
Thursday, January 21, 2010

How to Configure Change Password for OWA 2003/2007/2010 Mixed Environments

The Change Password feature in OWA breaks when you reconfigure the environment to use Exchange 2007 or Exchange 2010 CAS servers as front-end servers for Exchange 2003 mailbox servers.  This is because the CAS servers don't have the ASP pages installed that the OWA 2003 change-password link points to.

telnetPORT25 wrote a great article explaining the step-by-step process, along with screenshots, to fix this problem.  I'm listing the high-level steps here (mainly to act as my long-term memory).
  • Logon to the Exchange 2007/2010 CAS server
  • Copy the %SystemRoot%\System32\inetsrv\iisadmpwd folder and files from the OWA 2003 FE server to the CAS server's %SystemRoot%\System32\inetsrv folder
  • Open IIS Manager and add a new Virtual Directory off the Default Web Site named IISADMPWD with a physical path of %SystemRoot%\System32\inetsrv\iisadmpwd
  • Right-click the new IISADMPWD virtual directory and select Convert to Application
  • Select the MSExchangeOWAAppPool
  • Restart IIS (iisreset /noforce or select the server in IIS Manager and click Restart)
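The same steps scripted with the IIS 7 WebAdministration module, as an added example that is not part of the original post. It assumes the iisadmpwd folder has already been copied from the OWA 2003 front-end and that the MSExchangeOWAAppPool exists on the CAS server.

```powershell
# Added example: recreate the IISADMPWD application on an Exchange 2007/2010
# CAS server. Requires the IIS 7 WebAdministration module (Windows Server
# 2008/R2) and an elevated PowerShell session.
Import-Module WebAdministration

$site     = 'Default Web Site'
$appName  = 'IISADMPWD'
$physical = Join-Path $env:SystemRoot 'System32\inetsrv\iisadmpwd'
$appPool  = 'MSExchangeOWAAppPool'

# Sanity checks first: a missing or empty folder would leave the OWA 2003
# change-password link returning 404s, and the application pool must exist.
if (-not (Test-Path $physical)) {
    throw "Folder $physical not found; copy it from the OWA 2003 front-end first."
}
if (-not (Get-ChildItem -Path $physical -Filter *.asp)) {
    throw "No .asp pages in $physical; the copy appears to be incomplete."
}
if (-not (Test-Path "IIS:\AppPools\$appPool")) {
    throw "Application pool $appPool does not exist on this server."
}

# New-WebApplication does the virtual directory, "Convert to Application"
# and app pool assignment in one step. Only create it if it is not there.
$existing = Get-WebApplication -Site $site -Name $appName
if ($existing -eq $null) {
    New-WebApplication -Site $site -Name $appName `
        -PhysicalPath $physical -ApplicationPool $appPool | Out-Null
} elseif ($existing.applicationPool -ne $appPool) {
    # Already present but in the wrong pool: move it to the OWA pool.
    Set-ItemProperty -Path "IIS:\Sites\$site\$appName" -Name applicationPool -Value $appPool
}

# Show the result, then restart IIS without dropping in-flight requests.
Get-WebApplication -Site $site -Name $appName |
    Select-Object @{n='Path';e={$_.path}}, applicationPool, PhysicalPath
iisreset /noforce
```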


Tuesday, January 19, 2010

How to Fix Internet Explorer Cannot Download FileName from WebServer

You may find that when you create a link to a file on your web server, Internet Explorer cannot download or open the file.  When the user clicks the link, Internet Explorer returns a generic 404 error, as shown:

They also may receive an error stating, "Internet Explorer cannot download filename.ext from  Internet Explorer was not able to open this Internet site.  The requested site is either unavailable or cannot be found. Please try again later."

This happens when IIS doesn't understand the file extension and associated content type of the file.  Examples of such file extensions are .reg or .gadget.  To fix this problem you must add the extension and MIME type to IIS.

Here's how you do it in IIS 7.0 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2):
  • Open Internet Information Services (IIS) Manager
  • Expand servername > Sites > Default Web Site
  • Select the website you want to configure, or select Default Web Site if you want to configure all websites on the server
  • Double-click MIME Types in the IIS section of the center pane
  • Click Add in the Actions pane
  • Enter the extension you wish to add, including the . prefix (e.g., .reg or .gadget)
  • Enter the MIME type (e.g., text/plain for .reg files or application/x-windows-gadget for .gadget files)
  • Click OK
The changes go into effect immediately - there's no need to restart IIS.
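The same two MIME mappings added from PowerShell, as an added example that is not part of the original post. It assumes IIS 7.0/7.5 with the WebAdministration module and targets the server level, which is what selecting the server or Default Web Site in IIS Manager does.

```powershell
# Added example: add MIME types to IIS 7.x idempotently. Run elevated.
Import-Module WebAdministration

$psPath = 'MACHINE/WEBROOT/APPHOST'          # server level; use 'IIS:\Sites\<site>' for one site
$filter = 'system.webServer/staticContent'

function Add-IisMimeType {
    param([string]$Extension, [string]$MimeType)
    # IIS rejects a duplicate fileExtension key, so look before adding.
    $current = Get-WebConfiguration -PSPath $psPath `
        -Filter "$filter/mimeMap[@fileExtension='$Extension']"
    if ($current) {
        return "$Extension already mapped to $($current.mimeType); left unchanged"
    }
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ fileExtension = $Extension; mimeType = $MimeType }
    return "$Extension -> $MimeType added"
}

# text/plain is rendered inline by the browser; if you would rather force a
# download prompt for a type, map it to application/octet-stream instead.
Add-IisMimeType -Extension '.reg'    -MimeType 'text/plain'
Add-IisMimeType -Extension '.gadget' -MimeType 'application/x-windows-gadget'

# Confirm what IIS now serves for each extension (takes effect immediately).
Get-WebConfiguration -PSPath $psPath -Filter "$filter/mimeMap" |
    Where-Object { $_.fileExtension -in '.reg', '.gadget' } |
    Select-Object fileExtension, mimeType
```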

For a quick reference of MIME types, see MIME Type Detection in Internet Explorer.


Exchange 2010 DAG Replication Port

Michel de Rooij, a Dutch technology consultant, posted a nice concise article about the port used by Exchange 2010 for DAG replication.
"... the port used for DAG log shipping and seeding, which is 64327 by default. Looking back at Exchange 2007 this is good; the port is static and DAGs use regular TCP, where CCR/SCR in Exchange 2007 uses 445 for log shipping (over SMB) and a dynamic port for seeding. And if it's two things some network people hate it's SMB and dynamic ports. On the other hand, 64327 is in the dynamic range defined by IANA; according to IANA dynamic ports cannot be registered (claimed).
Fortunately, the port can be changed when required. To change the port for a DAG use the Set-DatabaseAvailabilityGroup cmdlet with the ReplicationPort parameter like this, where can be any number between 1 and 65535:
Set-DatabaseAvailabilityGroup -Identity DAGID -ReplicationPort

Note that Exchange will not adjust the Windows Firewall rules accordingly, so you need to create a firewall exception on each DAG member to make replication work. Even better, you should do this before changing the DAG port to prevent interrupting the replication longer than necessary."
For a full list of the ports used by Exchange 2010, see the Exchange Network Port Reference.
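The port change done in the order the quoted article recommends (firewall exceptions first, then the DAG), as an added example that is not from the article or the Exchange documentation. It assumes the Exchange 2010 Management Shell, PowerShell remoting to every DAG member, a DAG named DAG1 (placeholder) and an arbitrary new port.

```powershell
# Added example: move DAG replication to a new TCP port without leaving
# log shipping blocked by the Windows Firewall in between.
$dagName = 'DAG1'      # placeholder DAG name
$newPort = 60001       # any free port 1-65535; 60001 is an arbitrary choice

$dag     = Get-DatabaseAvailabilityGroup -Identity $dagName
$members = $dag.Servers | ForEach-Object { $_.Name }
"Current replication port: $($dag.ReplicationPort); members: $($members -join ', ')"

# 1. Open the new port on every member BEFORE touching the DAG. Windows
#    Server 2008 R2 has no firewall cmdlets, so netsh is used via remoting.
foreach ($server in $members) {
    Invoke-Command -ComputerName $server -ArgumentList $newPort -ScriptBlock {
        param($port)
        $ruleName = "Exchange DAG replication TCP $port"
        netsh advfirewall firewall show rule name="$ruleName" | Out-Null
        if ($LASTEXITCODE -ne 0) {          # netsh returns 1 when no rule matches
            netsh advfirewall firewall add rule name="$ruleName" dir=in `
                action=allow protocol=TCP localport=$port | Out-Null
        }
        "$env:COMPUTERNAME: inbound rule '$ruleName' present"
    }
}

# 2. Now switch the DAG and confirm the new value.
Set-DatabaseAvailabilityGroup -Identity $dagName -ReplicationPort $newPort
Get-DatabaseAvailabilityGroup -Identity $dagName | Format-List Name, ReplicationPort

# 3. Check that replication is still healthy on each member; anything that
#    did not pass points at a member whose rule was not created.
foreach ($server in $members) {
    Test-ReplicationHealth -Identity $server |
        Where-Object { "$($_.Result)" -ne 'Passed' } |
        Format-Table Server, Check, Result, Error -AutoSize
}
```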


Tuesday, January 5, 2010

How to Enable Reverse DNS Lookup in IIS

This article explains how to enable reverse Domain Name System (DNS) lookup for all versions of Internet Information Services (IIS).

When reverse DNS lookups are enabled on the web server, the IP address of each web client that connects to the IIS server is resolved to a DNS name, and the DNS name instead of the web client IP address is placed in the IIS log files.  Enabling reverse DNS also affects what CGI and ISAPI extensions see as a value of the Remote_Host variable.

Microsoft KB article 297795 gives a step-by-step demonstration of how to enable RDNS for IIS 4, IIS 5 and IIS 6, but all you need to do is run the following at a command prompt from the AdminScripts folder:

For IIS4 run:
adsutil set w3svc/EnableReverseDNS TRUE
For IIS5 and IIS6 run:
cscript adsutil.vbs set /w3svc/EnableReverseDNS "TRUE"
In IIS7, you must install the IP and Domain Restrictions role service for the Web Server (IIS) role.  You can do this in Server Manager or from the command line using the following command:
ServerManagerCMD -install Web-IP-Security
In Windows Server 2008 R2, the ServerManagerCMD.exe program is deprecated and has been replaced with the ServerManager Powershell cmdlets.  The following two cmdlets are used to install the IP and Domain Restrictions role service:
Import-Module ServerManager
Add-WindowsFeature Web-IP-Security
Now that the role service is installed, you can configure reverse DNS lookups, as follows:
  • Open Internet Information Services (IIS) Manager.
  • Navigate to the Server Name in the Connections pane.  If you only want to enable reverse lookups on a particular website, navigate to that website.
  • Double-click IP Address and Domain Restrictions in the center pane and click Edit Feature Settings in the Actions pane.
  • Put a checkmark in Enable domain name restrictions and click OK.
You will see the following warning:
Restricting access by domain name requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance. Are you sure you want to enable restrictions based on domains?
Clicking Yes enables reverse lookups for all clients connecting to the web server.  I have not noticed more than a 1-2% increase in CPU utilization, and the websites are just as performant as before.

Each of these changes goes into effect immediately.  There is no need to restart IIS.
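The IIS 7.x procedure scripted end to end, plus a check of the log file to confirm it took effect, as an added example that is not part of the original post. It assumes Windows Server 2008 R2 (ServerManager module), the WebAdministration module, and the default log folder for the first website; the enableReverseDns attribute is the setting behind the "Enable domain name restrictions" checkbox.

```powershell
# Added example: enable reverse DNS lookups in IIS 7.x and verify. Run elevated.
Import-Module ServerManager
Import-Module WebAdministration

# Install the IP and Domain Restrictions role service if it is missing.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Add-WindowsFeature Web-IP-Security | Out-Null
}

# Server level here; use -PSPath 'IIS:\Sites\<name>' to limit it to one website.
$psPath = 'MACHINE/WEBROOT/APPHOST'
$filter = 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enableReverseDns -Value $true
$value = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enableReverseDns).Value
"enableReverseDns is now: $value"

# No restart is needed, so the newest log file should already show host
# names in the c-ip field. Report the last few entries and whether each
# client value is a name (resolved) or still a raw address.
function Get-ResolvedClientEntries {
    param([string]$LogDir = "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1", [int]$Last = 20)
    $log = Get-ChildItem -Path $LogDir -Filter *.log |
        Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not $log) { return @() }
    $lines  = Get-Content -Path $log.FullName
    $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -Last 1
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'
    $ipIndex = [array]::IndexOf($fields, 'c-ip')
    if ($ipIndex -lt 0) { return @() }
    $lines | Where-Object { $_ -notlike '#*' } | Select-Object -Last $Last | ForEach-Object {
        $client = ($_ -split '\s+')[$ipIndex]
        $ip = $null
        New-Object PSObject -Property @{
            Client   = $client
            Resolved = -not [System.Net.IPAddress]::TryParse($client, [ref]$ip)
        }
    }
}
Get-ResolvedClientEntries | Format-Table Client, Resolved -AutoSize
```

One thing to weigh before enabling this on an Internet-facing server: the logged name comes from a PTR record that the client's address owner controls, and the raw IP is no longer in the log, so keep that in mind if you rely on IIS logs for investigations.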


Tuesday, December 29, 2009

Hotfix ID – What Does This GUID Stand For?

Recently, I came across a problem when running the Cluster Validation Wizard where the two nodes did not match in the Validate Software Update Levels section.

You must run the Validate test on fully configured solutions before you configure the Failover Cluster to verify the proposed solution. All tests must pass with either a green checkmark (passed) or a yellow yield sign (warning), in order to obtain product support from Microsoft. See the Microsoft Support Policy for Windows Server 2008 Failover Clusters.

The yellow yield sign indicates that this particular aspect of the proposed solution is not in alignment with Microsoft best practices. However, this aspect will still work and will be considered a supported configuration. Personally, I never deploy a production cluster unless I get a completely green result.

As shown above, one of the Windows Server 2008 servers was reporting a warning of "Software Updates missing on 'servername'", and the missing updates were listed only as GUIDs, with no description.

I searched the Interwebs for anything related to either GUID, with no luck. Then I came across a nifty script by Guy Teverovsky, a Premier Field Engineer for Platforms at Microsoft Israel. You run the script on the node that's missing the updates.

Here's the syntax:

C:\>cscript GetPatchInfo.vbs /?
Displays details of installed patches/hotfixes
Usage: cscript GetPatchInfo.vbs [/guid:]
/guid: The GUID of the hotfix
Running the script without parameters will enumerate all
the patches installed.

Sample output:

C:\>cscript GetPatchInfo.vbs /guid:{47740627-D81D-4A45-A215-03B075A18EC7}
Patch Name: Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Patch Code: {47740627-D81D-4A45-A215-03B075A18EC7}
More Info URL:
State: Installed
Product Code:{90120000-00A4-0409-0000-0000000FF1CE}
Product Name: Microsoft Office 2003 Web Components

I'm also hosting the script here on my blog, just in case it becomes unavailable from his site sometime in the future.


In my case, the GUIDs {DEBD1C94-5AAB-4E46-A130-359A52D2bb65} and {2B3A711E-1265-4D05-ACBB-B7677EA6E860} refer to the SCOM 2007 agent, which was missing on one of the nodes.


Tuesday, December 22, 2009

Fix for Cannot Logon to OWA Using ISA 2004

A client had a problem where users could not logon to Outlook Web Access (AKA, OWA or Webmail) from the Internet. Users would get the logon page, but would be returned to the same logon page after entering their correct username and password.

Accessing OWA from the internal network would present the same logon page, but the user can successfully logon and access their mailbox. It turns out that the fact that they get the same logon page internally is a clue to the solution. Internal (non-ISA) users will only see the OWA logon page if Exchange is configured to use Forms Based Authentication (FBA). In order for ISA to work properly with OWA, Exchange should NOT be configured for FBA. It should only be configured on the ISA server.

Here's how the two systems should be configured:
  • Install the Exchange server's SSL certificate in the ISA computer's Personal certificate store
  • On the ISA server, configure a Mail Server Publishing firewall rule to allow External users to access the OWA server using HTTPS. Configure an OWA web Listener for HTTPS using the Exchange server's SSL certificate that you imported. Configure the Listener's authentication to use OWA Forms-Based. Ensure that ISA is redirecting requests to the SSL port 443 on the Bridging tab.
  • Ensure that the Exchange server is NOT using Forms Based Authentication. In Exchange System Manager, go to [OrgName] > Administrative Groups > [AdminGroup] > Servers > [ServerName] > Protocols > HTTP. View the properties of the Exchange Virtual Server. Clear the Enable Forms Based Authentication checkbox on the Settings tab.

The customer was using ISA 2004 in front of Exchange 2003, but I assume this problem/solution will also occur with ISA 2006.


Monday, December 14, 2009

Is Microsoft Forefront Protection 2010 for Exchange Server x86 or x64?

After installing Forefront Protection 2010 for Exchange (FPE), I ran Task Manager to see what processes were running. I was surprised to see almost all of the Forefront processes are 32-bit. I asked Microsoft why this is, since Exchange 2007 and Exchange 2010 are 64-bit only applications.

It turns out that this is because the antivirus engines are still 32-bit. FPE uses up to five different scan engines from different vendors to scan emails (Authentium, Kaspersky, Microsoft, Norman, and VirusBuster). The AV vendors are working to create 64-bit versions of their scan engines, but there is no ETA at this time.

Each scan engine requires approximately 250 MB of memory. Less memory is required if Intelligent Engine Management (IEM) is not enabled and fewer than 5 engines are selected.

Considering that each scan engine runs in its own discrete process, there may not be much of an advantage to running 64-bit, anyway. 32-bit scan engines also mean that they can be used on the 32-bit non-production versions of Exchange for testing. Even so, I'd rather see the Forefront Team create a 32-bit version for testing and a 64-bit version for production once the AV vendors have 64-bit scan engines.


Tuesday, November 24, 2009

NTFS Inheritance Rule Change

Up until recently, NTFS permissions have followed these inheritance rules:

  • If a file or folder is copied to some other location, it will inherit the new location's NTFS permissions.
  • If a file or folder is moved to some other location on a different disk drive, it will inherit the new location's NTFS permissions.
  • If a file or folder is moved to some other location on the same disk drive, it will retain the original location's NTFS permissions.

One of the NTFS inheritance rules changed in Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7. Now if you move a file or folder, it inherits the new location's NTFS permissions, even if the new location is on the same disk drive. This is a radical shift that you need to take into account when you're moving files.

You can find a reference to this change in the Notes section in the Microsoft article "Inherited permissions are not automatically updated when you move folders".

Thanks to Murat Yildirimoglu, an MCSE and MCT in Istanbul, Turkey, for the article.
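Since the rule that applies now depends on the Windows version, a check that a moved item's inherited ACEs really come from its current parent is worth having. This is an added example, not from the post or the Microsoft article; it builds a constructed folder pair under %TEMP%, so it needs no special rights beyond writing there.

```powershell
# Added example: report inherited ACEs that do not match the parent folder
# (Stale) and parent ACEs the item should have picked up but did not (Missing).
function Compare-InheritedAcl {
    param([Parameter(Mandatory=$true)][string]$Path)
    $item   = Get-Item -Path $Path
    $parent = Split-Path -Path $item.FullName -Parent
    # Only parent ACEs flagged to propagate to this kind of child count.
    $flag = if ($item.PSIsContainer) { 'ContainerInherit' } else { 'ObjectInherit' }
    $own = @((Get-Acl -Path $item.FullName).Access | Where-Object { $_.IsInherited })
    $src = @((Get-Acl -Path $parent).Access | Where-Object {
        $_.InheritanceFlags.ToString() -match $flag -and
        $_.IdentityReference.Value -ne 'CREATOR OWNER' })   # shows up as the real owner on children
    # Rights are compared numerically; a generic right on the parent can
    # legitimately map to a different value on a child, so review hits by hand.
    $key = { param($a) '{0}|{1}|{2}' -f $a.IdentityReference.Value,
                                         [int]$a.FileSystemRights, $a.AccessControlType }
    $ownKeys = @($own | ForEach-Object { & $key $_ })
    $srcKeys = @($src | ForEach-Object { & $key $_ })
    foreach ($ace in $own) {
        if ($srcKeys -notcontains (& $key $ace)) {
            New-Object PSObject -Property @{ State = 'Stale'; Identity = $ace.IdentityReference.Value
                                             Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
        }
    }
    foreach ($ace in $src) {
        if ($ownKeys -notcontains (& $key $ace)) {
            New-Object PSObject -Property @{ State = 'Missing'; Identity = $ace.IdentityReference.Value
                                             Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
        }
    }
}

# Demonstration: give the destination folder an inheritable ACE the source
# lacks, move a file between them on the same drive, and see whether the
# file picked it up. (Constructed test data; everything is removed at the end.)
$root = Join-Path $env:TEMP ('acl-move-' + [guid]::NewGuid().ToString('N'))
$src  = New-Item -ItemType Directory -Path (Join-Path $root 'src')
$dst  = New-Item -ItemType Directory -Path (Join-Path $root 'dst')
$file = Join-Path $src.FullName 'moved.txt'
Set-Content -Path $file -Value 'constructed sample content'

$acl  = Get-Acl -Path $dst.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Guests', 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dst.FullName -AclObject $acl

Move-Item -Path $file -Destination $dst.FullName
$moved = Join-Path $dst.FullName 'moved.txt'
Compare-InheritedAcl -Path $moved | Format-Table State, Identity, Rights, Type -AutoSize

# Anything reported can be corrected by rebuilding inheritance from the
# current parent:  icacls "$moved" /reset
Remove-Item -Path $root -Recurse -Force
```

A "Missing BUILTIN\Guests" line means the moved file still carries the old folder's inherited entries; an empty result means it was re-inherited from the new parent.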


Friday, November 20, 2009

Microsoft Exchange Server 2010 Transport Server Role Architecture Diagrams

Microsoft has produced two Exchange 2010 Transport diagrams:
  • Exchange 2010 Hub Transport Extensibility
  • Exchange 2010 Hub Transport Role Architecture

Both diagrams are produced as PDF files that can be printed out in almost any size.

While I think these diagrams are visually beautiful, I rarely (if ever) refer to diagrams like this. They do, however, add a certain je ne sais quoi to the geekiness of any Exchange architect's office.


Wednesday, November 18, 2009

How to Test LDAP over SSL Connections

This article explains how to test that a directory server (typically, a Domain Controller or ADLDS server) is configured properly for LDAP/SSL connections. The tools described work with Windows-based systems (Windows XP and above).

First, you will need the LDP.exe utility. LDP is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory, ADLDS or ADAM.

LDP can be found for different platforms in the following locations:

To test LDAP over SSL connections, do the following:

  • Run the LDP utility (typically, click Start > Run > LDP)
  • In the LDP menu, click Connection > Connect
  • Enter the directory server name or IP address, the port (typically, 636 for secure LDAP), and check the SSL checkbox, as shown below, then click OK:
  • If the connection is successful, you will see a list of output similar to this:
  • Note that the connection string in the title of the LDP window indicates that the connection is made using SSL
  • If you get an error saying, "Cannot open connection," LDP cannot establish a secure connection to the directory server. In this case, it's very likely that the server is not configured properly for LDAP over SSL. Verify the server name/IP address and port number. You can also use the Portqry tool to verify that the directory server is listening on the correct port. Use "portqry /n servername /e 636" to check that servername is listening on endpoint (port) 636.
  • The following LDP output indicates that the connection failed because the certificate used in the SSL connection cannot be trusted:

ld = ldap_sslinit("dc01", 636, 1);
Error <0x0> = ldap_set_option(hLdap,LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: {empty}
Error <0x51>: Fail to connect to dc01.

I found a cool utility on Novell's website that can be used to view the SSL certificate on a remote directory server. Download the View Directory Certificate utility and extract the files to a temporary folder. Then run ViewDirCert.exe:

Specify the directory server or IP address and click View Certificate. The certificate details will be displayed in a new window. If the certificate was generated by an untrusted Certificate Authority (CA) or is a self-signed cert that the host does not trust, you will see a warning as shown below:

You can configure the host to trust this certificate by either adding the CA to the local machine's Trusted Root Certification Authorities store or by importing the self-signed certificate into the local machine's Trusted Root Certification Authorities store.
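The same test from PowerShell, as an added example that is not part of the original post: it does the Portqry-style listener check, then opens the LDAP/SSL session through System.DirectoryServices.Protocols (the same client library LDP uses) with a certificate callback that reports why a connection is rejected. It assumes a directory server named dc01 (placeholder) and .NET 3.5 or later.

```powershell
# Added example: test LDAP over SSL and show the server certificate's trust state.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsPort {
    # Equivalent of "portqry /n server /e 636": is anything listening at all?
    param([string]$Server, [int]$Port = 636, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-LdapsConnection {
    param([string]$Server, [int]$Port = 636)
    $script:certReport = $null
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true     # ldap_sslinit(server, 636, 1)
    $conn.SessionOptions.ProtocolVersion   = 3         # LDAP_OPT_PROTOCOL_VERSION = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)                 # uses this host's trusted root store
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $script:certReport = New-Object PSObject -Property @{
            Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter
            Thumbprint = $cert.Thumbprint; Trusted = $trusted; ChainStatus = $status }
        return $trusted   # returning $false here reproduces LDP's 0x51 for an untrusted cert
    }
    try {
        $conn.Bind()
        $result = 'Connected over SSL'
    } catch {
        $result = 'Failed: ' + $_.Exception.Message
    } finally { $conn.Dispose() }
    New-Object PSObject -Property @{
        Server = $Server; Port = $Port; Result = $result; Certificate = $script:certReport }
}

$server = 'dc01'   # placeholder directory server name
if (Test-LdapsPort -Server $server) {
    $r = Test-LdapsConnection -Server $server
    $r.Result
    $r.Certificate | Format-List Subject, Issuer, NotAfter, Thumbprint, Trusted, ChainStatus
} else {
    "$server is not listening on 636; check the name, port and any firewall in between."
}
```

When the bind fails but the certificate block is filled in, the listener is fine and the problem is trust (ChainStatus shows the reason, e.g. UntrustedRoot); when the block is empty, the SSL handshake never got as far as a certificate.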


Wednesday, November 11, 2009

Speed up Outlook 2007 Access

I've heard several clients complain that Outlook 2007 takes too long to start up compared to previous versions of Outlook. In most cases I've found that this is because Outlook 2007 is configured to connect to Exchange using Outlook Anywhere, even on their corporate LAN/WAN.

Here's how to correct this:

  • Open Outlook and click Tools > Account Settings, or in Control Panel open Mail and click E-mail Accounts.
  • Double-click the Email account name that's using Exchange to edit its properties
  • Click the More Settings button
  • Click the Connection tab
  • Clear the Outlook Anywhere checkbox that reads, Connect to Microsoft Exchange using HTTP
  • Click OK > Next > Finish
  • Restart Outlook


Tuesday, November 10, 2009

Exchange Server 2010 RTM Upgrade and Installation - Phase 3

This is the third and final phase of my Exchange 2010 / Windows Server 2008 R2 / Hyper-V migration. Phase 1 can be read here and phase 2 can be read here.

At this point, my Hyper-V host server is still running Windows Server 2008 SP2 and also functions as my Exchange Edge Transport server (currently Exchange 2007 SP2). It is hosting three VM guests: a Windows Server 2008 R2 domain controller/global catalog server; an Exchange 2007 SP2 server running the Hub/CAS/Mailbox roles; and a new Exchange 2010 server running the Hub/CAS/Mailbox roles. All mailboxes have been moved to the new E2010 server.

In phase 3, I will uninstall the Exchange 2007 Edge Transport server role from the host, upgrade the host server to Windows Server 2008 R2, install the Exchange 2010 Edge Transport role, and decommission my last Exchange 2007 Hub/CAS/Mailbox server.

I began by uninstalling Forefront Security for Exchange Server from the Exchange 2007 Hub/CAS/Mailbox server. In order to do this, you must stop all the Exchange services and then uninstall the product using Programs and Features in Control Panel.

Next, I created a new Public Folder database on the Exchange 2010 Mailbox server and enabled replicas on the E2010 mailbox server using the Exchange 2010 Public Folder Management Console in the Exchange Management Console (EMC). I then removed all the Public Folder replicas from the Exchange 2007 Mailbox server role using the Exchange 2007 Public Folder Management Console in the EMC.

You cannot decommission an Exchange mailbox server that contains active mailboxes. They must be moved to another server or disabled. Since I had already moved all my user and resource mailboxes to the new Exchange 2010 server, all that was left was the system CAS mailbox which must be disabled (it cannot be deleted or moved). This is accomplished using the following command from the Exchange Management Shell (EMS):

Get-Mailbox -Database "EX\Mailbox Database" | Disable-Mailbox

Now I'm finally ready to uninstall Exchange 2007 from the Hub/CAS/Mailbox server using Programs and Features in Control Panel. However, removal of the Mailbox role fails with the error, "Object is read only because it was created by a future version of Exchange: 0.10 ( Current supported version is 0.1 (8.0.535.0)." I also discover I get the same error if I try to delete the E2007 Public Folder database.

After some research, I found that the only way to delete the "upgraded" Exchange 2007 Public Folder store is using ADSIEdit. This is detailed here, but the basic steps are to navigate to the Public Folder store in ADSIEdit and delete it, which I've done here.

Once the Public Folder database was removed, I ran the uninstallation again, which then succeeded. After Exchange 2007 was uninstalled, I completed the decommissioning by dis-joining the Exchange 2007 server from the domain and turned it off. I then tested mailflow to ensure that inbound/outbound SMTP email is working properly.

Next, I began the operating system upgrade of the Hyper-V host server by uninstalling Forefront Security for Exchange Server and the Exchange 2007 Edge Transport role. This went very smoothly with no issues.

In preparation for my OS upgrade, I shut down and exported my two Hyper-V VMs to a new folder, H:\Exports. Exporting a VM exports the VM configuration, which includes the hardware, drives, networks (and most importantly, MAC addresses) to an XML file. This allows you to import the VM into a new Hyper-V host server without further configuration.

My process for upgrading the host server was to perform an in-place installation, not an upgrade. This is performed by booting to the Windows Server 2008 R2 DVD and choosing a new installation. Setup will warn that there is already a copy of Windows installed and prompt to continue. When you continue, setup will copy all the old user folders (Documents and Settings), Program Files, and the Windows folders to a new folder named C:\Windows.old, which can be accessed later from the new operating system. When setup completed, I was left with a base Windows Server 2008 R2 server.

I then installed the Hyper-V role and imported the VMs from H:\Exports. I started them up and verified that everything was running properly. I was very pleased to see that the VMs performed faster, due to R2's improved handling and performance of dynamic VHDs.

Next, I installed the Exchange 2010 Edge Transport server role on the host server, reconfigured my anti-spam settings, and created a new Edgesync subscription. After importing the Edgesync subscription in the Exchange 2010 Hub Transport server, I tested Edgesync and mailflow, which worked as expected.

I hope this series helps some of you out!


Friday, November 6, 2009

Fix for 'The server name is invalid' error when installing Exchange 2007 Management Tools

You may receive the following error when installing the Exchange 2007 management tools on a computer:

The server name is invalid. It contains characters other than 'A'-'Z', 'a'-'z', '0'-'9' and "-".

While the error indicates that the problem is with the server, it's actually with the name of the local computer where the Exchange 2007 management tools are being installed. The most common reason for this I've seen is an underscore "_" in the local computer name.

The fix for this is to replace the exbpa.prereqs.xml file on the Exchange Server 2007 installation source with the RTM version of the file.  Here are the steps to do this:
  • Download the RTM version of exbpa.prereqs.xml from this blog (right-click the link and choose Save target as...) and save it to a temporary location
  • Disable automatic updating for Exchange 2007 setup. Otherwise, setup will automatically download the most recent version of the file and replace it. Run the following command at the CMD prompt:
reg add "HKCU\Software\Microsoft\Exchange\ExBPA" /v "VersionCheckAlways" /t REG_DWORD /d 0 /f
  • Copy the exbpa.prereqs.xml file you downloaded earlier to the \setup\serverroles\common\en folder on your Exchange 2007 installation media.
  • Now run setup and install the Management Tools, as usual.  You will still see the same error message, as shown above, but you will see an Install button instead of a Retry button.
When the installation is complete, remove the VersionCheckAlways registry value to re-enable the automatic update feature using the following command:

reg delete "HKCU\Software\Microsoft\Exchange\ExBPA" /v "VersionCheckAlways" /f
Keep in mind that you may have to do this same procedure again in future update rollups and/or service pack updates.


Fix for Remote Desktop Gateway authentication error from clients

If you use Remote Desktop Gateway Manager (formerly, Terminal Services Gateway) in Windows Server 2008 R2, you may find that Windows clients are unable to authenticate to the RD Gateway server.

This happens because the default configuration in Windows Server 2008 R2 Remote Desktop Gateway is to request that clients send a statement of health before the connection can be made. If this option is selected and you do not have a Remote Desktop connection authorization policy (RD CAP) for Network Access Protection (NAP) configured, clients will be unable to connect to the RD Gateway. They will repeatedly be prompted for Gateway Server Credentials as shown below:

To fix this issue, ensure that you have a valid statement of health configured in NAP. Alternatively, as in the case of clients that cannot or do not provide a statement of health (I'm looking at you, Windows XP), you can disable requesting statements of health entirely. Here's how to do that:
  • Logon to the Remote Desktop Gateway computer and open the RD Gateway Manager (Start > Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager)
  • Right-click the RDG server and select Properties
  • Click the RD CAP Store tab and clear the checkbox for "Request clients to send a statement of health", as shown below and click OK.

It may take a moment for the change to go into effect. Occasionally, I've had to restart the Remote Desktop Services service.


Monday, October 26, 2009

Paused Hyper-V VMs Do Not Release RAM

Windows Server 2008 Hyper-V allows the administrator to pause a running Hyper-V virtual machine.  When a VM is paused, the VM system state is written to a file on the host server and the VM no longer will process operations.  This is similar to the sleep feature in other versions of Windows.

When the VM is resumed, Hyper-V will read this saved state information back into its working set and the VM will continue to function as it was when the VM was paused.  This is a very quick operation.

Pausing a VM is handy when you want to quickly and temporarily take a machine offline without shutting it down.  For example, you may want to test cluster failover or you may need to briefly free up main processor resources.

Be aware, however, that pausing a VM does not free up the RAM associated with the VM.  I've seen several customers make this mistake, thinking that they could essentially "over-subscribe" their Hyper-V host server by pausing running VMs to free up resources (RAM) and run other VMs.

When you pause a virtual machine, the RAM allocated to the paused VM is not released back to the host.  Take a look at the sample performance monitor screenshot below:

This perfmon example shows available megabytes free on a Windows Server 2008 Hyper-V host server with 8GB RAM.  RAM drops when a 4GB VM is started up, as expected.  The VM is then paused and the available megabytes free remains steady at about 3289MB free.  RAM utilization remains steady when the VM is resumed a short time later.  RAM is only released back to the Hyper-V host when the VM is powered off.

If you want to free up RAM from a running VM, you need to either turn off the VM or use the Hyper-V "Save" action.  Save is similar to the Windows hibernate feature, where both the system state and the RAM working set are written to disk files and then released to the host server.  When the VM is started, it will read these files back into memory and restore the VM to its previous state.


Friday, October 23, 2009

Hyper-V-Worker Event 23012 Explained

If you load a Windows Server 2008 R2 virtual machine on a Windows Server 2008 Hyper-V host server, you will get an error on the host server similar to the following:

Log Name: Microsoft-Windows-Hyper-V-Worker-Admin
Source: Microsoft-Windows-Hyper-V-Worker
Date: 10/23/2009 7:56:48 AM
Event ID: 23012
Task Category: None
Level: Error

Device 'VMBus' in 'EX1 ENT x64' cannot load because it is incompatible with virtualization stack. Server version 13 Client version 65537 (Virtual machine 98EEEED7-A97D-48CF-87F5-E1E8F698D169).

This happens because the Windows Server 2008 R2 Hyper-V Integration Components are not compatible with the Hyper-V v1 release components.

Incompatible does not mean they won't work - because they do.  It's just that the R2 version includes enhancements and changes that are beyond the capabilities of Hyper-V v1.

If you want to run an R2 build in a VM on Hyper-V v1 and you don't want to see this error, use a Legacy NIC for the R2 VM.

The Integration Components are already present in Windows Server 2008 and Windows Server 2008 R2.  You do not need to install them on these VMs.  You can only upgrade the Integration Components, not downgrade them.


Tuesday, August 25, 2009

How to Create Custom Error Notifications for IP Block List Providers in Exchange 2007

This doesn't seem to be documented anywhere in Microsoft TechNet, so I figured I'd write up a post about it.

IP Block List Providers in Exchange 2007 are a means to reduce spam from entering your organization. They are configured on the Edge Transport servers, which is detailed in TechNet here. This article explains how to use variables to create a custom error message when an email is rejected by an IP Block List filter.

In Exchange 2003, you can pass parameters to the custom error message using the %0, %1 and %2 variables.

  • %0 = IP address of the sending mail server
  • %1 = Rule name of the connection filter (Provider name)
  • %2 = The RBL provider (Lookup domain)

In Exchange 2007 the variables are the same, but the way you call the variables has changed.

  • {0} = IP address of the sending mail server
  • {1} = Rule name of the connection filter (Provider name)
  • {2} = The RBL provider (Lookup domain)

Using these variables we can craft more helpful error messages, in the event that a real person (not a spammer) is blocked by your block list (aka, RBL) provider.

In the custom error message example above, the following error message would be returned to the blocked server:

Host was blocked by Trend Micro Email Reputation Services (ERS). Please see
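Setting such a response from the Exchange Management Shell and previewing what a blocked sender would see, as an added example that is not part of the original post. It assumes the Edge Transport server's Exchange 2007 Management Shell, a provider named 'Trend Micro ERS' (placeholder name), a placeholder URL, and that Exchange expands {0}-{2} with .NET String.Format semantics.

```powershell
# Added example: custom rejection response for an IP Block List provider.
$providerName = 'Trend Micro ERS'   # placeholder: use your provider's name from Get-IPBlockListProvider
$response = 'Host {0} was blocked by {1} ({2}). Please see https://PROVIDER-LOOKUP-URL-PLACEHOLDER'

# The text is returned inside a single SMTP rejection line, so keep it short
# (assumed limit: under 240 characters).
if ($response.Length -gt 240) {
    throw "RejectionResponse is $($response.Length) characters; shorten it."
}

Set-IPBlockListProvider -Identity $providerName -RejectionResponse $response
$provider = Get-IPBlockListProvider -Identity $providerName
$provider | Format-List Name, LookupDomain, Enabled, RejectionResponse

# Preview: {0} = sender IP, {1} = provider (rule) name, {2} = lookup domain.
function Get-RejectionPreview {
    param([string]$Template, [string]$SenderIp, [string]$RuleName, [string]$LookupDomain)
    [string]::Format($Template, $SenderIp, $RuleName, $LookupDomain)
}
# 192.0.2.10 is a constructed documentation address, not a real sender.
Get-RejectionPreview -Template $provider.RejectionResponse -SenderIp '192.0.2.10' `
    -RuleName $provider.Name -LookupDomain $provider.LookupDomain
```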


Friday, August 21, 2009

Name that Port, Powershell Style!

In a previous post, I presented a VBScript that displays the service assigned to common port numbers. You can also enter a search string to find any ports whose service (protocol) contain the search string.

Richard Siddaway suggested that the script should be written in Powershell instead, so here it is: Get-Port.ps1


Get-Port.ps1 portnumber
This command gets the specified port number and displays the associated service

Get-Port.ps1 searchstring
This command displays all ports and services that match the search string. Searchstring is case insensitive.


Thursday, August 20, 2009

Name that Port!

I wrote a simple VBScript that helps you identify TCP/UDP ports and their well known services.

Download port.vbs and place it anywhere in your system path.

To use it, enter port [portnumber] (i.e., port 389) and the script will display the well known service associated with the port, as shown above.

Alternatively, you can enter port [searchstring] and the script will show all ports that contain that search string. For example, port ldap will show all the ports with ldap in the service name.

The script works best from the command line when WScript is set to be your default script handler. Simply enter wscript from the command line to do this. Otherwise, you'll need to type cscript port [search] from the command line.

Update! See this post for the same script in Powershell.
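Since both this post and the Powershell post above describe the same lookup, here is one added PowerShell implementation of it. This is not the author's port.vbs or Get-Port.ps1; it reads the local services file (%SystemRoot%\System32\drivers\etc\services) and treats a numeric argument as a port number and anything else as a case-insensitive search string.

```powershell
# Added example, not the author's Get-Port.ps1 or port.vbs. Save as a .ps1 and run with a
# port number or a search string: .\Get-Port.ps1 389   or   .\Get-Port.ps1 ldap
param([Parameter(Mandatory = $true)][string]$Query)

function Get-ServiceEntry {
    # Parses lines of the form "<service> <port>/<protocol> [aliases...] # comment"
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\services'))
    foreach ($line in Get-Content -Path $Path) {
        $text = ($line -split '#', 2)[0].Trim()          # strip trailing comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2 -or $fields[1] -notmatch '^(\d+)/(tcp|udp)$') { continue }
        [PSCustomObject]@{
            Port     = [int]$Matches[1]
            Protocol = $Matches[2]
            Service  = $fields[0]
            Aliases  = (@($fields | Select-Object -Skip 2) -join ' ')
        }
    }
}

$entries = @(Get-ServiceEntry)

# A purely numeric query is a port lookup; anything else is a substring search
# (-like is case-insensitive in PowerShell) over service names and aliases.
$result = if ($Query -match '^\d+$') {
    $entries | Where-Object { $_.Port -eq [int]$Query }
} else {
    $entries | Where-Object { $_.Service -like "*$Query*" -or $_.Aliases -like "*$Query*" }
}

if (-not $result) {
    "No entry found for '$Query'"
} else {
    $result | Format-Table Port, Protocol, Service, Aliases -AutoSize
}
```

Because the script only reads the local services file, the answer reflects the IANA-style assignments shipped with Windows, not what is actually listening on a host; use it to put a name to a port number seen in a log or firewall rule, then confirm the real process with netstat.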


Monday, July 13, 2009

How to turn off the "Do you want to view only the webpage content that was delivered securely?" security warning in IE8

A common question I hear from users of Internet Explorer 8 is, "How do I disable the 'Do you want to view only the webpage content that was delivered securely' in IE8?", as shown below.

Before I explain how, you should understand what it's warning you about. You will see this warning whenever HTTP (non-secured) elements are displayed on an HTTPS (secured) web page, which means these elements are not encrypted. Typically, these elements are just embedded images, but they could also be areas of the page where information can be entered.

By clicking Yes (the default), you will only see the secure areas of the page and will know which areas are secured. If you disable the warning, you will not know which (if any) of the elements on the page are not secured.

To disable the security warning, follow these steps:

  • Click Tools > Internet Options
  • Click the Security tab
  • Click the Internet zone and click the Custom Level button
  • Scroll down to the Miscellaneous area and change Display mixed content (shown on the left) from Prompt to Enable
  • Click OK
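The setting changed by these steps is stored in the registry, so it can be audited (and put back) without clicking through the dialog. The following is an added example, not part of the original post; it reports the value for the current user and for the machine-wide location, and includes a function that restores the prompt.

```powershell
# Added example, not from the original post. Zone 3 is the Internet zone and action 1609 is
# "Display mixed content" (0 = Enable, 1 = Prompt, 3 = Disable).
$ZoneSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Labels = @{ 0 = 'Enable (no warning)'; 1 = 'Prompt (default)'; 3 = 'Disable' }

function Get-MixedContentSetting {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $value = (Get-ItemProperty -Path "$($Hive):\$ZoneSubKey" -Name '1609' -ErrorAction SilentlyContinue).'1609'
    if ($null -eq $value) { $setting = 'not set' } else { $setting = $Labels[[int]$value] }
    [PSCustomObject]@{ Hive = $Hive; Value = $value; Setting = $setting }
}

function Restore-MixedContentPrompt {
    # Reverse of the steps above for the current user: bring the warning back.
    Set-ItemProperty -Path "HKCU:\$ZoneSubKey" -Name '1609' -Value 1 -Type DWord
}

'HKCU', 'HKLM' | ForEach-Object { Get-MixedContentSetting -Hive $_ } | Format-Table -AutoSize
```

A value of 0 on a fleet of workstations is worth knowing about: it means users will never be told when a page served over HTTPS is pulling in unencrypted content.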


Wednesday, June 17, 2009

Is it down for just me?

Here's a great tip I got from my friend and co-worker, Pete Handley.

Have you ever gone to a website, found out it was down, and wondered if it was just you? Check out You enter a website to check and it'll tell you if it's down for everyone or just you!

Simple and elegant!


Friday, June 12, 2009

Failure of FSW Causes Cluster Group to Failover

The following information was written for Exchange 2007 CCR mailbox clusters, but it pertains to any clustering solution that uses the Windows Server 2008 Node and File Share Majority cluster quorum configuration.

How Does Node and File Share Majority Clustering Work?

Exchange 2007 CCR uses two clustered Exchange mailbox nodes, called a Clustered Mailbox Server (CMS). In order for Windows to know which node is active, it utilizes a File Share Witness (FSW) to maintain quorum. The FSW is a network share on a third computer (typically a Hub Transport server in the normally active node's physical site). The active node writes information to files in that share and locks them for writing, preventing the passive node from writing to the FSW and taking quorum. It always takes two out of three votes to maintain quorum.

If the active node becomes unavailable, the passive node can write to the FSW and the cluster group fails over. In the case of a total site failure where both the active node and the FSW are offline, both the cluster group and the CMS will fail since there is no quorum (there's only one vote).

What Happens When the FSW Becomes Unavailable?

When the FSW fails, the active CMS node (Exchange) does not fail over because there are still two votes (the active and passive nodes). However, the Windows cluster group will fail over to the other node if the FSW does not come back online within 60 seconds. This is because the File Share Witness resource in Windows Server 2008 is configured to fail over the cluster group when the FSW fails, as shown below.

Worse, the FSW resource will not come back online for another 60 minutes. During this time, a failure of either one of the nodes will cause the cluster to fail, even if the FSW is back online.

These default settings are provided so that the cluster event logs don't fill up with constant "Trying to start the resource", "The resource failed to start" events during a prolonged outage.

This is what happens when the FSW server is rebooted (during patch management, for example):

  • The server holding the FSW resource is rebooted.
  • The cluster tries to connect to the FSW one minute after failure is detected.
  • If the FSW is still unavailable (which usually happens - most servers take longer than 60 seconds to restart), the cluster group fails over to another node.
  • Wait one hour and try connecting to the FSW again. The FSW is finally brought online.

Note: This behavior only pertains to Windows Server 2008. Windows Server 2008 R2 does not have this issue.

It's important to know that even though the cluster group fails over, there really is no effect on Exchange, even with a geographically dispersed CCR cluster (geo-cluster). However, if you're like me, you like symmetry and order. The cluster group should be with the active CMS node.

Here's how to minimize the time that the cluster group is on the (normally) passive node:

  • Open the Failover Cluster Management console
  • Add the cluster name, if necessary, and select it
  • Double-click Cluster Core Resources in the middle pane to expand it
  • Right-click File Share Witness (\\servername\sharename) and select Properties
  • Click the Policies tab
  • For optimal restart performance, change "If all the restart attempts fail, begin restarting again after the specified period (hh:mm)" to 15 minutes, as shown below:

This configuration will cause the cluster service to attempt to bring the FSW resource to online once every 15 minutes, instead of an hour.

Next, log on to the server holding the FSW resource (typically a Hub Transport server in the active site) and install the Failover Clustering Tools feature. You'll find it in Remote Server Administration Tools > Feature Administration Tools.

Now create a batch file called FSW_Online.bat containing the following two lines:

cluster EXCLUSTER1 res "File Share Witness (\\server\mns_fsw_excluster1)" /online
cluster EXCLUSTER1 group "Cluster Group" /

Note: Replace EXCLUSTER1 with your cluster name. Replace \\server\mns_fsw_excluster1 with the name of your FSW resource (enter "cluster res" at a command prompt to find it). Replace with the FQDN of the CMS node you want to keep the cluster group on.

Lastly, configure FSW_Online.bat to run at startup on the FSW resource server:

  • Open Local Group Policy Editor
  • Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup
  • Click Add and browse to the FSW_Online.bat file you created
  • Click OK twice and close Local Group Policy Editor
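The batch file above runs both commands unconditionally at every startup. As an added example (not the post's FSW_Online.bat), here is a PowerShell startup script that wraps the same cluster.exe commands but first checks the resource state and the group's current node, so it only acts when something is actually out of place and writes what it did to a log. The cluster name, resource name and node FQDN are placeholders for your own values.

```powershell
# Added example, not the post's FSW_Online.bat. Requires the Failover Clustering Tools
# (cluster.exe) on the server that hosts the File Share Witness share.
$ClusterName   = 'EXCLUSTER1'                                     # placeholder
$FswResource   = 'File Share Witness (\\server\mns_fsw_excluster1)' # placeholder, see "cluster res"
$PreferredNode = 'cms-node1.example.com'                          # assumed FQDN of the normally active CMS node
$LogFile       = Join-Path $env:SystemRoot 'Temp\FSW_Online.log'

function Write-Log { param([string]$Message) "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile }

function Get-ClusterResourceStatus {
    # Parses the Status column of "cluster <name> res <resource>"
    param([string]$Cluster, [string]$Resource)
    foreach ($line in (& cluster $Cluster res $Resource 2>&1)) {
        if ($line -match '\s(Online Pending|Offline Pending|Online|Offline|Failed|Initializing)\s*$') { return $Matches[1] }
    }
    return 'Unknown'
}

function Get-ClusterGroupNode {
    # Parses the Node column of "cluster <name> group <group>"
    param([string]$Cluster, [string]$Group)
    foreach ($line in (& cluster $Cluster group $Group 2>&1)) {
        if ($line -match '\s(\S+)\s+(Partial Online|Online|Offline|Failed|Pending)\s*$') { return $Matches[1] }
    }
    return 'Unknown'
}

# 1. Bring the FSW resource online only if it is not already online
$status = Get-ClusterResourceStatus -Cluster $ClusterName -Resource $FswResource
Write-Log "FSW resource status: $status"
if ($status -ne 'Online') {
    & cluster $ClusterName res $FswResource /online 2>&1 | ForEach-Object { Write-Log "$_" }
}

# 2. Move the core cluster group back only if it is on another node (cluster.exe reports the
#    NetBIOS node name, so compare against the first label of the FQDN)
$wantedNode = $PreferredNode.Split('.')[0]
$node = Get-ClusterGroupNode -Cluster $ClusterName -Group 'Cluster Group'
Write-Log "Cluster Group is on node: $node"
if ($node -ne $wantedNode) {
    & cluster $ClusterName group 'Cluster Group' "/moveto:$wantedNode" 2>&1 | ForEach-Object { Write-Log "$_" }
}

# One-time equivalent of the Policies tab change above (retry every 15 minutes = 900000 ms);
# RetryPeriodOnFailure is the resource property name as I know it, so verify with "/prop" first:
# cluster $ClusterName res $FswResource /prop RetryPeriodOnFailure=900000
```

Register it as a startup script in the same way as the batch file (Local Group Policy Editor > Startup, with `powershell.exe -ExecutionPolicy Bypass -File <path>` as the script line if the machine's execution policy would otherwise block it). The log in %SystemRoot%\Temp lets you confirm after each patch cycle that the FSW came back and the group went home.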

This is my current best practice for configuring the File Share Witness resource failure policy.

Special thanks go to Tim McMichael, Senior Support Escalation Engineer on the Exchange product support team, for assisting me with this article.


Wednesday, June 10, 2009

Be Aware: Windows Server 2008 SP2 Re-enables Disabled NICs

Be aware that installing Windows Server 2008 Service Pack 2 (SP2) will re-enable any network adapters that were disabled prior to the update. This also affects computers updated with Windows Vista Service Pack 2.

[Before installing SP2]

[After installing SP2]

This is important for several reasons. It is best practice on Hyper-V servers to disable the virtual NIC assigned to VM guests, so that a host with a dedicated management NIC does not use the NICs assigned to VM guests. SP2 re-enables all these virtual NICs, as well.

Sometimes disabled NICs should only be enabled for disaster recovery purposes. Enabling these NICs at startup could have dire consequences in these rare situations.

It's important to understand that if you're using the Windows Firewall, the server uses the most secure firewall network profile for all NICs. If your domain-joined computer has more than one NIC, but only the NIC that is used to connect to the domain is enabled, the Windows Firewall uses the Domain Network profile. However, after installing SP2 the computer will start up with all NICs enabled. If the previously disabled NICs are not connected, the Windows Firewall will use the Public Network profile, which uses quite different firewall policies -- potentially causing service interruptions.

My advice is to document your network connections prior to installing Windows Server 2008 SP2, so you can reconfigure them when you're done with the update.

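Documenting the connections can be scripted. The following is an added example (not from the original post) that snapshots every network connection's enabled state to a CSV before the service pack and, afterwards, re-disables exactly the adapters that were disabled before. It uses the Win32_NetworkAdapter WMI class, whose NetEnabled property and Disable() method exist on Windows Vista / Server 2008 and later; the snapshot path is an assumption.

```powershell
# Added example, not from the original post. Run Save-NicState before installing SP2 and
# Restore-NicState after the post-SP2 reboot, both from an elevated PowerShell prompt.
$Snapshot = Join-Path $env:SystemRoot 'Temp\nic-state.csv'   # assumed location

function Save-NicState {
    # Only adapters that appear in Network Connections have a NetConnectionID
    Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionID IS NOT NULL' |
        Select-Object NetConnectionID, Name, MACAddress, NetEnabled |
        Export-Csv -Path $Snapshot -NoTypeInformation
    "Saved state of $((Import-Csv $Snapshot).Count) connections to $Snapshot"
}

function Restore-NicState {
    if (-not (Test-Path $Snapshot)) { throw "No snapshot found at $Snapshot" }
    # Export-Csv stores booleans as the strings 'True'/'False'
    $previouslyDisabled = Import-Csv -Path $Snapshot | Where-Object { $_.NetEnabled -eq 'False' }
    foreach ($nic in $previouslyDisabled) {
        $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$($nic.NetConnectionID)'"
        if ($adapter -and $adapter.NetEnabled) {
            "Re-disabling '$($nic.NetConnectionID)' ($($nic.Name))"
            $adapter.Disable() | Out-Null
        }
    }
}
```

Because the restore step works from the saved list rather than from a hard-coded adapter name, it is safe to run on every host in the patch group; a host where nothing was disabled simply does nothing.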

Wednesday, June 3, 2009

Fix for having to supply credentials when connecting to a Hyper-V guest

One of my customers complained that he was getting the following prompt for credentials whenever he connected to a Hyper-V guest from the host.

Your credentials did not work
Your system administrator does not allow the use of default credentials to log on to the remote computer (computer name) because its identity is not fully verified. Please enter new credentials.

The host Hyper-V server is in a workgroup and the guests are in either a domain or workgroup.

The fix is to allow saved credentials with NTLM-only server authentication on the Hyper-V host. You can do this in the Local Group Policy Editor.

  • Run GPEDIT.MSC on the Hyper-V host
  • Expand Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation
  • Double-click Allow Saved Credentials with NTLM-only Server Authentication
  • Enable the policy
  • Add servers to the list by clicking the Show button and adding your Hyper-V hostname
  • Click OK twice and close Local Group Policy Editor

Now run GPUPDATE on the Hyper-V host to apply the new settings.

Connect to one of the Hyper-V guests, enter your username and password, and check the Remember my credentials checkbox. Hyper-V will no longer prompt for credentials when connecting to any of the guest VMs.
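This policy deliberately relaxes credential delegation to servers whose identity cannot be verified with Kerberos, so it is worth checking what the host actually permits. As an added example (not from the original post), the following reads the policy from the registry location it is written to (HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation), lists the server entries, and flags any wildcard entries that would extend it beyond the named Hyper-V host.

```powershell
# Added example, not from the original post. Reports the "Allow saved credentials with
# NTLM-only server authentication" policy and its server list on this machine.
function Get-NtlmOnlySavedCredentialPolicy {
    $base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $enabled = (Get-ItemProperty -Path $base -Name AllowSavedCredentialsWhenNTLMOnly -ErrorAction SilentlyContinue).AllowSavedCredentialsWhenNTLMOnly
    $listKey = Join-Path $base 'AllowSavedCredentialsWhenNTLMOnly'

    # The "Show" list in the policy editor is stored as numbered string values under a subkey
    $servers = @()
    if (Test-Path $listKey) {
        $item    = Get-Item $listKey
        $servers = @($item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) })
    }

    [PSCustomObject]@{
        Enabled   = ($enabled -eq 1)
        Servers   = $servers
        Wildcards = @($servers | Where-Object { $_.Contains('*') })   # entries broader than one host
    }
}

$policy = Get-NtlmOnlySavedCredentialPolicy
$policy | Format-List
if ($policy.Wildcards.Count -gt 0) {
    "Warning: wildcard entries allow saved credentials to be sent to any matching server: $($policy.Wildcards -join ', ')"
}
```

Keep the list to the single Hyper-V host (and the guest names, if you add them); a wildcard such as an entire domain suffix means saved credentials can be handed to any server that can pass an NTLM handshake.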


Monday, April 20, 2009

Stop Spamming Yourself!, Part 2

Frequently, you may receive spam from the Internet that appears to come from your own domain name. This is a common tactic used by spammers to bypass spam filters.

In an earlier article, I showed how to configure Exchange 2007 to reject all SMTP emails from the Internet that supposedly come from your own domain name. We did this by adding your domain name to the Sender Filtering / Blocked Senders configuration on the Edge server.

While this works perfectly, it goes against a Microsoft best practice and doesn't provide for any exceptions. This article will show how to accomplish the same thing using an Edge Transport Rule, as well as how to configure an exception. Let's get started.
  • Logon to the Edge Transport server, open the Exchange Management Console, and navigate to Microsoft Exchange > Edge Transport > Transport Rules tab.
  • Click New Transport Rule in the Actions pane to open the New Transport Rule wizard.
  • Enter a name for the rule and any comments, as shown below, and click Next.

  • For the Conditions in Step 1, click "when the From address contains text patterns" and "from users inside or outside the organization"
  • In Step 2, click the words "text pattern" and add your domain name. Click the word "Inside" and change it to "Outside". Click Next.

  • Now we will set the Action to take upon these messages. In Step 1, click "set the spam confidence level to value" and "reject the message with status code and response"
  • In Step 2, set the SCL to "-1". We do this so that the exceptions configured on the next page will not go to the users' Junk E-mail folders in Outlook. Click Next.

  • For the Exceptions in Step 1, click "except when the text specified words appear in a message header"
  • In Step 2, click "specific words" and add the domain of the sending server (i.e., is an online restaurant reservation system that emails invitations to people when a reservation is made. It spoofs the emailed invitation to look like it came from the sender. Because of this, it would normally be rejected if it weren't for this exception.
  • Click "message header" and enter "Receive". Click Next.

  • Click New and Finish to create the new Transport Rule.

The rule will now reject all emails from the Internet that claim to be from your domain name, unless the SMTP Receive header contains the text "". It will also set the SCL so that the exception will not be classified as spam by Outlook.

The rule above can also be created from the Exchange Management Shell with the following command:

new-TransportRule -Name 'Reject inbound emails from' -Comments 'Exception:' -Conditions
-Enabled $true -Priority '0'

The code above is meant to be entered as one single line.

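The same rule built step by step in the Exchange Management Shell, as an added example that is not the post's own command. The predicate and action names (FromAddressMatches, FromScope, HeaderContains, SetScl, RejectMessage) and their properties follow the Exchange 2007 Get-TransportRulePredicate and Get-TransportRuleAction output as I recall it, so confirm them with those two cmdlets on your Edge server before relying on this; example.com and mail.vendor.example are placeholders.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on the
# Edge Transport server. Object and property names are from memory: verify with
# Get-TransportRulePredicate and Get-TransportRuleAction.
$OwnDomain   = 'example.com'            # placeholder: your own SMTP domain
$TrustedHost = 'mail.vendor.example'    # placeholder: host name in the vendor's Received header

# Conditions: From address matches our own domain AND the sender is outside the organization
$fromPattern = Get-TransportRulePredicate FromAddressMatches
$fromPattern.Patterns = @("@$([regex]::Escape($OwnDomain))$")
$fromScope = Get-TransportRulePredicate FromScope
$fromScope.Scope = 'NotInOrganization'

# Actions: SCL -1 as configured in the post, then reject with a 5.7.1 status
$setScl = Get-TransportRuleAction SetScl
$setScl.SclValue = -1
$reject = Get-TransportRuleAction RejectMessage
$reject.RejectReason = "Messages claiming to be from $OwnDomain are not accepted from the Internet"
$reject.EnhancedStatusCode = '5.7.1'

# Exception: the Received header names the vendor's sending host
$headerException = Get-TransportRulePredicate HeaderContains
$headerException.MessageHeader = 'Received'
$headerException.Words = @($TrustedHost)

New-TransportRule -Name "Reject inbound mail spoofing $OwnDomain" `
    -Comments "Exception: $TrustedHost" `
    -Conditions @($fromPattern, $fromScope) `
    -Exceptions @($headerException) `
    -Actions @($setScl, $reject) `
    -Enabled $true -Priority 0

# Review the result
Get-TransportRule -Identity "Reject inbound mail spoofing $OwnDomain" | Format-List Name, Conditions, Exceptions, Actions
```

Keep the exception word specific to the vendor's actual sending host name and review the rule whenever the vendor changes its mail hosts: a header-based exception is only as narrow as the text it matches, so a generic word would reopen the hole the rule closes.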

Wednesday, April 15, 2009

Fix for Duplicate Contacts Lists in Outlook

Sometimes you may find that a user has multiple Contacts address books listed in Outlook. This can occur when invalid references exist in the Outlook Address Books.

Remove the invalid reference to a contacts folder in Outlook:

Tools > E-mail Accounts > View or change existing directories or
address books > Outlook Address Book > Change... >

Select the duplicate Outlook Address Book(s) and click Remove Address Book for each duplicate.


Friday, April 3, 2009

Fix for 0x8024400E Errors on WSUS Clients

You may have problems with WSUS clients that are not able to download updates from WSUS. Check the %SystemRoot%\WindowsUpdate.log file for the following error:

2009-03-27 11:55:29:193 1044 afc PT WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200

Resetting the client by clearing the SoftwareDistribution folder and forcing the Automatic Updates client to detect new updates results in the same error.

This is caused by a revision to the 'Office 2003 Service Pack 1' update. It results in some WSUS 3.0 servers entering an inconsistent state with respect to the update's approvals. When computers with products related to Office 2003 sync to a WSUS server with this revision, the web service is unable to process the approvals, resulting in the detection failure.

To fix this problem, approve and then decline the Office 2003 Service Pack 1 update in WSUS. Here are the steps to do this:

  • Open the WSUS Administration console

  • Find the Office 2003 Service Pack 1 update in the updates list. You may have to change the Approval and Status filters to find it. Set the Status to Any and the Approval to Declined. If you still don't see it then set the Approval to Any except Declined.

  • First, make sure the update is declined. If the update is not yet declined, right click on the update and decline it.

  • Next, approve the update. Right-click the update and select the Approve... option in the context menu. Click OK in the Approve Updates dialog that opens (no need to change any options here). Dismiss the Approval Progress dialog that appears.

  • Next, decline the update. Right-click the update and select Decline.

The computers that were failing detection will now successfully complete detection against the WSUS server and receive any applicable updates.

Note: If you have a hierarchy of WSUS servers, these steps must be performed on each server, starting with the top-level server. If one of the servers is a replica downstream server, you must first change it to be autonomous, then perform the steps above, then change it back to being a replica. This can be done from the Options/Update Source and Proxy Server Dialog in the WSUS Administration console.

Also, take a look at KB 954960 - Some computers do not receive updates from the WSUS server. It includes a hotfix for WSUS 3.0 SP1 servers that prevents the problem from reoccurring.
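When more than a handful of clients are involved it helps to confirm the symptom from the log rather than by hand. The following is an added example (not from the original post) that parses WindowsUpdate.log for the SyncUpdates failure line quoted above and summarises how often and when it occurred; the sample lines it runs on are constructed for the demonstration, the first one being the line from the post.

```powershell
# Added example, not from the original post. Detects "SyncUpdates failure" lines carrying
# a given error code (default 0x8024400E) and summarises them.
function Find-WsusSyncFailure {
    param(
        [string[]]$Lines,
        [string]$ErrorCode = '0x8024400E'
    )
    $pattern = '^(?<ts>\S+ \S+)\s+\d+\s+\w+\s+PT\s+WARNING: SyncUpdates failure, error = (?<err>0x[0-9A-Fa-f]+), ' +
               'soap client error = (?<sce>\d+), soap error code = (?<sec>\d+), HTTP status code = (?<http>\d+)'
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern -and $Matches['err'] -ieq $ErrorCode) {
            [PSCustomObject]@{
                Time            = $Matches['ts']
                Error           = $Matches['err']
                SoapClientError = [int]$Matches['sce']
                SoapErrorCode   = [int]$Matches['sec']
                HttpStatus      = [int]$Matches['http']
            }
        }
    }
    if (-not $hits) { return $null }
    [PSCustomObject]@{
        Count = @($hits).Count
        First = @($hits)[0].Time
        Last  = @($hits)[-1].Time
        Hits  = @($hits)
    }
}

# Constructed sample log lines (the first is the line quoted in the post)
$sample = @(
    '2009-03-27 11:55:29:193 1044 afc PT WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200',
    '2009-03-27 11:55:30:005 1044 afc Agent   * Found 0 updates and 0 categories in search',
    '2009-03-27 12:20:01:010 1044 afc PT WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200'
)
Find-WsusSyncFailure -Lines $sample | Format-List Count, First, Last

# On a real client:
# Find-WsusSyncFailure -Lines (Get-Content (Join-Path $env:SystemRoot 'WindowsUpdate.log'))
```

On the constructed sample the summary shows two hits, the first at 11:55:29 and the last at 12:20:01; a non-empty result after the approve/decline fix has been applied means the client has not yet re-detected, or the fix was not applied on every server in the hierarchy.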


Friday, March 27, 2009

Exchange Server Remote Connectivity Analyzer

More Exchange 2007 goodness from the Microsoft Exchange Team!

Have you ever installed an Exchange server and wanted to verify your Internet-facing services were set up and configured properly? Things like Exchange ActiveSync, AutoDiscover, Outlook Anywhere (RPC/HTTP), and inbound email. Sure, there are cmdlets included in Exchange 2007 like test-ActivesyncConnectivity and test-OWAConnectivity, but these tests can only be run inside your network and effectively only test your internal network connectivity. Or what if you get a call or an escalation regarding one of these services not working? How do you verify if just this user or everyone has a problem? And if there is a problem, where do you start troubleshooting? Is it a DNS problem? Is it a certificate problem? Is a port not open on the firewall?

I'd like to introduce you to the Exchange Remote Connectivity Analyzer (ExRCA) tool which can be accessed at

In this version, the tool will allow you to remotely test the following client types and services:

Exchange ActiveSync

  • Windows Mobile 5, 3rd party devices

  • Windows Mobile 6.1+ with AutoDiscover

Outlook Anywhere (aka RPC/HTTP)

  • Outlook 2003

  • Outlook 2007 with AutoDiscover

Inbound SMTP

The tool will simulate the protocol logic used by the specific client and not only tell you if the scenario was successful, but if it fails, it will tell you exactly where in the process it failed as well as try to guide you to the problem resolution.

Read more about the tool and how it works here!


Thursday, March 26, 2009

Breaking the Artificial Database Size Limit in Exchange 2007 Standard Edition

Exchange Server 2007 has a theoretically unlimited database storage capacity. In reality the limit is 16TB, and this limit is the same in both Standard and Enterprise editions. The storage differences between these two editions have to do with the maximum number of storage groups and databases that can be placed on each server.

Exchange 2007 Standard Edition:
Storage Group – up to 5, Database per SG – up to 5, Database limit – 16 TB.

Exchange 2007 Enterprise Edition:
Storage Group – up to 50, Database per SG – up to 50, Database limit – 16 TB.

Even though E2K7 Standard has a hard 16TB database size limit, there is an artificial limit imposed in the registry. The default cap in RTM is 50GB and the default cap in SP1 is 150GB. Here's how to change this artificial limit:

  • Open RegEdit and navigate to:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\servername\Private-{respective-DB-GUID}

  • Create a new DWORD value "Database Size Limit in Gb"

  • Assign its decimal value (in GB). For example, enter decimal 200 for a 200GB artificial limit.

  • Restart the Microsoft Exchange Information Store service

Note: E2K7 Enterprise Edition does not have an artificial limit.

Note: If the Exchange Server Best Practices Analyzer (ExBPA) finds that the Database Size Limit in Gb value is present and configured, the Exchange Server Analyzer displays a non-default configuration message.
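As an added example (not from the original post), here is a PowerShell pair of functions that lists the "Database Size Limit in Gb" value for every Private-{GUID} database key under the MSExchangeIS service key named above, and sets it for one database. The server-name subkey is discovered rather than hard-coded.

```powershell
# Added example, not from the original post. Run on the mailbox server in an elevated shell.
$IsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS'
$LimitValueName = 'Database Size Limit in Gb'

function Get-MailboxDatabaseSizeLimit {
    # Walks MSExchangeIS\<servername>\Private-{GUID} and reports the configured cap
    foreach ($serverKey in Get-ChildItem -Path $IsKey -ErrorAction Stop) {
        $dbKeys = Get-ChildItem -Path $serverKey.PSPath | Where-Object { $_.PSChildName -like 'Private-*' }
        foreach ($dbKey in $dbKeys) {
            $limit = (Get-ItemProperty -Path $dbKey.PSPath -Name $LimitValueName -ErrorAction SilentlyContinue).$LimitValueName
            if ($null -eq $limit) { $display = 'default (not set)' } else { $display = "$limit GB" }
            [PSCustomObject]@{
                Server   = $serverKey.PSChildName
                Database = $dbKey.PSChildName
                Limit    = $display
                KeyPath  = $dbKey.PSPath
            }
        }
    }
}

function Set-MailboxDatabaseSizeLimit {
    # $KeyPath is the KeyPath reported by Get-MailboxDatabaseSizeLimit; $LimitGb is decimal GB
    param([Parameter(Mandatory = $true)][string]$KeyPath, [Parameter(Mandatory = $true)][int]$LimitGb)
    New-ItemProperty -Path $KeyPath -Name $LimitValueName -PropertyType DWord -Value $LimitGb -Force | Out-Null
    "Set $LimitValueName = $LimitGb on $KeyPath; restart the Microsoft Exchange Information Store service to apply it"
}

Get-MailboxDatabaseSizeLimit | Format-Table Server, Database, Limit -AutoSize
# Example: Set-MailboxDatabaseSizeLimit -KeyPath (Get-MailboxDatabaseSizeLimit)[0].KeyPath -LimitGb 200
```

Listing first avoids the classic mistake of creating the value under the wrong GUID; the Limit column also makes it obvious which databases are still on the edition default and therefore one growth spurt away from dismounting.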


Wednesday, March 25, 2009

How to Invoke the Windows Update Dialog from the Command Line

To run the Windows Update client from the command line, run the command WUAUCLT /ShowWU.

This is useful when the Windows Update icon disappears when you click it. Typically, this means that the Windows Update client is corrupt. When you run wuauclt /ShowWU on these machines, it will bring up the Windows Update dialog box above, but it will show some type of error indicating that it could not download updates. Installing the current Windows Update client will fix this.

You can download the latest Windows Update client (7.2.6001.788) from these locations:


Wednesday, March 18, 2009

How To Enable Change Notification On All Site Links

Normally, there are two replication intervals for Active Directory in a Windows domain: Intra-site (replication between DCs in the same site) and Inter-site (replication between DCs in different Active Directory sites).

Intra-site replication is very fast - typically around 15 seconds. This schedule can be configured via the registry using the following values in the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key:

Replicator notify pause after modify (secs): a REG_DWORD value, 15 by default

Replicator notify pause between DSAs (secs): a REG_DWORD value, 3 by default

See Microsoft TechNet (Active Directory Replication Tools and Settings) for a thorough explanation of what these values do.

Inter-site replication is dictated by the schedule associated with the replication connection in Active Directory Sites and Services. Using this GUI you can specify that the connection never replicates, or replicates once, twice or four times per hour.

Note: The inter-site replication schedule runs based on the server startup time. For example, if the DC starts up at 12:10pm and the replication connector's schedule is set to twice per hour, replication on this connector will occur at 12:10pm, 12:40pm, etc.

But what if you want inter-site replication to occur more frequently than every 15 minutes? For this, you must enable Change Notification on the Active Directory site link. How you do this depends on which OS is on your DC.

For Windows 2003 Domain Controllers:

  • Open ADSIEdit.msc (in the Windows Support Tools) as a Domain Admin

  • Open the Configuration naming context

  • Navigate to Sites > Inter-Site Transports > IP

  • Right-click the siteLink to modify in the results pane and click Properties

  • Locate the options attribute and set the value to 1

  • Click OK and repeat for other siteLinks, as necessary.

For Windows 2008 and Windows 2008 R2 Domain Controllers:

You can use the same method as Windows Server 2003 DCs or you can edit the values directly from AD Sites and Services, as follows.

  • Locate the Site Link to modify in AD Sites and Services

  • Right-click the Site Link and choose Properties

  • Click the Attribute Editor tab

  • Locate the options attribute and set the value to 1

  • Click OK and repeat for other Site Links, as necessary.

I also wrote two VBScripts for displaying and configuring Change Notification:

  • DisplayChangeNotification.vbs displays the current value of the options attribute on each site link in the Active Directory domain where it is run.

  • EnableChangeNotification.vbs will enable Change Notification on all site links in the Active Directory domain where it is run by changing the options value to 1.

Both scripts are in the file, located here.
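As an added PowerShell equivalent of the two VBScripts (not the author's scripts), the block below displays the options attribute of every IP site link and enables Change Notification where it is off. It uses ADSI and System.DirectoryServices, so it works against 2003-era domains without the ActiveDirectory module. One difference from simply writing 1 is called out in the code: options is a bit field, so the 0x1 bit is OR-ed in and any other bits already set on the link are preserved.

```powershell
# Added example, not the author's DisplayChangeNotification.vbs / EnableChangeNotification.vbs.
# siteLink options bits: 0x1 = USE_NOTIFY (change notification), 0x2 = TWOWAY_SYNC,
# 0x4 = DISABLE_COMPRESSION. Run as a Domain Admin (Enterprise Admin for the Configuration NC).
$UseNotify = 1

function Get-IpSiteLink {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
    $searcher.Filter = '(objectClass=siteLink)'
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('options')
    foreach ($result in $searcher.FindAll()) {
        $options = 0
        if ($result.Properties['options'].Count -gt 0) { $options = [int]$result.Properties['options'][0] }
        [PSCustomObject]@{
            Name               = [string]$result.Properties['name'][0]
            Options            = $options
            ChangeNotification = (($options -band $UseNotify) -ne 0)
            Path               = $result.Path
        }
    }
}

function Enable-ChangeNotification {
    # -WhatIf only reports what would change
    param([switch]$WhatIf)
    foreach ($link in Get-IpSiteLink) {
        if ($link.ChangeNotification) { continue }
        $newOptions = $link.Options -bor $UseNotify      # keep any other bits already set
        if ($WhatIf) { "Would change options on '$($link.Name)' from $($link.Options) to $newOptions"; continue }
        $entry = [ADSI]$link.Path
        $entry.Put('options', $newOptions)
        $entry.SetInfo()
        "Changed options on '$($link.Name)' from $($link.Options) to $newOptions"
    }
}

Get-IpSiteLink | Format-Table Name, Options, ChangeNotification -AutoSize
Enable-ChangeNotification -WhatIf     # preview; run without -WhatIf to apply
```

Run the display function again after enabling to confirm every link now reports ChangeNotification = True, and remember that the change itself replicates through the Configuration partition before the other bridgeheads honour it.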


Thursday, March 5, 2009

Changing the Default Users and Computers Containers in AD

In Active Directory, the default container for user objects is the Users container and the default container for computer objects is the Computers container.

If you create user or computer objects programmatically and do not specify a target OU, the objects will be created in their default container. Also, whenever you join a new computer to the domain the computer object will always be created in the default Computers container, unless you pre-stage the computer object in an OU.

It's important to note that the Computers and Users containers are just that, containers. They are not OUs. Consequently, you cannot apply Group Policy objects directly to these containers. These containers will, however, inherit GPOs from parent objects, such as the Default Domain Policy.

A lot of my customers have large OU structures where user and computer objects are always placed in specific OUs so that the objects get the correct GPOs. Typically, the default Users and Computers containers are empty for these customers. Even so, user or computer objects will sometimes be created in the default containers for various reasons. This can cause problems for these objects because GPOs are not applied correctly.

Here's how to change the default container that Active Directory will use for new user and computer objects:

  • Log into a Domain Controller (Windows Server 2003, 2008 or 2008 R2) as a Domain Admin
  • Open a CMD prompt
  • To change the default container for user objects, enter:

ReDirUsr Container-DN

where Container-DN is the distinguished name of the container that will become the default location for newly created user objects.

For example:

ReDirUsr "OU=Managed Users,DC=mydomain,DC=com"

  • To change the default container for computer objects, enter:

ReDirCmp Container-DN

where Container-DN is the distinguished name of the container that will become the default location for newly created computer objects.

For example:

ReDirCmp "OU=Managed Computers,DC=mydomain,DC=com"

Please note that the domain functional level must be at least Windows Server 2003 for these commands to work.
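To confirm that the redirection took effect, the current defaults can be read back from the domain's wellKnownObjects attribute, which is what ReDirUsr and ReDirCmp modify. The following is an added example (not from the original post); it assumes a System.DirectoryServices search returns each wellKnownObjects value as a DN-With-Binary string of the form B:32:<GUID>:<DN>, and the two GUIDs are the documented well-known GUIDs for the Users and Computers containers.

```powershell
# Added example, not from the original post. Reports the containers that new user and
# computer objects are created in by default. Run on a domain member as a domain user.
$WellKnownGuids = @{
    'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
    'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
}

function Get-DefaultContainer {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    [void]$searcher.PropertiesToLoad.Add('wellKnownObjects')
    $result = $searcher.FindOne()
    foreach ($entry in $result.Properties['wellknownobjects']) {
        # Assumed value format: B:32:<GUID>:<DN>; split into at most four parts so the DN keeps its colons
        $parts = ([string]$entry) -split ':', 4
        if ($parts.Count -ne 4) { continue }
        $guid = $parts[2].ToUpper()
        if ($WellKnownGuids.ContainsKey($guid)) {
            [PSCustomObject]@{ ObjectType = $WellKnownGuids[$guid]; DefaultContainer = $parts[3] }
        }
    }
}

Get-DefaultContainer | Format-Table -AutoSize
```

On Windows Server 2008 R2 the same information is exposed as the UsersContainer and ComputersContainer properties of Get-ADDomain in the ActiveDirectory module; the ADSI version above has the advantage of running anywhere the redirection commands themselves are supported.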


Tuesday, March 3, 2009

Add RunAs Functionality to Windows Server 2008 for All Users

You may be aware that Windows Server 2008 does not allow you to "Run As a Different User", only "Run As Administrator."

You may also be aware of ShellRunAs, by Sysinternals. ShellRunAs adds command-line RunAs functionality to the context menu of executable programs. Once installed using the command "ShellRunAs /reg", you can right-click on any program, select "Run as a different user," and enter the credentials of the user you want to run the program as.

This RunAs functionality allows you to log on to a server with low-level permissions and still run programs that require higher permissions, thereby keeping your server safe and happy.

The only problem with ShellRunAs is that it is a per user installation. That means that it needs to be "installed" for each user on the server. This is because "ShellRunAs /reg" actually updates the registry for the current user (HKCU) hive. This can be a real problem for servers where a lot of different people logon, such as a Terminal Server.

So how do you provide this functionality for all users on the server? Read on to find out how.

  • Download ShellRunAs from Sysinternals and extract ShellRunAs.exe to %SystemRoot%\System32

  • Use Notepad to create a reg file called ShellRunAs.reg with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

  • Finally, double-click the ShellRunAs.reg file to import it into the registry.

Now right-click an application or program and you will see the new "Run as a different user" menu option. Best of all, it will work for all users on the server without having to register it for each user.

Note: When a user selects Run as a different user for the first time, they will have to accept the end user license agreement. This only happens once because the EULA acceptance is written to the HKCU hive for each user.

By the way, this Run as a different user and Run as Administrator functionality is native in Windows Server 2008 R2.
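The same three verbs can be registered from PowerShell, which avoids hard-coding C:\Windows and lets you verify the result. This is an added example, not the post's .reg file; the verb name matches the .reg file above and the executable is expected at %SystemRoot%\System32\ShellRunAs.exe as in the first step.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$Exe  = Join-Path $env:SystemRoot 'System32\ShellRunAs.exe'
$Verb = 'Run as different user...'
$Classes = @(
    'HKLM:\Software\Classes\lnkfile',
    'HKLM:\Software\Classes\SystemFileAssociations\.exe',
    'HKLM:\Software\Classes\SystemFileAssociations\.msc'
)

function Register-ShellRunAsVerb {
    # Refuse to register a verb pointing at a file that is not there: a dangling command
    # value is an invitation for something else to be dropped at that path later.
    if (-not (Test-Path $Exe)) { throw "ShellRunAs.exe not found at $Exe" }
    foreach ($class in $Classes) {
        $cmdKey = Join-Path $class "Shell\$Verb\Command"
        New-Item -Path $cmdKey -Force | Out-Null
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$Exe`" `"%1`" %*"
    }
}

function Test-ShellRunAsVerb {
    foreach ($class in $Classes) {
        $cmdKey = Join-Path $class "Shell\$Verb\Command"
        [PSCustomObject]@{
            Class   = $class
            Command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

Register-ShellRunAsVerb
Test-ShellRunAsVerb | Format-Table -AutoSize
```

Because the keys live under HKLM, only administrators can change them, and because the command points into System32 (also admin-writable only), a standard user cannot redirect the verb to a different binary.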


Monday, February 23, 2009

Fix for Paused-Critical Virtual Machine State

Your Hyper-V virtual machines may be happily running along, when suddenly they go into a "Virtual machine state : Paused-Critical" condition. If you resume them, they run for a few seconds and then pause again.

This happens when the volume hosting your dynamically expanding VHDs runs low on disk space.

Either free up space on the host volume, move one or more VHDs to another volume with sufficient space, or free space in the child partition and compact the VHD.
To compact a Hyper-V VHD, shut down the virtual machine and open its Settings. Select the VHD and click the Edit button. Select Compact > Next > Finish.

Ben Armstrong also has an excellent article explaining how to compact a VHD file using PowerShell or VBScript.
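Since the cause is the host volume running out of room, a periodic report of VHD sizes against free space on their volumes catches the problem before VMs pause. The following is an added example (not from the original post or Ben Armstrong's article); it takes the folder that holds your VHDs as a parameter and assumes the VHDs are on local volumes with drive letters.

```powershell
# Added example, not from the original post. Usage: Get-VhdSpaceReport -Path 'D:\Hyper-V'
function Get-VhdSpaceReport {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # folder containing the VHDs (searched recursively)
        [int]$WarnPercentFree = 10                      # flag volumes with less free space than this
    )
    $volumes = @{}   # cache one Win32_LogicalDisk lookup per drive letter
    foreach ($vhd in Get-ChildItem -Path $Path -Recurse -Include *.vhd -ErrorAction SilentlyContinue) {
        $drive = $vhd.FullName.Substring(0, 2)          # e.g. "D:" (local volumes only)
        if (-not $volumes.ContainsKey($drive)) {
            $volumes[$drive] = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
        }
        $disk = $volumes[$drive]
        if ($disk.Size) { $pctFree = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1) } else { $pctFree = 0 }
        [PSCustomObject]@{
            Vhd         = $vhd.FullName
            VhdGB       = [math]::Round($vhd.Length / 1GB, 1)
            Volume      = $drive
            FreeGB      = [math]::Round($disk.FreeSpace / 1GB, 1)
            PercentFree = $pctFree
            Warning     = ($pctFree -lt $WarnPercentFree)
        }
    }
}

Get-VhdSpaceReport -Path 'D:\Hyper-V' | Format-Table Vhd, VhdGB, Volume, FreeGB, PercentFree, Warning -AutoSize
```

Dynamically expanding VHDs grow toward their configured maximum, so a volume whose VHDs' maximum sizes add up to more than its capacity will eventually hit this condition no matter how much free space it shows today; the report's VhdGB column only shows current size, which is the number that matters for the immediate pause.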


Sunday, February 22, 2009

Windows 2008 Default Background Colors

Have you ever changed the default Windows Server 2008 desktop color and wanted to change it back? The bluish-green color is not shown in the default palette, so you have to enter the RGB values manually.

Red = 29
Blue = 95
Green = 122

While I'm at it, here is the formula for the cool smokey blue background for Windows PowerShell 2:

Red = 1
Blue = 36
Green = 86


Friday, February 13, 2009

Windows 7 Problem Steps Recorder

Here's a 4-1/2 minute video by Keith Combs showing a great new feature in Windows 7, the Problem Steps Recorder, or PSR.

PSR allows end users to record the actions they took to produce a problem.

The user enters PSR in the start menu, clicks Record, and then performs the steps to produce the problem. When the user clicks Stop Record, they can optionally enter comments and save the recording to a single ZIP file. Then they email it to the support staff.

The ZIP file contains an MHT file with screen shots and written actions that documents everything the user typed or clicked during the recording session.

This will be very useful for help desk and support staff in corporate environments, not to mention all those calls I get from my parents.


Wednesday, February 4, 2009

How to Configure the Filter Limit in ADSIEdit

When viewing a container with a large number of items in ADSIEdit, you may receive the following error:

There are too many items in the folder DC=xxxxxx. Please refine the query parameters or increase the maximum number of items per folder.

The default filter for each container is 10,000 items. To increase the filter, select the parent naming context (Domain, Configuration, Schema, etc.) and click View > Filter in the menu bar. Then enter an appropriate value.


Monday, January 26, 2009

How to Disable Subnet Prioritization

Windows uses a scheme called "subnet prioritization" to attempt to reduce network traffic by re-ordering DNS round-robin records so that the records that are "closest" to the host are the only records used.

For example, suppose there are three A records for the same name in DNS, One with IP, one with, and one with

If a Windows client with the IPv4 address of performs a DNS query for, subnet prioritization will re-order the IP addresses so that it will always use the address.

Subnet prioritization is enabled by default in both the Windows DNS server and the DNS client.

DNS server subnet prioritization (AKA, netmask ordering) can be demonstrated using the Windows NSLOOKUP command. Repeated lookups of from the client always give the same results:



Here, the DNS server is reordering the IP addresses, based on the requestor's IP address. If true DNS round-robin is working, the records would rotate in a (A, B, C), (B, C, A), (C, A, B) fashion. Subnet prioritization obviously throws a wrench in round-robin DNS if you're using that as your load balancing or fault tolerance solution.

To disable subnet prioritization on DNS servers:
  • Open the DNS Management console

  • Navigate to the DNS server and open its properties

  • Click the Advanced tab

  • Uncheck Enable netmask ordering and check Enable round robin

  • Click OK

But this only solves half the problem because the Windows client will reorder the DNS results, too. Repeated nslookups will now show that the IP address for is rotating correctly, but pinging from the client will still always resolve to You must still disable subnet prioritization on the client.

To disable subnet prioritization on Windows DNS clients:

  • Run Regedit

  • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

  • Click Edit > New > DWORD Value

  • Name the new value PrioritizeRecordData (its value data will be 0)

  • Close Regedit

Note: Both of these changes go into effect immediately. There is no need to restart services or the computers.


Monday, January 19, 2009

The Case of the Missing E-Mail Addresses Tab

Recently a customer came to me with a problem. One of his users was missing the E-mail Addresses tab on the user object in Active Directory.

The user had been sending and receiving email for months without a problem, and the other Exchange tabs in AD Users and Computers (Exchange General, Exchange Features, and Exchange Advanced) were present. Here's an example:

This happens because the Exchange Alias is missing and the Exchange Recipient Update Service (RUS) cannot update the email addresses. The fix for this is simple -- enter an Alias for the user on the Exchange General tab. Once you do this, the E-mail Addresses tab becomes visible, as shown below.


Thursday, January 15, 2009

How to Install a new Certificate on ISA 2004

If you use ISA 2004 to secure an SSL-enabled website such as Outlook Web Access (OWA), you need to install a web listener in ISA. This web listener intercepts (listens) for SSL web traffic destined for the HTTPS server.

Usually, you'll set this up when you configure your ISA server, but eventually the certificate you installed will expire and need to be replaced. This post describes how to do this.

In a nutshell, you have to install the certificate on the OWA server, configure IIS to use it, and then export it with the private key as a PFX file. Then you import the PFX file to the Personal store for the local computer on ISA. Just follow the bouncing ball...

First, you need to request and order a new SSL certificate. This can be done several ways, but usually ends with you getting an email from the certificate authority (e.g., Verisign) with your new certificate. The certificate is in the format of:


You simply need to copy and paste the certificate into Notepad and save it as something like C:\Webmail.cer. Be careful to only save the text between the BEGIN and END CERTIFICATE statements (including the leading and trailing dashes).

Now you need to import the certificate into IIS on the web server. Again, there are several ways to do this depending on how you ordered your cert, but this should work every time:

  • Click Start > Run and enter MMC
  • Click File > Add/Remove Snap-in and add the Certificates snap-in
  • Select Computer account > Next > Finish > OK
  • Now you should see the Certificates MMC for the local computer, as shown here:
  • Expand Certificates (Local Computer) > Personal
  • Right-click Personal and select All Tasks > Import
  • Browse to the C:\Webmail.cer file you saved earlier
  • Click Next to store it in the Personal store and Finish to complete the import
  • Don't close the Certificates MMC yet. You'll need it later in this process.

Next, you need to tell IIS to use the new certificate.

  • Open IIS Manager and navigate to the Default Web Site that uses SSL
  • In IIS 6, view the properties of the web site and click the Directory Security tab. Then click Server Certificate, Next and Replace the Current Certificate. Select the new cert you imported and complete the wizard.
  • In IIS 7, click Bindings and edit HTTPS. Then select the new cert you imported and close the Site Bindings window and IIS Manager.

Now that IIS is using the new certificate on the OWA server, you need to export the cert and its private key to import on the ISA server.

  • Now go back to the Certificates MMC and click refresh on Certificates in the Personal store
  • Select the certificate you imported
  • Right-click the certificate and select All Tasks > Export
  • Click Next and choose Yes, export the private key
  • Click Next twice and enter a password for the exported file.
  • Complete the wizard, saving the PFX file in a temporary location
  • Copy the PFX file to your ISA 2004 server

Next, we import the certificate into ISA and configure the ISA listener.

  • On the ISA server, double-click the PFX file you exported
  • Follow the Certificate Import Wizard and place the file in the computer's Personal store
  • Now open the ISA Server Management Console
  • Select the Firewall Policy
  • Click the Toolbox tab on the right and expand Web Listeners
  • Double-click the web listener you want to update to edit it
  • Click the Preferences tab and click Select
  • Select the new certificate and close the listener properties
  • Apply the ISA changes

Finally, you're done!!!


Tuesday, January 13, 2009

Editing the 32-bit Registry on a 64-bit computer

or: How to Stop Worrying and Learn to Love Wow6432Node *

Have you ever edited the registry on a 64-bit computer, but the changes don't seem to go into effect? This usually happens with a 32-bit application (often a 32-bit COM app). Here's why:

Windows normally uses the HKEY_LOCAL_MACHINE\SOFTWARE subkey for 32-bit applications that run on a 64-bit version of the operating system. But when a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE\ subkey, the application reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ subkey. A "registry reflector" copies certain values between the 32-bit and 64-bit registry views and resolves any conflicts using a "last writer wins" approach.

So if your 32-bit application is not reading the registry correctly (often because you're enforcing a setting through Group Policy), ensure the setting is being written to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ subkey on 64-bit computers.


Tuesday, December 23, 2008

How to Modify the All Users Startup Menu

As you no doubt know, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 have modified the locations for user profiles. They are no longer in %SystemDrive%\Documents and Settings and exist in the %ProgramData%\Users folder.

However, to modify the All Users profile to add a shortcut to the Startup menu you actually need to access the %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup folder.

See Peter Fitzsimon's blog for all the gory details.


Monday, December 15, 2008

Incorrect userAccountControl Attribute value causes error in DCDIAG

When you run DCDIAG for a domain controller you may see the following error reported:

Starting test: MachineAccount
Checking machine account for DC MYDC01 on DC MYDC01.
Warning: Attribute userAccountControl of MYDC01 is: 0x82020 = ( UF_PASSWD_NOTREQD , UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
......................... MYDC01 passed test MachineAccount

This typically occurs when the computer account was pre-staged in Active Directory before the computer was joined to the domain. It also may occur if you use the Active Directory Migration Tool (ADMT) to migrate to a new domain. When you do this, the 0x20 flag (UF_PASSWD_NOTREQD) is set in the userAccountControl attribute, indicating that the computer account does not require password changes. It really doesn't matter, as Windows will use a password (and change it every 30 days) regardless of this setting.

The error is still annoying, so here's how to fix it:
  • Open ADSIEdit.MSC (install the Support Tools if ADSIEdit is not installed)
  • Connect to the Domain naming context
  • Expand the domain and navigate to the Domain Controllers container
  • Select the problem Domain Controller
  • Right-click the Domain Controller and select Properties
  • Scroll to the userAccountControl attribute and click the Edit button
  • Change the decimal value to 532480 (0x82000 hex)
  • Click OK twice and close ADSIEdit

Wait for the change to replicate and re-run DCDIAG to confirm the error has cleared.
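The flag arithmetic behind this fix, as an added example that is not part of the original post: it decodes the value DCDIAG quotes, names the stray bit, and produces the decimal value ADSIEdit expects. The UF_* constants are the documented userAccountControl flag values.

```python
"""Decode the userAccountControl value DCDIAG reports and compute the fix.

Added example, not part of the original post. The UF_* bit values are
the documented userAccountControl flags; 0x82020 and 0x82000 are the
values quoted in the DCDIAG output above.
"""

# Documented userAccountControl bit flags (the ones relevant here plus a
# few common ones, so an unexpected bit on a DC account gets a name).
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "UF_ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "UF_PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "UF_NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "UF_SERVER_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_TRUSTED_FOR_DELEGATION: "UF_TRUSTED_FOR_DELEGATION",
}

# The value DCDIAG calls typical for a domain controller: 0x82000.
TYPICAL_DC_UAC = UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION


def decode(uac):
    """Return the names of the flags set in uac, lowest bit first.

    Bits without a name in FLAG_NAMES are reported as hex so that nothing
    is silently dropped.
    """
    names = []
    bit = 1
    while bit <= uac:
        if uac & bit:
            names.append(FLAG_NAMES.get(bit, hex(bit)))
        bit <<= 1
    return names


def stray_flags(uac, expected=TYPICAL_DC_UAC):
    """Flags set on the account that a DC is not expected to carry."""
    return decode(uac & ~expected)


def missing_flags(uac, expected=TYPICAL_DC_UAC):
    """Expected DC flags that are absent (a different, more serious problem)."""
    return decode(expected & ~uac)


def corrected_value(uac, expected=TYPICAL_DC_UAC):
    """Clear the stray bits and keep the expected ones, as the post's fix does."""
    return uac & expected


def adsiedit_value(uac):
    """ADSIEdit's attribute editor takes the decimal form of the value."""
    return str(uac)


def check_dc_account(uac):
    """Summarise one DC computer account the way DCDIAG's warning does."""
    return {
        "value": hex(uac),
        "flags": decode(uac),
        "stray": stray_flags(uac),
        "missing": missing_flags(uac),
        "corrected_decimal": adsiedit_value(corrected_value(uac)),
    }


if __name__ == "__main__":
    # The value from the DCDIAG output above (MYDC01).
    for key, val in check_dc_account(0x82020).items():
        print(f"{key:>18}: {val}")
```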


Monday, December 1, 2008

Stop Spamming Yourself!

We all knew that the huge decrease in spam that occurred after was shut down would be short-lived.

Recently, I've seen a large increase in the amount of spam to me apparently coming from me.

Note: Exchange 2003 and 2007 display the "from" address of these emails as the full SMTP address (i.e.,, rather than the resolved name (Jeff Guillet), to show that the email actually came from outside the company.
To stop spamming yourself, configure your SMTP gateway server to reject all external emails from your domain(s). Here's how to do this using the Exchange 2007 Edge Transport server:
  1. Open the Exchange Management Console (EMC) on the Exchange Edge Transport server

  2. Expand Microsoft Exchange and select Edge Transport

  3. Double-click Sender Filtering to open its properties

  4. Click the Blocked Senders tab and click Add

  5. Select Domain, enter your SMTP domain name, Include all subdomains, and click OK

  6. Click OK again to close the Sender Filtering Properties window

Now the Edge server will not accept non-authenticated emails from your domain to your domain. Note that this does not prevent external Windows Mobile or Outlook Express clients from sending email into your domain, as long as these users are authenticated.

You can use the following VB script to test the new settings:

'VBScript to test SMTP email
' Replace the two placeholder values below with your Edge Transport
' server name and your internal SMTP address.
CONST mailServer = "edge.example.com"
CONST emailAddress = "user@example.com"

Set objEmail = CreateObject("CDO.Message")
objEmail.From = emailAddress
objEmail.To = emailAddress
objEmail.Subject = "Test Message"
objEmail.Textbody = "This is a test message."
' Deliver over the network (cdoSendUsingPort = 2) to the Edge server on TCP port 25
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = mailServer
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
' If the Edge server rejects the message, Send raises a runtime error
' (shown by Windows Script Host) instead of the success message below
objEmail.Send
MsgBox "SMTP Email sent successfully to " & emailAddress, vbInformation, "TestSMTP"

Change the mailServer variable to use your Edge Transport server name and the emailAddress variable to use your internal SMTP address. The script will send SMTP email to the email address from the same email address.

Before Sender Filtering is enabled, the script will return a success message:

After Sender Filtering is enabled, the script will return a Sender Denied message:


Thursday, November 6, 2008

New Windows Update Client Available

Microsoft is releasing a new version of the Windows Automatic Update client, version 7.2.6001.788, for Windows XP, Vista, and Windows Server 2000, 2003 and 2008.

This update includes the same performance enhancements available in the last client:
  • Improves scan times for Windows Update
  • Improves the speed at which signature updates are delivered
  • Enables support for Windows Installer reinstallation functionality
  • Improves error messaging
This version also fixes a bug that limited the client to only downloading 80 updates at a time. This is important when trying to update an XP RTM computer, for example, since there are far more than 80 updates for this build.

The update will be slowly rolled out via Windows Update and WSUS over the next two months. You can also download the update directly from Microsoft here.

It may be important to know that Windows Update will automatically update the Windows Automatic Update client software, even if the computer is configured not to download automatic updates. The only way to prevent this is to completely turn off Automatic Updates (not recommended).


Friday, October 31, 2008

Cannot Add a Site to Trusted Sites

I ran into a weird problem today with a Windows Server 2003 SP2 server, where I could not add a site to the Trusted Sites zone. The error I got was, "There was an unexpected error with your zone settings. Unable to add this zone."

To fix the issue, enable Internet Explorer Enhanced Security Configuration in Add/Remove Windows Components, add the desired site to the Trusted Sites zone, and then disable Internet Explorer Enhanced Security Configuration again. That seems to fix the corruption in the Trusted Sites zone information. Future sites can then be added without issue.


Saturday, October 25, 2008

Getting Windows Mobile to Work with Exchange 2007 Using POP3/IMAP4 and SMTP (Part 2)

This is part 2 of my series, where I show you how to configure Windows Mobile to send and receive email from Exchange 2007 using IMAP4 and SMTP.

Part 1, where we configured Exchange 2007, can be read here.

Now that Exchange 2007 is configured, we need to configure a new email account in Windows Mobile. How you do this depends on the version of Windows Mobile on your device, but the essential steps are as follows:

  • Enter your email address and password to access the new account

  • Select Internet e-mail from the dropdown box for Your e-mail provider

  • Enter your name as you want it to appear to recipients and choose an account display name on the device (e.g., IMAP Email)

  • Enter the FQDN for the Exchange 2007 server that holds the Client Access (CAS) role (i.e., for the Incoming mail server.

  • Choose IMAP4 as the Account Type

  • Enter your account logon (domain\username) for the User Name and enter the network password

  • Enter the FQDN for the Exchange 2007 server that holds the Hub Transport role, followed by :587 (i.e., for the Outgoing (SMTP) mail server. See the figure above. If you don't follow the FQDN with :587, the Windows Mobile device will use the standard port 25 for SMTP communication.

  • Select Outgoing server requires authentication

  • Under Advanced Settings, select both the Require SSL for Incoming e-mail and Require SSL for Outgoing e-mail checkboxes to encrypt the traffic between the Windows Mobile device and Exchange 2007

  • Configure your Automatic Send/Receive schedule

Important Note: You must enter the FQDN:587 correctly the first time for the Outgoing (SMTP) mail server field. You cannot edit it later once you've clicked off that field -- if you do, Windows Mobile will still use port 25. This seems to be a bug in Windows Mobile 6.1 and may happen in other versions, as well. If you don't enter it correctly the first time, you will either need to cancel the setup wizard and start over again or delete the email account and recreate it.

Now test your new settings by synchronizing the mail account and test sending an email. If you get an error saying,

Message not sent. The message 'Test email' was not sent and has been moved to the Drafts folder. The server returned the following error message:

550 5.7.1 Unable to relay

It means that the Windows Mobile device is trying to send SMTP email over port 25 through your Exchange server to a remote address, which is relaying. Delete the account you just created and do it again, making sure to enter :587 after the FQDN of the SMTP server.

I hope this two-part series helps you get IMAP and SMTP working properly between Exchange 2007 and your Windows Mobile device!


Friday, October 24, 2008

Getting Windows Mobile to Work with Exchange 2007 Using POP3/IMAP4 and SMTP (Part 1)

This is the first of a two-part article that describes how to enable Windows Mobile devices to receive email from Exchange 2007 using IMAP4 and send email using SMTP.

As you probably know, Windows Mobile can only have one connection agreement with Exchange at a time. That means that if you want to access additional email accounts you must use POP3 or IMAP4 for incoming email and SMTP for outgoing email on your device.

In part 1, I will describe how to set up IMAP4 and SMTP client email submission in Exchange 2007. Part 2 will describe how to configure the Windows Mobile client.

Configuring IMAP4 in Exchange 2007
POP3 offers simple email retrieval services from a user's Inbox in Exchange. IMAP4 offers a few more extensive features, including access to all the folders in the user's mailbox. Neither of these services is enabled in Exchange 2007 by default. To enable POP3 or IMAP4 (usually one or the other), simply change the appropriate service from Manual to Automatic on your Exchange 2007 Client Access server (CAS) and then start it. In this article I will be using IMAP4 for Windows Mobile access.

The next step is to configure the logon authentication mechanism for IMAP4. I strongly recommend using TLS to secure logons so that usernames and passwords are not transmitted in plain text.
  • Open the Exchange Management Console (EMC)
  • Navigate to Server Configuration, Client Access and view the POP3 and IMAP4 properties of the CAS
  • Double-click the IMAP4 protocol and select the Authentication tab
  • Select Secure Logon. A TLS connection is required for the client to authenticate to the server.
  • Select the appropriate X.509 certificate to use and click OK to close the properties window

Configuring SMTP Client Submissions in Exchange 2007
Now we need to configure the Exchange 2007 Hub Transport (HT) server to accept inbound SMTP connections from clients.

  • Open the Exchange Management Console (EMC)
  • Navigate to Server Configuration, Hub Transport and select the HT server
  • Click New Receive Connector from the Action pane
  • Give the new Receive Connector a name such as "Mobile Clients"
  • Select Client as the intended use for this receive connector and click Next
  • Click Next to allow all remote networks to use this receive connector
  • Click New to create the new Receive Connector
  • Now open the properties of the Mobile Clients connector
  • Click the Network tab and notice that the port the connector uses is 587
  • Click the Authentication tab. Ensure that Transport Layer Security (TLS), Basic Authentication, Offer basic authentication only after starting TLS, and Integrated Windows Authentication are checked.
  • Click the Permissions Groups tab. Ensure that only Exchange users is checked and click OK to close the properties window.

Name Resolution and Port Forwarding
The FQDN of the CAS (i.e., and the HT server (i.e., must be resolvable from your Windows Mobile device on the Internet. The CAS must also accept IMAP4 requests and the HT must accept SMTP submissions from your Windows Mobile device. This may require you to configure port forwarding from your external firewall. You will need to forward TCP port 143 for IMAP4 to the CAS and port 587 for client SMTP message submission to the HT server.

Port 25 is fast becoming the port used exclusively for server to server SMTP traffic and port 587 is becoming the standard for client to server SMTP traffic.

So far, we have configured Exchange 2007 to allow secure IMAP4 and SMTP client access. In part 2 of this series I will discuss how to enable IMAP4 and SMTP access to Exchange from a Windows Mobile device.
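An added example, not part of either post, for checking that the connector configured above behaves the way the Windows Mobile client in Part 2 needs: connect to the HT server on port 587, compare the EHLO capabilities before and after STARTTLS, and confirm that Basic (LOGIN/PLAIN) authentication is only offered once TLS is up. The sample EHLO replies and the host name hub01.example.com are constructed placeholders, not captures from a real server.

```python
"""Check what an SMTP client-submission endpoint advertises before and after
STARTTLS: is TLS offered, and is Basic authentication held back until the
session is encrypted, as the receive connector settings above require?

Added example, not part of the original posts. probe() talks to a live
server; the EHLO replies below are constructed sample text in the shape
Exchange 2007 returns, not a capture. Host names are placeholders.
"""
import smtplib
import ssl

# Constructed sample EHLO replies (greeting line, then one capability per
# line), in the form smtplib returns them with the 250 codes stripped.
SAMPLE_EHLO_BEFORE_TLS = """hub01.example.com Hello [203.0.113.5]
SIZE 10485760
PIPELINING
STARTTLS
AUTH GSSAPI NTLM
8BITMIME
CHUNKING"""

SAMPLE_EHLO_AFTER_TLS = """hub01.example.com Hello [203.0.113.5]
SIZE 10485760
PIPELINING
AUTH GSSAPI NTLM LOGIN
8BITMIME
CHUNKING"""

# A weak configuration for comparison: no TLS, password auth in the clear.
SAMPLE_EHLO_WEAK = """relay.example.com Hello [203.0.113.5]
SIZE 10485760
AUTH LOGIN PLAIN
8BITMIME"""

CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}
ANY_AUTH = CLEARTEXT_MECHS | {"NTLM", "GSSAPI"}


def parse_ehlo(ehlo_text):
    """Return {KEYWORD: [PARAMS]} from an EHLO reply body (greeting skipped)."""
    caps = {}
    for line in ehlo_text.splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def auth_mechs(caps):
    return set(caps.get("AUTH", []))


def assess(caps_before, caps_after):
    """Return findings about the submission endpoint; an empty list means
    it matches the intended configuration.

    caps_after is None when STARTTLS was not offered, so no TLS EHLO ran.
    """
    findings = []
    if "STARTTLS" not in caps_before:
        findings.append("STARTTLS not offered: logons would cross the network in clear text")
    if auth_mechs(caps_before) & CLEARTEXT_MECHS:
        findings.append("Basic authentication (LOGIN/PLAIN) offered before TLS")
    if caps_after is not None and not (auth_mechs(caps_after) & ANY_AUTH):
        findings.append("no authentication offered after TLS: clients cannot submit")
    return findings


def probe(host, port=587, timeout=10):
    """Live check: EHLO, STARTTLS if offered, EHLO again.

    Returns the two capability sets for assess(). The second is None if the
    server did not offer STARTTLS.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        caps_before = parse_ehlo(reply.decode("ascii", "replace"))
        caps_after = None
        if "STARTTLS" in caps_before:
            smtp.starttls(context=ssl.create_default_context())
            _, reply = smtp.ehlo()
            caps_after = parse_ehlo(reply.decode("ascii", "replace"))
    return caps_before, caps_after


if __name__ == "__main__":
    before = parse_ehlo(SAMPLE_EHLO_BEFORE_TLS)
    after = parse_ehlo(SAMPLE_EHLO_AFTER_TLS)
    print("intended connector:", assess(before, after) or "no findings")
    print("weak connector    :", assess(parse_ehlo(SAMPLE_EHLO_WEAK), None))
```

Against a real HT server, `assess(*probe("hub01.example.com"))` runs the same checks on port 587; the 550 5.7.1 error in Part 2 comes from talking to port 25 instead, where this client connector is not listening.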


Monday, October 20, 2008

Fix for 0x8024400E Errors on WSUS Clients

I've seen this happen with two customers over the past few weeks, so I figure it might be prevalent enough to blog about it.

Some, but not all, WSUS clients begin to fail when checking for updates. The %windir%\WindowsUpdate.log file shows errors such as:

  • WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200

  • WARNING: PTError: 0x8024400e

  • WARNING: Failed to synchronize, error = 0x8024400E

  • WARNING: WU client failed Searching for update with error 0x8024400e

According to the Comprehensive List of WSUS Codes page hosted on this blog, the 0x8024400e error means "SUS_E_PT_SOAP_SERVER: The message was OK but server couldn't process at the moment. Same message *may* succeed at a later time." Huh? I already took a shower this morning! What's with this SOAP business?

The Fix:
This problem is due to a problem with a recent revision to the Office 2003 Service Pack 1 update on the WSUS server. It results in some WSUS 3.X servers syncing that revision to an inconsistent state. When computers with products related to Office 2003 communicate with one of these WSUS servers, the web service is unable to process the approvals, resulting in detection failure.

In order to reset the approvals to a consistent state on the WSUS server, follow these steps from the WSUS Administration Console:

  1. Find the 'Office 2003 Service Pack 1' update in the updates list. This may involve changing the Approval and Status filters in the update UI (set the Status to "Any" and the Approval to "Declined" -- if you don't see it then set the Approval to "Any except Declined").

  2. Perform the following steps:

    • First, make sure the update is declined. If the update is not yet declined, right-click on the update and decline it.

    • Next, approve the update:

      • Right-click on the update and select the 'Approve...' option in the context menu.

      • In the 'Approve Updates' dialog that opens, just click 'OK'. Dismiss the 'Approval Progress' dialog that appears.

    • Next, decline the update.

      • Right-click on the update and select the 'Approve...' option in the context menu.

      • In the 'Approve Updates' dialog that opens, just click 'OK'. Dismiss the 'Approval Progress' dialog that appears.

The computers that were failing detection will now successfully complete detection against the server and receive any applicable updates.

Note: If you have a hierarchy of WSUS servers, these steps must be performed on each server, starting with the top-level server. If one of the servers is a replica child, one must first change it to be autonomous, then perform the steps above, then change it back to being a replica. This can be done from the Options/Update Source and Proxy Server Dialog.


Thursday, October 9, 2008

Fix for Large Framework.log files

The WMI service maintains text log files for all operating systems earlier than Windows Vista and Windows Server 2008. These log files are stored in the %SystemRoot%\System32\WBEM\Logs folder. The log files include:

  • Wbemcore.log

  • Wbemess.log

  • Mofcomp.log

  • Wmiadap.log

  • Wbemprox.log

  • Framework.log

  • Winmgmt.log

Most of these log files are configured to automatically wrap every 64KB. When the log file reaches this limit, it is renamed to logfile.lo_ and a new log file is created. Unfortunately, this does not happen with the Framework.log file - it will continue to grow indefinitely. This came to light recently at a client site when the backup team noticed that this file was taking a very long time to back up on Exchange servers. The Framework.log files on these servers exceeded 800MB.

Microsoft wrote a TechNet support article, "The Framework.log file grows larger than 64 KB when you use WMI on a Windows Server 2003 or Windows XP computer," which explains that this is due to a permissions problem with the Network Service. As the article explains, the fix is to grant the Network Service account the Delete right on the %SystemRoot%\System32\WBEM\Logs folder.

Here's how to do this for all machines in the domain using Group Policy:

  1. Edit the appropriate Group Policy object for the managed computers. I used the Default Domain Policy.
  2. Navigate to Computer Configuration, Windows Settings, Security Settings, File System
  3. Right-click File System and select Add File...
  4. Navigate to the %SystemRoot%\System32\WBEM\Logs folder and click OK. A security window will appear.
  5. Add the LOCAL SERVICE and NETWORK SERVICE accounts, giving both accounts only Read and Write permissions.
  6. Click the Advanced button.
  7. Clear the "Inherit from parent the permission entries that apply to child objects" checkbox.
  8. Select the NETWORK SERVICE account and click Edit.
  9. Check Delete under the Allow column and click OK. Repeat for the LOCAL SERVICE account.
  10. Click OK four times to close all the dialog boxes.

The new security settings will be enforced on target computers on the next Group Policy refresh. After that, the large Framework.log file will be renamed to Framework.lo_ and a new Framework.log file will be created. Once that new logfile grows beyond 64KB it will replace the large file.


Monday, October 6, 2008

Fix for "Could not start the Automatic Updates service on local computer"

You may find that the Automatic Updates service on Windows XP is stopped with the following error:

Could not start the Automatic Updates service on local computer. Error 0x80004015: The class is configured to run as a security ID different from the caller.

This can happen when Windows XP clients attempt to start the Automatic Updates service and is due to a permissions issue. The quickest and the easiest solution would be to reset the permissions for the Automatic Updates service on the client and then start the service.

To display the current permissions of the Automatic Updates service and fix them:
  1. Click Start, Run and type “cmd” to launch the Command prompt
  2. From the command prompt, type: SC sdshow wuauserv
  3. Now, reset the permissions as follows from the command prompt (single line, wrapped for clarity):

We can now start the service and try to detect the Automatic Updates from the command prompt:

C:\>wuauclt.exe /detectnow

This should fix the problem.


Friday, September 26, 2008

How to Delegate the Right to Unlock User Accounts

In order to delegate the right to unlock locked user accounts to a user or group in Active Directory, you first need to make the right visible in Active Directory Users and Computers (ADUC).

The %windir%\System32\dssec.dat file contains all the rights attributes that can be exposed in ADUC. These rights attributes are grouped under headings surrounded by square brackets, such as [user] or [computer]. Each attribute is assigned a value (filter) as follows:

0 - Read and Write is exposed
1 - Write is exposed
2 - Read is exposed
7 - Hide the attribute

To modify the filter, open dssec.dat in Notepad. Find the lockoutTime attribute under the [user] heading. Be careful to select the [user] heading, as there's another lockoutTime attribute under [computer]. Change the value of the filter from 7 to 0 (lockoutTime=0) and save the changes.
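The dssec.dat edit above as an added example (not part of the original post): a Python function that changes lockoutTime under [user] only, leaving the [computer] entry alone. The file path is the one the post gives; the sample file content used in the test is constructed.

```python
"""Set the lockoutTime filter in dssec.dat under [user] only.

Added example, not part of the original post: it performs the Notepad
edit described above programmatically, scoped to the [user] section so
the lockoutTime entry under [computer] is left untouched. The sample
content in the test is constructed.
"""
import re

# Filter values dssec.dat uses for each attribute.
READ_WRITE, WRITE_ONLY, READ_ONLY, HIDDEN = 0, 1, 2, 7
DSSEC_PATH = r"C:\Windows\System32\dssec.dat"  # %windir%\System32\dssec.dat

_HEADER = re.compile(r"\s*\[(.+?)\]")
_ENTRY = re.compile(r"\s*([^=;\s]+)\s*=\s*(\d*)")


def set_filter(text, section, attribute, value):
    """Return the file text with attribute=value set inside [section].

    Matching is case-insensitive, only the named section is touched, and
    an attribute missing from that section is appended to it. Raises
    KeyError if the section itself does not exist.
    """
    target = section.lower()
    newline = "\r\n" if "\r\n" in text else "\n"
    current, seen, replaced, out = None, False, False, []
    for line in text.splitlines(keepends=True):
        header = _HEADER.match(line)
        if header:
            if current == target and not replaced:
                out.append(f"{attribute}={value}{newline}")  # leaving [section] without a hit
                replaced = True
            current = header.group(1).lower()
            seen = seen or current == target
        elif current == target and not replaced:
            entry = _ENTRY.match(line)
            if entry and entry.group(1).lower() == attribute.lower():
                eol = line[len(line.rstrip("\r\n")):]  # keep the file's line ending
                out.append(f"{entry.group(1)}={value}{eol}")  # keep the file's casing
                replaced = True
                continue
        out.append(line)
    if not seen:
        raise KeyError(f"section [{section}] not found in dssec.dat")
    if not replaced:  # [section] was the last one and had no such attribute
        if out and not out[-1].endswith("\n"):
            out[-1] += newline
        out.append(f"{attribute}={value}{newline}")
    return "".join(out)


def get_filter(text, section, attribute):
    """Return the filter value for attribute under [section], or None."""
    current = None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            current = header.group(1).lower()
            continue
        if current == section.lower():
            entry = _ENTRY.match(line)
            if entry and entry.group(1).lower() == attribute.lower() and entry.group(2):
                return int(entry.group(2))
    return None


def expose_lockout_time(text):
    """The post's edit: lockoutTime=7 -> lockoutTime=0 under [user]."""
    return set_filter(text, "user", "lockoutTime", READ_WRITE)


def update_file(path=DSSEC_PATH):
    """Apply expose_lockout_time() to the file in place; returns True if changed.

    Needs administrative rights on the machine where the delegation is done.
    """
    with open(path, "r", encoding="latin-1", newline="") as fh:
        original = fh.read()
    updated = expose_lockout_time(original)
    if updated != original:
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(updated)
    return updated != original


if __name__ == "__main__":
    sample = "[user]\r\nlockoutTime=7\r\n[computer]\r\nlockoutTime=7\r\n"  # constructed
    print(expose_lockout_time(sample))
```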

To delegate the right to unlock user accounts in ADUC:
  1. Right-click the OU or domain in Active Directory Users and Computers and select Delegate Control from the context menu
  2. Click Next on the Welcome dialog
  3. Click Add to select the user or group and click OK
  4. Click Next
  5. Select Create a custom task to delegate and click Next
  6. Select Only the following objects in the folder. In the list, check User objects and click Next
  7. Clear the General checkbox and check the Property-specific box
  8. Check both the Read lockoutTime and Write lockoutTime boxes and press Next
  9. Click Finish

Note: You only need to edit the dssec.dat file on the computer where you are performing the delegation. You do not need to modify it from any other machine, including the one where the user administration will occur.


Sunday, September 21, 2008

Getting NumLock to Stick

Here's a tip on how to get the Num Lock key to stay on (or off) every time a user logs on.

Simply set the NumLock key to the desired status (on or off), press Ctrl-Alt-Delete (Ctrl-Alt-End in a Hyper-V guest, Ctrl-Alt-Ins in a VMware guest), and select Log off.

This will set the HKEY_CURRENT_USER\Control Panel\Keyboard\InitialKeyboardIndicators to 0 (OFF) or 2 (ON), depending on your preference. The next time you logon, the NumLock setting will stick.


Friday, August 29, 2008

Fallback Printer Drivers in RDP and Terminal Server Sessions

Microsoft Remote Desktop Connection provides the ability for users to use the printers installed on their local computer within a Terminal Server session. This behavior is enabled by default, and can be changed in MSTSC (the Remote Desktop Connection client) in Options, Local Resources tab, Printers.

In order for this to work, a printer driver must be installed on the Terminal Server that matches the driver installed on the local computer. This is problematic, since you can't always be sure which printer is installed on connecting computers. If there is no matching printer driver on the server, the user will be unable to print to that printer within the RDP session. You will also see an error in the System Event Log similar to the following when the user logs into the Terminal Server:

Event Type: Error
Event Source: TermServDevices
Event Category: None
Event ID: 1111
Date: 7/8/2008
Time: 12:51:15 PM
User: N/A
Computer: HOFS01
Driver HP LaserJet 4250 PCL 5e required for printer !!SERVER1! NetPrinter2 is unknown. Contact the administrator to install the driver before you log in again.

To handle this issue without having to install tons of drivers on your server, you can tell the server to use a "fallback printer driver." If the exact driver is not installed, the server will offer a fallback PCL or PS driver (or both) to use instead. This is configured in Group Policy as shown below. Note that this requires Windows Server 2003 SP1 or later.

For Windows Server 2003, open Group Policy and navigate to Computer Settings, Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server data redirection, and configure the Configure Terminal Server Fallback Printer Driver Behavior option.

For Windows Server 2008, open Group Policy and navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, Terminal Services, Terminal Server, Printer Redirection and configure the Specify Terminal Server Fallback Printer Driver Behavior option.

Configure the Terminal Server Fallback Printer Driver Behavior to Enabled, Show both PCL and PS if one is not found, as shown below.

When a client logs into the Terminal Server, you will now see the following event in the System Event Log and the client will be able to use their printer.


Friday, August 22, 2008

How to Determine if a PST is ANSI or Unicode

PSTs created in Outlook 2002 and earlier versions are saved in ANSI format, which has a 2.1GB limit. Outlook 2003 and later offer both ANSI and Unicode formats for PST creation. Unicode PSTs have a theoretical 36TB limit which makes them a better choice, providing that backward compatibility is not an issue.

So how can you tell if a PST is in ANSI or Unicode format?

One way is to download a free utility called ListPSTs from You run this utility from the command line against the file or folder that contains the PST(s). The output displays the format of the PST files, as shown above.

Another way to tell without having to use a separate utility is by viewing the properties of the PST from within Outlook, itself. When you add the PST to Outlook, pay attention to the Format field of the PST, as shown below:

Unicode formatted PSTs will display the format, "Personal Folders File". ANSI formatted PSTs will display the format, "Personal Folders File (Outlook 97-2002)".
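A third way, added here and not part of the original post: read the PST file header, whose 16-bit wVer field at byte offset 10 (per Microsoft's MS-PST specification) is 14 or 15 for an ANSI file and 23 for a Unicode file. The sample headers built in the code are constructed for testing, not real PST files.

```python
"""Tell an ANSI PST from a Unicode PST by reading the file header.

Added example, not part of the original post (which uses the ListPSTs
utility or the Outlook UI). It relies on the header layout documented in
Microsoft's MS-PST specification: the file begins with the magic bytes
"!BDN", and the 16-bit wVer field at byte offset 10 is 14 or 15 for an
ANSI file and 23 for a Unicode file. make_sample_header() builds
constructed headers for testing only.
"""
import struct
from pathlib import Path

PST_MAGIC = b"!BDN"        # dwMagic 0x4E444221, stored little-endian
WVER_OFFSET = 10           # dwMagic(4) + dwCRCPartial(4) + wMagicClient(2)
HEADER_BYTES = WVER_OFFSET + 2
ANSI_VERSIONS = {14, 15}
UNICODE_VERSION = 23


def pst_format_from_header(header):
    """Return "ANSI" or "Unicode" for the first bytes of a PST file.

    Raises ValueError for a short buffer, a non-PST file, or a wVer that
    the two formats above do not cover (reported rather than guessed).
    """
    if len(header) < HEADER_BYTES:
        raise ValueError("file too short to be a PST")
    if header[:4] != PST_MAGIC:
        raise ValueError("not a PST file (magic bytes missing)")
    (wver,) = struct.unpack_from("<H", header, WVER_OFFSET)
    if wver in ANSI_VERSIONS:
        return "ANSI"
    if wver == UNICODE_VERSION:
        return "Unicode"
    raise ValueError(f"unrecognised PST wVer {wver}")


def pst_format(path):
    """Read only the header of the file at path and classify it."""
    with open(path, "rb") as fh:
        return pst_format_from_header(fh.read(HEADER_BYTES))


def scan_folder(folder):
    """Classify every .pst directly under folder, the way ListPSTs reports them."""
    report = {}
    for path in sorted(Path(folder).glob("*.pst")):
        try:
            report[path.name] = pst_format(path)
        except (OSError, ValueError) as exc:
            report[path.name] = f"error: {exc}"
    return report


def make_sample_header(wver):
    """Constructed 12-byte header: magic, CRC placeholder, 'SM' client magic, wVer."""
    return PST_MAGIC + b"\x00\x00\x00\x00" + b"SM" + struct.pack("<H", wver)


if __name__ == "__main__":
    for ver in (14, 23):
        print(f"wVer {ver}: {pst_format_from_header(make_sample_header(ver))}")
```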

Labels: , , , , ,

Subscribe in a reader Subscribe by Email

Tuesday, August 19, 2008

How to Configure the SCL in Exchange

Recently I was asked what the proper Spam Confidence Level (SCL) should be for an Exchange 2007 installation. The answer is the ever-popular, "it depends."

The SCL is a value that Exchange assigns to each incoming SMTP email and is based on Microsoft's SmartScreen technology. This score determines how likely Exchange thinks an email message is spam. A rating of 0 means the message is not likely spam and a rating of 9 means the message is most likely spam.

SmartScreen is a "black box" technology -- meaning that the algorithms and heuristics it uses for scoring are not published by Microsoft, thereby making it more difficult for spammers to craft messages that score lower and pass the filter. The Exchange server downloads new heuristics from Microsoft periodically.

Exchange 2003 SP2 introduced the Internet Message Filter (IMF) to score emails with an SCL rating. Exchange 2007 uses Content Filtering on the Anti-spam tab of the Edge Transport server to score emails (as shown below). It can also be enabled on a Hub Transport server if Edge Transport servers are not used. See How to Enable Anti-Spam Functionality on a Hub Transport Server.

Selecting the right SCL filter level is not an exact science. You're trying to filter obvious spam without accidentally filtering legitimate messages. You can use the following method to determine the starting point for your filter.

Using Perfmon to Select the SCL Filter Level
The best way to determine the appropriate SCL filter level is to use perfmon and examine the MSExchange Content Filter Agent object. Over time, the "Messages with SCL x" counters will increment and begin to show a trend.

In the example below, the Messages with SCL 0 through 7 counters are in the lower half of the scale. Messages with SCL 8 is off the charts at 270 -- more than all the lower SCL levels combined. From this data we can infer that it is safe to filter messages with an SCL higher than 7.

Note that these counters reset to zero upon restart of the server. It may take a little while before the trend appears.

Keep in mind that this is only the filter to begin with. You may have to adjust your filter up or down for your specific environment, but this will give you an excellent starting point.
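The same reading of the counters can be scripted. This is an added example, not code from the original post: it pulls the "Messages with SCL n" counters from the MSExchange Content Filter Agent object on the local transport server, draws the histogram, and applies the rule above, proposing the highest SCL level whose count exceeds every lower level combined. The counter names are those shown in perfmon; the 5..9 search range and the decision to print the Set-ContentFilterConfig command rather than run it are my choices.

```powershell
# Added example: derive a starting SCL delete threshold from the Content Filter counters.
# Counters are cumulative since the last transport service restart, so let them run first.
function Get-SclHistogram {
    $category = 'MSExchange Content Filter Agent'
    $counts = @{}
    foreach ($scl in 0..9) {
        # single-instance category, so no instance name is needed
        $counter = New-Object System.Diagnostics.PerformanceCounter($category, "Messages with SCL $scl")
        $counts[$scl] = [long]$counter.RawValue
        $counter.Close()
    }
    $counts
}

function Get-RecommendedSclThreshold {
    param([Parameter(Mandatory=$true)][hashtable]$Counts)
    # Walk down from 9: the first level whose count beats everything below it is the spike.
    # Levels under 5 are never proposed; a spike that low means the filter is not yet trustworthy.
    foreach ($scl in 9..5) {
        $below = 0
        foreach ($lower in 0..($scl - 1)) { $below += $Counts[$lower] }
        if ($Counts[$scl] -gt $below) { return $scl }
    }
    $null   # no clear break in the distribution yet
}

$hist = Get-SclHistogram
foreach ($scl in 0..9) {
    $bar = '#' * [math]::Min(60, [int]($hist[$scl] / 5))
    '{0,-6} {1,8} {2}' -f "SCL $scl", $hist[$scl], $bar
}

$threshold = Get-RecommendedSclThreshold -Counts $hist
if ($threshold -ne $null) {
    "Starting point: delete messages at SCL $threshold or above"
    "  Set-ContentFilterConfig -SCLDeleteEnabled `$true -SCLDeleteThreshold $threshold"
} else {
    "No level dominates everything below it yet; let the counters run longer."
}
```

With the figures from the example above (SCL 0 through 7 small, SCL 8 at 270), the function returns 8, which is the same "filter anything higher than 7" conclusion. The script prints the command instead of applying it so the number can be sanity-checked against the bars before any mail is deleted.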

SmartScreen filtering is just one of the anti-spam solutions available for Microsoft Exchange Server 2007. Other solutions include Sender ID Framework, Outlook Junk E-Mail Filter, and Microsoft Exchange Hosted Filtering. See the Microsoft AntiSpam Technologies website for more details.

Labels: , , , , , ,

Subscribe in a reader Subscribe by Email

Thursday, July 31, 2008

It's Not Exchange 2007 Enterprise Until You Enter the Product Key

According to the Microsoft article, "Exchange Server 2007: Platforms, Editions, and Versions":

"When you install Exchange 2007, it is unlicensed and referred to as a Trial Edition. Unlicensed (Trial Edition) servers appear as Standard Edition, and they are not eligible for support from Microsoft Product Support Services. The Trial Edition expires 120 days after the date of installation."

This means that you will be unable to add additional storage groups, managed folders, or use any of the Exchange Enterprise features until you enter the Enterprise product key.

Labels: , ,

Subscribe in a reader Subscribe by Email

Thursday, July 24, 2008

Free/Busy Information in Exchange 2000/2003/2007

What is Free/Busy?
Users' availability information is stored in Exchange in a hidden system public folder. This information is used by Outlook and OWA to tell other users if they are free or busy (hence, the term Free/Busy information). Normally this information is displayed as color-coded blocked out areas in a user's calendar, as shown above. If users have extended rights, they can right-click another user's blocked out time to view the subject of the busy time.

The Free/Busy information is posted as a single message that contains data for the entire Free/Busy duration. The default is to publish two months' worth of information, configurable in Outlook Options or via Group Policy. Every time the Free/Busy information is updated, the message is overwritten.

Publishing Free/Busy Information
The way Free/Busy information is published to Exchange depends on the method used to update the user's calendar. The Outlook client is usually responsible for generating Free/Busy information. Outlook will read the calendar and generate Free/Busy every 15 minutes by default if the information has been changed. This schedule can be changed in Outlook options or via Group Policy. Outlook also republishes the Free/Busy information whenever Outlook is shut down.

So what happens when the user updates their calendar using Outlook Web Access (OWA) or some other non-MAPI client? In this case, Free/Busy information is updated by a background process called MSExchangeFBPublish (MadFB). This process runs under the System Attendant mailbox and updates Free/Busy every 5 minutes for OWA, OMA, and Entourage clients. When a change is made to the calendar, a Free/Busy message is submitted to the System Attendant mailbox on the mailbox server for the user. The MadFB process polls this mailbox and picks up that there has been a change. MadFB then publishes the user's full Free/Busy message to the Free/Busy folder overwriting the existing message.

Replicating Free/Busy Information
The short answer is don't do it. The only reason to replicate Free/Busy information is when you frequently have users accessing Free Busy information of users in another site, and those sites are separated by a slow or lossy network link. Replicating Free/Busy information introduces inherent latency and causes inaccuracy in the Free/Busy information. Users in one site may see information from a site that has not replicated yet.

Where is Free/Busy Information Stored?
As mentioned earlier, Free/Busy information is stored in a system public folder. You can view all the Free/Busy information in the org by opening the following URL in a web browser: "http(s)://ServerName/Public/Non_IPM_Subtree/SCHEDULE%2B%20FREE%20BUSY/".

Here, you will see a folder under SCHEDULE+ FREE BUSY for each Administrative Group in the format, "EX:/o=/OU=". Each folder contains messages for each user. These messages are the Free Busy information for the user. The messages are formatted as, "USER-/CN=RECIPIENTS/CN=".

Free/Busy message placement is based on the user's legacyExchangeDN attribute in AD. For example, if my legacyExchangeDN is "/o=CompanyABC/ou=Paris/cn=Recipients/cn=jsguillet", my Free/Busy information will be stored in the "USER-/CN=RECIPIENTS/CN=jsguillet" message in the "/EX:/o=CompanyABC/ou=Paris" folder.

You are unable to view the contents of the message, but you can delete it. Doing so will remove all Free Busy information from Exchange until it is republished using one of the methods explained above. If Free/Busy information is not available to other users, they will see black and white hash marks across your calendar and Outlook will say that Free/Busy information is not available for this user.

How to Republish Free/Busy Information
On occasion Free/Busy information may not be published correctly in Exchange. There are many reasons that this can occur. Examples include errors in Public Folder replication (if Free Busy is being replicated, another reason to not do this), network errors, and incorrect shutdown of Outlook or Windows.

So how do you republish Free/Busy information? The easiest way to do this for individual users is to have them run Outlook with the /CleanFreeBusy switch:

  • Close Outlook

  • Click Start, Run, enter "start outlook /cleanfreebusy" and click OK

  • Outlook will start, generate the Free/Busy information from the Outlook calendar and republish it to Exchange within 5 minutes. It will overwrite any existing Free/Busy message or publish a new one if it doesn't exist.

While this is easy to do for one or two users, it isn't a good solution for all users in the enterprise since it requires user intervention.

Microsoft KB article 294282 details how to use Updatefb.exe to regenerate Free/Busy information from the calendar information contained in each user's mailbox. You run this utility under the context of a user or service account that has full mailbox access to the affected users. It reads a comma delimited file containing the alias and home mailbox server of each user (i.e., alias, mailbox1) and logs in as that user using Collaboration Data Objects (CDO). It then creates a single appointment for the user for today at 11:00pm. This marks the Free/Busy information as "dirty". It then logs off the MAPI connection, causing the Free/Busy information to republish to Exchange. Note that Updatefb will be unable to open disabled users' or hidden mailboxes, so be sure to exclude them from the CSV input file.

Updatefb.exe is an unsupported utility written by Microsoft and is only available through Microsoft Product Support Services. There are two versions of the utility, Updatefb.exe is the GUI version and CPPCDO.exe is a command line version. I have used it in several environments with no issues.
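Building the CSV by hand for a large org is error-prone, and a disabled or hidden mailbox left in it stops the run. The following is an added example, not from the original post or from Microsoft: it queries Active Directory for mailbox-enabled users, drops disabled accounts (userAccountControl bit 2) and mailboxes hidden from address lists, and writes the alias,server pairs Updatefb expects. The home server is taken from msExchHomeServerName, whose last cn= component is the server name. The output path is a placeholder.

```powershell
# Added example: generate the Updatefb.exe input file from AD, excluding the mailboxes
# Updatefb cannot open. Attribute names are the standard Exchange 2000/2003 schema names.
$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
# mailbox-enabled users, not disabled (bitwise AND on userAccountControl), not hidden
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(mailNickname=*)(msExchHomeServerName=*)" +
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(msExchHideFromAddressLists=TRUE)))"
$searcher.PageSize = 1000   # paged results, otherwise large domains stop at 1000 entries
[void]$searcher.PropertiesToLoad.AddRange(@('mailNickname', 'msExchHomeServerName'))

$rows = foreach ($result in $searcher.FindAll()) {
    $alias = $result.Properties['mailnickname'][0]
    # msExchHomeServerName looks like /o=Org/ou=AG/cn=Configuration/cn=Servers/cn=MAILBOX1
    $legacy = $result.Properties['msexchhomeservername'][0]
    $server = ($legacy -split '/cn=')[-1]
    "$alias,$server"
}

$rows | Set-Content -Path 'C:\Temp\updatefb.csv' -Encoding ASCII   # placeholder path
"Wrote {0} mailboxes to updatefb.csv" -f @($rows).Count
```

Run it as the same service account that will run Updatefb, and review the file before handing it over: the account only needs full mailbox access to the aliases in the list, so trimming the list is also trimming the permissions you have to grant.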

What About Exchange 2007?
Exchange 2007 uses an entirely new and different way to manage Free/Busy information, so the above does not apply in a pure Exchange 2007/Outlook 2007 environment. When using Exchange 2007 with Outlook 2007 Free/Busy information will no longer come from a Public Folder, but will instead use the Microsoft Exchange 2007 Availability Service. This web service will provide a direct look at the user's Free/Busy information without the need of a client publishing any data. Outlook 2007 and Exchange 2007 can still use (and will still have) the Free/Busy public folder for backwards compatibility with older Outlook clients.

Labels: , , ,

Subscribe in a reader Subscribe by Email

Wednesday, July 23, 2008

Your Troubleshooting PAL

How many times have you been faced with a performance issue with a computer and you don't really know where to start? Sure, you can fire up Performance Monitor (perfmon) and start collecting data for analysis, but which counters do you collect and how do you identify a bottleneck?

Perfmon can gather tons of information and poring over all that data for analysis can be a daunting task. Enter Performance Analysis of Logs (PAL), a new and powerful tool that reads in a performance monitor counter log in any known format and analyzes it using complex, but known thresholds. The tool produces an HTML report which reports important performance counters and displays alerts when thresholds are exceeded.

PAL is a free open source application developed by Microsoft and is hosted on CodePlex, Microsoft's open source project hosting web site. It requires two other free pieces of software on the computer where PAL will run:

Log Parser 2.2
Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. PAL uses the Log Parser tool to query perfmon logs and to create charts and graphs for the PAL report.

Microsoft Office Web Components 2003
Log Parser requires the Office Web Components 2003 in order to create charts.

Note: Because there is no 64-bit version of the Microsoft Office Web Components, PAL only runs on x86 platform computers.

To use PAL, you begin by collecting performance data from the target machine using perfmon. Typically, I collect the Memory, Network Interface, Physical Disk, Processor and System counters to begin with. Once you've collected some data run PAL and walk through the wizard. Be sure to answer the Question Variable Names at the bottom of the Threshold File page. The variables are Number of Processors, use of the /3GB switch, is the target a 64-bit computer, total RAM and whether it has a kernel dump configured. Step through the rest of the wizard and PAL will create a batch file, run it and display the output as a graphical report in your web browser. Very cool!!!

You can view a LiveMeeting streaming video training of PAL here.

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Wednesday, June 25, 2008

Fix for Self-Update is Not Working in WSUS 3.0

I've noticed a number of WSUS 3.0 servers are coming up with the following error in the Application event log:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 13042
User: N/A
Computer: WSUS01
Description: Self-update is not working.

To fix the issue, follow these steps:
  • Open IIS Manager and ensure there is a Selfupdate virtual directory in the Default Web Site. If not, create it with the Local Path pointing to C:\Program Files\Update Services\Selfupdate

  • Click the Directory Security tab and ensure that Anonymous Access is allowed

  • Restart IIS

Verify that the problem is fixed by running the following command at the command prompt:

C:\Program Files\Update Services\Tools\wsusutil.exe checkhealth

Then examine the Application event log for the following event:

Event Type: Information
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 10000
User: N/A
Computer: WSUS01
Description: WSUS is working correctly.

As background, WSUS clients must connect to the SelfUpdate virtual directory to check for a new version of the WSUS client before checking for new updates. This always happens anonymously over port 80, even if WSUS is configured to use a custom port, such as port 8530.
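Because the self-update check is an anonymous HTTP fetch on port 80, the quickest confirmation is to make that same request from a client's point of view. This is an added example, not from the original post: it asks for selfupdate/wuident.cab with no credentials at all and maps the usual failures back to the steps above. The server name is a placeholder.

```powershell
# Added example: reproduce the WSUS client's anonymous self-update request.
function Test-WsusSelfUpdate {
    param([Parameter(Mandatory=$true)][string]$Server)

    # Clients fetch this from the Default Web Site on port 80, whatever port WSUS itself uses
    $url = "http://$Server/selfupdate/wuident.cab"
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.Method = 'HEAD'
    $request.UseDefaultCredentials = $false   # deliberately send no credentials
    $request.Credentials = $null
    $request.Timeout = 10000

    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $length = $response.ContentLength
        $response.Close()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { 0 }
        $length = -1
    }

    New-Object PSObject -Property @{
        Url          = $url
        Status       = $status
        Bytes        = $length
        SelfUpdateOK = ($status -eq 200 -and $length -gt 0)
    }
}

$result = Test-WsusSelfUpdate -Server 'WSUS01'   # placeholder server name
$result | Format-List Url, Status, Bytes, SelfUpdateOK
switch ($result.Status) {
    401 { 'Anonymous access is disabled on the Selfupdate virtual directory' }
    403 { 'Anonymous access is denied by NTFS or IIS permissions on the Selfupdate folder' }
    404 { 'The Selfupdate virtual directory is missing or points to the wrong folder' }
    0   { 'Nothing answered on port 80, or the server name did not resolve' }
}
```

A 200 with a non-zero length means clients can self-update; anything else points at the virtual directory, its anonymous access setting, or the Default Web Site binding on port 80 rather than at the WSUS site on 8530.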

Labels: ,

Subscribe in a reader Subscribe by Email

Outlook Calendar Delays Explained

Some customers experience performance issues when opening other users' calendars. A delay occurs the first time they open the calendar, but subsequent access is fine. At random times the performance issue occurs again. Here's why this happens.

When Outlook accesses another user’s calendar, Exchange applies a view which restricts the user from viewing private items. This happens regardless of whether there are any private items or not. This process is run on, and controlled by, the Exchange server. The act of applying a view to a folder creates search folders in the Exchange store. Once the search folder has been created, it is cached for later use, which makes subsequent viewings faster.

Exchange doesn’t cache all search folders forever. Doing so would cause server-side delays since the cache folders are continuously updated by Exchange.

The number of search folders (also known as views) is defined at the store level in Exchange. The default is 11 and the best practice is to set it between 5 to 20 views, per mailstore. It’s important to note that this number is global for the mailstore and views are not shared between users.

To demonstrate, suppose John is an administrative assistant who manages 10 separate calendars. The first time he opens each one there is a delay while Exchange builds the view; after that, access is fast. Now another user, Linda, in the same mailstore, opens 6 calendars, including the first 3 that John opened. Because views are not shared between users, those are 6 new views, 16 in total, but the store keeps only 11, so John's oldest views are pushed out of the cache. The next time John opens his first calendar he waits again while the view is rebuilt. Raising the number of views on the store to 20 avoids this (10 + 6 = 16, which is less than 20).

The number of views stored on the Exchange server is held in the msExchMaxCachedViews attribute in AD. To adjust the value, use ADSIEdit to navigate to dn: CN=Mailbox Store,CN=Storage Group,CN=InformationStore,CN=Server NAME,CN=Servers,CN=AG Name,CN=Administrative Groups,CN=Orgname,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Company,DC=com. Right-click the mailbox store to adjust on the right pane and edit the msExchMaxCachedViews attribute.

Setting the value too low will cause more frequent delays for users as the views are built more often. Setting the value too high will cause slow overall Exchange performance as more views are continuously updated. It should never be set higher than 50.
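Walking each store in ADSIEdit is tedious in an org with many servers, and nothing in ADSIEdit stops you typing 500. The following is an added example, not from the original post: it lists msExchMaxCachedViews for every mailbox store in the configuration partition and offers a setter that enforces the limits given above. Reporting 11 when the attribute is not set reflects the default stated above and is my assumption about how an unset value behaves.

```powershell
# Added example: report and bound msExchMaxCachedViews across all mailbox stores via ADSI.
function Get-MailboxStoreCachedViews {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $config  = [ADSI]("LDAP://" + $rootDse.configurationNamingContext)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($config)
    $searcher.Filter = '(objectClass=msExchPrivateMDB)'   # mailbox stores only, not public stores
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'distinguishedName', 'msExchMaxCachedViews'))

    foreach ($r in $searcher.FindAll()) {
        $views = 11   # assumption: the default of 11 applies when the attribute is absent
        if ($r.Properties.Contains('msexchmaxcachedviews')) {
            $views = [int]$r.Properties['msexchmaxcachedviews'][0]
        }
        New-Object PSObject -Property @{
            Store          = $r.Properties['cn'][0]
            DN             = $r.Properties['distinguishedname'][0]
            MaxCachedViews = $views
        }
    }
}

function Set-MailboxStoreCachedViews {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        [Parameter(Mandatory=$true)][int]$Views
    )
    # Hard stop outside 5..50, warning above the recommended 20
    if ($Views -lt 5 -or $Views -gt 50) { throw "Refusing $Views views: stay within 5-20, never above 50" }
    if ($Views -gt 20) { Write-Warning "$Views views is above the recommended 5-20 range" }

    $store = [ADSI]("LDAP://" + $DistinguishedName)
    $store.Put('msExchMaxCachedViews', $Views)
    $store.SetInfo()
}

Get-MailboxStoreCachedViews | Format-Table Store, MaxCachedViews, DN -AutoSize
# Example change, DN taken from the report above:
# Set-MailboxStoreCachedViews -DistinguishedName 'CN=Mailbox Store (SERVER01),CN=First Storage Group,...' -Views 20
```

Writes to the configuration partition need an account with Exchange administrative rights on the server object, so run the report first as a low-privilege account and only the setter under the privileged one.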

Labels: , ,

Subscribe in a reader Subscribe by Email

Thursday, June 5, 2008

VMM 2008 Managed Hyper-V VMs Won't Start

This evening our neighborhood took a large power surge due to a car hitting a power pole. Everything in the house shutdown abruptly, including my local network running Hyper-V hosts and Virtual Machine Manager 2008 (beta).

When the power returned about 60 seconds later, all my physical servers turned back on, but the Hyper-V VMs would not start. The following events were logged in the Hyper-V Event Log:

Log Name: Microsoft-Windows-Hyper-V-Worker-Admin
Source: Microsoft-Windows-Hyper-V-Worker
Date: 6/5/2008 8:36:30 PM
Event ID: 17040
Task Category: None
Level: Error
Description:The authorization store could not be initialized from storage location 'msxml://C:\ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml'. Error: General access denied error (0x80070005).

Log Name: Microsoft-Windows-Hyper-V-VMMS-Admin
Source: Microsoft-Windows-Hyper-V-VMMS
Date: 6/5/2008 8:36:44 PM
Event ID: 15500
Task Category: None
Level: Error
Description:'EDGE STD x64' failed to start worker process: The extended attributes are inconsistent. (0x800700FF). (Virtual machine ID 118D4321-2B6D-4DE3-B1F0-E55BCD1DCD60)

To fix this problem, uninstall the VMM 2008 Local Agent and reinstall it. Catastrophe averted!

Labels: , ,

Subscribe in a reader Subscribe by Email

Tuesday, May 20, 2008

Quickly installing MOSS 2007 with SP1 on Windows Server 2008

If you try to install MOSS 2007 on Windows Server 2008, you are going to get an error that there is an incompatibility. To install, you need SP1 for MOSS.

You can slipstream SP1 yourself, but it turns out there's an easier way. First, install the trial version of MOSS 2007 with SP1 (32 bit or 64 bit). After you install the trial version, upgrade from the trial version.
  1. In Central Administration, on the top link bar, click Operations.
  2. On the Operations page, in the Upgrade and Migration section, click Convert license type.
  3. On the Convert License Type page, in the Enter the Product Key box, type the new product key.

Thanks to Kirk Allen for the tip!

Labels: , ,

Subscribe in a reader Subscribe by Email

Unable to Successfully Promote SCOM RMS Server

If the root management server (RMS) in a System Center Operations Manager 2007 (SCOM 2007) implementation fails or becomes unavailable for some reason the entire SCOM system will fail. Well, not exactly. The managed agents will still collect performance and alert data and will either queue this data or forward it to its management server. The management servers will be unable to forward this information to the SQL database and administrators will be unable to launch either the Operations or web consoles, so it's as good as dead.

There are two ways to rectify this -- bring the RMS server back online or promote an existing SCOM management server to an RMS. Microsoft article, "How to Promote a Management Server to a Root Management Server Role in Operations Manager 2007" does a good job of explaining the steps required, so I won't go through them here. But what happens if you get the following error when promoting the new RMS?

The machine managementserver is a server for multiple management groups (not supported)!

This occurs when the registry contains extra "Parent Health Service" or "Send Priority" keys under the Server Management Groups key. Navigate to:

HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups

Under this key you should see a key that matches the name of your SCOM management group. There should not be any other keys at the same level as the management group name. Back them up and delete them. In the example below, backup and delete the "Send Priority" key and its subkeys.

Run the same ManagementServerConfigTool.exe PromoteRMS command and it should work now.

Labels: , ,

Subscribe in a reader Subscribe by Email

Thursday, May 15, 2008

SQL Exceptions during SCOM 2007 RMS Promotion

The Microsoft article, "How to Promote a Management Server to a Root Management Server Role in Operations Manager 2007" does a pretty good job of explaining how to promote a SCOM 2007 management server to a root management server.

While performing a disaster recovery test today, I found that I was getting the following SQL exceptions when I ran the ManagementServerConfigTool.exe PromoteRMS command:

The type initializer for 'Microsoft.MOMv3.Setup.MOMv3ManagedCAs' threw an exception.

Turns out this is because I ran the ManagementServerConfigTool.exe PromoteRMS command directly from the SCOM SP1 Support Tools folder, which is missing some of the DLLs required to run the command.

Simply copy the files from the Support Tools folder on the SP1 CD to the local \Program Files\System Center Operations Manager 2007 folder and re-run the command.

Labels: , ,

Subscribe in a reader Subscribe by Email

Wednesday, May 14, 2008

Error Running SecureStorageBackup

When backing up or restoring the RMS keys using the SecureStorageBackup utility in SCOM SP1, you may come across the following error:

Could not load file or assembly 'Microsoft.Mom.Common, Version=6.0.4900.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

To fix this, copy Microsoft.Mom.Common.dll from C:\Program Files\System Center Operations Manager 2007 to the same folder where SecureStorageBackup.exe is run. Then run SecureStorageBackup again.

Labels: , ,

Subscribe in a reader Subscribe by Email

Sunday, May 11, 2008

Failure installing VMM2008

When installing the server component of Microsoft System Center Virtual Machine Manager 2008, you may come across the following error:

Microsoft System Center Virtual Machine Manager 2008 installation did not complete successfully. Review the error log for information, and then try Setup again.
ID: 205. Details: Fatal error during installation

Virtual Machine Manager Server installation did not successfully install. All items that were copied during the installation process have been removed, however some required prerequisite software is still present on the machine. It is not necessary to remove the remaining software before you run Setup again. But you can uninstall the prerequisite software by going to Add or Remove Programs.
For error details, click the Error tab.

The ServerSetup.log file also references error 1603 in various places. This is caused by name resolution (DNS lookup) failures. Examine your DNS configuration for any of the following errors:
  • Misconfigured TCP/IP settings
  • Primary DNS is misconfigured on the VMM server
  • The VMM server is unable to resolve the DC by name
  • The VMM server does not have a record in DNS
  • The DC is unable to get proper name resolution of the VMM server
  • Incorrect DNS forwarding
  • DNS is not functioning correctly on the DNS server

Once the errors have been corrected, reinstall the VMM server component.

Labels: , , ,

Subscribe in a reader Subscribe by Email

Monday, May 5, 2008

Well, that was painful...

I'm installing a new SCOM 2007 SP1 infrastructure in a test environment.

I built up a couple of SQL 2005 database servers and two management servers, one of each in each of two sites. I installed the SCOM database on the first SQL server and then installed SCOM on the first management server, making it the root management server (RMS).

After SCOM installs, setup asks if you want to run the Operations Console. I cleared the checkbox to do so and began to immediately upgrade to SCOM 2007 SP1. Big mistake. Now I couldn't log into the console with any account. It seems that SCOM needs to do some more setup when you run the console for the first time.

I ended up completely uninstalling SCOM from the RMS and deleting the OperationsManager database from the SQL server, then I reinstalled everything. This time I launched the console before upgrading to SP1. It worked, but wasted about an hour and a half.

Learn from my mistake.

Labels: , ,

Subscribe in a reader Subscribe by Email

Tuesday, April 29, 2008

How to Enable Autologon for Windows Server 2008 Member Servers and Windows 7 Member Workstations

In a previous post I showed how to enable Autologon for workgroup servers and workstations.

Once you join a server to a domain, Windows will automatically delete the AutoAdminLogon value from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. This causes the userpasswords2 control to hide the "Users must enter a user name and password to use this computer" checkbox shown above.

Here's how to get the missing checkbox back and configure Autologon:
  • Open a CMD prompt and enter the following (all on one line):
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d "1" /f
  • Click Start, Run and enter control userpasswords2
  • Clear the checkbox for Users must enter a user name and password to use this computer and click OK
  • Enter the user name and password that will be used for Autologon and click OK

When the computer starts up, the account you specified is logged on automatically. The password is not written to the registry in clear text; control userpasswords2 stores it as an LSA secret (DefaultPassword). Keep in mind what that protects and what it does not: any local administrator or SYSTEM-level process can read the secret back, and anyone who can reach the console or power-cycle the machine gets that account's session without typing a password. Use a dedicated account with only the rights the task needs, and only on a machine you consider physically trusted.

This tip works for Windows 7, Windows Server 2008, and Windows Server 2008 R2.
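Because autologon is easy to switch on and easy to forget, it is worth auditing for. The following is an added example, not from the original post: it reads the Winlogon key on each computer over the remote registry, reports whether AutoAdminLogon is on and for which account, and flags the worse case of a DefaultPassword value written directly into the registry, which is stored in clear text (unlike the LSA secret that control userpasswords2 creates). Computer names are placeholders, and the targets need the Remote Registry service running.

```powershell
# Added example: audit computers for Autologon configuration and clear-text DefaultPassword.
function Get-AutologonState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    if ($key -eq $null) { $hklm.Close(); throw "Winlogon key not found on $ComputerName" }

    try {
        $domain = $key.GetValue('DefaultDomainName', '')
        $user   = $key.GetValue('DefaultUserName', '')
        New-Object PSObject -Property @{
            ComputerName      = $ComputerName
            AutoAdminLogon    = ($key.GetValue('AutoAdminLogon', '0') -eq '1')
            Account           = '{0}\{1}' -f $domain, $user
            # A DefaultPassword registry value is readable clear text by anyone who can read HKLM
            ClearTextPassword = ($key.GetValue('DefaultPassword') -ne $null)
            # Non-null only when someone configured a one-shot autologon count
            AutoLogonCount    = $key.GetValue('AutoLogonCount')
        }
    } finally {
        $key.Close()
        $hklm.Close()
    }
}

# Placeholder computer list; feed it from AD or a text file in practice
'SERVER01', 'SERVER02', 'WKS07' | ForEach-Object {
    try { Get-AutologonState -ComputerName $_ }
    catch { Write-Warning "$_" }
} | Where-Object { $_.AutoAdminLogon -or $_.ClearTextPassword } |
    Format-Table ComputerName, AutoAdminLogon, Account, ClearTextPassword, AutoLogonCount -AutoSize
```

Any row with ClearTextPassword set to True should be fixed the same day: delete the DefaultPassword value and, if autologon is genuinely required, re-enter the password through control userpasswords2 so it lands in the LSA secret instead.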

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Tuesday, April 15, 2008

Fix for Failed Security Update for Microsoft XML Core Services 4.0 Service Pack 2

I recently built up a new Hyper-V virtual domain environment based on a single server image. Unfortunately, my base image had a problem downloading and installing the Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB936181). The yellow Windows Update shield would pop up in the notification area to say the update was ready to install. I would install it, but Automatic Updates would download it again and say it needed to be installed again.

Here's what the event logs looked like:

Event Type: Information
Event Source: Windows Update Agent
Event Category: Installation Event
ID: 19
Date: 4/15/2008 Time: 7:11:59AM
User: N/A
Computer: HOSCOM
Description:Installation Successful:
Windows successfully installed the following update: Security Update for
Microsoft XML Core Services 4.0 Service Pack 2 (KB936181)
... and then almost immediately,

Event Type: Information
Event Source: Windows Update Agent
Event Category: Installation Event
ID: 18
Date: 4/15/2008 Time: 7:12:50AM
User: N/A
Computer: HOSCOM
Description:Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, April 16, 2008 at 3:00 AM: - Security Update for Microsoft XML Core Services 4.0 Service Pack 2(KB936181)
Very annoying. To fix this issue, download the update from Microsoft and manually install it. The update can be found here.

Labels: , ,

Subscribe in a reader Subscribe by Email

Thursday, April 10, 2008

Comprehensive List of WSUS Error Codes

I came across a web page a long time ago that lists all(?) of the cryptic WSUS error codes, such as 0x0000041D. This is extremely helpful when troubleshooting WSUS logs and WindowsUpdate.log files. I've found that it's helpful for lots of other Microsoft products, as well! I saved it as a portable MHT file that you can download.

If I could remember where I found this, I would gladly give them credit.

Please to enjoy. WSUS Error Codes

Labels: , , ,

Subscribe in a reader Subscribe by Email

Monday, April 7, 2008

Getting Exchange 2007 to work with SBC Yahoo DSL

Update: Beginning yesterday, November 14, 2008, the email relay servers began NDRing emails sent from AT&T customers. Again, this information was not passed on to its customers.

I've updated the instructions below to use the servers, which are now accepting authenticated connections.

First, let me say that SBC Yahoo is less than helpful on any assistance with configuring Exchange (any version) to work with their SMTP gateways. Really, I can't blame them too much because of the potential for businesses using a "home" level of service to hammer their systems with large quantities of email.
In any event, here's how to configure Exchange 2007 with Edge services to send email through SBC Yahoo's email servers.

Configure the outbound Send Connector
  • Logon to the server hosting the Hub Transport role
  • Open the Exchange Management Console (EMC)
  • Expand Microsoft Exchange\Organization Configuration\Hub Transport
  • Click the Send Connectors tab
  • Double-click your outbound SMTP connector to open its properties. Mine is named "EdgeSync - expta to the Internet"
  • Click the Network tab
  • Select "Route email through the following smart hosts" and click the Add button
  • Select "Fully qualified domain name (FQDN)" and enter as the smart host. Click OK
  • Select Basic Authentication (do not check Basic Authentication over TLS)
  • Enter your SBC username (i.e., and SBC password. Click OK

Configure the Edge server to use port 587
  • Yes, yes, I know that SBC's documentation says SSL port 469, but trust me, it's 587...
  • On the Hub Transport server, open the Exchange Management Shell (EMS)
  • Type Get-SendConnector and make note of the name of the send connector you just configured. Again, mine is "EdgeSync - expta to the Internet"
  • Type Set-SendConnector "EdgeSync - expta to the Internet" -port 587 to change the port. Obviously, change the name in quotes to the name of your Send Connector.
  • Type Start-EdgeSynchronization to force a sync with the Edge server

Force the Send Connector to Retry
  • Open EMC on the Edge server and click Toolbox
  • Double-click Queue Viewer
  • On the Queues tab, select the outbound SMTP queue and click the Retry action

Notes: TLS is the standardized successor to SSL, not a different kind of protocol, and both protect an ordinary client-to-server TCP connection; when Exchange submits to a smart host, Exchange is the client. What the "Basic Authentication over TLS" option (BasicAuthRequireTLS in the shell) changes is that Exchange will not send the user name and password until STARTTLS has been negotiated with the smart host, so if the relay does not offer STARTTLS the connector never authenticates and mail sits in the queue. Plain Basic Authentication has the opposite problem: the SBC user name and password cross the Internet Base64-encoded, not encrypted, on every connection, so treat that account as exposed and give it no more rights than relaying requires.

You should also register your external email address with SBC Yahoo's email system. This will ensure that email from your external account won't be NDR'd back to you when you send it. See

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Thursday, April 3, 2008

Hyper-V Integration Components For Windows 2003 SP1

Well, kinda.

Big Red Disclaimer: The steps listed here are not supported by Microsoft (or me). I've tested it several times and have not found any issues. If it doesn't work for you - well, sorry.

The Integration Components for Hyper-V RC0 are only available for Windows XP 32-bit with SP3 or later, Windows Server 2003 with SP2 or later, Windows Vista 32-bit with SP1 or later, all versions of Windows Server 2008 and, just recently, Linux.

So what do you do if you want to virtualize a Windows 2003 SP1 server? After all, you may have a legacy application that won't run on SP2 and one of the hopes of virtualization is to move these servers off of dedicated hardware. Here's how to do it:

  • Gather your CDs. You'll need the following:
    • Windows 2003 Server CD (RTM or SP1 - make sure it doesn't have SP2 slipstreamed into it)
    • Windows Server 2003 SP2 upgrade CD or ISO (available here from Microsoft)
  • Create a new Windows 2003 virtual server using the Hyper-V New Virtual Machine Wizard
  • Upgrade the virtual machine to SP2 using the SP2 CD or ISO.
  • From the Hyper-V Action menu, insert the Integration Services Setup disk and install the Integration Components. The installation will require a restart when it's complete.
  • After the restart, uninstall Windows Server 2003 SP2 using Add or Remove Programs in Control Panel. The uninstall will warn you that KB943295 and the Integration Components may not work if you continue the uninstallation. Click Continue.
  • Restart the virtual machine to complete the uninstallation.

Now you have a Windows 2003 VM with SP1 which runs the Integration Components! You can use this base image to make as many servers as you like. Be sure to use a tool like NewSID to generate unique SIDs for each clone, otherwise you'll run into problems in a domain.

Note: I haven't tested this for Windows Server 2003 RTM, Vista RTM or Windows XP RTM/SP1/SP2, but I expect it will work. Please post a comment if you have success or failure.


Monday, March 31, 2008

Fix for Error 0x80004015 on WSUS Clients

When you try to start the Automatic Updates service on a computer you may encounter an error stating,

Could not start Automatic Updates service on the local computer. Error 0x80004015: The class is configured to run as a security id different from the caller

I've found that this is usually caused when the service was previously configured as Disabled via Group Policy.

When you configure a service startup mode in Group Policy (Computer Configuration\Windows Settings\Security Settings\System Services), Group Policy first has you configure the security of the service in the registry. The default security settings (before you configure the service in the GPO) normally include Authenticated Users with Read and Start, Stop and Pause permissions. Once the service is configured in Group Policy, Authenticated Users are left with no permissions, which prevents normal users from reconfiguring the service back to Automatic and starting it.

To fix this issue, set the service permissions so that Authenticated Users have Read and Start, Stop and Pause permissions on the service. This can be done the following ways:

  • To reconfigure the service in Group Policy, set the service startup type to Automatic and click the Edit Permissions button. Add Authenticated Users with Read and Start, Stop and Pause permissions. Run GPUPDATE on the client machine or restart it to pick up the new GPO settings.

  • Manually set permissions on the service using Regedit. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\wuauserv. Right-click wuauserv and select Permissions. Add Authenticated Users with Read permissions.

This tip applies to any other service configured via Group Policy.
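To verify that a service's descriptor still carries the Authenticated Users entry described above, here is an added Python example (not the post's own code) that parses the SDDL string printed by sc sdshow. The two sample descriptors, the set of rights taken to mean "Read", and the SDDL letter-to-bit mapping comments are my assumptions, labelled in the code.

```python
"""Check a service's SDDL security descriptor for the Authenticated Users
rights described above. Added example, not from the original post.

The descriptors below are constructed samples in the format that
``sc sdshow wuauserv`` prints; feed that command's real output to
check_service_sddl() to audit a live machine.
"""
import re

# Service-specific and standard rights as sc.exe spells them in SDDL,
# with the access-mask bit each letter pair stands for.
RIGHT_BITS = {
    "CC": 0x00001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x00004,  # SERVICE_QUERY_STATUS
    "SW": 0x00008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00010,  # SERVICE_START
    "WP": 0x00020,  # SERVICE_STOP
    "DT": 0x00040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00080,  # SERVICE_INTERROGATE
    "CR": 0x00100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
}

# What the post calls "Read" (assumed here to be the query/enumerate/
# interrogate rights plus READ_CONTROL) and "Start, Stop and Pause".
READ_RIGHTS = {"CC", "LC", "SW", "LO", "RC"}
START_STOP_PAUSE = {"RP", "WP", "DT"}
REQUIRED = READ_RIGHTS | START_STOP_PAUSE

ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_rights(field):
    """Turn an ACE rights field (letter pairs or a 0x mask) into a set of codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) for every ACE in the D: part of an SDDL string."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop a trailing SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # not a plain ACE we understand; skip it
        aces.append((fields[0], decode_rights(fields[2]), fields[5]))
    return aces


def check_service_sddl(sddl, sid="AU"):
    """Return the required rights that `sid` lacks (empty set means OK).

    Only access-allowed ('A') ACEs grant rights; a deny ('D') ACE that
    touches any required right makes all of them count as missing,
    because deny entries win.
    """
    allowed = set()
    for ace_type, rights, ace_sid in parse_dacl(sddl):
        if ace_sid != sid:
            continue
        if ace_type == "D" and rights & REQUIRED:
            return set(REQUIRED)
        if ace_type == "A":
            allowed |= rights
    return REQUIRED - allowed


# Constructed sample: wuauserv before the GPO touched it. Authenticated
# Users (AU) can read the service and start, stop and pause it.
DEFAULT_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;AU)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
)

# Constructed sample: the same service after Group Policy rewrote the
# descriptor with no Authenticated Users entry, the state the post describes.
GPO_STRIPPED_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
)

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("gpo", GPO_STRIPPED_SDDL)):
        missing = check_service_sddl(sddl)
        print(name, "OK" if not missing else "missing " + " ".join(sorted(missing)))
```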


Tuesday, March 25, 2008

How to Enable RDP Remotely on XP Computers

In a previous article I explained how to enable Remote Desktop access on a remote computer.

I've noticed that these steps do not work on Windows XP computers. It turns out that you need to set two registry keys:
  • HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections should be changed from 1 to 0 (zero)
  • HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections should be changed from 1 to 0 (zero)

The first setting enables the RDP protocol on the computer to listen on TCP port 3389. The second setting allows users to log in via Remote Desktop. Both settings go into effect immediately and do not require a restart.

Note: If the second setting is not changed to 0 you will get a logon message saying, "Unable to log you on because of an account restriction." You will also get this same message if you attempt to log on via RDP with an account that has a blank password. The account you use must have a password to log on using Remote Desktop.

I wrote a batch file that will easily enable or disable Remote Desktop on a remote machine. The syntax is: RDP [computername] [ON | OFF]. Copy the code below and save it as RDP.BAT somewhere in your system path (I use C:\Windows).

---Begin Code---

@echo off
REM RDP.BAT - enable or disable Remote Desktop on a remote computer
REM Usage: RDP [computername] [ON | OFF]
if "%1"=="" goto Syntax
SET RemoteComputer=%1
REM Strip any leading backslashes so both SERVER and \\SERVER work
SET RemoteComputer=%RemoteComputer:\=%
if /i "%2"=="on" goto EnableRDP
if /i "%2"=="off" goto DisableRDP
goto Syntax

:EnableRDP
REG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if ERRORLEVEL 1 goto Error
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if ERRORLEVEL 1 goto Error
echo Remote Desktop has been enabled on %RemoteComputer%
goto End

:DisableRDP
REG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 1 /f
if ERRORLEVEL 1 goto Error
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
if ERRORLEVEL 1 goto Error
echo Remote Desktop has been disabled on %RemoteComputer%
goto End

:Error
echo ======================================================================
echo Make sure the remote computer is online and you have sufficient rights
echo to modify its registry.
echo ======================================================================
goto End

:Syntax
echo RDP enables or disables Remote Desktop on a remote computer
echo Visit for details
echo RDP [computername] [ON ^| OFF]
echo ON - Enable RDP on the remote computer
echo OFF - Disable RDP on the remote computer

:End
SET RemoteComputer=

---End Code---

Note that if Group Policy is configured to disable Remote Desktop (Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Allow users to connect remotely using Terminal Services), the HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections setting will revert back to 1 after a Group Policy refresh.


Thursday, March 20, 2008

Configuring Virtual Directories with Directory Browsing in IIS7

A website that uses directory browsing is a convenient way to display the files and folders in a directory using a web browser. An example of this is demonstrated here.

To configure directory browsing in IIS6, you simply enable the Directory Browsing checkbox on the Home Directory tab of the virtual directory. If you want users to authenticate before they can access the virtual directory, you disable anonymous access, enable Basic Authentication and configure the appropriate NTFS permissions on the target folder.

It's slightly different in IIS7 since IIS7 introduces the concept of delegated administration. This means that you can have the IIS configuration in web.config files which reside in the virtual directory. IIS has to read these config files very early in the connection attempt, i.e. when there is no authenticated user available yet. For this reason IIS has to use the process identity (usually Network Service) to read the web.config file.

To configure a virtual directory for directory browsing in IIS7:

  • Create or select the virtual directory in Internet Information Services (IIS) Manager
  • Double-click Authentication and select the appropriate authentication methods for the Vdir (default is Anonymous)
  • Select the Vdir again and double-click Directory Browsing. Click the Enable action
  • Right-click the Vdir and select Edit Permissions. Configure the NTFS permissions for the target folder and ensure that Network Service has read access to the folder

If you don't grant the Network Service account read rights on the Vdir, you'll get the following error when accessing it:

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.


Wednesday, March 5, 2008

How to Add SMTP Verb Commands to ISA Server 2006

If you have an ISA 2006 server between a Microsoft Exchange 2007 Edge server and the Exchange Hub Transport server, you may have a problem where messages queue on the Edge with 500 5.1.1 "unrecognized command" errors.

This Microsoft article partially explains how to resolve the problem. When the Edge Transport server tries to send mail through Microsoft Internet Security and Acceleration (ISA) Server 2006, with SMTP filtering or Secure SMTP (SMTPS) filtering enabled, the SMTP filter blocks the communication. You fix this by either disabling the SMTP filter on the ISA server or adding the verbs (and optionally their maximum length) to the SMTP filter.

What the article doesn't say is which verbs to add or their maximum length. Well, here they are:


  • DSN
  • AUTH
  • XEXCH50
  • SIZE

All the verbs have an empty maximum length except possibly SIZE, which should be set to the maximum message size allowed in your org, in bytes (for example, 10485760 for 10MB).


Monday, March 3, 2008

Temporary fix for "Performance Module could not find a performance counter"

The SCOM Team has posted a temporary fix for the "Performance Module could not find a performance counter" we've all been seeing after applying SCOM SP1.

Check out this post on the Operations Manager Product Team blog.


Automatically Reset the FTP Service in Windows Server 2008

One of the more popular tips I've posted is, "How to automatically reset the FTP service," in Windows Server 2003. This tip is useful for public FTP sites where bad guys are trying to hack in, usually using a dictionary attack.

Doing the same thing in Windows Server 2008 is slightly different and has an important caveat: it will not work with the Microsoft FTP Publishing Service for IIS 7.0 yet. It will work fine if you use the standard FTP Publishing Service included on the Windows Server 2008 DVD.

As in my original post, create a batch file named C:\Scripts\ResetFTPService.bat, as follows:

net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc

The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, use the Windows Server 2008 Task Scheduler:

  • Right-click Task Scheduler (under Configuration in Server Manager) and select Create a Basic Task

  • Name the task, "Reset FTP Service" and click Next

  • Choose When a specific event is logged as the Task Trigger, click Next

  • Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next

  • Select Start a program and click Next

  • Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next

  • Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish

  • In the Properties window select Run whether user is logged on or not and Run with highest privileges

  • Click OK

  • Enter the User name and Password for running this task

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.

Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.


Friday, February 29, 2008

Leap Year Error in Exchange 2007

Trouble with your Exchange 2007 address list service failing to respond today? Go home and try again tomorrow - it's a leap year.

Users around the world are reporting in the Microsoft Exchange Server Admin forum that they are unable to create new email and domain acceptance policies today, February 29. When they advance the clock on the Exchange server to March 1, 2008 the policies work as expected.

The issue is preventing admins from moving mailboxes between their Exchange 2007 servers, with the error:

"The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error."

If you do decide to change your server time, be sure to stop and disable the Windows Time service on the Exchange server to prevent the time from resynchronizing with the Domain Controllers. Also be aware of other side effects, such as message tracking and log changes, etc.

Update: Nino Bilic from the Microsoft Exchange team has confirmed this problem on the Exchange Team Blog:

"After investigation of this problem we have learned that this problem would occur only if you have started or restarted the Microsoft Exchange System Attendant service between 12:00AM UTC, Feb 29, 2008 and 12:00AM UTC, Mar 1, 2008.

"If you are impacted by this, all that you have to do is restart the Microsoft Exchange System Attendant service after the midnight UTC, March 1, 2008. Restart of the System Attendant will not disrupt your Information Store service."


Friday, February 22, 2008

Troubleshooting Exchange 2007 9646 Errors

A client has users who have been migrated from Exchange 2003 to Exchange 2007 SP1, running on Windows Server 2003 SP2.

After a while, users are no longer able to connect via Outlook to Exchange - OWA continues to function, but Outlook (2K3 and 2K7) stops working.

This is because of a new feature in Windows 2003 SP2 called "Scalable Networking". In short, it shuts down closed connections to the server, but it doesn't play well with Exchange. When Outlook connects over several MAPI sessions, the unused ones are shut down by Windows, but they aren't closed cleanly and Exchange still sees them as open sessions.

Once the user has 32 open sessions (a combination of valid and invalid ones), Exchange cuts them off and event ID 9646 errors appear in the mailbox server's event log:
Mapi session "/O=BLATHER/OU=PACIFICA/cn=Recipients/cn=CooperH" exceeded the maximum of 32 objects of type "session".

A hotfix will be released in late March that addresses the issue, but the short term fix is to run the following command from the command line on all Exchange 2007 mailbox servers:

Netsh int ip set chimney DISABLED

The following articles discuss the technology and the issue:


Thursday, January 10, 2008

Fix for SCOM 2007 Health Script failures

I had a problem with a couple of Windows Server 2003 domain controllers that were constantly showing as unhealthy in SCOM. The Health Explorer showed that the AD Op Master Roles monitor was failing. The Operations Manager event log would show the following events:

Event Type: Warning
Event Source: Health Service Script
Event Category: None
Event ID: 1
Date: 1/10/2008
Time: 5:50:05 AM
User: N/A
Computer: SADC01
AD Op Master Response : The script 'AD Op Master Response' failed to create object 'McActiveDir.ActiveDirectory'. This is an unexpected error.
The error returned was: 'The specified module could not be found.' (0x8007007E)


Event Type: Warning
Event Source: Health Service Script
Event Category: None
Event ID: 1000
Date: 1/10/2008
Time: 5:55:05 AM
User: N/A
Computer: SADC01
AD Lost And Found Object Count : The script 'AD Lost And Found Object Count' failed to create object 'McActiveDir.ActiveDirectory'. This is an unexpected error.
The error returned was 'The specified module could not be found.' (0x8007007E)

The solution is to run the OomADs.msi file in the C:\Program Files\System Center Operations Manager 2007\HelperObjects folder on the server having the problem. In my case, the domain controllers. Installation is quick and will not require a reboot. Once that's done restart the OpsMgr Health Service and you're good to go.


Wednesday, January 2, 2008

Fix for Problem Storing Email Attachments on Storage Card

I frequently try new ROMs for my Windows Mobile device. On my last ROM I came across an issue that prevented me from storing Email attachments on my 2GB microSD storage card. The Storage error says, "No unlocked storage card detected. Make sure an unlocked storage card is inserted and try again."

The problem occurs when Windows Mobile thinks the extended ROM is your storage card, and the extended ROM is locked (the default behavior).

Notice in the screenshot above that WM6 says I have only 8.52MB free (the extended ROM), not 2GB as it would be if it were looking at the storage card.

The fix is to hide the extended ROM, restart the mobile device and reconfigure email to store attachments on the storage card. You can then re-show the extended ROM if necessary.


Fixing Incorrect Directory Permissions in WSUS 3.0

I have a client with a fairly large WSUS deployment, comprised of 36 WSUS servers servicing over 10,000 computers and servers in a distributed environment. Recently, we upgraded the entire WSUS 2.0 SP1 infrastructure to WSUS 3.0. I noticed the following event on many, but not all, of the WSUS downstream servers:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Core
Event ID: 10012
Date: 1/2/2008 Time: 7:30:49 AM
User: N/A
Computer: SAFS01
Description: The permissions on directory D:\WSUS are incorrect.
For more information, see Help and Support Center at blah, blah, blah

These servers also suddenly began to fail their synchronization from the upstream server. Strangely, they had all been working fine for a few weeks after the upgrade. The solution is to modify the directory permissions as follows:
  • The root folder of the local content directory must have at least Read permissions for the Users security group and the NT Authority\Network Service account. In other words, if the WSUS content directory is D:\WSUS\WSUSContent, the D:\WSUS directory must have the correct permissions. The BITS service will fail if these permissions are not set.
  • The content directory itself (in the above example, the WSUSContent directory) must have Full Control permissions for the NT Authority\Network Service account.
  • The temporary ASP.NET directory (%windir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files) must have Full Control permissions for the NT Authority\Network Service account.
  • The system %TEMP% directory (usually %windir%\TEMP) must have Full Control permissions for the NT Authority\Network Service account.

After the permissions have been set correctly restart the Update Services service and check the Application event log for errors. You should be able to perform a synchronization successfully now.


Thursday, December 20, 2007

How to Overcome Windows Protected Groups Permissions Problems

Windows Active Directory protects certain built-in groups from ACL modifications. The purpose of this is to prevent these groups, and their members, from becoming inaccessible through restrictive permissions. For example, an administrator may accidentally (or maliciously) assign Deny All permissions to the Domain Admins group. Doing so would prevent the Domain Admins group members from managing the domain.

To fix this condition, the AdminSDHolder process reapplies default ACL permissions to all protected groups. This background process runs roughly once per hour. A side effect is that it removes the permissions inheritance attribute from all AD objects that are members of these protected groups. Membership is transitive, meaning that a user who is a member of a group that is itself a member of a protected group will also be affected by this process. A common side effect of this behavior is that affected users cannot change properties of their user object in AD or reset their own passwords using ADUC.

As a resolution you can modify the ACL permissions on the AdminSDHolder container in the System container of the domain. The ACL permissions applied to the AdminSDHolder container act as the "template" that is applied to all Windows Protected Groups.

The protected groups in Windows 2000 are:

  • Enterprise Administrators
  • Schema Administrators
  • Domain Administrators
  • Administrators

The protected groups in Windows Server 2003 and in Windows 2000 after you apply KB327825 or Service Pack 4 are:

  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Administrators
  • Schema Administrators
  • Enterprise Administrators
  • Cert Publishers

In addition, the following users are also considered protected:

  • Administrator
  • Krbtgt

The following steps explain how to modify the permissions on this container to allow members of these groups to modify their own attributes and reset their passwords using ADUC.

  • Run Active Directory Users and Computers (ADUC) with Domain Admin rights

  • View advanced features by selecting Advanced Features from the View menu

  • Select the System container in the selected domain

  • Right-click the AdminSDHolder container and select Properties

  • Click the Security tab and the Advanced button

  • Under Permission Entries select SELF and click Edit

  • Assign SELF Full Control permissions. Click OK.

  • Click OK to close the Advanced Security Settings for AdminSDHolder window

  • Click OK to close the AdminSDHolder Properties window

The new settings will propagate to all members of the Windows Protected Groups the next time the AdminSDHolder background process runs (about an hour).


Thursday, November 29, 2007

How to tell which .NET Framework SP is installed

Here's an easy way to tell which .NET Framework 2.0 service pack is installed. Open a command line and enter the following command as a single line:

reg query "HKLM\software\Microsoft\NET Framework Setup\NDP\v2.0.50727" /v SP

For .NET Framework 3.0, enter:

reg query "HKLM\software\Microsoft\NET Framework Setup\NDP\v3.0" /v SP

The commands return the REG_DWORD value of SP (0x0 for RTM or 0x1 for SP1).

Various .NET Framework updates and releases are available for download:


Monday, November 19, 2007

How to Enable Remote Desktop from a Remote Machine

[Note: Also see my other article that explains how to enable Remote Desktop for Windows XP computers]
Have you ever tried to connect to a server or workstation via RDP, but can’t because Remote Desktop isn’t enabled? Here’s how you can enable Remote Desktop remotely.

The following procedures assume that you have administrator rights on the target machine.
  1. Run Regedit
  2. Select File > Connect Network Registry
  3. Enter the name of the remote computer and click OK
  4. At the bottom of the registry tree you will see two hives appear for the remote machine: HKEY_LOCAL_MACHINE and HKEY_USERS
  5. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
  6. Double-click fDenyTSConnections in the right-hand pane and change the value from 1 to 0

Another way to accomplish the same task is by using WMIC, the WMI command line utility in Windows 2000, XP, Vista and 2003 Server. Here's the one line command:

wmic /node:TargetComputer PATH Win32_TerminalServiceSetting WHERE AllowTSConnections=0 CALL SetAllowTSConnections 1

The command above is not case sensitive, by the way.

Note that neither of these methods requires a restart of the remote machine; however, I have seen it sometimes take a minute to take effect. Remember, patience is a virtue. :)


Saturday, November 17, 2007

Automatically Reset the FTP Service

[Click here for a Windows Server 2008 version of this article]

A client of mine utilizes the Microsoft FTP service in Windows Server 2003 IIS 6.0 on a public web server.

Unfortunately, the FTP service is notoriously insecure since it transmits passwords in plain text. It also does not offer any way to block brute force or dictionary attacks. Because of this, the client was seeing multiple failed logins from the Administrator account, several times per second. These show up as warnings in the System event log from the MSFTPSVC source with event ID 100. Since I always rename the Administrator account as a standard best practice, it was obvious these attempted logins were coming from an attacker.

Windows Server 2008 will offer Secure FTP (or FTP over SSL) as a separate download for IIS7, which will be the first major improvement to the protocol since it was developed. But being that my client is running Windows 2003, this isn't an option.

The solution I used involves the Windows EventTriggers utility. I created a batch file named C:\Scripts\ResetFTPService.bat, as follows:

net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc

The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, I use EventTriggers as follows:

eventtriggers /CREATE /TR "Reset FTP Service" /TK C:\Scripts\ResetFTPService.bat /L System /EID 100 /SO MSFTPSVC /RU ""

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source MSFTPSVC is logged in the System event log. The /RU switch causes the task to run under the Local System account, which has the rights necessary to run unattended.


Friday, October 12, 2007

Fixing Side-By-Side Errors

I've run across a few servers that are throwing the following "Side By Side" error in the Application event log:

Event Type: Error
Event Source: SideBySide
Event Category: None
Event ID: 59
Date: 10/12/2007
Time: 7:30:55 AM
User: N/A
Computer: FDOMOPS01
Description: Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_DEC6DDD2\MFC80U.DLL. Reference error message: The referenced assembly is not installed on your system.

Usually, I've found these servers to be running SQL 2005. The fix is to install the Microsoft Visual C++ 2005 Redistributable Package. It's available here:


Thursday, August 30, 2007

Don't Use Google for ISA Health Checks

Have you or your users run across the following lately when accessing Google?

403 Forbidden


We're sorry......

but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected. We'll restore your access as quickly as possible, so try again soon. In the meantime, you might want to run a virus checker or spyware remover to make sure that your computer is free of viruses and other spurious software.

We apologize for the inconvenience, and hope we'll see you again on Google.

The trouble may not be a virus or spyware, it may be your ISA server. One of the features that ISA server offers is HTTP health checks. This allows you to configure a web address that ISA will access on a regular basis and alert you if the response time exceeds the configured threshold.

Google must be getting hit hard with spybots that frequently hit their network. They've taken steps to monitor repetitive access to the same page from a single source IP. When they detect this, they serve up the page above with something akin to CAPTCHA to ensure that a real human is accessing Google and allow you to continue your search.

If this is happening to you, it may be because you've configured your health checks to target Google. Reconfigure your proxy server's HTTP health checks to use another site.


Tuesday, August 14, 2007

ASP .NET 2.0 is Reported Missing

Various applications may return a failure indicating that ASP .NET 2.0 is missing, even though it's installed. System Center Operations Manager 2007 (SCOM) is an example.

This failure occurs if you install Internet Information Services (IIS) after you have installed .NET Framework 2.0. If you install .NET Framework 2.0, then install IIS while selecting ASP .NET 2.0 as an optional component, the ASP .NET 2.0 extensions might not be registered correctly in the IIS metabase.

The solution for this is to go to the %SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v2.0.50727 folder and, from a command prompt, run the command: aspnet_regiis.exe -i -enable


Wednesday, June 13, 2007

NTVDM encountered a hard error

I ran across this one today when trying to run a 16-bit application on a Windows 2003 Server. I run the app and it pops up a Windows dialog box saying, "System Error : NTVDM encountered a hard error."

Turns out that the environment path for "TEMP" and "TMP" is invalid. Normally these paths resolve to their 8.3 pathname, so an environment variable set to %USERPROFILE%\Local Settings\Temp will resolve to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp. On my problem server the path resolves to C:\DOCUME~1\ADMINI~1\Local Settings\Temp; note the space in Local Settings. This mix of long filenames and 8.3 names is invalid.

To resolve the issue, I changed the user TEMP and TMP variables to use C:\TEMP.


Monday, May 14, 2007

How to Debug Windows Memory Dumps

From time to time, we're faced with the dreaded BSOD, or bugcheck, on a Windows machine. The procedures below guide you through the steps necessary to analyze and debug dump files.

For a downloadable copy of these procedures, click here: How%20To%20Debug%20Memory%20Dumps.doc

  • Download and install the Microsoft Debugging Tools from

  • Go to Start > All Programs > Debugging Tools For Windows > WinDbg

  • Click on File > Symbol File Path, enter your symbol file path and click OK.

  • Click File > Save Workspace so that your symbols path is saved for future use.

  • Now locate your memory dumps. Small memory dumps are usually located in %systemroot%\minidump and Kernel memory dumps are located in %systemroot%\MEMORY.DMP.

  • Go to File > Open Crash Dump and load the file. You may get a message to save base workspace information. If so, choose No. Now you will get a debugging screen. It may take a little bit to run, since the symbols are downloaded as they are needed. Then you will see information such as:

Microsoft (R) Windows Debugger Version 6.7.0005.0
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [\\hoem02\c$\windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\symbols*
Executable search path is:
Windows Server 2003 Kernel Version 3790 MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_gdr.050225-1827
Kernel base = 0xe0b49000 PsLoadedModuleList = 0xe0be66a8
Debug session time: Wed May 9 02:01:49.965 2007 (GMT-7)
System Uptime: 6 days 22:51:23.840
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffff00c). Type ".hh dbgerr001" for details
Loading unloaded module list
* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck A, {4, 2, 0, e0b6136d}

Probably caused by : volsnap.sys ( volsnap!VspWriteVolumePhase35+3a )

Followup: MachineOwner

  • So far, we can tell that the bugcheck was caused by volsnap.sys, which is the Microsoft volume shadow copy driver. Use !analyze -v to get detailed debugging information. The most useful information is at the top of the analysis:

* *
* Bugcheck Analysis *
* *


An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: e0b6136d, address which referenced memory

  • From here, we can tell that volsnap.sys tried to read memory from an IRQL that was too high. This is usually caused by a bad driver, in this case, volsnap.sys.

  • Next, let's find out what process was calling volsnap.sys. Enter !thread in the kd> command line input box and look for the line that begins with Owning Process:

2: kd> !thread
THREAD faa03658 Cid 0568.1954 Teb: 7ffac000 Win32Thread: 00000000 RUNNING on processor 2
Not impersonating
DeviceMap e1003978
Owning Process fc1913b0 Image: cvd.exe
Wait Start TickCount 38443765 Ticks: 0

  • Now enter !process fc1913b0 0 (the hex number of the Owning Process), a space and the number 0.

2: kd> !process fc1913b0 0
PROCESS fc1913b0 SessionId: 0 Cid: 0568 Peb: 7ffff000 ParentCid: 0218
DirBase: dd4a3000 ObjectTable: e141a910 HandleCount: 475.
Image: cvd.exe

  • We can now tell that the cvd.exe process (used by Commvault) called the volsnap.sys driver. Since volsnap.sys is a Microsoft driver, a quick check on TechNet reveals that there is an updated VSS package available for our server ( which addresses the problem.

Note: Writing debugging information must be configured on the machine prior to the BSOD in order to get a memory dump. This is done in the Advanced tab of system properties. Set it to "Kernel memory dump" in order to get the process information.
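As an added example (not part of the original post), the following Python script automates the chain just walked through by hand: it pulls the bugcheck code and arguments, the driver named by !analyze, and the owning process from the !thread and !process output out of a saved WinDbg transcript, and checks that the !process result agrees with !thread. SAMPLE is a constructed transcript assembled from the output shown above, and the regular expressions assume the WinDbg 6.x line formats shown there.

```python
"""Pull the triage facts out of a saved WinDbg transcript.

Added example, not code from the original post. It follows the chain the
post walks by hand: bugcheck code/arguments -> driver named by !analyze
-> owning thread and process from !thread and !process. SAMPLE is a
constructed transcript assembled from the output shown in the post.
"""
import re

# Standard Windows bugcheck names; only the code met in the post is listed.
BUGCHECK_NAMES = {0xA: "IRQL_NOT_LESS_OR_EQUAL"}

# Line formats as printed by WinDbg 6.x in the post (assumed stable).
BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
CAUSED_BY_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)\s*\(\s*([^)\s]+)", re.M)
THREAD_RE = re.compile(r"^THREAD\s+[0-9a-fA-F]+\s+Cid\s+([0-9a-fA-F]+)\.[0-9a-fA-F]+", re.M)
OWNING_RE = re.compile(r"^Owning Process\s+([0-9a-fA-F]+)\s+Image:\s*(\S+)", re.M)
PROCESS_RE = re.compile(
    r"^PROCESS\s+([0-9a-fA-F]+)\s+SessionId:\s*\d+\s+Cid:\s*([0-9a-fA-F]+)"
    r".*?^Image:\s*(\S+)", re.M | re.S)


def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from the 'BugCheck X, {a, b, c, d}' line."""
    m = BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no BugCheck line in transcript")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    return code, args


def decode_bugcheck_a(args):
    """Interpret the four 0xA arguments the way !analyze -v labels them."""
    return {"memory_referenced": args[0], "irql": args[1],
            "access": "write" if args[2] else "read",
            "fault_address": args[3]}


def triage(text):
    """Summarise a transcript; sections that were not run come back as None."""
    code, args = parse_bugcheck(text)
    result = {"bugcheck": code,
              "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
              "args": args, "driver": None, "symbol": None,
              "thread_cid": None, "owning_process": None, "image": None,
              "consistent": False}
    if code == 0xA and len(args) == 4:
        result.update(decode_bugcheck_a(args))
    m = CAUSED_BY_RE.search(text)
    if m:
        result["driver"], result["symbol"] = m.group(1), m.group(2)
    m = THREAD_RE.search(text)
    if m:
        result["thread_cid"] = m.group(1).lower()  # process half of Cid pppp.tttt
    m = OWNING_RE.search(text)
    if m:
        result["owning_process"], result["image"] = m.group(1).lower(), m.group(2)
    m = PROCESS_RE.search(text)
    if m and result["owning_process"]:
        # !process must agree with !thread: same EPROCESS address, same
        # process Cid, same image. A mismatch means the wrong address was
        # typed into !process, so the blame it implies cannot be trusted.
        result["consistent"] = (m.group(1).lower() == result["owning_process"]
                                and m.group(2).lower() == result["thread_cid"]
                                and m.group(3) == result["image"])
    return result


# Constructed sample transcript, assembled from the output shown in the post.
SAMPLE = r"""Loading Dump File [\\hoem02\c$\windows\MEMORY.DMP]
Use !analyze -v to get detailed debugging information.

BugCheck A, {4, 2, 0, e0b6136d}

Probably caused by : volsnap.sys ( volsnap!VspWriteVolumePhase35+3a )

Followup: MachineOwner

2: kd> !thread
THREAD faa03658 Cid 0568.1954 Teb: 7ffac000 Win32Thread: 00000000 RUNNING on processor 2
Not impersonating
DeviceMap e1003978
Owning Process fc1913b0 Image: cvd.exe
Wait Start TickCount 38443765 Ticks: 0

2: kd> !process fc1913b0 0
PROCESS fc1913b0 SessionId: 0 Cid: 0568 Peb: 7ffff000 ParentCid: 0218
DirBase: dd4a3000 ObjectTable: e141a910 HandleCount: 475.
Image: cvd.exe
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```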
