Dec 022021
 

As I’m watching the Synology: 2022 AND BEYOND event live I wanted to write this post to share with you some of my favorite parts.

For those of you wanting to tune in (while live) or watch the replay you can view it below.

You can also visit: https://event.synology.com/en-us/annual_event to watch the stream (or replay) and find out more information.

DSM 7.0.1 and DSM 7.1

As an IT professional and enthusiast, here’s a list of some of my favorite new features, functionalities and improvements.

DSM 7.0.1

  • High Availability Improvements
    • 40% less time needed for failovers and switchovers
    • 80% less time needed for system updates
  • System Responsiveness and Performance enhancements
    • 56x faster SMB (Windows File Share) searches
    • 70% speed up in application launches
    • 80% faster RAID 6 performance (for double parity RAID)
  • Enhanced Drive Replacement
    • Replace predicted failure/presumed unhealthy/to-be-retired drives with unused healthy drives that are in other bays.
    • Switch without degrading your array/storage pool
  • Auto Drive Replacement
    • Clones predicted failure/presumed unhealthy drive to available hot spare, switching automatically when the drive fails without requiring RAID rebuild time
  • Volume-wide data deduplication (on all flash arrays)
    • Scheduled or Manual Volume Wide Deduplication on all flash volumes
    • Click here for information on supported models and configurations
  • Synology Directory Server
    • Secondary domain controllers provide additional redundancy and availability of directory services
    • Provides ability to deploy additional domain controllers at additional locations

DSM 7.1 (Coming Soon)

  • SMB Multichannel
    • Utilize multiple network links and network connections to combine speed with SMB (Windows File Share) file transfers
    • Provides redundancy and fault tolerance
  • DFS Support over SMB
    • Combine multiple Synology NAS file servers to provide file services to your network using Distributed File System (DFS)
  • Active Insight
    • Numerous updates to make Active Insight more powerful when it comes to managing numerous Synology NAS units.
    • Enhanced control and information on System Updates
    • Suspicious activity detection recognizes suspicious activity on the NAS units (example: unusual login times and locations, unused accounts being used after being idle, failed logins, etc).
    • Task monitoring for Hyper Backup
  • Synology Directory
    • Read-only domain controller support provides ability to deploy read only domain controllers at remote sites that may not be physically secure while providing local cached copies of the directory.

And that’s not all…

Synology has also made numerous improvements to their Data Protection Services, Surveillance suite, Wireless Networking, Synology C2 Cloud, and more, but you’ll have to check it out for yourself. There are tons of other goodies for office workers, small business owners, photography enthusiast, and more that I haven’t included in this list.

Dec 022021
 

In a VMware Horizon environment with DUO MFA configured via RADIUS on the VMware Horizon Connection Server, you may notice authentication issues when logging in through a UAG (Unified Access Gateway) after upgrading to VMware Horizon 8 Version 2111.

During this condition, you can still login and use the connection server directly with MFA working, however all UAG connections will get stuck on authenticating.

Horzion 8 Version 2111 UAG Stuck on Authenticating using DUO MFA (RADIUS)

Disabling MFA and/or RADIUS on the connection server will allow the UAG to function, however MFA will be disabled. This occurs on upgrades to version 2111 of the UAG both when configuring fresh, and importing the JSON configuration backup.

Temporary Fix

A temporary fix is to deploy an older version of the UAG, version 2106. After downgrading, the UAG functions with DUO and RADIUS even though the Connection Server is at version 2111.

Oct 112021
 
Windows Server 2022 Logo

Today we’re going to discuss and deploy Active Directory Certificate Services on a Windows Server 2022 Server. Additionally, we’ll also be generating a domain certificate request inside of IIS and then assign the resultant certificate to a WSUS Server.

This video will demonstrate and explain the process of deploying a Windows Server 2022 Certification Authority with AD CS.

Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.

Windows Server 2022: Active Directory Certificate Services Discussion and Installation Guide

Who’s this guide for

This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with Windows Server 2022.

