Reid A Blog

Lab Environment: Set All Users With Non-Expiring Passwords

2011-07-11T16:37:00.001+01:00

Using Active Directory Module for Windows Powershell (part of Windows 2008 R2 Active Directory and downloadable for earlier versions of AD) use the following cmdlet to set all your user to have non-expiring passwords. Great for lab environments:

Get-ADUser | Set-ADAccountControl –PasswordNeverExpires $True

Free/Busy Cross-Forest Working One Way Only

2011-07-08T10:36:00.001+01:00

Or indeed, not working at all! I had the issue of it working one way only (On-Premise Exchange organization > Office 365) but the other way (cloud to on-premise) did not work at all.

The answer is shown in this video

http://www.microsoft.com/showcase/en/us/details/a16a9d39-416a-4b01-a88f-5ff511580424

This covers the reasons why Free/Busy (and the other federation features of MailTips, archive and move mailbox might not work both ways in a Hybrid Coexistence setup for Office 365 or between two Exchange on-premise organizations.

The reason I found was the Organization Relationship contained the wrong list of domains. There are three domains (at least) that are needed in the organization relationship. These are:

Primary SMTP Namespace Domain (i.e. fabrikam.com)
Namespace for other organization (i.e. service.fabrikam.com)
Exchange Delegation domain (i.e. exchangedelegation.fabrikam.com)

In the organization relationship on-premise (or Org A if you are doing two on-premise organizations) set the following domains after the relationship is created. This includes the primary SMTP namespace and the service namespace for the other organization. This can be set with the following Exchange Management Shell cmdlet:

Set-OrganizationRelationship -Identity "To Cloud" -DomainNames "service.fabrikam.com","fabrikam.com" -MailTipsAccessEnabled $True -MailTipsAccessLevel All -DeliveryReportEnabled $True –TargetOwaUrl https://outlook.com/owa/fabrikam.com -ArchiveAccessEnabled $True –MailboxMoveEnabled $True

In Org B (or on Office 365) use a similar cmdlet, but use the Exchange Delegation namespace and the primary SMTP domain. Also Office 365 does not let you set the MailboxMoveEnabled property to $True

Set-OrganizationRelationship -Identity "To On-premises" -DomainNames "exchangedelegation.fabrikam.com","fabrikam.com" -MailTipsAccessEnabled $True -MailTipsAccessLevel All -DeliveryReportEnabled $True -ArchiveAccessEnabled $True

Supposedly Service Pack 2 for Exchange 2010 will do all this and more for you with the Hybrid Configuration Wizard, but its always useful for troubleshooting to discover what changes and why when you run a wizard to do things!

CRM Router and Exchange 2010

2011-07-04T15:56:00.001+01:00

To configure the CRM Email Router with Exchange 2010 you need to do the following. Not all of these points are clearly documented on the internet.

Create a mailbox (CRM_Router@domain.com)
Set password never to expire
Ensure that the mailbox is not hidden from the address list
Login to above mailbox
Enable impersonation with the following Exchange Management Shell command

New-ManagementRoleAssignment –Name: "ApplicationImpersonation-CRM Router" -User: "CRM_Router@domain.com" –Role:"ApplicationImpersonation"

[Optional] See http://blogs.msdn.com/b/crm/archive/2009/12/21/how-to-configure-microsoft-dynamics-crm-4-0-e-mail-router-on-premise-with-microsoft-exchange-server-2010.aspx for EMS commands to limit the scope of the CRM_Router user account
Configure the CRM Email Router as per http://snackbox.microsoft.com/pages/snackdetail.aspx?itemId=152&userId=&caid=&csId=%257b4c712394-1373-4d8e-b85e-369111823def%257d%2540%257b4a9965c4-db36-4193-9e83-32347ea3b0f1%257d
Ensure that CRM_Router@domain.com is a CRM System Administrator level account.

Publishing ADFS Through ISA or TMG Server

2011-06-24T10:59:00.001+01:00

To enable single sign-on in Office 365 and a variety of other applications you need to provide a federated authentication system. Microsoft’s free server software for this is currently Active Directory Federation Server 2.0 (ADFS), which is downloaded from Microsoft’s website.

ADFS is installed on a server within your organisation, and a trust (utilising trusted digital certificates) is set up with your partners. If you want to authenticate to the partner system from within your environment it is usual that your application connects to your AFDS server (as part of a bigger process that is better described here: http://blogs.msdn.com/b/plankytronixx/archive/2010/11/05/primer-federated-identity-in-a-nutshell.aspx). But if you are outside of your organisation, or the connection to ADFS is made by the partner rather than the application (and in Office 365 both of these take place) then you either need to install ADFS Proxy or publish the ADFS server through a firewall.

This subject of the blog is how to do this via ISA Server or TMG Server. In addition to configuring a standard HTTPS publishing rule you need to disable Link Translation and high-bit filtering on the HTTP filter to get it to work.

Here are the full steps to set up AFDS inside your organisation and have it published via ISA Server – TMG Server is to all intents and purposes the same, the UI just looks slightly different:

New Web Site Publishing Rule. Provide a name.
Select the Action (allow).
Choose either a single website or load balancer or use ISA’s load balancing feature depending on the number of ADFS servers in your farm.
Use SSL to connect:
Enter the Internal site name (which must be on the SSL certificate on the ADFS server and must be the same as the externally published name as well). Also enter the IP address of the server or configure the HOSTS files on the firewall to resolve this name as you do not want to loop back to the externally resolved name:
Enter /adfs/* as the path.
Enter the ADFS published endpoint as the Public name (which will be subject or SAN on the certificate and will be the same certificate on the ADFS server and the ISA Server):
Select or create a suitable web listener. The properties of this will include listening on the external IP address that your ADFS namespace resolves to, over SSL only, using the certificate on your ADFS server (exported with private key and installed on ISA Server), no authentication.
Allow the client to authenticate directly with the endpoint server:
All Users and then click Finish.
Before you save your changes though, you need to make the following two changes
Right-click the rule and select Configure HTTP:
Uncheck Block high bit characters and click OK.
Double-click the rule to bring up its properties and change to the Link Translation tab. Uncheck Apply link translation to this rule:
Click OK and save your changes.

ADFS should now work through ISA or TMG assuming you have configured ADFS and your partner organisations correctly!

PowerShell Script To Update All UPN’s

2011-06-15T17:22:00.001+01:00

This quick script will process all your user accounts in the domain and change the UPN for each of them to a new one, which you need to specify in the script in advance of running it. This script is useful for Office 365 Rich Co-Existence scenarios which require that the UPN (User Principal Name) for each account matches their email address.

Before running the below, add the UPN that you are going to use (your verified vanity domain in Office 365) to Active Directory Domains and Trusts and then copy the below to a text file, saving it as Update-UPN.ps1. Then run this script from an Exchange Management Shell.

$users = Get-User * -ResultSize Unlimited
foreach($user in $users)
{
   $UPN = "$($user.sAMAccountName)@new.upn"
    Write-Host "Setting " $UPN
   $user | Set-User -UserPrincipalName $UPN
}

Tip: Comment out the Write-Host line with # if you do not want feedback on each user changed – it will make the script go much faster

Tip: For testing purposes change the * in the first line to the name of a test user or do something like test* to change all users starting with the word “test” in their username.

Changing ADFS 2.0 Endpoint URL for Office 365

2011-06-14T14:38:00.001+01:00

If you are configuring single sign-on for Office 365 then you will need a server running Active Directory Federation Services 2.0 (ADFS 2.0). When you install this you are asked for a URL that acts as an endpoint for the ADFS service, which if you are publishing that endpoint through a firewall such as TMG needs to be on a mutually trusted certificate as either the subject name or alternative subject name.

The documentation uses sts.yourdomain.com which means you need to have this as a valid name of the certificate. I use StartCom SSL, which provide cheap certificates (approx. $100 for as many certificates as you like), but to change a certificate to add an additional alternative subject name requires revoking the current cert, and that comes at additional cost.

So I have a certificate with lots of name on it for my domain, just not sts.mydomain.com so I set about changing the endpoint in ADFS 2.0

Firstly open the ADFS 2.0 administrative console and select the root note:

Click Edit Federation Service Properties in the Action Pane and modify the three values on the General tab:

After clicking OK, restart the AD FS 2.0 Windows Service.

After the restart, create a new Token-Signing Certificate and Token-Decrypting Certificate. These are self signed certificates. To allow you to add these you need to turn off automatic certificate rollover if enabled. This can be done from PowerShell using Set-ADFSProperties –AutoCertificateRollover $false and this cmdlet is available in Windows PowerShell Modules in the Administrative Tools menu.

To update Office 365 start the Microsoft Online Services Module for Windows PowerShell, installed as part of the Office 365 rich co-existence process. In this PowerShell window type Update-MsolFederatedDomain –DomainName yourFederatedDomain.com. You will also need to login to Office 365 in this window first (Connect-MsolService) and set PowerShell with the name of the ADFS server (Set-MsolADFSContext –Computer ADFS_ServerName). Type Get-MsolFederatedDomain –DomainName yourFederatedDomain.com to ensure that the returned URL’s and certificates are correct.

