1. Войдите в систему как пользователь с правами администратора.
2. Удалите все запланированные задания. Чтобы сделать это, выполните следующие действия.
   1. Нажмите кнопку Начало, Запустить, тип элемент управления schedtasks, а затем нажмите клавишу ВВОД.
   2. Проверьте список заданий, которые зарегистрированы в окне «назначенные задания».
   3. Удалите все зарегистрированные задачи.
   4. Закройте окно «назначенные задания».
3. Нажмите кнопку Начало, нажмите кнопку Запустить, тип cmd, а затем нажмите кнопку ОК.
4. В командной строке введите следующие действия, чтобы перейти к указанной папке:
   CD %SystemDrive%\Documents и Data\Microsoft\Crypto\RSA\S Users\Application Settings\All-1-5-18
5. Удалите все файлы, которые начинаются с d42 *, введя следующие команды:
   DEL d42 *
6. В командной строке введите: Exit.
7. Изменить расписание задачи копирования теневых томов. Файлы, которые начинаются с d42 * создаются повторно после перепланирования задачи копирования теневых томов.

Бился несколько дней с проблемой обновления сертификата на продукт self-service-password aka

ADSelfService Plus

По официальной инструкции делал всё правильно, только SSL не стартовал.
http://www.manageengine.com/products/self-service-password/help/admin/general-settings/ssl-installation.html
После долгих попыток решения данного вопроса пришло в голову конвертнуть текущий PFX в формат JKS
C помощью утилиты:
http://portecle.sourceforge.net/
Конвернул, подсунул серверу.
Вуаля ...

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
1.  Extract from PFX file key and cert in PEM format   

 openssl pkcs12 -nocerts -in %_PFXFILE% -out %_KEYPEM% -passin pass:%_PASSWD% -passout pass:%_PASSWD%    

openssl pkcs12 -clcerts -nokeys -in %_PFXFILE% -out %_CERTPEM% -passin pass:%_PASSWD

2.  Convert both cert and key from PEM to DER format     

 openssl pkcs8 -topk8 -nocrypt -in %_KEYPEM% -inform PEM -out %_KEYDER% -outform DER -passin pass:%PASSWD%

 openssl x509 -in %_CERTPEM% -inform PEM -out %_CERTDER% -outform DER

3. Use java code to combine Cert and Key to JKS store format 

java ImportKey %_KEYDER% %_CERTDER% %_KEYSTORE% %_ALIAS% %_JKSPASSWD

keytool does not support management of private keys inside a keystore. You need to use another tool for that. If you are using the JKS format, that means you need another java-based tool. extkeytool from the Shibboleth distribution can do this.

Create an empty keystore

keytool -genkey -alias foo -keystore truststore.jks
keytool -delete -alias foo -keystore truststore.jks

Generate a private key and an initial certificate as a JKS keystore

keytool -genkey -keyalg RSA -alias "selfsigned" -keystore KEYSTORE.jks -storepass "secret" -validity 360

you can also pass the data for the DN of the certificate as command-line parameters: -dname "CN=${pki-cn}, OU=${pki-ou}, O=${pki-o}, L=${pki-l}, S=${pki-s}, C=${pki-c}"

Generate a secret key that can be used for symmetric encryption. For this to work, you need to make use of a JCEKS keystore.

keytool -genseckey -alias "secret_key" -keystore KEYSTORE.jks -storepass "secret" -storetype "JCEKS"

Generate a Certificate Signing Request for a key in a JKS keystore

keytool -certreq -v -alias "selfsigned" -keystore KEYSTORE.jks -storepass "secret" -file MYCSR.csr

Import a (signed) certificate into a JKS keystore

keytool -import -keystore KEYSTORE.jks -storepass "secret" -file MYCERT.crt

add a public certificate to a JKS keystore, eg the JVM truststore

keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt -keystore MYSTORE.jks

If the JVM truststore contains your certificate or the certificate of the root CA that signed your certificate, then the JVM will trust and thus might accept your certificate. The default truststore already contains the root certificates of most commonly used sommercial CA's. Use this command to add another certificate for trust:

keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt -keystore $JAVA_HOME/lib/security/cacerts

the default password of the Java truststore is "changeit".
if $JAVA_HOME is set to the root of the JDK, then the truststore is it $JAVA_HOME/jre/lib/security/cacerts
keytool does NOT support adding trust certificates to a PKCS12 keystore (which is very unfortunate but probably a good move to promote JKS)

delete a public certificate from a JAVA keystore (JKS; eg JVM truststore)

keytool -delete -alias "sensible-name-for-ca" -keystore $JAVA_HOME/lib/security/cacerts

the default password of the Java truststore is "changeit".
if $JAVA_HOME is set to the root of the JDK, then the truststore is it $JAVA_HOME/jre/lib/security/cacerts