What’s included in the video

In this guide I will walk you through the following:

  • Discussion
    • SSL Certificates (Host verification)
    • Internal Root Certification Authorities (Root CAs)
    • Internal Root CA vs Public Trusted Root CAs
    • HTTPS Scanning (Web Filtering) and SSL Certificates
    • Intermediate Certificate Authorities
    • Why ADCS?
    • AD CS Certificate Templates
    • Encryption
    • Certificate Issuance
  • Demonstration
    • Server Manager Role Installation
    • MMC Snap-in for Certificates (Local Computer)
      • Root CAs
    • Install Active Directory Certificate Services (AD CS)
      • Add Server Role
      • Root CA Trust Discussion
      • AD CS Installation on Domain Controller Installation
      • AD CS Prerequisites
      • Web Enrollment Discussion
      • AD CS and IIS Discussion
    • Install Internet Information Services (IIS) as pre-requisite
    • Configure Active Directory Certificate Services (AD CS)
      • Credentials
      • Role Configuration
      • Enterprise CA vs Standalone CA
      • Root CA vs Subordinate CA
      • Private Key Creation and Cryptographic options
      • Root CA Naming
      • Validity Period
    • Certification Authority MMC Usage
    • Root CA Replication to Domain (“gpupdate /force” and restart)
    • AD CS Certificate Templates Overview
      • Certificate Templates MMC
      • Duplicate and Customize Web Server Certificate Template
      • Enable Auto-Enrollment for Certificate Template
    • Use IIS to request certificate from Active Directory Certification Authority
      • Create Domain Certificate
    • Enable SSL on WSUS Server using Active Directory Certificate Services Certificate
      • Bind new certificate to IIS Web Server
      • Update GPO to reflect SSL URL and port number
      • Run “iisreset” on elevated command prompt
    • Demonstration Summary

What’s required

To get started you’ll need:

  • 1 x Server (Virtual Machine or Physical Server)
  • Microsoft Windows Server 2022 Licensing
  • A running Windows Server 2022 Instance (OSE)
  • A network router and/or firewall

Hardware/Software used in this demonstration

  • VMware vSphere
  • HPE DL360p Gen8 Server
  • Microsoft Windows Server 2022
  • pfSense Firewall
Oct 102021
 
VMware vSphere 7 Logo

In this post, I wanted to go over some Backup and Restore tips and tricks when it comes to VMware vCSA Updates and Upgrades.

We’ve almost all been there, performing an update or upgrade of the VMware vCenter Server Appliance when it fails, and we must restore from a backup. There’s also times where the update or upgrade has been successful, however numerous issues occur afterwards prompting for the requirement of a restore from backup.

In this post, I wanted to briefly go over the methods of backups (and restores) for the vCSA, as well as some Tips and Tricks which might help you out for avoiding failed updates or upgrades in the future!

We all want to avoid a failed update or upgrade! 🙂

vCSA Update Installation
vCSA Update Installation

VMware vCSA Update Tips and Tricks for Backup and Restore

Please enjoy this video version of the blog post:

vCSA Update and Upgrade – Tips and Tricks for Backup and Restore

vCSA Backup methods

There are essentially two backup methods for backing up the vCenter Server Appliance:

  1. vCSA Management Interface Backup
  2. vSphere/ESXi Virtual Machine Snapshot

vCSA Management Interface Backup

If you log in to the vCSA Management Interface, you can configure a scheduled backup that will perform a full backup of your vCSA (and vCenter Server) instance.

This backup can be automatically ran and saved to an HTTP, HTTPS, FTP, FTPS, SFTP, NFS, or SMB destination. It’s a no-brainer if you have a Windows File Server or an NFS datastore.

vCSA Backup Screenshot
vCSA Backup

In the event of a failed update/upgrade or a disaster, this backup can be restored to a new vCSA instance to recover from the failure.

For more information on backups from the vCSA Management Interface, please see https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-8C9D5260-291C-44EB-A79C-BFFF506F2216.html.

For information on restoring a vCSA file based backup, please see https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-F02AF073-7CFD-45B2-ACC8-DE3B6ED28022.html.

vSphere/ESXi Virtual Machine Snapshot

In addition to the scheduled automatic backups configured above, you should snapshot your vCSA appliance VM prior to initiating an update or upgrade. In the event of a failure, you can easily restore the vCSA VM snapshot to get back to a running state.

vCSA Snapshot Screenshot
vCSA Snapshot

Only after you test and confirm the upgrade or update was successful should you delete the snapshot.

You should also have your Backup application or suite performing regularly snapshot based backups of your vCSA.

Additional Tips and Tricks

I have a few very important tips and tricks to share which may help you either avoid a failed update or upgrade, or increase the chances of a successful restore from backup.

