As of November 2015, public CAs no longer issue new certificates that use internal names or reserved IP addresses in subjectAltName or in commonName. Furthermore, such certificates will be revoked on October 1st, 2016.
Internal names are hostnames that do not end with a top-level domain (.com, .de, …). For example: .local, .internal. NetBIOS names without any domain extension are also affected.
Reserved IP addresses are defined by the Internet Assigned Numbers Authority (IANA). You can look up the reservations for IPv4 here (RFC 1918 range) and IPv6 here (RFC 4193 range).
If you are using an internal CA, you are not affected. For more information about this change by public CAs, click here. For more information about VMware products, click here.
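To find affected certificates before the revocation date, the commonName and subjectAltName entries can be classified against the two definitions above. The following is an added example, not part of the original post; the function names, the sample TLD set and the sample certificate entries are constructed for illustration, and a real audit would load the full IANA TLD list.

```python
import ipaddress

# Reserved ranges the post names: RFC 1918 (IPv4) and RFC 4193 (IPv6).
RESERVED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed sample; a real audit would load the full IANA TLD list.
SAMPLE_PUBLIC_TLDS = {"com", "de", "net", "org"}


def classify_entry(entry, public_tlds=SAMPLE_PUBLIC_TLDS):
    """Return 'reserved-ip', 'public-ip', 'internal-name' or 'public-name'."""
    value = entry.strip().lower()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in RESERVED_NETWORKS):
            return "reserved-ip"
        return "public-ip"
    # Hostname: drop a wildcard label and a trailing root dot.
    host = value[2:] if value.startswith("*.") else value
    labels = host.rstrip(".").split(".")
    # A single label is a NetBIOS-style name without a domain extension.
    if len(labels) < 2 or labels[-1] not in public_tlds:
        return "internal-name"
    return "public-name"


def audit_certificate(common_name, subject_alt_names):
    """Map each offending CN/SAN entry to the reason a public CA rejects it."""
    findings = {}
    for entry in [common_name, *subject_alt_names]:
        kind = classify_entry(entry)
        if kind in ("reserved-ip", "internal-name"):
            findings[entry] = kind
    return findings


# Constructed certificate contents, not taken from a real server.
SAMPLE_CN = "view01.corp.local"
SAMPLE_SANS = ["view01.corp.local", "VIEW01", "10.1.2.3", "fd12:3456::1",
               "view.example.com", "*.example.de", "172.32.0.1"]

if __name__ == "__main__":
    for name, reason in audit_certificate(SAMPLE_CN, SAMPLE_SANS).items():
        print(f"{name}: {reason}")
```

Certificates with any finding need to be reissued from an internal CA or re-requested with publicly resolvable names only.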
Here are some very useful links and commands to implement and troubleshoot Microsoft KMS (Office and Windows).
Steps to install KMS for Windows (Link: here):
- Install KMS Server, install the KMS Key:
slmgr.vbs /ipk kms-key
You should get a success message after a few seconds. If not, the key may not be a KMS key, or it may be the wrong key.
- Activate the KMS Server online:
- Check Information about the service
slmgr.vbs /dlv (less information)
slmgr.vbs /dli (more information)
Steps to install KMS for Office 2010 (Link in German: here):
- Download the Office 2010 KMS Host License Pack here and install it on the KMS Server. During the installation you enter the KMS key for your Office 2010 license.
- Check Information about the service
slmgr.vbs /dlv all (for Windows and Office)
slmgr.vbs /dlv bfe7a195-4f8f-4f0b-a622-cf13c7d16864 (just for Office)
Stuff for troubleshooting:
This is a rather short post with a checklist, or rather a step list, of things you should know and do to create certificates for VMware products like VMware View. The steps in this post should work for Windows 2008 and later. Furthermore, you can use Steps 1 and 2 for other products besides VMware View, such as vSphere.
If you don’t have a Windows CA but want to use one to assign certificates, you have to create it. You can install it on either a domain controller or a member server. When you install the CA on a domain controller, you have to remove the CA before you demote the domain controller. This is the only limitation I know of, or rather was told about. But it is quite easy to move the CA to another server within the domain. So the limitation is important to know, but it is no showstopper!
- Install a Windows CA if one does not already exist
- Add the role Active Directory Certificate Services to a server.
- Install and configure CA to meet your requirements.
- Export the root-certificate into a text-file.
- Create a GPO to share the certificate as a Trusted Root Certification Authority within the domain. To do this, import the certificate into the GPO beneath Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities.
- Link the GPO to the AD level where you need it.
- Check that the certificate is installed as Trusted Root Certification Authorities on domain members.
- Create a certificate template for VMware products. This Step is optional but it is quite useful if you plan to create more than one certificate.
- Log into Windows CA using
- Manage Certificate Templates.
- Duplicate Web Server template and configure the copy:
- Leave compatibility to Windows Server 2003.
- Rename the copy and set a recognizable name.
- You can change validity and renewal period.
- For older versions (for example vSphere 5.0), consider setting Signature is proof of origin (nonrepudiation) and Allow encryption of user data in Extensions –> Key Usage. Furthermore, add Client Authentication in Extensions –> Application Policies.
- To enable the creation of SAN certificates, ensure Subject Name –> Supply in the request is selected.
- Add the groups of computer accounts in Security and allow them to Read and Enroll the template.
- To enable it, you have to issue the template using New –> Certificate Template to Issue.
- Now domain members should be able to select the template for requesting certificates.
- Request a certificate for View Connection Server.
I will describe how to use mmc.exe to request a certificate, because this is quite a simple way.
- Open the local computer certificate store using
- Open the Personal folder and Request New Certificate… and select the newly created template to configure the required settings:
- In tab Subject add the FQDN as Common name and as type DNS beneath Alternative name. Also add the hostname as type DNS. If you plan to provide your users a single hostname to connect to more than one connection server, provide the FQDN as DNS too.
- In tab General set “vdm” as Friendly name.
- In tab Private Key enable Make private key exportable beneath Key options.
- Enroll the certificate.
- Check the personal certificates of the server. If there is more than one certificate using the friendly name “vdm”, delete the unwanted self-signed certificate.
The list does not claim to be comprehensive. Use this information at your own risk!
User or device CALs
- Take user CALs when user uses more than one device to access the desktop.
- Take device CALs when the number of devices is greater than or equal to the number of users.
- Microsoft licenses the physical person (named user) NOT an Active Directory-User!
RDS CALs and VDA licenses
- VDA license includes the license for the virtual desktop.
- If you present a Windows Server OS instead of a client OS to a user, you need an RDS-CAL instead of a VDA license to allow the user to connect to this server. The prices are almost the same for server-CAL and VDA. In any case, this is only a good idea if a Windows Datacenter license is mapped to the host.
- Virtual desktop (no Software Assurance) accessed by Linux/Windows embedded/Windows Home/… –> VDA license
- Virtual desktop (with Software Assurance) accessed by any client –> already licensed
- A Windows device with active Software Assurance that connects to a virtual desktop –> virtual desktop and connection are licensed by Software Assurance
- To use RDS (Applications or Desktops) you need RDS-CALs.
Additional server CALs
- Connection Brokers also need Windows CALs for users or devices.
- If external users cannot be counted, you can license them with an External Connector license for Windows. If you know how many there are, you need CALs for users or devices.
- Licenses for SQL Server based on CPUs are based on the number of cores, NOT the number of sockets.
Installation and how to use:
- Install the client by adding the feature “nfs client for windows” – straightforward … no reboot required
nfsadmin to configure the client, if necessary
mount to map shares
umount to remove mount points
mount \\nas-device\nas\share u:
could be interesting:
- -o mtype=soft|hard
hard: in case the nfs-server goes offline, the nfs client for windows will try to reconnect until the server is online again.
- -o nolock
better performance in case of just read-access
- -o fileaccess=mode