SQL Server 2014 on a Domain Controller ?

Thinking to install a SQL instance on your Domain Controller ? Think twice, as it got bad implication if you do.

I will quote the Microsoft’s article: (there )

You cannot run SQL Server services on a domain controller under a local service account.

That mean that you will have to create an Active Directory account to run the service with higher right than a local service account.

After SQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. You must uninstall SQL Server before you change the host computer to a domain controller.

After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.

Plan it right, don’t plan to add an ADDS’s server on your SQL’s server, as you will end up to create another server in the end. Planning it right to prevent unplanned cost to your customer.

SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.

SQL Server Setup cannot create security groups or provision SQL Server service accounts on a read-only domain controller. In this scenario, Setup will fail.

Now we fall into the limitation.

As you can see you are winner to plan your deployment correctly 🙂

ps. there it’s another reference there that show that it’s not something new.

Thanks
Posted in Uncategorized | Leave a comment

Windows VDA + Pre Deploy Juniper client / Pulse Secure

Today I will talk a small tip if you want to deploy a golden image to make it possible to pre-configure the pulse secure application (formerly knew as the juniper client)

If you don’t do the tip the error you will face if pulse secure is already installed is only one simultaneous machine will be able to connect the VPN. (One user will connect, and the other will be disconnected)

In the base image you need to edit the connstore.dat

10-24-2016 9-30-01 AM.png

After you open the file with notepad, and remove that machine GUID’s line:

10-24-2016 9-29-04 AM.png

10-24-2016-9-29-35-am

Save the change., after we need to erase the Device ID in the registry.

I did a script that do it that way:

net stop juniperaccessservice
REG delete “HKLM\SOFTWARE\Wow6432Node\Juniper Networks\Device Id” /v DeviceId /f
REG delete “HKLM\SOFTWARE\Juniper Networks\Device Id” /v DeviceId /f

After you can copy the .dat, and put in the same folder and name it connstore.new. It will be used if you re-change the golden image, and you need to re change fast the GUID. We can add those line to our script:

   copy “C:\Program Files\Common Files\Juniper Networks\ConnectionStore\connstore.new” “C:\Program Files\Common Files\Juniper Networks\ConnectionStore\connstore.dat” /y
copy “C:\Program Files (x86)\Common Files\Juniper Networks\ConnectionStore\connstore.new” “C:\Program Files (x86)\Common Files\Juniper Networks\ConnectionStore\connstore.dat” /y

Updated: Pulse added a command line parameter for shared install, SHAREDINSTALL=1

The command line make the installer to not write the GUID and it does not start the service (so the registry key is not wrote).

I keep my tip there as if you need to restart your golden image for a reason X, then you will still need the script.

Thanks

Posted in Uncategorized | Leave a comment

How to add non latin entry in the Windows Host file ? (%SystemRoot%\System32\drivers\etc\hosts)

There is a small tip if you need to add a non latin entry in the host file.

An example;

127.0.0.1         www我等主营.com

or

127.0.0.1   локалхост

The file itself does not accept any non latin encoding, thus those two example over would not work, but you can bypass the problem with punycode. (Look there for a generator)

A description from Wikipedia of what is punycode;

Punycode is a way to represent Unicode with the limited character subset of ASCII supported by the Domain Name System. For example, “München” (German name for the city of Munich) would be encoded as “Mnchen-3ya”.

 

That tip would transform our two test domain to that;

127.0.0.1 xn--80atccmdviy

or

127.0.0.1    xn--tiq769bnnsi9h.com

 

Thanks

 

ps. Some post referencing that problem in Serverfault : 1, 2

 

Posted in Uncategorized | Leave a comment

Windows Remote Desktop Service – Manually creating a .RDP file

I will talk about a small tip; how to manually create a .RDP’s file.

Why would I do that you may ask me, well, if you got a new Remote Desktop Server in 2012R2 you may seen that the wizard to create and deploy the icon is no longer there.

You may deploy all the icon with the correct way with RDWeb, but what if you need a onetime connection to another server that you just want the RemoteAPP icon on the desktop ?

This tip is meant for that;

There is a small .RDP file’s example edited in notepad :

redirectclipboard:i:1
redirectposdevices:i:0
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
authentication level:i:2
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:0
gatewaycredentialssource:i:0
full address:s:SERVERNAME.CONTOSO.COM
alternate shell:s:||AcroRd32
remoteapplicationprogram:s:||AcroRd32
gatewayhostname:s:
remoteapplicationname:s:Adobe Reader 9
remoteapplicationcmdline:s:

As you can see the layout is pretty simple, 3 things must be edited to have that work;

1- Servername (full address:s:FQDN)

2- The application name (alias) (alternate shell:s:||AcroRd32)

3- The application name (remoteapplicationname:s:Adobe Reader 9)

To see what those name mean, there is an example from an older 2008R2 display:

acrobat9.png

 

Now with that information, you can now publish that small icon with GPP, or any other mean ( and at the same time we demystified that .RDP’s file 🙂 )

 

Posted in Uncategorized | Leave a comment

Microsoft Office 2013 32-bit over 64-bit error

Today I will blog about a small bug that happened to me on a Terminal Server, but the KB was really hard to find, the why I’m spotlighting it 🙂

This message is displayed with Outlook :

3064206.png

“Microsoft Office 64-bit Components 2013” with a progress bar stating “Please wait while Windows configure Microsoft Office 64-bit Components 2013”

“Error 2503: an internal error occured. Contact Microsoft support”

The KB2643974 is “Please wait while Windows Configures Microsoft Office 64-bit Components 2013” message when you start Outook 2013

The way to correct the bug :

To resolve this issue, install the Windows Search Service. To do this, following the steps that are appropriate for your version of Windows.

