Monday, November 30, 2009

WMI Error Invalid Class 0x80041010 fix

I went and wrote a PowerShell script that performs a software audit of a Microsoft network. However, half the machines on the network returned an error saying Invalid Class 0x80041010. When I ran a WMI query against a failed computer manually, sure enough it failed again!

wmic /Failfast:on /node:"ausdc01" product GET /all

Node - AUSDC01
ERROR:
Code = 0x80041010
Description = Invalid class
Facility = WMI




When PowerShell queried it I also got an error:

Get-WmiObject : Invalid Class



When these queries were run against the server, the following events were logged in the Application log:

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_MemoryError where (type = 3221553223) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_PCIBusError where (type = 2147811416) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_SMBIOSError where (type = 3221553253) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_CPUError where (type = 2147811392) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_PlatformSpecificError where (type = 3221553255) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.


I installed WMITools on both a server that was working correctly and a server that was not working. Download WMITools from here:

http://www.microsoft.com/downloads/details.aspx?familyid=6430F853-1120-48DB-8CC5-F2ABDC3ED314&displaylang=en

In WMI CIM Studio I saw that the CIM_Products\Win32_Product WMI class existed on one server, but not on the other.

Server that fails with the WMI error 0x80041010:



Server that worked:



After some more research I found that the Win32_Product class is added when the Management and Monitoring Tools --> WMI Windows Installer Provider component is installed.

Add this component and it will resolve the problem:



Remotely Push Out the WMI Windows Installer Provider

In my case I want to use the WMI Windows Installer Provider to perform a software inventory of my network. I cannot do this if the component isn't installed on every computer throughout my domain. It is installed by default on Vista, 2008 and Windows 7, but not on Windows XP or 2003.

To do this, first place the i386 folder from a Windows 2003 CD on a network share, as the WMI Windows Installer Provider requires a few files from it.

Next we have to create a custom .reg file to change where our computers look for the i386 directory when installing Windows component files. This data is located under:

HKLM\Software\Microsoft\Windows\CurrentVersion\Setup



The two values we need to change are CDInstall, which must be 0 as we are not installing from a CD, and SourcePath. Whatever you put as SourcePath, the Add/Remove Windows Components utility appends \i386 to the end of it. I shared my i386 directory out as "i386", so to navigate to it I type \\ausdc01\i386. This means for my SourcePath I enter \\ausdc01.

The default value for SourcePath is D:

Next we need to export the changes to a .reg file. Right click on Setup and click Export. Make sure the export range is set to Selected branch and not All.



Once exported, open the .reg file in Notepad. Many subkeys under the Setup key will have been exported along with our data. These are not required and need to be removed. Everything below the red square in the image should be removed. Also remove BootDir, in case we actually do have a server that doesn't have C:\ as its boot partition!



Copy the registry file you have created to a network share. In my environment I just used the netlogon directory, in which I created a folder wmichange: \\domain\netlogon\wmichange.

You could use PsTools or a startup script to make this change on servers now by simply scripting:

regedit /s \\domain\netlogon\wmichange\installsource.reg

However, we are going to encompass this as part of the same script.

Next we need to make an unattended setup file, much like we do for large-scale desktop or server deployments. Create the file under the same directory as above. I called mine answer.txt:

\\domain\netlogon\wmichange\answer.txt

In the answer file enter:

[Components]
WbemMSI = On



This is what is required to install the Management and Monitoring Tools --> WMI Windows Installer Provider component.

You can specify any components in add and remove windows components in an answer file. Here are some good links for future reference:

http://itk.samfundet.no/dok-filer/ms-xp-sp2-deployment-ref/u_components.htm
http://forums.techarena.in/server-scripting/738510.htm

The command to kick off this unattended install is:

sysocmgr.exe /i:%windir%\inf\sysoc.inf /u:\\domain\netlogon\wmichange\answer.txt

This will go through and add the WMI Windows Installer Provider component for us.



This should install the component without prompting for any user interaction. It will pull the files off the network share as configured above.

Now, finally, let's create a batch script under our \\domain\netlogon\wmichange\ directory called run.bat.

Put both commands in the bat file:

regedit /s \\domain\netlogon\wmichange\installsource.reg
sysocmgr.exe /i:%windir%\inf\sysoc.inf /u:\\domain\netlogon\wmichange\answer.txt



There are two ways to run this: remotely using PsExec, or via a startup script. Below I will only show how to use PsExec.

PsExec is a program to remotely execute commands, and is part of the PsTools pack. Get it from:

http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

PsExec can run a command against every computer in a domain, or against a list of computers from a text file. Remember that only 2003 and XP don't have the WMI Windows Installer Provider installed by default, so we only want to target those.

Below I will run the command against a single computer CANHQDC01 which did not have the WMI Windows Installer Provider installed.

psexec \\CANHQDC01 "\\domain\netlogon\wmichange\run.bat"

Below shows you the output of the command and how it carried out all the tasks:



Error code 0 is good, it means there were no errors. Now I can perform software audits on CANHQDC01 using WMI where before I couldn't!
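As an added example (not code from the original post), the script below generates the three files described above and reports which computers still lack the Win32_Product class, so the PsExec target list can be built before the rollout and the result confirmed afterwards. The share path \\domain\netlogon\wmichange, the source server ausdc01 and a computers.txt listing host names are assumptions taken from the post; adjust them for your environment.

```powershell
# Added example, not from the original post. Assumptions (placeholders from
# the post, adjust for your environment):
#   $Share  - the netlogon folder holding installsource.reg, answer.txt, run.bat
#   $Source - server sharing the i386 folder; the components wizard appends \i386
#   $Share\computers.txt - one host name per line (assumed to exist)
$Share  = '\\domain\netlogon\wmichange'
$Source = '\\ausdc01'

# 1. installsource.reg. Backslashes inside .reg string values must be doubled,
#    which is easy to get wrong when hand-editing an exported file.
$escapedSource = $Source -replace '\\', '\\'
$regFile = @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"CDInstall"=dword:00000000
"SourcePath"="$escapedSource"
"@
# Version 5.00 .reg files are Unicode (UTF-16LE with BOM), which -Encoding Unicode writes.
Set-Content -Path "$Share\installsource.reg" -Value $regFile -Encoding Unicode

# 2. answer.txt: the single component sysocmgr needs to add.
Set-Content -Path "$Share\answer.txt" -Value "[Components]`r`nWbemMSI = On" -Encoding ASCII

# 3. run.bat: the two commands from the post, in order.
$bat = @"
regedit /s $Share\installsource.reg
sysocmgr.exe /i:%windir%\inf\sysoc.inf /u:$Share\answer.txt
"@
Set-Content -Path "$Share\run.bat" -Value $bat -Encoding ASCII

# 4. Which computers still need the provider? Test for the class itself rather
#    than querying its instances: a machine with no MSI products would otherwise
#    look broken, and enumerating Win32_Product makes Windows Installer run a
#    consistency check on every installed product.
function Test-Win32Product {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $status = 'missing'
        try {
            # With -List, -Class is a filter; a missing class simply returns nothing.
            $cls = Get-WmiObject -List -Class Win32_Product -ComputerName $c -ErrorAction Stop
            if ($cls) { $status = 'present' }
        } catch {
            $status = "unreachable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{ ComputerName = $c; Win32_Product = $status }
    }
}

# Run before the rollout to build the target list, and again afterwards to
# confirm the class now exists on every machine.
$results = Test-Win32Product -ComputerName (Get-Content "$Share\computers.txt")
$results | Format-Table ComputerName, Win32_Product -AutoSize
$results | Where-Object { $_.Win32_Product -eq 'missing' } |
    ForEach-Object { $_.ComputerName } |
    Set-Content -Path "$Share\needs-provider.txt" -Encoding ASCII
```

needs-provider.txt can then be passed to PsExec with its file-list option instead of running run.bat against the whole domain. Machines reported as unreachable are usually a firewall or DCOM permission problem rather than a missing provider, and are worth separating from the "missing" list before the rollout.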

Test Exchange Connectivity

I found an awesome tool for testing Exchange connectivity for things like Exchange ActiveSync, ActiveSync AutoDiscover, Synchronization, Notification, Availability, OOF, and SMTP.

To use it simply go to:

https://www.testexchangeconnectivity.com/

Sunday, November 29, 2009

Converting Active Directory Integer8 values

Active directory stores dates as Integer8 (a 64-bit number) values. These cannot be read easily by the human eye.

There are many ways to convert these values... I'll show you a few tricks to do this.

Let's export an Integer8 value:

dsquery * "CN=computerobject,OU=Servers,DC=Domain,DC=internal" -attr lastLogon
lastLogon
129040375603051932



One way you can accomplish this is by using PowerShell:

$(get-date 1/1/1601).adddays(($(&dsquery * "CN=computerobject,OU=Servers,DC=Domain,DC=internal" -attr lastLogon)[1].Trim())/(60*10000000)/1440)



If you don't have PowerShell you can simply use the w32tm utility:

w32tm /ntte 129040375603051932
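As an added example (not code from the original post), the function below does the same conversion with the .NET FILETIME conversion rather than date arithmetic, and handles the two sentinel values that a plain conversion mishandles: 0 ("never") and Int64.MaxValue ("never expires", as stored in accountExpires). The second half reads the raw values without dsquery. The distinguished name and the sample value are taken from the post; the extra attribute names are standard Active Directory attributes.

```powershell
# Added example, not from the original post.
function ConvertFrom-Integer8 {
    param([Parameter(Mandatory = $true)][Int64]$Value)
    # 0 means "never set" (lastLogon: never logged on; pwdLastSet: must change
    # password at next logon). Int64.MaxValue means "never" for accountExpires.
    if ($Value -eq 0)                 { return 'never' }
    if ($Value -eq [Int64]::MaxValue) { return 'never expires' }
    # Integer8 counts 100-nanosecond intervals since 1601-01-01 UTC, i.e. a FILETIME.
    # FromFileTimeUtc keeps the result in UTC; FromFileTime would convert to local time.
    [DateTime]::FromFileTimeUtc($Value)
}

ConvertFrom-Integer8 129040375603051932     # the value exported in the post
ConvertFrom-Integer8 0
ConvertFrom-Integer8 9223372036854775807    # accountExpires "never"

# Reading the raw values without dsquery: DirectorySearcher returns Integer8
# attributes as Int64 already, so no string trimming is needed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(distinguishedName=CN=computerobject,OU=Servers,DC=Domain,DC=internal)'
$searcher.PropertiesToLoad.AddRange(@('lastLogon', 'lastLogonTimestamp', 'pwdLastSet', 'accountExpires'))
$result = $searcher.FindOne()
if ($result) {
    foreach ($attr in 'lastlogon', 'lastlogontimestamp', 'pwdlastset', 'accountexpires') {
        $raw = $result.Properties[$attr]
        if ($raw.Count -gt 0) { "$attr = $(ConvertFrom-Integer8 $raw[0])" }
        else                  { "$attr = (not set)" }
    }
}
```

Note that lastLogon is not replicated between domain controllers, so the value depends on which DC answered the query; lastLogonTimestamp is replicated but by default is only refreshed when the stored value is more than 9 to 14 days old, so it is suitable for finding stale accounts rather than for exact last-logon times.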

Thursday, November 26, 2009

Recovering Windows Encrypted Data for EFS and Bitlocker

In this post I'm going to go over two encryption methods built natively into Windows, EFS (Encrypting File System) and BitLocker, and how to recover the data should the encryption keys become lost or corrupt.

BitLocker

BitLocker requires Trusted Platform Module (TPM) v1.2 or higher. TPM is a security chip built into the computer's hardware. It either has it or it doesn't. If you don't have a TPM you cannot use BitLocker.

The TPM contains information such as:
- the recovery password
- TPM owner password
- information required to identify which computers and volumes the recovery information applies to.

On a Microsoft network, if you deploy BitLocker to all your Vista / Windows 7 workstations or 2008 member servers, you can deploy a group policy to store this TPM backup data in Active Directory. This ensures that data can always be recovered by authorized users even if the physical computer containing the BitLocker-protected hard drive fails. You cannot save recovery information in Active Directory if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.

There are 5 files needed to achieve TPM password backups:
- Add-TPMSelfWriteACE.vbs
- BitLockerTPMSchemaExtension.ldf
- List-ACEs.vbs
- Get-TPMOwnerInfo.vbs
- Get-BitLockerRecoveryInfo.vbs

Download these files from here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&DisplayLang=en

If you are at 2003 functional level you have to perform a schema extension to create the attributes in Active Directory required to store the TPM recovery information. If you are at 2008 functional level this is not required.

If you are serious about backing up TPM recovery information to Active Directory, please carefully read the following TechNet article:

http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx

I do not recommend implementing BitLocker into an active directory organisation without backing up the TPM recovery information from all bitlocked machines on the network.

Encrypted File System

The Encrypting File System uses Data Recovery Agents (DRAs) to back up encryption keys. You can have one or more DRAs for different departments under different organisational units, or everyone under one DRA.

When you setup EFS you create a version 2 EFS user certificate from the EFS cert template and roll the certificates out to all users using auto-enrollment (Requires 2003 functional level).

If you are looking to implement EFS in your organisation make sure you read and completely understand Data Recovery Agents by reading the following article:

http://technet.microsoft.com/en-us/library/bb457020.aspx

Wednesday, November 25, 2009

5.1.0 500-'Firewall Error'

When trying to send external emails out we were getting the following error randomly for particular emails:

[203.10.1.143] #<[203.10.1.143] #5.0.0 smtp; 5.1.0 - Unknown address error 500-'Firewall Error' (delivery attempts: 0)> #SMTP#;

CAUSE: The Cisco firewall has a configuration entry like the following (it may have additional parameters specified after in addition to esmtp):

ip inspect name esmtp

This problem occurs because of incompatibilities or restrictions caused by the Cisco firewall configuration. It is more likely to occur if you are sending an email to multiple recipients or using a distribution list in Exchange.

FIX: Disable this entry in the Cisco firewall configuration by inserting the word "no" at the beginning of the line, so that it reads something like:

no ip inspect name esmtp

Other people have seen this problem as well:
http://www.solutions.pro/email-server-generates-500-firewall-error-error-8/
http://nzschooltech.blogspot.com/2009/09/exchange-management-console-issue-on.html
http://mattlog.net/2008/12/31/exchange-2007-500-firewall-error/

Tuesday, November 24, 2009

Email Dossier - A great way to test email addresses

An awesome website to test email addresses, the MX records and a test SMTP conversation for them is:

http://centralops.net/co/EmailDossier.aspx

Here is a screenshot of the type of information it produces:

Saturday, November 21, 2009

SMTP Site Links in Active Directory - When To Use

I'm sure most of you Microsoft administrators out there have seen SMTP site links before. What are they, and how are they different to the standard IP site links used by the DRA (Directory Replication Agent, the component that compresses replication data for inter-site replication)?

If you have an extremely unreliable connection with high latency you must use SMTP Site Links and not IP Site Links. These are connections like satellite for example - satellite connections must use SMTP for replication as IP will not function correctly.

One thing about SMTP Site Links is it cannot replicate the SYSVOL, it only replicates things like the Schema Naming Context and the Default Domain Naming context. It can also replicate Global Catalog Data. Because SMTP Site Links cannot replicate SYSVOL, they can only be used between different domains in the same active directory forest (remember active directory sites and services is the physical network topology for all logical domains in a forest - not just for 1 domain like we usually see).

If you have a company with a remote site over satellite links, you need a domain controller on site, as satellite latency is way too high to authenticate over the WAN. Your only option is to create a child domain for that remote site. This is not a bad thing: remember that child domains have transitive trusts and can access all resources in the parent domain anyway if granted permissions, so don't be scared of creating additional domains, it is very easy. Most companies try to get away with just a single Active Directory domain, but in some cases you are required to have additional domains!

For more information please read:

http://technet.microsoft.com/en-us/library/bb742427.aspx
http://support.microsoft.com/kb/244368

Microsoft Recommends SATA for Exchange 2010

Exchange 2010 has a new I/O pattern that results in 70 percent lower I/O requirements than Exchange 2007 (and Exchange 2007 had 70 percent lower I/O requirements than Exchange 2003!). This reduced I/O pattern, thanks to optimizations that make it so writes don't come in bursts anymore, combined with advancements in SATA drives, means SATA is now a realistic storage platform for Exchange 2010. SATA was previously just for desktop systems.

Microsoft recommends when using SATA storage you have your mailboxes replicated to at least 3 other servers in your organisation using DAGs - the latest and greatest in exchange mailbox high availability... see:

http://clintboessen.blogspot.com/2009/08/exchange-2010-database-mobility.html

Mailbox databases are replicated and made highly available with load balancing across your organisation, so no single server becomes mission critical. When deployed correctly, if a single mailbox server were to fail, no one would care, whereas with previous versions people would be panicking. The server can simply be repaired whenever the administrator gets a chance, 3 months down the line if need be.

Also, as long as you have your mailboxes replicated to at least 3 servers, Microsoft says you no longer need to worry about backing up to expensive tape devices and storage media. This also comes about with the new Dumpster 2.0 replacing the old Dumpster 1.0 that was used in Exchange 2003 and 2007. If you need all mail to be kept for 10 years, even after a user has deleted it, you can configure this using the dumpster, allowing administrators to manually retrieve deleted items from the DAG on any physical server. Quoted from Microsoft: "Your organization can rely on the Exchange 2010 high availability infrastructure—which can provide up to sixteen replicated database copies—rather than tape backups to recover from failures, which helps you to reduce operating costs."

For more about dumpster 2.0 read:

http://clintboessen.blogspot.com/2009/10/exchange-2010-dumpster-20.html

Because SATA is a cheap storage solution where you can buy 2TB drives for next to nothing, these disks will be locally attached to the servers. My recommendation is not to virtualize the mailbox servers, as they usually have high load even in a load balanced solution. This is one of very few servers in a Windows environment I would not virtualize; nearly everything else should be virtualized. Microsoft does not recommend virtualizing servers with high utilization!

Links:

http://www.microsoft.com/exchange/2010/en/my/storage.aspx
http://www.microsoft.com/exchange/2010/en/us/mailbox-resiliency.aspx

Friday, November 20, 2009

Windows 2008 Versions - Hardware Support

Below I will list the different versions of server 2008 and what each support in terms of hardware.

Edition                       Memory   Processors
Server 2008 Web Server x86    4GB      4
Server 2008 Web Server x64    4GB      4
Server 2008 Standard x86      4GB      4
Server 2008 Standard x64      32GB     4
Server 2008 Enterprise x86    64GB     8
Server 2008 Enterprise x64    2TB      8
Server 2008 Datacenter x86    64GB     32
Server 2008 Datacenter x64    2TB      64

Windows 2008 Datacenter can only be purchased OEM.

Thursday, November 19, 2009

Citrix RDP Logon Error

The following error was experienced when logging onto a Citrix server using a standard user account with RDP. Administrator accounts can still log on with RDP.

The desktop you are trying to open is currently available only to administrators. Contact your administrator to confirm that the correct settings are in place for your client connection.

Also the error message "To log on to this remote computer, you must have Terminal Server User Access permissions on this computer."



The second error usually appears when you are trying to log onto a terminal server and you do not have the "Allow logon through Terminal Services" user rights assignment in place. In most cases you nest the user account or Domain Users inside "Remote Desktop Users", a group that is always granted "Allow logon through Terminal Services".

However, with Citrix installed, even though these permissions are right it will still not log in. To resolve this, run tscc.msc to open Terminal Services Configuration. Go to the properties of the RDP-Tcp connection, go to the Citrix Settings tab, and untick "Non-administrators only launch published applications".

Wednesday, November 18, 2009

Use Old Run As Windows 7 and Windows Vista

In Windows XP/2003 you had a feature to run a program as another user called "Run As". In Windows Vista and Windows 7, when you right-click there is only "Run as administrator", which automatically runs the program as an administrator account available on the local computer or domain.



For Windows 7 this menu still exists it's just hidden. To be able to run a program as a different user press CTRL + SHIFT then right click on the application.



For Windows Vista there is no way with the core windows build apart from using command prompt and using the runas.exe command line tool.

However, Sysinternals has come to the rescue here with a small applet, ShellRunas. Grab it from here:

http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx

Connect to Printer Error Windows Vista and Windows 7

The following error was experienced when trying to add a printer from a 2003 print server to a Windows 7 PC.

Windows cannot connect to the printer. No printers were found.



To get around this, instead of adding the printer as a network printer (like you would normally do), add it as a local printer creating a printer port. Perform the following steps to do this:

Select Add a Local Printer.



Select Create a New port... in the port box select Local Port.



Under enter a port name, enter the UNC path of the printer on the print server.



Click Have disk to manually select the driver.



Download the driver from the manufacturer's website. Windows Vista and Windows 7 drivers are very similar; if the manufacturer only has an x86 or x64 Vista driver it will most likely work on Windows 7. In my case I downloaded the driver from the Ricoh website as I have a Ricoh Aficio MP C4500 printer. Select the driver in the wizard.



Sometimes drivers have support for multiple printers. Select the right printer that matches your model.



Provide the printer with a name



Wait for the driver to install.



Print a test page to verify that the procedure worked. Click finish.



This error is pretty generic and can have multiple causes, but generally it occurs when the print server does not have the correct print driver for your version of Windows. On the Windows 2003 print server you cannot see whether it has Windows Vista or Windows 7 driver support.



To add in support for windows vista and windows 7 you need to use the print management console from a windows 2008, vista or windows 7 PC. Print management console comes as part of the RSAT (Remote Server Administration Tools).

To download RSAT for Windows Vista go to:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en

To download RSAT for Windows 7 go to:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

Then simply add the driver to the print server for windows vista or windows 7.

Microsoft Connection Manager Administration Kit (CMAK)

The connection manager administration kit is a handy tool to allow users to easily configure their VPN connection on the client workstation. It supports PPTP, L2TP and SSTP.

CMAK creates an executable file that users can download from a Web site. Then all they have to do is double click on the file and the connectoid that you’ve configured for them will be automatically installed on their computers. The users then just need to double click on the connectoid object in the Network Connections folder to dial up the VPN connection. This incurs much less overhead than trying to teach the users how to create their own VPN connections.

Instead of documenting the procedure, I already found an awesome screenshot-by-screenshot post on windowsecurity.com by Thomas Shinder. Please refer to that for more information on how to set it up:

http://www.windowsecurity.com/articles/Windows-Server-2008-Connection-Manager-Administration-Kit.html

Tuesday, November 17, 2009

Exchange 2010 Enterprise Edition Spam Updates

I just read a good article published by the Microsoft Exchange Team:

http://msexchangeteam.com/archive/2009/10/14/452868.aspx

In Exchange 2003/2007 you were able to update your spam definitions through Microsoft Update. With Exchange 2010 Standard this is the same. However, with Exchange 2010 Enterprise you need to have Forefront in order to get your spam updates. The following is a quote from the article published by the Exchange team:

"With Exchange Server 2010 Enterprise CAL anti-spam definition updates will not be provided by Microsoft Update. They will be made available via Forefront Security for Exchange."

Sunday, November 15, 2009

Exchange Version Based Routing

With Exchange 2007 SP2 and Exchange 2010 there is a new term called version based routing. Basically, an Exchange 2007 mailbox server can only communicate with the store driver on a 2007 hub transport server, and an Exchange 2010 mailbox server can only communicate with an Exchange 2010 hub transport server. However, an Exchange 2007 hub transport server can route mail to an Exchange 2010 hub transport. For co-existence you must place at least 2 hub transport and 2 mailbox servers in every site containing both Exchange 2007 and 2010, to support both infrastructures.

This picture is handy in showing how they coexist inside a single site:

Thursday, November 12, 2009

Perform an Offline MBSA Scan

This post shows you how to perform an offline scan with the microsoft baseline security analyzer. This is required when there is no WSUS or Microsoft update server on your network.

First you must have an up to date catalog file of all the updates that are available via microsoft update. Obviously you need to get to a PC with an internet connection to obtain this. The file that contains the update information is called wsusscn2.cab. This is always changing as new updates are released... but you can always download the latest copy by going to this link:

http://go.microsoft.com/fwlink/?LinkId=76054

Make a list of all computers you want to scan and save it in a text file like this:



Download and install MBSA from the following link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=F32921AF-9DBE-4DCE-889E-ECF997EB18E9&displaylang=en

Open a command prompt and navigate to:

C:\Program Files\Microsoft Baseline Security Analyzer 2

Run the following command:

mbsacli /catalog c:\wsusscn2.cab /listfile c:\computers.txt /wi /nvc /nd

/wi = Show all updates even if not approved on the WSUS server.
/nvc = Do not check for a new version of MBSA.
/nd = Do not download any files from the Microsoft Web site when scanning.

Wait for the scan to complete... once complete open up the MBSA console from the start menu. Click view existing security scan report.

Event ID 3019 - MRxSmb

A very common event error that appears on many workstations and servers is this:

Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3019
Date: 13/11/2009
Time: 8:27:32 AM
User: N/A
Computer: ALOE
Description:
The redirector failed to determine the connection type.



This error can be ignored. It occurs whenever a network drive is mapped, and a user goes and tries to map the same network drive again. For example if you have a logon script that maps the drive when a user logs in, then next time they login it tries to remap the drives again, it will generate this error for each failed drive mapping.

Tuesday, November 10, 2009

Service Unavailable when accessing OWA

I had users getting the Service Unavailable error when accessing outlook web access:



On the client access server the following application pools continued to crash even after restarting them:



The following errors were logged in the System log in Event Viewer:

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1039
Date: 11/11/2009
Time: 2:06:56 PM
User: N/A
Computer: EXCHANGESERVER
Description:
A process serving application pool 'MSExchangeUMAppPool' reported a failure. The process id was '8048'. The data field contains the error number.

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1039
Date: 11/11/2009
Time: 2:06:56 PM
User: N/A
Computer: EXCHANGESERVER
Description:
A process serving application pool 'DefaultAppPool' reported a failure. The process id was '9136'. The data field contains the error number.

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1039
Date: 11/11/2009
Time: 2:06:56 PM
User: N/A
Computer: EXCHANGESERVER
Description:
A process serving application pool 'MSExchangeAutodiscoverAppPool' reported a failure. The process id was '4712'. The data field contains the error number.

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1039
Date: 11/11/2009
Time: 2:06:56 PM
User: N/A
Computer: EXCHANGESERVER
Description:
A process serving application pool 'MSExchangeOWAAppPool' reported a failure. The process id was '7460'. The data field contains the error number.

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1039
Date: 11/11/2009
Time: 2:06:56 PM
User: N/A
Computer: EXCHANGESERVER
Description:
A process serving application pool 'MSExchangeServicesAppPool' reported a failure. The process id was '4016'. The data field contains the error number.

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1002
Date: 11/11/2009
Time: 2:07:02 PM
User: N/A
Computer: EXCHANGESERVER
Description:
Application pool 'MSExchangeAutodiscoverAppPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1039
Date: 11/11/2009
Time: 2:07:02 PM
User: N/A
Computer: EXCHANGESERVER
Description:
A process serving application pool 'MSExchangeOWAAppPool' reported a failure. The process id was '1352'. The data field contains the error number.

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1002
Date: 11/11/2009
Time: 2:07:40 PM
User: N/A
Computer: EXCHANGESERVER
Description:
Application pool 'MSExchangeOWAAppPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.

These problems occurred because .NET Framework 1.1 was installed on an x64 Exchange server. .NET Framework 1.1 only comes in 32-bit. When you install it on an x64 server it enables Enable32BitAppOnWin64 for IIS, which causes the application pools to crash. To resolve this problem perform the following actions:

1. Uninstall .NET Framework 1.1 from add and remove windows components.

2. Disable 32bit support in IIS by running the following command:

cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0

3. Reinstall ASP.NET by running the following command:

%SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i

4. Restart IIS by running the following command:

iisreset


Here is a list of all commands entered into the shell to resolve the problem:



Now OWA is working again as normal:

Sunday, November 8, 2009

Exchange 2007 /exchange Not Redirecting

Scenario: an Exchange 2003 to 2007 migration. The new client access server role is put in place on a box with no other roles. An Exchange 2007 mailbox server exists on another server. Users who have an Exchange 2007 mailbox on the 2007 mailbox server can log in using https://mail.companydomain.com/owa. However, when they use https://mail.companydomain.com/exchange they get the following error:

"You do not have permissions required to access this Web site. Please contact the Web site administrator."



However, the username and password are right, because if you go to https://mail.companydomain.com/owa it works fine.

https://mail.companydomain.com/exchange is meant to redirect them to https://mail.companydomain.com/owa automatically. To resolve this we installed 3 IIS components on the backend exchange 2007 mailbox server:
- ISAPI Extensions
- Basic Authentication
- Windows Authentication



After this /exchange redirected to /owa again as it should for 2007 mailbox users.

Saturday, November 7, 2009

Account Operators - A Fast Way to Delegate Control for Service Desk

One of the painful things that is always neglected but still very important is the delegation of control for service desk staff. Service desk staff need access to perform tasks in active directory, however you want to limit their actions as to what they can do. This is where delegation access lists come into play, however creating a successful delegation permission list is not an easy thing to do for most administrators and can take time to get right.

For companies that are very busy and do not have time to do this, there is a Built-In group called Account Operators which is always overlooked by administrators. In fact this group is perfect for help desk staff; here is why:

Account Operators is a domain local group that grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers. However, Account Operators can't manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can't modify user rights.

After reading this I encourage you to take your help desk employees out of the Domain Admins group and add them to the Account Operators group; it will allow them to perform most elements of their service desk duties.

MPIO and Windows Server 2008

MPIO is short for Multipath I/O. MPIO was made to support failover redundancy and load balancing solutions. With MPIO, an unexpected hardware failure between the server and its data storage will not lead to an interruption of service or connectivity. When configured as a load balancing solution, MPIO can be used to share the load of client connections between two or more physical paths in order to avoid bandwidth saturation of any one path, which could lead to reduced or unsatisfactory performance for end users.

MPIO supports the following storage technologies:
- iSCSI
- Fibre
- SAN

During configuration the following supported options for Multipath I/O Load Balancing Modes of operation will be presented:

Failover. With Failover based Load Balancing a primary path is configured to be used at all times, unless it should become unavailable at some point. In the event that the primary should become unavailable, then traffic will be failed over to a configured secondary path. No load balancing takes place with this configuration. It is strictly for the purposes of providing a redundant secondary path in the event of any sort of failure to the primary path.

Failback. Will always prefer the primary, and will only direct to the secondary when the primary is not available. Will always go right back to the primary as soon as it is available again.

Round Robin. All available paths will be used in a balanced approach.

Round Robin with a subset of paths. Primary paths are specified, and used in a Round Robin balancing manner. Secondary paths listed in decreasing order of preference will only be used when the last of the primary paths becomes unavailable.

Dynamic Least Queue Depth. I/O will always use the path with the smallest traffic load on it.

Weighted Path. Each path will be assigned a weight, and the path with the lowest number will always be chosen as the priority path. The higher the number, the lower the priority.

The default configuration is Round Robin when the storage controller is set for
active / active. When the storage controller is set for Asymmetric Logical Unit Access the default configuration is Failover.

Once installed, MPIO can be launched from either of 2 locations: the Control Panel or Administrative Tools. Some storage vendors have their own Device Specific Modules (DSMs) designed to work with W2K8. To install them, open the MPIO Control Panel Configuration Utility | DSM tab.

To install MPIO add it under server manager features:

Access-based Enumeration

Access-based Enumeration was first introduced in Windows Server 2003 Service Pack 1. This feature allows users to see only the files and folders to which they have access when browsing content on a Windows file server. This eliminates confusion for end users who would otherwise see a large number of folders to which they do not have access.

There is a brilliant white paper written by Microsoft for Server 2003 on ABE (Access-Based Enumeration) which can be downloaded here.

As explained in the Microsoft white paper, to enable access-based enumeration you use the abecmd command-line tool.

abecmd /enable 10.0.0.2 "Customer Accounts"

10.0.0.2 being the file server
"Customer Accounts" being the share for which ABE is being enabled.

There is also a handy TechNet article on Access-Based Enumeration for Server 2003 which can be found here:

http://technet.microsoft.com/en-us/library/cc784710(WS.10).aspx

In Server 2003, however, you could not enable access-based enumeration on a DFS Namespace share.

Now in Windows Server 2008 DFS you can enable access-based enumeration on a DFS namespace by using the dfsutil command line tool as follows:

dfsutil property abde enable \\<namespace root>

For more information about access-based enumeration on 2008 DFS Namespaces see:

http://technet.microsoft.com/en-us/library/dd919212(WS.10).aspx

Wednesday, November 4, 2009

How to insert a checkbox in Word 2010

This was frustrating me for ages; in the end my mate Alan showed me how to do it. Thought I might blog it in case someone else has the same problem.

To insert a check box in 2010 you need to enable developer tools like you did in 2007; it's just in a different place.

Go to the document information screen.



Click options



Click Customize Ribbon then tick the Developer tickbox.



There will now be a developer tab where you can add the checkbox:

Tuesday, November 3, 2009

Bind9 Error on Ubuntu

I noticed an error on all my secondary bind9 servers running on Ubuntu Linux. This error was appearing in the daemon.log file in /var/log:

zone 4playgames.local/IN: refresh: unexpected rcode (SERVFAIL) from master 192.168.10.2#53 (source 0.0.0.0#0)

On the primary DNS server I was receiving this error message in daemon.log:

zone 4playgames.local/IN: loading from master file 4playgames.local.zone failed: CNAME and other data

The primary DNS server was still functioning correctly; however, this one zone file was no longer loading. What caused the problem was that there were 2 records with the same name. A "CNAME" and an "A" record both had the same owner name in the zone file, which caused the entire zone file to stop loading.
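As an added check (my own example code, not from the post or from BIND), the following Python reads a zone file and reports any owner name that has a CNAME alongside other records, which is exactly the condition that stops BIND loading the zone; named-checkzone reports the same thing, and the sample zone below is constructed for illustration, not the author's real zone.

```python
from collections import defaultdict

# Constructed sample zone, modelled on the failure described above (not the
# author's real zone): "www" carries both a CNAME and an A record.
SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN 4playgames.local.
@       IN  SOA   ns1.4playgames.local. hostmaster.4playgames.local. (
                  2009110301 ; serial
                  3600 1800 604800 86400 )
        IN  NS    ns1.4playgames.local.
ns1     IN  A     192.168.10.2
www     IN  CNAME web.4playgames.local.
www     IN  A     192.168.10.20
mail    IN  A     192.168.10.3
        IN  MX    10 mail.4playgames.local.
"""

RR_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "SOA", "TXT", "PTR", "SRV"}

def parse_zone(text):
    """Return {owner: set(types)}; handles $ directives, ';' comments,
    parenthesised multi-line records and blank-owner (inherited) lines."""
    owners = defaultdict(set)
    last_owner = None
    depth = 0  # parenthesis nesting, e.g. a multi-line SOA
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth:  # continuation of a parenthesised record: no new owner
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$"):
            continue
        depth += line.count("(") - line.count(")")
        fields = line.split()
        if raw[0].isspace():  # blank owner inherits the previous one
            owner = fields and last_owner
        else:
            owner, fields = fields[0], fields[1:]
        last_owner = owner
        # TTL and class are optional, so the type is within the next three
        rtype = next((f.upper() for f in fields[:3] if f.upper() in RR_TYPES), None)
        if rtype:
            owners[owner].add(rtype)
    return owners

def cname_conflicts(owners):
    """Owner names holding a CNAME plus any other data: the condition BIND
    rejects with 'CNAME and other data', refusing to load the whole zone."""
    return sorted(n for n, t in owners.items() if "CNAME" in t and len(t) > 1)
```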