Microsoft Forefront TMG 2010 invalid certificate

In this case Forefront TMG 2010 was installed on Windows Server 2008 R2, and for web publishing purposes (rule), server certificate from public CA was installed in local machine store. The certificate request was created with mmc using custom certificate request. Private key was successfully associated with certificate, but from TMG console this certificate was invalid with incorrect key type:

The reason for this behavior is that during custom certificate create wizard on custom request page for template was chosen CNG key instead Legacy key. Forefront TMG does not support certificates created with CNG

Another important worth to notice is that for Private Key (tab) options for the Key type usage must be selected Exchange instead the default one Signature :

Step by step instruction how to create certificate request using mmc can be found on one of my previous posts .

VSS Error Event 8194 on Windows Server 2012 Failover Cluster

In this case I was running Windows Server 2012 Hyper V Failover Cluster with CSV, and I was trying to backup the nodes from cluster using DPM 2012 SP1 RU 2. I have scheduled BMR system protection to all cluster member nodes. The backup of nodes was finishing successfully without any errors on DPM server. But, on all cluster nodes application log was having error logs 8194 from VSS source :

Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
This is often caused by incorrect security settings in either the writer or requestor process.
Gathering Writer Data
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
I have opened support case with Microsoft, and support engineer has confirmed that this behavior is bug. This behavior will probably not be changed, and should be ignored.

Failover Cluster validation test on Windows Server 2012 with warning

This case is connected with the previous post Unidentified network on teamed interface where Windows Server 2012 had teamed adapter in switch dependent / address hash / LACP mode. I had two identical server boxes configured the same, including network configuration. Both servers were planned to be part of failover cluster. Teamed adapter was having multiple interfaces with different VLAN ids. One of the interfaces was management interface with specified VLAN ID, and one interface with different id for internal cluster communication.
Failover cluster validation configuration wizard was finishing successfully with warning on Network part for Validate IP configuration test. The Validate IP configuration test was complaining about duplicate physical address on management and "private" (cluster communication) interface on both nodes. This warning is expected since both servers were using teamed adapter, and interfaces for management and cluster communication were with different VLAN ID created from same teamed adapter.
The configuration is valid and supported from Microsoft, and is published in following KB .

Unidentified network on teamed interface

In this case I was configuring Windows Server 2012 with two network interfaces. Both network interfaces were added to a team interface. Team was configured in switched dependent / Address Hash / LACP mode. Server was connected on Cisco Catalyst 4507. Initial port configuration was like this:

interface Port-channelX
switchport trunk encapsulation dot1q
switchport trunk allowed vlan Y
switchport mode trunk

interface GigabitEtherneta/b
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group X mode active

interface GigabitEthernetc/d
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group X mode active

After rebooting the server, Windows Server 2012 was unable to identify the network even though the server was properly configured, connected and domain joined. After disconnecting and connecting the network, the server was able to identify the network and apply the right domain firewall profile. The reason for this behavior was Network Location Awareness service, which was unable to test the network for connection type, since the network was not available during boot time. And, the reason why the network was not available, were spanning tree blocking and learning states. To change this kind of behavior, and to skip spanning tree blocking and learning states
spanning-tree portfast trunk should be added to interface Port-channelX configuration.
After adding the spanning-tree portfast trunk, the server was able to determine the network during boot, and applied the appropriate network profile, which in my case was domain firewall profile.
If the server was connected on Cisco switch with NXOS, the port channel should be configured with spanning-tree port type edge which will skip the spanning tree blocking and learning states. More info on .

Unable to deploy Adobe Flash Player using GPO

I was trying to deploy Adobe Flash Player 11 using Group Policy Object Software installation feature. The msi package of Adobe Flash Player was assigned to computer part of the GPO. GPO was applying successfully and Adobe Flash Player was installing successfully on start up on most of the computers that were in the scope for the GPO to be applied. On some workstations, GPO was failing to apply with following events in Application Log :

Log Name:      Application
Source:        MsiInstaller
Event ID:      10005
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM

Product: Adobe Flash Player 10 ActiveX -- Error 2753.The File 'InstallAX.exe' is not marked for installation.

And in System Event Log couple of messages from Source Application Management Group Policy with Event ID 108,303,102, followed by:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Event ID:      1085
Task Category: None
Level:         Warning
User:          SYSTEM

Fatal error during installation.

I tried to execute the msi package with administrative account and the setup was failing with following error message:

From control panel, Programs and Features there were now signs for any Adobe Flash Player Installation. But, in registry HKEY_Classes_Root\Installer\Products\ there was info for some Adobe Flash Player 10 ActiveX component:

After deleting the key from registry, Adobe Flash Player has installed successfully.

How to check EMBG (Unique Master Citizen Number) using regex

In this post, I will share my implementation of how to check if some number looks like EMBG or Unique Master Citizen Number. For those of yo...