Saturday, March 25, 2006

Scripting Certificate Requests with a Subject Alternative Name...

Man I can't believe how difficult it was to track this down... it seems everywhere on the web has 99% of the info, but gives examples for uses like DC auth and SmartCard enrollment... I finally figured it out with a bit of trial and error though, so here's how you would issue a certificate for plain old server authentication (i.e. SSL) with a subject alternative name.

First, create a certreq.inf file with the following contents:
[NewRequest]
Subject = "CN=hostname"
KeySpec = 1
KeyLength = 1024
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

Next, create your request file by running certreq on the target machine as follows:

certreq -new c:\certreq.inf c:\servercert.req

This requires certreq from the 2003 admin tools (I think... maybe it's the reskit or support tools... can't remember) and the certreq.inf file in the root of C.

Jump onto your issuing CA (it is Windows Server 2003, isn't it?) and run the following (the first command should all be on one line):

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop "certificate services"
net start "certificate services"

Now take that servercert.req file and transfer it to your issuing CA. On the issuing CA, run (again, all on one line):

certreq -q -attrib "SAN:DNS=whatever.alternate.name.you.want" -submit c:\servercert.req

And that's it. Man I lost some sleep over that... glad it's sorted!
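Two small helpers for the flow above, added here as an example (not code from the original post): one builds the -attrib value for certreq from a list of DNS names, refusing anything that is not a plain hostname so a stray '&' or '=' can't be read as extra attribute syntax, and one parses the output of certutil -getreg policy\EditFlags to report whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set on the CA, since while it is set the SAN given in request attributes is honoured for every template the CA issues. The sample certutil lines are constructed, not captured from a real CA.

```python
"""Added example, not from the post: build the -attrib value for certreq and
check a CA's EditFlags for EDITF_ATTRIBUTESUBJECTALTNAME2."""
import re

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 in the policy module's EditFlags.
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# One RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name):
    """True for a plain dotted hostname; rejects '&', '=' and other characters
    that certreq would otherwise treat as attribute syntax."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(_LABEL.match(l) for l in name.split("."))

def build_san_attrib(dns_names):
    """Return the string for `certreq -attrib`, e.g.
    'SAN:DNS=a.example.com&DNS=b.example.com' (entries are joined with '&')."""
    if not dns_names:
        raise ValueError("at least one DNS name is required")
    bad = [n for n in dns_names if not is_valid_hostname(n)]
    if bad:
        raise ValueError(f"not valid DNS hostnames: {bad}")
    return "SAN:" + "&".join(f"DNS={n}" for n in dns_names)

def san_flag_enabled(certutil_output):
    """Parse `certutil -getreg policy\\EditFlags` output and report whether
    EDITF_ATTRIBUTESUBJECTALTNAME2 is set. While it is set, the SAN given in
    request attributes is honoured for every template this CA issues, so the
    value is worth re-checking once the request above has been issued."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)", certutil_output)
    if not m:
        raise ValueError("no EditFlags value in certutil output")
    return bool(int(m.group(1), 16) & EDITF_ATTRIBUTESUBJECTALTNAME2)

# Constructed samples in the shape certutil prints (numbers are made up).
SAMPLE_FLAG_OFF = "  EditFlags REG_DWORD = 11014e (1114446)\n"
SAMPLE_FLAG_ON = ("  EditFlags REG_DWORD = 15014e (1376590)\n"
                  "    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)\n")

if __name__ == "__main__":
    print(build_san_attrib(["web01.corp.example", "www.example.com"]))
    print("SAN attribute flag on:", san_flag_enabled(SAMPLE_FLAG_ON))
```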

Wednesday, March 22, 2006

SQL Server 2005 Express setup...

So anyway I decided it's about time I start installing SQL Server 2005 Express wherever I can, instead of MSDE. There are a lot of changes in the installer from MSDE. Aside from the thousands of parameters, there are some other fundamental changes like INSTANCENAME being a required parameter and 3 user accounts are required to install the core SQL_Engine component.

So here is how to automate that:

1. First create an ini file, let's call it 'sqlsetup.ini'
2. Copy the following into sqlsetup.ini
[Options]
INSTALLSQLDIR=E:\SQLEXPRESS
ADDLOCAL=SQL_Engine,SQL_Data_Files,SQL_Replication,Client_Components,Connectivity
INSTANCENAME=MSSQLSERVER
SQLBROWSERACCOUNT="NT AUTHORITY\NETWORK SERVICE"
SQLACCOUNT="NT AUTHORITY\SYSTEM"
AGTACCOUNT="NT AUTHORITY\LOCAL SERVICE"
SQLAUTOSTART=1
SAPWD=P@ssw0rd
DISABLENETWORKPROTOCOLS=2

3. That's it - you should now be able to run a silent unattended setup with:

start /wait setup.exe /qb /settings D:\sqlsetup.ini

Monday, March 20, 2006

Altiris Deployment Server Setup Error

Funnily enough, the Altiris Deployment Server 6.5 setup is able to determine that SQL is installed on a machine, and determine the instance name, but can't determine if the correct network connectivity is present for it to actually work.

So when going through the install you think all is well, until you get a "Setup was unable to run "DBinstaller.exe" to create the "express" database" and get told the installer will quit.

Rather cryptic... and it's because no network protocols are enabled by default in MSDE 2000 + SP4 installs (i.e. DISABLENETWORKPROTOCOLS=1 by default now). The way to fix the error is to go into %programfiles%\Microsoft SQL Server\80\Tools\Binn and run srvnetcn.exe. You'll see all network protocols disabled by default - just enable TCP/IP, restart the SQL Server service and then re-run the DS 6.5 install, and all actually will be well.

Sunday, March 19, 2006

Unlimited Linux iSCSI Target in 5 minutes

After finding there were no suitable Windows iSCSI products around for me to play with at home, I ended up using a Linux one and had it running in VMWare quicker than you can say 'iscsitarget.sourceforge.net'. Here's how:

1. Download the free RHEL4 Virtual Machine from here.

2. Add another virtual SCSI disk to the prebuilt VM.

3. Follow these installation instructions to download and install iSCSI Enterprise Target.

4. Use the following as your ietd.conf file:

Target iqn.2006-03.local.domain:rhel4.storage.lun1
# Users, who can access this target
# (no users means anyone can access the target)
#IncomingUser
#OutgoingUser
#Lun definition
Lun 0 Path=/dev/sdb
# Alias name for this target
Alias GOiSCSI

5. Restart the iscsi service with service iscsi-target restart

6. Configure your iSCSI initiator now - if you need a hand have a look at this
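The comment in the ietd.conf from step 4 says it: with no IncomingUser, anyone who can reach the box can log in to the target. Here is a small audit script, added as an example (not from the post or the iSCSI Enterprise Target project), that parses an ietd.conf and lists the targets exporting LUNs without any CHAP user. The sample config is constructed: the post's target as-is plus a second one with a CHAP user (IET expects the incoming secret to be 12-16 characters; the values are made up).

```python
"""Added example, not from the post or the IET project: audit an ietd.conf for
targets that any initiator can log in to because no IncomingUser is set."""

def _entry(targets, iqn):
    return targets.setdefault(iqn, {"luns": [], "incoming": [], "alias": None})

def parse_ietd_conf(text):
    """Map each Target IQN to its Lun lines, IncomingUser names and Alias.
    Lines before the first Target (key None) are global discovery settings.
    Comments are stripped first, so a commented-out #IncomingUser counts as
    absent, exactly as ietd treats it."""
    targets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "Target":
            current = value
            _entry(targets, current)
        elif key == "Lun":
            _entry(targets, current)["luns"].append(value)
        elif key == "IncomingUser" and value:
            _entry(targets, current)["incoming"].append(value.split()[0])
        elif key == "Alias":
            _entry(targets, current)["alias"] = value
    return targets

def open_targets(text):
    """IQNs that export at least one LUN and require no CHAP login."""
    return sorted(iqn for iqn, t in parse_ietd_conf(text).items()
                  if iqn is not None and t["luns"] and not t["incoming"])

# Constructed sample: the post's target unchanged, plus one with CHAP enabled
# (IET wants a 12-16 character incoming secret; these values are made up).
SAMPLE_CONF = """\
Target iqn.2006-03.local.domain:rhel4.storage.lun1
#IncomingUser
Lun 0 Path=/dev/sdb
Alias GOiSCSI
Target iqn.2006-03.local.domain:rhel4.storage.lun2
IncomingUser backup Sup3rSecret1234
Lun 0 Path=/dev/sdc
"""

if __name__ == "__main__":
    for iqn in open_targets(SAMPLE_CONF):
        print("no CHAP user on", iqn)
```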

And that's it. I wasted more time looking for a trial version of a Windows based product that had a reasonable asking price for the full version, and actually felt like I learned a little something in the process.

Now all I have to do is download Fedora Core 4 and do the same on a physical box.

Tuesday, March 14, 2006

Using Poolmon to find kernel memory leaks...

Just so it's easier for me to find, here is the technet site that covers all the Support Tools

http://technet2.microsoft.com/WindowsServer/en/Library/eb0d5bd1-89c3-4ee7-975f-596b2e37e3aa1033.mspx

I was going to post up some stuff about using Poolmon and Memsnap, but you might as well just read the overview, syntax and example pages for these tools from the Technet site! Just make sure you enable gflags first on a Windows 2000 box, which requires a reboot before it becomes active. It's on by default in 2003.

I will add some small things... so when you've identified an offending tag, if the tag name isn't in pooltag.txt then open %windir%\System32\Drivers and do a search within files for the tag name. So that's search for files named '*' containing text 'tag'... or you could use findstr /m /l tag *.sys too I guess.

Also, while poolmon.exe comes with the Support Tools, pooltag.txt actually comes with both the Resource Kit and WinDbg. It's not a static file, so your best bet is to go with the most recent version, which is usually WinDbg. You'll find it in the /triage subdirectory.
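The two lookups above (pooltag.txt first, then a byte search of the driver images, which is what the findstr command does) as one script, added here as an example and not from the post or any Microsoft tool. The pooltag.txt excerpt and the fake .sys files are constructed; the demo writes them to a temp directory so it runs anywhere.

```python
"""Added example, not from the post: resolve a Poolmon tag via pooltag.txt,
falling back to scanning *.sys images for the 4-byte tag."""
import glob
import os
import tempfile

# Constructed excerpt in the pooltag.txt layout: tag - binary - description.
POOLTAG_SAMPLE = """\
// pooltag.txt excerpt (constructed)
Irp  - ntoskrnl.exe - Io, IRP packets
Proc - nt!ps       - Process objects
"""

def lookup_pooltag(tag, pooltag_text):
    """Return (binary, description) for a tag, or None if pooltag.txt lacks it."""
    tag = tag.ljust(4)[:4]
    for line in pooltag_text.splitlines():
        parts = [p.strip() for p in line.split(" - ", 2)]
        if len(parts) == 3 and parts[0].ljust(4) == tag:
            return parts[1], parts[2]
    return None

def find_tag_in_drivers(tag, driver_dir):
    """Names of *.sys files in driver_dir that embed the 4-byte tag. The tag
    DWORD is little-endian, so its characters sit in the image in reading
    order, which is why a plain text search (findstr) finds it too."""
    needle = tag.ljust(4)[:4].encode("ascii")
    hits = []
    for path in sorted(glob.glob(os.path.join(driver_dir, "*.sys"))):
        with open(path, "rb") as f:
            if needle in f.read():
                hits.append(os.path.basename(path))
    return hits

def identify(tag, pooltag_text, driver_dir):
    """Known tag -> its pooltag.txt entry; otherwise the drivers that embed it."""
    known = lookup_pooltag(tag, pooltag_text)
    if known:
        return "pooltag.txt", known
    return "driver scan", find_tag_in_drivers(tag, driver_dir)

def demo():
    """Constructed drivers dir: one fake .sys embedding an unlisted tag 'Leak',
    one that does not; identify a listed tag and the unlisted one."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "leaky.sys"), "wb") as f:
        f.write(b"MZ\x90\x00 fake image ... Leak ...")
    with open(os.path.join(d, "clean.sys"), "wb") as f:
        f.write(b"MZ\x90\x00 fake image ... Irp  ...")
    return identify("Irp", POOLTAG_SAMPLE, d), identify("Leak", POOLTAG_SAMPLE, d)

if __name__ == "__main__":
    print(demo())
```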

Speaking of WinDbg, here is the symbol search path I always use (and lose - that's why it's going up here!)

C:\Windows\symbols\2000BASE;C:\Windows\symbols\2000SP4;
C:\Windows\symbols\2000SP4U1;C:\Windows\symbols\2003BASE;
C:\Windows\symbols\2003SP1;
SRV*C:\Windows\symbols\download*http://msdl.microsoft.com/download/symbols


Hmmm I'm gonna have to do something about this stylesheet eh!

Sunday, March 05, 2006

Remove Removed Devices...

One of the most annoying errors IMHO is the one that you get when you change out a NIC (or remove a NIC from a VM) and try to reuse the IP address on the same machine.

So to get rid of that, first set the following machine environment variable:

DEVMGR_SHOW_NONPRESENT_DEVICES

... and give it a value of 1

I'll seriously consider adding this to the next SOE I work on, probably with a

setx DEVMGR_SHOW_NONPRESENT_DEVICES 1 -m

This will allow you to see the removed devices in Device Manager when you go into the View menu and tick 'Show Hidden Devices'