James Edmonds's questions

I am trying to import a PFX using PowerShell, that has been created by OpenSSL from a cer and key file (the key was generated by OpenSSL along with a CSR, which was submitted to internal AD CA to generate the cer)

When viewing cert info in OpenSSL, I can see the PFX contains just a single cert and a private key, which is what I expect

If I run the below command, the cert is imported into intermediate certificate authorities, rather than the machine personal store as I have specified:

Import-PfxCertificate -FilePath $SharedPFXPath -Password (ConvertTo-SecureString -String $PFXPassword -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\My -Exportable

What could be the reason the Import-PfxCertificate command might be ignoring my cert store location?

EDIT: Just for some additional info, I thought I'd detail the commands used to generate the source cert and key files etc:

Start by creating a key and CSR

openssl.exe genrsa -out $KeyFilePath 2048
openssl.exe req -new -key $KeyFilePath -out $CSROutputPath -config $ConfigFilePath

The CSR config file contains this (actual DN values removed):

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = COUNTRY CODE
ST = COUNTY/STATE
L = TOWN
O = ORG
OU = OU
CN = COMMON NAME

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = SAN

Then I submit the CSR to AD CA, and save the BASE64 encoded cert. I use this and the key file to create the PFX

openssl.exe pkcs12 -export -in $CertPath -inkey $KeyFilePath -out $PFXPath -passout pass:$PFXPassword -nomac

I had to add -nomac to my PFX command, as otherwise I got an incorrect password error every time I tried to manually import the PFX into the cert store. Not sure if this would contribute to my issue, or if some of my earlier commands might be causing me some problems?

Is there a way to disable the warning that is displayed in the notifications area, telling you that the Windows firewall is disabled?

Edit: We would specifically like to achieve this via group policy, not a manual process.

We disable the Domain firewall profile via GPO, which means Windows 10 machines constantly put warning notifications in the notification area about this. This generates user calls asking what the warning is about. We know it is disabled, so want to suppress the warning.

We are looking to deploy a new file server cluster, one of the things of which to be stored on it, will be Server 2012 R2 remote desktop User Profile Disks (UPDs).

My question is, is it best practice to store these on a standard file server cluster, or on a scale out file server cluster (SOFS).

My understanding is, that SOFS is intended for Hyper-V vmdk files as they are constantly open and that is the intent of SOFS. It is not intended for standard files and folders that have a high number of metadata changes.

As user profile disks will be long opened files and not ones that are constantly opened and closed, I would have thought they would be best placed on a SOFS cluster.

Hoping someone can point me in the direction of best practices for user profiles disks on a file server cluster, and what type should be used.

I am trying to manage our two QLogic SANBox 5800v fiber switches from my Windows 10 workstation.

Unfortunately, due to I think Java and IE compatibility issues, the web UI does not work on a Windows 10 machine. Firstly you have to jump through hoops with compatibility mode, trusted sites and Java security settings, but using the latest build of Java I just get a Java exception (Access denied) message.

Currently the only way for me to manage these switches using a GUI, is from an old Vista PC with an outdated version of IE and Java, and this is obviously less than ideal. SANSurfer is also now deprecated, and I can't get that to run on Windows 10 either anyway.

QLogic cannot tell me how to manage via Windows 10 using a GUI, and suggest I just use the CLI. This involves having to learn commands and syntax etc. which I am wary about as I have no proper training in QLogic CLI management, and will likely end up doing something that brings down the live switches.

I have started having an issue when trying to change a user/mailboxes country/region through Exchange Admin Center in Exchange 2016.

When attempting to do so, I get this error:

Active Directory operation failed on DC. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active Directory response: 00002098: SecErr: DSIS-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Other reports of this error do not seem to have a resolution that applies to us. Oddly, If I go into ADUC, and find the same user account, I can easily change the country/region using my same domain login (member of domain admins and enterprise admins).

Does anyone have any thoughts on why I can change this attribute directly through AD but not Exchange?

EDIT: Also have this post on the TechNet forum trying to identify the cause of this issue: Technet Post

I have had a bit of a search for clarification on this, but have only found info on draining session hosts.

I need to make some amendments to our 2012 R2 gateway server VMs, but due to the nature of our business, the gateway servers are in use most hours of the day.

My plan is to put one of the gateway servers into drainstop mode through Microsoft NLB, but have concerns that currently connected users may see some disconnects when the active connection refreshes.

Can anyone confirm that if I put the server intro drainstop mode, current connections will remain unaffected until the user disconnects from their end?