  1. Gracefully Shutdown and Restart the vCSA Appliance before Upgrading
  2. Application Consistent Snapshot – Snapshot after graceful shutdown

Let’s dive in to these below.

Gracefully Shutdown and Restart the vCSA Appliance before Upgrading

I noticed that I significantly reduced the amount of failed upgrades by simply gracefully shutting down and restarting the vCenter Server Appliance prior to an upgrade.

This allows you to clear out the memory, virtual memory, and restart all vCenter services prior to starting the upgrade.

Please Note: Make sure that you give the vCSA appliance enough time to boot, start services, and let some of the maintenance tasks run before initiating an upgrade.

Application Consistent Snapshot – Snapshot after graceful shutdown

Most VMware System Administrators I have talked to, usually snapshot the running vCSA appliance and do not snapshot the memory. This creates a crash consistent snapshot.

If you follow my advice above and gracefully shutdown and restart the vCSA appliance, you can use this time to perform a VM snapshot after a graceful shutdown. This will provide you with an application consistent snapshot instead of a crash consistent snapshot.

If you perform an application consistent snapshot by gracefully shutting down the VM prior to creating the snapshot, the virtual machine and database inside of it will be in a cleaner state.

Conclusion

Some of the Tips and Tricks in this post definitely aren’t necessary, however they can help you increase the chance of a successful upgrade, and a successful restore in the event of a failed upgrade.

For more information on upgrading the vCenter Server Appliance, please visit https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.upgrade.doc/GUID-30485437-B107-42EC-A0A8-A03334CFC825.html.

Oct 092021
 

One of the new real cool features of the Synology C2 Cloud and Synology DSM 7.0 is the ability to back your Synology DiskStation NAS up to the cloud.

Using the Synology’s “C2 Storage” service, you can use Synology Hyper Backup on DSM 7.0 to backup your your File Shares, NAS, applications, and data to the cloud.

Below, I will show the process of creating a Hyper Backup Backup task to backup a few Synology File Shares to the Synology C2 Storage Service.

NAS Backup (and Restore) with Synology C2 Cloud Video

For a full video guide and demonstration, please enjoy this video! Please continue scrolling for a text guide (with images).

Synology DiskStation NAS Backup (and Restore) with Synology C2 Storage Cloud!

Backup NAS to Synology C2 Storage

It’s very easy to back your NAS up to the cloud. Here’s a quick guide showing how it’s done.

We’re going to assume you already have some File Shares configured on your NAS. These can be Windows File Shares, NFS Exports, and even Active Backup for Business storage repositories. In my case, I want to back up 2 Windows File Shares to the Synology C2 Storage service.

  1. Open Hyper Backup
  2. If you have no existing backup jobs, the “Backup Wizard” should automatically open to configure a new job. If you have existing jobs, select the “+” on the top left of the window.
  3. Under “Backup Destination”, choose “Synology C2 Storage”.
    Hyper Backup Destination
  4. This will open a new window asking you to log on to the Synology C2 Storage Service. You may have to create a new account, or log in with your existing Synology credentials. From here you can start a free trial.
    Synology C2 Storage - Get Free Trial Now
  5. Choose a subscription and plan. You should get a 30-day free trial.
    Synology C2 Storage - Select your C2 subscription
  6. Confirm your subscription
    Synology C2 Storage - Confirm Subscription
  7. Accept the TOS (Terms of Service)
    Synology C2 Storage - Terms of Service
  8. You must now “Grant access to C2 Storage”. This will allow your user account to access the C2 Storage service.
    Synology C2 Storage - Grant Access
  9. You will now be presented with information on your Synology C2 Storage Account
    Synology C2 Storage Account Information
  10. You will now be redirected back to Hyper Backup. You’ll need to create a name for the new backup task destination directory.
    Hyper Backup Destination Settings
  11. Here’s where you will configure which File Shares (or volumes) to backup to Synology C2.
    Hyper Backup Choose Data Backup Sources
  12. You also have the ability to backup Synology Applications. This is helpful should you wish to backup your entire Synology NAS to Synology’s C2 cloud. I’m only doing shares, so I hit next without selecting anything.
    Hyper Backup Application Backup
  13. Now we will configure the Backup Task settings. This includes the task name, notifications, file change logs, bandwidth limits, backup schedule, and integrity check schedule. We can also “Enable client-side encryption” which we will use to encrypt the data on the cloud.
    Hyper Backup Backup Settings
  14. After proceeding, we will now configure backup rotation settings. I enabled backup rotation with “Smart Recycle”.
    Hyper Backup Rotation Settings
  15. If you enabled encryption, you will be prompted to download your encryption key. Save this file in a safe location as you will need it in the event your NAS fails and you need to access your cloud storage.
    Hyper Backup Synology C2 Encryption PEM key file

And that’s it! You have now configured your NAS to backup to Synology C2 Cloud!