Now its time to update the TMG rule, or create a new one. The listener in TMG must have the same third party certificate and be for HTTPS with the Public Name matching the certificate subject/subject alternative name and the Path value set to /adfs/*. The To page needs to be set with the same URL and internal IP address of the ADFS 2.0 server.

And that should be it – after the Update-MsolFederatedDomain –DomainName yourFederatedDomain.com has completed both sides of the federation trust are aware of the certificate change and automatic login to http://outlook.com/yourFederatedDomain.com should work.

Delegate Approval for Meeting Requests Failing

2011-04-04T12:49:00.001+01:00

If you require delegates to approval all room bookings in Exchange 2010 and you have the following two settings set to True then rooms will automatically be approved

AllRequestOutOfPolicy: True
AllRequestInPolicy: True

To require that rooms are approved by the delegate regardless of when the room is booked set AllRequestOutOfPolicy to False.

These settings require that AllBookInPolicy is False and that BookInPolicy and RequestInPolicy are both null.

Exchange 201o0 Update Rollups and Error 1603

2011-03-11T20:01:00.001Z

You download and begin to install an Exchange Rollup Update only to find after waiting ages for it do the NGen stuff it fails, and on watching it closely you notice it fails on stopping services.

In the event log you are pointed at a website with information on verbose logging for MSI installations.

But you can forget that – the fix is easy! Start and administrative command prompt and run the rollup update from the command line! It will work first time (as long as the update msi file is actually copied to the local machine, it will typically not run from a copy on a network drive.

.DLL Errors and Blackberry Enterprise Server

2011-02-11T15:20:00.001Z

During a configuration of Blackberry Enterprise Server today I found that I was getting .DLL errors when trying to create a MAPI profile on the BES Server (v5.0.2) when running IEMSTest.

Well it was not the usual stuff – it ended up being the alias that had been assigned to the BESAdmin account. The policy at the company where I am installing Exchange 2010 is last_first@domain.com, but the BESAdmin account does not have a first or last name and so got an email address of _9c73@domain.com, and so though I could login in OWA, I could not do a MAPI login (IEMSTest or Outlook – because the alias was not BESAdmin as they default to).

Once I changed the SMTP Address to BESAdmin@domain.com then it all worked fine.

Random Chinese Characters in Exchange 2010 SP1 Emails

2011-01-19T01:47:00.001Z

I have been sent a few emails from a client that start like this:

格tml> 格ead> 猼tyle㰾!-- .hmmessage P { margin:0px; padding:0px } body.hmmessage { font-size: 10pt; font-family:Tahoma } -->⼼style> ⼼head> 㰊body class='hmmessage'>

The HTML characters repeat throughout the message, but not on every message, though those sent from Hotmail are typically affected (but it is not always Hotmail).

The problem is due to the email having character encoding in the charset META tag that differs from the character encoding in the MIME part and a HTML disclaimer having been added. When Exchange 2010 SP1 adds the HTML disclaimer it re-encodes the message and this results in a corrupt message because the wrong character set information is read.

The fix for this has been documented in KB969129, which refers to Exchange 2007, but the same fix is true for Exchange 2010 SP1.

The fix is to add the DisableDetectEncodingFromMetaTag attribute to EdgeTransport.exe.config. This file can be found at \Program Files\Microsoft\Exchange Server\V14\bin and can be opened in Notepad. Make a backup of the file before you change it and then add to the <appsettings> area of the file the following

<add key="DisableDetectEncodingFromMetaTag" value="true" />

After you save the config file you need to restart the Microsoft Exchange Transport service for the setting to take effect.

MCM Exchange 2010 Video Previews

2010-12-28T19:48:00.001Z

Fame at last! Well not really, but here (http://blogs.technet.com/b/themasterblog/archive/2010/12/28/mcm-exchange-video-preview.aspx) is a video introducing the MCM Exchange class posted on the MCM Blog. The video is a 30 minute segment from the class without the interaction amongst the students that the class always has, and the reason for this lack of interaction is that it was recorded in the front room of my house.

Typically this content (the Header Firewall and Connector Permissions) could take one hour or more to cover when you include specific examples, a lab and all the different things to be aware of with regard to the subject.

GoDaddy SSL Certificate Approval with TXT Records

2010-12-21T09:40:00.001Z

I had a bit of an issue with Go Daddy yesterday in that they took 5 days to approve a Subject Alternative Name change to a certificate, and as the usual route of adding a file to a website was unavailable to me I decided to prove ownership of the domain by the addition of a new TXT record to the domain.

Go Daddy’s instructions for doing this are only suitable for domains hosted at Go Daddy and there are no clear instructions for doing this if you do not use Go Daddy for your DNS hosting.

So how do you create an SSL approval with TXT record? You do it by creating a TXT record for a subzone. The subzone is DZC and the value of the record is the seven character string that Go Daddy sent you via email. For example dzc.domain.co.uk TXT AbCdEfG.

Once DNS has replicated to ALL of your DNS servers you can return to Go Daddy’s web form and approve your SSL certificate. You can check if all your DNS servers have your new data by using NSLookup or Dig, but preferred is the use of either of these two tools from an independent third party on the internet – for example www.kloth.net/services/nslookup.php or www.dnssy.com/lookup.php.

Unknown Error, Outlook 2003 and Exchange 2010

2010-12-03T17:11:00.001Z

It’s a well documented issue with Outlook 2003 connecting to Exchange 2010 that means Outlook 2003 is not as responsive in Online mode as it was with legacy versions of Exchange Server (http://support.microsoft.com/kb/2009942).

What is less well documented is an odd error message that can appear because of this interaction.

Imagine the following scenario. User on Outlook 2003 has lots of messages to delete, and deletes them one at a time. Outlook will not refresh the display for up to 5 seconds (the lowest setting that you can tell Outlook to refresh, via the Maximum Polling Frequency registry key). The problem is that if the user deletes a message and it does not disappear from the screen and then (thinking its gone, and the highlight has moved onto the next message) presses delete again. Outlook generates “Unknown Error” – which is not exactly helpful, and could appear as often as every other message that is deleted.

How to fix: Cached mode (though in the scenario I came across the above it was Outlook on a Terminal Server, so that’s not an option), upgrade the client version of Outlook, or use Shift or CTRL select and delete all your emails in one go!

iPhone 4 and Exchange 2003/2010 ActiveSync Slow Performance

2010-11-19T15:51:00.001Z

This is a well known problem now, and has been since the first releases of the iPhone 4 in July 2010. Later updates to iOS (4.1 and later) do not exhibit this problem, but if you are upgrading an Exchange 2003 organization to Exchange 2010 there comes a point where you switch over the endpoints that the users connect to. Its at this switchover that you will experience performance issues if there are any unpatches iPhones in your user population. But, and here is the catch, as you have yet to migrate these users to Exchange 2010 you cannot use the Allow/Block/Quarantine feature (ABQ) of Exchange 2010 to restrict the phones access attempts.

The phones will connect to Exchange 2010 and be proxied to Exchange 2003 and the performance issues will set in. So how do you stop the phones at Exchange 2010?

You use a feature of IIS instead, you can block query string values in the Request Filtering feature of IIS 7.5 (or installable add-on for IIS 7.0).

Add the following to the web.config in c:\inetpub\wwwroot to globally block iPhones, and once you have a list of bad specific devices you can expand this list some more.

<system.webServer>
<security>
    <requestFiltering>
      <denyQueryStringSequences>
        <add sequence="DeviceType=iPhone" />
      </denyQueryStringSequences>
    </requestFiltering>
</security>
</system.webServer>

Windows Search Across The Network

2010-10-14T10:19:00.001+01:00

Windows 7 has Windows Search built in, but it will only index locations on the local PC or folders that you have made available offline.

What about the rest of your network? An error you might see because of this is “This network location can't be included because it is not indexed”. If the servers also get an install of Windows Search on them then Windows Search on the client can talk to the Windows Search instance on the server and produce one set of search results, covering all network locations and local folders.

How do you tell the client which servers to communicate with for search results? You need to add the folders that you are interested in querying the index for to your Libraries on Windows 7. Let’s walk through this process.

Install Windows Search on your servers

If you are running Windows 2008 then add the File Services/Windows Search Server role. You probably have some of the File Services role already installed, and in that case use Add Role Services to add the Windows Search Service role.

If you are running Windows 2003 Server then you can install Windows Search 4.0 as a download from Microsoft.

The installation in Windows 2008 will ask for the storage locations to index, and you need to include the drives that contain your shared folders.

Once installed the index for the search will begin to be created. This can take some time initially, and if you want to be able to index content other than the default content (see http://msdn.microsoft.com/en-us/library/bb233501.aspx for the default filters installed) then you should install these filters as soon as possible (to save the index needing to redo files it does not know first time around). Most importantly you need to install Adobe Reader iFilter if you want to filter .pdf documents and the Microsoft Office 2010 Filter Pack if you want to index the new file formats for Microsoft Office.

Adobe have a free filter (download the correct one based on the version of your server) and Foxit Software have a paid for one, which is more reliable than the Adobe one. Adobe are on version 9 at the time of writing and can be downloaded from http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025 for the x64 version (which is the one needed if you are running SBS 2008).

