Monday, January 4, 2016

Solution for the KB2813430 / KB2982792 issue (how to configure Windows Server 2008 R2 servers to download the CTLs from an internal SCCM server)

Issue: our security scanner (Qualys) reported 'Microsoft Improperly Issued Digital Certificates Spoofing Vulnerability (KB2982792)' on all our Windows Server 2008 R2 servers.

Constraint: these are internal corporate servers with no direct internet access. The fix for KB2982792 is not a regular patch that SCCM/WSUS distributes; it is an updated disallowed-certificate trust list (CTL) that Windows downloads automatically from Windows Update. On a server that could reach the internet it would have been applied by itself; our servers cannot, so the stale CTL keeps getting flagged.


Solution: we use SCCM for patching and followed the steps below (they follow KB2813430).

1) Apply the hotfix https://support.microsoft.com/en-us/kb/2813430 on the clients. (This step was already done.) The hotfix adds the ability to point the automatic root/CTL updater at an internal share instead of Windows Update.
2) On your SCCM server, or any other server that can connect to Windows Update, create a shared folder. The clients read it with their computer account, so Domain Computers (or Authenticated Users) needs read access to the share.
3) Run the following command on that server to synchronize a destination directory with the Windows Update site (keep the folder current afterwards, for example with a daily scheduled task, because Microsoft updates the CTLs):
certutil -syncWithWU <DestinationDir>
Note: DestinationDir is the folder that the files are copied to (the shared folder from step 2). When you run the command, the following files are downloaded from Windows Update:
- authrootstl.cab: the CTL of third-party root certificates.
- disallowedcertstl.cab: the CTL of disallowed certificates (the list that KB2982792 updates).
- disallowedcert.sst: the disallowed certificates themselves.
- <thumbprint>.crt: the third-party root certificates, one file per certificate.

4) Configure Group Policy to set the registry value on all clients:
a. Log on to a DC and open GPMC.msc.
b. Create a GPO and link it to the domain (or to the OU that contains the 2008 R2 servers).
c. Edit the GPO and expand Computer Configuration > Preferences > Windows Settings > Registry.
d. Create a registry item that writes the following value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl (REG_SZ)
Set its data to the UNC path of the share from step 2, for example \\<SCCMserver>\<share>. This value tells the automatic updater where to retrieve the CTLs, so the clients no longer need to reach Windows Update.

5) The clients pick up the registry value when they refresh Group Policy (gpupdate /force, or the next background refresh). Once the updater has pulled the new disallowed CTL from the share, the Qualys finding clears on the next scan.
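The same chain as an added PowerShell example, not code from the original post or from Microsoft: the server-side sync of step 3 and the client-side registry value of step 4 as functions, so the whole path can be tested on one client before the GPO is rolled out. The share \\SCCM01\CTL and its local folder D:\CTL are hypothetical names; the certutil switch, the file names and the RootDirUrl value come from KB2813430.

```powershell
# Added example (not from the original post): server-side CTL sync and
# client-side RootDirUrl setting from KB2813430, as functions.
# Assumptions: \\SCCM01\CTL is a hypothetical share, D:\CTL the folder behind it.

# Step 3 (server with Windows Update access): populate the folder behind the share.
function Sync-CtlShare {
    param([string]$LocalDir = 'D:\CTL')   # hypothetical folder shared as \\SCCM01\CTL
    New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
    & certutil.exe -syncWithWU $LocalDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed (exit code $LASTEXITCODE)" }
    # Without these three files the clients silently keep their stale lists.
    foreach ($f in 'authrootstl.cab', 'disallowedcertstl.cab', 'disallowedcert.sst') {
        if (-not (Test-Path (Join-Path $LocalDir $f))) { throw "$f missing after sync" }
    }
    Get-ChildItem -Path $LocalDir -Filter '*.cab' | Select-Object Name, Length, LastWriteTime
}

# Step 4 (test client with KB2813430 installed): writes the same REG_SZ value the GPO does.
function Set-CtlRootDirUrl {
    param([string]$Share = '\\SCCM01\CTL')
    # Fail early if the share is unreachable from this client. This check runs as the
    # logged-on admin, not as the computer account, so still confirm Domain Computers has read access.
    if (-not (Test-Path (Join-Path $Share 'disallowedcertstl.cab'))) {
        throw "$Share is not reachable or does not contain disallowedcertstl.cab"
    }
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name RootDirUrl -Value $Share -Type String
    (Get-ItemProperty -Path $key -Name RootDirUrl).RootDirUrl
}

# Step 5 check, run on any client after gpupdate: confirm the GPO delivered the value.
function Get-CtlRootDirUrl {
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    (Get-ItemProperty -Path $key -Name RootDirUrl -ErrorAction SilentlyContinue).RootDirUrl
}

# Usage:
#   Sync-CtlShare                              # on the SCCM server; schedule it daily
#   Set-CtlRootDirUrl -Share '\\SCCM01\CTL'    # on one test client before the GPO
#   Get-CtlRootDirUrl                          # on clients after gpupdate /force
```

Sync-CtlShare is the piece that tends to be forgotten: the share only helps while its CTLs are current, so put it in a scheduled task on the SCCM server rather than running it once.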

Tuesday, December 22, 2015

After re-installing ESXi 5.5 on a Cisco UCS blade, unable to ping the ESXi management network or join the host to vCenter

Issue: I re-installed ESXi 5.5 on a Cisco UCS blade; afterwards the ESXi management IP did not respond to ping and the host could not be connected to vCenter.

Finding:

Upon checking the ESXi configuration, I found that the vmk0 MAC address of the problem host was the same as the physical MAC address of another production ESXi host, and this MAC address conflict was why I was unable to ping the management IP. The vmk0 interface created by the installer inherits the MAC address of its first physical uplink (on UCS, the vNIC MAC assigned by the service profile), so a duplicate at that level shows up on vmk0; VMkernel interfaces created afterwards get a VMware-generated address in the 00:50:56:xx:xx:xx range instead.
Solution:

I deleted the vmk0 configuration as below and created it again; ESXi then generated a VMware MAC address for vmk0 and I was able to ping the ESXi host management IP.
Refer to: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1031111

esxcfg-vmknic -d -p 'Management Network'

This command deletes all VMkernel NICs on the 'Management Network' port group, so run it from the DCUI/console (ESXi Shell) rather than over SSH to the management IP, which drops the moment vmk0 disappears. Recreate vmk0 on the same port group with the original IP address and netmask (and re-add the default gateway if it was lost), then confirm the new MAC address in the listing. Since the duplicate originated on the UCS side, it is also worth checking the vNIC MAC pools in UCS Manager for overlapping ranges so the conflict does not return on the next reinstall.

00:50:56:xx:xx:xx MAC address automatically assigned to the recreated vmk0
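The check-and-recreate sequence as an added example for the ESXi 5.x shell, not a script from the original post or from VMware: it parses `esxcfg-vmknic -l`, tells an inherited hardware MAC apart from a VMware-assigned one, and recreates vmk0 with its static IP when needed. The 'Management Network' port group name, the sample IP and MAC values, and the field layout of the constructed listing are assumptions; the esxcfg-vmknic -d line is the one from the post, the esxcli/esxcfg-route lines are what I would use to put vmk0 back.

```sh
#!/bin/sh
# Added example, not from the original post: check vmk0's MAC for the VMware OUI
# and recreate vmk0 when it still carries an inherited (possibly duplicated)
# hardware MAC. Written for the ESXi 5.x busybox shell; run it from the
# DCUI/console, because removing vmk0 drops any SSH session riding on it.
# Port group name, interface name and the sample values are assumptions.

# Constructed sample of `esxcfg-vmknic -l` output for testing the parser offline.
SAMPLE_LISTING='Interface  Port Group/DVPort   IP Family IP Address   Netmask        Broadcast     MAC Address       MTU  TSO MSS Enabled Type
vmk0       Management Network  IPv4      10.10.10.5   255.255.255.0  10.10.10.255  00:25:b5:0a:00:1f 1500 65535   true    STATIC'

# Print the MAC address found on the vmk0 line of an esxcfg-vmknic -l listing (stdin).
# The port group name contains spaces, so match a MAC pattern instead of a column.
vmk0_mac_from_listing() {
    hex='[0-9a-fA-F][0-9a-fA-F]'
    awk -v re="$hex:$hex:$hex:$hex:$hex:$hex" \
        '$1 == "vmk0" && match($0, re) { print tolower(substr($0, RSTART, RLENGTH)); exit }'
}

# Return 0 if the MAC is in the VMware-assigned range 00:50:56:xx:xx:xx.
is_vmware_mac() {
    case "$1" in
        00:50:56:*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Classify the current vmk0 from a listing on stdin: 0 = VMware-assigned MAC,
# 1 = hardware MAC inherited from the uplink (check for duplicates), 2 = no vmk0.
check_vmk0() {
    mac=$(vmk0_mac_from_listing)
    if [ -z "$mac" ]; then
        echo "vmk0 not found" >&2
        return 2
    fi
    if is_vmware_mac "$mac"; then
        echo "vmk0 MAC $mac is VMware-assigned"
        return 0
    fi
    echo "vmk0 MAC $mac was inherited from a physical NIC; check for duplicates" >&2
    return 1
}

# Delete vmk0 and recreate it with the same static IP so ESXi assigns a fresh
# 00:50:56 MAC. Usage: recreate_vmk0 <ip> <netmask> [gateway]
recreate_vmk0() {
    ip=$1; mask=$2; gw=$3
    esxcfg-vmknic -d -p 'Management Network'     # the command from the post
    esxcli network ip interface add --interface-name=vmk0 --portgroup-name='Management Network'
    esxcli network ip interface ipv4 set --interface-name=vmk0 --ipv4="$ip" --netmask="$mask" --type=static
    esxcli network ip interface tag add --interface-name=vmk0 --tagname=Management
    [ -n "$gw" ] && esxcfg-route "$gw"           # the default route goes away with vmk0
    esxcfg-vmknic -l | check_vmk0
}

# On the host:
#   esxcfg-vmknic -l | check_vmk0 || recreate_vmk0 10.10.10.5 255.255.255.0 10.10.10.1
```

check_vmk0 only distinguishes "VMware-assigned" from "inherited"; an inherited MAC is not wrong by itself, so compare it against the other hosts (and the UCS MAC pools) before recreating the interface.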