Windows Admin Center (WAC) ACME certificates with PFsense

In this guide I will show you how to set up automatic certificate renewal for Windows Admin Center (WAC) with the pfSense ACME package. The starting requirement for this guide is that you have already set up the ACME package within pfSense; if not, you can use this guide.

Creating a certificate user

Assigned privileges for the certificate user
  • First, navigate to this GitHub script I created and download it to your Windows Admin Center instance.
  • Second, create a dedicated pfSense user with restricted access: go to System -> User Manager -> Add, create the user and name it accordingly.
  • After creating the user, create a pfSense group and assign the new user to it. Edit the group and, under Assigned Privileges, add “WebCfg – System: Certificate Manager” and “WebCfg – Dashboard (all)”. Keep in mind that the Certificate Manager privilege allows exporting certificates together with their private keys, so treat this account as sensitive: its credentials end up in clear text in the script as $PFSENSE_USERNAME and $PFSENSE_PASSWORD, so restrict read access to the script file to the account that runs it. Set those two variables to the certificate user we just created and change the $SITE variable to the pfSense FQDN or IP address.

Setting the certificate variables

The certificate ID for *.ictguru.nl as an example.
  • Head to System -> Certificate Manager -> Certificates and hover over the export certificate button of the certificate you want to use for your WAC instance. The link contains the certificate ID (the red string in the screenshot); set this as the value of the $CERTID variable.
  • In addition, set the following variables: $CERTNAME is the file name for the certificate once downloaded, $CERTDIR is the directory where the certificate and key are downloaded and merged into a .pfx file, $PFXPASSWORD is the password that protects the resulting .pfx file, and $WACPORT is the port on which your Windows Admin Center instance listens.
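The article links to the author's script rather than reproducing it, so here is an added example (my code, not the author's PfsenseACME-WacSSL.ps1 and not Microsoft's) of the last step of the renewal: taking the merged .pfx and binding it to Windows Admin Center. It uses the variable names from the article, but the values, the C:\Certs path and the 'wac' file name are assumptions. It reads the existing http.sys binding so the application ID stays unchanged, refuses a PFX without a private key or close to expiry, and only rebinds when the thumbprint actually changed, so it is safe to run from a daily task.

```powershell
# Added example, not the author's PfsenseACME-WacSSL.ps1: bind a freshly merged PFX to WAC.
# Variable names follow the article; the values below are assumptions for illustration.
$CERTDIR     = 'C:\Certs'
$CERTNAME    = 'wac'
$PFXPASSWORD = 'change-me'               # in production read this from a file only the task account can open
$WACPORT     = 443
$wacSvc      = 'ServerManagementGateway' # service name of the Windows Admin Center gateway

function Get-NetshField($lines, $name) {
    # Pull one "<name> : <value>" field out of 'netsh http show sslcert' output.
    $m = $lines | Select-String "$name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value }
}

$pfxPath = Join-Path $CERTDIR "$CERTNAME.pfx"
if (-not (Test-Path $pfxPath)) { throw "PFX not found: $pfxPath" }
$secure = ConvertTo-SecureString $PFXPASSWORD -AsPlainText -Force

# Check the file before touching the listener: it must load, carry a private key and not be about to expire.
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $secure)
if (-not $new.HasPrivateKey) { throw 'PFX contains no private key; the merge step failed' }
if ($new.NotAfter -lt (Get-Date).AddDays(7)) { throw "Certificate expires $($new.NotAfter); refusing to bind it" }
$dnsName = $new.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
"Candidate: $dnsName, thumbprint $($new.Thumbprint), valid until $($new.NotAfter)"

# Read the current http.sys binding so WAC's own application id can be reused unchanged.
$binding = netsh http show sslcert ipport=0.0.0.0:$WACPORT
$curHash = Get-NetshField $binding 'Certificate Hash'
$appId   = Get-NetshField $binding 'Application ID'
if (-not $appId) { throw "No SSL binding found on port $WACPORT; is WAC installed on this port?" }

if ($curHash -ieq $new.Thumbprint) {
    "WAC already serves $($new.Thumbprint); nothing to do."
    return
}

# Import into the machine store (private key included), rebind the port, restart the gateway.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secure | Out-Null
netsh http delete sslcert ipport=0.0.0.0:$WACPORT | Out-Null
netsh http add sslcert ipport=0.0.0.0:$WACPORT certhash=$($new.Thumbprint) appid=$appId certstorename=MY | Out-Null
Restart-Service $wacSvc

# Verify from the server's side before trusting the browser padlock.
$after = Get-NetshField (netsh http show sslcert ipport=0.0.0.0:$WACPORT) 'Certificate Hash'
if ($after -ine $new.Thumbprint) { throw 'Rebind did not take effect' }
"WAC on port $WACPORT now serves $dnsName ($($new.Thumbprint))"

# Housekeeping: remove superseded copies of the same certificate, keeping the one just bound.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $new.Subject -and $_.Thumbprint -ne $new.Thumbprint -and $_.NotAfter -lt $new.NotAfter } |
    Remove-Item
```

The netsh rebind is the low-level equivalent of what the WAC installer does; Microsoft's documented alternative is to re-run the installer with the SME_THUMBPRINT property. Whichever you use, the .pfx and its password are the sensitive artefacts: keep $CERTDIR readable only by administrators and the task account, and delete the .pfx once it has been imported if you do not need it for anything else.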

Creating the scheduled task for automatic renewal

After that, create a scheduled task on the WAC server, preferably running as a service account with administrative privileges, since the script has to install the certificate for WAC. Create the scheduled task according to the screenshots below; for running the script I recommend setting the program to powershell.exe and the arguments to -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File c:\PfsenseACME-WacSSL.ps1.
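The screenshots show the Task Scheduler GUI; the same task can be registered from PowerShell, which is easier to repeat on a second gateway. The following is an added example (my code, not from the article): the account name CONTOSO\svc-wac-cert, the daily 03:00 schedule and the task name are assumptions. Because the script holds the pfSense and PFX passwords in clear text, it first tightens the ACL on the script file, then registers the task with the exact arguments recommended above and runs it once to read back the result code.

```powershell
# Added example, not from the article: register the renewal task from PowerShell.
# Account, schedule and task name are assumptions; the script path and arguments follow the article.
$scriptPath = 'C:\PfsenseACME-WacSSL.ps1'
$taskName   = 'PfsenseACME-WacSSL'
$runAs      = 'CONTOSO\svc-wac-cert'   # assumed service account, local administrator on the WAC host

# The script contains the pfSense and PFX passwords: stop ACL inheritance, then allow only
# administrators and SYSTEM (full control) and the task account (read and execute).
$acl = Get-Acl -Path $scriptPath
$acl.SetAccessRuleProtection($true, $false)   # protect the DACL and drop inherited entries
$rights = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl'; $runAs = 'ReadAndExecute' }
foreach ($entry in $rights.GetEnumerator()) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($entry.Key, $entry.Value, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $scriptPath -AclObject $acl

# Task definition: the arguments are the ones recommended in the article.
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At '03:00'
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 15) `
            -StartWhenAvailable -MultipleInstances IgnoreNew

# Register under the service account with highest privileges (prompted once for its password).
$password = Read-Host -Prompt "Password for $runAs"
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $runAs -Password $password -RunLevel Highest | Out-Null

# Run it once now and read back the exit code instead of only looking for the padlock.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 30
$info = Get-ScheduledTaskInfo -TaskName $taskName
"Last run: $($info.LastRunTime), result 0x{0:X}" -f $info.LastTaskResult
```

A LastTaskResult of 0x0 means PowerShell exited cleanly; anything else (0x1 for a terminating error in the script, 0x41301 while it is still running) tells you to look at the task history before checking the browser. If the domain supports it, a group managed service account is a better fit than a password-bearing service account here: pass it with New-ScheduledTaskPrincipal -LogonType Password and no password is stored in the task at all.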

Test the scheduled task you created above and check the result by opening your WAC server in your browser. You should be greeted with a small green padlock in the address bar, like so.

Exchange 2016 with 4GB RAM

I was doing some exercises for school with Exchange Server 2016 when I had a fun idea: I was wondering what would happen with 4GB of RAM. The bare minimum is 8GB of RAM to get past the prerequisites. On 8GB it ran quite well, so I wondered: what would happen? What could happen?

Testing Exchange 2016 with 4GB RAM

Hyper-V status for ‘Mail1’: it is asking for 10GB of RAM while 4GB of RAM has been assigned.

Now on to the experiment. I decided to boot the server, just for fun, with 4GB of RAM. It booted just fine, until I tried to log into the server: I could not access it via RDP, only via the Hyper-V native console. After that I decided to check the server memory. The server was asking for about 6GB of non-existent RAM.

Trying to access the OWA portal surprised me: a login screen presented itself. When my login finally processed I was disappointed to see that the server ‘officially’ ran out of memory.

Okay, back to the drawing board. What if I created a 15 to 20 GB pagefile?

Setting up Exchange 2016 with a pagefile

So I created a 20GB pagefile, rebooted the server, waited a long time for it to initialize, and bingo! After the reboot I tried logging into OWA again and, to my surprise, I was greeted with the inside of my mailbox. Now let's try to actually use the mailbox: I sent a mail to my own mailbox and waited for the magic to happen, only for it to never arrive; it completely disappeared. So I sent another email and decided to investigate using the ECP.


Conclusion

To conclude: it is not possible to run Exchange 2016 with 4GB of RAM, and I don't think 6GB will change much; 8GB is the bare minimum for a reason. It was a fun experiment. Here are some of the event logs:

Event ID 7000: The Microsoft Exchange Diagnostics service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Event ID 7009: A timeout was reached (30000 milliseconds) while waiting for the Microsoft Exchange Diagnostics service to connect.

Event ID 2004: Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: w3wp.exe (8528) consumed 455249920 bytes, noderunner.exe (6748) consumed 442880000 bytes, and w3wp.exe (2320) consumed 403537920 bytes.

Event ID 1000: Faulting application name: dwm.exe, version: 10.0.14393.0, time stamp: 0x578999ab
Faulting module name: dwmcore.dll, version: 10.0.14393.1715, time stamp: 0x59b0d15f
Exception code: 0xc00001ad
Fault offset: 0x00000000000f5956
Faulting process id: 0xf10
Faulting application start time: 0x01d619b841150774
Faulting application path: C:\Windows\system32\dwm.exe
Faulting module path: C:\Windows\system32\dwmcore.dll
Report Id: e2e48ab6-8839-4c86-9bd7-c2e956165c3c
Faulting package full name:
Faulting package-relative application ID:

Event ID 3154: Active Manager failed to mount database EXC-DB01 on server Mail.school.test. Error: An Active Manager operation failed with a transient error. Please retry the operation. Error: Database action failed with transient error. Error: A transient error occurred during a database operation. Error: MapiExceptionNetworkError: Unable to mount database. (hr=0x80040115, ec=-2147221227)

Sysprepped server not automatically AzureAD joined

Around the start of the corona crisis a client of ours needed a big upgrade of his RDS farm. The existing farm consisted of 5 RD servers and 1 gateway. We would sysprep 5 servers for a total of 10 RD servers.

I should mention that those RD servers are hybrid joined: on-premises AD and Azure AD. We configured the 5 servers and went about our day, until users started complaining about conditional access policies on the RD servers. Five of them were not Azure AD joined and that caused problems.

DsrDeviceAutoJoinFederated failed with -2146893802
wmain: failed with error code 0x80090016.

Manually running the workplace join task (Task Scheduler > Microsoft > Windows > Workplace Join > Automatic Device Join) did not help; it just produced these errors. (0x80090016 is NTE_BAD_KEYSET, “Keyset does not exist”; -2146893802 is the same HRESULT printed as a signed integer, so both lines report one failure: the join task cannot open its key in the machine key store.) After a long internet search I found the solution.

# Move the machine-wide CNG key store aside, recreate it with the original ACL, then rerun the join task and check the result.
Rename-Item -Path "C:\ProgramData\Microsoft\Crypto\Keys" -NewName "KeysOLD"
New-Item -Path "C:\ProgramData\Microsoft\Crypto\Keys" -ItemType Directory
Get-Acl -Path "C:\ProgramData\Microsoft\Crypto\KeysOLD" | Set-Acl -Path "C:\ProgramData\Microsoft\Crypto\Keys"
Start-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName "Automatic-Device-Join"
dsregcmd /status
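One caveat a practitioner would want before running the rename: C:\ProgramData\Microsoft\Crypto\Keys is the machine-wide store for every software-backed CNG private key, not only the one the join task trips over. Any certificate in the machine store whose private key lives there (an RDP, IIS or RD Gateway certificate, for instance) silently loses its key once the folder is renamed. The following is an added pre-flight check, my code and not part of the original post: it confirms the host is really not Azure AD joined, then lists the LocalMachine\My certificates whose key file sits in that folder so you know what to re-import afterwards. The paths are the standard Windows locations; everything else is an assumption for illustration.

```powershell
# Added example, not part of the original post: pre-flight check before renaming the CNG key store.
$keyDir = 'C:\ProgramData\Microsoft\Crypto\Keys'   # standard location of machine-wide CNG (KSP) keys

# 1. Confirm the device really is not Azure AD joined, so a healthy host is not "fixed" by mistake.
$status = dsregcmd /status
$m = $status | Select-String 'AzureAdJoined\s*:\s*(\S+)' | Select-Object -First 1
$joined = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
"AzureAdJoined : $joined"

# 2. Map every LocalMachine\My certificate to the CNG key file it uses, if that file is in $keyDir.
#    Legacy CSP keys live under Crypto\RSA\MachineKeys and are not touched by the rename, so skip them.
$affected = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if (-not $cert.HasPrivateKey) { continue }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } catch { continue }                                   # key not accessible to this caller
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) { continue }
    $file = Join-Path $keyDir $rsa.Key.UniqueName           # UniqueName is the on-disk key file name
    if (Test-Path $file) {
        [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; KeyFile = $file }
    }
}

if ($affected) {
    Write-Warning "These certificates keep their private key in $keyDir and will lose it after the rename:"
    $affected | Format-Table -AutoSize
} else {
    "No LocalMachine\My certificate stores its private key in $keyDir; the rename will not break any of them."
}
```

Run this as an administrator; GetRSAPrivateKey needs read access to the key container. Keep the KeysOLD folder until dsregcmd /status reports AzureAdJoined : YES and every certificate listed above has been re-imported from its original .pfx, and only then delete it.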