
Microsoft ATA is an awesome piece of software which they freshly purchased from Aorato last year. The current version of ATA is 1.5. If you try to install it in a large company, you will run into heaps of issues. Some will be fixed by the next release, some will not.

Here are some tricks and things you need to be aware of.


When you install the ATA console, you have the choice of using a self-signed certificate or another certificate. When I chose a certificate generated by our Windows 2012 CA, I found I wasn't able to start the service.

The Microsoft Advanced Threat Analytics Center service failed with the following error in the error log.

2016-03-30 23:22:07.0450 3392 5   00000000-0000-0000-0000-000000000000 Error [Utils] System.Security.Cryptography.CryptographicException: Invalid provider type specified.
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at Microsoft.Tri.Infrastructure.Utils.SecurityProvider.DecryptPrivateAsymmetric(Byte[] encryptedData, X509Certificate2 certificate)
   at Microsoft.Tri.Infrastructure.Framework.SecretManager.OnStart(
   at Microsoft.Tri.Infrastructure.Framework.Module.Start()
   at Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnStart()
   at Microsoft.Tri.Infrastructure.Framework.Module.Start()
   at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)

After consulting with Microsoft, it turned out there were two issues with my certificate.

ATA doesn't support the newer KSP key provider (Windows 2008 and later CAs) and only supports the older CSP (from Windows 2003), due to a .NET dependency issue.

ATA (version 1.5) only supports certificates issued by a Root CA (yes, you read that right). So if you are using an issuing CA to generate the certificate, the only choice you have is the self-signed certificate. This issue should be fixed in the next version.

Update 01:

The way ATA deploys is very different from traditional software.

The best sequence for installing the software is:

Install ATA Center first. Once installed, configure the domain connectivity settings (a read-only domain account will do).

Once that is done, DO NOT configure anything else.

Jump on the ATA Gateway server and open a browser to connect to ATA Center, log in with a domain admin account -> go to the configuration page -> download the gateway software.

The gateway software is downloaded as a zip file which contains a JSON configuration file and an exe. The JSON is composed from the current configuration you set up in ATA Center. There is a chance the JSON gets messed up, so the best way is to NOT configure the gateway beforehand; just download and use it.

Once you run the gateway installation, you will have the initial configuration of ATA and it will open ATA Center in a browser. You can configure it now.

The service on the Gateway server may take 5 minutes to finish starting and enter the running state.

Update 02:

After 2 months of long and thorough tests with ATA 1.6, we have decided not to use ATA in our production. ATA is fantastic software with a 3-month development cycle, and Microsoft has invested lots of resources in it. However, of our 50 pen tests, only 50% were caught by ATA. 25% of the uncaught ones were by design (like PTH on a box and launching more RDP sessions with the stolen ticket on the same box) and cannot be detected. The last 25% of pen tests will be monitored in a future version (I'm talking about v2.0 or something similar).

On top of that, the current version 1.6 still can't run in our production as our PKI (Win2012) isn't supported.

So let's wait for a year or two till ATA is mature enough. I will run another round of tests and post here.


Okay, I'm glad I can come back and write something newish. This post is all about creating event log forwarding, a centralized event log and WinRM.


Why you need a centralized event log solution

The Windows event log has always been the first line of defense and reflects what happened on your computers. It will be your company's frontier defense line against PTH or any other attacks. If anything happens to an IT person's laptop that has had a privileged account logged in before, it will be a great early alert for IT admins to take action against this account, or to focus on it and track it down.

In an ideal world, we would have all events from everyone and understand exactly what happened. But in reality no one is able to handle that amount of work, and whether it would be efficient enough to provide useful information is another question.

If collector servers or clients are offline, the related events will be held and submitted to the server once the client/server comes back online.

So this is a big yes to nice to have, but how?

Who we are collecting from

Because we only monitor very critical and abnormal events (like the security log getting wiped out), the chance of them happening should be very low, so we don't need big space on the log collector. We can collect event logs from laptops, servers and desktops, assigned by computer groups. We can deploy a GPO to make computers look for collectors for subscriptions. Each computer can submit to multiple collectors at the same time.

What we are collecting

We only collect critical events, like the security log getting wiped out, a local administrator account logging in on a laptop, local Administrators group membership changing, or a service getting installed, at the beginning. Those events are absolutely critical. We can easily control which events we want for each subscription.

What we do with those logs

SCOM can be used to monitor those security logs and alert the related teams for further investigation. A SIEM can be used to collect logs from the log collector server, and the log server can overwrite old logs to save disk space.

Enough said, let's take some action here.

I'm going to build 1 collector server to collect one client's logs. Yes, you can use multiple collectors as an active-active solution in case one of the collectors is down.

In this lab, I'm going to use HTTPS as the protocol rather than HTTP.



Tasks on the collector server

We have quite a few things to do on the collector server. The first step is to enable WinRM on the server.

WinRM configuration

WinRM acts as a proxy and interface on the server and passes requests to the event log service in the background. Hence we must enable WinRM.

One precondition for enabling WinRM is that the firewall service is running, because when you run winrm qc the following things happen. The command reports that it will perform the following steps:

  • Start the WinRM service.
  • Set the WinRM service type to auto start.
  • Create an HTTP listener on port 5985 to accept requests on any IP address.
  • Enable firewall exception for WS-Management traffic (for http only)


Old WinRM used ports 80/443. From WinRM 2.0, it uses 5985/5986.

Hence, yes, the Windows Firewall must be on.

Next, we need to create a new rule as we are going to use HTTPS on 5986.

So you must create an inbound rule to allow TCP 5986.

If you enable the Windows Firewall, you might want to open the following as well.

Remote Desktop – User Mode (both TCP/UDP)

File and Printer Sharing (Echo Request – ICMPv4-In)


Then, you can run winrm qc.

winrm qc is WinRM quick config; it configures this machine to accept WS-Management requests from other machines (think of a web proxy).

By default, WinRM can be used for different resource URIs. It can be used by WMI, IPMI, WinRM configuration and of course the event log URI (think of a web proxy acting as the front listener and passing information to Exchange or other servers behind the firewall).

When a client hits the listener, different URIs respond depending on the path the client API is accessing.

After you run winrm qc (you also need to start the WinRM service on all clients; just start the service, no need to create a listener), you can use the following command to test.

You can run winrm id

This information proves WinRM has started correctly. It also tells you which URI is responsible for the security profiles.

To check whether the client and the server can reach each other through their firewalls, the following commands can be used.

Winrm id -r:dest_server

Winrm id -r:source_server


Now, we need to check whether the listener is present.

Winrm e winrm/config/listener



Great, now we have a listener which accepts requests.

But notice it is the HTTP protocol; there is no HTTPS.

To get HTTPS, you need a web server certificate. A standard web server certificate will suffice; there is no need to create a template for it. Just make sure you put the FQDN in the common name and in the DNS name as well. Nothing special.

Once the certificate is in place, run mmc -> Add the Certificates snap-in -> Computer account.

Double-click the certificate (the one you generated from the CA), go to Details and select Thumbprint.


Now highlight all the details of the certificate thumbprint and press Ctrl+C to copy the content.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="ServerFQDNhere";CertificateThumbprint="9d0a10cbafd10fb34ff234a9c3ebbe7bee876d96"}

Modify the above command line with your own thumbprint and server FQDN, and run it in a command window on the server.

Use winrm e winrm/config/listener to double check.

You should see HTTPS appear as well.

Notice you get the hostname, IP and certificate thumbprint here.
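The certificate-to-listener steps above, scripted so they can be repeated and verified. This is an added example and not part of the original post; it assumes an elevated PowerShell on the collector (Windows 2012 or later for the NetSecurity and NetTCPIP cmdlets) and a web server certificate already enrolled into the computer's Personal store.

```powershell
# Added example (not from the original post): locate the web server certificate for
# this host, create the WinRM HTTPS listener from its thumbprint, open TCP 5986 and
# verify the listener, the port and the WSMAN SPNs. Run elevated on the collector.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# A WinRM HTTPS listener needs a certificate with a private key and the Server
# Authentication EKU (1.3.6.1.5.5.7.3.1) whose name matches the host; pick the
# longest-lived match from LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }) -and
        ($_.Subject -like "CN=$fqdn*" -or $_.DnsNameList.Unicode -contains $fqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable Server Authentication certificate for $fqdn in LocalMachine\My" }
Write-Host "Using certificate $($cert.Thumbprint) ($($cert.Subject)), expires $($cert.NotAfter)"

# Same operation as 'winrm create winrm/config/Listener?Address=*+Transport=HTTPS ...'
# above, expressed through the WSMan provider. An existing HTTPS listener is replaced,
# which is the case after a certificate renewal.
$old = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($old) { Remove-Item "WSMan:\localhost\Listener\$($old.Name)" -Recurse -Force }
New-Item -Path WSMan:\localhost\Listener -Address * -Transport HTTPS `
    -HostName $fqdn -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# winrm qc only opens 5985/HTTP; the HTTPS port needs its own inbound rule.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS (TCP 5986)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS (TCP 5986)' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain | Out-Null
}

# Verification 1: the HTTPS listener exists and carries the thumbprint we chose.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" } |
    Where-Object { $_.Name -in 'Hostname', 'Port', 'CertificateThumbprint' } |
    Format-Table Name, Value -AutoSize

# Verification 2: the port answers (a failure here is the firewall rule, not WinRM).
$tcp = Test-NetConnection -ComputerName $fqdn -Port 5986
if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP 5986 on $fqdn is not reachable; check the firewall rule" }

# Verification 3: the Kerberos SPNs clients will request are on the computer account.
$spns = setspn -L $env:COMPUTERNAME
foreach ($spn in "WSMAN/$env:COMPUTERNAME", "WSMAN/$fqdn") {
    if (-not ($spns -match [regex]::Escape($spn))) {
        Write-Warning "SPN $spn is missing; register it with: setspn -S $spn $env:COMPUTERNAME"
    }
}
```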

If you want to delete and reset everything because you did something wrong, use the following command.

winrm invoke Restore winrm/Config @{}

Be aware this resets the whole WinRM configuration, so if you have other important things configured in WinRM, you need to be more specific.

Now, WinRM is ready to use on the server.

Set up the SPN for your server

WinRM uses Kerberos authentication by default, hence an SPN is required.

After finishing WinRM, you can double check whether the SPN is registered by running

setspn -l servername

Then you are looking for WSMAN/servername and WSMAN/ServerFQDN.

If you can't find them, you must use setspn to create them.


Eventlog configuration

The next step is to configure the event forwarding subscription.

Go to services.msc to make sure the Windows Event Collector service is running.

Remember the client will reach the server to download the subscription to find out what it needs to upload.

First, we need to create a subscription; open Event Viewer.




Notice I selected Source computer initiated.

The reason I selected event 999 is that I can only create my own events between 1 and 1000, so 999 is selected here.

Select HTTPS and Minimize Latency for the lab.

Click OK, OK, then it's finished.

GPO configuration

Now, we need to create the GPO.

There are two basic items you must put into the GPO.

The first one is the link that leads the client to the server.



This is where you configure the link for the client to seek the collector server. As you can see from the picture, I have set up two servers, one for HTTP and one for HTTPS. The client is able to send events to both servers.

Be aware the format of the link has to be Server=http://serverFQDN:5985/wsman/SubscriptionManager/WEC,Refresh=10

The refresh here means how often the client contacts the server for subscription information. 10 means 10 minutes.

If you want to force the client to download the latest subscription, the best way is to run gpupdate /force


The second part of the GPO is security for the event log service.

The event log service on the client must allow Network Service to access and transfer events to the collector server. Hence, you need to grant permission for it.

The way you do it is as follows:

Log on to the client and run the following command line

wevtutil gl security


Notice everything after ChannelAccess:, which starts with O:BAG:SYD:xxxxx; this is the one we are after.

Now, read this line and check whether it contains (A;;0x1;;;NS). If it doesn't, you need to add it at the end of the line.

Now, put it into the GPO.



and push the policy to the client.
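The SDDL check above, done by script instead of by eye: it reads the Security channel's access string the same way (wevtutil gl security), adds the Network Service read ACE only if no NS allow ACE already carries the read bit, applies it locally and confirms it stuck. This is an added example, not from the original post; the resulting string is the value to paste into the GPO log access setting.

```powershell
# Added example (not from the original post): verify and fix the Security channel
# access SDDL so that Network Service (the forwarding identity) can read the log.

function Get-ChannelSddl([string]$Channel = 'Security') {
    # 'wevtutil gl' prints one 'key: value' per line; channelAccess holds the SDDL.
    $line = (wevtutil gl $Channel) | Where-Object { $_ -match '^\s*channelAccess:' } |
        Select-Object -First 1
    if (-not $line) { throw "channelAccess not found in 'wevtutil gl $Channel' output" }
    return ($line -replace '^\s*channelAccess:\s*', '').Trim()
}

function Add-NetworkServiceReadAce([string]$Sddl) {
    # Each ACE is one '(...)' group. 'NS' is the Network Service well-known SID and
    # 0x1 is the event log READ right; a wider NS allow mask that includes 0x1 is fine too.
    if ($Sddl -notmatch '^O:[^:]+G:[^:]+D:') { throw "Unexpected SDDL format: $Sddl" }
    $aces = [regex]::Matches($Sddl, '\([^)]*\)') | ForEach-Object { $_.Value }
    foreach ($ace in $aces) {
        if ($ace -match '^\(A;;0x([0-9a-fA-F]+);;;NS\)$' -and ([int]('0x' + $Matches[1]) -band 1)) {
            return $Sddl          # read already granted; return unchanged
        }
    }
    return $Sddl + '(A;;0x1;;;NS)' # append exactly the ACE the post adds by hand
}

$current = Get-ChannelSddl 'Security'
$wanted  = Add-NetworkServiceReadAce $current

if ($wanted -eq $current) {
    Write-Host "Network Service already has read access on Security:`n$current"
} else {
    # Apply locally first (the GPO pushes the same string to every client), then
    # re-read the channel so a silently rejected SDDL does not go unnoticed.
    wevtutil sl Security "/ca:$wanted"
    if ((Get-ChannelSddl 'Security') -ne $wanted) { throw 'wevtutil sl did not apply the new SDDL' }
    Write-Host "Applied. Paste this into the GPO log access setting for Security:`n$wanted"
}
```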

Client Configuration

Client configuration is relatively easy. Just make sure the WinRM service is running (it doesn't need to be configured) and that the group policy has been pushed and applied.

Now, we can use the command line to manually create an event to verify whether the collector has got it.

eventcreate /T Error /ID 999 /L application /D "Test0001"

Run this command in a CMD window; it will create an event in the Application log.



The main troubleshooting logs are on both the server and the client end.

Event logs

Check Forwarded Events under Windows Logs on the server to see forwarded events.

Check Applications and Services Logs -> Microsoft -> Windows -> EventCollector

Check Applications and Services Logs -> Microsoft -> Windows -> Eventlog-ForwardingPlugin

Check Applications and Services Logs -> Microsoft -> Windows -> Windows Remote Management
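The same checks from the collector side, as an added example that is not part of the original post: it looks for the test event created with eventcreate above, and when it is missing, prints the subscription runtime status and the latest errors from the three logs listed. The subscription name is an assumption; use the one shown by wecutil es.

```powershell
# Added example (not from the original post): run on the collector to confirm the
# client's test event (ID 999) arrived and, if not, gather the troubleshooting data.
param(
    [string]$SubscriptionName = 'Lab-Subscription',  # assumed name; see 'wecutil es'
    [int]$TestEventId = 999,
    [int]$Minutes = 30
)

# 1. Did the test event land? MachineName carries the source computer, so you can
#    see which client forwarded it and how long it took to arrive.
$forwarded = Get-WinEvent -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    Id        = $TestEventId
    StartTime = (Get-Date).AddMinutes(-$Minutes)
} -ErrorAction SilentlyContinue

if ($forwarded) {
    $forwarded | Select-Object TimeCreated, MachineName, Id, Message | Format-Table -AutoSize
} else {
    Write-Warning "No event $TestEventId in ForwardedEvents in the last $Minutes minutes"

    # 2. Subscription runtime status: which sources are active, inactive or in error,
    #    and the last heartbeat from each. Inactive sources mean the client never
    #    reached the listener (GPO link, port, SPN or firewall).
    wecutil gr $SubscriptionName

    # 3. Latest Critical/Error entries from the logs the post says to check. The
    #    Forwarding log is the client-side plugin and is normally empty on a pure collector.
    $logs = 'Microsoft-Windows-EventCollector/Operational',
            'Microsoft-Windows-Forwarding/Operational',      # Eventlog-ForwardingPlugin
            'Microsoft-Windows-WinRM/Operational'            # Windows Remote Management
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{
            LogName = $log; Level = 1, 2; StartTime = (Get-Date).AddMinutes(-$Minutes)
        } -MaxEvents 5 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Log'; e = { $log } }, Message |
            Format-List
    }
}
```

Access denied (error 5) in the WinRM log points at the collector-side permission issue described next; an SSL library error points at the port/certificate mismatch.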

Errors I have encountered

Access denied, error code 5


I had a terrible experience on my first run; I spent days trying to resolve it.

If you recall, Network Service is used by the client to communicate with the server, and over the network Network Service acts as the computer object. So from the server's point of view, this is a request from the client's computer account. My server somehow got a default security setting that blocks all computer account access.

By default, there should be a group called "Everyone", but it was missing. After I added the Authenticated Users group into this security setting, everything worked.


Encountered an internal error in SSL library


This is one of the silly mistakes I have made in my life. After a successful test with HTTP, I switched to HTTPS to make it work, but clearly I forgot to change the port from 5985 to 5986. Trying to fix that, I even created a whole new certificate template....

If you replace the certificate, you need to reboot your server. Restarting the WinRM service is not enough.

Leave comments if you want.

Today, we are talking about some tricks for promoting a Windows Server 2016 Server Core server to a domain controller.

Windows Server 2016 (currently TP4) installs in Server Core mode by default, which lacks a GUI, so normal configuration doesn't work. This post walks through an example of how to set up a second domain controller in the domain, the errors I encountered and how to fix them.

First of all, let me introduce my environment.

It's a simple environment with one domain and two domain controllers. The domain name is Marvel. The server names are MarvelDC01 and MarvelDC02.

They are both Windows 2016 servers, but DC01 has a GUI while DC02 is Server Core. You need a GUI Windows 2016 as a remote management server. Both servers are running on Hyper-V on a Surface 2.0 with Windows 10.


Build the first domain and domain controller

After I deployed DC01 with the GUI interface, I added Directory Services and promoted it to the first domain controller without any issues.

I have set up the FFL and DFL at the 2016 preview level.

The schema version is 85. (Will this be different after GA? ;))

Configure Server Core

Now, here comes the Server Core.

As you know, we need to change the computer name and IP, set up DNS and, personally, enable ICMP for ping tests as well.

We can use PowerShell or the command line, but I prefer to use sconfig, which is the fastest way to configure all of the above.

sconfig was introduced in Windows 2008 R2 as a VB script. Now, it is a CMD file. The current version is 5.812, and in Windows 2012 the version is 5.8, so not too much has changed.

sconfig.cmd can easily configure the firewall and the basic tasks you would do on Server Core. But it is not fault-proof, which I will mention later.


How to reboot a Server Core server?

Shutdown -r -t 1

How to check whether the system is domain joined or not



Join to Domain

Once that is done, you need to join the Server Core (MarvelDC02) to the domain. That can be done via sconfig as well.

Prepare for promoting to domain controller

If you think you are ready, then you are wrong. To promote a member server to a domain controller, we need domain admin rights to have full control on the member server. That should be done via GPO (Default Domain Policy). When the server has just joined the domain, it's in the Computers container, which doesn't accept any policies.

Hence, I created a Servers OU and moved the member server object into this new OU.

Then, you need to use gpupdate /force and gpresult /r to check whether the Default Domain Policy GPO is applied on this member server.

To promote the member server to a domain controller, we need to use dcpromo.exe, which was deprecated in the GUI version. You DO NOT need to install the Directory Services components like in the GUI version, as they will be installed automatically during the process. However, we need to create an answer file instead of typing all the parameters every time.

A sample answer file is as follows:


createOrjoin = join
replicaDomainDNSName = domain.tld
ReplicaOrNewDomain = Replica
UserDomain = DOMAIN
Username = administrator
Password = "P@ssw0rd1"
InstallDNS = Yes
ConfirmGc = Yes
CreateDNSDelegation = No
SafeModeAdminPassword = "P@ssw0rd"

We can call it dcpromoanswer.txt. The reason I mark the passwords in red is that once the file has been used, those passwords (marked in red) disappear from it. So if you need to run dcpromo again, you need to open the text file and retype the passwords.

Promote to Domain controller

After rebooting the member server, you need to log in to the server as Marvel\administrator. You need to hit the "ESC" key to get this screen.

The first screen remembers the last user login; hit "ESC".

Strange enough to see this screen; not quite sure what the meaning behind it is, but you need to hit "ESC" again.

This is what we want; you can select "Other user" to log in differently.



Believe it or not, I struggled with hitting the "ESC" key quite a bit. It just doesn't work!! It turns out that you MUST highlight the Windows (not your virtual machine) before you hit "ESC".

Now, you can run dcpromo.exe /unattend c:\dcpromoanswer.txt


If you are lucky, you will see the following screen and it's all good.

If you are not lucky..

Well, not everyone and not every day is lucky. You may run into the following errors, just like I did.


The above error tells you the password in the answer file has been wiped out. You need to retype the password.

The above error tells you that you didn't move your computer object (MarvelDC02) out of the Computers container.


Believe it or not, after multiple failed attempts, your member server has somehow made it half way through. So it's not a domain controller yet, but it is registered in the NTDS database. Hence, we need to use ntdsutil to do a metadata cleanup as follows.

Unfortunately, after cleaning up NTDS, your server object doesn't exist in AD anymore, so you need to leave the domain and rejoin. However, sconfig fails when your object is not in AD, so it is not able to leave the domain and join a workgroup.

What I did was run sysprep to regenerate the ID. That resolved the issue.

Group Policy not applied

This is another issue with my MARVELDC01. Its time flaps every couple of hours. MARVELDC02 is not able to sync GPO due to the time difference.

After investigation, you need to turn off the time synchronization service in the Hyper-V layer for that domain controller.

That's all for now. As usual, please leave feedback.


Hi guys,

Thank you for reviewing this blog. Sorry for not updating this site for a very long time, as I have been going through a few changes.

Recently, I got a new job which allows me to dig deep into technology again, but this time I will mainly focus on Microsoft products and Windows Server 2016.

Thank you for reading this site again.



Hi folks,

I didn't realize that would be the case for VMware. But when I checked and opened the file, I noticed this file contains the user and password (in plain text) for my RSA database on the SQL server!

Is this by design?

To be honest, I'm very disappointed that such a big security breach exists on vCenter Server.

I would recommend everyone running vCenter 5.x to check your server and see whether you can see it as well.

It seems like it only exists in vCenter 5.1.x. The file doesn't exist in vCenter 5.5.


Normally, I wouldn't directly forward a link, but this is too good to pass up.

Here it is.



In my last post, we discussed what we need to achieve in the lab. I'm pasting the diagram here again so we can use it as a reference. For more details, you can click through to the last post.



What can a Windows 2012 file server do?

A Windows 2012 file server can provide storage via SMB 3.0 shares and iSCSI. If you are looking for how to do an SMB 3.0 share, please follow this link. Windows 2012 also provides a native iSCSI feature which includes an iSCSI server end (target) and an iSCSI initiator (client end). It's all free.

With SCVMM 2012 SP1, the installation CD even comes with an SMI-S provider driver which you can install on Windows 2012 so VMM can import the Windows 2012 file server into the library as an iSCSI array rather than as an SMB share.

Import Win2012 File Server via SMB share


I have mentioned this before. VMM can import a file server via only one method. For example, if you have imported this file server via SMB share, you won't be able to import it via iSCSI. You must remove the server from the library and import it again.

Here is the procedure to import a Win2012 file server into VMM.

Before you do anything, you need to add your VMM service account (for example, svc_vmm) to the local Administrators group on the Win2012 file server.

You can't add an Active Directory group to the local Administrators group; you must use an individual user instead. Otherwise, it won't work.

Like the following:


After you have done that, open the VMM console and choose Fabric.

Clearly, you have 3 options here. Let's choose Windows-based file server (SMB share).

Provide the server's FQDN.

Now, what it does is push/install the VMM agent on the file server with the credentials of the account you chose before; that service account must have local admin rights on the file server.

Now, remember those are SMB shares.

The storage provider type is Native Windows WMI. That's how VMM gets all the information, by executing WMI remotely. But that native Windows WMI doesn't support iSCSI.

If you click File Servers, you will see it.

Let's check a Hyper-V host's properties.



Import Win2012 File Server via iSCSI Protocol


With an SMB share, you can't create a storage pool from VMM, nor a logical unit, which sort of defeats the purpose of VMM. At the end of the day, it is a Virtual Machine Manager. What happens if it can't allocate resources inside VMM in a multi-tenant scenario?

With a Windows file server, you don't need to download StarWind, FreeNAS or any other third-party SAN/NAS tool; you can just build an iSCSI box based on native Windows.

First of all, we need to install the iSCSI feature on the Windows file server.

Now, the next thing we need to install is the SMI-S provider on the Windows file server. SMI-S will allow us to connect VMM with iSCSI.

So from the VMM installation folder, you will find this file.

Copy that file to the file server. You need to check whether the stability patch KB2770917 has already been installed on the file server.

Now, you can install this SMI-S provider.


You MUST reboot the file server after installation, otherwise you will run into some strange issues.



Don’t forget to reboot.


On the client end, Testhyp01 and Testhyp02, you can do the following.

Install the iSCSI initiator

Run the iSCSI initiator

Just type the IP of the file server and click Quick Connect. It may not work for iSCSI, but at least it creates an iSCSI initiator.

Install Multipath I/O



If you have already imported the file server, remember to remove it first.

Then, you can add the storage again.

This time, we choose SMI-S provider.

After a scan




Now, you are able to see all the drives on the file server.

If you don't have any classification, you will get this. Then, you can build a classification. A classification is just a resource tag which you use to label different storage resources. I use Gold and Silver here.

Allocate storage resource in SCVMM 2012 SP1


When you allocate your storage resources in VMM, you should do it from the host group folder level.

Only iSCSI or SAN storage can be allocated to a host group. SMB shares can only be allocated at the host cluster level.

You can allocate a storage pool

Create a logical unit based on your new storage pool.

At the host cluster level

Convert this available storage to CSV

You can convert a CSV back to available storage, but only if it has no VMs sitting on it.



The end

Now, in this post, I'm going to talk about storage in SCVMM 2012 SP1 and also how to build a Windows 2012 file server to connect with SCVMM.

One thing I'm very sure about Microsoft is that they must love onions, because SCVMM 2012 combined with Windows File Server 2012 is like a huge onion which has many layers.

With embedded VHD technology, Microsoft deploys one layer of VHD after another, which makes me worried because a VHD can be corrupted. What would happen if one of the VHD layers got corrupted and you lost all the data on top of that layer? Or shall we wait for Windows 2012 R2, which may use VHDX instead of VHD?

Anyway, with no further ado, let's cut the onion open.

The following is the diagram of the file storage I used in my lab.

Let me walk you through this diagram first so you will have a better understanding instead of losing yourself in a million pictures of wizards.

Layer 1 (Physical Disks):

Target: File Server

Let's start with the physical disk layer on the physical host.

The Windows 2012 file server has 3 physical disks: 2 x RAID 1 for the OS, which is only 70GB, and 1 900GB disk with RAID 0.

Let's see a screenshot from the file server.



Layer 2 (Storage Pool):

Target: File Server

With Windows File Server 2012, you can build a storage pool, which we call VMMlib01.



Layer 3 (Virtual Disks):

Target: File Server

Now, we build a virtual disk on top of the storage pool.

Since this is my file server, I have built a number of virtual disks (the virtual disk concept equals a normal physical disk back in Win2k8). I have built 2 quorum disks of 1GB each, for the VMM cluster and the Hyper-V cluster.

VHD50, Virtual Disk 01 and VHD200 are my test virtual disks to store VMs.

For test purposes, I have set up both fixed and thin disks.


Layer 4 (Volumes):

Target: File Server

Same thing as a volume in the old OS. You give a drive label to each volume.

I have created a volume for each virtual disk. Those disks will be shared via iSCSI.

Layer 5 (Storage Pool):

Target: VMM server

In VMM, there are multiple ways to import storage into the VMM library. For the same target host (like the file server here), only one way of connecting will be accepted.

For example, if I choose to use an SMB share to connect to the file server, then I can't use iSCSI to connect in VMM.

You can choose to use a simple SMB 3.0 share, but then you will lose lots of storage functions.

If you choose FC/iSCSI as storage, you will be able to define your storage with different classifications. You may want to put fast storage pools into the Gold classification and slow storage into Silver or Brown.

The storage pool you find here is the same thing as the volume on the file server.
Layer 6 (Logical Unit)

Target: VMM Server

This logical unit is created based on the storage pool in the VMM server. You can choose to assign some of the space to a host group (not a cluster) and reserve some logical units for the future.

Layer 7 (Cluster Shared Volume)

Target: VMM Server –> Hyper-V Cluster

Believe it or not, assigning a logical unit to a host group doesn't mean your Hyper-V cluster is going to use it. From the cluster's point of view, it just got available space.

You need to convert it to a Cluster Shared Volume.





Now, if you switch to the Hyper-V cluster, you will see your shared volume is there.





To be continued.....

Well, this is a very stupid thing for me, who has been working with VMware products for years.

As you all know, I have a Hyper-V cluster (2 nodes) which I connect to iSCSI storage (Windows File Server 2012). I have built a CSV share and allocated it to the cluster via SCVMM 2012. But when I tried to clone (yes, clone, not even deploy),

I ran into the following error.


I checked everything up and down: cluster configuration, destroying the LUN, formatting the LUN, etc. Finally, I found this resolved the issue.

Why doesn't Microsoft just set this up as the default?

Anyway, that resolved my issue. Hope this post can help you.

This issue has the same cause as not being able to shut down a VM from the VMM console.





Well, don't worry about the file format (VMM 2012 SP1 supports both VHD and VHDX), and don't worry about the location of your VM (it can be on the local disks of the Hyper-V host or on shared storage); it has something to do with the virtual guest services, or what Hyper-V calls "Integration Services".

If you go to Hyper-V and try to install Integration Services on that VM, the system tells you that you are on the latest version already.

So what to do?

Just click "Refresh" in the VMM console.

This is clearly a bug in VMM, which imports VMs into VMM but doesn't check the integration services properly!