The Microsoft Filter Pack can be downloaded from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5CD4DCD7-D3E6-4970-875E-ABA93459FBEE&displaylang=en

Other iFilters for other document types exist. If you are running a 32bit version of Windows then an installation of Adobe Reader will include the 32bit iFilter. A search of Google for “iFilter” will show you others.

Finally, via Control Panel > Indexing Options > Advanced you can set the location where the search index data is to be stored. This can total up to 40% of the size of the indexed content and so should be placed on a suitably sized disk. You need to restart Windows Search to move this index.

Configure Windows 7

Once the search is configured, you can add the shared folders to the Libraries feature in Windows 7. To do this open Explorer to Computer and under Desktop you will find Libraries. Create a new Library called “Network” (or a name of your choice)" and add the shared folders on the server that is now indexed to the library. Note you cannot add shared folders that are not included on a server running search to a Library.

Now you can go to Start and type keywords into the Search bar and find documents on the local machine or on remote servers!

Configure Legacy Clients

Windows XP and Vista can have Windows Search installed, but do not support Libraries. For a legacy client to search a network location they need to open the network location (either via mapped drive letter or directly with the \\server\share UNC path format. The client will query the search server remotely and return quick results. There is no way on the legacy clients to do a single search from the Start Menu or Taskbar search box of all your locations in one go, unlike Windows 7.

If you have many servers then consider Microsoft FAST Search Server 2010 for SharePoint instead.

VirtualBox

2010-07-29T10:45:00.001+01:00

I am presenting at Exchange Connections 2010 later this year, and I need to set up some demo machines. I need my demo to run Exchange 2010, which is a 64bit application and I do not have guaranteed internet access so I cannot run my demo’s via my lab machines in the UK.

But I cannot use Virtual PC 7 installed on my Windows 7 laptop. And I do not want to reinstall my laptop with Windows 2008 Server to allow me to run Hyper-V.

So I have installed Oracles VM desktop product, VirtualBox. And this blog is just to describe how to do what we know as base images and differencing files in Virtual PC/Hyper-V on VirtualBox, and to use the VHD disk format which VirtualBox supports so that I have the option of moving my virtual servers between Virtual PC (if it ever supports x64 guests), Hyper-V servers and VirtualBox.

So to create a new VHD hard disk for use in VirtualBox open a command prompt, change to the directory in which you installed VirtualBox (probably C:\Program Files\Oracle\VirtualBox) and run the following command:

VBoxManage createhd --filename "path\filename.vhd" --size 130048 --format VHD --variant standard --remember

This will create a dynamically expanding hard disk in the location specified, in the Microsoft VHD format, and 130048KB (127GB).

Next you create a new virtual guest in the VirtualBox application (or via the VBoxManage command line if you wish) that uses this existing disk.

Boot this virtual guest, and then install the required OS and patches etc. Once this guest is ready to be a base image you can shut it down. If you are going to use this base images as a Domain Controller then you need to reset the SID’s on the device using either NewSID from Sysinternals or Sysprep before you move onto the next step.

Now that you have the base image, you need to mark it as such in VirtualBox. This is done from the command line:

VBoxManage modifyhd "path\filename.vhd" --type immutable

And then you need to delete the virtual guest settings that you used to create this disk. This disk is not deleted.

To create the virtual guests that use the “immutable” disk (aka parent/base disk) in Virtual PC/Hyper-V you would need to make a second disk, but not in VirtualBox. Here you just use the same disk. As you have marked it as immutable a snapshot disk will be created (in the .VirtualBox folder of your profile) and all changes will be written to this disk instead.

Restrictive Throttling Policies in Exchange 2010

2010-01-13T20:40:00.001Z

Exchange Server 2010 has the ability to limit user and administrative actions. But in testing this feature in a lab I set the default policy (which by default affects everyone, including the Administrator account) to a policy that stopped me undoing the policy again!

I ran Set-ThrottlingPolicy def* -PowerShellMaxConcurrency 1 -PowerShellMaxCmdletsTimePeriod 1000 -PowerShellMaxCmdlets 1 which had the effect of saying I could open one PowerShell session (that is okay - its my lab environment), run a single cmdlet (maybe a bit too low) and to run one cmdlet every 1000 seconds. I had not worked out that 1000 seconds is over 15 minutes.

The problem came two days later, starting Exchange Management Shell and connecting to the remote PowerShell endpoint obviously invokes more than one cmdlet. The second cmdlet is terminated, and so Exchange Management Shell cannot start - ever!

The error message I got was:

The WS-Management service cannot process the request. The user load quota of X requests per Y seconds has been exceeded. Send future requests at a slower rate or raise the quota for this user. The next request from this user will not be approved for at least Z milliseconds.

X is the value of PowerShellMaxCmdlets and Y is the PowerShellMaxCmdletsTimePeriod

So to fix I cracked open ADSIEdit - not to be done lightly, as it runs the risk of destroying the entire Exchange organization and Active Directory.

To fix this and reset the Throttling Policy connect to the Configuration Naming Context in ADSIEdit and navigate to CN=Global Settings,CN=organization name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain. Open CN=Default Throttling Policy_guid and edit msExchPowerShellThrottlingPolicyState to read:

v~0~con~18~cmds~-1~per~-1~que~-1~excmds~-1

Once Active Directory replicates you will be able to run PowerShell cmdlets in Exchange Management Shell. The first cmdlet I would run would be one to ensure that you are back to the default policy just in case you made a mistake in ADSIEdit:

Set-ThrottlingPolicy def* -PowerShellMaxConcurrency 18 -PowerShellMaxCmdletsTimePeriod $null -PowerShellMaxCmdlets $null -PowerShellCmdletQueueDepth $null

RegRead and Error -2147024894

2009-12-17T09:58:00.001Z

Error -2147024894 appears when you use the WScript.Shell RegRead object to read a registry key that does not exist. But why would you get this error when the key does exist!

Probably because you are running your code inside a HTA and using a 64bit operating system.

The HTA environment is mshta, which is 32 bit. This means that when your code reads registry entries such as HKLM\Software\Microsoft\Windows via a HTA on a 64bit OS it is really reading HKLM\Software\Wow6432Node\Microsoft\Windows. Therefore if you have values or keys at HKLM\Software\Microsoft\Windows and not at HKLM\Software\Wow6432Node\Microsoft\Windows then you will get error -2147024894 because the value/key cannot be found.

Run the HTA on a 32bit OS and it work fine. But most confusing is that if you take the code from the HTA script and save it to a .vbs or .js file and run it (on the 64bit OS) via wscript or cscript then the script will find the registry key at HKLM\Software\Microsoft\Windows because in this instance the wscript or cscript environment is 64bit.

Of course this is true for any HKLM\Software registry entry.

Scheduling Backup on Microsoft Hyper-V Server

2009-11-17T20:12:00.001Z

To do a backup of the virtual machines installed on your Hyper-V Server (2008 or 2008 R2 editions) you need to complete the following steps.

Install the backup feature by typing start /w ocsetup WindowsServerBackup from the command prompt.
Get a list of the drives on which Hyper-V Server has stored virtual machines. This will be C: unless you have made changes.
Determine the times you want to run the backup at.
Determine the drive letter of the removable disk by typing at the command prompt each of the following commands
1. diskpart
2. list volume
3. The disk drive letter will be displayed for the disk that matches the size of your removable disk.
4. Type exit to exit diskpart.
From the command prompt type wbadmin enable backup -addtarget:x: -schedule:hh:mm,h2:m2 -include:y:,z: -systemState -allCritical to backup to drive X: the contents of drives Y: and Z:, the system state and all drives critical to the running of the server.
Confirm you want to schedule the backup at times HH:MM and H2:M2 (for twice a day). If you want one backup a day use HH:MM and if you want more than two just comma separate a group of times. Enter times as per local timezone. Check the current time on the Hyper-V Server by typing time from the command prompt.
Start a backup now if you want by typing wbadmin start backup and confirming to use the same settings as the scheduled backup.
Backup will proceed in the console. If you log out backup will remain running.
Enter wbadmin enable backup to see the settings you have enabled.
Type wbadmin get versions to see what backups have completed.

Booting a Server with a USB Key

2009-07-08T16:40:00.001+01:00

There are numerous instructions on the internet for creating and booting a server with a USB key, but they were all complex or hard to read – even for a techy like myself.

So I thought I would rewrite a simple list of instructions to allow you to create a DOS bootable USB pendrive/key that you can use for any purpose (i.e. flashing BIOS's and other low level functions, as well as booting into other operating systems).