I have a Hyper-V VM that will not boot, bluescreening saying PAGE_FAULT_IN_NONPAGED_AREA

I can boot into WinPE (recovery), but cannot boot in safe mode.

Is it possible to run DISM from WinPE, and do a restorehealth command on the installed Windows Image?

I have a 2012 R2 server running hyper-v, with several 2012 R2 guest VMs.

These were stored on a small raid 5 volume of 4 disks, and 2 of them failed. I managed to recover the array to the point of moving the VM storage to another volume.

When starting two of the VMs, one has a BSOD that complains about a page fault in non paged area. Even after removing and recreating the VM using the existing disk, I got the same error. Bit confusing as this references a memory issue, so not sure why this would persist after a recreate?

Mounted the VHD and did a check disk, and came back ok. Not sure if there are any other things I can try to recover this?

The other VM oddly, boots but exhibits some odd behaviour. Pressing start, the start menu is blank and search doesn't work. Also, the only application that was on that VM seems to have it's install directory, but the main executable is missing?!

EDIT As Massimo pointed out, you cannot recover a RAID 5 volume from two failed disks. What I should have said, was 1 failed disk and 1 unconfigured bad disk. The unconfigured bad disk was marked good, and re-added to the array to allow it to mount again.

We have a remote desktop farm built on 2012 R2. Due to our users having to run Outlook in cached mode, we have not installed the windows search service on these session hosts as it breaks the Outlook search without additional configuration.

The users store all of their data on a mapped drive, which points to a share on a 2012 R2 file server.

What is the minimum configuration required to allow users to search based on file contents, in this remote share? The option to search file contents is greyed out, which I assume is because of the missing search service on the session host?

Is there anything that can be configured on the file server side to index there, and when searching, use the remote index to return results?

I am looking to move our DFS-R file servers to SoFS to accommodate our User Profile Disks in Windows Server 2012 R2 remote desktop services.

DFS-R does not give us any fail over capability as it stands, so if we lose the primary file server, user's profiles will become dismounted.

I intend to create two nodes as VMs in VMware, and need a solution for the shared storage. Our VMware cluster has datastores on our SAN, so I am wondering if I can just use shared VMDKs at VMware level for this kind of scenario? If this is possible, can anyone point me in the direction of a good set of instructions on how to configure shared storage in this way?

Are there any dos/don'ts for shared storage in this scenario?

Has anyone created a SoFS setup on VMware before and have any advice that may be of use?

We have a Windows server 2012 R2 remote desktop farm, which we have applied a GPO to, to control site to zone assignments.

This was working fine up until recently, but just lately, we have found that this setting is not applying.

If I toggle ESC on, and then back off on the server I am on, the sites now show up in IE zone list for the currently logged in user. It does not however, seem to apply to all users. That list of sites will then follow them to other servers and that user will be ok moving forward.

We use user profile disks, so the users registry hive is not available on that server unless they are logged in, which might explain why it only occurs for the logged in test user.

EDIT: I can see the registry entries being created under HKCU ZoneMapKey and HKLM ZoneMap.

According to this article, IE should read settings from both of those locations, but they simply do not appear in the site list in IE control panel.

Is it possible that there has been an update for 2012 that has altered some ESC registry setting that causes us this issue?

I have been battling with Office365 support on this case for a little while, as what they have been telling me is/isn't possible, contradicts the documentation they have directed me to.

Some info:

• We have a 365 subscription with E3 licenses.
• We use ADFS and Azure AD connect, to provide single sign on and sync user objects from AD to Office365
• We wanted to extend our schema to include Exchange attributes to allow control of certain features currently not available to us
• We wanted to install Exchange on premise to allow proper supported management of Exchange attributes

I found Microsoft will provide a free Hybrid edition license key for Exchange 2016, so I decided we would be able to install and deploy an Exchange server in Hybrid mode. We have the server installed, and are preparing to deploy the Hybrid configuration.

The support rep advised me that all mail flow must go through Exchange on prem, and cannot go via 365. Essentially I think this is nonsense, as the on prem license does not allow us to host mailboxes, so this server should not be involved in mail flow at all. All it should do is act as the bridge between Exchange online and Active Directory.

He also said wildcard certificates are not supported in a Hybrid configuration, but couldn't tell me why.

Am I wrong in thinking that this scenario should be really straight forward and should work? We simply want all mail to continue going to 365, and it should not even touch our Exchange. All Exchange does is provide attributes, management tools and the organisational trust between AD and Exchange Online.

