Assigning a Static IP Address in Ubuntu Server 16.04

I always forget all the parameters.  File found at /etc/network/interfaces.

 

Hide Settings Pages in Windows 10 with GPO

The new Settings app in Windows 10 provides a nice clean UI for all of the Windows settings, but until the Creators Update (1703) it could not be managed via GPO.  Now we have the tools to control this, but you must first start by adding the Windows 10 (1703) Administrative Templates to your Group Policy PolicyDefinitions folder or Central Store.  Once you have done that you will be able to find the “Settings Page Visibility” GPO under “Computer Configuration\Administrative Templates\Control Panel”.

When enabling this GPO you have two ways of accomplishing your task: you can choose to show only certain pages, or choose to hide specified pages.  The syntax for each is as follows:

The page names are pretty intuitively named (ex. the about page name is “about”), but you can find a pretty good listing from this Microsoft Blog post.
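As an added example (my code, not from the post or from Microsoft), here is the same policy written locally with PowerShell, which is handy for trying a page list on one machine before you put it in the GPO.  The policy lands as the SettingsPageVisibility string under the Policies\Explorer key, in the same showonly:/hide: format the GPO writes; the page names in the usage lines are just illustrations.

```powershell
# Added example (not from the original post): write the "Settings Page Visibility" policy
# value locally for testing. A GPO that sets the policy overwrites this at the next refresh.
function Set-SettingsPageVisibility {
    param(
        [Parameter(Mandatory)][ValidateSet('showonly', 'hide')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Pages   # ms-settings page names, e.g. 'about', 'privacy'
    )
    # Page names are the ms-settings: URI names (letters, digits, hyphens); reject anything else
    foreach ($p in $Pages) {
        if ($p -notmatch '^[a-z0-9-]+$') { throw "Not a valid settings page name: '$p'" }
    }
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = '{0}:{1}' -f $Mode, ($Pages -join ';')
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'SettingsPageVisibility' -Value $value -PropertyType String -Force | Out-Null
    return $value
}

# Read the policy back and split it into its mode and page list
function Get-SettingsPageVisibility {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $raw = (Get-ItemProperty -Path $key -Name 'SettingsPageVisibility' -ErrorAction SilentlyContinue).SettingsPageVisibility
    if (-not $raw) { return $null }
    $mode, $list = $raw -split ':', 2
    [pscustomobject]@{ Mode = $mode; Pages = ($list -split ';') }
}

# Usage (run elevated): hide the About and Privacy pages on a kiosk, then read the policy back
Set-SettingsPageVisibility -Mode hide -Pages about, privacy
Get-SettingsPageVisibility
```

Keep in mind that hiding a page is a user-experience control, not a security boundary: the underlying settings can still be changed through the registry, PowerShell or Control Panel unless those are locked down separately.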

Step-By-Step Installation of Active Directory Federation Services (ADFS) using Azure AD Connect

ADFS setup can be nothing but a headache when you are new to it.  You know it.  I know it.  We all know it.  So this is my step-by-step guide for setting up a basic ADFS configuration.  Now, this is going to detail a successful installation without any errors (which does happen once in a blue moon).  To see resolutions to the errors that I have encountered in the past, please reference this post.  I will try to keep adding things as I come across them, but no guarantees.

As with anything that needs to be configured, getting your prerequisites right is key to your success; a prerequisite that was not set up properly will usually turn out to be your greatest frustration.  For reference see the Microsoft Official Post, but I will also be going through them now.  For port requirements, see this post.

Prerequisites:

1.  Download Azure AD Connect and copy it to the internal server on which you will install the ADFS role; it will be installed later.

2.  Enable TLS 1.2 (Server 2008 R2 and later) and configure .NET to use it by adding the following registry values and restarting the machine (I do this on both the ADFS and the WAP box).

3.  Create a Forward Lookup Zone for the domain you are federating in your local DNS.  Add an A record (Host) for adfs pointing at your ADFS server.  This will have internal requests resolve directly to the ADFS server.  In your internal domain's forward lookup zone, create an A record for your web application proxy (WAP).

4.  Modify the hosts file on your web application proxy (WAP) so that adfs.domain.com resolves to your internal ADFS server.  Public DNS should resolve adfs.domain.com to the WAP's public IP.

5.  Run the following command on both the ADFS and WAP box to enable Windows Remote Management (WinRM):

6.  On the ADFS box, add the WAP box to your WinRM Trusted Hosts list with the following:

7.  Confirm WinRM is functional by running the following from the ADFS box:

8.  Obtain a valid SSL certificate for the ADFS subdomain of your federated domain (ex. adfs.domain.com).  See this post about creating a custom CSR with an exportable private key from your web application proxy (WAP).  Make sure you use the Legacy key template: that produces a CryptoAPI (CSP) key rather than a CNG key, and AD FS does not support CNG keys.  Export the issued certificate to a PFX with its private key and copy it to your ADFS server.

9.  Add the domain name you plan to federate to your domain's UPN Suffixes via Active Directory Domains and Trusts.

10.  Download Microsoft Exchange Server (the current version is 2016, found here).  Copy it to the Domain Controller that holds the Schema Master role, open a command prompt window in that directory and run the following command.  The point of this step is to extend the Active Directory schema with the Exchange attributes that Azure AD Connect syncs; Exchange itself is not installed:

11.  Create a Group on the domain you plan to federate to specify which user accounts will be synced.  This is optional as you can choose to sync all user accounts if you wish.

12.  Create a service account on the domain that you plan to federate and add it to the Domain Admins and Enterprise Admins groups.  You can split this into two accounts if you wish.  Those rights are only needed while the wizard configures the forest and the AD FS farm; neither the sync service nor the AD FS service needs Domain Admins or Enterprise Admins membership to run, so remove the account from both groups once the installation is finished (or use a separate, least-privilege account for day-to-day operation).

13.  Pro-Tip: Check the time and date on your servers.  Certificate and token validation are time-sensitive, and a clock that is off produces errors that look like anything but a clock problem.
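As an added example, not the post's own commands, here are prerequisite steps 2, 5, 6, 7 and 13 as one elevated PowerShell session.  The registry values are the TLS 1.2 settings Microsoft documents for Azure AD Connect and .NET; the WAP name is an assumption, so replace it with your own.

```powershell
# Added example (not from the original post): ADFS/WAP prerequisites as a script. Run elevated.
$WapFqdn = 'wap.domain.com'   # assumed name; replace with your WAP's FQDN

# --- Step 2: enable TLS 1.2 and make .NET use it (run on both the AD FS and the WAP box) ---
function Set-RegDword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}
# Turn the TLS 1.2 SChannel protocol on for both the client and the server role
foreach ($role in 'Client', 'Server') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$role"
    Set-RegDword $p 'Enabled' 1
    Set-RegDword $p 'DisabledByDefault' 0
}
# Tell .NET Framework 4.x (64-bit and 32-bit) to follow the OS protocol defaults and use strong crypto
foreach ($p in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    Set-RegDword $p 'SystemDefaultTlsVersions' 1
    Set-RegDword $p 'SchUseStrongCrypto' 1
}
# Reboot afterwards; SChannel only picks these up at start-up.

# --- Step 5: enable WinRM (on both boxes). On a non-domain WAP whose NIC sits on the Public
# profile, add -SkipNetworkProfileCheck or the firewall rule will not be created. ---
Enable-PSRemoting -Force

# --- Step 6: on the AD FS box, trust the WAP for WinRM. -Concatenate appends to the existing
# list instead of replacing it. Name the exact host: a '*' entry switches off the mutual
# authentication check for every remote host, not just the WAP. ---
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $WapFqdn -Concatenate -Force

# --- Step 7: confirm the WAP answers WinRM ---
Test-WSMan -ComputerName $WapFqdn

# --- Step 13: clock check. Compare this box's time with the WAP's over the WinRM session ---
$cred   = Get-Credential -Message "Local administrator on $WapFqdn"
$remote = Invoke-Command -ComputerName $WapFqdn -Credential $cred -ScriptBlock { Get-Date }
$skew   = [math]::Abs(((Get-Date) - $remote).TotalSeconds)
"Clock skew to ${WapFqdn}: {0:N0} seconds" -f $skew
```

If the skew comes back as more than a few seconds, fix time synchronization on both servers before running the wizard; everything after this point assumes the clocks agree.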

Installation:

1.  Run the Azure AD Connect .msi to install it and agree to the license terms when prompted and select next.

2.  Select Customize

3.  Select the “Use existing service account” option and input the service account credentials you set up during prerequisites and select Install.

4.  After a little while you will be brought to a User sign-in window.  Select the “Federation with AD FS” option and select Next.

5.  Insert Global Administrator credentials for your Azure AD/Office 365 and select Next.

6.  Add the local domain you wish to federate and select Next.

7.  Confirm that the domain you wish to federate is verified, that userPrincipalName is selected, and select Next.  If the domain you wish to federate is not present or says Not Added, you need to verify it in your Azure AD/Office 365 tenant.

8.  Confirm the options are selected as below and select Next.

9.  Select the “Synchronize selected” option, add the DN of your local AD group, confirm it resolves, and select Next.

10.  Leave everything unchecked and select Next.

11.  Upload your Certificate .pfx, confirm the appropriate Subject Names appear, and select Next.

12.  Input the FQDN of your ADFS server, select Add, and select Next.

13.  Add the FQDN of your WAP, select Add, and select Next.

14.  Input your service account credentials and select Next.

15.  If prompted, input your service account credentials again and select Next.

16.  Select the appropriate Azure AD domain to federate with and select Next (typically there is only one available).

17.  Select the “Start the synchronization process when configuration completes.” option and select Install.

Phew.  At this point go grab a cup of coffee, and maybe start praying a little bit.  Assuming everything was configured correctly, you will get a success message and be prompted to verify your DNS configuration.  Once that all checks out you’re off to the races!
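When the wizard asks you to verify DNS, this is what I would check from a management box, as an added example rather than anything from the post or from Microsoft.  It confirms the split DNS from prerequisite steps 3 and 4, that port 443 is reachable, and that the farm serves its federation metadata.  The host name, the WAP's public IP and the outside resolver are assumptions; substitute your own.

```powershell
# Added example (not from the original post): post-install checks for the new AD FS farm.
$FederationHost = 'adfs.domain.com'   # assumed federation service name
$WapPublicIp    = '203.0.113.10'      # assumed WAP public IP (documentation address)
$PublicResolver = '8.8.8.8'           # any resolver outside your network

# Inside, the name must resolve to the AD FS server; outside, to the WAP.
$internal = (Resolve-DnsName $FederationHost -Type A -ErrorAction Stop).IPAddress
$external = (Resolve-DnsName $FederationHost -Type A -Server $PublicResolver -ErrorAction Stop).IPAddress
"Internal answer: $internal"
"External answer: $external"
if ($external -notcontains $WapPublicIp) { Write-Warning 'Public DNS does not point at the WAP' }

# Port 443 must be open towards whichever box the name resolves to from here.
# Run this on the WAP as well: the hosts-file entry from step 4 should send it straight to AD FS.
Test-NetConnection -ComputerName $FederationHost -Port 443

# Fetch the federation metadata. A 200 with the expected entityID means the service is up and
# the certificate chain presented on 443 is trusted by this machine.
$uri  = "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $uri -UseBasicParsing
[xml]$md = $resp.Content
'HTTP {0}; entityID = {1}' -f $resp.StatusCode, $md.EntityDescriptor.entityID

# On the AD FS server itself: farm name and the certificate actually bound to the service
Get-AdfsProperties | Select-Object HostName, Identifier
Get-AdfsCertificate -CertificateType Service-Communications | Select-Object Subject, Thumbprint, NotAfter
```

The metadata fetch is the useful one: if it fails with a certificate error, the PFX you uploaded in step 11 or the DNS answer you just printed is wrong, and fixing that before users hit the sign-in page saves a lot of confused tickets.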

 

 

Create Custom CSR with Exportable Private Key

This is just one of those things that always seems to slip my mind so I am going to throw it on here.

 

Start by opening MMC and adding the Certificates snap-in for the local computer.

Select the Personal store, right click in the open area, hover All Tasks, hover Advanced Operations, and select Create Custom Request…

Select Next on the Before You Begin page.  On the Select Certificate Enrollment Policy window, select Custom Request: Proceed without enrollment policy and select Next.

Confirm the Template option on the Custom request window is set to (No template) Legacy key (not CNG key, which AD FS does not support) with PKCS #10 format, and select Next.

Select Details on the Certificate Information window and then select properties.

Type in a Friendly name and, if you wish, a Description and select the Subject tab.

In the Subject name section select Common name, fill in the value appropriately, and select Add.  You can also add others such as Locality, State, Country, etc. if you wish and select the Private Key tab.

Under Cryptographic Service Provider select at least 2048 for the Key size and select the Make private key exportable option.

Select Apply/OK and select Next.  Browse or type in where you would like to store the CSR and select Finish.

Send that CSR off to the CA you're working with, or sign it with an internal CA, and you're off to the races.

Enable “Single-Click” with GPO

If you have ever worked with touchscreen computers, you will certainly understand how much of a pain it is to try and double-click a desktop icon without dragging it.  As I have many kiosks in my environment currently, I hunted down how to enable the single-click option by pushing a couple registry updates with GPO (see comment by Sergio Calderón here).  The registry updates are as follows:

The second is optional; it just underlines the icon when it is selected.  Little quality-of-life feature.

Server 2016 WSUS Clients: Windows Update Client failed to detect with error 0x8024401c.

So I just got done deploying WSUS on Server 2016 and everything seemed to be going fine.  Got my client-side targeting rocking and rolling, got the automatic update check interval shortened up (I prefer 12 hours to the 22 hour default), and all the other nonsense.  A few machines report in no problem so I decide to add in all the servers for one of my customers.  And so down the rabbit hole I went.

Only two of the ten machines I added would actually report in.  The eight that did not would show up in the MMC console, in the appropriate Computer Group, but would not report their status.  I went to one such client and was faced with this error: Windows Update Client failed to detect with error 0x8024401c.  I checked the log at C:\Windows\SoftwareDistribution\ReportingEvents.log and found essentially the same thing (see below).

I did some digging around and followed all the troubleshooting steps from Microsoft’s Support Page to no avail.  At long last I stumbled upon this serverfault article.  Granted the client machines I was working with were Server 2016 and the article pertains to Windows 10, but in the end the kernel isn’t all that different so I figured it applied.  As the answer recommended I made the following changes to the IIS App Pool on the WSUS box:

I wasn’t out of the woods yet, it was still only working intermittently; I went from two reporting in successfully to four.  So I started digging around the boxes that were not working and noticed that BITS was set to manual.  I’ve found this is normal on Server 2016 (strangely), but I said “Hey, let’s try getting that running and try reporting in.”  Sure enough that did the trick.  Checked for updates successfully and reported in seconds after running wuauclt /reportnow.

It’s been a couple days since and I’ve added a few hundred client machines with no issues.  Updates are running smooth (knock on wood).
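As an added example (mine, not the post's own steps), here is the same troubleshooting as commands: pulling the timeout errors out of the client log, raising the WsusPool limits on the server, and getting BITS running before forcing a report.  WsusPool is the default application pool name; the queue length and memory limit values are the ones generally recommended for 0x8024401c (WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT), so tune them to your server.

```powershell
# Added example (not from the original post): client and server side of the 0x8024401c fix.

# --- On the client: pull the timeout errors out of the reporting log ---
function Get-WuReportErrors {
    param([string]$LogPath = "$env:SystemRoot\SoftwareDistribution\ReportingEvents.log")
    Select-String -Path $LogPath -Pattern '0x8024401c' -SimpleMatch |
        Select-Object -Last 5 -ExpandProperty Line
}
Get-WuReportErrors

# --- On the WSUS server: raise the IIS app pool limits the clients run into ---
Import-Module WebAdministration
$pool = 'IIS:\AppPools\WsusPool'
Set-ItemProperty -Path $pool -Name queueLength -Value 2000                           # default is 1000
Set-ItemProperty -Path $pool -Name recycling.periodicRestart.privateMemory -Value 0  # 0 = no limit (default 1843200 KB)
Restart-WebAppPool -Name WsusPool

# --- On the client: BITS is Manual on Server 2016; make sure it is running, then force a report ---
Set-Service -Name BITS -StartupType Automatic
Start-Service -Name BITS
wuauclt /reportnow
Get-Service -Name BITS, wuauserv | Select-Object Name, Status, StartType
```

Removing the private memory limit means the pool can grow until the box runs out of RAM, so watch the WSUS server's memory after the change; if it climbs without end, set a high finite limit instead of 0.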

Connect to Specific Wireless SSID Pre-Logon

Just one of those good to know things I learned back when I was on the Help Desk.  Push this little regedit with GPO, or add it by hand (gross), and the computer will connect to the specified wireless network prior to logon.

Add a new string value here and call it whatever you want (ex. ConnectPre-Logon).  Add the following as its value:

 

Disabling User Account Control on Server 2012R2/2016

User account control can be a pesky Windows feature, especially on File Servers.  To disable it, open up regedit and navigate to the following:

Once there, you will see the DWORD named EnableLUA.  Set its value to 0 and restart the machine.  All done!  Be aware of what you are giving up, though: with EnableLUA set to 0, every process an administrator starts runs with the full administrative token and no prompt, so anything malicious that admin happens to run gets full rights as well.  Do it only on servers where you accept that trade-off, not as a default.

Installing Office 2016 on RDS Server with Shared Computer Licensing

When installing Office on an RDS Server accessed by multiple users, you need to configure the installation for shared computer licensing.  To do this, you begin by downloading the Office Deployment Tool.  Once you have that downloaded, run the executable.  This will provide you with two files: configuration.xml and setup.exe.  Edit the configuration.xml file and you should see something similar to what is below:

This is missing a few key configuration options, such as the “SharedComputerLicensing” which is the primary reason for this post.  Also, I’m personally not all that interested in adding Visio to most of my RDS environments, but I am interested in deploying the 64-bit version of Office.  See this Office Support page to see all of the configuration options.  It should look more like what is below:

Once you have that done, save the configuration.xml file.  Shift + right-click somewhere in the file explorer window and select the “Open command window here” option to make your life a little easier.  Then run the following two commands:

The second command will take a while as it is actually installing.  Once it is done, you are done!
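As an added example, not the post's own files, here is the whole procedure as one PowerShell script: it writes a configuration.xml for a shared RDS host with the SharedComputerLicensing property set, runs the two Office Deployment Tool commands with exit-code checks, and confirms the setting took.  The product and language IDs are assumptions for a typical en-us Office 365 ProPlus deployment; change them to match your licensing.

```powershell
# Added example (not from the original post): Office 2016 C2R install for an RDS host.
# Run from the folder the Office Deployment Tool extracted to (setup.exe alongside this script).
$OdtRoot = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$config  = Join-Path $OdtRoot 'configuration.xml'

@'
<Configuration>
  <!-- 64-bit Office; Visio deliberately left out for the RDS hosts -->
  <Add OfficeClientEdition="64">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <!-- Required on RDS/multi-user hosts: activation is per user instead of per device -->
  <Property Name="SharedComputerLicensing" Value="1" />
  <!-- Silent install; no EULA prompt on the server console -->
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
'@ | Set-Content -Path $config -Encoding UTF8

# Run setup.exe in the given mode and stop if it fails; a silent install hides its own errors.
function Invoke-Odt($Mode) {
    $p = Start-Process -FilePath (Join-Path $OdtRoot 'setup.exe') `
                       -ArgumentList "/$Mode", "`"$config`"" -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "setup.exe /$Mode failed with exit code $($p.ExitCode)" }
}
Invoke-Odt download    # pulls the Click-to-Run bits into the Office subfolder (quick)
Invoke-Odt configure   # performs the install (slow)

# Verify shared computer activation is set on the installed product
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' |
    Select-Object SharedComputerLicensing, Platform, VersionToReport
```

If SharedComputerLicensing does not read back as 1, the install was done from a configuration.xml without the property; re-running setup.exe /configure with the corrected file fixes it without a full reinstall.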

vSphere HA Agent Has an Error: vSphere HA Agent Cannot Be Installed or Configured

Had a weird issue the other day with one of my ESXi hosts in my cluster.  I was actually spinning up a new VM, and after I finished installing VMware Tools and all the usual nonsense I saw this error on the VM in VMware:

Virtual machine failed to become vSphere HA Protected and HA may not attempt to restart it after a failure.

I checked the ESXi host that was running the VM and saw the following error:

vSphere HA agent for host <Hostname> has an error in <Cluster Name> in <Datacenter Name>: vSphere HA agent cannot be installed or configured.

I did some searching on the internet and found some people suggesting to restart the management agents on the host and select the “Reconfigure for vSphere HA” option in the right-click menu.  I tried both of those to no success.  I then vMotioned all the VMs off of the host and restarted it.  Still no dice.  I vMotioned everything back, ripped our HA config off of the cluster, and reconfigured it with a few quality-of-life changes.  That did the trick!  Probably just a fluke, but it was a weird one to say the least.