Today, the moment of glory comes. I am glad to tell you about my success. From now I am Microsoft Certificated Technical Specialist – Windows Vista.
The exam is not the hardest one, but i need to forewarn all who prepare for this not to take take Windows built-in applications and installation procedures topics lightly. These are the hardest parts imo.
Today I’ll write about something completely new. Certification Authority Services, called AD CS (Certification Services) was added to the Windows Core distribution only in the R2 release. Windows Core themself was introduced as an installation option in the Windows 2008 release.
There is a lot of materials covering the Core installation, so I won’t describe it wider. For example, I suggest to read this Nataniel Zieliński’s article. For the moment, it is enough to know, that there is almost no graphical user interface. The system is managed from command promt. There is also very good Getting Started Guide what can help start up with Core installation, but most of new features introduced in R2 relase are still poorly documented.
The CA server installation requires using Add Role Creator on regular Windows 2008 R2, which is unavailable under Core version. So the first step is installation of service’s binaries. It can be done with following command:
1 | start /w ocsetup.exe CertificateServices /norestart /quiet |
Next really usefull step is to check corectness of installation. We can do that typing the following in the command prompt:
1 | oclist find /i "CertificateServices" |
After getting sure, that we have whole service’s package, we need to configure it. It can be done with VBScript program, which performs the automatic installation. It is available under following link. This script can help us avoid our headaches through simple and quick installation of our CA Service. But we still need to provide set of parameters which regulates its work. Full set of possible switches is provided on the script’s web page. Here, we need to pay attention that parameters:
1 | /interactive |
and
1 | /iw |
are not supported under Core installation.
Moreover, before performing CA Service installation process in Core as well as Regular distribution we need to prepare the CApolicy.inf file, what must be placed under %SYSTEMROOT% directory. There is example code of such file:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | [Version] Signature="$Windows NT$ [PolicyStatementExtension] Policies=LegalPolicy [LegalPolicy] OID=1.1.1.1.1.1.1.121 NOTICE=Certificate issued under Test CA Policy URL="http://pki.test.domain.lab/repozitory/cps.html" [certsrv_server] renewalkeylength=2048 RenewalValidityPeriodUnits=5 RenewalValidityPeriod=years CRLPeriod=days CRLPeriodUnits=14 CRLOverlapPeriod=days CRlOverlapUnits=7 CRLDeltaPeriod=hours CRLDeltaPeriodUnits=0 |
After the installation it is worthy to set up CDP (CRL Distribution Point) parameters with following commands:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | certutil -setreg CA\DSConfigDN CN=Configuration,DC=DOMAIN,DC=LAB certutil -setreg CA\CRLPeriodUnits 14 certutil -setreg CA\CRLPeriod "Days" certutil -setreg CA\CRLOverlapPeriod "Days" certutil -setreg CA\CRLOverlapUnits 7 certutil -setreg CA\CRLDeltaPeriodUnits 0 certutil -setreg CA\CRLDeltaPeriod "Hours" certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:http://pki.test.domain.lab/repozitory/%%3%%8%%9.crl\n65:file://\\%%1\CertEnroll/%%3%%8%%9.crl" certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:http://pki.test.domain.lab/repozitory/%%1_%%3%%4.crt\n1:file://\\%%1\CertEnroll/%%1_%%3%%4.crt" certutil -setreg CA\AuditFilter 127 certutil -setreg CA\ValidityPeriodUnits 2 certutil -setreg CA\ValidityPeriod "Years" net stop certsvc & net start certsvc certutil -crl |
Creation of such, or simillar script will help us ommit of “clicking off” Certificate’s parameters under remotely connected Management Console. At the end I would add, that the first article what helped me with start working with CA Services on Windows Core was this Eyalestrin’s article.
Nmap is one of the most intesively used by linux admins tools. It is widely known one can check out TCP port’s state on given hosts. As far as now, I was unable to find correctly working replacement for windows. Of course, there are many of migration’s attempts based on CygWin or SFU/SUA, but they require wider permissions in contrast to those that users usually have on their machines.