Download download bootable_usb.zip from www.lowfps.com. This is the website these instructions are based on, but I wanted something clearer than that.
Extract the download to a temporary location (i.e. C:\Users)
Run the HP bootable media.exe program and install the software.
Insert the USB key you want to use – it will get wiped during this process to backup its contents if needed.
Run the HP USB Disk Storage Format Tool from the desktop or Start Menu. If you are using Vista or later then you will need to run the program in elevated mode (right-click program and choose Run as administrator).
Select your USB key and choose to do format the key with the FAT or FAT32 file system. Choose Quick Format and select Create DOS Startup Disk. Pick the sub-option "Using DOS files located at" and select the same "DOS Files" subfolder in the location where you extracted the download too (C:\Users in my above example).
Click OK. The USB key will be wiped during this process and a copy of the core files for Microsoft Millennium DOS will copied to the key.
When complete copy to the key any files that you need to execute in DOS mode on the PC (for example I needed to update the BIOS on a x64 Windows Server 2008 Server Core installation running on a Dell Optiplex 755 and it said this was not allowed). The files you copy to the key must work in DOS though.
Shutdown the server and insert the USB key. You must do a hard reboot, a restart will not work.
Restart the server and press F12 to bring up the one-time boot menu (if you do not have this option then go into setup [Del or F2] and ensure USB booting is enabled and set to the primary option).
In the boot menu choose the USB key option.
From the C:\ prompt run the programs you need to start. Note that this is old style DOS and not the Command Prompt in later versions of Windows – so no command completion using the TAB key. So place the files in or near the root folder.

Windows Backup Failure on Windows Server 2008

2009-07-03T16:02:00.001+01:00

I recently had a case where Windows Backup would fail at approx. 75% complete during a full backup. The backup utility and command line both reported that "The system cannot find the file specified". The Event Viewer/Application... Services/ Microsoft/ Windows/ Backup/ Operational reads "Backup target is running low on free space. Future backups to this target may fail for want of enough space." and then at the same time and immediately after that we get "Backup started at TimeZ' failed with following error code '2147942402'" which means file not found or unknown error.

After a series of email communications with the Windows Backup team at Microsoft India (where, incidentally, the program was developed) the answer came back that I should run chkdsk /r and reboot the server. As this process can take hours this occurred out of hours and actually in my case needed to be repeated twice. A normal chkdsk command, run whilst the server was online, reported that the disk had errors and could not continue.

After running chkdsk /r twice, from an elevated command prompt, the backup started to work again.

Uninstalling Virtual Machine Additions in Hyper-V

2009-06-24T14:37:00.001+01:00

The error message "this installer may only be run inside of a virtual machine" appears when you try to remove old virtual machine additions (from Virtual Server 2005/Virtual PC 2004) when running the virtual machine in Hyper-V.

The migration guidelines recommend the removal (but do not mandate it) of the Virtual Machine Additions. But this is probably because later versions of the additions can be removed from inside Hyper-V, earlier versions cannot.

The problem is the existence of this software stops the installation of the Hyper-V Integration Services.

So to remove the Virtual Machine Additions of the Hyper-V guest (that has been previously used in Virtual PC/Server) you need to do the following:

Shutdown the Hyper-V virtual guest
Share the folder containing the VHD for this guest
Install Virtual PC 2007 or later on another computer
Create a new virtual guest on the Virtual PC, pointing the VHD property to the shared VHD on the network and do not create undo disks.
Boot the Virtual PC guest and uninstall the Virtual Machine Additions. Any prompts about new hardware should be ignored by pressing the Cancel button.
The removal process will require a reboot. Once the reboot has completed you can then shutdown the virtual PC.
Remove the Virtual PC guest, stop sharing the VHD folder and restart the guest in Hyper-V.
Install the Hyper-V Integration Services.

If the virtual guest is so old as to have a Standard PC HAL installed then attempts to install the Integration Services results in the following error "Setup cannot upgrade the HAL in this virtual machine. Hyper-V integration services can be installed only on virtual machines with an ACPI-compatible HAL. For information about hardware requirements, see the Hyper-V documentation".

This cannot be fixed and so if you have an old virtual machine that has a Standard PC HAL (from Device Manager > Computer) then do without the integration services or rebuild the guest from scratch.

Message Tracking Logs ‘And/Or’ Error

2009-06-16T15:11:00.001+01:00

The following message appears in the Exchange Server 2003 message tracking logs:

The object 'and/or' in the message tracking logs can't be found in the directory. The object may have been deleted. The tracking history may be incorrect.

This is an error that can be ignored as it does not mean that the email message that you are tracking has not been delivered (discounting other errors that is).

This error occurs in the Exchange Server 2003 tracking logs because the logs store the name of the recipients server, and if the recipients server is determined to be ‘and/or’ then that is what the log will read.

I have noticed that this error occurs when Exchange Server 2003 talks to Exim 4.69 servers with the following welcome message:

220-server.fqdn ESMTP Exim 4.69 #1 date time
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

This welcome message is spread across three lines and the last line reads “220 and/or bulk e-mail”. Exchange uses the first word following 220<space> (and not 220<dash>) as the server name.

For example, the following is the welcome banner displayed by Postini/Google, which is a single line:

220 Postini ESMTP 108 y6_19_2c0 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.

Therefore Exchange will identify this server in the message tracking logs as “Postini”.

Editing the Registry on x64 Windows Computers

2009-06-08T13:55:00.001+01:00

This is, in the main, just a quick note to myself! When editing the registry on a Windows x64 based computer, but the program that will read those registry settings is a 32 bit application then you need to change the location that you edit to the “Wow6432Node” rather than the usual location.

Note that when blogs and other technical articles write down a registry key they do not often mention that the registry location you need to change is not what they have written down!

For example, there is a problem in the Windows 7 RC release in which Internet Explorer 8 does not show some webpages resulting in an error “A webpage is not responding on the following website:” (see http://support.microsoft.com/kb/970858). The registry key describes setting the hangresistance value, but as Internet Explorer is a 32 bit application you need to set the hangresistance value at HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\ and not at HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\.

If you follow the advice in the Microsoft support article KB970858 then it will not fix the problem on a 64 bit machine. You need to edit the Wow6432Node value instead.

There is an x64 version of Internet Explorer installed, but the common one that people use is the 32 bit version – if you use both, set both registry keys.

Running MOC Courseware Virtual Machines on Windows 7 RC

2009-05-29T13:13:00.001+01:00

Once you have installed Windows 7 RC and downloaded Microsoft Virtual PC you might have the need to run Microsoft Official Curriculum courseware virtual machines. And therein is a problem.

The virtual machines are built to use Virtual Server 2005, but that cannot install in Windows 7, so you cannot use the Lab Launcher. Though you can install the courseware drives, you will need to run the installer in compatibility mode or the VHD installer will not run.

Once you have the VHD files unzipped you need to configure Microsoft Virtual PC to load them up. This though is a problem if you are not located in the same timezone as the creators of the base disks (PST timezone).

The steps to create a virtual machine when you are in a different timezone are:

Start the virtual machine wizard and make a note of the location value. You will need to modify files in this location later on
Set memory and untick the network connections option
Browse to the exiting hard disks folder. Enable undo disks at this time as well
If you are in a different timezone you will get the following cryptic error
Click OK and modify the file used to point to either any of the “allfiles” disks (as these are not differencing disks) or create your own empty vhd for the time being
Complete the creation steps and then bring up the settings of the new virtual machine (with the wrong disk attached)
Modify the network settings to Internal Network and add any additional disks needed (this will be described in the full setup guide for the course) and close the settings dialog.
Browse to the folder that contains the actual settings file (the vmc file). This folder is the location value from step 1 (defaults to C:\Users\username\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines).
Open the vmc file in Notepad (or an XML editor) and change the settings to that which you require. These changes are for disks. Look for ide_controller 0 and ide_controller 1 (if present) and change the name of the vhd file to the correct disk name.
Modify the time sync. settings as per disabling-time-synchronization-under-virtual-pc-2007. The virtual machines from Microsoft for training purposes have a grace period and if you bring them up with the current date/time on them (which Virtual PC 2007 does automatically) then you will need to activate them.
Save the file when your changes are completed.
Start the virtual machine. You will see this error message - Inconsistency in virtual hard disk time stamp detected - The virtual hard disk's parent appears to have been modified without using the differencing virtual hard disk. Modifying the parent virtual hard disk may result in data corruption. It is strongly recommended that you mark the parent virtual hard disk as read-only to prevent this in the future. If you recently changed timezones on your host operating system, you can safely continue using this virtual hard disk.
This can occur for a number of reasons, but if the reason is timestamps then click OK. DO NOT click the option not to show the message again, or you will not be able to get past this error without modifying the options.xml file in C:\Users\username\AppData\Local\Microsoft\Windows Virtual PC.

The virtual PC will start, and will prompt you about updates to the integration components, but that is only a minor , so that can be ignored when you are presented with that error, unless you want the error to never show again per machine, in which case install (at your own risk and numerous reboots) the integration components.

Finally, you might need to reactivate some machines, as the hardware will have changed.

Create i386 CMAK Profile on x64 Machine

2009-05-28T15:36:00.001+01:00

Informing users and clients how to connect their Windows PC to a VPN connection is easy, but could be easier. There are a few questions to answer and having the user type this in might mean wrong answers, and therefore a supsequent support call would be required.

To ease this issue, and reduce the support call costs Microsoft have made available for a number of years the Connection Manager Administration Kit (CMAK). Lots of websites and blogs describe how to make CMAK profiles but to date none that I can find solve the problem of installing CMAK on a x64 version of Windows 2008 (for example Small Business Server 2008, but any x64 bit architecture will do) and attempting to deploy the resulting executable on a i386 XP architecture.