Windows 7 and Windows 8
Close Outlook.
Start Control Panel.
Click Programs and Features, and then click Turn Windows features on or off.
Enable Windows Search, and then click OK.
Restart the computer if you are prompted to do this.

Windows Server 2012
Start Server Manager.
Click Manage, and then click Add Roles and Features.
On the Before You Begin page, click Next.
On the Installation Type page, select Role-based or Feature-based Installation, and then click Next.
On the Server Selection page, select the server or virtual hard disk on which you want to install the Windows Search Service.
On the Features page, select Windows Search Service, and then click Next.
On the Confirmation page, verify that Windows Search Service is listed, and then click Install.

Windows Server 2008
Start Server Manager.
Click Roles in the left navigation pane.
Click Add Roles in the Roles Summary pane.
On the Server Roles page, select the File Services role, and then click Next.
On the Role Services page, select the Windows Search Service role service, and then click Next.
On the Confirmation page, verify that Windows Search Service is listed, and then click Install.

If you prefer not to use or install the Windows Search Service, you can disable indexing in Outlook. To do this, follow these steps:

Exit Outlook.
Start Registry Editor. To do this, use one of the following procedures, as appropriate for your version of Windows.
Windows 8: Press Windows Key + R to open a Run dialog box. Type regedit.exe and then press OK.
Windows 7, Windows Server 2008, or Windows Server 2012: Click Start, type regedit.exe in the search box, and then press Enter.
In Registry Editor, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search

Point to New on the Edit menu, and then click DWORD (32-bit) Value.
Type PreventIndexingOutlook, and then press Enter.
Right-click PreventIndexingOutlook, and then click Modify.
In the Value data box, type 1, and then click OK.
On the File menu, click Exit to exit Registry Editor.

 

Post related to that bug

Posted in Uncategorized | Leave a comment

Windows – How to easily deploy XenApp’s multiple farm config for a user

You got a network with a remote desktop’s farm, you use the citrix receiver with SSO to connect to another’s farm and you need a third receiver configuration ?

It seem an overkill setup, but I seen it often as usually when like two enterprise merge, you can have the internal resource, and one another in another domain/forest.

I talk about simple stuff, the .ica, but be advised it’s info hard to find in citrix, so kinda why I wrote it.

The limitation of the receiver can be hit pretty fast as :

  • Only one farm/pn agent’s site can be used at the same time.
    • In the citrix web interface you can’t add citrix server from another realm.
  • Only one type of authentication used when the receiver is loaded.

In that scenario, you can imagine that if you need to connect to a third farm, you can hit the limitation pretty fast.

With those limitation in head, you can easily deploy a .ica file with GPP, and place the icon on the user desktop to open the connection.

A simple .ICA to connect to MS Word :

Word.ica

[Encoding]
InputEncoding = ISO8859_1
[WFClient]
Version=2
ProxyType=Auto
HttpBrowserAddress=X.X.X.X:80
ConnectionBar=0

[ApplicationServers]
Word 2013=

[Word 2013]
Address=X.X.X.X
InitialProgram=#Word 2013
CGPAddress=*:2598
ClientAudio=Off
DesiredColor=8
TWIMode = True
KeyboardTimer = 0
MouseTimer = 0
ConnectionBar=0
Username=
Domain=
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
BrowserProtocol=HTTPonTCP
Compress=On
EncryptionLevelSession=Encrypt
[Encrypt]
DriverNameWin32=PDCRYPTN.DLL
DriverNameWin16=PDCRYPTW.DLL
[Compress]
DriverName=PDCOMP.DLL
DriverNameWin16=PDCOMPW.DLL
DriverNameWin32=PDCOMPN.DLL

There is a ICA to connect to a bigger farm in balancing.

[Encoding]
InputEncoding = ISO8859_1
[WFClient]
Version=2
HttpBrowserAddress=X.X.X.X:80
HttpBrowserAddress2=X.X.X.X:80
ConnectionBar=0
CDMAllowed=Off

[ApplicationServers]
Excel=

[Excel]
Address=excel
InitialProgram=#Excel
ClientAudio=Off
DesiredColor=8
TWIMode = True
KeyboardTimer = 0
MouseTimer = 0
ConnectionBar=0
UseLocalUserAndPassword=Off
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
BrowserProtocol=HTTPonTCP
EncryptionLevelSession=Encrypt
[Encrypt]
DriverNameWin32=PDCRYPTN.DLL
DriverNameWin16=PDCRYPTW.DLL

You could add the line username, clearpassword and domain if you need to make it automatic and that you can’t use SSO.

Username=
clearpassword=
Domain=

 

ps, you can use that tip to connect to a old metaframe/presentation server’s farm with the newer receiver without the program neighborhood

 

Posted in Uncategorized | Leave a comment

Windows Server 2012 R2 KB3185279 & KB3185331 seem to break Google tip to block Youtube with DNS

In enterprise Google offered a tip to block youtube with the DNS;

10-21-2016 4-05-08 PM.png

Some users posted that nslookup started not working after KB3185331

If we dig in the KB’s text, we find that itselft that KB include nothing that can touch the DNS server, but digging farther show that;

10-21-2016 4-11-09 PM.png

The update 3185279 include that fix :

Addressed issue that causes Wildcard CNAME queries with Domain Name System Security Extensions (DNSSEC) enabled to not return Next Secure (NSEC) records.

 

Be sure to test out correctly if you need to make such tip after the update, as you may need to create a *.youtube.com’s zone to bypass the problem (or remove the update)

 

Posted in Uncategorized | Leave a comment