Encryption with errors

I had a task: create an encrypted folder. OK, this is easy, nothing special 🙂

The first error: I wasn't able to encrypt our folder, because I got this error message:
Recovery policy configured for this system contains invalid recovery certificate

My Recovery Agent certificate was expired.

You can solve this problem as follows:

1 – Open Group Policy Editor and edit the Default Domain Policy
2 – Click Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System
3 – Here you will see the Administrator's expired certificate
4 – Add another user, which is what I did (or enroll a new certificate for Administrator)
a – right-click Encrypting File System and click the Create Data Recovery Agent option
5 – Update group policy on the file server (cmd -> gpupdate)

Second error message:
OK, I was able to encrypt our folder, that's good, but now I couldn't add a new user to the ACL who can access the file.

I got this error message:
The revocation function was unable to check revocation because the revocation server was offline

I checked the CRL list; I could download it from a browser (for example: IE), the lists were up to date, and I tried turning off the revocation check, but the problem did not disappear.

I exported my user certificate, and checked my PC with this command.

certutil -verify -urlfetch <CA cert>.cer

On my desktop PC that was fine, but when I ran it on the file server I saw error messages. When the server tried to read the CRL list, I saw a timeout message.

netsh winhttp show proxy

I recognized that this query showed the wrong proxy address.

netsh winhttp set proxy IP-ADDRESS:80

I changed the proxy address from the old one to the new one, and voilà, I'm able to add new users to the ACL list.

File server: Windows Server 2012 R2
CA: Windows Server 2008 R2
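
The check described above can be repeated for every HTTP CRL distribution point in the exported certificate, going through the same machine-wide WinHTTP proxy that `netsh winhttp show proxy` reports, which can differ from what a browser uses. This is an added example, not part of the original post; the certificate path is a hypothetical placeholder, and using the WinHttpRequest COM object for the fetch is a choice made here.

```powershell
# Added example: fetch each HTTP CRL distribution point (CDP) of an exported
# certificate through the configured WinHTTP proxy and report the outcome.
param(
    [string]$CertPath = 'C:\temp\user.cer',   # hypothetical path to the exported certificate
    [int]$TimeoutMs = 10000                   # per-phase timeout in milliseconds
)

function Get-HttpCdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 is the OID of the CRL Distribution Points extension
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # On Windows, Format() renders each location as "URL=<location>"
    [regex]::Matches($ext.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
}

function Test-CrlViaWinHttp {
    param([string]$Url, [int]$TimeoutMs)
    $req = New-Object -ComObject WinHttp.WinHttpRequest.5.1
    $req.SetProxy(0)   # 0 = HTTPREQUEST_PROXYSETTING_DEFAULT: use the configured WinHTTP proxy
    # Resolve, connect, send and receive timeouts
    $req.SetTimeouts($TimeoutMs, $TimeoutMs, $TimeoutMs, $TimeoutMs)
    try {
        $req.Open('GET', $Url, $false)
        $req.Send()
        [pscustomobject]@{ Url = $Url; Result = "HTTP $($req.Status)" }
    } catch {
        # A wrong or dead proxy shows up here as a timeout or connection error
        [pscustomobject]@{ Url = $Url; Result = "FAILED: $($_.Exception.Message)" }
    }
}

netsh winhttp show proxy   # print the proxy the fetches below will go through

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$urls = @(Get-HttpCdpUrl -Cert $cert)
if ($urls.Count -eq 0) { Write-Warning 'No HTTP CRL distribution point in this certificate.' }
foreach ($u in $urls) { Test-CrlViaWinHttp -Url $u -TimeoutMs $TimeoutMs }
```

Run it on the machine that reports the revocation error; LDAP distribution points are skipped on purpose because they do not go through the HTTP proxy.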

Reverse Proxy for Exchange Server 2013 using IIS ARR

A Microsoft blog post covers how to replace Exchange publishing through TMG, which was discontinued not long ago.
The only question left is whether this also works on 2010, because everywhere it is published only with the 2013 version.

The gist is that you can put an IIS server in front of the CAS server(s), and a small add-on can be downloaded for it: this is ARR, which can recognize MS protocols and load balance them.

http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

How to manually delete a DFS Namespace using ADSIEdit

Last week, for some reason, the file server gave up completely. Nothing to be done, a new one was needed; the restore from backup was done, but the backup was from the state before DFS was installed. Since many links are tied to DFS (the users send files to each other in e-mail not as attachments but as links), it was important that the namespace stay the same.

To be able to create the same namespace on the new server, it first had to be deleted from ADSIEdit:

  1. Open the ADSI Edit MMC and choose the connect option from the right-click menu
  2. Stop the DFS Namespace service (net stop dfs)
  3. Connect to the "Default Naming Context"
  4. Find the CN=System,CN=DFS-Configuration folder
  5. On the right side, delete the existing namespaces
  6. Start the DFS service (net start dfs)
  7. Create it again on the new file server
  8. Restart the client machine(s)