The CMAK program within Windows 2008 (added to the default installation by adding a feature) has options for the creation of a "downlevel" build (i.e. XP, 2003 and 2000) as well as a Vista build (which covers 2008 and Windows 7 as well) but the resulting executable made from the downlevel option is not valid.

The reason for this is many. Firstly the executable is constructed using iexpress.exe on an x64 machine - resulting in a x64 installer that will not run on a i386 machine. Fix this problem (see below for steps) and you find that the installer runs a program to actually create the connection object in the Network settings area of Control Panel, but this program (cmstp.exe) is also x64 architecture and so will not run on an i386 architecture machine.

Before we go into the steps to do this successfully, here (for the benefit of the search engines) are the different errors that you will see:

This profile was not built for this processor architecture. Please contact your Administrator to get the appropriate profile for this architecture.
profile.exe is not a valid Win32 application.
Error creating process <c:\docume~1\user\locals~1\temp\ixp000.tmp\.\cmstp.exe>. Reason: C:\WINDOWS\system32\advpack.dll

To fix this and create an i386 connection profile on an x64 architecture machine involves modifying the file that controls the creation of the executable (the .sed file) and getting two files from either an i386 Windows Server 2003 installation or an i386 XP installation.

First for those extra files. On the Windows 2008 Server that has CMAK installed, and having successfully created a profile (see windowssecurity.com and uksbsguy for profile creation steps) you need to create a folder called i386 inside C:\Program Files\CMAK\Support\en-US (C: and en-US might be different on your installation). This is best done from an elevated command prompt. Inside this folder place advpack.dll and cmstp.exe from an i386 installation of Windows Server 2003 or XP Professional (ensure latest service packs and patches on the source machine as well). Both of these files are found in \windows\system32 on the source installation.

Secondly, also from the elevated command prompt, you need to create a copy of the .sed file for each architecture you want to build for. The .sed file is named after the profile name that you have created and is located in a subfolder of C:\Program Files\CMAK\Profiles\Downlevel where the subfolder is the name of the profile. The default .sed file will work on x64 XP. Therefore to create a .sed file for i386 XP copy profile.sed to profile-i386.sed and then open this file in notepad (by typing notepad profile-i386.sed from the elevated command prompt).

The third step is to edit this .sed file so that the entries that point to the location of cmstp.exe and advpack.dll are to the new files you copied in the first step. Therefore change the line that starts FILE0= and the line that starts FILE1=. These should read something like the following:

FILE0=C:\Program Files\CMAK\Support\en-US\i386\advpack.dll
FILE1=C:\Program Files\CMAK\Support\en-US\i386\cmstp.exe

Additionally, but not required, I also change the TargetName= value from profile.exe to profile-i386.exe so that it does not overwrite the x64 executable that has already been created by the CMAK wizard and I edit the InstallPrompt= value to include something that indicates that I am about to install the i386 version of the connection object.

Now close and save the changes made to the new .sed file.

Finally you can build the executable. But the fun does not stop here. You might have noticed from the errors above that one of the errors is that the executable is not a valid win32 executable. This occurs if the x64 version of iexpress.exe is used to create the installation program. You need to use the 32 bit version that is installed on the x64 machine. The 32 bit version of the program is found in c:\windows\syswow64 (this stands for Windows On Windows 64) and so from the elevated command prompt type \windows\syswow64\iexpress /N profile-i386.sed (this is one command on one line if your browser happens to wrap the text over two lines). This will create the executable named after the TargetName value in the .sed file. This can then be copied to your software installation share and deployed to your users.

CRM 4 Fails to Run In Outlook on Terminal Services

2009-05-28T15:34:00.001+01:00

If CRM 4 Client is installed on a Citrix/Terminal Services server and the initial installation (done when in CHANGE USER /INSTALL mode) also includes starting Outlook for the first time then a registry key is set in the Terminal Services registry shadow. This means that once you go into CHANGE USER /EXECUTE mode and a new user logs in they get the registry keys set during installation as part of their profile.

This is by design if the registry keys that are set are not needed to be unique per person. And CRM has one registry key that needs to be unique for each user logged into the terminal server. This is the ClientRemotingChannel registry value located at HKCU\Software\Microsoft\MSCRMClient.

If more than one person is connected to the terminal server and running Outlook with CRM configured then behind the scenes the CRM hoster application will be running. The ClientRemotingChannel registry key controls the ability of this application to communicate with Outlook and the CRM server and therefore this registry value must be unique for every logged in user on the terminal server at the same time. If more than one user has the same value (which they will if initial installation is done as above) then the 2nd concurrent user will fail to connect to CRM via Outlook – web access will work fine.

Therefore ensure that the shadow registry value for this (HKLM\SOFTWARE\Windows NT\…\MSCRMClient) is not set and that all users that already have a duplicate value have the registry value deleted. The hoster application will recreate the registry value when it starts with a unique value if the registry setting is missing.

A clue to the existence of this error will be the application event log error "Failed to create an IPC Port: Access is denied".

Hyper-V on the Dell Optiplex

2008-06-14T15:17:00.001+01:00

With the correct BIOS settings enabled on a E8500 processor (see http://processorfinder.intel.com/ for the processors that support EM64T, Virtualisation and Execute Disable which is needed for Hyper-V to work), and with them and the Trusted Execution property set to On in the BIOS I got the following errors with Hyper-V RC1 on Windows 2008 Enterprise Server RTM (running Server Core):

Hyper-V launch failed; Either VMX not present or not enabled in BIOS.
Hyper-V launch failed; at least one of the processors in the system does not appear to provide a virtualization platform supported by Hyper-V.

Fixed this by rebooting and pressing F2 to enter the BIOS and disabling the following settings

Security > Execute Disable (set to Off)
Performance > Virtualization (set to Off)
Performance > VT for Direct I/O Access (set to Off)
Performance > Trusted Execution (set to Off)

Press Esc and save settings. When the server reboots do a hard power off. Power on, and then in the BIOS again ensure that the following is set:

Security > Execute Disable (set to On)
Performance > Virtualization (set to On)
Performance > VT for Direct I/O Access (set to On)
Performance > Trusted Execution (set to Off)

Press Esc and save settings. Hard power off again once the server reboots. Turn power on and let computer boot normally.

At this point I got an Hyper-V error in that the entries in the event log above did not appear anymore, but were replaced by an error indicating that Hyper-V was not installed.

So I removed Hyper-V by running:

ocsetup Microsoft-Hyper-V /uninstall

and reboot.

Reinstall Hyper-V by downloading the latest build and install it using:

wusa

or if you have the latest build already installed, then reinstall using:

ocsetup Microsoft-Hyper-V

Media Player 11 jumps or skips near end of songs

2008-04-09T20:49:00.002+01:00

Finally fixed this one! On Windows Media Player 11, running on Vista on Dell hardware the sound-card (with a SigmaTel device) would ruin the end of every song, but sync the song to a mobile device or use a different media player (VLC for example) and the songs play the bit near the end fine.

The problem is the device and its interaction with Windows Media Player. For the device you need to disable the playback enhancements.

This is done from Control Panel > Sounds. Right-click the Speakers/Headphones entry and choose Properties. On the Enhancements tab select Disable all enhancements. I did not need to reboot or even restart Media Player as I have read reported.

SMTP Server for Orange Mobiles Running Windows Mobile 6

2007-12-06T19:48:00.000Z

For a while now I have been unable to send my personal email from my mobile phone (running WM6 on the Orange network in the UK). I could download email via IMAP from my server (not hosted by Orange), but never send.

So after doing a bit of research I discoved that the SMTP server is smtp.orange.net, but that did not work. Further playing around with the settings on my found found me clicking the Advanced link under the SMTP server field in the account options settings. Here I choose Orange World as the network, and emails were instantly sent.

Instructions: From your IMAP account in WM6 click Menu > Tools > Options. Click your IMAP account in the list (or add a new account), click Next (filling in fields correctly if adding a new account) until you get to the Outgoing (SMTP) mail server page. Here enter smtp.orange.net and click Advanced Server Settings.

Under Advanced Server Settings select Orange World for the value of the Network Connection. Click Done and then Next a few times until Finish.

Blogger Blogs in Outlook - Incorrect Dates

2007-12-05T09:14:00.000Z

This has been obvious to me for a while - whenever I viewed this blog in Outlook 2007 via the common RSS feed store, the dates were all incorrect and so new posts appeared at random within the list.

I finally found a fix yesterday - the post was based upon ATOM technology and not RSS technology. I have therefore changed the subscribe link on the site to add ?alt=rss to the end of the link.

If you subscribe to this blog please delete it from your feed store in IE 7 and resubscribe at http://reidablog.blogspot.com/feeds/posts/default?alt=rss.

Exchange Server 2007 Rollup Update 5

2007-10-26T10:40:00.000+01:00

The latest version of the Exchange 2007 update is Update Rollup 5 for Exchange Server 2007 - this can be downloaded from here (64 bit and 32 bit versions now available).

Microsoft plan to do these releases rather than issue hotfixes as the method of engineering Exchange has changed since the previous versions, and KB937194 describes why this is. Each update rollup contains all the previous updates, so you only need to deploy this patch and not any earlier patches as well.

