xPfxImport DSC Resource for Importing Certificates and Keys

I’m very proud to have contributed the xPfxImport DSC Resource to Microsoft’s xCertificate module. This resource is included in version 1.1.0.0 of xCertificate which was released on .

xCertificate on GitHub
xCertificate on PowerShell Gallery
ServerFault thread that pushed me to publish (thanks in particular to jscott).

The purpose is to distribute SSL certificates (and optionally the private key) to nodes via PowerShell Desired State Configuration. The PFX is loaded from a network share or file path, and is typically encrypted with a password. DSC Encrypted Credentials are used to store the PFX extraction password securely in the configuration.

My primary use case in writing this concerned distribution of commercially purchased SSL certificates; particularly something like a wildcard cert which needs to be distributed to many nodes and will be need to be updated periodically as renewals happen.

This will also be nice for use with shorter term certificates like 90-day certs offered for free by Let’s Encrypt.

Continue Reading »

Throw an Exception Instead of Prompt for an Unsupplied Mandatory PowerShell Parameter

I came across this question on StackOverflow about throwing when a parameter is not supplied by pipeline . There have been many questions about this (without so much emphasis on the pipeline), so it seems to be a common request that PowerShell not prompt on a missing mandatory parameter, but instead throw an exception.

The short answer is that there is no way to do it if the parameter is in fact mandatory, so what we usually settle for is a simulation of required-ness that’s usually handled with a default value expression that throws an exception, like so:

function Get-Thing {
[CmdletBinding()]
param(
    $MyParam = $( throw 'MyParam is required' )
)
}

But this approach has its disadvantages.

Continue Reading »

Use Variables in a DSC Script Resource

Every PowerShell Desired State Configuration resource must have at least one Key property that’s used to uniquely identify it within a single configuration. For the DSC Script Resource the keys are the GetScript, TestScript, and SetScript properties. Basically this means that each Script resource can’t contain the same content. Makes sense on the surface, but when you consider variable substitution, and looping through collections in $ConfigurationData, it’s easy to come up with a configuration that ends up with this error:

Add-NodeKeys : The key properties combination ‘your script here’ is duplicated for keys ‘GetScript,SetScript,TestScript’ of resource ‘Script’ in node ‘nodename’. Please make sure key properties are unique for each resource in a node.

This is quite annoying, but there are ways around it so you don’t have to resort to manually unrolling your loop.

Continue Reading »

Could not establish trust relationship for the SSL/TLS secure channel

Sometimes we run web services internally that don’t use a trusted SSL certificate. It’s not good practice, but in the real world this will be encountered.

In PowerShell, we often see this error come up when using Invoke-WebRequest or Invoke-RestMethod or even the [System.Net.WebClient] class. All of these rely on the .Net framework which is set up to validate SSL certificates, so an exception gets thrown when we try to connect to a site over SSL that isn’t trusted.

For a while, a lot of people created a class that implemented the ICertificatePolicy interface, provided a method that always returned true, and then set System.Net.ServicePointManager.CertificatePolicy to an instance of the new class. This is also the method I have used for a while, and in PowerShell it didn’t seem to complain. But I’ve recently found that this method is in fact deprecated .

It seems the correct way is to set the ServicePointManager.ServerCertificateValidationCallback property to a callback function. Ok, no problem. It’s almost the same thing.

Continue Reading »

Test for Verbose in Powershell

I was looking for a way to determine whether I was in Verbose mode in Powershell. My web searches came up with various solutions that all suffer from problems. Most of them use $PSBoundParameters. The most obvious problem with this is that it only works when -Verbose was called directly on the script or function whose context you’re currently in. Since the Verbose state is inherited by child scopes, this is less than ideal.

Continue Reading »

Splatting with $PSBoundParameters and Default Values for Optional Parameters

Splatting is a really great feature in PowerShell that lets you take a [hashtable] of parameters and call a function or cmdlet with the hash instead of having to type out every parameter name and value. It seems natural then that if you’re writing a wrapper or proxy function, where your function takes the same or nearly the same parameters as the function you’re calling, you could use $PSBoundParameters to do the heavy lifting (this special variable contains all of the parameter values passed into the function).

The problem comes when your proxy function has defaults for its optional parameters. $PSBoundParameters only includes the values of parameters that were explicitly supplied by the caller. There is no such variable that contains the default values.

Continue Reading »

DNS Manager Can't Set TXT Record to Expire

I finally got DNS scavenging configured in our environment. It’s working great, no big disasters. I was browsing the DNS manager (so much faster now that we got rid of those 6,000+ resource records we didn’t need) and I noticed two TXT records that I created as a test last week. I didn’t need them anymore, but instead of deleting them I thought I’d just set them to expire and let scavenging take care of it. Funny thing is, the setting just wouldn’t stick. No errors, nothing preventing me from doing it, it just kept reverting to static.

