Changes for page Windows Server 2012 R2

Last modified by Sebastian Marsching on 2022/05/29 14:04

From version 5.2
edited by Sebastian Marsching
on 2022/05/29 12:43
Change comment: Added tag [Windows]
To version 6.1
edited by Sebastian Marsching
on 2022/05/29 12:51
Change comment: There is no comment for this version

Page properties
Content
... ... @@ -57,7 +57,7 @@
57 57  
58 58  By installing a language pack, we can change the language of nearly everything in the system. However, there is one prominent thing that is not affected by the language pack: the name of the local users and groups. We change those manually of course, but who want to do that? Therefore, I wrote two little scripts that can be used to copy the names of the users and groups created during installation from one system to another one. This way, if you already have a system where the user and group names are in the language you want, you can use the [[export script|attach:export_users.ps1]] to create a text file, copy this file to the target system and run the [[update script|attach:update_users.ps1]] there. For [[English|attach:users_and_groups_en.txt]] and [[German|attach:users_and_groups_de.txt]] I already created these text files. The update script has to be run in a PowerShell with elevated privileges, so it can potentially mess up your system. Test the script in a test environment before using it on a live system and always make backups before running the script.
59 59  
60 -# Adding an IP address that is not registered in DNS
60 +# {{id name="additional-ip-address-no-dns-registration"/}}Adding an IP address that is not registered in DNS
61 61  
62 62  The `netsh` command can be used to add an extra IP address to a network interface, without automatically registering this address in DNS. Example:
63 63  
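Review bot: the id `additional-ip-address-no-dns-registration` added to the heading in line 60 matches the fragment the old absolute URL in line 84 of the next hunk pointed at, so existing bookmarks to `#additional-ip-address-no-dns-registration` keep resolving after the link is switched to an anchor; nothing else in the heading changes. While this line is being touched, the neighbouring context line 58 has two wording slips worth fixing in the same edit: "We change those manually of course, but who want to do that?" should read "We could change those manually of course, but who wants to do that?". The advice there that the update script runs with elevated privileges and must be tested and backed up first is the important sentence of that paragraph and should stay as prominent as it is.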
... ... @@ -81,7 +81,7 @@
81 81  
82 82  This section describes a solution for the following situation: You want Windows Server Update Services (WSUS) to use SSL (in general, it is a good idea to use encryption, even in a private network). However, you do not want to issue a certificate for the FQDN of the host WSUS is running on, because you want to be able to move WSUS to a different server without having to issue a new certificate and update the client configurations.
83 83  
84 -The first step is to assign an additional IP address to the server. You do not want this address to be registered with the server's FQDN in the DNS, so follow the [instructions given above](https://sebastian.marsching.com/wiki/Windows/Windows_Server_2012_R2#additional-ip-address-no-dns-registration). The next step is to register the alternative host name you want to use for WSUS in your DNS by creating an A (and possibly an AAAA) record pointing to this address. For the rest of the instructions we assume that you are using the FQDN `wsus.example.com` as the virtual host name for your WSUS server. In general, it is also a good idea to add a PTR record for the IP address (or addresses) pointing back to the FQDN.
84 +The first step is to assign an additional IP address to the server. You do not want this address to be registered with the server's FQDN in the DNS, so follow the [[instructions given above||anchor="additional-ip-address-no-dns-registration"]]. The next step is to register the alternative host name you want to use for WSUS in your DNS by creating an A (and possibly an AAAA) record pointing to this address. For the rest of the instructions we assume that you are using the FQDN `wsus.example.com` as the virtual host name for your WSUS server. In general, it is also a good idea to add a PTR record for the IP address (or addresses) pointing back to the FQDN.
85 85  
86 86  Now you have to add the SSL certificate to the trust store of the system and to the list of certificates in IIS. This process depends on how you created the certificate, so please refer to one of the many instruction manuals available on the web.
87 87  
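Review bot: the link in line 84 is converted from the hard-coded `https://sebastian.marsching.com/wiki/...#additional-ip-address-no-dns-registration` URL to `[[instructions given above||anchor="additional-ip-address-no-dns-registration"]]`, which is the right fix: the anchor now follows the page if it is renamed or moved, and the target id is the one introduced in the previous hunk, so the two hunks belong together and should not be split across versions. The prose of the line is otherwise unchanged; one small point is that the sentence "You do not want this address to be registered with the server's FQDN in the DNS" would read more precisely as "registered under the server's FQDN", since the point of the extra address is that the server's own name must not resolve to it.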
... ... @@ -89,15 +89,15 @@
89 89  
90 90  If you want to force clients to use SSL for some of the services, you should also follow the [instructions on TechNet](http://technet.microsoft.com/en-us/library/bb633246.aspx).
91 91  
92 -This leaves us with only one problem: If you want to connect from the WSUS console on the same host, you have to use the regular host name of the server, not the virtual host name for WSUS. However, you cannot use SSL for the connection, because the name in the certificate will not match (after all it is using the virtual host name). If you force SSL like described in the [TechNet](https://sebastian.marsching.com/wiki/TechNet) article, the connection from the local host will not work. This is the point where the trouble starts and while trouble-shooting this, I messed up the configuration where WSUS would not work at all. If this happened to you as well, see the [instructions below](https://sebastian.marsching.com/wiki/Windows/Windows_Server_2012_R2#configuring-wsus-with-ssl-what-to-do-if-you-messed-up) on how to fix things.
92 +This leaves us with only one problem: If you want to connect from the WSUS console on the same host, you have to use the regular host name of the server, not the virtual host name for WSUS. However, you cannot use SSL for the connection, because the name in the certificate will not match (after all it is using the virtual host name). If you force SSL like described in the [TechNet](https://sebastian.marsching.com/wiki/TechNet) article, the connection from the local host will not work. This is the point where the trouble starts and while trouble-shooting this, I messed up the configuration where WSUS would not work at all. If this happened to you as well, see the [[instructions below||anchor="configuring-wsus-with-ssl-what-to-do-if-you-messed-up"]] on how to fix things.
93 93  
94 94  This problem is caused because by default NTLM authentication does not work if the client is the same host and the request uses a host name that is different from the system's host name (or FQDN). There are [two](http://support.microsoft.com/kb/896861) [articles](http://support.microsoft.com/kb/926642/en) in Microsoft's knowledge base and a [more detailed blog post](http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx) describing this problem. The solution is adding your virtual host-name (`wsus.example.com` in the example) to the list of allowed host names. This list is stored in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` and is a Multi-String Value with the name `BackConnectionHostNames` and taking one host name per line as a value. You edit the registry using the registry editor or [using the PowerShell](http://sharepointadam.com/2010/07/20/add-backconnectionhostnames-to-the-registry-via-powershell/). After making this change, you should restart the server. Maybe it is sufficient to restart IIS, but I did not test this.
95 95  
96 96  Now you should be able to connect the WSUS console to `wsus.example.com` on port 443 with SSL being enabled.
97 97  
98 -If after following this guide WSUS still does not work as expected, you first should clean-up you configuration like described in the [following section](https://sebastian.marsching.com/wiki/Windows/Windows_Server_2012_R2#configuring-wsus-with-ssl-what-to-do-if-you-messed-up) and repeat the steps from this section. If it still does not work, you might be interested in the [section even further below](https://sebastian.marsching.com/wiki/Windows/Windows_Server_2012_R2#configuring-wsus-use-virtual-ip-address-only), which tells you how to make sure that WSUS uses the virtual IP address exclusively. This might be needed in some environments where clients cannot access the WSUS server using its regular IP address.
98 +If after following this guide WSUS still does not work as expected, you first should clean-up you configuration like described in the [[following section||anchor="configuring-wsus-with-ssl-what-to-do-if-you-messed-up"]] and repeat the steps from this section. If it still does not work, you might be interested in the [[section even further below||anchor="configuring-wsus-use-virtual-ip-address-only"]], which tells you how to make sure that WSUS uses the virtual IP address exclusively. This might be needed in some environments where clients cannot access the WSUS server using its regular IP address.
99 99  
100 -## What to do if you messed up
100 +## {{id name="configuring-wsus-with-ssl-what-to-do-if-you-messed-up"/}}What to do if you messed up
101 101  
102 102  If you messed up (e.g. by running `wsusutil configuressl` after adding the virtual IP address to the bindings in IIS), WSUS will not start correctly and in the event log you will find one or several of the following messages:
103 103  
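Review bot: line 92 converts the "instructions below" link to an anchor but leaves `[TechNet](https://sebastian.marsching.com/wiki/TechNet)` pointing at a wiki page named `TechNet` rather than at the TechNet article already linked in line 90 (`http://technet.microsoft.com/en-us/library/bb633246.aspx`); since the line is being edited anyway, the reference should point at that article (or simply say "the TechNet article linked above") so the reader is not sent to a non-existent wiki page. Line 98 likewise carries a typo in the changed line, "clean-up you configuration", which should read "clean up your configuration". Both anchor targets introduced here, `configuring-wsus-with-ssl-what-to-do-if-you-messed-up` (defined on line 100 in this hunk) and `configuring-wsus-use-virtual-ip-address-only` (defined on line 115 in the next hunk), spell the id exactly as the links do, so the in-page navigation will resolve. The unchanged context in line 94 deserves a mention in review as well: it recommends adding only the specific virtual host name to `BackConnectionHostNames` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`, which is the narrower and preferable fix compared with the blanket loopback-check disablement the linked blog post's title refers to; that distinction is worth keeping explicit in the text.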
... ... @@ -112,7 +112,7 @@
112 112  
113 113  You should be able to fix this by removing all bindings from the "WSUS Administration" site in IIS manager and just add the two bindings for `http://*:8530` and `https://*:8531`. After this you can restart the WSUS server and it should work again. Subsequently, you can follow the instructions given above for configuring SSL.
114 114  
115 -## Configuring WSUS to use a virtual IP address only
115 +## {{id name="configuring-wsus-use-virtual-ip-address-only"/}}Configuring WSUS to use a virtual IP address only
116 116  
117 117  In order to understand what we are going to do here, it makes sense to first understand what we did in the sections above:
118 118
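Review bot: the id `configuring-wsus-use-virtual-ip-address-only` added in line 115 matches the anchor used by the link in line 98 of the previous hunk, so the "section even further below" link resolves. One naming consistency point: this id drops the "to" from the heading "Configuring WSUS to use a virtual IP address only", whereas the id added on line 100 (`configuring-wsus-with-ssl-what-to-do-if-you-messed-up`) follows its heading word-for-word; deriving ids from the heading text in one consistent way makes future anchors predictable and avoids silent mismatches when a link is typed from memory. No other content changes in this hunk.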