If you have not yet installed Exchange 2007 yet, copy this patch to the Update folder on your installation point and it will get slipstreamed into the installation automatically upon running Setup.

Note that unlike updates #1 and #2, a 32bit version of this update is available so this update can be applied to test and virtual computer systems and labs.

Error Code: 500 Internal Server Error. The network logon failed. (1790)

2007-10-03T12:28:00.000+01:00

This is an error visible in the web browser when connecting to a HTTPS web site behind an ISA Server.

The problem is that the firewall access rule for this web site in ISA Server is forwarding the requests to an internal server on a port that it is not listening on. For example you connect to https://server.example.com and the ISA Server forwards this request to http://internalsrv. On the Bridging tab check that the mentioned port(s) are actually working on the internal server. For example if you are listening in ISA Server on 443 for a SSL connection and the SSL/HTTPS port is ticked make sure that the port is 443, and that the web server internally is listening on 443. If its another number make sure that it is meant to be the other number and not really 443 or not ticked at all. Ditto for the HTTP port, which is 80 by default.

Can't Update Media Player Library on Windows SmartPhone

2007-09-21T10:42:00.000+01:00

I have found for a while now that I could not view the Windows Media Player library on my phone, and everytime I viewed the library I got a dialog saying "An unexpected error occured". But now I have fixed it. It must have been a corrupt copy of the libary database on the SDCard in my phone.

To fix:

Delete the MSMETADATA folder in the root of the Storage Card.

If using File Explorer on your device note that it's not visible by default. You have to select the "Show All Files" option in File Explorer. Once deleted rebuild your library using Media Player, and see if that helps.

Fixing Error 1324.The path xxx contains an invalid character.

2007-06-19T13:30:00.000+01:00

When installing software I have now seen a number of times the following error "Error 1324.The path My Documents contains an invalid character.". My Documents could be replaced by a number of other special folders, and I have seen this issue on Windows XP and Windows Vista.

The problem seems to stem from having UNC paths for folders (i.e. \\server\share\user\my documents). So, to fix the issue you need to temporarily change the path to a local path and change it back after installation. These steps will help (based on Vista, but XP is similar):

Click Start
Right-click Documents (or Pictures etc.)
Choose Properties
Make a note of the path currently used
Change path to the Default by clicking Restore Default button
Click OK
If prompted about creating folder say Yes
When prompted about moving all your files say no (you are going to move the folder back shortly) and then wait a bit - this might take some time.
Install your application
Repeat above instructions to move the folder back again, but this time do move the files. This will merge changes to the folder back to your actual folder.

Setting MP3 ID Tags with CDDBControl.dll

2006-07-16T20:25:00.000+01:00

The CDDBControl DLL that can be downloaded from here can be used in VB or Java Script to programatically set and read the ID3 tags on an MP3 file. Lots of documentation exists on Google which shows you how to write the script, but today I discovered that this control will only operate if the user calling it has Administrator privileges.

Using tools from Sysinternals did not give me any additional information on why this restriction was true (as the file I was changing had got full control for the limited user that runs the script) so I added the DLL to Component Services as described below to solve the problem.

Create a new user account with administrative permissions on the local machine. Give this account a very complex password and require that the password never expires.
Login as this account and start Component Services (in the Administrative Tools area of Control Panel)
Expand the Component Services tree until you get to COM+ Applications and right-click this node of the tree
Choose New Application, Create an empty application and provide a name such as ID3Tag for the application. Keep the default of Server Application set.
On the Set Application Identity page choose This User and enter the details for the current user account. It is important that you select this option and do not leave the default value of Interactive User set.
Once the component is created, right-click the component and select the Pooling & Recycling tab. Set 1 minute for the Expiration Timeout value (unless your script takes longer to run) and click OK.
Expand Component Services so that the contents of Components under your component are visible (this area will currently be empty)
If you have already registered the control with regsvr32 then you need to unregister it using regsvr32 -u "path\CDDBControl.dll"
Find the folder in which you have copied CDDBControl.dll and drag the dll into the Components container in Component Services
You will get an error about some components not being able to be installed. You can click OK at this point.

You can now run your script as a limited user and when you call the id3.SaveToFile function the script will not fail with error 0x82fc100c

Virtual PC's Crashing With IntelPPM.sys and Processor.sys

2006-05-06T11:07:00.000+01:00

Today I booted a virtual machine that was provided for me by a client so that I could prep a training course, but I could not log into the virtual machine because it blue-screened with a driver called intelppm.sys failing (and supposedly processr.sys can cause the same problem, but I have not experienced that one yet). Note that the virtual machine might just reboot rather than blue-screen because that is what it is configured to do.

The blue-screen is due to the virtual machine running on an AMD K8 or Centrino platform and the above device driver attempting a unsupported command that was supported on the platform that the virtual machine was originally created under. You can disable these drivers without issue in the virtual machine - just you cannot login to disable them!

So you need to use Safe Mode. Press the F8 key repeatedly as the virtual machine boots and then choose Safe Mode from the on-screen menu. Once you have logged in run these two commands from a command prompt (note that where the spaces are is important):

sc config processor start= disabled
sc config intelppm start= disabled

You should get a SUCCESS message returned. Once you do you can shutdown the virtual machine (and commit changes if you are have undo disks enabled) and then start the machine up normally.

This problem has been fixed under Virtual Server 2005 R2, but is still an issue with Virtual PC 2004 and Virtual Server 2005.

Adding Routes Using CMAK

2006-02-23T11:53:00.000Z

I have just put together a Connection Manager VPN client (CMAK) and within it have specified the extra routing information that I needed. When I ran the client I got the following error message and could not find anything on the web with an answer, so here is the answer...

Error 1: Connect action to update your routing table failed (80070057) - shown in the VPN client

Error 2: ErrorCode = -2147024809 ErrorSource = to update your routing table - recorded in the VPN log file

The reason! It was because I had entered an incorrect routing record in the text file. So to get this right, add the routes manually when connected and make sure they work, and then duplicate these entries in the text file. If the routes cannot be added on the command line then the VPN connection will fail with the above error message.

P1 and P2 Headers in SMTP

2006-02-13T18:21:00.000Z

P1 = the value on the MAIL FROM command of the SMTP connection (the message envelope) as defined in RFC 821.
P2 = the email address in the message body as defined in RFC 822. These include the FROM, REPLY TO and SENDER fields

For example, the following SMTP command sequence describes where P1 and P2 are used:

HELO server
MAIL FROM this_is@my_p1_address.com
RCPT TO: recipient@domain.com
DATA
FROM: this_is@my_p2_address.com
TO: recipient@domain.com
SUBJECT: This is a blog on P1 and P2

This is the text of the message
.

The MAIL FROM value should be your email address, but it does not have to be (ie one of the reasons why spam is so prevalent)
The FROM: header should match this, but this value is what is displayed in the email in Outlook (and other clients). The P1 address is used for routing and not display.

If the connection to an Exchange Server is anonymous then the P2 address will contain the display name and the email address, but if it is an authenticated connection then the P2 email address will be resolved to the value in the address book and this value will be displayed.

Invalid Visibility When Sending Email in Microsoft CRM

2006-02-02T10:05:00.000Z

Having recently installed Microsoft Dynamics CRM 3.0 I found that when I wanted to send an email to a contact in the system it failed with the error message "Invalid Visibility".

This error occurs because the code that sends the email does not complete successfully, and in my case because of anti-spam restrictions enabled on the Exchange Server that was being used as the SMTP gateway. The Exchange Server is the organisations only SMTP server, and the corporate firewall allows SMTP inbound and outbound only from this machine. Therefore this Exchange Server has a series of global message filters enabled which where activated on the SMTP virtual server on this machine. One of these anti-spam settings was to reject any mail on the SMTP virtual server that was from the domain name of the company and not authenticated. This stops lots of spam from outside the network that poses as if it where from inside the network, but as the CRM SMTP session was not authenticated, it too fell into this category.

So when CRM tried to send email, it received behind the scenes a 550 error - Sender Denied and so it generated the Invalid Visibility message.

Therefore, in this case, the fix was to authenticate the session, but alternatives exist such as providing a dedicated SMTP virtual server for the CRM application and additional routes outbound through the firewall for SMTP.

In addition to the above, the same error can be caused by other SMTP failures, so if you are getting the same error then open a command prompt on the CRM server and enter the following commands, waiting for an error and then using this to diagnose the reason why CRM 3.0 will not send emails for you (if anonymous email is allowed).

  TELNET smtp_server_name 25
  HELO crm_server_name
  MAIL FROM: email_address@yourdomain
  RCPT TO: recipient@externaldomain
  DATA
  TO: email_address@yourdomain
  FROM: recipient@externaldomain
  SUBJECT: CRM Test
blank line needed here
  Some text to act as the body of the message
  .
Always finish the email with a full-stop on a line on its own

VSWebApp and 404

2005-11-11T16:09:00.000Z

When I have started too many virtual machines in Microsoft Virtual Server 2005 I find that the administration application (http://server/virtualserver/VSWebApp.exe) stops working.

To get it to restart, change the authentication settings on the IIS virtual directory to something other than what you have already (but not anonomyous). For example if it is Basic and Integrated set it to Basic only.