List the certificates inside a keystore

keytool -list -v -keystore KEYSTORE.jks

-storetype pkcs12 can be used

Get information about a stand-alone certificate

keytool -printcert -v -file MYCERT.crt

Convert a JKS file to PKCS12 format (Java 1.6.x and above)

keytool -importkeystore -srckeystore KEYSTORE.jks -destkeystore KEYSTORE.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass mysecret -deststorepass mysecret -srcalias myalias -destalias myalias -srckeypass mykeypass -destkeypass mykeypass -noprompt

Windows Server 2008 R2 New Active Directory Features

Performance optimization tips

http://www.vmware.com/files/pdf/solutions/vmware-citrix-xenapp-best-practices-EN.pdf

 "Асинхронное выполнение сценариев загрузки" в Enabled (по умолчанию он не задан, т.е. сценарии Startup выполняются синхронно, ожидая завершения предыдущего). Находится этот параметр в Computer Configuration/Administrative Templates/Система/Сценарии. также необходимо разрешить параметр "Всегда ожидать инициализации сети при загрузке и входе в систему" (если он у вас уже не разрешён в какой-либо другой политике). Он находится в соседней ветке Computer Configuration/Administrative Templates/Система/Вход в систему. Иначе может возникнуть ситуация, при которой сеть ещё не проинициализирована, а мы уже пытаемся обратиться к сетевому ресурсу с пакетом установки.

На всякий случай привожу окончательную версию скрипта, вдруг кому-нибудь ещё пригодится. Я изъял оттуда все всплывающие сообщения, которые пригодились на этапе отладки, и вставил дополнительную проверку на соответствие версии операционной системы.

Dim WshShell, WinDir, objFSO, strComputer, tFile

'Указываем, что оперируем локальным компьютером
strComputer = "."

Set WshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WinDir = objFSO.GetSpecialFolder(WindowsFolder)

Set objSWbemServices = GetObject("winmgmts:\\" & strComputer)
Set colOperatingSystems = objSWbemServices.InstancesOf("Win32_OperatingSystem")

'Местоположение бэкапа исполняемого файла клиента RDC старой версии, создаваемого при установке обновления RDC 6.1
tFile = WinDir + "\$NtUninstallKB952155$\mstsc.exe"

'Проверяем, что обновление ещё не установлено
If Not objFSO.FileExists(tFile) Then
 For Each objOperatingSystem In colOperatingSystems
 'Проверяем, что операционка — это Windows XP pro
  If objOperatingSystem.Caption = "Microsoft Windows XP Professional" Then
  'Проверяем версию сервис-пака
   If objOperatingSystem.ServicePackMajorVersion = 2.0 Then
   'Проверяем языковой стандарт операционки
    If objOperatingSystem.Locale = 0419 Then
    'Запускаем установку обновления
     WshShell.exec("\\domaindc\gpshare$\WindowsXP-KB952155-x86-RUS.exe /quiet /norestart")
    Else
    End If
   Else
   End If
  Else
  End If
 Next
Else
End If

Optimizing XenApp on VMWare ESX

• Align the drives - use DISKPART to create a 64k Partition, formatted using 32k allocation unit sizes
• 1 vCPU - assuming your application can run effectively in single CPU mode. Although there are many valid reasons to NOT do this, I recommend it because this reduces CPU %READY and CPU scheduling requirements by single threading the OS. Of course, if your app set requires multiple processors, or you risk pegging the single CPU, then this may not be an option.
• 2 GB RAM - this is a good starting point for baseline testing. Depending on the Host RAM and the app requirements, you may need to move this up or down accordingly.
• Set Page File Min and Max at 1.5 x RAM
• Installed latest VMTools, including the Memory Manager (aka the Balloon Driver)
• Please note, there are a lot of recommendation to disable this, but I believe that to be a fallacy:
• a lot of the information and recommendation out there is still based on ESX 2.x
• The Balloon Driver is a safety net, which should not be normally called on when designed properly
• when in doubt, and until proven otherwise, go with the standard package
• Disconnect/Disable the CD Rom - Windows guests poll CD devices quite frequently. When multiple guests try to access the same physical CD drive, performance suffers. Disabling CD devices in virtual machines when they are not needed alleviates this.
• Adjust the Disk timeout valie to the storage vendor's recommended: HKLM/SYSTEM/CurrentControlSet/Services/Disk/TimeoutValue = REG_DWORD Hex value 3c (60)
• Disable Last Time Access Atrribute for NTFS, this setting that keeps track of the last time a file was accessed. Removing the necessity for the system to keep reading and writing this information may speed up performance. The command is: fsutil behavior set disablelastaccess 1
• Disable screen savers
• Disable animations
• Disable USB