Hyper Backup NAS Backup to Synology C2 Cloud
Hyper Backup NAS Backup to Synology C2 Cloud

We have now configured the backup job. Let’s go ahead and kick off a backup by clicking on “Back up now”.

And that’s it! After some time, your backup should complete and you data should be safe on the Synology C2 Cloud.

What happens when your run of out space

This is a question many of you will be asking, and I was curious myself. I went ahead and uploaded a bunch of garbage data to max out my plan.

Synology Hyper Backup C2 Storage - Not enough quota available on the target
Synology Hyper Backup C2 Storage – Not enough quota available on the target

To my surprise Synology allowed me to exceed my plan by a decent amount of storage until the backup job went in to a “Suspended” state reporting “Not enough quota available on the target”. I actually exceeded the storage by 128GB!!! This is extremely generous!

Synology C2 Storage - Storage overage
Synology C2 Storage – Storage overage

To find out how well the NAS would recover from this situation, I logged on to the Synology C2 Storage service and increased my purchased storage. I was able to simply click on “Action” and “Resume” the backup without any issues… It actually resumed where it left off.

Conclusion

The Synology C2 Storage Cloud service is a great option for backing up your DiskStation NAS and all your important files to the cloud. In my case I use my NAS as a backup, and then further backup my NAS both to a removable hard drive, and the Synology C2 Cloud, keeping me compliant with the 3-2-1 backup rule.

The pricing is amazing and there’s extra cost to backup and restore, which means no upload or download costs. They even provide de-duplication so you’re not paying to store duplicated data.

As part of the backup process, Hyper Backup only copies over blocks of data and files that have changed, which significantly helps bandwidth usage as only what’s changed is copied.

I highly recommend using Synology C2 Storage with your Synology DiskStation NAS!

Oct 092021
 
Windows 11 Logo

When attempting to do a fresh install of Windows 11 using the ISO, you may receive the message “This PC can’t run Windows 11”. Additionally, “This PC doesn’t meet the minimum system requirements to install this version of Windows.”

Windows 11 has a new set of minimum system requirements and these include certain CPUs as well as a TPM 2.0 (Trusted Platform Module Version 2.0) chip, Secure Boot, and 8GB of RAM.

If you’re trying to do an upgrade instead of a fresh install, please see Windows 11 Upgrade – This PC doesn’t currently meet Windows 11 system requirements.

Below you’ll find an explanation of the problem, and two different methods to workaround it.

The Problem

You’ll see this message while performing a fresh install if your system does not meet the minimum requirements.

Windows 11 Fresh Install - This PC can't run Windows 11
Windows 11 Fresh Install – This PC can’t run Windows 11

Just like my previous post on upgrading to Windows 11, you’ll encounter this when attempting a fresh install because some pre-requisite checks are failing:

  • CPU is not supported
  • Windows 11 Installer cannot find a TPM 2.0 chip
  • Secure Boot is not enabled
  • EFI or UEFI is Required

One thing to note is that you may see these messages even if your system has a TPM 2.0 chip.

Most computers purchased in the last 6 years probably have a TPM 2 chip that just needs to be enabled via the system UEFI/EFI. If you boot to your UEFI, you can attempt to enable the TPM 2.0 chip.

It may already be enabled, however it may be configured to run at version 1.2. If this is the case, change it to version 2.0. You’ll also need to make sure you have “Secure boot” enabled.

If this doesn’t work, please see below for multiple workarounds.

The Fix

At this point in time, there are two different methods to workaround the minimum system requirements:

  1. Method 1 – Use Rufus to create a modified Windows 11 Installer from ISO and disable the TPM 2.0, Secure Boot, and 8GB of RAM requirement.
  2. Method 2 – Use native Windows 11 installer and ISO to modify registry during Windows Setup.

You can either either method, depending on which one you may find easier or more convenient.