Continue Reading »

Get-DnsServerResourceRecord returns duplicate records when a sub-domain matching the zone exists

While writing a PowerShell script to fix some DNS records, I came across some very strange behavior. I was calling Get-DnsServerResourceRecord and it was returning duplicate results for every record. One result was correct, and the other one looked like it was the fully qualified domain name. The results made no sense to me, and I couldn’t figure out how now to return these extraneous records.

Continue Reading »

Get Progress on DFS Replication Database Cloning Import

As I wrote in a previous post, I began using the new DFS Replication database cloning technique to speed up initial sync. Thanks to Ned Pyle’s great How-To on the subject, I was able to tell exactly which events to look for in the event log to get an idea of progress: 2412 for the start of the process, 2416 for progress, 2404 for successful finish, and 2418 for an unsuccessful end (found that one out on my own, whoops!).

Since I clearly had a few hours to kill while the import happened, I wrote up a quick script to show the progress, with estimated time remaining.

Continue Reading »

DFSR Database Cloning Import Fails - 0x00001129 - Error 4393 - The tag present in the reparse point buffer is invalid

Windows 2012 R2 introduces a great feature for speeding up DFS Replication initial sync: Database Cloning. The details are covered very well by Ned Pyle’s excellent blog posts, especially this one. Seeing as how this is pretty new stuff, there doesn’t seem to be a lot of documentation about the possible errors, and I encountered the one in the title.

Continue Reading »

Remote Desktop Gateway Server is Temporarily Unavailable on SBS 2011 After Uninstalling Exchange Server

There are several causes of the error “Your computer can’t connect to the remote computer because the remote desktop gateway server is temporarily unavailable” in Windows SBS 2011. There are a lot of articles that deal with the specifics so I’ll go over those more common causes briefly before explaining my issue (which related to uninstalling Exchange).

Continue Reading »

Configure Confluence SMTP with TLS via JNDI for Office 365 Relay

or

How To Fix: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection in Confluence JNDI

I’ve been doing Exchange to Office 365 migrations lately and that means on-premises applications and devices can’t use the local Exchange server to send mail anymore.

Your options are to use the credentials of an Office 365 mailbox to send mail, set up a local SMTP relayer, or use a third-party SMTP service.

If you’ve opted to use an Office 365 login to send mail via SMTP, then you must use TLS, so the applications/devices sending mail must support sending mail with TLS on port 587.

This article focuses on Atlassian Confluence but may apply to other java applications using JNDI to configure mail.

Atlassian Confluence, Secure SMTP, and JNDI

Confluence has no way to set up secure SMTP with SSL or TLS from within the administration, so unfortunately you’re forced to configure Confluence to use a JNDI Location for SMTP. This involves moving around JARs and changing configuration files, which will end up slowing down your upgrades (see my script to make Confluence upgrades easier).

Continue Reading »

Junk Mail Not Syncing on Android Exchange ActiveSync

Junk Email - No Messages

I was asked recently to look at an Android phone that was connected to Exchange via ActiveSync. It was working fine for regular email, but Junk mail was seemingly not coming through.

Doesn’t sound like too bad a problem to have, but if you have clients (or worse, prospective clients) end up in Junk mail from time to time, and you don’t know it, it can seem like you’re ignoring them. Not good!

Continue Reading »

Failed to clone the repository in GitHub for Windows

failed-to-clone-the-repository-please-check-your-internet-connection

I recently installed GitHub for Windows for the first time so I could compile an open source project. While trying to clone the repository, I got this error:

failed to clone the repository ‘whatever
Please check your internet connection.

I knew my internet connection was working. A web search revealed answers that didn’t apply or didn’t work for me (an issue that was resolved in an earlier version, and an issue that was fixed by re-installing).

Continue Reading »

Last Result of 0xFFFD0000 for Powershell Scheduled Task

In my environment I push out a scheduled task which runs a PowerShell script. The PowerShell script sits on a network share. Recently, we changed the share where our scripts are stored, and as a result we updated the task to point to the new script location. The task used to work, but now it throws a Last Run Result error, with the return code 0xFFFD0000.

Continue Reading »

Windows Server 2012, VMware ESXi, and Strange Permissions Errors - Removable Storage Auditing what?

Update: There is now an update available via KB2811670 from Microsoft to address this (thanks Owen).

I’ve been getting ready to roll out Windows Server 2012 to be used for new production hosts, and one of the first machines I tried to deploy was a web server. I created my VM, installed Windows 2012, got IIS all set up. This web site was to be used for uploading and serving files, so I added a data disk and put the web site on this drive. The web app runs on Perl so I installed that, configured it, and no matter what I kept getting 500.19 errors. I don’t set up Perl all that often on IIS, and I thought for sure that it must have been some quirk in the process that I was missing.

Instead it turned out to be an unholy combination of factors with the way that VMware presents disk drives to Windows and how Windows 8 / Server 2012 handles removable drives. It effects things other than IIS too. The symptoms are strange, the errors are unhelpful, and the fixes aren’t obvious.

