bkr's questions

Say I have an existing wildcard cert (*.example.com) from Vendor A (eg Symantec) licensed for 2 servers.

And now I want to purchase the same subject (*.example.com) from Vendor B (eg. RapidSSL) for install on multiple other locations.

On the face of it this should work, but is there any reason I can't do this - for licensing or technical reasons?

The motivation is twofold - the environment that the existing wildcard certs is installed into is sensitive and change cannot be made to it rapidly. And secondly, the pricing of Vendor A who charges "per server" licensing is too high for the deployment we're considering which will involve many servers.

Is there a way, using powershell or otherwise, to query a remote computer and see if it has had windows updates applied and is in waiting to reboot state? Any additional information would be useful too, such as has it entered the 15 minutes will force restart period or when were the updates applied.

windows 2012 servers will not restart after applying windows updates if a user is logged on. sometimes you remote in, unlock it, and it will then reboot under you in the middle of the day on a production server... or critical updates get held up and not applied.

I understand this this behavior can be modified somewhat with GPOs or registry hacks but that is not my question.

Is there a way to grant ownership of an ePO policy to a group?

Alternatively, is there a permission that can be set that would allow owners of an ePO policy to add other owners to that policy without making them ePO admin?

In the case I'm looking at, ePO is deployed within a large heterogeneous organization with a large amount of delegation in the form of create/modify policy rights to allow multiple IT departments to customize to their needs for their sections of the system tree. The problem is that the policies are owned by the creator of the policy. This causes problems when they leave (staff turnover) or when other people on their teams need the ability to modify the existing policy. Unfortunately, as far as I can see, only someone who is an ePO admin can change the owners. Even the owner of the policy cannot add other owners (unless they are also an ePO admin).

Ideally, I should be able to assign ownership of a policy to a group - since that would be easier to manage than me or another admin having to continually fix policy ownership or remove orphaned polices. Even just allowing the owners of the polices to add other owners would be sufficient.

How are other people handling policy ownership when dealing with a large amount of delegated control of polices? Is there a way to delegate this out without making users full ePO admins?

I'm seeing some weird behavior with the built in ping command that I don't understand. (this is on a windows 2012 r2 box - I haven't verified if this behavior is seen on other windows versions)

If I set the timeout (in ms) to a value like 120, I consistently see intermittent timeouts when pinging a remote host (about 10 hops away)

ping -t -w 120 myhost.domain.local
Reply from (removed): bytes=32 time=21ms TTL=246
Reply from (removed): bytes=32 time=23ms TTL=246
Request timed out.
Reply from (removed): bytes=32 time=25ms TTL=246
Reply from (removed): bytes=32 time=22ms TTL=246

which is fine, EXCEPT, if I leave the ping timeout at its default value (which is I believe 5000ms) I don't see any timeouts, AND never see a time reported greater than 30ms.

In fact, I can run 2 instances of ping at the same time, one with -w 120 and one with default timeout, and the instance with -w 120 will consistently have intermittent timeouts while the other instance will have none, and both instances won't show any responses greater than 30ms.

Does anyone have an explanation why it appears that ping is timing out in a much shorter interval than the one I'm specifying?

EDIT:

I'm beginning to think the -w parameter doesn't work at all, it certainly isn't doing what it says it should do. The description from the ping command is:

-w timeout     Timeout in milliseconds to wait for each reply.

so why the heck doesn't this timeout?

C:\Windows\System32>ping -w 10 google.com

Pinging google.com [66.58.255.29] with 32 bytes of data:
Reply from 66.58.255.29: bytes=32 time=46ms TTL=58

???

In windows server 2012 I can use File Server Resource Manager to screen file types by name and block them being created, ie, block all *.mp3 files being created.

Is there any way to do the same thing for folders? ie, prevent users being able to create a folder with a specific name, such as ".svn"

Users sometimes copy the .svn folders out to the server on accident and it would be nice to be able to block this instead of resorting to deleting them after the fact.

I'm setting up a win 2012 / IIS 8 web server with URL Rewrite module installed to replace an existing web server.

It will have 3 heavily used sites on it mapped to different domain names.

• domain1.com (site 1 in IIS with host name binding to domain1.com)
• domain2.com (site 2 in IIS with host name binding to domain2.com)
• domain3.com (site 3 in IIS with host name binding to domain3.com)

The problem I have is that I have many legacy domains (~20) that need to be redirected (301) variously to these sites and external sites.

1) I can use URL Rewrite rules defined at the server level to create these redirects

or

2) I can create an additional site, and use host name binding to bind all these 20 or so names to that site, and then within that site use - URL Rewrite rules

or

3) what else would be more efficient?

I'm kind of leaning towards option 2 because I would guess the site name bindings would be more efficient than evaluating the URL rewrite rules to all incoming requests - and the URL rewrite rules would only be evaluated when a matching host name came in. Looking at the existing logs traffic to the legacy URLs is < 1%

I have 3 windows 2012 R2 servers that our sys admin guys are having trouble getting to talk to our KMS server properly.

I'm sure in time they'll work out whatever issue they're having since we're properly licensed - but I'm wondering in the meantime how much of a grace period I have on these servers, and what happens after that grace period expires? I couldn't really find any concrete info for 2012 R2 - will it throttle the number of connections or put in place other limitations?

Windows 2012 is registering/licensing ok so depending on the grace period / consequences I may just go with that.

Is it possible to get windows to trust a certificate, without getting it to trust the root CA as a trusted root CA?

say I have the following certificate chain,

Dept-Root-CA
Dept-Intermediate-1
Server-Certificate

I want to trust the Server-Certificate, but do not want to trust Dept-Root-CA because then it could sign any certificate and my servers would trust it. Just because I am willing to trust the certificate on Server-Certificate for a specific operation, doesn't mean I'm willing to trust that Dept-Root-CA has been properly secured.

thanks