmgr.vbs /dlv all

image

Or you can also redirect it to a text file as such:

C:\Windows\System32>cscript slmgr.vbs /dlv all > C:\slmgr-output.txt

image

Activation ID: 98ebfe73-2084-4c97-932c-c0cd1643bea7

image

With the Activation ID identified, you can now execute the following /upk command to remove the key from the KMS server:

slmgr.vbs /upk 98ebfe73-2084-4c97-932c-c0cd1643bea7

image
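
Picking the Activation ID out of the long /dlv all listing by eye is error-prone, and /upk with the wrong ID removes a different product key. The following added example (not from the original post) parses the cscript output into objects and prints the /upk command for the Office 2016 entry only. The sample text is constructed, apart from the Activation ID quoted above, and English field names are assumed.

```powershell
# Added example: parse "cscript slmgr.vbs /dlv all" output into one object per license entry.
function ConvertFrom-SlmgrDlv {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Name:\s*(.+)$') {
            # A "Name:" line starts a new license entry; store the previous one.
            if ($current) { $entries += [pscustomobject]$current }
            $current = @{ Name = $Matches[1].Trim(); Description = ''; ActivationId = ''; LicenseStatus = '' }
        }
        elseif ($current -and $line -match '^\s*Description:\s*(.+)$') {
            $current.Description = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*Activation ID:\s*([0-9a-fA-F-]{36})') {
            $current.ActivationId = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*License Status:\s*(.+)$') {
            $current.LicenseStatus = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

# Constructed sample output. Only the Office Activation ID comes from the post;
# the Windows entry uses a placeholder ID.
$sample = @'
Software licensing service version: 6.3.9600.16384

Name: Windows(R), ServerStandard edition
Description: Windows(R) Operating System, VOLUME_KMS_2012-R2 channel
Activation ID: 00000000-0000-0000-0000-000000000001
License Status: Licensed

Name: Office 16, OfficeKMSHostVL_KMS_Host edition
Description: Office 16, VOLUME_KMS channel
Activation ID: 98ebfe73-2084-4c97-932c-c0cd1643bea7
License Status: Licensed
'@ -split "`r?`n"

# On the KMS host, feed the live output instead of $sample:
#   $lines = cscript.exe //NoLogo "$env:windir\System32\slmgr.vbs" /dlv all
$office = ConvertFrom-SlmgrDlv -Lines $sample | Where-Object { $_.Name -like 'Office 16*' }

foreach ($entry in $office) {
    # Print the removal command for review instead of running it.
    "slmgr.vbs /upk $($entry.ActivationId)   # $($entry.Name)"
}
```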

Upgrading Microsoft CA (Certification Authority) from SHA1 to SHA256 hash algorithm


I’ve recently been asked by many of my colleagues and clients about what they would need to do to upgrade their internal Microsoft CA from the deprecated SHA1 hash algorithm. The process could be short or long depending on the Cryptographic Settings that the CA is currently configured with. This post will demonstrate the process if your CA is already configured with the Cryptographic Settings Provider as Microsoft Software Key Storage Provider.

Begin by confirming that your CA is indeed configured with the Cryptographic Settings Provider as Microsoft Software Key Storage Provider by logging onto your Certificate Authority server and launching the Certification Authority management console then right clicking on the existing CA and selecting properties:

image

Under the General tab, review the configuration listed for the Provider and ensure that it is Microsoft Software Key Storage Provider:

image

You can also confirm that the current certificate used for signing is SHA1 by clicking on the View Certificate button, then the Details tab and review the Signature algorithm and Signature hash algorithm fields:

image

With the above items confirmed, proceed to change the Hash Algorithm from SHA1 to SHA256 by executing the following command:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

image

Restart the CA service with the commands:

net stop certsvc

net start certsvc

image

Now when you open the properties of the Certificate Authority, you should see that the Hash algorithm is set to SHA256:

image

With the Hash algorithm updated, continue by renewing the CA certificate as such:

All Tasks > Renew CA Certificate…

image

A new certificate should now be created that uses the new SHA256 hash algorithm:

image

Here’s a screenshot of before:

image

… and now after with SHA256:

image
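
Changing CNGHashAlgorithm only affects what the CA signs from then on; certificates issued earlier keep their SHA1 signature until they are reissued. The following added example (not from the original post) reads the provider and hash settings back from the command line and lists certificates in the local machine stores that are still SHA1-signed. The function name and the choice of stores are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the CA server.
# Read back the values the post checks in the GUI and sets with certutil -setreg.
certutil -getreg ca\csp\Provider
certutil -getreg ca\csp\CNGHashAlgorithm

# Signature algorithm OIDs that use SHA-1.
$sha1Oids = @(
    '1.2.840.113549.1.1.5',  # sha1RSA
    '1.2.840.10045.4.1',     # sha1ECDSA
    '1.2.840.10040.4.3'      # sha1DSA
)

# Hypothetical helper: list certificates in the given stores whose signature uses SHA-1.
function Get-Sha1SignedCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $sha1Oids -contains $_.SignatureAlgorithm.Value } |
            Select-Object @{n='Store';e={$path}}, Subject, Issuer, NotAfter, Thumbprint,
                          @{n='SignatureAlgorithm';e={$_.SignatureAlgorithm.FriendlyName}}
    }
}

# Before the CA certificate is renewed, the CA's own certificate shows up here;
# after renewal only the superseded certificate and older issued ones remain.
Get-Sha1SignedCertificate | Sort-Object NotAfter | Format-Table -AutoSize
```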

Using Citrix NetScaler Rewrite Action and Policy to prevent the Location HTTP header from exposing internal IP addresses


I was recently asked by a client to fix an issue with their Exchange 2013 Outlook Web Access webpage where an HTTP request to the site would expose the internal IP address of the Client Access Server in the Location HTTP header as shown in the following test performed with NMAP (https://nmap.org/download.html):

ncat 76.8.35.111 80
GET / HTTP/1.0

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://10.10.10.93/owa/
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 05 May 2016 00:08:13 GMT
Connection: close
Content-Length: 0

image

The client referenced the following Microsoft KB but the article references an older version of IIS:

https://support.microsoft.com/en-us/kb/218180

After researching the issue and not finding a way to correct this in IIS, I decided to use the Citrix NetScaler load balancer we were already using to publish OWA to rewrite the header to use the FQDN. The following are the steps required.

Begin by creating a new Rewrite Action with the following configuration:

Name: act_location_header

Type: REPLACE

Expression to choose target location: HTTP.RES.HEADER("Location")

Expression to Replace with: https://webmail.domain.com/owa/

image

Once the Rewrite Action is created, proceed with creating a Rewrite Policy with the following configuration:

Name: pol_location_header
Action: act_location_header
Undefined-Result Action: -Global-undefined-result-action-
Expression: true

image

With the Rewrite Policy created, proceed with assigning it to the HTTP (not HTTPS) OWA Load Balancing Virtual Server that serves to redirect user requests to HTTPS:

image

Choose Policy: Rewrite
Choose Type: Response

image

Select the pol_location_header Rewrite policy:

image

Leave the rest of the settings as default and click on the Bind button:

image

Redoing the test will now show the Location header replaced with the FQDN:

image
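The same before/after test can be scripted so it can be rerun after every NetScaler or IIS change. The following is an added example, not part of the original post: it extracts the host from the Location header of a raw response and flags RFC 1918, loopback and link-local IPv4 literals. The function names are hypothetical; the first sample is the response from the ncat test above and the second is constructed from the FQDN used in the Rewrite Action.

```shell
#!/bin/sh
# Added example: flag a Location response header whose host is a private IPv4 literal.

# location_host: read raw response headers on stdin, print the Location URL's host
location_host() {
    tr -d '\r' | sed -n '
        /^$/q
        /^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:/{
            s/^[^:]*:[[:space:]]*//
            s|^[A-Za-z][A-Za-z0-9+.-]*://||
            s|[/?#].*$||
            s/^.*@//
            s/:[0-9]*$//
            p
            q
        }'
}

# is_private_ipv4 HOST: exit 0 for RFC 1918, loopback or link-local IPv4 literals
is_private_ipv4() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac   # FQDNs and empty values are not literals
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ -n "$o" ] && [ "$o" -le 255 ] || return 1; done
    case "$1.$2" in
        10.*|127.*|192.168|169.254) return 0 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
    esac
    return 1
}

# leaks_internal_ip: exit 0 and report when the response on stdin exposes one
leaks_internal_ip() {
    host=$(location_host)
    is_private_ipv4 "$host" || return 1
    echo "LEAK: Location header exposes internal address $host"
}

# Response from the ncat test in this post (before the rewrite policy)
BEFORE='HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Location: https://10.10.10.93/owa/
Server: Microsoft-IIS/8.5
Connection: close'
# Constructed sample: the same redirect after the rewrite policy is bound
AFTER='HTTP/1.1 301 Moved Permanently
Location: https://webmail.domain.com/owa/
Connection: close'

printf '%s\n' "$BEFORE" | leaks_internal_ip || echo "before: no leak"
printf '%s\n' "$AFTER"  | leaks_internal_ip || echo "after: no leak"
```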

Unable to start Microsoft CA service after migrating from Cryptographic Service Provider (CSP) to Key Storage Provider (KSP)

Problem

You’ve successfully completed the steps required to migrate your Microsoft CA (Certificate Authority) from Cryptographic Service Provider (CSP) to Key Storage Provider (KSP) after performing the steps outlined in the following TechNet guide:

Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP)
https://technet.microsoft.com/en-us/library/dn771627.aspx

However, you receive the following error when you attempt to start the CA service:

keyset does not exist 0x80090016 certificate services

Reviewing the System logs shows that the following is logged:

Event ID: 7024
Level: Error

The Active Directory Certificate Services service terminated with the following service-specific error:

Keyset does not exist

image

image

Solution

While there could be various solutions to correct the issue, one of the methods that worked for my situation was to launch the CA’s Local Computer store, navigate to Personal > Certificates, and delete all of the imported CA certificates:

image

Then rerun step #5 in the TechNet article:

https://technet.microsoft.com/en-us/library/dn771627.aspx

Migrate the CA certificate and private key to a KSP:

a. Run the following command:

Certutil -csp <KSP name> -importpfx <Your CA cert/key PFX file>

For example: Certutil -csp "Microsoft Software Key Storage Provider" -importpfx c:\Backup\CorpSubCA.p12

Once the CA’s certificates along with their private keys are reimported, the CA service should now start.


Importing PFX certificate from Microsoft Windows Server into Citrix NetScaler VPX

One of the most common Citrix NetScaler questions I’ve been asked by colleagues and clients is how to import a PFX certificate from a Microsoft Windows Server into Citrix NetScaler and while there is a KB from Citrix demonstrating this process via the GUI:

How to Convert PFX Certificate to PEM Format for Use with NetScaler
http://support.citrix.com/article/CTX136444

… there did not appear to be any instructions for performing this via the command line so this post serves to demonstrate the process.

Step #1 - Export the certificate to PFX

Begin by logging onto the server with the certificate installed, launch the certificate store (certlm.msc) and export the certificate with the private key as a PFX:

image

imageimage

imageimage

image

Step #2 (Optional) - Export the certificate to CER

Exporting the certificate as a CER file without the private key is optional as you can create the CER file from the PFX file on the NetScaler but if you are performing the export from the Microsoft server, go ahead and create this file as well:

imageimage

Note that you should export the file as Base-64:

imageimage

Step #3 - Upload PFX and CER file

With the files exported, proceed to upload them to the NetScaler’s /nsconfig/ssl directory with either WinSCP or via the web management portal by navigating to Traffic Management > SSL then click on Manage Certificates / Keys / CSRs:

image

Use the Upload button to upload the files:

image

Step #4 (Optional) - CER file

If you’ve exported the certificate without the private key as a .cer file then this step could be skipped but if you had no control over the export and were only given a .pfx file then you can execute the following commands to generate the .cer file on the NetScaler:

shell

cd /nsconfig/ssl

openssl pkcs12 -nokeys -in certificate.pfx -out certificate.cer

image

You should now see a .cer file:

image

Step #5 - Generate .KEY file

The next file we will need to generate is the key file (also known as pem) using the uploaded PFX that contains the private key. Proceed by executing the following commands:

shell

cd /nsconfig/ssl

openssl pkcs12 -nocerts -nodes -in certificate.pfx -out tempcertificate.key -des3

openssl rsa -in tempcertificate.key -out certificate.key

rm tempcertificate.key

image

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

***Note that the reason why we needed to create a tempcertificate.key file is because the following error would be thrown if we do not use the openssl rsa command to remove any hidden space control characters:

ERROR: Invalid private key, or PEM pass phrase required for this private key

image

See the following Citrix Knowledge Base article for more information:

ERROR: "Invalid private key, or PEM pass phrase required for this private key" on NetScaler Appliance
http://support.citrix.com/article/CTX134233

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

The commands displayed above are the equivalent of the operations performed in the GUI demonstrated in the following screenshots:

image

image

Step #6 - Installing Certificate onto the NetScaler

With the .key and .cer file on the NetScaler we can now proceed to install the certificate by executing the following command:

add ssl certKey www-contoso-com -cert certificate.cer -key certificate.key -password P@ssw0rd -expiryMonitor ENABLED -notificationPeriod 30

image

You can view the property details of newly installed certificate by executing the following command:

show ssl certKey www-contoso-com

The commands displayed above are the equivalent of the operations performed in the GUI demonstrated in the following screenshots:

image

image
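A check worth running between Step #5 and Step #6 is confirming that the extracted certificate.cer and certificate.key carry the same public key, since a mismatched pair only surfaces as an error at install time. The following is an added example, not part of the original post: it builds a throwaway PFX, runs the Step #4 and Step #5 extraction non-interactively (with `-passin` and without `-des3`, both assumptions made so it runs unattended), and compares the public keys. The function names, subject and password are constructed for the demo.

```shell
#!/bin/sh
# Added example: confirm that the .cer and .key extracted from a PFX belong
# together before running "add ssl certKey". All values are constructed.
PFX_PASS='constructed-demo'

# cert_key_match CERT KEY -> 0 when both carry the same public key,
# 1 on mismatch, 2 when a file is unreadable or the key is still encrypted.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_demo_pfx DIR: throwaway self-signed certificate and key packed as a PFX
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.contoso.example" \
        -keyout "$1/orig.key" -out "$1/orig.cer" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.cer" \
        -passout "pass:$PFX_PASS" -out "$1/certificate.pfx"
}

# extract_pair DIR: Step #4 and Step #5, run non-interactively
extract_pair() {
    openssl pkcs12 -nokeys -in "$1/certificate.pfx" -passin "pass:$PFX_PASS" \
        -out "$1/certificate.cer" 2>/dev/null &&
    openssl pkcs12 -nocerts -nodes -in "$1/certificate.pfx" \
        -passin "pass:$PFX_PASS" -out "$1/tempcertificate.key" 2>/dev/null &&
    openssl rsa -in "$1/tempcertificate.key" -out "$1/certificate.key" 2>/dev/null &&
    rm "$1/tempcertificate.key"
}

demo() {
    d=$(mktemp -d) || return 1
    # umask 077: the extracted private key is written unencrypted
    ( umask 077; make_demo_pfx "$d" && extract_pair "$d" ) || return 1
    cert_key_match "$d/certificate.cer" "$d/certificate.key" &&
        echo "match: certificate.key belongs to certificate.cer"
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    cert_key_match "$d/certificate.cer" "$d/other.key" ||
        echo "mismatch: other.key does not belong to certificate.cer"
    rm -rf "$d"
}
demo
```

On the appliance itself only `cert_key_match` is needed, called with the two files in /nsconfig/ssl.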

Unable to configure port group properties on distributed switch in vSphere Web Client

I recently ran into an issue at a client’s vSphere 5.5 environment where I was unable to configure any properties of a port group on the distributed switches. The properties of the environment are as follows:

vCenter Server version: 5.5.0, 3252642

clip_image002

ESXi version: 5.5.0, 3116895

clip_image002[4]

I would attempt to use the vSphere Web Client as suggested by the following VMware documentation that demonstrates how to:

Filter Traffic on a Distributed Port or Uplink Port in the vSphere Web Client

http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.networking.doc%2FGUID-55F4EC3B-B3F1-4D7A-9DCE-578C817BBA3F.html

… but quickly notice that setting the Status from Disabled:

clip_image002[6]

… to Enabled:

clip_image002[8]

… does not activate the configuration settings below.  Clicking on the OK button to save the configuration and then navigating back in shows that the Status is still set to Disabled:

clip_image002[10]

Proceeding to any of the other tabs such as Advanced or Traffic shaping yields the same results:

clip_image002[12]

clip_image002[14]

After restarting vCenter and not having much luck in determining what the issue was, I opened a call to VMware to get a support engineer to assist.  The engineer did a few checks and wasn’t sure why this was happening so he got me to log in via the vSphere client to make a change to the Traffic Shaping settings which were successfully applied:

clip_image002[16]

clip_image002[18]

Then we went back into the vSphere Web Client to try changing the port group settings and quickly noticed all of them worked:

clip_image002[20]

I asked the engineer if this was a bug and he said no so I’ll assume it is just a glitch.  Hope this helps anyone out there who may encounter this issue as I was not able to find any information about this on the internet.

The message: "One of your on-premises Federation Service certificates is expiring..." is presented when you log into the Office 365 portal at https://portal.office.com

Problem

You’ve recently noticed that you receive the following message when logging into the Office 365 portal at https://portal.office.com:

One of your on-premises Federation Service certificates is expiring. Failure to renew the certificate and update trust properties within 27 days will result in a loss of access to all Office 365 services for all users.

image

You’ve checked your on-prem hosted ADFS server’s certificate and verified that it has not expired:

image

Solution

The following are 2 options I found after browsing the internet looking for an answer:

Option #1 – Manually renew the certificate

"One of your on-premises Federation Service certificates is expiring" message in the Office 365 portal

https://support.microsoft.com/en-ca/kb/2992335

Option #2 – Wait and allow certificate to auto renew

The following forum topic was responded to by a Microsoft support representative indicating that the certificate should auto renew:

https://community.office365.com/en-us/f/613/t/173158

The day that I checked on the certificate was April 20 and launching the AD FS Management console on the ADFS server…

image

… then navigating to AD FS > Service > Certificates showed that the certificate was expiring on June 1, which was more than 20 days before the expiration date:

image

What I ended up doing was set up a calendar reminder on the 19th day before June 1 to check back, and when I did on May 13, I noticed that the ADFS server had indeed renewed the Token-decrypting and Token-signing certificates the day before, on May 12:

image

Logging onto Office 365 via https://portal.office.com also confirmed that the warning message was no longer displayed:

image

Launching XenApp 7.6 desktop published through NetScaler appliance throws the error: "The connection to "" failed with status (Unknown client error 1110)."

Problem

You attempt to launch a XenApp 7.6 desktop published through NetScaler appliance:

clip_image002

clip_image002[5]

… but notice that you are presented with the following error message:

The connection to "<YourXenAppGroup>" failed with status (Unknown client error 1110).

clip_image002[7]

Solution

One of the common reasons why this error would be thrown is if there is a misconfiguration or lack of Secure Ticket Authority (STA) configured in the load balancing virtual server on the NetScaler appliance.  To correct this issue, launch the properties of the load balancing virtual server representing the StoreFront servers, review the Published Applications settings and ensure that STA Servers are configured:

image

Attempting to recompose a virtual desktop in VMware Horizon View throws the error: “View Composer Fault: Unexpected VC fault from View Composer (Unknown)…”

Problem

You attempt to initiate a recompose of a desktop in your VMware Horizon View environment but notice that it errors out with the following details:

View Composer Fault: Unexpected VC fault from View Composer (Unknown) - Unknown - <fault xsi:type="SystemError" xmlns="urn:internalvim25" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<reason>Failed to create journal file provider: Failed to open "/var/log/vmware/journal/1464875847.40" for write: There is no space left on the device</reason>

</fault>

Pairing state:
Configured by:
Attempted theft by:

image

You are able to work around this issue by detaching the profile disk from the virtual desktop so that the VDI gets deleted, and then recreating the machine successfully with the profile disk.

Solution

One of the reasons that could cause this error to be thrown is if you have SanDisk’s ioVDI solution deployed and have run out of flash disk storage. We noticed this after realizing that we would be able to successfully recompose the virtual desktop if we vMotion or move the VDI to another host that has less SanDisk ioVDI utilization.