We have a 2003 domain with two 2003 domain controllers on 2008 R2 functional level.

Over the past week, when a user's password expires, they attempt to change it when logging into a 2008 R2 remote desktop server. They get the normal message saying that their password needs to be changed:

After pressing ok, they are taken to the password change screen:

After entering a new password (which meets all of our password policy requirements), they simply receive the same message again, stating that they must change their password before logging in for the first time.

Don't think this is NLA, as the machine I am connecting from support NLA, and the users' client device has not changed.

When logging in to a 2003 server, I receive the prompt and am able to reset my password successfully.

If I do not set the user to require a password change on next logon, they are able to logon and reset their password successfully through CTRL+ALT+DEL.

Does anyone have any idea what would have caused this behaviour?

We have several Windows Server 2003 boxes, and over night, they had their automatic updates installed.

This morning, users cannot access shares they were previously able to, and are prompted for credentials. When entering their credentials, authentication seems to fail.

What is more worrying, is that I as an administrator, am also always prompted for credentials, which I did not use to be. When I enter my credentials, authentication also fails.

This happens even when trying to go to the root of the servers to see all shares, i.e "\Server_name\"

Has anyone else found this to be the case?

We have a user who has had access to his old mailbox restricted by management. However, they want them to continue to receive mail in a new mailbox using the same SMTP address.

The situation is, the old and new mailboxes both exist, so internal mail is still going to the old mailbox when using the autocomplete feature in Outlook, for people that have typed the SMTP address previously.

What is the process for moving the X400 internal address from the old mailbox to the new one, so that we don't have to get the entire company to clear their autocomplete cache?

I have tried simply changing the X400 address on the new mailbox to match what it was on the old, but has proved fruitless. I have also added an X500 address matching the X400, but guess this is not correct.

Any help is appreciated. Thanks

We will be implementing a remote desktop server farm, where users' profiles will be hosted on a file server. I believe that doing this will allow users to delete files from their desktop/documents folder etc, and still provide a way to restore from the recycle bin.

We also need to provide shared folders for users, so they can store documents pertinent to their department. The way we would normally do this would be using mapped drives to a SMB share on the file server.

The drawback to this, is that when deleting a file on a mapped drive, it is a permanent deletion, and unless we use shadow copies or somethin of that nature, we would have to restore from a tape/disk backup.

Are there any other recommended ways to provide access to shared folders on a central server, which are not permanent deletions?

I have a test environment for a remote desktop farm with a connection broker load balancing logins across remote desktop session host servers. All servers are built on Server 2012 R2. Using rd web access, we can access this farm from anywhere.

When logging in via web access, you can choose the screen resolution or use full screen. If you have two monitors when selecting full screen, it will always use both your monitors.

Does anyone know how to adjust the RDWeb page so that you can choose whether or not to use both your monitors?

This option is in the GUI from RDP 6.1 onwards, so I would imagine there is a way to also add it the web access page.

I have a windows 8.1 machine that I have installed the Hyper-v role on. We also have a couple of 2012 servers running hyper-v. I am currently managing them from my PC to make life easier.

When I connect to a remote host, I can see all of the VMs. However, when I close the manager, the connection to that host is not remembered, meaning when I next open it, I have to manually re-connect.

Not the end of the world, but was just wondering if there was a way to make the manager keep these connections as persistent so I don't have to go through this process on every start up?

My IT director was walking me through setting up a Server 2012 VPN/RA server. We did not do this in our test environment, and now I would like to remove it.

I know that when installing this server it makes domain changes such as creating group policies etc, and I want to make sure when I remove it I do it properly.

The only documentation I can find from Microsoft, is regarding the Uninstall-RemoteAccess powershell command.

Will running this correctly remove the role, and undo any changes made to the domain and group policies?

I've found several guides and tutorials on public folder replication from 2003 to 2010, but am still a little bit confused.

What we have, is a 2003 exchange server obviously holding all of our public folders, and two 2010 exchange servers in a DAG, that we want to move the public folders to.

On each of the exchange 2010 servers, we have run AddReplicaToPFRecursive.ps1 script and then update-publicfolderhierarchy script.

I can see that the data base has grown in size, although it is now double the size of the database on 2003. If I run get-publicfolderstatistics then it lists all of the public folders, and I can see they have items in them, and they have appropriate sizes.

However. If I open the public folder management console on a 2010 server, then I can see the folder hierarchy, but non of the folders actually show any items in them.

Is there something else I have to do before moving all replicas to 2010?