Category Archives: Windows 2003 Server


Renew a custom IIS Certificate that is about to expire, without affecting clients

A custom (non-paid) certificate is about to expire and you are afraid that your web clients won’t be able to log in, or will have problems logging in, because of that certificate expiration?

A great example of this would be the renewal of OWA (Outlook Web Access) certificates.

1. Go to your IIS web server.

2. Right-click on the website that has the expiring certificate and click Properties.

3. Click on the Directory Security tab, then on Server Certificate, and click Next.

4. Click on “Renew the current certificate” and then “Prepare the request now, but send it later”.

5. The wizard will save the certificate request to a file on your drive (c:\certreq.txt).

6. After the wizard finishes you should fire up your certificate authority web site. IE is recommended for this job!

http://certificate_authority_server/certsrv

This should look like this.

7. Click on the “Request a Certificate” link and then on “advanced certificate request”.

8. Click on the second link saying:

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Browse for a file to insert (take the certificate request file you created back in step 5). If your IE has its security settings enabled, you may just copy and paste the contents of the txt file created in step 5.

REMEMBER!!! Certificate template should be “Web Server”

Click on Submit at the bottom right.

9. Download the certificate that was created and, in case you need it in the future, its chain as well.

10. Go back to your IIS, which is waiting for the renewal. Repeat steps 2 and 3 in order to go back to the Security > Certificates configuration.

11. This time the server waits for the certificate you created and downloaded in step 9.

12. Proceed with submitting the certificate.

13. Export the certificate in pfx format directly from your IIS, using the appropriate button in the Certificate Wizard. You will need this in order to publish this certificate again on your firewall/ISA/TMG.

Now, there may be an ISA or other firewall in front of your web server that initially does the “talking” with your external clients. In that case you need to install this certificate (step 13) on the “talker”.

In case of an ISA/TMG:

14. Launch mmc > Add Certificates > LOCAL COMPUTER

15. Remove all old expiring certs from your Personal directory

16. Import the new pfx file (step 13)

17. Check your rule in OWA Publish, in the SSL/HTTPS Web listener, and change the certificate.
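
Before removing the old certificates in step 15 and changing the listener in step 17, it helps to confirm that the new certificate is in the Local Computer Personal store together with its private key. The following PowerShell is an added example, not part of the original post; the function name `Get-CertRenewalStatus`, the 30-day warning window and the sample objects are assumptions, and the syntax stays within PowerShell 2.0.

```powershell
# Added example (not from the original post). PowerShell 2.0-compatible.
function Get-CertRenewalStatus {
    param(
        [object[]] $Certificates = @(),
        [int]      $WarnDays     = 30,          # assumed warning window
        [datetime] $Now          = (Get-Date)
    )
    foreach ($cert in $Certificates) {
        if ($null -eq $cert) { continue }       # PS 2.0 iterates once over $null
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
        if     ($daysLeft -lt 0)         { $expiry = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $expiry = 'EXPIRING' }
        else                             { $expiry = 'VALID' }
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            DaysLeft      = $daysLeft
            Expiry        = $expiry
            HasPrivateKey = [bool]$cert.HasPrivateKey
            # A listener can only use a certificate that is unexpired AND has its key.
            Usable        = (($daysLeft -ge 0) -and [bool]$cert.HasPrivateKey)
        }
    }
}

# Constructed sample objects standing in for X509Certificate2 entries:
# the old certificate close to expiry, and a new one imported without its key.
$now = [datetime]'2012-03-01'
$sample = @(
    (New-Object PSObject -Property @{ Subject = 'CN=owa.example.test'
        Thumbprint = 'OLD-PLACEHOLDER'; NotAfter = [datetime]'2012-03-10'; HasPrivateKey = $true }),
    (New-Object PSObject -Property @{ Subject = 'CN=owa.example.test'
        Thumbprint = 'NEW-PLACEHOLDER'; NotAfter = [datetime]'2014-03-01'; HasPrivateKey = $false })
)
Get-CertRenewalStatus -Certificates $sample -Now $now |
    Select-Object Thumbprint, DaysLeft, Expiry, HasPrivateKey, Usable |
    Format-Table -AutoSize

# Live store on the ISA/TMG server:
# Get-CertRenewalStatus -Certificates (Get-ChildItem Cert:\LocalMachine\My)
```

A new certificate that reports `Usable` as False was imported without its private key (for example from the downloaded certificate file rather than the pfx from step 13), so the old certificate should stay in place until that is corrected.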

Have a nice day 🙂

Creative People


Can ping server while it boots, but ping fails after start – IPSEC service loading issue.

I have seen this problem more than 10 times, but last night was the first time on a Hyper-V hosted W2k3 machine.
You can ping the machine while it boots, but ping fails once it reaches the Ctrl+Alt+Del screen. A message about a failed service comes up, and when you log in there is no network connectivity.
 
As a matter of fact, the NIC works perfectly, looks connected, packets come and go, but there is no ping in or out of the machine!
 
This is due to a Microsoft update, which I am currently in the process of identifying, that actually damages the policy concerning the IPSEC service.
 
I tried to understand if there was a problem with the NICs. I revealed all hidden devices by running (admin privileges for W2k8) on a command prompt:
 
set devmgr_show_nonpresent_devices=1
and then opened Device Manager with
start devmgmt.msc
After that, View > Show hidden devices,
and I removed all older NIC driver installations that I did not need.

Unfortunately this was not the case… This issue is dealt with FAR MORE EASILY! If you examine your event viewer carefully, you may find that there is something wrong with your IPSEC service, which should appear in your services with Automatic start but is not started. Fire up your services console and disable the IPSEC service. Reboot your server and, after it boots, all network connections will have been restored.

It is likely that if you try to start the IPSEC service again (which is highly recommended for corporate environments) it will fail, saying that it did not find the file needed.
 
You may find a good workaround on the link below, but a simple
“regsvr32 polstore.dll”
(without quotes) on my command prompt did the job I needed. It actually repairs the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local as the above article describes.

Change the service back from Disabled to Automatic, and it should start if you try it manually. Reboot and check again. This worked for me; I hope it does for you, and that you go back home earlier than you expected!

Have a good day 🙂

The Microsoft VSS snapshot provider selected returned: "Unexpected provider error". Volume shadow copy creation: Attempt 1. "COM+ REGDB Writer" has reported an error 0x800423f4. This is part of System State. The backup cannot continue.

I came across this error yesterday with a W2k3 SP2 DC/Exchange (also seen on W2k8).

Volume shadow copy creation: Attempt 1. “COM+ REGDB Writer” has reported an error 0x800423f4. This is part of System State. The backup cannot continue.

Error returned while creating the volume shadow copy:800423f4
Aborting Backup.

———————-
The operation did not successfully complete.

This is actually a Microsoft VSS snapshot provider error (“Unexpected provider error”) causing the backup process to fail.

The resolution is quite simple if you are lucky and you don’t need to re-register COM+ objects.

Fire up a DOS prompt (Start > Run > Cmd) and give the following command:

C:\>vssadmin list writers

A list of the available writers will follow.

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
Writer name: 'System Writer'
Writer Id:…………………….
Writer Instance Id:……………..
State: [1] Stable
Last error: No error

Look carefully at this list. The writers with State: [1] Stable and Last error: No error are OK.

But if you see

State: [9] Failed
Last error: Retryable error

The writer having this is the problematic one.

In my case (with the backup failing) the following had a state of fail:

‘COM+ REGDB Writer’

If you are using BackupExec it is possible to find the following with error as well:

‘TermServLicensing’
‘WMI Writer’
‘FRS Writer’

This is resolved easily like this.

The VSS Provider needs to be removed. Delete the associated registry key for the Provider Id by using the following DOS command:

C:\>REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\{xxxxxx}" /F

where xxxx is the provider id of the problematic vss provider/object.

Then simply restart the VSS service

C:\>net stop vss
The Volume Shadow Copy service is stopping.
The Volume Shadow Copy service was stopped successfully.

C:\>net start vss
The Volume Shadow Copy service is starting.
The Volume Shadow Copy service was started successfully

Remember that until you attempt the Windows backup, the command “vssadmin list writers” will show the writers as not in error. Try to start the backup again and check if it runs.
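
On a server with many writers, the Stable / No error check described above is easier to apply mechanically than by eye. The following PowerShell is an added example, not part of the original post; the function names `ConvertFrom-VssWriterList` and `Get-FailedVssWriter` and the sample text are assumptions, English-language vssadmin output is assumed, and the syntax stays within PowerShell 2.0.

```powershell
# Added example (not from the original post). PowerShell 2.0-compatible.
# Turns the text of "vssadmin list writers" into one object per writer.
function ConvertFrom-VssWriterList {
    param([string[]] $Lines)
    $writers = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match "^\s*Writer name:\s*'(.+)'\s*$") {
            if ($current) { $writers += $current }      # close the previous writer
            $current = New-Object PSObject -Property @{
                Name = $Matches[1]; StateCode = $null; State = $null; LastError = $null
            }
        }
        elseif ($current -and ($line -match '^\s*State:\s*\[(\d+)\]\s*(.+?)\s*$')) {
            $current.StateCode = [int]$Matches[1]
            $current.State     = $Matches[2]
        }
        elseif ($current -and ($line -match '^\s*Last error:\s*(.+?)\s*$')) {
            $current.LastError = $Matches[1]
        }
    }
    if ($current) { $writers += $current }
    return $writers
}

# Keeps every writer that is not "[1] Stable" with "No error".
function Get-FailedVssWriter {
    param([string[]] $Lines)
    ConvertFrom-VssWriterList -Lines $Lines |
        Where-Object { ($_.StateCode -ne 1) -or ($_.LastError -ne 'No error') }
}

# Constructed sample in the format shown above (Id lines omitted).
$sample = @"
Writer name: 'System Writer'
   State: [1] Stable
   Last error: No error

Writer name: 'COM+ REGDB Writer'
   State: [9] Failed
   Last error: Retryable error
"@ -split "`r?`n"

Get-FailedVssWriter -Lines $sample | Select-Object Name, StateCode, State, LastError

# Live use, right after a failed backup attempt:
# Get-FailedVssWriter -Lines (vssadmin list writers)
```

The Provider Id needed for the REG DELETE step is listed by `vssadmin list providers`, and running `reg export` on the Providers key first keeps a copy that can be restored if the wrong entry is deleted.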

In another case I had to register the vss by using the following in a batch file.

cd /d %windir%\system32
Net stop vss
Net stop swprv
regsvr32 ole32.dll
regsvr32 oleaut32.dll
regsvr32 vss_ps.dll
vssvc /register
regsvr32 /i swprv.dll
regsvr32 /i eventcls.dll
regsvr32 es.dll
regsvr32 stdprov.dll
regsvr32 vssui.dll
regsvr32 msxml.dll
regsvr32 msxml3.dll
regsvr32 msxml4.dll
pause

Hope this helps some of us. 🙂

Creativepeople.gr