That is why I want to introduce you to real Microsoft replacement of this tool: PORTQRY. This tool is as usable as nmap and I can recomend it for use in every Windows Enviroments. It has one more important advantage in comparition to nmap. It can follow dynamic RPC ports used by DCOM. RPC and DCOM are heavily used by most of Windows enviroment services such as Active Directory, Certificates Service or Exchange. These are only examples of usage this technology.
Finally I wish everyone as little as possible time with network time down in yours enviroments.
The error, which this post is about, can have a variety of causes. I will focus on this, which I have encountered again only because i haven’t written about it before.
The error message usually suggests improper processing of the VC Agent RPM; however, it can also signify problems running the new vpx process. vCenter reports installation success only when it receives first heartbeat from the service. It is quite possible that the service fails to start, although
1 | service vmware-vpxa restart |
is executed correctly. Similarly, causes suggested by
1 | /var/log/messages |
can be wrong.
This time, the problem was incorrect certificate file format. Unfortunately, VMware doesn’t recognize standard and widely used PEM format, which is provided by most Certification Authorities. Instead, it uses its own version of PEM format. It is the so-called, text PEM representation. To create such, you need to issue the following command:
1 | openssl x509 -text -in /etc/vmware/ssl/rui.crt -out /etc/vmware/ssl/rui.crt |
A chance for diagnosing this mistake is interpreting of a little known log file
1 | /var/log/vmware/vpxa.log |
. After experiencing this situation, the vpx agent logs there a message about impossibility of certificate file interpretation.
I think that in this log file can be helpful in other problems with vpx agent, too.
Popular copy commad do (for the first look) the same with one difference. It can’t handle copying recursive directories. For resolving this issue, microsoft has released newer version of this tool called Xcopy (eXtended Copy). The new one is present in Windows up to today and helps me in situation, which looks as hopeless (for example when the GUI copy methods fail). It has one serious issue. It raises error cited in post title. It is reported when copied file has absolute path (including the drive letter) longer than 254 characters. Because novadays file systems handles longer path, this factitiously small issue comes to really hard problem.
Solution is, of course, find an alternative tool what will have similar syntax. First shot was xxcopy what behaves similars, not exactly the same way. This one has failings too. Most important of them is fact that it requires license for some important features. Closer info can be obtained from program home site.
Tool what I suggest to all (happy 😉 ) Windows 7 Users and (not) happy users of Windows Vista is Robocopy. It is available for users of those systems as buildin one. Others can obtain it as part of resource kit. This tool, what name is derivied from “Robust File Copy”, is really powerfull during manipulation with huge number of files. Good description of it can be found in Wikipedia.
Sorry, this entry is only available in Polish.
Sorry, this entry is only available in Polish.
Dzisiaj poszukując łatwego sposobu na dokumentację swojego projektu znalazłem taki oto plugIn do Visual Studio. Plugin po instalacji i odrobinie konfiguracji potrafi z powietrza wygenerować zupełnie sensowny zalążek komentarza dokumentującego:
Było:
1 2 3 4 5 6 7 8 9 10 | class archive { public: void log(response resp ) ; void store( response resp ) ; int getNextSerialNumber() ; void init() ; private: int actualSerial ; } ; |
Po ustawieniu karetki przed każdą deklaracją funkcji oraz na początku klasy i wywołaniu skrótu CTRL+SHIFT+D otrzymałem:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | /** * <summary> * The <c>archive</c> Class is responsible for logging the service user activity and storing * issued tokens for future verification. * </summary> * * <remarks> Root, 2009-08-30. </remarks> **/ class archive { public: /** * <summary> Logs. </summary> * * <remarks> Root, 2009-08-30. </remarks> * * <param name="resp"> The resp. </param> **/ void log(response resp ) ; /** * <summary> Stores. </summary> * * <remarks> Root, 2009-08-30. </remarks> * * <param name="resp"> The response to store. </param> **/ void store( response resp ) ; /** * <summary> Gets the next serial number. </summary> * * <remarks> Root, 2009-08-30. </remarks> * * <returns> The next serial number. </returns> **/ int getNextSerialNumber() ; /** * <summary> Initialises this object. </summary> * * <remarks> Root, 2009-08-30. </remarks> **/ void init() ; private: int actualSerial ; } ; |
Tak, dokładnie – to narzędzie potrafi wywnioskować (SIC!!) do czego służą poszczególne funkcje.