• Citrix ActiveSync Service
• Citrix XML Service - enable this on your ZDCs, disable on your production app servers
• DHCP Client - if you are using static IP addresses
• Distributed File System
• Help and Support
• Human Interface Device Access
• Indexing Service
• Messenger
• Netmeeting Remote Desktop Sharing
• WebClient
• Windows Audio - unless, ofcourse, you truely need sound for your apps
• Wireless Zero Configuration

How to automatically upgrade VMware Tools

The following how-to is from this VMware KB  —  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010048

Before you begin

• Windows PowerShell 1.0. This version of Windows PowerShell is installed as Microsoft KB926139-v2.

  For more information, see http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx.
  Note: The preceding link was correct as of July 23, 2008. If you find the link is broken, please provide feedback and a VMware employee will update the link.

• VI Toolkit. For more information, see http://vmware.com/download/download.do?downloadGroup=VI-WT-15.

Note: VMware recommends that you install NET 2.0 SP1 to avoid slow operations.

Setting all virtual machines to automatically upgrade VMware Tools

1. Start VI Toolkit from Start > Programs > VMware > VMware VI Toolkit > VMware VI Toolkit.
2. Connect to the VirtualCenter Server with the command:

   connect-viserver -server <VirtualCenter Server IP address> -user <VirtualCenter User> -password <VirtualCenter password>

3. Copy the following command into the Windows VI Toolkit window:

   Foreach ($v in (get-vm)) {
   $vm = $v | Get-View
   $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
   $vmConfigSpec.Tools = New-Object VMware.Vim.ToolsConfigInfo
   $vmConfigSpec.Tools.ToolsUpgradePolicy = “UpgradeAtPowerCycle”
   $vm.ReconfigVM($vmConfigSpec)
   }
   
   The VI Toolkit window does not display any output until the command has completed for each virtual machine. When the command is done running, a reconfigure task displays in VirtualCenter for every virtual machine.

Creating and Deploying a Citrix Template on VMWare ESX

Base OS configuration:

• Create the base VM per my Citrix on VMWare article.
• Update OS (Windows 2003 R2 SP2) to the latest updates
• Windows Server Configuration: Using Add/Remove Programs, Windows Components:
• If installed, remove Remove .NET Frameworks 2.0 & 3.0
• Application Server: Message Queuing (default)
• Management and Monitoring Tools: Simple Network Management Protocol
• Uncheck Internet Explorer Enhanced Security Configuration
• Terminal Server / Full Security / Use Auto Discovery / Per Device Mode
• Windows System Configuration: Modify the System Properties:
• Advanced > Performance Settings > Data Execution Prevention: essential programs
• Advanced > Performance Settings > Virtual Memory: Initial & Maximum: 6144MB
• Advanced > Environment Variables: update paths for custom applications
• Advanced > Error Reporting: Uncheck Force Queue Mode
• Remote > Check Enable Remote Desktop
• Copy App Install sets to local Data Drive\INSTALLS

Application Configuration:

• Run DriveReMap.exe from INSTALLS\PS 4.5 INSTALL directory, assign C to M (will require a reboot)
• Supporting Applications: Use the content copied to the INSTALLS folder
• Framework 2.0.50727.42
• Framework 3.0
• Frameworks 3.5 SP1
• Install SNMP Informant & Configure SNMP Settings (if used)
• Copy any standard tools (including PSKILL, PSEXEC, UPTIME)
• Install the any viewer Applications: Office, Notepad++, Acrobat, etc.
• Install Citrix Presentation Server 4.5 for Windows 2003 (assume an existing Farm)
• Apply Approved Citrix Patches for Presentation Server 4.5
• Hotfix Roll Up #3
• Configure Citrix Services (deviation from defaults are listed):
• Citrix ActiveSync Service: DISABLED
• Citrix Print Manager Service: Automatic. Set to Run as (DOMAIN ACCOUNT)
• Citrix XML Service: DISABLED
• Check for any additional Windows Updates
• Apply Citrix Registry Changes, as needed, such as:
• Seamless Windows
• Citrix Universal Printer
• System Page Pool Manager
• System Beep
• Modify Printers and Print Drivers
• Remove any unwanted printers and drivers
• Install any required native print drivers
• Delete Contents of INSTALLS directory
• Delete Service Pack Uninstall Files
• Clear all Event Logs
• Empty Recycle Bin
• Stop the Following Services and set to Manual Startup:
• Citrix IMAService
• Citrix SMA Service
• Citrix Print Manager Service
• Shut down VM

