So last time we created a Master-VHDX on Hyper-V with Windows Server 2019 in order to save space. Today we are installing the first Domain Controller with a fresh domain. Very straight forward stuff.

Before installing Active Directory Directory Services, the computer should have a decent name.

Give it a fixed IP address. Since this is going to be a lab, I am not going to plan the IP design. The Default Gateway does not exist yet. Also, the secondary DNS server will be installed later on a Server Core version.

From Server Manager Add Roles and Features, Select Role-based or feature-based installation

Select the Active Directory Directory Services Role

Everything else can be left on default.

Once the installation is completed, the server can be promoted to a Domain Controller.

Since there is no existing forest, the root domain name must be defined:

Define a new password for the Directory Services Restore Mode (DSRM). DSRM allows you to perform an authoritative restore of single or multiple AD objects through ntdsutil (from cmd).

This warning can be safely ignored.

The NetBIOS domain name can be used when logging into a domain computer, for example AJNI\Domainuser. The UserPrincipalName can be also used – domainuser@ajni.it.

The rest can be left to default.

The server will restart, after that the domain will be up and running!

The next blog post will be covering the installation of an additional Domain Controller (the second DNS server 10.10.10.11) with Windows Server 2019 Core Edition.

Stay tuned !

Hyper-V has a very interesting feature that allows to save a lot of space: By creating a golden VHDX Disk with the base operating system, you can then use so called “Differencing” disks, which reference the Master VHDX and only save the changes on their disk.

So, first things first: Just create a normal VM to prepare the golden image for later use.

Specify Generation 2

Give the Golden disk a self-explanatory name

Before starting the VM, disable automatic checkpoints (in VMware known as Snapshots) and give it more juice. Do not forget to apply changes:

Install the OS (standard procedure)

Once the OS installed and custom settings are made, the machine is ready to be Sysprep’ed.

Delete the VM once stopped, the disk will not be deleted. Then locate the VHDX and set it into Read-Only mode.

Now a new VM can be created in Hyper-V with a Differencing disk. Note: In the VM creation wizard specify “Attach a virtual disk later”:

Now in the VM settings under SCSI Controller add a new Hard Drive:

Select the last option for Differencing:

This will be the new disk name:

And finally, the base disk we created previously:

Before powering on the machine make sure the new disk is first in the boot order.

The VM is up and running!

Notice the size of the new VHDX. Only 1.4 GB!

In the VM settings you can once again inspect the disk and see the relationship with the golden disk.

MS Edge Beta has been out for some days now and the Group Policy Templates are already available for download, which are crucial for IT Pros.

You can download them here.

How to import them in the GP Editor? Easy. You can test them on your local machine first. Just copy the files msedge.admx and msedgeupdate.admx to C:\windows\PolicyDefinitions and the language .adml files to C:\windows\PolicyDefinitions\en-US.

In an Enterprise environment you normally move these files into the central group policy store, located under \\domain.com\SYSVOL\domain.com\policies\PolicyDefinitions.

After opening Group Policy Editor (gpedit.msc), under Computer Configuration > Administrative Templates you will see the newly imported Policies:

Now let’s specifically configure the IE Mode feature. For that we need to configure two settings. The first will configure the IE Mode and the second one lists the websites that are affected by IE Mode.

Under Microsoft Edge > Configure Internet Explorer Integration you want to select Internet Explorer Mode in order to integrate IE with the new Edge in case one of the specificied URLs is visited:

The second one is located under Windows Components > Internet Explorer > Use the Enterprise Mode IE Website List. You can use a file:///C:/local/path.xml, a \\network\path or a https://URL that hosts the XML file. I will be using a local path here.

With the MS Tool Enterprise Mode Site List Manager you can easily add or edit the site list. Just add a new URL, select the IE Mode you want to use and save it as an XML.

Now do a gpupdate /force, restart Edge and test your site. You will know that the policy has applied if you see the IE icon when you visit a site you have specified in the Enterprise Mode Site List Manager.

If you are having issues getting this to work, make sure your device has the latest Windows Updates installed, like stated in the Microsoft documentation.

Also this feature is not yet supported on Windows Server 2016 and some older versions of Windows 10.

If you have problems with MS Edge on Windows Server 2016 RDS with Citrix XenApp, you will have to exclude the process msedge.exe from Citrix hooks:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook
REG_SZ “ExcludedImageNames”
Value “msedge.exe”

Are you trying to delete a local Windows User Profile because something doesn’t behave the way it should? Here is a quick and easy tip to remember.

