Posts

Showing posts from November, 2019

Citrix Store email discovery

We are rolling out Citrix and wanted to use the email discovery. Whilst this has issues due to our choice of network IP addresses (don't ask!), I found a couple of web pages which assisted in getting this sorted:
https://www.jgspiers.com/configuring-citrix-receiver-email-based-discovery/
https://www.virtualexperience.no/2012/08/25/configure-citrix-receiver-email-based-discovery/
I only need this process internally as we are not running NetScalers. Yet. So my DNS requirements are somewhat simplified. This all boils down to three things:
1. An internal SRV record for _citrixreceiver._tcp.domain.com, port 443.
2. A certificate from our internal (trusted) PKI with a SAN of discoverReceiver.domain.com. I used a web server template and included the FQDN as the CN, and the FQDN, the short name of the server and discoverReceiver.domain.com as SANs.
3. Install this certificate into the IIS default website, or whatever website you are using to host the Store.
Change "domain.com" to

PXE booting, MDT and 802.1x

Oh dear. We implemented site-wide 802.1x when we moved. This has caused numerous issues which we are still tracking down and killing with fire. Again "only-when-we-needed-it" struck as we had a new starter and needed to build a machine. Ah. No PXE. However, thankfully we were able to make a bootable USB using 802.1x and get our build working again from MDT in our 802.1x environment. Here's how we did it.
Caveats:
- I'm assuming you know MDT and how PXE works.
- We use computer certificates as the 802.1x auth method.
- 802.1x is working in our environment.
- GPO is used to start the wired 802.1x service on built machines.
- GPO is used to configure the network profile to use 802.1x.
What you need:
- Get a USB stick to take your WinPE; 4GB may be enough.
- Make sure you are running an up-to-date, working MDT installation!
- Create a machine certificate which has a long expiry date; you don't want to be making USB WinPE images every month!!
- Export the machine

Bitlocker and MBAM on Windows 10 1903

Recently our SQL servers broke. Big time. Totally unrecoverable. This box "only" ran small infrastructure databases, MBAM being the main one. We only noticed when we needed to unlock a BitLocker-locked machine and MBAM wasn't responding. Our backups were toast too, as the SQL server box had been unusable for longer than our retention period and we now had backups of a broken machine. Not great. We now monitor this server. Like a hawk. Horse. Bolt. Stable. Oh well. We did have the data on separate disks, so we were able to get the BitLocker database itself back and mount this on a new SQL box, so not all was lost. We took this opportunity to upgrade MBAM and the MBAM client we delivered to the endpoints. Then Windows 1903 was released and we began piloting this to certain users. Due to the recent "interest" in MBAM we noticed that BitLocker was not enabling on these machines despite the GPO being in place. This GPO worked fl

(Un)stable VPN connections to RRAS

Our VPN solution is based on RRAS running on Windows Server 2016, running on ESX 7.5, through a Fortinet firewall. For a while we've been having VPN connectivity issues. Users who could connect one day were failing to connect, or connections were dropping. It is your typical IT nightmare: nothing changed in either client or server config and things just worked or failed randomly. It got so bad (execs got involved!) that we are now implementing a new solution and moving away from RRAS. In any case, I began last month by finally "giving in" and rebooting the servers each night (I've an Orchestrator job which checks the VPN connections and reboots the server if there are none). This seemed to help and connections were a lot better. I did some more trawling of the internet and found some really old posts saying that VMXNET3 adapters caused issues with RRAS and NAT (which I am doing), so I reconfigured to use E1000. Again, another level of stability! Finally I remembe

Powershell VPN connections - PEAP with MSCHAPv2

Messing around with VPNs last week I found that it is easier (sometimes) to have a one-liner for VPN creation! Here's how I make a PEAP\MSChapV2 VPN profile, using the user's Windows creds! Change ServerAddress, DnsSuffix and choose a better L2tpPsk!!

# Inner method: MSCHAPv2 using the logged-on user's Windows credentials
$a = New-EapConfiguration -UseWinlogonCredential
# Outer method: PEAP, tunnelling the MSCHAPv2 configuration above
$b = New-EapConfiguration -Peap -TunneledEapAuthMethod $a.EapConfigXmlStream
# SSTP profile, created for all users of the machine
Add-VpnConnection -Name "VPN (SSL)" -ServerAddress vpn.fqdn.com -AuthenticationMethod Eap -DnsSuffix my.domain.com -EapConfigXmlStream $b.EapConfigXmlStream -EncryptionLevel Maximum -Force -RememberCredential -AllUserConnection -TunnelType Sstp
# L2TP profile with a pre-shared key (replace "shared secret key" with your own)
Add-VpnConnection -Name "VPN (L2TP)" -ServerAddress vpn.fqdn.com -AuthenticationMethod Eap -DnsSuffix my.domain.com -EapConfigXmlStream $b.EapConfigXmlStream -EncryptionLevel Maximum -Force -RememberCredential -AllUserConnection -TunnelType L2tp -L2tpPsk "shared secret key"

Using Orchestrator to take Volume Shadow Copies

We have a pair of 2019 Core servers running our file shares. We also use System Center Orchestrator to automate some things. Here is how I set up Orchestrator to initiate VSS snapshots.
1. Ensure that VSS is running OK on your file server and you can manually take a VSS snapshot using vssadmin.
2. Decide on your schedule; we do a snapshot every 2 hours.
3. Create a Monitor Date/Time step configured to the required VSS schedule.
4. I found the only way to get VSS to run correctly was using PsExec to run the actual VSS snapshot, so make a Run Program step for each file server to run the following command line (replacing values where needed):
psexec.exe -h -accepteula \\fileserver01 vssadmin create shadow /for=F:
5. Make sure you enter an account in the Advanced and Security sections. The account needs the correct permissions to create VSS snaps on the file servers!
I then do some error checking and logging based on this, with failures also raising an email notification