• Windows Vista/7 – "The User Profile Service failed the logon. User profile cannot be loaded"

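    [Problem]: Vista/7 - "The User Profile Service failed the logon. User profile cannot be loaded"

    [Description]: The User Profile Service failed the logon. The user profile cannot be loaded.

    [Solution]:

    1. Log on with another local administrator account and try deleting the registry key (if one exists).

    2. If there is no other administrator account, boot from the Vista disc into the Win PE environment and try using System Restore to return to the last state that worked.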

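    · To do the restore, you must first set the optical drive as the first boot device in the BIOS. After you insert the disc and boot, a prompt screen appears; press the space bar at that point to boot from the disc.

    · On this screen, click "Repair your computer" at the bottom.

    · On this screen, just click "Next".

    · Click System Restore.

    · Find the most recent restore point to restore the system, then reboot and try to log on.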

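    3. If the machine can log on to the domain environment, try logging on to the computer with domain admin privileges and then delete the registry key to resolve the problem.

    4. Use Connect Network Registry (requires a second computer to work from).

    · If you have an administrator account on that computer and its IP address, you can delete the registry key through Connect Network Registry.

    · Open regedit, choose Connect Network Registry, and select the computer to connect to.

    · Find the SID to delete and delete it (backing it up first is recommended), removing the registry key of the problem account (my account, pennka, is used as the example below).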

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

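    5. Attach this computer's hard disk to a computer that can boot (the Load Hive method).

    · Boot from the other system and run regedit.

    · Select HKEY_LOCAL_MACHINE.

    · Click "File" > "Load Hive" in the menu bar.

    · Browse to the Windows\system32\config directory of the problem system and select the Software file. When the dialog appears, give it a temporary name, for example 123, and click OK.

    · You will now see a key named 123 under HKEY_LOCAL_MACHINE. This 123 key is the HKEY_LOCAL_MACHINE\Software key of the problem system.

    · Find the SID to delete and delete it (backing it up first is recommended), removing the registry key of the problem account (my account, pennka, is used as the example below).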

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    · Select HKEY_LOCAL_MACHINE\123, then click "File" > "Unload Hive" in the menu bar.

    · Shut down, return the hard disk to the original machine, and boot again.
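
    The "back up first, then find the SID" step from methods 4 and 5, as an added PowerShell example that is not part of the original post. It only exports and lists; it deletes nothing. The parameter names and the backup location are assumptions, and -HiveRoot takes either SOFTWARE (live registry) or the temporary name given in Load Hive (123 in the post).

```powershell
# Added example (not from the original post): back up ProfileList and locate
# the SID key that belongs to one profile folder. Nothing is deleted.
param(
    # 'SOFTWARE' for the live registry; for an offline hive, the temporary
    # name typed in Load Hive (the post uses 123).
    [string]$HiveRoot = 'SOFTWARE',
    # Profile folder name to look for (the post's example account).
    [string]$UserName = 'pennka',
    # Where to write the .reg backup (assumed location).
    [string]$BackupDir = $env:TEMP
)

$key = "HKEY_LOCAL_MACHINE\$HiveRoot\Microsoft\Windows NT\CurrentVersion\ProfileList"

# 1. Export the whole key before touching anything, as the post recommends.
$backup = Join-Path $BackupDir ('ProfileList-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Export of $key failed; stopping." }

# 2. Map every SID subkey to the profile folder it points at.
$profiles = Get-ChildItem -Path "Registry::$key" | ForEach-Object {
    $values = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Sid         = $_.PSChildName
        ProfilePath = $values.ProfileImagePath
        State       = $values.State
    }
}
$profiles | Format-Table -AutoSize

# 3. Show only the key(s) whose folder name matches the problem account.
$hits = $profiles | Where-Object {
    $_.ProfilePath -and (Split-Path $_.ProfilePath -Leaf) -eq $UserName
}
if (-not $hits) {
    Write-Warning "No ProfileList entry points at a folder named '$UserName'."
}
$hits | ForEach-Object { "Candidate key: $key\$($_.Sid)  (backup: $backup)" }
```

    If the wrong key is removed, importing the exported .reg file restores the ProfileList entries.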

  • How to extend the validity period after the CA expires?

    1. Lifetime of the CA server itself

    How to renew the CA certificate:

    Go to the Certificate Authority and highlight the server name.

    Right click and go to All Tasks. At the bottom is the option to renew CA certificate.

    This will ask you to stop the Certificate Services. Select yes. It brings up a dialog box with the option to generate a new public and private key. Select yes. 

    It will now start the Certificate Services and your CA certificate will be renewed. Go to start, run and type in mmc.

    Go to the console and highlight Add/Remove Snap-in.

    Click on the add button.  Then choose the Certificates snap-in. 

    Add the snap-in for the Computer Account, hit the next button and select for the local computer and hit finish.

    You should now have the console open for the certificates for the local computer.

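    The CA server has this web server certificate by default, and its default validity is two years. To issue certificates with a specified validity period, the following three conditions must be met:
    1. The root CA certificate's validity period: how much time remains until it expires
    2. The validity period in the certificate template
    3. The CA requires a registry change to specify the maximum validity period
    Among these three, the smallest value must be chosen for the certificate to be issued and work correctly.
    1. Check the root CA certificate's validity period
    Open Certificate Authority (CA), right-click the root CA, and choose Properties. On the [General] tab you can see the CA certificate "Certificate #0". Click [View Certificate] to see the current certificate information, including the issue date and the expiry date.
    How do you check whether the current CA is a stand-alone CA or an enterprise CA?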
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Your CA name}\CAType
    CAType = 0 (This means it is installed as Enterprise Root CA)
    CAType = 1 (This means it is installed as Enterprise Subordinate CA)
    CAType = 3 (This means it is installed as Stand Alone CA)
    CAType = 4 (This means it is installed as Stand Alone Subordinate CA)
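    2. Create a new template and specify the validity period

    How to create a new certificate?

    Open MMC, add [Certificate Templates], and select Certificate Templates. The right pane shows all the built-in templates. Create the template for the certificate type you want here. Using [Code Signing] as the example, right-click it and choose [Duplicate Template].

    Give this template a display name. You can also define the validity period and related settings here.

    You need to give this certificate its security settings. For example, if this certificate is to be issued to Domain Users, grant them the [Read] and [Enroll] permissions.

    When the settings are complete, you can see under [Certificate Templates] that this certificate has been created.

    How to publish the new certificate?

    Use MMC to open [Certification Authority]. Under your CA server you can see [Certificate Templates]. Right-click it and choose [New]\[Certificate Template to Issue].

    3. Set the CA server registry key; see KB 254632 http://support.microsoft.com/kb/254632/en-us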
    To change the validity period settings for a CA, follow these steps.

    1. Click Start, and then click Run.

    2. In the Open box, type regedit, and then click OK.

    3. Locate, and then click the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

    4. In the right pane, double-click ValidityPeriod.

    5. In the Value data box, type one of the following, and then click OK:

    o Days

    o Weeks

    o Months

    o Years

    6. In the right pane, double-click ValidityPeriodUnits.

    7. In the Value data box, type the numeric value that you want, and then click OK. For example, type 2.

    8. Stop, and then restart the Certificate Services service. To do so:

    a. Click Start, and then click Run.

    b. In the Open box, type cmd, and then click OK.

    c. At the command prompt, type the following lines. Press ENTER after each line.

    net stop certsvc
    net start certsvc

    d. Type exit to quit Command Prompt.
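
    The "smallest of the three limits" rule above, as an added PowerShell example (not code from the post or from KB 254632). It reads CAType, ValidityPeriod and ValidityPeriodUnits from the registry key shown above and compares them with the CA certificate's remaining lifetime. Assumptions: it runs elevated on the CA server, the template validity is passed in by hand as -TemplateValidityDays, the CA certificate's subject name equals the CA name, and months and years are approximated as 30 and 365 days.

```powershell
# Added example (not from the post): show the three limits on issued-certificate
# validity and which one wins. Run elevated on the CA server.
param(
    # Validity set on the certificate template, in days (assumed input; read it
    # from the template's properties).
    [int]$TemplateValidityDays = 730
)

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active            # active CA's key name
$ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)

# CAType values as listed in the post.
$caTypes = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA'
              3 = 'Stand Alone CA';     4 = 'Stand Alone Subordinate CA' }

# Registry limit: ValidityPeriod (unit) x ValidityPeriodUnits (count).
# Months and Years are approximated in days for comparison only.
$unitDays     = @{ Days = 1; Weeks = 7; Months = 30; Years = 365 }
$registryDays = $unitDays[[string]$ca.ValidityPeriod] * [int]$ca.ValidityPeriodUnits

# CA certificate limit: newest certificate in the machine store whose subject
# name equals the CA name (assumption: common name matches the key name).
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $caName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "No certificate named '$caName' in LocalMachine\My." }
$caDays = [math]::Floor(($caCert.NotAfter - (Get-Date)).TotalDays)

$limits = [ordered]@{
    'CA certificate remaining' = $caDays
    'Certificate template'     = $TemplateValidityDays
    'Registry ValidityPeriod'  = $registryDays
}
$winner = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1

[pscustomobject]@{
    CAName        = $caName
    CAType        = $caTypes[[int]$ca.CAType]
    Limits        = ($limits.GetEnumerator() |
                        ForEach-Object { "$($_.Key)=$($_.Value)d" }) -join '; '
    EffectiveDays = $winner.Value
    LimitedBy     = $winner.Key
} | Format-List
```

    If LimitedBy reports the CA certificate, raising the registry value or the template validity has no effect until the CA certificate itself is renewed.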

  • Windows Server 2k8, How to disable Restore button in Previous Versions tab

    To disable the Restore button

    To disable only the Restore button on the Previous Versions tab on individual client computers, follow these steps:

    1. Click Start, click Run, type regedit in the Open box, and then click OK.

    2. Locate and then click either of the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

    3. On the Edit menu, point to New, and then click DWORD Value.

    4. Type NoPreviousVersionsRestore, and then press ENTER.

    5. Right-click NoPreviousVersionsRestore, and then click Modify.

    6. In the Value data box, type 1, and then click OK.

    7. Quit Registry Editor.

    Alternatively, you can use the Reg.exe utility to disable the Restore button. To do this, type either of the following commands at the command prompt, and then press ENTER:

    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer /v NoPreviousVersionsRestore /t REG_DWORD /d 1
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer /v NoPreviousVersionsRestore /t REG_DWORD /d 1

  • DC generate Event id 675 (0x19) from Win2k8 machine

    Problem description:
    DC authentication issue
    - DC generates Event ID 675 (0x19) from Win2k8 machine

    Solution:
    This comes from a design difference in the authentication protocol between Windows 2003 and Windows 2008. There are two ways to avoid it:
    1. We can check "Do not require Kerberos pre-authentication" on the user account in the AD Users & Computers console; we will no longer get the same event for those users.
    See KB: http://support.microsoft.com/kb/954415/en-us

    2. This shows that the issue is with pre-authentication from machines. We identified that the issue was only with Vista and Windows 2008 machines and not with Windows XP and Windows 2003 machines.
    Because of a design change, pre-authentication is not forced on Vista and Windows 2008 machines. We forced pre-authentication on Windows Vista machines using the following registry value:
    HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
    Value Name = DefaultEncryptionType
    Type = Reg_DWORD
    Value Data = 0x17(23)
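
    Option 1 turns off a Kerberos check per account, so it is worth knowing where the checkbox is set. The following is an added PowerShell example, not part of the original post, that lists those accounts; it assumes the ActiveDirectory module is installed, and falls back to constructed sample records (account names invented here) when it is not.

```powershell
# Added example (not from the original post): inventory accounts that have
# "Do not require Kerberos pre-authentication" set.
$DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit behind the checkbox

function Test-PreAuthDisabled {
    param([int]$UserAccountControl)
    ($UserAccountControl -band $DONT_REQ_PREAUTH) -ne 0
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    # The bitwise-AND matching rule lets the DC filter on the flag server-side.
    $filter   = '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
    $accounts = Get-ADUser -LDAPFilter $filter -Properties userAccountControl, whenChanged |
        Select-Object SamAccountName, Enabled, userAccountControl, whenChanged
} else {
    # Constructed sample records, used when the AD module is not installed.
    $accounts = @(
        [pscustomobject]@{ SamAccountName = 'alice'       # normal account
                           Enabled = $true;  userAccountControl = 512;     whenChanged = $null }
        [pscustomobject]@{ SamAccountName = 'svc-print'   # 512 + 0x400000
                           Enabled = $true;  userAccountControl = 4194816; whenChanged = $null }
        [pscustomobject]@{ SamAccountName = 'bob'         # password never expires
                           Enabled = $true;  userAccountControl = 66048;   whenChanged = $null }
        [pscustomobject]@{ SamAccountName = 'old-kiosk'   # 66048 + 0x400000
                           Enabled = $false; userAccountControl = 4260352; whenChanged = $null }
    )
}

# Re-check the flag locally so both the live and the sample path are handled alike.
$accounts |
    Where-Object { Test-PreAuthDisabled $_.userAccountControl } |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, Enabled, userAccountControl, whenChanged -AutoSize
```

    With the sample records the table lists old-kiosk and svc-print; against a domain it lists every account where the checkbox from option 1 is ticked.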

  • Windows 2008 remote App with easy print function

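    Problem description:
    Using W2K8 remote app, WinXP client cannot redirect print
    ======================================
    You use the W2K8 Remote App feature, and the clients currently run three operating systems: Windows 7, Windows Vista and Windows XP SP2.
    You find that when a Windows XP SP2 client uses Remote App and wants to print a document, it cannot see the redirected local printer, while Windows 7 and Windows Vista clients do not have this problem.
    ======================================

    Recommendation and solution:
    I think your W2K8 environment has the Easy Print feature enabled. If you have not specifically installed the clients' printer drivers on the W2K8 TS server (in the past, to RDP to a W2K3 TS server you had to install the corresponding printer driver on W2K3 before the client's connected printer could be redirected successfully), and Windows 7 and Windows Vista clients can still redirect printers directly, this indicates that the W2K8 Easy Print feature is enabled. It also indirectly explains why your Windows XP client cannot redirect printers: for Windows XP to use Easy Print, there are some basic requirements, as follows: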

    ==================================================

    To use the Terminal Services Easy Print driver, clients must be running both of the following:

    • Remote Desktop Connection (RDC) 6.1

    Note

    The RDC 6.1 (6.0.6001) client supports Remote Desktop Protocol 6.1.

    • At least Microsoft .NET Framework 3.0 Service Pack 1 (SP1)

    The following list provides information about which operating systems support the Terminal Services Easy Print driver, and whether additional configuration is required.

    • Windows Vista® with SP1 includes both of the required components. By default, Windows Vista with SP1 supports the Terminal Services Easy Print driver with no additional configuration.
    • Windows XP with Service Pack 3 includes RDC 6.1. However, you must install a supported version of .NET Framework separately. You can download Microsoft .NET Framework 3.5 (which includes .NET Framework 3.0 SP1) from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=109422).

    ==================================================
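    According to the official documentation above, to redirect printers successfully on Windows XP you must upgrade the Windows XP client to SP3 and separately install the .NET Framework 3.0 SP1 component.

    PS. The .NET Framework 3.0 SP1 link above is for .NET Framework 3.5, which includes .NET Framework 3.0 SP1.

    Reference links: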
    Terminal Services Printing
    http://technet.microsoft.com/en-us/library/cc753853(WS.10).aspx

    How to enable easy print?
    =================================
    What settings have been added or changed in Windows Server 2008?

    Group Policy settings

    The following Group Policy settings have been added for Terminal Services printing:

    • Use Terminal Services Easy Print printer driver first
      This policy setting is located in the following node of the Local Group Policy Editor:
      Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection
      The possible values are:

    · Enabled or Not configured: If this policy setting is enabled or not configured, the terminal server will first try to use the Terminal Services Easy Print driver to install all client printers. If for any reason the Terminal Services Easy Print driver cannot be used, a printer driver on the terminal server that matches the client printer will be used. If the terminal server does not have a printer driver that matches the client printer, the client printer will not be available for the Terminal Services session. By default, this policy setting is not configured.

    · Disabled: If you disable this policy setting, the terminal server will try to find a suitable printer driver to install the client printer. If the terminal server does not have a printer driver that matches the client printer, the server will try to use the Terminal Services Easy Print driver to install the client printer. If for any reason the Terminal Services Easy Print driver cannot be used, the client printer will not be available for the Terminal Services session.

    • Redirect only the default client printer
      This policy setting is located in the following node of the Local Group Policy Editor:
      Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection
      The possible values are:

    · Enabled: If you enable this policy setting, only the default client printer is redirected in Terminal Services sessions.

    · Disabled or Not configured: If you disable or do not configure this policy setting, all client printers are redirected in Terminal Services sessions. By default, this policy setting is not configured.