Prepare and Deploy Template

• Clone VM to Template
• Deploy VM from Template, select Customize
• Using SysPrep from customization, assign Machine Name and join Domain
• Assign Static IP and AltAddr (if necessary)
• Move computer account to proper OU
• Run DSMAINT RECREATELHC
• Set IMA, SMA, and CPSVC to Automatic
• Reboot Server
• Verify Farm Connectivity (QFARM)
• Verify Remote Desktop Connectivity
• Assign Election Preference and Zone in Presentation Server Console
• Assign Load Evaluator, Hierarchy, and Published Desktop in Access Management Console
• Verify ICA Connectivity, local and remote
• Test/verify pre-configured applications
• Perform any final application or system updates
• Publish necessary applications

В данной статье приведены рекомендации специалистов компании Citrix по настройке антивирусного приложения, установленного на одном сервере с Citrix Presentation Server. Данные рекомендации адаптированы применительно к Антивирусу Касперского 6.0 для Windows Servers Enterprise Edition.

• В задаче Постоянная защита файлов установите режим проверки объектов Интеллектуальный режим (команда Свойства контекстного меню задачи Постоянная защита файлов, закладка Режим защиты).


• В задаче Постоянная защита файлов установите проверку только локальных дисков.



• В задаче Постоянная защита файлов исключите из проверки файл подкачки (pagefile).



• В задаче Постоянная защита файлов исключите из проверки папку заданий принтера (Print Spooler directory) для повышения скорости обработки заданий.
  
  Если при установке Антивируса вы согласились с добавлением некоторых системных папок в доверенную зону (по рекомендациям Microsoft), то этот каталог уже исключен из проверки всеми задачами Антивируса.



• В задаче Постоянная защита файлов исключите из проверки папку \Program Files\Citrix. В ней хранится кэш доступа локальных хостов и база данных Resource Manager.



• При использовании сквозной проверки подлинности (ICA pass-through connections), на клиентских машинах исключите из проверки локально установленным антивирусным приложением папку Presentation Server Client и папку кэша для растровых изображений (Documents and Settings\<учетная _запись>\Application Data\ICAClient\Cache).



• Если пользователи соединяются с сервером в режиме публикации рабочего стола, то, с целью повышения скорости работы клиентов сервера, в контекстном меню узла Антивирус Касперского вызовите команду Свойства, в открывшемся окне перейдите на закладку Дополнительно и снимите флаг Показывать значок приложения в панели задач.
  



• В доверенной зоне Антивируса Касперского отключите проверку файлов, к которым осуществляется доступ во время операций резервного копирования (установите флаг Не проверять файловые операции резервного копирования  на закладке Доверенные процессы).

Специалисты компании Citrix рекомендуют прежде, чем установить антивирусное приложение на основной сервер, провести полный цикл тестирования на тестовом стенде.

• Set the task Real-time file protection to scan objects in Smart mode (right-click the task Real-time file protection, select Properties, tab General).



• Set the task Real-time file protection to scan local disks only.



• Exclude pagefile from scan in the task Real-time file protection.



• Exclude Print Spooler directory from scan in the task Real-time file protection. Tasks will be processed faster in this case.



• If you agreed to add certain system folders into trusted zone during Anti-Virus installation (Microsoft recommendations), this folder is already excluded from scan in all Anti-Virus tasks.



• Exclude the folder \Program Files\Citrix from scan in the task Real-time file protection. This folder houses access cache for local hosts and Resource Manager database.



• If you are using ICA pass-through connections, exclude folders Presentation Server Client and Documents and Settings\<account_name>\Application Data\ICAClient\Cache (bitmap images folder) from scan by local Anti-Virus on client hosts.



• If users connect to server by RDP, delete the value Anti-Virus system tray load indicator (kavtray.exe) from registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run on the server to raise server clients performance.



• Disable scan of files accessed during backup operations in Kaspersky Anti-Virus trusted zone (check the box Do not monitor file activity of the specified processes on the tab Trusted processes).
  
  You should also exclude from scan the following files:

• • 
    <sytemroot>windows\system32\drivers\BNNS.sys
  • <sytemroot>windows\system32\drivers\BNNF.sys
  • <sytemroot>windows\system32\drivers\BNPort.sys
  • <sytemroot>windows\system32\drivers\BNNS.sys
  • <sytemroot>windows\system32\drivers\bnistack.sys
    
• Add the process BNDevice.exe into the trusted list.
  