Method 1 – Use Rufus to create a modified Windows 11 Installer from ISO and disable the TPM 2.0, Secure Boot, and 8GB of RAM requirement.

You can use a utility called “Rufus” (Reliable USB Formatting Utility, with Source) to convert the Windows 11 ISO in to a bottable USB key to install Windows.

Using the latest version of Rufus, you can modify the Windows 11 Setup installer to bypass the requirements for TPM 2.0, Secure Boot, and 8GB of RAM.

To use this method, you’ll need the following files:

Please enjoy this video demonstrating the process:

Windows 11 Fresh Install – TPM and Secure Boot Bypass for “This PC can’t run Windows 11”

To use this method as a workaround:

  1. Download Rufus and place in a folder
  2. Download Windows 11 ISO and place in a folder
  3. Insert USB key that is larger than the size of the Windows 11 ISO (larger than 5.5GB)
  4. Open Rufus
  5. Select your USB key under “Device”
  6. Under “Boot Selection”, click on “SELECT”
  7. Navigate to and select the Windows 11 ISO file
  8. Under “Image option”, choose “Extended Windows 11 Installation (no TPM/no Secure Boot/8GB- RAM”
  9. Click “Start”.
    PLEASE NOTE: This will erase and repartition your USB drive. All existing data on the USB drive will be deleted.
Rufus – Windows 11 Fresh Install TPM, Secure Boot, and RAM bypass

Now simply wait for the USB key to be created. It can take 30-90 minutes depending on the speed of your USB drive.

Once you have created the USB key, make sure your computer is configured to use UEFI and make sure you disable Secure Boot in the UEFI.

Simply boot from the USB Key your created above, and install Windows 11.

Method 2 – Use native Windows 11 installer and ISO to modify registry during Windows Setup.

Bypass the check for TPM 2.0

If you don’t have TPM 2.0 or it’s not working, you can disable the TPM 2.0 check on the Windows 11 installer. Please note, you still require TPM 1.2 for this bypass to function. This workaround only disables the requiremnt for TPM 2.0. You still need to have Secure Boot enabled, and you must have a TPM 1.2 chip.

To do this, boot from the Windows 10 ISO:

Windows 11 Installer
Windows 11 – Installer

When you see the above screen, press “SHIFT + F10” and a Windows Command Prompt should open.

From the command prompt, type “regedit” and press enter.

Windows 11 Installer with command prompt and Registry Editor "regedit"
Windows 11 Installer – Registry Editor “regedit”

Now we must create a registry key called “MoSetup” and a DWORD Value to disable the TPM and CPU check.

  1. Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\Setup”
  2. Right click on “Setup”, select “New”, and choose “Key”, name it “MoSetup”
  3. Navigate to “MoSetup”
  4. On the right pane, right-click an empty space, select “New”, and select “DWORD (32-bit) Value”
  5. Name it: “AllowUpgradesWithUnsupportedTPMOrCPU” (without quotations)
  6. Set it to “1” (without quotations)

After performing the above, it should look like this.

Windows 11 Installer - MoSetup and AllowUpgradesWithUnsupportedTPMOrCPU
Windows 11 Installer – MoSetup and AllowUpgradesWithUnsupportedTPMOrCPU

Now simply close the Registry Editor, type “exit” to close out of the command prompt and continue with the Windows 11 Installer.

After performing the above, you should now be able to successfully perform a fresh install of Windows 11 with the TPM and CPU check disabled.

Oct 072021
 
Windows 11 Logo

When attempting to upgrade to Windows 11, you may receive the message “This PC doesn’t currently meet Windows 11 system requirements”.

Windows 11 has a new set of minimum system requirements and these include certain CPUs as well as a TPM 2.0 (Trusted Platform Module Version 2.0) chip.

I ran in to this issue on a Lenovo X1 Carbon as well as an HP Z240 Workstation. The Lenovo X1 Carbon does have a TPM 2 chip, however still would not install.

If you’re trying to a fresh installation instead of an upgrade, please see Windows 11 Fresh Install – This PC can’t run Windows 11 for instructions on performing a Fresh install with TPM and Secure Boot bypass.

The Problem

You’ll see this message if your system doesn’t meet the minimum requirements.

Windows 11 installer failing with "Windows 11 - This PC doesn't currently meet Windows 11 system requirements"
Windows 11 – This PC doesn’t currently meet Windows 11 system requirements

On most systems, you’ll see the following 2 prequisite checks fail:

  • “The processor isn’t supported for this version of Windows”
  • “The PC must support TPM 2.0.”