Open the admin page again and you will be prompted for authentication and it will now work.

Mouse Pointer Delays in Virtual Server

2005-11-10T19:35:00.000Z

I am running Microsoft Virtual Server 2005 and every 10 seconds or so I get a pause in the mouse movement on the screen - very annoying.

Examining the performance logs of the server I see that the Virtual Server service "vsssrv" goes to 0% CPU utilisation when this happens - so something is interupting the service.

Stopping my anti-virus software solves the problem, but introduces another problem in that my computer is now unprotected, so I will post back here later my results on not have the AV software (McAfee Managed Anti-Virus) from scanning the filesystem where my virtual machines are installed and the vsssvc.exe application ("C:\Program Files\Microsoft Virtual Server" folder).

Unable to Delete Active Directory Object

2005-10-19T12:02:00.000+01:00

Whilst doing some tests on an Active Directory to do with permissions I removed all the permissions apart from SYSTEM. This proved what I wanted to prove, but I then could not delete the object or reset its permissions etc. to tidy up my test environment.

A search on the web for the problem returned one page and they had not solved it either. This was found here. Though they had deleted a user object and I had set permissions on an Exchange Server address list object I think the answer might be the same.

The problem in Exchange System Manager was "The specified directory service attribute or value does not exist" and "8007200a" when I tried to delete the object. Opening ADSI Edit would not let me delete the object (which appears as a notepad icon and not the folder icon it is supposed to be). Opening the object returns "An invalid directory pathname was passed" and deleting the object returns "This folder or one of its children has one or more property sheets up. Please close the property sheet before continuing with this action."

So taking the advice in the above link, and going a few steps further I managed to delete the object.

The key (in Windows Server 2003) is to use a command line tool called DSRM. This deletes active directory objects, but before it can be deleted the permissions need to be reset using another command line tool called DSACLS.

Determine the distinguished name of the object. This is easiest to do in ADSI Edit by opening the parent item and copying the value of the distinguishedName property.
Paste the copied distinguished name into Notepad and prepend to the text the name of the child object in the form of CN=child,distinguishedname.
On the command line enter DSACLS "Distinguished Name" /A. The quotes are needed if there are spaces within the distinguished name. This will display the current permissions on the object for your interest.
Repeat the above command but change the ending to /G Everyone:GA (remove the /A). This will grant full control to Everyone to this object. Remember that you are deleting this item so these permissions are temporary. This should be successful.
Finally you can delete the object using DSRM if the object is a leaf object, but if not a leaf object then DSRM distinguishedName -subtree. It might also be possible to use ADSI Edit or the valid Active Directory administration tool to delete the object if the permission fix has worked.

Dell Notebook System Software (NSS) Failure to Install

2005-10-10T15:13:00.000+01:00

I recently had to rebuild a Dell Latitude D610 as it was not working properly on purchase. The reinstall instructions for Windows XP SP2 included installing the relevant Dell drivers from the Dell CD (or internet download if they were later versions). The Notebook System Software (NSS) always failed to install - it would crash upon starting the program.

After phoning Dell Technical Support to fix this problem, the answer was to run the software whilst in Windows XP Safe Mode. To get to this reboot your computer and press F8 just before the Windows logo appears (easiest thing to do is press F8 repeatedly as soon as the computer boots and you are sure to get the option for Safe Mode).

After installing it in Safe Mode you can reboot into normal Windows XP.

Vonage Installation with NTL as Your Broadband Provider

2005-09-15T09:24:00.000+01:00

Connecting the router was easy, just followed the instructions, the only thing that I had to do (as I did not turn off my NTL cable modem) was clone the mac address of the current firewall onto the Linksys VoIP router (this is a setting in the Linksys admin pages).

Voice quality over a 2Mb line is good, and the 200K upload speed that I currently have will allow me to have two phones on the line as each uses 90K per call.

Role on NTL's upgrade to 10Mb lines in 2006

ntl Netguard Installation with Roaming Profile

2005-09-10T09:13:00.000+01:00

I installed ntl Netguard yesterday, the free antivirus software provided by this broadband provider. The comments on various forums where that it was easy to install but I found this to be incorrect advice. The main issue, and the one I blog about here is the creation of the required product folders when you have a remotely stored profile folder caused due to Active Directory/Group Policy folder redirection policies.

For the software to install you need to create the "logs" and "test" folder in the "ntl netguard" folder, which needs to be in the "ntl" folder in your Application Data folder. All the folders in quotes you need to create.

Windows Vista on Virtual PC's

2005-08-12T19:30:00.000+01:00

As I do not have any spare PC hardware I decided to install a copy of Windows Vista (Beta 1) on virtualization software. I have a choice of both VMWare Workstation 5.0 and Microsoft Virtual PC.

And the winner is - Microsoft Virtual PC

The reason is simple - I can see what I am doing and what is happening with Virtual PC as it runs with a decent virtual graphics adapter. VMWare Workstation 5.0 runs at 4bit colour until after installation has completed and you install the VMWare tools (which installed fine) but compare that to Virtual PC and the experience is so different.

Start Menu and Multiple Monitors

2005-07-25T14:19:00.000+01:00

When you enable multiple monitor on Windows XP, which I did by installing an ATI Radeon card in addition to my existing Nvidia card I found that after changing some of the settings (like which is the primary display), the Start Menu and Task Bar appears on the secondard display. What seemed to happen was the Start Menu etc. moved to one of the display's managed by the ATI card and then I set the primary display back to the Nvidia card it became the primary display (programs and dialog boxes opened on that display) but the Task Bar did not move back.

Eventually, after much reconfiguration and reseting/rebooting I decided to see if I could drag the Task Bar across. Now this is not supposed to work (maybe it has been added in SP2 for XP). So I unlocked the Task Bar and dragged it first to the side of the current screen (the displays are lined up left to right) and then across to the other display - you cannot drag it straight across the bottom of the displays.

This worked a treat, so I relocked the Task Bar and all works now.

Improving the Performance of IIS 6.0 Applications

2005-07-05T09:28:00.000+01:00

Whilst working at a client doing some performance testing of an intranet, web-based, application we came across a little documented way to improve the network performance of the application if the web server is running IIS 6.0 on the Windows Server 2003 platform.

When the IIS 6.0 web server uses Windows Integrated authentication to log users onto a web application it goes through the following process, which is different to how it behaved on IIS 4.0, IIS 5.0 and IIS 5.1 (the versions that run on Windows NT 4.0, Windows 2000 and Windows XP):

Client connects to the web server with an anonymous connection for the first object required.
The web server rejects the connection with a 401 status message, which means that authentication is required.
The client sends the request for the page to the server again, along with the current authentication information. The format of this authentication will differ based on whether NTLM or Kerberos is being used.
Server responds with a 200 status indicating success and the object is transferred from the server to the client.
So far nothing has changed in IIS 6.0 compared to the earlier versions of the software, but now the client makes the request for the second object (maybe a graphic within the page, or a second page on the same server). This second request, even if it is across the same HTTP session as the first, will be seen by the server as an anonymous request and it will be rejected with a 401 status message. In earlier versions of IIS this second (and subsequent requests on the same HTTP connection) were treated as being authenticated because the first object request was successfully authenticated.

This can be seen using the following information from an IIS 6.0 log file that was generated by a web browser making a GET request for four pages called auth1.htm through to auth4.htm.

cs-uri-stem cs-username sc-status sc-bytes cs-bytes
/auth1.htm  -           401       1872     516
/auth1.htm  DOMAIN\user 200       509      2307
/auth2.htm  -           401       1872     557
/auth2.htm  DOMAIN\user 200       510      2348
/auth3.htm  -           401       1872     557
/auth3.htm  DOMAIN\user 200       510      2348
/auth4.htm  -           401       1872     557
/auth4.htm  DOMAIN\user 200       510      2348

The client makes a request for the page auth1.htm. This page is only available to a user via Windows Integrated authentication and so the request is seen as rejected with a 401 status. The second line shows the successful request for the same page and the fact that a Windows domain account was used to authenticate the request. From that point on, each request can be seen first as an authentication failure and then a success. This means additional round trips to the web server, and longer page load times – especially to web servers that are across low latency WAN connections. For example, the above log data shows that the total bytes sent and received by the web server (the sum of the sc-bytes and the cs-bytes columns) is 21065 bytes. We will compare this value to one where the IIS 6.0 server has had performance changes made to it later in this article.

IIS 4.0, IIS 5.0 and IIS 5.1 worked by allowing all subsequent requests for objects over a single HTTP session that had already been authenticated to use the authentication information of the first successful request. With the increase in security that is part of IIS 6.0 this potential security hole has been closed – it might be possible to take over another session and become authenticated with the credentials of that previous session. This security improvement though, as with many security changes, decreases performance by an increases the number of round trips to the server and the bytes transferred on the network. If the risk is considered unlikely within your environment and users connect to the web server from remote locations then you can set the IIS metabase setting AuthPersistSingleRequest to false. This means that the IIS 6.0 web server acts in terms of authentication persistence like an IIS 5.0 web server.

