Sunday, January 31, 2010

What is WinRM?

WinRM is short for Windows Remote Management. It is Microsoft's new remote management standard which allows administrators to remotely manage and remotely execute programs on Windows machines. Prior to this, Remote Procedure Calls (RPC) had to be used for everything by collecting data from the COM and DCOM services. A popular remote management tool that used these RPC calls was the PSTools package by Sysinternals.

WinRM 1.1 first showed its face in Windows Server 2003 R2 but can now also be downloaded and installed for Windows XP and Windows 2003 from:

http://www.microsoft.com/downloads/details.aspx?familyid=845289ca-16cc-4c73-8934-dd46b5ed1d33&displaylang=en

WinRM 1.1 can also be found in:
- Windows Vista
- Windows Server 2008
- Windows Server 2008 (Core Install)

The new version of WinRM 2.0 can be found in:
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008 R2 (Core Install)

Although WinRM is included in all these builds of Windows, it is not enabled by default on any.

WinRM is based on the Web Services for Management (WS-Management) standards. WS-Management uses SOAP (Simple Object Access Protocol) requests to send and receive instructions to remote computers. As shown on the Wikipedia page, SOAP requests are sent and received using XML. An advantage of WinRM is that it uses port 80 for communication, a port that is usually left open by firewalls and client machines on a network. Because WinRM is XML based, it will also pass through firewalls that perform packet inspection on port 80.

"Hold on one second," you're saying. "I have servers that run IIS web servers. They are already listening on port 80. WinRM is rubbish!" Well, Microsoft has put special code around this that allows WinRM to share port 80 with IIS for your dedicated web servers. But be careful when installing third-party web servers such as Apache on a Windows PC. I have not tested this but it is something to be mindful of. Please leave a comment if you have more information about different applications running on port 80 with WinRM. One more thing I'd like to point out is that only WinRM 1.1 listens on port 80 by default. WinRM 2.0 on Windows 2008 R2 and Windows 7 uses 5985 by default and 5986 for SSL-based encryption.

WinRM leverages the WMI database to perform many tasks - so make sure WMI is running and is healthy if you are looking to use WinRM. You may already be running WinRM in your environment without knowing it. Many system management products on the market use WinRM as a means of gathering data from the network and performing remote tasks. One well known product that relies on WinRM 2.0 is Powershell 2.0. Powershell 2.0 uses WinRM to remotely launch code on a remote PC.

WinRM is only one half of WS-Management. There is actually a client that communicates with the WinRM server component called WinRS (Windows Remote Shell).

A question you may be asking: it uses port 80, not 443, so does this mean it's not encrypted? No. All WinRM data is encrypted using whatever "Integrated Windows Authentication" is set to on the host machine (either NTLM or Kerberos). Alternatively, if you have a PKI set up, you can set up SSL for use with WinRM on your internal network. If SSL is in use, NTLM and Kerberos get ignored.

Enough talk, let's see WinRM in action!

First let's find out if the WinRM server is running on a Windows PC by typing:

winrm enumerate winrm/config/listener



This error means the WinRM server is not running:

WSManFault
Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

Error number: -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".


The easiest way to start the WinRM server unless you want to do custom configuration is by using the "winrm quickconfig" command.



Hit "Y" to make the change. Next it asks you if you want to allow it to make an HTTP listener and create a Windows Firewall exception.



Hit "Y" to make the change. WinRM is now running and can be remotely managed by WinRS (the WinRM client).



Now re-run the "winrm enumerate winrm/config/listener" command to see if WinRM is working:



We see it listening on port 5985. This is because I'm running Windows 7 on this PC, so it's using WinRM 2.0.
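
The port and transport points above can be checked mechanically. The PowerShell below is an added example, not code from the original post: it parses listener output and notes which listeners use plain HTTP and which default port each one matches. The sample text is constructed (it combines listeners as they might appear on a WinRM 1.1 host and a WinRM 2.0 host) and the function names are hypothetical.

```powershell
# Added example, not from the original post. $sampleOutput is a constructed
# sample in the layout printed by "winrm enumerate winrm/config/listener";
# host name, addresses and thumbprint are placeholders.
$sampleOutput = @'
Listener
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.10.20

Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.10.25, ::1

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = server01.example.local
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 0000000000000000000000000000000000000000
    ListeningOn = 127.0.0.1, 192.168.10.25, ::1
'@

function ConvertFrom-WinRMListenerText {
    # Turns the "Listener" blocks of the text output into one object each.
    param([Parameter(Mandatory = $true)][string]$Text)
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $trimmed = $line.Trim()
        if ($trimmed -eq 'Listener') {
            # A new "Listener" header closes the previous record.
            if ($null -ne $current) { New-Object PSObject -Property $current }
            $current = @{}
        }
        elseif ($null -ne $current -and $trimmed -match '^(?<key>\w+)(\s*=\s*(?<value>.*))?$') {
            # Lines such as "Hostname" carry no value; store an empty string.
            $value = ''
            if ($Matches.ContainsKey('value')) { $value = $Matches['value'].Trim() }
            $current[$Matches['key']] = $value
        }
    }
    if ($null -ne $current) { New-Object PSObject -Property $current }
}

function Test-WinRMListener {
    # Adds review notes based on the transport and port of each listener.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Listener)
    process {
        $notes = @()
        if ($Listener.Transport -eq 'HTTP') {
            $notes += 'no SSL: traffic protection depends on NTLM/Kerberos'
        }
        switch ($Listener.Port) {
            '80'    { $notes += 'port 80: WinRM 1.1 default, shared with IIS' }
            '5985'  { $notes += 'port 5985: WinRM 2.0 HTTP default' }
            '5986'  { $notes += 'port 5986: WinRM 2.0 SSL default' }
            default { $notes += 'non-default port' }
        }
        if ($Listener.Enabled -ne 'true') { $notes += 'listener disabled' }
        New-Object PSObject -Property @{
            Transport = $Listener.Transport
            Port      = $Listener.Port
            Review    = ($Listener.Transport -eq 'HTTP' -and $Listener.Enabled -eq 'true')
            Notes     = ($notes -join '; ')
        } | Select-Object Transport, Port, Review, Notes
    }
}

# On a live host: $text = winrm enumerate winrm/config/listener | Out-String
ConvertFrom-WinRMListenerText -Text $sampleOutput |
    Test-WinRMListener |
    Format-Table -AutoSize -Wrap
```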

Now from another PC I can use the WinRS client to remotely execute commands against that workstation/server by using the "winrs -r:https://myserver.com" command. Please note that you need to run the command as a user in the remote computer's "Administrators" group. By default WinRS will use your active Windows credentials. However, I do not run my computer as administrator for security purposes, so I will need to specify a user account with Domain Admins rights to ensure I have correct access by using the -u: switch.

Let's try grabbing a readout of the directory structure on c:\ of the remote PC:

winrs -r:http://tursanplt01:5985 -u:domainname\useraccount "dir c:\"



As you see, it returned the results of the command. I blurred my credentials as this is a production network and I do not want you to even know the name of one of my domain admin accounts.

Also let's see what build of Windows the remote computer is running by sending the "ver" command:

winrs -r:http://tursanplt01:5985 -u:domainname\useraccount "ver"



6.1.7600 is Windows 7 with no service pack.

As you see, WinRM is a very handy tool and can be used instead of PSExec from the Sysinternals PSTools kit. With PowerShell 2.0 integration the possibilities are endless with what you can do. Lastly I would like to point out that many other 2008 features such as Event Forwarding also rely solely on WinRM, so it's a must know!

Error -2147221233 reading property

On Exchange 2000, 2003 or 2007 you may witness the following error multiple times in the application logs on your Exchange server.

Event Type: Error
Event Source: MSExchangeIS Public Store
Event Category: Replication Errors
Event ID: 3093
Date: 1/02/2010
Time: 1:56:41 PM
User: N/A
Computer: EXServerName
Description:
Error -2147221233 reading property 0x674b0014 on object type tbtMsgFolder from database "First Storage Group\Public Folder Store (AUSMAIL01)".





This happens when diagnostics logging is set to MAX for the MSExchangeIS Public object, Replication category. This happens by design.

When you see "-2147221233" or "0x8004010f" this means "No errors were found". When logging is set to max, Exchange logs every read even when it was not an error. This was made by design.

Recently Microsoft has documented this in a KB article which can be found at:

http://support.microsoft.com/kb/225090

Friday, January 29, 2010

Microsoft Forefront TMG Standard vs Enterprise

You're looking at implementing Microsoft Forefront TMG (Threat Management Gateway). This is the new version of ISA (Internet Security and Acceleration) server.

Forefront only comes in x64... but do you need Standard Edition or Enterprise Edition? With a big difference in price you want to know what you're getting.

A feature comparison chart between the two versions can be found on the following Microsoft website:

http://technet.microsoft.com/en-us/library/ee207137.aspx

Saturday, January 23, 2010

Exchange 2010 Licensing and High Availability Planning FAQ

In this post I'm going to address many questions that come up around licensing with Exchange 2010, as this can be a very confusing area - it took me a while to understand it properly!

Can I have Exchange 2010 Standard Edition mixed with Exchange 2010 Enterprise in the same Exchange organisation?

Yes - you can. For example you could have an Exchange 2010 Enterprise Edition mailbox server DAG talking to Exchange 2010 client access servers and hub transport servers in the same Active Directory site.

Is exchange 2010 enterprise needed for clustering?

No - you can set up Exchange 2010 clustering with nothing but Exchange Standard Edition for all 5 roles. However, you may need Windows Server Enterprise Edition or higher depending on what roles you want to cluster, as Exchange 2010 leverages some high availability functionality from the operating system.

Which exchange roles need Windows 2008 Enterprise Edition for High Availability?

Hub Transport does not require Enterprise Edition of Windows Server 2008 for high availability. This clustering functionality is built into both Exchange 2010 Standard and Enterprise Edition. The Microsoft Exchange Mail Submission service on Mailbox servers automatically load balances between all available Hub Transport servers in the same Active Directory site.

Client Access does not require Enterprise Edition of Windows Server 2008 for high availability. To cluster a Client Access Server Array you need to implement NLB (Network Load Balancing). However, if you have a third-party hardware-based network load balancer for stateless applications such as a CAS server, you can get away from using Network Load Balancing. Remember when planning for NLB implementation it is best to create a separate VLAN for NLB cluster traffic. Network Load Balancing is a feature of Windows Server 2008 Standard and Enterprise.

Mailbox Role does require Enterprise Edition of Windows Server 2008 for high availability. Exchange 2010 DAGs (Database Availability Groups) utilize the Windows Server 2008 Enterprise Edition Cluster Services role. Exchange 2010 Standard Edition supports DAG clustering as long as it is installed on Windows Server 2008 Enterprise Edition.

Unified Messaging does not require Enterprise Edition of Windows Server 2008 for high availability. The Unified Messaging server automatically load balances connections between all available Hub Transport servers in the same Active Directory site. Unified Messaging deployments can be made more resilient by deploying multiple Unified Messaging servers where two or more are in a single dial plan. The Voice over IP (VoIP) gateways supported by Unified Messaging can be configured to route calls to Unified Messaging servers in a round-robin fashion. In addition, these gateways can retrieve the list of servers for a dial plan from DNS. In either case, the VoIP gateways will present a call to a Unified Messaging server and if the call is not accepted, the call will be presented to another server, providing redundancy at the time the call is established.

Edge Transport can be made highly available in 3 different ways - all of which perform load balancing.

1. You can set up NLB (Network Load Balancing) and load balance all edge connections. Network Load Balancing is available in both Standard and Enterprise editions of Exchange.

2. You can use a third-party hardware-based network load balancer for stateless applications. This will allow you to use Windows Server 2008 Standard Edition and reduce licensing costs.

3. You can perform load balancing using DNS with multiple MX records with the same priority. This requires you to have a public IP address for each edge transport server sitting in your DMZ so you can port forward TCP port 25 uniquely on your Internet-facing router.

Can I use Windows Server 2008 R2 instead?

Yes - Exchange 2010 is supported on the following platforms:

64-bit edition of Windows Server 2008 Standard with Service Pack 2 (SP2)
64-bit edition of Windows Server 2008 Enterprise with SP2
64-bit edition of Windows Server 2008 R2 Standard
64-bit edition of Windows Server 2008 R2 Enterprise

I would always recommend Windows 2008 R2 as it comes with PowerShell Version 2 natively. This means you can use remote shell functionality on your Exchange servers. PowerShell Version 2 is coming out on normal 2008 Server, however it is still in a Community Technology Preview.

Is there different media for Exchange 2010 Standard or Enterprise?

No - There is only one Exchange 2010 media. The licensing editions are defined by a product key. When you enter a valid license product key, the supported edition for the server is established.

Can you upgrade an Exchange 2010 Standard Edition server to Exchange 2010 Enterprise Edition?

Yes - Product keys can be used for the same edition key swaps and upgrades only. Simply change the product key in Exchange and reboot - then your Exchange server will be Enterprise Edition.

Can you downgrade an Exchange 2010 Enterprise Edition server to Exchange 2010 Standard Edition?

No - You can only swap product keys from enterprise to enterprise. You cannot downgrade from Enterprise to Standard.

Do I need my Exchange 2010 product key to setup my Exchange infrastructure?

No - You can set up your Exchange servers in evaluation mode (Trial Edition). Once you have your infrastructure set up how you like, you can use a valid product key to move to either Standard Edition or Enterprise Edition.

I changed my product key but the Exchange Version has not changed?

You need to reboot for this to take effect.

How long does Exchange 2010 trial edition go for?

Trial Edition goes for 120 days. If you wish to extend a trial longer than 120 days you will need to format and reload your Exchange Server(s). Trial Edition is great for proof of concepts as the customer does not need to pay for an Exchange license up front.

What are the differences in Exchange roles between Standard Edition and Enterprise Edition?

Hub Transport - None.

Client Access - None.

Mailbox Role - Standard Edition is limited to 5 databases per server. Enterprise Edition can scale to 100 databases per server. Both Standard and Enterprise Editions support DAGs. Remember if you plan to use DAGs this requires Windows 2008 Enterprise Edition as it requires the Clustering Services component. In regards to Database Availability Groups, a passive database still counts as one database - keep this in mind if you choose Exchange Standard!

Unified Messaging - None.

Edge Transport - None.

In a large enterprise installation of Exchange 2010, to keep costs down Exchange 2010 Enterprise Edition should only be installed on servers that are going to run the mailbox server role.

How many mailbox servers can I have in a DAG?

A database availability group (DAG) is the base component of the high availability and site resilience framework built into Microsoft Exchange Server 2010. A DAG is a group of up to 16 Mailbox servers that host a set of databases and provide automatic database-level recovery from failures that affect individual servers or databases.

A DAG is a boundary for mailbox database replication, database and server switchovers, and failovers, and for an internal component called Active Manager. Active Manager is an Exchange 2010 component which manages switchovers and failovers that runs on every server in a DAG.

You can create multiple DAGs in an Exchange 2010 organisation.

See this blog post for more information about DAGs:

http://clintboessen.blogspot.com/2009/08/exchange-2010-database-mobility.html

Can I have other Exchange 2010 roles on a DAG cluster?

Yes - You may install other Exchange 2010 roles on a DAG cluster except Edge Transport, as this role cannot be combined with any other Exchange 2010 roles. This is a change from Exchange 2007. In an Exchange 2007 SCC or CCR mailbox cluster no other Exchange roles could be installed on the cluster.

Can I use Enterprise user CALs for Exchange Server 2010 Standard Edition servers?

Yes - Enterprise Edition CALs can be used for Exchange Standard Edition.

Do I need Exchange Standard or Enterprise User CALs?

If you plan to use Exchange Unified Messaging or Archiving you need to buy Enterprise User CALs.

If you wish to use Premium Journaling (which allows you to configure archiving per mailbox) you also need Enterprise User CALs. If you wish to journal on a mailbox database level you can get away with Standard User CALs.

Personal Tags for Archive and Retention policies require Enterprise CALs for any mailbox they are configured on.

If you do not plan to use Unified Messaging or Archiving you can purchase Standard User CALs.

What is the External Connector license (EC)?

The External Connector license (EC) is an optional additional server license for external users that enables access to your servers running Exchange Server 2007. With this license, you do not need to buy individual Exchange Server CALs. The EC license is purchased for every copy of Exchange Server 2007 that can be accessed by the external user. An example of an external user is a person who is not an employee or similar personnel of the company or its affiliates. This license allows access to the Exchange server by an unlimited number of external users that can include, but is not limited to, business partners, suppliers, customers, retirees, and alumni. It is licensed per server.

Can I upgrade my Standard user CALs to Enterprise user CALs?

Yes, when you buy Exchange you must always buy the Exchange user licenses. These are also known as the "standard user CALs". The Enterprise CALs are an "upgrade" to the standard CALs. If you want Enterprise user CALs you must buy the standard CALs + the Enterprise CALs.

Do I need to install the Exchange 2010 user CALs?

No - You do not install the user CALs on the server. You ensure you have them to hand for licensing purposes. If your company gets randomly audited by Microsoft there can be a fine involved if you are not licensed correctly.

I have external users accessing my Exchange environment that do not work for my company. Do they require a user CAL?

No - You do not need to buy user CALs for people that do not work for your company. Instead you can get an External Connector license (EC). The External Connector license (EC) is an optional additional server license for external users that enables access to your servers running Exchange Server 2010. With this license, you do not need to buy individual Exchange Server CALs. The EC license is purchased for every copy of Exchange Server 2010 that can be accessed by the external user. An example of an external user is a person who is not an employee or similar personnel of the company or its affiliates. This license allows access to the Exchange server by an unlimited number of external users that can include, but is not limited to, business partners, suppliers, customers, retirees, and alumni. It is licensed per server.

Are Windows Server user CALs also required for my Exchange Users?

Yes - both Windows Server User CALs and Exchange User CALs are required. If you are setting up a hosted Exchange solution there is a separate licensing system called "SPLA".

I currently have Exchange 2003 with Windows Server 2003 in my environment which I have user CALs for. Can I use my Exchange 2003 licenses on Exchange 2010 and Windows Server 2008?

No - If you wish to go to the new products you need to buy new licenses. However, licenses are backwards compatible; for example, if you were to buy Exchange 2010 User CALs these can be used on Exchange 2003.

Do I need to buy an Exchange 2010 server license for an Exchange Server running passive mailbox databases?

Yes - You need a license for all members in the DAG. In Exchange 2010 a server does not become passive/active like in previous versions. It's the mailbox database that is active or passive. A DAG can contain a server running both active and passive mailbox databases. Because of this Microsoft built their licensing around "all servers in a DAG must have a server license regardless if they have all mailbox databases passive or not".

When am I required to purchase new user CALs for Exchange 2010?

I had someone below ask me a very tough question. He asked "if I was to purchase an Exchange 2007/2010 edge transport server, and still use Exchange 2003 in the backend, am I still required to purchase user Client Access Licenses (CALs) for Exchange 2007/2010?" The answer is yes!

This question stumped me so I contacted Graham Crawford from Microsoft Licensing. He explained to me that this is known as multiplexing in licensing terms. Whenever any software communicates with Exchange 2007/2010 in any way, a license is required for each user communicating to that server. In this scenario all users are communicating with the edge transport server through Exchange 2003, as the edge will be used for spam filtering, so user CALs for Exchange 2010 are required.

Another scenario is when you have a mixed environment with say 400 users with their mailboxes located on Exchange 2003, and 600 users with their mailboxes located on Exchange 2010. 1000 Exchange 2010 user CALs are required as the 400 Exchange 2003 users are still communicating with email routing to the Exchange 2010 servers!

To summarise, as soon as you implement an Exchange 2010 server, you will require a User CAL for every user in your organisation.

Do I require licenses for shared mailboxes?

I had a user ask me if they require licenses for any shared mailboxes. This user has 250 user mailboxes and 100 shared mailboxes.

I contacted Adam from Microsoft Licensing Australia. He told me that licenses are only required per user. Shared mailboxes that multiple users access do not require a license.

If you have any other questions about Exchange 2010 Licensing and High Availability Planning that I did not address here, please leave a comment and I will update this post answering your query ASAP.

Error 0x800710FE

In Windows Vista or Windows 7, when deleting a folder or file from a folder that is redirected to a network share you may experience the following error:

An unexpected error is keeping you from deleting the file. If you continue to receive this error, you can use the error code to search for help with this problem.

Error 0x800710FE: This file is currently not available for use on this computer.



To resolve this problem perform the following steps:

1. Click Start and enter regedit in the start search to open Registry Editor.
2. Expand to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache
3. Add a new key:
Key Name: FormatDatabase
Key Type: DWORD
Key Value: 1
4. Restart the computer; the CSC cache is then rebuilt. Test the same issue again.

If this does not resolve the problem, try uninstalling anti-virus software as there have been known cases where AV has caused this problem.

Wednesday, January 20, 2010

Make One Page Landscape - Microsoft Word 2007

When writing a Word document you want one page landscape and the rest portrait. How do you do this?

You need to do what's called a section break; this is different to a page break.



Once you have a section break you are then able to change the Orientation of the page.

Monday, January 18, 2010

Dell Studio 1537 Laptop Wireless Problems

You may have read my previous post about Bluetooth problems with the Dell Studio laptop. This was fixed by upgrading the firmware from A07 to A08.

See:
http://clintboessen.blogspot.com/2009/05/dell-studio-1537-laptop-bluetooth.html

However, the A08 firmware has another bug. If you plug a network cable into the laptop, load a few websites etc, then unplug the network cable and use it on wireless, the wireless will not work until a reboot.

Dell released another firmware upgrade A09 that fixes this!

Saturday, January 16, 2010

Loading your settings failed. (Access is denied.)

I restored a PC from backup using the ntbackup utility. I restored all programs and content on the C:\ including the windows directory and program files. I also restored the systemstate meaning I restored the registry, all user accounts, drivers etc.

However I did not restore the profiles!

I could log in fine with a standard user account. However my profile settings did not save. Also when I ran a VB Script I got the following error:

Loading your settings failed. (Access is denied.)



I went into the registry and saw that my HKCU for that user was read only for all users. My user account did not have ownership and "Full Control" of the entire HKCU key and all sub keys.



This was a hard problem as I couldn't exactly run regedit.exe as Administrator as then it would show me the HKCU for the Administrator account. HKCU is the ntuser.dat file in the users profile directory. It is registry settings unique to that user profile... so when you open regedit it will only display the HKCU settings for that user's ntuser.dat file!

The way I fixed this was I added that user into the "Administrators" group. I then went in and took ownership of the HKCU key and all sub keys. Then took full control. I then removed the user from the "Administrators" group.

Monday, January 11, 2010

Enable Backup Exec Agent Debug Logging

If you have a weird backup error on the Symantec Backup Exec server you may want to turn on debug logging on the Backup Exec agent for the server in question to help you diagnose the problem.

To do this, first stop the "Backup Exec Remote Agent for Windows Systems" service on the server with the problem.

Edit the properties of the service and in the start parameters enter -debug



Next you need to enable debugging in the registry:

HKLM\Software\Symantec\Backup Exec for Windows\Backup Exec\Engine\Logging

Change the DWORD CreateDebugLog to "1" to enable debug logging:



Next start the "Backup Exec Remote Agent for Windows Systems" service again.

The logs will be located in this folder:

C:\Program Files\Symantec\Backup Exec\RAWS\logs

Start the backup and review the client log file for additional information as to what caused it to error out.

Saturday, January 9, 2010

iiNet Perth DNS Server Change

This post is only relevant to people that live in Australia mainly around Perth - international readers please ignore.

The popular DNS server dns.iinet.net.au (203.0.178.191) has been used by many IT professionals in Perth for years due to its fast response times and massive cache!

However, as of December 2009 iiNet has configured ACLs on this DNS server to only allow people from iiNet IP addresses to use it. Many other ISPs, such as Amnet (another popular Perth ISP), lock down their DNS servers to only their IP ranges as well.

I found this out as one of my sites was connected using Internode, running a bind9 server that forwarded DNS requests to iiNet. If iiNet failed it would use recursion to perform the lookup. However, whenever people loaded a website, the web browsers would hang and sometimes time out, as bind9 had to first time out with iiNet on each request before performing recursion. Hitting F5 to refresh on the client workstation would then load the website.

If anyone knows of any highly available, redundant DNS servers in Perth that are open to the public on all IP ranges, can you please leave a comment and let us know. I believe it is better to always forward DNS requests to a local public DNS server with low latency because:
- It reduces the work for your DNS server, which would otherwise always perform recursion to resolve each request.
- It saves Internet usage if your Internet link supports WAIX (Western Australian Internet Exchange - free data around Perth between different ISPs) as you're only talking to a local server instead of DNS servers around the world as you would be if you were using recursion.
- It speeds up DNS - A public DNS server has a much bigger cache, so for many requests there is a higher chance the public DNS server already has the answer cached. Just ensure the public DNS server you're using is protected against cache poisoning!

Friday, January 8, 2010

Slow Network Speed with HP v2.8.13.0 on ProLiant DL380 G5

I was called out to look at an email issue between two hub transport servers for an international energy company. Messages were sitting in the queue for long periods of time in the Perth office and were having trouble reaching remote sites. After some investigation I used a bandwidth testing program called IPerf to monitor bandwidth between the two hub transport servers and found out that they were only getting 700 bits a second between the two servers. This was not due to the link being maxed out.

The ProLiant DL380 G5 server in the remote site was running HP v2.8.13.0 with teaming enabled.

We upgraded the network drivers to the latest as of this writing, v5.0.13.0, and disabled teaming. Full network speed returned and email began flowing correctly.

It was a really weird issue. The client did not want to re-enable teaming until they replace the Cisco 2950 switch!

Thursday, January 7, 2010

Removing Trend Office Scan Without Password

You want to uninstall the Trend OfficeScan client off a PC but you do not know the administrator password. To get around this you can modify a registry key that allows you to uninstall it without the password!

- HKLM\Software\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc
- AllowUninstall=1

This needs to be a DWORD.

If you are still unable to uninstall it, see my post to forcefully remove the Trend OfficeScan client:

http://clintboessen.blogspot.com/2009/09/forcefully-remove-trend-officescan.html

Forcefully Uninstall Trend ServerProtect 5.7

I tried to deploy Trend ServerProtect to a server that had a corrupt install of ServerProtect using the Trend Micro ServerProtect Management Console. However when deploying I kept receiving the following error:

Error: ServerProtect server is not available
Target server: servername



To get around this I had to forcefully remove ServerProtect from the Server with the issue.

I did this using the following procedure.

1. Stop the following services (if they exist):
- Trend ServerProtect
- Trend ServerProtect Agent

2. Open the Registry Editor. Make sure you create a full backup of the registry before making modifications.

3. Delete the following keys if they still exist:
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\DebugLog
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpntSvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EarthAgent
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TMFilter
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmpreflt (Windows 2003 only)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VsapiNT
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ServerProtect for NT
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ServerProtect IS
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ServerProtect Management Console

4. Close the Registry Editor

5. Delete the ...\Program Files\Trend\Sprotect folder.

6. Delete the Trend ServerProtect Management Console program menu.

7. Delete the ServerProtect Devices:
- Go to the Control Panel > Administrative Tools > Computer Management
- Open the System Tools tree, select Device Manager.
- Enable hidden devices from the view menu.
- Expand Non-Plug and Play Drivers tree.
- Delete the following devices:
* Trend ServerProtect Prefilter (Windows 2003 only)
* Trend ServerProtect Filter
* Trend ServerProtect Scan Engine
* StartAG
* StartNS
* tmcomm

For each of these drivers, when it asks to reboot click "No". Uninstall all of them first. They won't disappear until you do the reboot.

8. Restart the server and verify that the devices no longer exist.

9. Reinstall Trend ServerProtect to the problem PC.
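
A read-only helper for this procedure, added here as an example and not part of the original post or of any Trend Micro tooling: it exports each listed registry key that still exists to a .reg file before step 3, and reports which keys and services are present so the same check can be repeated after step 8. The key paths and service display names are copied from the steps above; the function names and the backup folder are assumptions.

```powershell
# Added example, not from the original post. It inventories and backs up only;
# it deletes nothing. Function names and $BackupDir are assumptions.
$ServerProtectKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect',
    'HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\DebugLog',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpntSvc',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EarthAgent',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TMFilter',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmpreflt',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VsapiNT',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ServerProtect for NT',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ServerProtect IS',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ServerProtect Management Console'
)
# Display names of the services listed in step 1.
$ServerProtectServices = @('Trend ServerProtect', 'Trend ServerProtect Agent')

function Get-ServerProtectRemnant {
    # One row per registry key and per service, with a Present flag.
    foreach ($key in $ServerProtectKeys) {
        New-Object PSObject -Property @{
            Kind    = 'RegistryKey'
            Name    = $key
            Present = (Test-Path -LiteralPath "Registry::$key")
            State   = ''
        } | Select-Object Kind, Name, Present, State
    }
    foreach ($name in $ServerProtectServices) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        $state = ''
        if ($null -ne $svc) { $state = [string]$svc.Status }
        New-Object PSObject -Property @{
            Kind    = 'Service'
            Name    = $name
            Present = ($null -ne $svc)
            State   = $state
        } | Select-Object Kind, Name, Present, State
    }
}

function Export-ServerProtectKey {
    # Writes one .reg file per existing key and returns the file paths.
    param([string]$BackupDir = (Join-Path $env:TEMP 'ServerProtect-regbackup'))
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $index = 0
    foreach ($key in $ServerProtectKeys) {
        $index++
        if (-not (Test-Path -LiteralPath "Registry::$key")) { continue }
        $leaf = ($key -split '\\')[-1]
        $file = Join-Path $BackupDir ('{0:d2}-{1}.reg' -f $index, $leaf)
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Export failed for $key"
        }
        else {
            $file
        }
    }
}

# Before step 3: back up, then record what is present.
Export-ServerProtectKey
Get-ServerProtectRemnant | Format-Table -AutoSize -Wrap
# After step 8: run Get-ServerProtectRemnant again; every row should show Present = False.
```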





Also see my post for forcefully removing the Trend OfficeScan client:

http://clintboessen.blogspot.com/2009/09/forcefully-remove-trend-officescan.html

Wednesday, January 6, 2010

Trend Micro Client Packager

The Trend Micro Client Packager is used to create Trend Micro installation packages tailored to your network. It is located in:

C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\ClientPackager

If you want to create builds that run on Windows Vista, Windows 7 and Windows Server 2008 you must be running 8.0.0.2302. 8.0.0.1004 does not support anything higher than Windows XP and 2003.

Also note that, although you can install 32-bit Trend on a 64-bit version of Windows, it is not supported and it does cause problems. Ensure that only a 64-bit version of Trend is installed on a 64-bit version of Windows.

To find out what version of Client Packager you have right click on ClnPack.exe in the above directory and click properties. Then click the Version tab.

8.0.0.1004 looks like this and does not support the new operating systems:



8.0.0.2302 looks like this and supports the new operating systems:



To create a package to deploy to workstations or servers open the Client Packager (ClnPack.exe) from the above directory. I recommend changing the package type to MSI because it allows you to deploy it through group policy or manually.



The Update Agent option makes the PC you deploy this package to an update agent that distributes Trend updates to other Trend agents. This is something you do not normally want, so do not tick this. All the other boxes grey out.

If you have a simple Trend install, always specify this source file unless you know what you're doing:

C:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini

Then specify an output file.



Please note if your trend server is running a 32bit version of windows you can only create 32bit MSI files. If your trend server is running a 64bit version of windows, you can only create 64bit MSI files. If you wish to create a 64bit installer on a 32bit windows install specify the package type to be "Setup".

Related Posts:

http://clintboessen.blogspot.com/2009/09/forcefully-remove-trend-officescan.html

http://clintboessen.blogspot.com/2009/09/trend-micro-find-trend-server.html

How to Test Bandwidth Between Two Windows Computers

In this post we will be looking at a handy little tool called IPerf which can be downloaded from here:

http://www.noc.ucf.edu/Tools/Iperf/iperf.exe

This was recommended to me by the network engineers at work as being one of the fastest and most efficient ways of measuring bandwidth on a link. IPerf does not have to be installed; it simply runs in a command prompt window. You need to set up IPerf on both ends to perform testing.

To use IPerf to test your network speed perform the following:

On one end run IPerf as the server:

iperf -s



On the other end run IPerf as the client including the name or ip address of the iperf server.

iperf -c 10.10.9.39



Here we can see we are getting 8.93mbps over the link to my other end.

Another handy trick is that you can test bandwidth both ways by using the -d switch for a dual test. This should be done only if your network is full duplex! If you're running half-duplex this is not a good test to do!

iperf -c 10.10.9.39 -d



This testing was done over an MPLS cloud!

Monday, January 4, 2010

HP Server Hardware Diagnostics

You have an HP server you wish to perform hardware diagnostics on to identify any potential problems with the server components. What tool do you use? Where do you get it from?

Well HP provide two tools for this:
- HP Insight Diagnostics Online Edition
- HP Insight Diagnostics Offline Edition

Ideally you wish to run the Offline scan as it is more comprehensive and can detect problems the online scan cannot. Where do you get the offline edition, however? This is not downloadable from the HP site anymore without a cost. However, when you buy an HP server you get a "Smart Start HP CD" with the server, which is bootable. If you boot off this disk, it has the Offline diagnostics tool on it.

As of this writing it's up to version 8.3 of the tool. If you cannot find a Smart Start disk anywhere, I found an old copy of the tool (version 8.0) which can be downloaded from the following FTP link:

ftp://ftp.compaq.com/pub/products/Servers/supportsoftware/ZIP/

Hope this post has been helpful.

Sunday, January 3, 2010

Upgrading Exchange Outlook Web Access to Exchange 2010

I just read this post by Ross Smith from the Microsoft Exchange Team in regards to Outlook Web Access when upgrading Exchange 2003 or 2007 to 2010. This is a very important article which you will need to take into consideration if you perform an upgrade in the near future. It describes how it works along with the PowerShell commands you need for the configuration requirements.

It covers upgrades to 2010 from both Exchange 2003 and 2007.

Here are some basic flow diagrams for co-existence for 2003 and 2007 taken from Ross Smith's post.

Ex2003:



Ex2007:



Please do take time to read the full article before performing the migration assuming your users do use active sync:

http://msexchangeteam.com/archive/2009/12/08/453472.aspx

ExFolders - PFDavAdmin's Replacement

In Exchange 2010 WebDAV is gone from Exchange. PFDAVAdmin was named as it is because it used WebDAV to access and make changes to public folders. With WebDAV gone from Exchange PFDAVAdmin can now no longer be used with Exchange 2010.

So what now?

Well, much of the public folder administration functionality can be done using PowerShell with the Get-PublicFolder and Set-PublicFolder commands.

However what if you need a GUI?

Microsoft has developed a new tool called ExFolders to replace PFDAVAdmin. ExFolders still has the same user interface as PFDAVAdmin, so things will look very familiar. There are a few changes as well as additional features incorporated into ExFolders that I will point out below:

Changes from PFDAVAdmin:
  • ExFolders must be run from an Exchange 2010 server - it cannot be run from a workstation as PFDAVAdmin could. It can connect to Exchange 2010 or 2007, but not older versions!
  • Remove Item-Level Permissions is gone, because there are no item-level permissions in Exchange 2007 or 2010.
  • DACL fix functionality is gone. With no WebDAV and no M: drive, non-canonical DACLs should be practically unheard of.
  • The permissions export formats of PFDAVAdmin and ExFolders are compatible.

New Features in ExFolders:

  • Folder property imports are now supported. You were able to do folder property exports with PFDAVAdmin but not imports.
  • Item property exports are supported - that is, you can export a set of properties from all items in a folder. This feature has been added for troubleshooting purposes - you can not do item property imports!
  • ExFolders supports the new free/busy permissions that were introduced in Exchange 2007 and Outlook 2010.
  • You can now connect to multiple mailbox stores at the same time, so you can run a batch operation against several mailbox stores or all mailboxes in the org!

Where can I get ExFolders?

http://msexchangeteam.com/files/12/attachments/entry453398.aspx

Upgrading Exchange ActiveSync to Exchange 2010

I just read this post by Ross Smith from the Microsoft Exchange Team in regards to ActiveSync when upgrading Exchange 2003 or 2007 to 2010. This is a very important article which you will need to take into consideration if you perform an upgrade in the near future. It describes how it works along with the PowerShell commands you need for the configuration requirements.

It covers upgrades to 2010 from both Exchange 2003 and 2007.

Here are some basic flow diagrams for co-existence for 2003 and 2007 taken from Ross Smith's post.

Ex2003:



Ex2007:



Please do take time to read the full article before performing the migration assuming your users do use active sync:

http://msexchangeteam.com/archive/2009/12/08/453472.aspx