One thing to note is that you may see these messages even if your system has a TPM 2.0 chip.

You’ll also need to make sure your system has UEFI/EFI and has Secure Boot enabled.

The Fix

You have TPM 2.0 but can’t upgrade to Windows 11

Try to check and see if you have a TPM 2.0 chip. Most systems purchased in the last 6 years probably have a TPM 2 chip that just needs to be enabled via the system BIOS or UEFI.

If you boot to your BIOS/UEFI, you can attempt to enable the TPM 2.0 chip.

You may also already have it enabled, however it is configured to run at version 1.2. If this is the case, change it to version 2.0.

You’ll also need to make sure you have “Secure boot” enabled.

Bypass the check for TPM 2.0

If you don’t have TPM 2.0, you can disable the TPM 2.0 check on the Windows 11 installer. Please note, you still require TPM 1.2 for this bypass to function.

To do this, we must make a registry key.

  1. Start -> Run -> “regedit.exe” (without quotations)
  2. Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup”
  3. On the right pane, right-click an empty space, select “New”, and select “DWORD (32-bit) Value”
  4. Name it: “AllowUpgradesWithUnsupportedTPMOrCPU” (without quotations)
  5. Set it to “1” (without quotations)

After creating this, it should appear like so:

REG_DWORD: AllowUpgradesWithUnsupportedTPMOrCPU set to “1”

After setting this you should now be able re-launch the Windows 11 installer, and successfully install Windows 11. You’ll now notice the new message below:

Windows 11 – Bypass TPM and CPU Disclaimer

Simply “Accept” the warning and continue!

Please Note: Microsoft has warned that by using this TPM 2.0 bypass, you may run in to compatibility issues: “Your device might malfunction due to these compatibility or other issues. Devices that do not meet these system requirements will no longer be guaranteed to receive updates, including but not limited to security updates.”

You’ll see this disclaimer and warning on the Windows 11 installer after enabling the TPM 2.0 check bypass.

Additional Resources

Sep 302021
 
ISRG and Let's Encrypt

Today, the DST Root CA X3 certificate expired, leaving many devices on the internet having issues connecting to services and certificates that use this Root CA, including those using Let’s Encrypt certificates.

Some of these problematic devices include Samsung Galaxy phones, iPhones, VDI zero and thin clients, and even Sophos UTM firewalls.

In my environment, I noticed a number of issues when browsing to websites that use the free Let’s Encrypt certificates, as the Web Protection Web Filtering service on my Sophos UTM firewall would report the certificate has expired and not allow me access to the websites using it.

The Problem

Let’s Encrypt originally used the “DST Root CA X3” certificate to issue Let’s Encrypt certificates. However, as time has passed and the service has been used more, they now use “ISRG Root X1” and “ISRG Root X2” as Root CA’s and “Let’s Encrypt R3” as an intermediate certificate.

Older devices may be using the older Root CA which expired today (September 30th, 2021). Please see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ for more information.

The Fix

To fix this issue, you need to add the 2 new Root CAs to your computer or device.

Root CA Certificates (PEM format):

Intermediate Certificate (PEM format):

You can download them by clicking the links above or go to https://letsencrypt.org/certificates/ for more information and to download if you don’t trust the above links.

After downloading and adding these Root CAs and the Intermediate CA to your computer or device, you should have the full certificate chain to validate the Let’s Encrypt certificates. You only need to add the two root certificates. The Let’s Encrypt certificates that are used on websites that you visit and that you might have deployed on your servers should now work without any issues.

If you’re still having issues, you can try deleting the “DST Root CA X3” certificate from your existing Root CAs. Also, you may need to close and reopen any software and/or browsers for it to work with the new certificate.

HTTPS Scanning/Filtering Firewall Fix (Sophos UTM as example)

If you have a firewall that scans HTTPs traffic, you’ll need to add the two root certificates above to the HTTPS Certification authority list.

As an example, to fix this on the Sophos UTM firewall, follow the instructions below:

  1. Download the 3 certificates above.
  2. Log on to your Sophos UTM
  3. Navigate to “Web Protection”, “Filtering Options”, and “HTTPS CAs” tab.
  4. Disable the old “Digital Signature Trust Co. DST Root CA X3” Certificate in the list.
  5. Using the “Upload local CA”, browse to and select 1 of the 3 certificates, then click upload.
  6. Repeat step 5 for each of the 3 certificates listed above.
  7. The issue has been fixed! You should now see all 3 certificates in the “Local verification CAs” list.

