Friday, November 27, 2009
Me Talking About Wireless Security
http://winnipeg.ctv.ca/servlet/an/local/CTVNews/20080904/wpg_personal_info_080904/20080904/?hub=WinnipegHome
Thursday, November 26, 2009
Runas for Windows Explorer
Today I was providing remote assistance to a desktop computer that was out of disk space. The user didn't have sufficient permissions to clean up the disk and I didn't want to work outside of the user's profile. So, I wanted to run Windows Explorer as Administrator.
Here's the command line:
runas /user:domain\username "explorer /separate"
Saturday, November 7, 2009
Ballad of the Duplicate SPN
Step 1: Dcpromo down the server
Step 2: rename Server1 to Oldserver so there is no conflict
Step 3: rename new server as Server1
Step 4: Join Server1 to domain
So far, so good. However, after joining the domain we get this error:
The security database on the server does not have a security account for this workstation trust relationship
We verified that the computer account was there and tried several combinations of rejoining and deleting the computer account. No resolution.
After a bunch of searching, it turns out that there is a property of a computer account that cannot be repeated in other computer accounts. The servicePrincipalName property cannot have conflicting values with other computer accounts. Each computer account should have values that correspond only to its own computer name. However, sometimes when you rename computers, not all entries in the attribute get updated.
You can view the entries for a single computer account by using ADSI Edit. However, that doesn't really help you find conflicts. Instead you can use this command to list the SPNs for all computer accounts and then look for duplicates associated with another computer.
Ldifde -f C:\spn.txt -t 3268 -d dc=domainname,dc=local -l serviceprincipalname -r (serviceprincipalname=*) -p subtree
Looking in this text file we found that the computer account for Oldserver still had references to Server1. We didn't need Oldserver. So, we deleted the computer account for Oldserver and all was good. We could also have used ADSI Edit to change the entries.
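An added example (not from the original post): a short Python script that reads the text written by the Ldifde command above and reports SPNs registered on more than one account, plus SPNs whose host part names a different computer than the account holding them. The sample records and all function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample in the shape ldifde writes (not data from the post's domain).
# It includes a folded line (continuation starts with one space) and a base64
# value ("attr:: ..."); a plain text search of the file would miss both.
SAMPLE_LDIF = """\
dn: CN=SERVER1,OU=Servers,DC=domainname,DC=local
changetype: add
servicePrincipalName: HOST/SERVER1
servicePrincipalName: HOST/Server1.domainname.local

dn: CN=OLDSERVER,CN=Computers,DC=domainname,DC=local
changetype: add
servicePrincipalName: HOST/OLDSERVER
servicePrincipalName: HOST/Server1.domain
 name.local
servicePrincipalName:: SE9TVC9TZXJ2ZXIx

dn: CN=WKS01,CN=Computers,DC=domainname,DC=local
changetype: add
servicePrincipalName: HOST/WKS01
servicePrincipalName: HOST/WKS01.domainname.local
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_spns(text):
    """Return {dn: [spn, ...]} for every record in the LDIF text."""
    accounts, dn = {}, None
    for line in unfold(text):
        if not line.strip():          # blank line ends the current record
            dn = None
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.lower()
        if attr == "dn":
            dn = value
            accounts[dn] = []
        elif attr == "serviceprincipalname" and dn is not None:
            accounts[dn].append(value)
    return accounts


def duplicate_spns(accounts):
    """SPNs (compared case-insensitively) that appear on more than one account."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def foreign_spns(accounts):
    """SPNs whose host part names a different computer than the account's CN.

    Heuristic only: some legitimate SPNs do not carry the account's own name,
    so review each hit by hand before changing anything.
    """
    stale = []
    for dn, spns in accounts.items():
        name = dn.split(",", 1)[0].split("=", 1)[1].lower()
        for spn in spns:
            parts = spn.split("/")
            host = parts[1].split(":")[0].split(".")[0].lower() if len(parts) > 1 else ""
            if host and host != name:
                stale.append((dn, spn))
    return stale


if __name__ == "__main__":
    accounts = parse_spns(SAMPLE_LDIF)   # in practice: open(r"C:\spn.txt").read()
    for spn, dns in duplicate_spns(accounts).items():
        print("DUPLICATE", spn, "->", "; ".join(dns))
    for dn, spn in foreign_spns(accounts):
        print("FOREIGN  ", spn, "on", dn)
```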
Tuesday, November 3, 2009
Virtualization on Windows 7
It turns out that Windows Virtual PC will only run with hardware assisted virtualization. On AMD processor systems this isn't an issue because almost all AMD processors have hardware assisted virtualization. Intel, on the other hand, has been using hardware assisted virtualization as a differentiator between upper and lower end chips for the last several years. Basically trying to get a premium out of it. Many computers with Intel processors do not have hardware assisted virtualization. Unfortunately, my laptop is one of these.
Fortunately, even though it is unsupported (like I'd be calling for support) Virtual PC does run on Windows 7. A blog documenting it is here: http://blogs.msdn.com/virtual_pc_guy/archive/2009/08/19/running-virtual-pc-2007-on-windows-7.aspx.
You can also get Virtual Server 2005 to install on Windows 7 if you really want to, but it is a pretty nasty process. Details are here: http://tfl09.blogspot.com/2009/08/windows-7-and-virtual-server.html.
UPDATE: Microsoft has released an update for XP Mode and Windows Virtual PC so that hardware virtualization is not required. See http://support.microsoft.com/kb/977206
Thursday, October 15, 2009
The End of Novell (for me)
I remember when......
- about 70% of organizations used Novell NetWare
- file and print services were all that were expected of a server
- NetWare was more stable than Windows (by a lot)
- GroupWise had reasonable market share
- Microsoft was the underdog for server side computing
- IPX/SPX meant I didn't really need to understand the network configuration
Goodbye NetWare, eDirectory, and GroupWise. It was fun while it lasted. SUSE I hardly knew you.
Tuesday, October 6, 2009
MTS BlackBerry in Vancouver
Right now, my data synchronization for e-mail and even BlackBerry Messenger is sporadic at best. Data connectivity is for brief periods of time every hour, two hours, or even four hours. Occasionally, disabling my connections and reenabling them will trigger the data to go on again. Removing and reinstalling the battery sometimes triggers it as well.
If I came here often, I'd need to look at a different provider....Or an iPhone.
Java Woes
Anyway, on Monday morning I get a polite call telling me that the app is not working. This app requires the user to accept a certificate from the vendor the first time it is run, and I assumed that the user accidentally said no to accepting it. So, I took remote control and it definitely did not work. The error complained about security in a roundabout and cryptic way.
After some testing and tweaking, no fix. Later when doing some research (ok, Google searches) I found out that this is a bug in the last two releases of Java for apps with certain characteristics. I had installed Java 6 update 16. The last version without the bug was Java 6 update 14. Remove the new version, install the old and all was fine. Fortunately all the older versions of Java are archived and easily available.
Monday, September 14, 2009
RDP on an Alternate Port
Yesterday I did this on our new Windows 2008 e-mail server to allow outside access, but could not connect to the new port number or the old port number. It turns out that Windows Firewall was the culprit. I assumed that the Windows firewall rule would be hooked in to the service executable. However, there is a rule with a hard coded TCP port instead.
So, when you change the RDP port number, remember to create a new incoming rule that allows that port.
Friday, August 14, 2009
IE8 HTTPS warning
Do you want to view only the webpage content that was delivered securely?
My instinct is to hit the Yes button to show the graphics. However, you need to select No.
However, you can disable this warning. The steps are located here: http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/
Friday, August 7, 2009
Links = File System Flexibility
I have one workstation that I do 90% of my work on. This computer has a lot of apps and a ton of data (no lectures about the home server please). My 250GB drive is almost out of space and I'd like to increase performance of my VMs.
The MS courses use C:\Program Files\Microsoft Learning for the VMs. I don't have an option to move this. However, I can configure that path as a symbolic link to another location instead. So, my C:\Program Files\Microsoft Learning is now a link to V:\Microsoft Learning. This allows me to put all my VMs on a separate drive. If I get inspired later on, I may split the differencing drives from the base drives for even better disk performance.
The MKLink command creates the links.
Wednesday, August 5, 2009
For God Sakes, Plan for a Disaster
First the client. Like many clients, this one is using a USB drive for backup of a computer that does peer-to-peer sharing on the network. All of their accounting data is on this computer as well as other files. After a period of time they stopped doing the backup. You know the excuses, none are good, but all of us start to slack off over time.
So, the hard drive in this computer dies, no backup. We got lucky and after I moved the drive to a different computer, it was readable, and we got the data. But it was coming up as a hardware failure in diagnostics.
Now for our server. It is located in a basement. The water main in the basement broke and filled the basement with 6 feet of water. We did have a backup, but it was with the server. So, always do an offsite backup. Fortunately for us, all we lost was some configuration documentation and the billing info for the last month. We were able to recreate the billing info and we can figure out the documentation again.
We will not be caught like this again. We will be implementing a full offsite recovery plan. And it will be automated, so we can't get lazy about it.
Friday, July 31, 2009
Multiple instances of Excel
In the past I found that the work around was to open one spreadsheet. Then open Excel from the Start Menu and open the second spreadsheet from within the second instance of Excel. Another workaround on the web talked about disabling OLE in some way, but that one killed functionality I needed.
However, today I found a better solution for me. I created a shortcut in the Send To menu that directs files to Excel. When I use this, it opens in a second Excel instance.
Details on the Send To: http://www.howtogeek.com/howto/windows-vista/customize-the-windows-vista-send-to-menu/
Still not quite as good as just double-clicking, but much better than a manual open of Excel.
Tuesday, July 28, 2009
Office 2007 Trial as a Marketing Tool
End results of installing trial software without a formal evaluation process:
- Staff are annoyed when trial software expires and ceases to work
- Productivity is lost while staff figure out they can still open documents manually in Office 2003, but not by just double-clicking the doc
- Client pays $$ for me to uninstall Office 2007
- No sale is made because no actual evaluation is done
- Waste of everyone's time and $
Saturday, July 18, 2009
Stop SBS from Shutting Down
The Microsoft recommended solution for this is to insert disc 1, run setup, and remove the SBS 2003 component. This will leave a plain Win 2003 server without the shutdown issue. However, when I attempted to do this, setup errored out indicating that I was trying to upgrade to an older version which was not possible. Removing service packs may have worked, but here is a faster work around taken from a guy named Alan (http://social.microsoft.com/Forums/en-US/whssoftware/thread/af4fc3b4-bb50-4c5e-b09a-72ef2c3ac687)
I've found a slightly more elegant solution to this problem rather than just aggressively killing the process until Windows gives up trying to start it again, and I'd like to share it in the hope that Google will re-index and pick it up for others to use. You may have noticed this service cannot be disabled via the MMC snap-in. My search term on google was: how to stop the SBCore service. Anyway, down to business…
- Tools you'll need – Process Explorer from http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
As you probably know, you have a service called SBCore or "SBS Core Services", which executes the following process: C:\WINDOWS\system32\sbscrexe.exe. If you kill it, it just restarts – and if you try and stop it you are told Access Denied.
If you fire up Process Explorer, you can select the process and Suspend it, now we can start to disable the thing. Run regedit and expand the nodes until you reach the following hive / key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBCore
Right click this, hit permissions and give the "Administrators" group on the local machine full access (don't forget to replace permissions on child nodes). F5 in regedit and you'll see all of the values and data under this key.
Select the "Start" DWORD and change it from 2 to 4 – this basically sets the service to the "Disabled" state as far as the MMC services snap-in (and windows for that matter) is concerned.
Next, adjust the permissions on the file C:\WINDOWS\system32\sbscrexe.exe so that EVERYONE account is denied any sort of access to this file. Then go back to process explorer, and kill the sbscrexe.exe process, if it doesn't restart – congratulations!
Load up the services MMC snap-in and you should find that "SBS Core Services" is stopped and marked as Disabled.
Enjoy,
Alan :)
Note: When you run Process Explorer through Terminal Services, you are unable to suspend the process. I had to go on site to perform this process.
Fault in Wininet.dll
- My first thought was to go back to an earlier restore point, but I couldn't because it would crash each time I opened Help and Support.
- Next I created a new user and logged on as that user. This new user didn't experience the same issue, so I knew it was related to user settings rather than system settings.
- Restored a restore point, but the original user issue was not resolved. However, now at least I could do some research by using IE and the new user account.
- During research, I found a few articles talking about clearing cache with this issue. They were for older versions of Windows and IE, but I figured I'd give it a shot.
- I was unable to clear the cache by using the Internet Options in Control Panel because it errored out. I was able to delete the files manually.
- After the cache was cleared, all was good.
Desktop Support for the Server Guy
A server is a controlled environment. Most servers run a limited number of applications and the applications installed are known. In addition, there is a limited range of settings that are commonly configured. On a desktop computer, all options are open, because there is no telling what a user has done with their computer. This can be challenging for sure, and sometimes even intimidating when a problem occurs. Not to mention that the solutions sometimes are just crazy.
Yesterday, I was working on a desktop computer with multiple applications erroring out. The solution ended up being to clear the cache in IE. That's just plain weird.
Thursday, July 9, 2009
When in Doubt, Reinstall
Yesterday I was troubleshooting a Java application that launches from a Web page, but is a stand-alone app when it runs. It was complaining that the server could not be contacted. Here was my process:
- Verify only one computer is affected
- Clear the java cache - no fix
- Install latest Java update - no fix
- Reboot computer just to be sure - no fix
- Start monkeying with java settings - no fix
- Try from a different user profile on the same computer - still broken
- Install a packet sniffer to monitor traffic - no obvious errors
What was the fix? Easy. Uninstall all Java components and then download and install the latest Java. Wish I had tried that a bit earlier.
Friday, July 3, 2009
BES Calendaring Weirdness
Some users were getting a red X when attempting to reply to meeting requests. Also, some meetings were not being synchronized properly.
To resolve this issue we had to update the cdo.dll file on the BES server. The version on the Exchange server was relatively recent. The version on the BES server was several years old. Apparently it is a best practice for BES to use the most recent cdo.dll file from any of your Exchange servers.
The steps to resolve were:
- Copy C:\program files\exchsrvr\bin\CDO.dll from Exchange server to BES server (same path).
- Reregister the dll (regsvr32 cdo.dll)
- Restart BES server (probably could just restart services, but why mess around)
Problem resolved.
Props to Shaw Cable for good service
- 2pm...Try an Internet speed test - results showed same upload and download speed of about 1Mbps. Hmmm. I should have about 10 Mbps download.
- 2:05pm...Reboot router - No change.
- 2:10pm...E-mail Shaw - They request results from internal speedtest at speedtest.shaw.ca. Hmmm. Only 500Kbps now.
- 3:30pm...Restart cable modem - Ooops. Internet gone and not coming back.
- 3:35....Call Shaw tech support - they check signal strength and it's low. Appointment scheduled for next day (not bad for consumer level stuff).
- 3:45....Start to panic about what to do with no Internet, but remember that e-mail still comes in on the Blackberry. Take a deep breath.
- 4:00pm...Take laptop to the second floor to search for unsecured wireless. Find about 8 networks, but all secured. Phooey.
- 4:30pm...Remember that I have splitter on the cable. Remove it and Internet comes back. Whoo Hooo.
When the Shaw guy got here today I explained about the splitter. He indicated that it was likely the cause, but wanted to test signals anyway.
After about an hour of him troubleshooting, it turns out that the line into the house from the street is bad. He's recommended replacing it, but they likely won't get to it for a few months. In the meantime, he put a booster on the Internet line and all is good.
Total turn around 24hrs.
Wednesday, June 24, 2009
Common Blackberry and BES Issues
The two most common issues we see:
- Device suddenly unable to send or receive email. We are seeing this on newer devices and seems to be a weird hardware/OS issue in the device. The only fix we have found for it is removing and replacing the battery. This forces a full reboot (no data lost). We have not been able to determine any specific circumstances that cause the issue.
- Device able to receive new messages, but not send. This occurs when the service account for the BES server does not have the correct permissions to the mailbox of the user. The fix for this one is to give the BES service account Send As permissions to the user. Again, this seems to be a somewhat random error. It happens to individual users sometimes and we've never found a source.
Tuesday, June 23, 2009
Windows Server 2008 Foundation
Here is the basic rundown of the Foundation edition features that make it different from Standard edition:
- Does not include Hyper-V
- Does not include server core
- Limited to 15 simultaneous user connections
- Separate licencing from CALs (may be cheaper)
- Lower cost
- Only available through OEMs
The Foundation edition can still be used for:
- Domain Controller
- Terminal Services (need the TS CALs, limited to 15 users still)
- Remote access
- Application server
- File and Print server
Looks like an interesting option for smaller environments that need a basic server and don't want to kick out the $ for a full server or SBS. I can think of one client right now who could use this.
Free AV Software
Well, Microsoft is about to become one of the biggest AV software providers out there. Microsoft Security Essentials is now in beta. This replaces the One Care product that I don't think was overly successful in the market place. However, MS Security Essentials is free, and that's an important distinction.
Only 75,000 downloads of the beta are allowed here: http://www.microsoft.com/security_essentials/market.aspx.
I'm in Canada. So, I can't try it out. Only for the US, China, and Brazil.
Tuesday, June 9, 2009
Increase simultaneous downloads in IE
So, this post is as much for me as anyone else. This link has the key to modify and even a nifty automated process for increasing the simultaneous downloads to 10.
http://support.microsoft.com/kb/282402
Monday, June 1, 2009
Create Your Own E-Learning
Version 2.3 has just been released which includes a spell checker. In general it is a good tool for its defined task. You create a variety of Web pages including quizzes and adventure activities through the included templates.
There are templates for providing demonstrations and animations. However, those must be created outside of LCDS using third-party tools such as Camtasia (from Techsmith).
Check out LCDS here: http://www.microsoft.com/learning/tools/lcds/default.mspx
Thursday, May 28, 2009
Free Remote Desktop through Firewall
This tool is excellent for users that want to remote control an office or home PC when they are in different locations. It is not as well suited for IT professionals that want to control PCs within the internal environment for repairs.
The biggest benefit of this software is that no firewall configuration is required. After the agent is installed on the PC, it initiates the connection out through the firewall on port 80. If your computer has web access without authentication, then game on.
If you need other tools like the ability to transfer files or print, then you can upgrade to another version with a monthly fee. The other main alternative product with a monthly fee is GoToMyPC.
Tuesday, May 26, 2009
Exchange 2007 Backup on Win2008 - Finally!
If you have SBS2008, this functionality is already there. If you are a large organization, you likely have third party backup software that performs Exchange 2007 backups. However, for mid-sized organizations trying to save a few $ on backup software, this is a life saver. I know of one client that will start using this immediately.
For more information see:
Saturday, May 23, 2009
Testing Exchange 2007 connectivity
When I used it to test RPC over HTTP connectivity to our Exchange 2003 server, it came up with an error on our GoDaddy certificate. However, the certificate is legitimate and works fine for both Web stuff and RPC over HTTP. So, perhaps there's a reason it's still in beta.
For a more detailed description of the tool see this article from the MSExchangeTeam:
Friday, May 1, 2009
Windows 7 Backup
- You can backup just specific files and folders. In Vista, it was done on a per volume (drive letter) basis.
- The disk you back up to does not need to be dedicated to backup. So, you can just keep a folder for backups. Vista took a whole partition and then hid it from you so that you couldn't put other data on it.
Monday, April 27, 2009
Windows 2008 Failover Clustering
- Clustering in Windows 2008 is much easier than previous versions of Windows. The wizardized process is very easy. You barely need to understand what clustering is to get this up and running.
- Printer clusters now store their drivers as part of the printing cluster on shared disk. You no longer need to worry about synchronizing drivers on different cluster nodes.
- File share clusters are accessible only by name and not IP address. It seems like they are using a technology similar to host headers on an IIS Web site.
- iSCSI shared storage can be accessed in two different ways. Both nodes in the cluster can share the same target (the way I've always done in the past) or two targets can be created that point to the same LUN on the SAN, one target for each cluster node. Both function fine. However, having two targets on two separate HBAs in the SAN can provide some redundancy and opportunity for higher performance.
Wednesday, March 18, 2009
Exchange 2007 Resource Mailboxes
http://msexchangeteam.com/archive/2009/02/26/450776.aspx
Tuesday, February 17, 2009
Data Protection Manager for Hyper-V
The big thing with DPM is that it's disk-based backup with an option to go to tape. Your initial backup on a server is a full backup, but after that, it's all snapshots. Makes a daily backup go much faster. You can archive to tape on a schedule that you determine. So, cool from that perspective.
Now for backing up Hyper-V and Virtual Server VMs you have two options. First, install an agent in the VM and back up the VM like a physical server. This option gives you the most flexibility because you can choose what data to back up and what data to restore. However, you also pay for an agent on each VM.
An alternative is host backups. Host backups are done only at the host level, rather than at the guest level. If the OS and applications in the guest are VSS aware (they have a VSS writer), then a backup can be performed without taking the server down or pausing it. VSS is used to make all data consistent before a snapshot is taken and the vhd files are backed up.
The upside to host-based backups is lower licensing costs. A single DPM license is installed at the host level and all VMs are backed up with this single license. The downside is recovery flexibility. You can only restore an entire VM. However, if you did need specific files, you could restore the VM to an alternate location and then extract the files you need by mounting the vhd. A pain, but doable and may be worth it depending on the $ you are saving.
For more information about backing up VMs on Hyper-V and Virtual Server, check out this link: http://edge.technet.com/Media/DPM-2007-SP1-Protecting-Hyper-V/
Thursday, February 12, 2009
Delegating Management of Exchange 2003 Contacts
The steps are:
- Open Active Directory Users and Computers.
- Right-click the OU (or domain) you want to delegate Contact administration for and then click Delegate Control.
- Click Next.
- Add the users or groups that you want to delegate control to and click Next.
- Click Create a custom task to delegate and then click Next.
- Click Only the following objects in this folder and select the Contact objects checkbox from the list.
- Select the Create selected objects in this folder and Delete selected objects in this folder checkboxes and then click Next.
- In the permissions list, select the Full Control checkbox and then click Next.
- Click Finish.
That should give the user or group permissions to manage and create only contacts for the OU or domain that was selected. By default, these permissions will flow down and be inherited by lower OUs.
The user will then use AD Users and Computers to create the contact objects. If you want to get fancy, you can create a custom view for the user to limit what they actually see. The version of AD Users and Computers that is used by the user will need to be updated with the Exchange 2003 management bits by installing the Exchange 2003 admin tools; otherwise, it can’t mail enable the contacts.
Tuesday, February 10, 2009
Finally a Use For IPv6
IPv6 automatically creates a link-local address for each computer. This allows communication between computers on the same logical network without any manual configuration. This is similar to APIPA addresses in IPv4, except that link-local addresses are assigned in addition to any other addresses, not as a replacement.
In this setup, I can use regular UNC paths even though the computers are on different IPv4 networks. Sweet.
Also very useful for remote control.
Hyper-V Manager from a Non-Domain Computer
- Create an account in the domain running Hyper-V that has the exact same logon name and password as the account being used on the Vista computer.
- Configure COM on the Vista computer to allow anonymous remote connections.
Then BOOM! It works. And you can do your screen recordings remotely.
For click-by-click instructions on configuring COM, see step 7 in this blog: http://blogs.technet.com/jhoward/archive/2008/03/28/part-2-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx
Monday, February 2, 2009
Groove for File Backup on a Laptop
I don't run a server in my house right now. So I thought I'd give Groove from MS Office 2007 a try. One of the features in Groove is file synchronization between hosts in a shared workspace.
A few things I've found out:
- The 64-bit version of Groove 2007 does not support file sharing workspaces. You can still sync files, but all of the files are stored in the Groove database instead of just syncing part of the file system.
- There is no easy way to save a file into a Groove workspace. You must copy a file into the workspace and then open it from the workspace. While you work on the open file a temp copy is placed on the hard drive. When you close the document, the changed version is placed back into the Groove database. I would have preferred browsing to Groove workspaces through Explorer (although there's a 3rd party addon for the low low price of $60USD per seat).
In the short-term at least, this appears to be a workable solution for me. It will synchronize my basic Word documents and graphics. But the fact my apps can't save directly to a workspace without first opening the file from that workspace is definitely clunky.
Friday, January 30, 2009
Credit to Dell
I've taken the opportunity to upgrade the laptop to 64-bit ultimate since I need to do a reinstall anyway. No sense having a laptop with 4GB of RAM on a 32-bit OS. A 32-bit OS only sees a little over 3GB.
100% Depreciation for Computers
From a business perspective, it means that your taxes more closely match your cashflow. Or, if you finance, you get the tax writeoff before you are even done paying for them.
Thursday, January 29, 2009
Retail or Online Discounter?
I was very happy that I picked them up at a major retailer and just returned them the next day. I might have been able to return them to an online discounter, but would have been out shipping at the very least.
Saturday, January 17, 2009
Ex2003 Public Folders and SSL Cert
The token supplied to the function is invalid.
ID no: 80090308 Exchange System Manager
The problem is SSL being required on the Exadmin folder in the Default Web Site used for Exchange management. This is only a problem when a third party SSL cert is installed because the internal name does not match the external DNS name used on the cert. In addition to disabling SSL for the Exadmin folder, I also had to use ADSI edit to remove the secure port in the Exadmin object in Active Directory. Now life is all good.
Detailed steps are at the bottom of the page here: http://hellomate.typepad.com/exchange/2004/04/public_folder_e.html
Thursday, January 15, 2009
MOSS 2007 Audiences for List Items
Most Web parts are not capable of reading and filtering items based on audiences. The Content Query web part is. So, you need to use a Content Query web part to filter the items in the announcement list based on audience. Not as pretty, but functional.
Personally, I'd stick with using audiences at the Web Part level rather than item level. There are no special requirements for that to function.