HP Printer Administrator Resource Kit
 

•HP Driver Configuration Utility

•HP Driver Deployment Utility
•HP Managed Printing Administrator
•HP UPD Active Directory Administrative template

Для настройки\установки драйверов HP

 recompile WMI ,
•Windows WMI
cd /d %windir%\system32\wbem
for %i in (*.dll) do RegSvr32 -s %i
for %i in (*.exe) do %i /RegServer
 
•Citrix WMI
cd C:\Program Files\Citrix\System32\Citrix\WMI
for /f %s in (‘dir /b *.mof *.mfl’)do mofcomp %s

Если подключён допольнительный ящик
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Preferences]
"DelegateSentItemsStyle"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Options\General]
"DelegateWastebasketStyle"=dword:00000004

Scripts Collection

Please click on one of the following categories:

• Computer Management
• Disk and File Systems
• Enterprise Scripts
• Files and Folders
• Logs
• Miscellaneous
• Monitoring
• Networking
• Printing
• Processes
• Registry
• Security
• Services
• Task Scheduling
• Users and Groups
• Users and Groups
• Users and Groups

Manual uninstall procedures for Symantec NetBackup (tm) 6.x and 7.x

Solution

• When the normal method of uninstall using Add-Remove Program fails.
• When the file-system and the registry needs to be cleaned up after a failed installation of the product.
• Uninstall using Add-Remove has been done successfully, yet some other product is reporting a presence of Veritas NetBackup on the system.

FTP over SSL in IIS 7.5, Windows server 2008 R2 and Filezilla Client

FTP over SSL is named FTPS, FTP-SSL and FTP/S is a new feature of Microsoft FTP for IIS 7.0 and 7.5 its freshly introduced support for SSL/TLS.

Testing this new feature I configured my FTP site with SSL:

In advanced settings:

When I try to open my FTP site. Ohhhh, suprise Microsoft not have a FTPS client, Intenet Explorer 7 and 8 don't work Error:
534 Policy requires SSL.

Now then I open this FTP site with Filezilla Client 3.3 connecting with FTPS using Explicit SSL/TLS and it work sucessfully.

PortQryUI – Troubleshoot TCP/IP connectivity issues

Отключение экрана Welcome Internet Explorer 8

After configuring the settings, a new tab window opens automatically, redirecting to Microsoft IE8 Website.

The setup modifies the following registry keys under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

1. REG_DWORD IE8RunOnceLastShown from 0 to 1
2. REG_DWORD IE8RunOncePerInstallCompleted from 0 to 1
3. REG_DWORD IE8TourNoShow from 0 to 1
4. REG_BINARY IE8RunOnceCompletionTime
5. REG_BINARY Window_Placement

It adds a REG_BINARY key called IE8RunOnceLastShown_TIMESTAMP.

Solution:

There are two ways which can be used to disable it

1. Disabling the setting on the local machine directly.

1. Open Registry editor (regedit.exe) and navigate to the following key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
2. Create a new REG_DWORD value named DisableFirstRunCustomize
3. Set its value data to 1.
4. Exit the Registry Editor.

NOTE: We can also use the Group Policy Management Console to create this particular registry key and populate it to all clients.

2. Using Group Policy Editor

1. Launch the Group Policy Editor (gpedit.msc)
2. Navigate to the following branch:

Computer Configuration | Administrative Templates | Windows Components | Internet Explorer

3. Double-click “Prevent performance of First Run Customize Settings”
4. Set the value to Enabled and make the choice in the drop-down below. The details about this setting are as follows (taken from the gpedit console)

This policy setting prevents performance of the First Run Customize settings ability and controls what the user will see when they launch Internet Explorer for the first time after installation of Internet Explorer.

If you enable this policy setting, you must make one of two choices:

1: Skip Customize Settings, and go directly to the user’s home page.

2: Skip Customize Settings, and go directly to the "Welcome to Internet Explorer" Web page.

If you disable or do not configure this policy setting, users go through the regular first run process.

5. Click Apply, close the dialog and exit the Group Policy Editor.
6. Perform a gpupdate /force for the settings to apply on the machine.

To assign Calendar Editor permission use the following command:

Set-MailboxFolderPermission -Identity Granter_Username:Calendar -User ‘Granted_username’ -AccessRights Editor

You can review calendar permissions with following PS command

Get-MailboxFolderPermission -Identity Granter_Username:calendar

You can use the same PS command to provide all available access rights.
Just replace the attribute after -AccessRights