The steps should be similar for other firewalls that provide HTTPS Scanning and Filtering.

Sep 252021
 
Windows Server 2022 Logo

Today, I will be showing you howto install, configure, and deploy Windows Server Update Services (WSUS) on Windows Server 2022. I’ll also show you how to use the WSUS MMC interface, approve/manage updates, and more!

This video will demonstrate the process of the WSUS role installation, post-installation tasks, first-time WSUS configuration wizard, and the WSUS MMC.

Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.

Who’s this guide for

This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with Windows Server 2022.

What’s included in the video

In this guide I will walk you through the following:

  • Server Manager
    • Windows Server Update Services Role Installation
  • WSUS Considerations and Requirements
    • WID (Windows Internal Database)
    • SQL Express
    • GPO Group Policy Objects
    • WSUS Maintenance
    • Upstream and Downstream WSUS Servers
    • Bandwidth Optimization
  • WSUS Usage and Platform
    • WSUS Infrastructure Design
    • WSUS Synchronization Schedule
    • WSUS Language, Products, and Classifications selections
    • WSUS MMC Overview
    • “gpupdate /force” command usage
    • WSUS Update Approval
    • WSUS Reporting

Additional Information

Please see below (click to enlarge) for a WSUS GPO Configuration Example.

GPO Settings for WSUS Configuration
WSUS GPO Configuration Example

Please Note: This example contains configuration to automatically install updates. This example should only be used for workstations and not servers. Please use this example as a guide for your own study.

What’s required

To get started you’ll need:

  • 1 x Server (Virtual Machine or Physical Server)
  • Microsoft Windows Server 2022 Licensing
  • A running Windows Server 2022 Instance (OSE)
  • A network router and/or firewall

Hardware/Software used in this demonstration

  • VMware vSphere
  • HPE DL360p Gen8 Server
  • Microsoft Windows Server 2022
  • pfSense Firewall

Blog Posts mentioned in this video

Sep 232021
 

Synology C2 Cloud, C2 Backup and C2 Storage are new ways to backup smart! Using Synology’s C2 Cloud, you can not only back up your Synology DiskStation NAS and all of it’s contents to the cloud, but you can also backup your endpoints directly to the cloud as well now, including Workstations and Servers providing “Centralized protection for Microsoft workloads”.

I want to give a brief overview with what you can do with it, and yes I’ve tried it and so far love it! It works great!

With DSM 7, came a big expansion of Synology’s C2 Cloud Offering

I first heard about Synology C2 Cloud during a VMUG User Group presentation that was sponsored by Synology a few months ago.

I was very impressed with the presentation on the new Synology DSM 7 operating system, it’s capabilities, and the integration with the new Synology C2 Cloud. It really peaked my interest!

With the release of DSM 7.0 (on June 29th 2021), Synology also launched a number of Cloud initiatives delivered by their C2 Cloud platform. This included C2 Transfer, C2 Identity, and C2 Storage. As of today, they have released C2 Backup!

With the fresh release, I want to go over Synology’s C2 Backup, and C2 Storage.

What can we do with C2 Backup and C2 Storage?

The possibilities are almost endless, but let’s list some of the main uses that come to mind:

  • Backup Synology DiskStation NAS to Synology C2 Cloud
    • Backup your Synology DiskStation File Shares
    • Backup your Synology Photo Collection and Videos
    • Backup your Synology Apps
    • Backup your backups to the cloud (disk to disk to cloud)
  • Active Backup for Business
    • Backup Workstations and Servers to NAS, then replicate to Cloud
    • Backup Microsoft 365 to NAS, then replicate to Cloud
    • Backup Virtual Machines to NAS, then replicate and/or archive to Cloud
  • Endpoint Backup direct to Synology C2 Backup
    • Backup a Windows Desktop or Laptop directly to Synology C2 Cloud

One of the biggest threats we have today is ransomware. Ransomware has been ravaging businesses and corporations, destroying and deleting their backups and holding the companies at hostage. It’s even effected the home user, holding their private and valuable files on their computers and NAS devices hostage.

Another common threat is general disasters, including hardware failure, fires, and other events causing complete loss of data.

