Windows 2012 R2 Single Sign On with RemoteApp Web Access

It took me quite a while to figure out how to get RemoteApp on Web Access working with “Web Single Sign On”.

Here are the steps to get it done:

1. IIS Certificate for HTTPS

If you have an internal CA, create a certificate for IIS and make sure it is trusted on your client computer so that you can connect via HTTPS to:

The certificate can be created or imported in IIS as follows:
1. Run inetmgr
2. Choose your IIS Server
3. Import or create a certificate in Server Certificates

Follow these steps to activate it in IIS:
1. Run inetmgr
2. Go to IIS Server\Sites\Default Web Site\Bindings\https:
3. Edit the https binding and pick the SSL certificate there

If you have an internal CA and its root certificate is already trusted on your client computer, you don’t need to do anything; otherwise add the root certificate to the Trusted Root Certification Authorities store.

Important: You should also have valid certificates for your connection broker and rdp etc.

2. Change “Form Based Authentication” to SSO
1. Run inetmgr and enable only Windows Authentication in RDWeb\Authentication

2. Backup and edit %SYSTEMROOT%\Web\RDWeb\pages\web.config

3. Change the authentication method (comment the Forms block out and set the mode to Windows):
<authentication mode="Windows"/>
<!--
<authentication mode="Forms">
<forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
</authentication>
-->

4. Change the security mode (comment it out so the IIS settings from step 1 apply):
<!--
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
-->

5. Backup and edit %SYSTEMROOT%\Web\RDWeb\Pages\en-us\Default.aspx

6. Change to private mode
public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;

3. IE Security
In my environment it just worked when I didn’t use the FQDN for my server in Internet Explorer. As soon as I used the FQDN it asked me to put in the credentials, and to avoid that I made sure that our internal domain is added to the Intranet Zone in Internet Explorer.

Create a GPO:
Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

* with value 1 (1 = Local Intranet zone)

4. Trusted RDP Connection
Even though you can log in to the web page now without being prompted, you will still get a warning dialog as soon as you click on an icon.

Create a GPO:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

And add the thumbprints of the RDP certificates in “Specify SHA1 thumbprints of certificates representing trusted .rdp publishers”

5. Allow Delegation of Default Credentials for RDP
Finally you get one last dialog which asks you to put in the credentials. If you don’t like that, you can solve it with the following GPO.

Create a GPO:
Computer Configuration\Policies\Administrative Templates\System\Credential Delegation\Allow delegation default credentials

And add: TERMSRV/*
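The following script is an added example and not part of the original post. Part 1 automates section 2 on the RD Web Access server (it assumes the WebAdministration module of IIS 8 and an elevated prompt); part 2 runs on a domain-joined client after gpupdate and checks that the three GPOs from sections 3 to 5 actually landed, reading the registry locations those policies write to (ZoneMapKey, TrustedCertThumbprints and CredentialsDelegation are the policy keys I assume here). The site pattern '*.corp.example' is a placeholder; the SPN pattern is a parameter so you can verify a narrower value than TERMSRV/* if you deploy one.

```powershell
# Added example, not the post's own commands. Part 1: RD Web Access server, elevated.
# Part 2: domain-joined client. Registry paths are the assumed GPO targets.

# ---------- Part 1: server side, section 2 ----------
Import-Module WebAdministration

$rdwebApp = 'Default Web Site/RDWeb'
$pagesDir = Join-Path $env:SystemRoot 'Web\RDWeb\Pages'
$stamp    = Get-Date -Format 'yyyyMMddHHmmss'

# 2.1 Windows authentication only on the RDWeb application (what inetmgr sets)
$authFilter = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $rdwebApp `
    -Filter "$authFilter/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $rdwebApp `
    -Filter "$authFilter/anonymousAuthentication" -Name enabled -Value $false

# 2.2-2.4 back up web.config, switch Forms to Windows, drop the security override
$webConfig = Join-Path $pagesDir 'web.config'
Copy-Item $webConfig "$webConfig.$stamp.bak"
[xml]$cfg = Get-Content $webConfig
$auth = $cfg.configuration.'system.web'.authentication
$auth.SetAttribute('mode', 'Windows')
if ($auth.forms) { [void]$auth.RemoveChild($auth.forms) }
$security = $cfg.configuration.'system.webServer'.security
if ($security -and $security.authentication) {
    [void]$security.RemoveChild($security.authentication)
}
$cfg.Save($webConfig)

# 2.5-2.6 back up Default.aspx and switch it to private mode
$defaultAspx = Join-Path $pagesDir 'en-us\Default.aspx'
Copy-Item $defaultAspx "$defaultAspx.$stamp.bak"
(Get-Content $defaultAspx -Raw) -replace 'bPrivateMode\s*=\s*false', 'bPrivateMode = true' |
    Set-Content $defaultAspx -Encoding UTF8

# ---------- Part 2: client side, sections 3-5 ----------
function Test-RdWebSsoClientPolicy {
    param(
        [Parameter(Mandatory)][string]$IntranetSite,   # site pattern from section 3
        [string]$ExpectedSpn = 'TERMSRV/*'             # section 5 value; narrow it where you can
    )
    $pol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
    $zone = Get-ItemProperty "$pol\CurrentVersion\Internet Settings\ZoneMapKey" -ErrorAction SilentlyContinue
    $ts   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $cd   = Get-ItemProperty "$pol\CredentialsDelegation" -ErrorAction SilentlyContinue
    $spns = Get-ItemProperty "$pol\CredentialsDelegation\AllowDefaultCredentials" -ErrorAction SilentlyContinue
    # the SPN list is stored as numbered values "1", "2", ... under the subkey
    $spnList = @($spns.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value)

    [pscustomobject]@{
        IntranetZone     = ($zone.$IntranetSite -eq '1')        # 1 = Local Intranet zone
        TrustedPublisher = -not [string]::IsNullOrWhiteSpace($ts.TrustedCertThumbprints)
        CredDelegation   = ($cd.AllowDefaultCredentials -eq 1) -and ($spnList -contains $ExpectedSpn)
    }
}

Test-RdWebSsoClientPolicy -IntranetSite '*.corp.example'
```

Every property of the returned object should be True on a client where SSO works end to end; a False pinpoints which of the three dialogs (credential prompt, publisher warning, RDP credential prompt) will still appear.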

admin on February 12th 2015 in IT, Windows Server

How to make a member Domain Controller the primary Domain Controller in an emergency

If you can’t recover the Primary Domain Controller, you have no other choice than to make a member DC the PDC. You can seize the roles with ntdsutil.

Run command prompt with domain admin rights:
1. ntdsutil
2. roles
3. connections
4. connect to server MyMemberDC
5. q
6. Seize domain naming master
7. Seize PDC
8. Seize RID master
9. Seize schema master
10. q q
11. dsa.msc

* We don’t seize Infrastructure Master because it should be on another DC where the Global Catalog isn’t installed.
* You can get help in ntdsutil anytime if you just write help and press enter
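The same seizure done with the Active Directory PowerShell module, as an added example that is not part of the original post. It assumes the AD module is available and uses the post’s placeholder name MyMemberDC; the role-holder listing before and after is what I would run to confirm the result.

```powershell
# Added example, not from the post. Run with domain admin rights where the AD module is installed.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Domain-wide roles come from the domain object, forest-wide roles from the forest object
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

'Before:'; Get-FsmoRoleHolder

# Seize the same four roles the post seizes with ntdsutil. -Force turns the transfer into a
# seizure when the current holder cannot be contacted; Infrastructure Master is left alone
# for the reason given in the post.
Move-ADDirectoryServerOperationMasterRole -Identity 'MyMemberDC' `
    -OperationMasterRole DomainNamingMaster, PDCEmulator, RIDMaster, SchemaMaster `
    -Force -Confirm:$false

'After:'; Get-FsmoRoleHolder
```

Once a role has been seized, the old holder must not be brought back onto the network; remove its remaining objects with ntdsutil metadata cleanup (or by deleting the DC object in dsa.msc) so that replication and the RID pool stay consistent.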

admin on January 17th 2015 in Windows Server

Printer shows as offline even though you can ping it

In the printer’s port settings, uncheck “SNMP Status Enabled”.


admin on July 8th 2014 in IT, Windows, Windows Server

Checking DNS Server in Windows

To check if the DNS server is working properly you can do so:
server [servername_query_from]
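An added example, not from the original post, that does the same check without the interactive session: it asks a chosen DNS server directly (the DnsClient module’s Resolve-DnsName, Windows 8 / Server 2012 or newer) and reports whether it answered. The loop at the end assumes the AD module and queries every domain controller for the domain’s own A record and for the LDAP SRV record clients use to find a DC; server and record names are taken from the environment, nothing is hard-coded.

```powershell
# Added example, not from the post. Needs DnsClient (built in) and the AD module for the loop.
Import-Module ActiveDirectory

function Test-DnsServerAnswer {
    param(
        [Parameter(Mandatory)][string]$Server,        # DNS server to ask directly
        [string]$Name = $env:USERDNSDOMAIN,           # record to resolve; domain root by default
        [string]$Type = 'A'
    )
    try {
        # -DnsOnly bypasses the local cache, LLMNR and NetBIOS, so only that server's answer counts
        $rr = Resolve-DnsName -Name $Name -Server $Server -Type $Type -DnsOnly -ErrorAction Stop
        $answers = $rr | Where-Object Type -eq $Type | ForEach-Object {
            if ($_.IPAddress) { $_.IPAddress } else { $_.NameTarget }   # A/AAAA vs SRV records
        }
        [pscustomobject]@{ Server = $Server; Name = $Name; Ok = $true;  Answers = ($answers -join ', ') }
    } catch {
        [pscustomobject]@{ Server = $Server; Name = $Name; Ok = $false; Answers = $_.Exception.Message }
    }
}

# Ask every DC's DNS service for the domain A record and the DC locator SRV record
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Test-DnsServerAnswer -Server $dc
    Test-DnsServerAnswer -Server $dc -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV
}
```

A DC whose rows show Ok = False, or whose answers differ from the others, is the one whose DNS zone or service needs attention before clients are pointed at it.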

admin on June 27th 2014 in Internet, IT, Windows, Windows Server

Find User’s SID

Run following command:
wmic useraccount get name,sid
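As an added example (not from the post), the same lookup in PowerShell using the .NET account translation, which also covers domain accounts and well-known SIDs and can go in the reverse direction, from SID to name. Account names in the usage lines come from the environment; no real identities are assumed.

```powershell
# Added example, not from the post. Works for local, domain and well-known accounts.
function ConvertTo-AccountSid {
    param([Parameter(Mandatory)][string]$Account)   # 'DOMAIN\user', 'user' or 'BUILTIN\Administrators'
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Could not resolve account '$Account': $($_.Exception.Message)"
        $null
    }
}

function ConvertFrom-AccountSid {
    param([Parameter(Mandatory)][string]$Sid)       # 'S-1-5-21-...' or a well-known SID
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        # typical for deleted accounts or SIDs from an untrusted domain (orphaned ACL entries)
        Write-Warning "SID '$Sid' is not mapped to an account: $($_.Exception.Message)"
        $null
    }
}

ConvertFrom-AccountSid 'S-1-5-32-544'                              # BUILTIN\Administrators
$mySid = ConvertTo-AccountSid "$env:USERDOMAIN\$env:USERNAME"
"$env:USERNAME -> $mySid -> $(ConvertFrom-AccountSid $mySid)"     # round trip
```

For a bulk listing, Get-ADUser -Filter * -Properties SID (domain) or Get-LocalUser (local, Windows 10 / Server 2016 and later) give the same SID values as the wmic command.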

admin on June 6th 2014 in IT, Windows, Windows Server

GPO Network Drive Mapping over DFS isn’t working

I experienced the problem that one network drive was not mapped via GPO. I searched for a long time and found out that the problem was that the GPO didn’t like the backslash at the end.

After that it worked like a charm;-)

admin on April 25th 2014 in IT, Windows, Windows Server

Configure Windows 2012 Server from Command Prompt

Run the following configuration utility:


admin on January 13th 2014 in IT, Windows Server

Sync Computer Time manually with Domain Controller


admin on August 27th 2013 in IT, Windows, Windows Server

How to create a Group Managed Service Account

Useful for Network Load Balancing and Clusters

Same steps as in How-to-create-a-Managed-Service-Account

You need to create a security group and add computers to it.

New-ADServiceAccount -Name GroupMSA -DNSHostName ServerName -PrincipalsAllowedToRetrieveManagedPassword MSAComputers -PassThru

admin on July 15th 2013 in IT, Windows Server

How to create a Managed Service Account

New since Win2k8 R2

Instead of using user accounts for services you can now create Managed Service Accounts. The advantage is that the password is changed automatically every 30 days, as it is for computer accounts. You can find the managed service accounts here:
Active Directory User and Computers\Managed Service Accounts

1. Run the Active Directory Module for PowerShell
2. Add-KdsRootKey
     In a lab environment, to avoid waiting the 10 hours for the key to replicate, type instead:
     Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
3. New-ADServiceAccount -Name WebTest -DNSHostName servername -PassThru

    Without -PassThru you don’t get any feedback.

4. Add-ComputerServiceAccount -Identity web01 -ServiceAccount WebTest -PassThru

You can check the settings in more details if you run adsiedit.msc.
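The following script is an added example, not the commands of this post or of the “Group Managed Service Account” post above; it strings both posts together end to end: KDS root key, the computer group that may retrieve the password, the gMSA itself, and the installation and verification on the member server. It assumes the AD PowerShell module on the admin box and on the member server (RSAT), PowerShell remoting to that server, and uses the posts’ placeholder names GroupMSA, MSAComputers and web01.

```powershell
# Added example, not the posts' own commands. Run with domain admin rights.
Import-Module ActiveDirectory

$gmsaName  = 'GroupMSA'
$groupName = 'MSAComputers'
$hosts     = @('web01')
$dnsHost   = "$gmsaName.$((Get-ADDomain).DNSRoot)"

# 1. KDS root key: once per forest. In a lab, backdate it to skip the 10-hour replication wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Security group whose members are allowed to retrieve the managed password
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members ($hosts | ForEach-Object { Get-ADComputer $_ })

# 3. The gMSA; -PassThru returns the object so you see that it was created
New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName -PassThru

# 4. On each host: install the account locally and verify the password can be fetched.
#    The host only picks up its new group membership after a reboot (or a new Kerberos
#    ticket), so Test-ADServiceAccount returns $false until then.
Invoke-Command -ComputerName $hosts -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $using:gmsaName
    Test-ADServiceAccount -Identity $using:gmsaName   # $true = ready to use in services.msc
}
```

When Test-ADServiceAccount reports $true on the host, the account can be entered as DOMAIN\GroupMSA$ on the Log On tab of a service with the password fields left empty, exactly as described for the single-computer account below.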

Now you can use this account, for example, for a Windows service.

1. Run services.msc

2. Right Click on a Service\Properties\Log On\
    This Account:


3. You don’t need to enter a password

admin on July 15th 2013 in Windows Server