Deleting a user profile is very straightforward, if you know how to. Just deleting C:\Users\<username> is not enough though. In fact stranger things might occur if you just delete the user’s folder.

There are two ways of deleting a user profile:

Method 1: Advanced System Settings (Very easy)

By going into the Advanced System Settings you can delete a user profile. The user obviously has to be logged off, otherwise the “Delete” button will be greyed out.

Method 2: Regedit

Note: It is always a good idea to make a backup of your current Registry entries BEFORE making any changes. You could for example rename the registry key or “Export” it by right clicking on the key you want to backup. Sub-keys are also backed up.

There are cases where the user profile is not listed in the Advanced System Settings, but the user folder is present under C:\Users. In that case you can firstly delete the profile SID under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

You do not have to know the user’s SID, the Key “ProfileImagePath” will help you determine the username associated with the SID.

After deleting the whole key (left side), you can also delete the user’s folder under C:\Users.

Today my free SSL certificate expired, so I decided I could guide you to claim yours as well.

You will generate a Certificate Signing Request (CSR) on your local machine (I have a Linux VM hosting my site on Apache2), send the request to www.sslforfree.com and after that download your new signed certificate.

The process of obtaining a certificate is very simple and painless, however there is a catch: these kinds of certificates usually have a validity period of 4 months. Which means you have to renew it every so often.

Like mine here:

So let’s get started.

Generating your Certificate Signing request with openssl

First of all, you will need a config file, which contains all of the certificate’s attributes. Mine is named ajni.conf. Here is the content of the config file. I have highlighted the attributes you need to adapt based on your environment.

[ REQ ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ DN ]
CN = ajni.it #Common Name
emailAddress = ajnik@outlook.com
O = Non Profit #Organization
OU = Ajni #Organizational Unit
L = Meran #Locality
ST = Suedtirol #State
C = IT #Country
[ REQ_EXT ]
subjectAltName = DNS: www.ajni.it, DNS: ajni.it

Now that you have a config file, you can execute the openssl command to generate a CSR. Once again, I have marked the variables.

openssl req -new -config ajni.conf -keyout ajni_key.pem -out ajni.csr

Copy the content of your CSR (in my case ajni.csr) somewhere for later use. The string should have the following format

—–BEGIN CERTIFICATE REQUEST—-
dUKFAPtXm076zSFdoriy4v7p1Xa4N9nteRxkbi66bK0GqsqoeoUMprOOoOLMwzPOlvkLS0= dUKFAPtXm076zSFdoriy4v7p1Xa4N9nteRxkbi66bK0GqsqoeoUMprOOoOLMwzPOlvkLS0=
—–END CERTIFICATE REQUEST—–

Send your CSR to SSLforFree.com

Go to www.sslforfree.com, insert your domain name and hit Create Free SSL Certificate

You have 3 options to prove to SSLforFree that the domain belongs to you:

I chose to use the DNS verification (option 3). You will need to create 2 TXT records on your domain (for domain.it and for www.domain.it).

Once you have added both TXT records you can proceed to download the certificate. Select “I Have My Own CSR”, since you created one with openssl. It is, from a security standpoint, safer than letting SSLforFree create a private key for you.

Note that DNS records can take some time to replicate, so you might need to wait a few minutes before downloading the certificate.

You can verify the records at https://mxtoolbox.com/SuperTool.aspx.
The verify link on www.sslforfree.com didn’t always work for me.

Now copy the content of the public certificate itself and the CA Bundle (which contains the Root and Intermediate Certificate).
You will need them in order for the browser to trust your site/certificate.

Create 2 more text files, each containing the content of the 2 certificates. The files need a .pem extension:

Modify your Apache2 config file

At this point you have 3 files in total: your public certificate, your private certificate and your CA certificate. Now change the config file of your apache virtual site under /etc/apache2/sites-enabled/domain.conf or default-ssl.conf.

The relevant parameters are SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile. Set the path of your files. For example, /etc/apache2/cert.pem. You might need to enable the SSL apache2 module.

The www-data user needs read permission on those files.

a2enmod ssl

Restart Apache2

Lastly, restart the apache2 service

service apache2 restart

One browser refresh and my site has already the new certificate:

If you have any questions feel free to comment down there, I will happily assist you.

Cheers!