The two metabase keys that need to be set are:

NTAuthenticationProviders
AuthPersistSingleRequest

NTAuthenticationProviders can be set at the web service or web site level and AuthPersistSingleRequest can be set at the web service, web site, virtual or real directory or at the file level.

To set these two metabase values open a command prompt, change to the \inetpub\adminscripts folder and run each of the following commands:

cscript adsutil.vbs SET w3svc/1/NTAuthenticationProviders "NTLM"
cscript adsutil.vbs SET w3svc/1/AuthPersistSingleRequest FALSE

The “1” in both the above commands will cause the property to be set on the Default Web Site. Change “1” to affect another web site or remove “1/” from the command to affect the entire server.

Once the two commands have been executed enter the following to ensure that they have run correctly:

cscript adsutil.vbs GET w3svc/1/NTAuthenticationProviders
cscript adsutil.vbs GET w3svc/1/AuthPersistSingleRequest

Finally run IISRESET from the command line to restart the web server.

The following data from an IIS 6.0 log file shows the same sequence of GET requests as described above after the NTAuthenticationProviders value has been set to NTLM and the AuthPersistSingleRequest value set to false.

cs-uri-stem cs-username sc-status sc-bytes cs-bytes
/auth1.htm  -           401       2043     622
/auth1.htm  DOMAIN\user 200       259      774
/auth2.htm  DOMAIN\user 200       260      557
/auth3.htm  DOMAIN\user 200       260      557
/auth4.htm  DOMAIN\user 200       260      557

This data can be compared to that above quite easily. First you can see that the number of round trips is just over half the number on an IIS 6.0 server in its default configuration, as only the first request fails with a 401 status message – the subsequent requests now use the authentication of the first request within the session rather than per request authentication. Secondly the total number of bytes required within the HTTP session to download these four objects is 6149 bytes. This is 29% of the bytes transferred under the default IIS 6.0 configuration.

Therefore, if you run web applications that use NTLM authentication and have high latency networks then you can generate significant improvements in page load time at the browser, and at the client I am working at we reduced page load times from their India offices to the USA servers from 18 seconds to less than 10 seconds.

Links

Enabling ASP.NET Session State without Installing IIS

2005-05-23T14:34:00.000+01:00

At a client site, I needed to enable within a web cluster the ASP.NET session state service (ASP.NET State Service) and initially this was going to go on one server within the web cluster. The only problem though, as this configuration is easy, was what happens if the one server in the cluster that this is running on is the server that fails!

The solution we decided was to place the service on the SQL Server back-end database. Though this is not clustered (as it is not mission critical), if the database is unavailable then so is the application so why not run the ASP.NET State Service on that machine.

So we changed the web.config file to read:

<sessionState mode="StateServer" cookieless="false" stateConnectionString="tcpip=db_server:42424"/>

We went to the SQL Server (which was running Windows Server 2003 and so had the .NET Framework installed), but found that the service did not exist as ASP.NET was not installed.

So we ran the following, which claims to require IIS to be installed, but successfully enabled the ASP.NET State Service:

aspnet_regiis -i (this is in WINDOWS\Microsoft.NET\Framework\version folder

Set “HKEY_LOCAL_MACHINE\SYSTEM \ CurrentControlSet \ Services \ aspnet_state \ Parameters \ AllowRemoteConnection” to 1 on the server in the above step, set the service to Automatic and started it running.

And it all worked fine.

Exchange 2003 Resource Kit Published

2005-04-18T19:58:00.000+01:00

Now available, the Exchange Server 2003 Resource Kit in which I wrote all the security chapters (chapters 11 through 13).

Current Clients

2005-03-04T14:55:00.000Z

Brian is currently writing documentation and doing software testing for InfoBasis.

C7 Solutions Blog

2005-03-03T19:46:00.000Z

Following a prompt from Microsoft, I have started a more company based blog on C7 Solutions web site. Maybe I will update that more than this one (which I suppose is the point of a blog anyway)

Enabling Remote Desktop Remotely

2004-12-21T14:42:00.000Z

Run the following from a Windows XP or Windows Server 2003 PC:

WMIC /NODE:"client" /USER:"nwtraders\administrator" RDTOGGLE WHERE ServerName="client" CALL SetAllowTSConnections 1

Two Logins To Install Software

2004-12-06T18:47:00.000Z

With Windows XP you sometimes see that your Group Policy settings take two reboots or two logins to work. This is because Windows XP operates (by default) in a mode called Fast Logon Optimization. This means that the computer boots and logs in quicker, but it does mean that events that should occur during the computers boot or login will be delayed until the second boot or login.

Examples of events that this effects are software installations via Group Policy and folder redirection (i.e. home folders). During (or usually just after) the first boot/logon XP sets a flag and then during the second boot/logon Windows operates one time only without the Fast Logon enabled.

An example of the two events that appear in the event log (in chronological order) are:

Event Type: Warning
Event Source: Application Management
Event Category: None
Event ID: 108
Date:
Time:
User: NT AUTHORITY\SYSTEM
Computer:
Description:
Failed to apply changes to software installation settings. Software installation policy application has been delayed until the next logon because an administrator has enabled logon optimization for group policy. The error was : The group policy framework should call the extension in the synchronous foreground policy refresh.
Event Type: Warning
Event Source: Application Management
Event Category: None
Event ID: 101
Date:
Time:
User: NT AUTHORITY\SYSTEM
Computer:
Description:
The assignment of application Microsoft Office XP Professional with FrontPage from policy IT Suite Software failed. The error was : The group policy framework should call the extension in the synchronous foreground policy refresh.

This behaviour can be changed by turning the Fast Logon Optimization off. This can be switched on and off via Group Policy and the following setting:

Computer Configuration
Administrative Templates
System
Logon
Always wait for the network at computer startup and logon

More on Fast Logon Optimization can be found in article 305293 at Microsoft Support.

Outlook Profile Wizard

2004-12-06T18:44:00.000Z

Fill in the information at the form here to create a valid profile for configuring Outlook 2003 to allow the client to connect to the Exchange Server without the need of a VPN from the internet (known as RPC over HTTP).

This will create a .PRF file that you can offer for download to users. Users will need to log-in twice for this to work though (or rather, be prompted twice for username and password, after which it will work)

Setting Remote Desktop to an Alternate Port

2004-12-06T18:39:00.000Z

The default port for Remote Desktop is 3389, but there are cases where it is useful to change this port, for example on the external interface of a firewall should you be providing remote support of said firewall. These steps are known to work on Windows XP and Windows Server 2003. They have not been tested by me on other versions of Windows.

On the Remote Desktop Server

Start Registry Editor (Regedt32.exe).

Locate the following key in the registry:
HKEY_LOCAL_MACHINE\ System\ CurrentControlSet\ Control\ TerminalServer\ WinStations\ RDP-Tcp\ PortNumber
On the Edit menu, click Modify, click Decimal, type the new port number, and
then click OK.

Quit Registry Editor.

On the Client

Click Start, click All Programs, point to Accessories,
point to Communications, and then click Remote Desktop Connection.

In the Computer box, type the computer name or IP address of the
computer to which you want to connect, followed by a colon (:) and the port
number you want to use.
For example, to connect to port 3390 on a computer named "MyXPPro,"
type the following information: MyXPPro:3390
To connect to port 3391 on a computer with IP address 10.10.10.1,
type the following information: 10.10.10.1:3391

More information at

http://support.microsoft.com/default.aspx?scid=kb;en-us;306759 and

http://support.microsoft.com/default.aspx?scid=kb;en-us;304304

Enabling Remote Desktop During Installation

2004-12-06T18:37:00.000Z

If you are installing a number of servers and you want to ensure that Remote
Desktop is enabled on each then add the following lines to the unattend file
that you are using to build the Windows servers (or XP client)

[TerminalServices]
AllowConnections=1

How to enable remote desktop remotely

2004-12-06T18:34:00.000Z

Lots of sites on the internet discuss how to enable remote desktop in Windows XP and Windows 2003 Server, but the majority of them require you to have physical access to the computer first. So how do you enable remote desktop when you do not have physical access to the computer. It is all to do with the registry!

Make a network connection to the remote computer to ensure that you have administrative access to the machine (i.e. \\computer\c$). This will prompt for a username and password of the administrator. Enter the correct details.

Start the registry editor regedit.exe (and not the older application regedt32.exe if it exists - it does not in later releases of Windows)

Choose File, Connect Network Registry

Enter the computer name as above.

Navigate to HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Terminal Server for the registry settings for the remote computer (take care not to select your own desktop)

Double-click fDenyTSConnections.

Change the value of this setting to 0 to enable Remote Desktop or 1 to disable it, and click OK.

If your remote computer has multiple network cards and you want to ensure that Remote Desktop is operating only on a selected card then navigate to the following registry location: (as above)\WinStations\ RDP-Tcp and note the LanAdapter value. If this is 0 Remote Desktop operates on all networks, and if this is another number then it operates only on the network as identified in the (as first)\lanatable registry key

Disconnect the remote computer from the registry editor using File, Disconnect Network Registry, and selecting the correct remote computer in the list.

Finally, you need to restart the computer remotely.

Note: Subsequent to publishing this I have discovered a much quicker way using Windows management Instrumentation command line (WMIC). See here for more on this.