Continue Reading »

Missing Computers in ESET NOD32 Remote Install Tab

The ESET Remote Administrator Console hasn’t caused me much grief over the years when it comes to pushing out installations. But recently I was helping a client upgrade the workstations to version 5 of NOD32, now called ESET Endpoint Antivirus, or ESET Smart Security. Things seemed to be going fine, but then I noticed that at least 2 computers were not in the Remote Install tab’s computer list.

Continue Reading »

Hide Pages from the 404 Page in a Genesis Wordpress Theme

If you run your Wordpress blog on the wonderful Genesis Framework (as I do did), then you know that the 404 page is pretty nice out of the box. It gives the user a way back to the homepage, and lists of Pages and Posts and all kinds of ways to get people to find the content they wanted.

Wordpress Genesis Theme 404 Page

It lacks customization options though. In most of the sites I work on, there are a few pages that don’t get linked from the menus because they’re specialty pages. It could be a “thank you for purchasing” page, or a landing page for traffic from a specific site or campaign.

I’ve come up with a quick modification that lets you hide pages from the 404 listing by setting a field in the page’s metadata.

Continue Reading »

DFS: Properties cannot be set on the namespace server - Access is denied

I ran across a strange problem the other day with DFS. I needed to override the referral ordering for a namespace server, but the change wouldn’t take. I got a status of Error during the Commit changes task. In the detail, it showed Properties cannot be set on the namespace server \\SERVER.domain.local\Share. Access is denied.

Properties cannot be set on the namespace server - Access is denied

This error must be uncommon, because all of the search results are for a similar but differently worded error about changing the properties of a folder and that issue’s resolutions don’t apply here.

I finally figured out the problem, and thought I’d share!

Continue Reading »

Use jTDS NTLM Authentication in Confluence with SQL Server

I run Atlassian’s Confluence in several organizations. It’s a great product and runs on many platforms. Being a Windows admin I tend to stick to the existing Microsoft stack where possible, so I typically run Confluence on Windows against Microsoft SQL Server. The jTDS driver that comes with Confluence wants to use a SQL server user and can’t use NTLM/Windows authentication out of the box. With a few simple changes, we can have Confluence using NTLM auth to connect to SQL Server.

Continue Reading »

Configure a Viking ATA-100 / Cortelco 8211 Analog Telephone Adapter

Last week I had to diagnose a VoIP problem for a client wherein an intercom which acted as a regular POTS “phone” was connected to their IP-based PBX. The intermediary was a small box called an Analog Telephone Adapter. The Viking model number appears to be ATA-100 while the actual Cortelco model is 8211 or 821121-ATA-PAK. The ATA registers as a generic SIP device with the PBX, but it wasn’t registering. I needed to log in to the web interface, and the client didn’t have the login.

Continue Reading »

Simplify Confluence and JIRA Upgrades on Windows

The new installer for Confluence and JIRA on Windows simplifies upgrades, but it also overwrites added or modified files in your program directory. If you have added or modified a lot of files, it can be tedious to restore those modifications after the upgrade. To that end, I’ve written a simple powershell script which will back up all of the modified files and then optionally restore the files once the upgrade is complete.

Continue Reading »

Enable Powershell Remoting via Group Policy

Powershell really is a game changer when it comes management and scripting on Windows, but one of the areas where it really shines is in its remoting capability. Powershell remoting lets you connect to a remote system and run commands locally, then returns the results to the calling machine. This can be done as an automated block or as an interactive session.

Remoting requires Powershell 2.0 which comes built-in on Windows 7 and Windows 2008 R2, but it needs to be installed on Windows Vista / Server 2008 and below. The WinRM service will also have to be configured and enabled.

I’ll show you how to accomplish this with group policy for the range of operating systems that can run it.

Update 2013/02/20: I have confirmed that this method is working on Server 2012 (core and GUI) as well.

Update 2013/05/07: With the help of Jacob in the comments below, I was able to fix a problem in the VB Script. Since Powershell requires the .NET framework, this whole process will fail on Windows 2003 / XP if .NET is not installed. The VB Script now installs .NET as part of the process. The GitHub Gist has been updated. Thanks Jacob!

Update 2013/10/09: Updated the name of the WinRM policy setting based on user comments. Thanks to Micahel M. of Miller Computers and Giorgi Gordeziani.

Continue Reading »

Fix Incorrect Dates in uTorrent

A bug in uTorrent (which may or may not have been fixed) causes the Added On and Completed On dates to be incorrect after a reboot. If you are using fuzzy dates the affected torrents will appear to have been added/completed “less than a minute ago” or if you turned off fuzzy dates, you’ll see that the dates are set in the future.

I’ve written a short ruby script that will correct those dates (more or less) on Windows. I’m sharing this as a GitHub gist for easy downloading.

Continue Reading »