Z pewnością to ułatwi i uprzyjemni żmudne godziny tworzenia dokumentacji.
Strona administracyjna serwera wirtualizacji pod IE 8 zachowuje się bardzo dziwnie. Większość feature’ów działa, jednak miejscami nie można kliknąć na rozwijanych listach wyboru, którą to akcję przeglądarka kwituje błędami na stronie w działaniu VSWebApp.exe.
Rozwiązaniem tego problemu jest zadziwiający fakt przejścia w tryb kompatybilności z IE7. Microsoft chwali się, że nowa przeglądarka potrafi to zrobić sama w przypadku wykrycia problemów z wyświetlaniem. W odniesieniu do niektórych stron jest to faktycznie prawda, jednak niestety w tej sytuacji wygląda to niefajnie. Ciekawym jest to, iż nowy browser jest wybitnie uczulony na aplikacje wypuszczone przez sam M$.
Od kuchni, czyli od strony samego serwera hostującego MS Virtual Server 2k5 objawy są jeszcze ostrzejsze – IIS odpowiada błędem wewnętrznym 500; w logu pojawiają się od czasu do czasu błędy odnoszące się do serwera DCOM o clsid nie znajdującym się w przystawce Component administration.
Podsumowując, chcąc swobodnie pracować pod IE8 ze stroną administracyjną VS należy włączyć tryb wstecznej kompatybilności. Rozwiązanie to jest sugerowane na stronie Microsoft Connect
Wraz z wprowadzeniem technologii HyperV Microsoft utworzył zupełnie nowy model wirtualizacji sprzętu serwerowego. Windows Server 2008 z HyperV na pokładzie działa jak typowy Hypervisor, z tą różnicą, iż architektura zakłada przeniesienie warstwy sterowników sprzętu obsługiwanego przez systemy z poziomu zarządcy do samego guesta.
Manewr ten został w książce “Introducing WINDOWS SERVER 2008” nazwany przez Mitch’a Tulloch’a jako “Enlightenment”. Określenie to jest wykorzystane dla odróżnienia systemów wspierających nową architekturę od starszych, nieświadomych faktu, że żyją w środowisku wirtualnym. Takie systemy są nazywane “legacy OS”, hypervisor obsługuje je poprzez tradycyjną emulację sprzętu.
O właśnie, ta świadomość bycia zakładnikiem W2k8 (wooooow, już im zazdroszczę ;P) została nazwa przez Microsoft oświeceniem. Kilka stron dalej Autor wspomnianej książki wyjaśnia zmianę frontu w walkach z otwartym oprogramowaniem i wprowadza czytelnika w nową erę, gdzie dobroć i łaska Projektantów z Redmont spływa pod postacią oświecenia także na unixowe systemy operacyjne. I tak powstaje “Enlightened Linux Guest”. W oparciu o tę koncepcję dokonałem ogólnego projektu pewnej wizji, której konkretny kształt nadał TeMPOraL w takiej oto tapecie:
Należy tutaj przyznać projektantom HyperV ogromnego “plusa” za tę architekturę, jednak sam termin oświeconego pingwina pod wpływem windows tak bardzo wydaje się być abstrakcyjny, że aż śmieszny.
Więcej na temat poprawy stosunków dyplomatycznych Bill’a Gates’a z Rodem Pingwinim wkrótce.