Server 2012R2 Install Issues on Hyper-V using Dynamic Memory

Posting this hoping I can help someone else out. I had a customer who wanted a Server 2012R2 VM built for a new accounting application… so I downloaded the ISO, created a VHD and built the VM using Dynamic Memory with 512MB of Startup RAM. Upon booting, I got as far as clicking “Install Now” when I received an error message similar to this one:


Server2012R2ErrorWithDynamicMemory

For Google, it reads: “Windows installation encountered an unexpected error. Verify that the installation sources are accessible, and restart the installation.”

The error in the screenshot is easily searchable and resolvable, but initially I had a different error. The screenshot reads “Error code: 0xE0000100”, but when I first ran into this problem it read “Error code: 0xC0000005”. As I write this post, I wonder why the error code changes after one successful startup of the installation program, but alas …

If you try to install Server 2012R2 as a Hyper-V guest using Dynamic Memory and you get the “Error code: 0xC0000005” message – check your Startup RAM value. Despite this TechNet article stating that 512MB is the minimum needed for Server 2012R2, there must be a RAM disk or additional software that is used during the install process. I was successful with a Startup Memory value of 1024MB. However, that was after I spent over an hour checking to make sure the Hyper-V services had access to the ISO files, re-downloading the ISO twice, checking MD5 hashes of the file against a known-good copy and making sure the VHD files were not corrupt…
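The Startup RAM check above, scripted for a Hyper-V host as an added example (not from the original post). It assumes the Hyper-V PowerShell module; the 1GB threshold is the value that worked above, not a documented minimum, and the VM name at the end is a constructed placeholder.

```powershell
# Added example, not from the original post. Lists Dynamic Memory guests whose
# Startup RAM is below the 1024MB that worked above, and raises it on request.
$MinimumStartup = 1GB   # the post's working value (assumption: no documented minimum)

function Get-LowStartupMemoryVM {
    param([string]$VMName = '*')
    foreach ($vm in Get-VM -Name $VMName) {
        $mem = Get-VMMemory -VM $vm
        # Only Dynamic Memory guests have a separate Startup value worth checking.
        if ($mem.DynamicMemoryEnabled -and $mem.Startup -lt $MinimumStartup) {
            [pscustomobject]@{
                Name      = $vm.Name
                State     = $vm.State
                StartupMB = [int]($mem.Startup / 1MB)
                MinimumMB = [int]($mem.Minimum / 1MB)
                MaximumMB = [int]($mem.Maximum / 1MB)
            }
        }
    }
}

function Set-InstallStartupMemory {
    # Raises Startup RAM (and Maximum, if it was lower) so setup has room for
    # whatever it loads during installation. The VM must be off.
    param([Parameter(Mandatory)][string]$VMName)
    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') {
        throw "Shut down '$VMName' first; Startup RAM cannot be changed while it runs."
    }
    $mem = Get-VMMemory -VM $vm
    $maximum = [math]::Max($mem.Maximum, $MinimumStartup)
    Set-VMMemory -VM $vm -DynamicMemoryEnabled $true -StartupBytes $MinimumStartup -MaximumBytes $maximum
}

# Usage: review first, then fix the guest being installed (constructed VM name).
Get-LowStartupMemoryVM | Format-Table -AutoSize
# Set-InstallStartupMemory -VMName 'SRV2012R2-ACCT'
```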

Customizing DirSync Installs

The majority of companies I work with who use an Office365 service will use the DirSync service at least for password synchronization. However, a company with 80 users in Office365 might have many hundreds in their Active Directory database. It’s probably not desirable to have all of those users synchronizing each time, so let’s restrict it down to just who you want.

  1. First, you’ll want to install the DirSync tool as normal. Download the installation from Office365 and save it somewhere. Then run the tool as an administrator. Enter your Office365 and local credentials, select Password Sync and proceed almost to the end – just don’t leave the Synchronize your directories now box checked as we’re going to customize it first.
  2. DirSync is built on the Forefront Identity Manager software – you’ll want to open the Synchronization Service Manager located (on my machine) at C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe:
    DirSyncSetup1
  3. You may get the error Unable to connect to the Synchronization Service when you start this up. The key to resolving this is almost always Reason #2 – your account needs to be a member of the locally created FIMSyncAdmins group on this machine. Confirm that you are, and remember that you have to log back in for it to be effective:
    DirSyncSetup2
  4. Open the software and click the Management Agents section at the top. You’ll see two agents available – one for Active Directory and one for Windows Azure. Not surprisingly, the Active Directory agent interacts locally and the Windows Azure agent interacts with Office365. We’re going to customize the Active Directory connector by selecting it and then clicking the Properties action:
    DirSyncSetup3
  5. Here’s where life gets interesting … there are many places to customize this. What’s essentially happening here is that the Active Directory database is being dumped out to a local SQL installation, which then exports that data to the Windows Azure service. There are obviously many parts to this: Where does the data come from? What objects should be transferred? For those objects, what attributes? Should we filter those objects?
    We’re going to take advantage of that last question.
    In the Properties window that you last brought up, select Configure Connection Filter and then select the rules for the User object type:
    DirSyncSetup4
  6. Notice there are over a dozen rules for user objects alone – we’re filtering out some by sAMAccountName, others by the msExchRecipientType attribute. How you filter your users is up to you. For many of my setups, I’ve already got my two UPN suffixes, so I set people who should have an Office365 account to the public @example.com suffix and filter users who don’t have it. Note that you can have more than one condition per filter:
    DirSyncSetup6
  7. Once you click the OK button, your filter appears in the list. You can OK out of the rest of the boxes:
    DirSyncSetup7

If you want to test, you can run a full sync of the Active Directory connector by right-clicking it, selecting Run, and then running with the Full Import Full Sync profile. You’ll get statistics that will show you what was imported and kept:

DirSyncSetup8
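Before running the Full Import Full Sync profile, it helps to know which accounts the UPN-suffix filter above will keep. This added example (not from the original post) previews that from Active Directory; it assumes the ActiveDirectory module, and the suffix and search base are placeholders to substitute.

```powershell
# Added example, not from the original post. Previews the effect of the UPN-suffix
# connector filter described above: accounts whose UPN does not end in the public
# suffix are the ones the filter drops from the sync.
Import-Module ActiveDirectory

function Get-DirSyncUpnPreview {
    param(
        [string]$PublicSuffix = 'example.com',      # suffix used in the post
        [string]$SearchBase   = 'DC=corp,DC=local'  # constructed placeholder
    )
    # The connector imports every user, so look at all of them, not just enabled ones.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName

    $suffixOf  = { ($_.UserPrincipalName -split '@', 2)[1] }
    $bySuffix  = $users | Group-Object -Property $suffixOf
    $wouldSync = @($users | Where-Object { (& $suffixOf) -ieq $PublicSuffix })
    $noUpn     = @($users | Where-Object { -not $_.UserPrincipalName })

    [pscustomobject]@{
        Total        = @($users).Count
        WouldSync    = $wouldSync.Count
        WouldFilter  = @($users).Count - $wouldSync.Count
        NoUpnAtAll   = $noUpn.SamAccountName      # these never match any suffix rule
        SuffixCounts = $bySuffix | Select-Object Name, Count
    }
}

Get-DirSyncUpnPreview | Format-List
```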

Permissions of MachineKeys Folder on Server 2012

I just had a customer whose Exchange 2013 machine was acting … weird. There were issues with the OWA site loading, and some bizarre event log messages regarding SChannel errors. I began investigating these by opening the IIS console and looking at the bindings for HTTPS, which appeared good.

And then I clicked OK … the server slowed significantly (wrote thousands of messages to the event log), and then I received this message:

A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: [...])

At this moment, IIS went down. Knowing this message can happen because of a certificate validity issue, I checked the certificates console and found the certificates showed valid, with private keys in place. The event log yielded Schannel #36870 messages reading:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

Some quick Google-fu yielded the potential that my private keys were missing, or had some access issues. There are many articles out there to deal with this, such as this one at MSDN or this MS KB Article. But it’s a bit lacking for Server 2012. Here’s some stuff to know:

  • Some articles reference C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA, while others reference C:\Users\All Users\Application Data\Microsoft\Crypto\RSA. The one above references C:\ProgramData\Microsoft\Crypto\RSA. On Server 2012, these are all hard links to one another.
  • I had issues making this fix without first stopping the Cryptographic Services service.
  • The article wants you to confirm that Administrators has Full Control of the MachineKeys folder, and that Everyone has the following individual permissions:
    – List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions
  • None of the articles discuss inheritance. In my case, I had every one of the permissions right, but the Applies To section was “This folder” only. It has to be This folder, subfolders and files.
  • I had to take ownership of the directory and all files within, because the files themselves had inheritance turned off.

After the above work, I restarted the service and found that I could re-bind the certificates in IIS.
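The checks and fix from the list above, scripted as an added example (not from the original post). It assumes the default Server 2012 path, an elevated session, and that re-enabling inheritance on the individual key files is the intended end state; the Everyone rights are the ones the post lists.

```powershell
# Added example, not from the original post. Audits the MachineKeys ACL for the
# "This folder only" scoping problem described above, then applies the fix.
$MachineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

# The rights the post lists for Everyone, as FileSystemRights flags.
$EveryoneRights = [System.Security.AccessControl.FileSystemRights]::ListDirectory -bor
    [System.Security.AccessControl.FileSystemRights]::ReadAttributes -bor
    [System.Security.AccessControl.FileSystemRights]::ReadExtendedAttributes -bor
    [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
    [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
    [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
    [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
    [System.Security.AccessControl.FileSystemRights]::ReadPermissions

# "This folder, subfolders and files" = both inheritance flags, no propagation limit.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

function Test-MachineKeysAcl {
    # Shows each ACE with its Applies To scope; rights can look right while the
    # scope is still "This folder only", which is what the post ran into.
    param([string]$Path = $MachineKeys)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            AppliesTo = if ($ace.InheritanceFlags -eq 'None') { 'This folder only' }
                        else { 'This folder, subfolders and files' }
            Inherited = $ace.IsInherited
        }
    }
}

function Repair-MachineKeysAcl {
    param([string]$Path = $MachineKeys)
    # The fix did not stick for the post's author while the service was running.
    Stop-Service -Name CryptSvc -Force

    # Take ownership of the folder and every key file (they had inheritance off).
    & takeown.exe /F $Path /A /R /D Y | Out-Null

    $acl = Get-Acl -Path $Path
    $admins   = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $Inherit, $Propagate, 'Allow')
    $everyone = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', $EveryoneRights, $Inherit, $Propagate, 'Allow')
    $acl.SetAccessRule($admins)      # replaces any existing Allow ACE for the identity
    $acl.SetAccessRule($everyone)
    Set-Acl -Path $Path -AclObject $acl

    # Assumption: key files should inherit from the folder again so the ACEs above
    # flow down; $true keeps each file's existing explicit entries.
    Get-ChildItem -Path $Path -File -Force | ForEach-Object {
        $fileAcl = Get-Acl -Path $_.FullName
        $fileAcl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $_.FullName -AclObject $fileAcl
    }

    Start-Service -Name CryptSvc
}

Test-MachineKeysAcl | Format-Table -AutoSize   # review before running Repair-MachineKeysAcl
```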

A Long Post on LGBT Experience

As I was browsing through the interwebs today, I came across an article written by Sierra Mannie for Time Magazine’s opinion section, available here. After reading it, I feel compelled to respond. There are times when you read something and the message begins to deviate from the delivery – this article left me straddling one hell of a median after just the first paragraph from a legitimate gripe to a full-on bashing of White Gay men and their own struggles.

First, let me begin by saying this: I’m one of the White Gay males you refer to. I don’t appreciate the tone of your article. You clearly don’t understand the struggles that the LGBT community, particularly Gay men, have to deal with. While there’s no excusing the mockery of traditionally Black, female names, you go way beyond this. So let me throw a little bit of truth tea your way.

Gay men are 500% more likely to be physically attacked than Persons of Color, and 250% more likely to be attacked than Gay women (here’s some proof). Those are 2012 numbers, mind you, which is a long way from the electroconvulsion “therapy” that many in the LGBT community experienced only a few decades ago.  Gay youth have a 300% higher suicide rate, and it only improves slightly from there. Did you know that two whole decades after schools were desegregated, homosexuality was still considered a mental illness by our country? Did you know that sodomy – the law used to terrorize and ruin the lives of many Gay men and force them into the hiding you so forcefully suggest they can be comfortable in – was only struck down in 1996? That’s less than two decades ago. Were you afraid of being arrested or worse when you met your first love, or had your first sexual experience?

Is Racism alive? Sure, but we’ve been talking about it for almost a half century, and there has been progress. There’s a good chance you weren’t alive when Jim Crow terrorized your family, and it’s feasible you weren’t watching live television feeds of young Black children being shot with rubber bullets or water in the sixties. Everything my first boyfriend and I did was illegal, and I watched my first crush get beaten so badly that he was placed in a hospital, his family forced to leave our town because he “acted like a faggot”. At my current age, I still have to remind myself that it’s okay to love someone. To have feelings, and to be myself.

The first long-term relationship I saw in-the-flesh was ended after over five years when a group of 6 Black men beat him so severely he had his jaw wired closed. He physically never looked the same again. He had his head curb-stomped, literally, by a half-dozen men for walking out of a Gay club. In the ten years since that happened, I’ve seen him exactly once. His relationship is over and he’s comfortably living by hiding who he is from everyone, enjoying all his new-found privileges.

I should mention to you that every time I’ve been attacked, physically or verbally for ‘acting’ Gay, it was by a Person of Color. Of all the people I know, the people who have it worst are Gay men of color, who have struggled to be accepted by both the Gay community and their own community for ‘acting Gay’. Your own community has an abysmal record in how they treat their own people when they are gay.

Your suggestion that privilege floats back when you hide your sexuality shows your lack of understanding. You are not privileged when you have to “make up” a girlfriend during company meetings to explain that you’re travelling to Florida with your partner of 7 years this Christmas, and you can bring your hetero-normative boyfriend (of color, or not) to company holiday parties with almost no fear of reprisal. You can even walk up to someone at a bar and tell them they are attractive, and they have a nice smile. The only place Gay men can do this (without a likely fistfight) is a Gay bar, which aren’t known as incubators of healthy relationships.

Young gay men of today grow up in a bizarre world, where everyone is assigned a supposed gender identity. Many are regarded as feminine and weak (and they spend their entire lives being treated as such – sound familiar as a woman?) or end up developing hyper-masculine personalities to compensate for how they are treated. There are no healthy role models. When Clay Aiken came out at the time, the news was awash with rumors of his fisting fetishes, and not his attempts at having a normal, healthy relationship and family. At least Black females have role models like Beyonce – there are no strong and self-determining Gay role models. Instead, our media is awash in incredibly distasteful representations and role models for LGBT people. And tons of Gay jokes, jokes that are still made on the air today. It’s not okay for anyone to make black jokes, in or out of the media. But jokes about faggots, fudge packers, fanny bandits and countless other colorful references to who my heart loves are still made today.

Do you know what it’s like to be so afraid of being with someone you love that you completely disregard any feelings you may have? That any emotions begin to hurt, because you know they can only go so far before you have to make great sacrifices to keep it? To be so desperate for connecting with another human being that you have to resort to the online meat-markets you ignorantly submit as evidence in your case? Did it occur to you that these places started out as safe spaces where men could talk to each other openly and safely and have since morphed into places that men, stripped of the right or desire to have normal in-person conversations and relationships, go to experience something? Before this were Gay bars (constantly raided by police, or nutjobs with guns, hatchets and other weapons) or even public parks, where the most desperate would go at night in the twisted sense of safety that others there were – just maybe, if you were careful, Gay? I’ve seen more acts against Gays recently than anyone else, and the media doesn’t seem to pay it nearly the attention it deserves.

So let’s get out from underneath your delivery and back to your message. The next time you see one of these men, do yourself a favor and challenge your point of view. They might just be trying to relate to you, to be accepted, to identify. Sure, mocking Shaniqua’s name isn’t the right way to do it, but it’s completely short-sighted of you to twist an appreciation for Beyonce – at one point, a top-selling artist in America, into a rant about appropriation and privilege. You might add more to the world by being yourself and showing them a more compassionate, strong, nuanced and thoughtful person – and if they emulate those qualities, two people have benefited.

Using IPs Outside WAN Subnet/On Second Subnet with an ASA

I have a customer who needed to set up some external services through to an internal machine – they have a Cisco ASA 5505 running the 8.2(1) firmware. The catch?

Their usable WAN IP was something like 95.24.87.77 and was assigned as the Cisco’s outside interface, with a 95.24.87.76 gateway on a /26 network – I figured there would be plenty of IPs in that range to use, but I couldn’t – none of them worked. After some time, I called the ISP and was told they had a second subnet of usable IP addresses – 95.24.174.232/29 – with a 95.24.174.233 gateway.

I did some quick Google-fu and found a number of answers, but none demonstrating how easy and simple it is. Hoping to make this easy for the next guy – here’s how you do it. If you provide a route to the second subnet, a static NAT entry and an access-list entry allowing that traffic, then bind that access-list to the outside interface, it’ll work just fine:

! Route the second ISP subnet via its own gateway
route outside 95.24.174.232 255.255.255.248 95.24.174.233 1
! Static port translation for a single host: a host (/32) mask, not the subnet mask
static (inside,outside) tcp 95.24.174.234 https 192.168.1.50 https netmask 255.255.255.255
! Permit inbound HTTPS to the translated address, then apply the ACL inbound on outside
access-list outside_in extended permit tcp any host 95.24.174.234 eq https
access-group outside_in in interface outside

As soon as I entered these commands, the ASA began translating this traffic and life was good.

Two Interesting Exchange 2013 Errors

I ran into two issues today with an Exchange 2013 CU3 machine that was migrating mailboxes over from an Exchange 2007 box. The webmail application would work just fine, but the ActiveSync interface bombed out with an HTTP 500 error. I used Microsoft’s Remote Connectivity Analyzer and saw no additional error information – how unusual.

Initially, I removed and re-added the virtual directory without success – this usually fixes it. So I did what I should have done in the first place: I checked the error logs. Knowing there were a number of phones trying to connect through the new server’s ActiveSync interface, I saw dozens of these errors a minute:

EXCH2013-Error-RBAC-Machine

(MSExchange RBAC Event #17: Process w3wp.exe, PID 8044) “RBAC authorization returns Access Denied for user local.<domainname>.com/BB Member Servers/<SERVER NAME>. Reason: No role assignments associated with the specified user were found on Domain Controller DC08.local.<domainname>.com”)

It was clear that some important permission had not been assigned when Exchange was installed – my customer had had issues from the start and, unfortunately, had not simply reinstalled from scratch. After searching a number of forums and checking a number of log files, I stare-and-compared another Exchange 2013 installation and found that the machine account needed to be a member of the Organization Management group in the Microsoft Exchange Security Groups OU. A quick Google search found a few other forums where members had the same issue.

However, no dice! The Remote Connectivity Analyzer was only one step closer to working – I was still getting HTTP 500 Errors, this time thankfully with error messages. The ActiveSync interface worked, up to the FolderSync step, where it failed. Reading through the encoded error message, I saw “Domain Controller dc08.local.domain.com returned Access Denied”. On that DC, I checked the Security log and found the following audit failure:

An operation was performed on an object.

Subject :
 Security ID: <DOMAIN>\EXCHANGE01$
 Account Name: EXCHANGE01$
 Account Domain: <DOMAIN>
 Logon ID: 0x904510a

Object:
 Object Server: DS
 Object Type: user
 Object Name: CN=<Vendor Acct>,OU=IT Staff,OU=BB Users and Computers,DC=local,DC=<DOMAINNAME>,DC=com
 Handle ID: 0x0

Operation:
 Operation Type: Object Access
 Accesses: Create Child

Additional Information:
Parameter 1: CN=ExchangeActiveSyncDevices,CN=<Vendor Acct>,OU=IT Staff,OU=BB Users and Computers,DC=local,DC=<DOMAINNAME>,DC=com
Parameter 2: {6dd8476f-656d-42bf-a758-ff648512deed}

Well, we’re still dealing with permissions issues it seems. I checked the EXCHANGE01 account’s permissions to my vendor account and saw it clearly did not have the Create/Delete msExchActiveSyncDevices Objects permissions necessary. I checked the first thing you check in Active Directory – was the Include inheritable permissions from this object’s parent checkbox checked? Indeed, it was not. Checking it immediately fixed up the necessary permissions and my ActiveSync interface immediately began working.

Because I like to check my work, I found this MS Technet article that explains how this issue affects Exchange 2010 – and obviously, Exchange 2013.

(Don’t forget you might have to wait for or force DC replication for the above changes to hit the DC used by Exchange.)
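Finding every user with that checkbox cleared, rather than one at a time in the GUI, as an added example (not from the original post). It assumes the ActiveDirectory module; the search base is a constructed placeholder modelled on the DN in the audit event above. One caveat the post does not mention: accounts with adminCount=1 are reset by AdminSDHolder (SDProp) on a schedule, so inheritance will be switched back off on those unless the account is removed from its protected group and adminCount cleared.

```powershell
# Added example, not from the original post. Finds user objects whose DACL does not
# include inheritable permissions from the parent, then re-enables inheritance on one.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUser {
    # Constructed placeholder search base, shaped like the DN in the audit event above.
    param([string]$SearchBase = 'OU=IT Staff,OU=BB Users and Computers,DC=local,DC=example,DC=com')
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName,
            # adminCount=1 means SDProp will re-protect the object after you fix it.
            @{ Name = 'AdminSdHolderProtected'; Expression = { $_.adminCount -eq 1 } }
}

function Enable-AdAclInheritance {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl = Get-Acl -Path $path
    # $false = stop protecting the DACL (the "Include inheritable permissions" box);
    # $true  = keep the explicit ACEs already on the object.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# Usage: list first, then fix the objects that are not AdminSDHolder-protected.
Get-InheritanceBlockedUser | Format-Table -AutoSize
# Enable-AdAclInheritance -DistinguishedName 'CN=Vendor Acct,OU=IT Staff,OU=BB Users and Computers,DC=local,DC=example,DC=com'
```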



Incorrect RPC/HTTP URL in Exchange

I recently ran into an issue where the Test-OutlookWebServices cmdlet failed with the following message:

Id      : 1013
Type    : Error
Message : When contacting https://mail.company-name.org/Rpc received the error
          The remote name could not be resolved: 'mail.company-name.org'

Id      : 1017
Type    : Error
Message : [EXPR]-Error when contacting the RPC/HTTP service at https://mail.company-name.org/Rpc. The elapsed time was 109 milliseconds.

After a shameful hour of searching for the answer, I thought: What if I disable and re-enable the Outlook Anywhere service?

[PS] C:\Windows\system32>Disable-OutlookAnywhere -Server EXCHANGESRV

Confirm
Are you sure you want to perform this action?
Disabling Outlook Anywhere "EXCHANGESRV\Rpc (Default Web Site)".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):Y

[PS] C:\Windows\system32>Enable-OutlookAnywhere -Server EXCHANGESRV -SSLOffloading $false -ExternalHostname mail.company.org -ClientAuthenticationMethod Basic

After running an IISRESET I’m able to run my Test-OutlookWebServices cmdlet without error.

Configuring a Sonicwall for AD-Integrated VPN Access

This article builds off of the previously written article on configuring a Sonicwall for Active Directory integration – you’ll need to follow those steps here before proceeding.

Once the Sonicwall is successfully connected to Active Directory, you’ll likely want one (or more) groups that will give VPN users access to the system. Simply create a group in Active Directory and add some users to it:
Sonicwall-AD-VPN-12

Once done, we’ll make the Sonicwall aware of the group by importing it. Log into your Sonicwall and navigate to the Users>Local Groups section. Click the Import from LDAP… button. The Sonicwall will load all groups within the containers you’ve configured it to look for them in and display them. Select the group you just created for your VPN users and click the Save selected button:
Sonicwall-AD-VPN-13

That group will now show up in the Local Groups list within the Sonicwall. Click the Edit… button for that group, and add whatever subnets you wish to allow VPN access to:
Sonicwall-AD-VPN-14

… and that’s it! Once the user starts their VPN client, they’ll authenticate with their normal Active Directory username and password and they’ll be granted access to whatever subnets you’ve specified.

Credentialing a Sonicwall for Active Directory Integration

One of the many benefits of the Sonicwall OS is its ability to integrate with Active Directory (or any LDAP-based Directory Service). This allows you to keep one database of user information instead of two, reduces security holes, tightens policy enforcement, reduces administration … you get the idea.

The first step is to create a user in Active Directory. This account will be used by the Sonicwall to authenticate user information, obtain group membership and interact with anything else it may need. Ensure you note the user’s User Logon name field, which will be in the form user@domain.local – this is used by the Sonicwall to bind to the LDAP service:
Sonicwall-AD-VPN-01

Because this is a service account, you want a nice, strong password – and remember, you want to prevent it from being changed or expiring:
Sonicwall-AD-VPN-02

This user will need access to enumerate group membership for all AD users you intend to allow access to the Sonicwall down the road. I’ve found that these permissions have changed in Server 2012 – older AD permissions allowed any user this right, more modern ones seem more restricted out of the box. I’ve found that the RAS and IAS Servers group suffices for this. If in doubt, pick a user and check out the Effective Permissions for the Sonicwall LDAP user you’ve created by enabling Advanced Features in the Active Directory Users and Computers console, then viewing the Security properties for a given user. Under the Effective Permissions tab, you should see Read group membership as one of the granted rights for the Sonicwall User:
Sonicwall-AD-VPN-03
Sonicwall-AD-VPN-04

You should be done with the user setup at this point. Let’s get to configuring the Sonicwall. Log into the device and navigate to Users>Settings. For Authentication method for login, you’ll want to choose LDAP + Local Users and then click the Configure button:
Sonicwall-AD-VPN-05

Under the Settings tab, you’ll want to enter the DNS name or IP address of your LDAP Server/DC, the LDAP port you wish to use, the Bind DN (in username@domain.local form) and password of the Sonicwall’s AD user. You’ll notice I’ve turned TLS off on this setup – this is for testing. I suggest turning this off to prove everything else out first, because the TLS setup tends to be the most difficult to configure. Once done, click the Apply button before moving on:
Sonicwall-AD-VPN-06

Under the Schema tab, the options are pretty sparse – you get to choose essentially what property your Sonicwall will authenticate the username value to – I use the sAMAccountName value to match what the user enters at their workstations. Once done, click Apply to move forward:
Sonicwall-AD-VPN-07

Under the Directory tab, you’ll have more to fill in – if you want to. You can also let the Sonicwall sniff out the proper values for you. Enter your domain in the Primary Domain field as shown. When you change this, it’ll ask if you want to update the User and Group Trees (the values below the domain) to contain the new Domain – feel free to click Yes to this, but either way those trees are probably not the correct values. I’m a big fan of clicking the Auto-configure button, which will read all user and group containers from AD holding those objects for you – and then you can remove the ones you know will not hold users that are logging in:
Sonicwall-AD-VPN-08
(If you have any authentication or server communication issues, this is where they’ll happen – the Auto-configure button will be the first time the Sonicwall attempts to communicate with the LDAP service.)

Under the LDAP Users tab, you’ll have the option to allow only users who have a matching account in the local database to log in, to allow fuzzy-logic membership of local group names if they have a matching LDAP group membership, and to determine the default group used by the Sonicwall for all authenticated users. Again, once done click the Apply button before proceeding:
Sonicwall-AD-VPN-09

Lastly, we want to test. If you have gotten this far, you should be able to authenticate any user to Active Directory and see what groups they are a member of. Here I’m using the Administrator account, but any user account should suffice:
Sonicwall-AD-VPN-10
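The same test from a workstation, reproducing what the Sonicwall does (bind with the service account in UPN form, look a user up by sAMAccountName, read group membership), as an added example that is not from the original post. Server, base DN and account values are placeholders; the function is a constructed helper, not a Sonicwall tool.

```powershell
# Added example, not from the original post. Proves out the bind DN, password and
# user tree before touching the firewall, using the same LDAP operations it performs.
function Test-SonicwallLdapUser {
    param(
        [Parameter(Mandatory)][string]$Server,          # DNS name or IP of the DC
        [Parameter(Mandatory)][string]$BindUpn,         # service account, user@domain.local form
        [Parameter(Mandatory)][string]$BindPassword,
        [Parameter(Mandatory)][string]$SamAccountName,  # the user being tested
        [string]$BaseDn = 'DC=domain,DC=local',         # placeholder
        [switch]$UseTls                                 # LDAPS on 636, as for production
    )
    $port = if ($UseTls) { 636 } else { 389 }
    # With TLS off this is a simple bind and the service-account password crosses the
    # wire in clear, which is why the non-TLS setup above is a testing step only.
    $authType = if ($UseTls) {
        [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
    } else {
        [System.DirectoryServices.AuthenticationTypes]::None
    }
    $root = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://${Server}:${port}/${BaseDn}", $BindUpn, $BindPassword, $authType)
    # Touching NativeObject forces the bind; a bad password or DN throws here.
    $null = $root.NativeObject

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Same attribute the Schema tab above matches on (sAMAccountName).
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No user '$SamAccountName' found under $BaseDn" }

    # memberOf is what "Read group membership" must allow the service account to see;
    # an empty list for a user you know is in groups points at that permission.
    [pscustomobject]@{
        DistinguishedName = $result.Properties['distinguishedname'][0]
        Groups            = @($result.Properties['memberof'])
    }
}

# Usage (placeholder values): Test-SonicwallLdapUser -Server dc01.domain.local `
#   -BindUpn sonicwall@domain.local -BindPassword (Read-Host 'Bind password') `
#   -SamAccountName jdoe -BaseDn 'DC=domain,DC=local' -UseTls
```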

Finally, I wanted to mention two frequently-asked-about options supported by the Sonicwall – these are available by navigating back to the Users>Settings page:
Sonicwall-AD-VPN-11

The Case-sensitive user names option is pretty obvious – but, often overlooked. If the user has a login name of JDoe, they’ll have to know this in order to authenticate successfully to the Sonicwall. Since the Windows login screen does not enforce this, it’s unlikely your users will know what is capitalized and thus better to keep this off.

The Enforce login uniqueness option prevents the user from logging in from numerous workstations – it will only allow one session at a time, which increases security but may prevent them from logging in from more than one device.