Using both the Synology DiskStation and the Synology C2 Cloud we can mitigate these risks by backing up your data.

And with any backup, we should always abide by the 3-2-1 rule having 3 copies, on 2 different platforms/media types, and one off-site. Backing up to your Synology NAS and then replicating it up to Synology C2 cloud, you can achieve this level of protection.

Synology C2 Cloud also provides C2 Identify and C2 transfer for business services, which I won’t cover in this post.

Use Case Examples

Below I’ll list a few of the most common uses cases I would expect.

Home or Small Business File Share backup

For home or small business users, file and data storage is typically handled via Windows Shares, and the Synology DiskStation NAS is perfect for providing this type of storage.

Using the Synology DiskStation, you can back these shares to Synology’s C2 Storage Service further protecting your data and also keeping it off-site. You can still also backup to other sources such as removable hard drives.

Complete NAS backup

You can now fully backup your entire NAS to the Synology C2 Storage service. Providing an easy way to restore it, should you ever have a disaster including ransomware, a catastrophic failure, or fire, and have lost your unit needing to replace it fully.

Active Backup for Business Replication

If you’re using Active Backup for Business, you probably already know you can backup the following to your NAS:

  • Microsoft Windows Servers
  • Microsoft Windows Workstation
  • Microsoft 365 (Office 365) data
  • VMware Virtual Machines
  • And more!

Now we have the ability to replicate these backups to Synology’s C2 Storage service, to further protect our backups and also archive data.

Endpoint Backup (new with Synology C2 Backup)

Now you can backup Microsoft Windows endpoints (workstations, laptops, and tablets) directly to the Synology C2 Backup service!

You can backup an unlimited numbers of Microsoft endpoints with the only limitation being how much storage you’re paying for.

Endpoint backups include full-system backups (using incremental updates to save bandwidth), and provide bare mental restore capabilities, as well as file-level recovery when you only need to grab a few files from a backup without restoring the entire system.

You also have the ability to deploy the C2 Backup agent via Active Directory GPOs for ease of deployment.

And don’t forget, this is a perfect way to backup mobile users with laptops!

Is it Encrypted?

One question you might be asking is if the data is safe and encrypted. It sure is (if you enable it)!

The Synology C2 Cloud provides client-side encryption using AES 256-bit encryption with private keys.

In my testing when enabled, the data is encrypted on my Synology DiskStation NAS and then uploaded to Synology’s C2 Cloud. Encryption is handled via a password and a PEM key (AES 256) that you must save and keep safe (preferably not on any of your computers, but on a USB key somewhere safe)! Hold on to this, because you’ll need it in the event of a disaster.

In the case of C2 Storage, while the data is encrypted and then stored on Synology’s servers, there are some actions you can take via a web interface to view/download your data to your computer, instead of restoring to your NAS. Keep in mind if you do this, you’ll need to enter your password in to Synology’s servers, however they state the password will not be saved and will be destroyed after the task completion.

In the case of C2 Backup, you’ll have a powerful web interface where you can manage backups, restore backups, restore files, and more.

How much does it cost?

For the C2 Storage Service, the pricing table below (US Dollars):

For the C2 Backup Service, the pricing table is below (US Dollars):

You’ll notice that right now the C2 Backup Service is limited to only a 300GB plan and 2TB plan.

Features to come

While you can today deploy any of the features listed in this post, there are some future capabilities that are coming soon…

Soon, using Synology C2 Backup, you’ll be able to automatically backup your Microsoft 365 data (including Exchange Online and OneDrive for Business) direct to Synology’s C2 Backup.

While you can already back this data up to your NAS (and then replicate to C2 Storage), soon you’ll be able to cutout the NAS and have it go direct.

In conclusion

I’d highly recommend checking out the Synology C2 Cloud portfolio of services as I’ve already deployed and am currently using the Synology C2 Storage service in my homelab with my Synology DiskStation NAS.

Synology also has another datacenter available to choose from Germany.

More information can be found at the following links:

C2 FAQ

Synology C2 Backup (for business)

Synology C2 Transfer (for business)

Synology C2 Identity (for business)

Synology C2 Storage (for business)

Pricing information can be found at the following links:

Synology C2 Backup Pricing (for business)

Synology C2 Storage Pricing (for business)

I’ll be posting some tutorials and reviews so stay tuned! In the meantime, leave a comment if you’ve used any of these products in your environment!