Monday, March 31, 2008

Windows Core GUI Configurator


This totally rocks!!!

Guy Teverovsky, an MVP for Windows Server - Directory Services in Israel, wrote a GUI application that helps you configure a Windows 2008 Server Core installation without having to go to the dark place.

While I still recommend you thoroughly know and understand how to configure server core from the command line (after all, this isn't going to be installed on every server core installation you come across), this certainly makes it easy.

Download it here.

Fix for Error 0x80004015 on WSUS Clients


When you try to start the Automatic Updates service on a computer you may encounter an error stating,

Could not start Automatic Updates service on the local computer. Error 0x80004015: The class is configured to run as a security id different from the caller

I've found that this is usually caused when the service was previously configured as Disabled via Group Policy.

When you configure a service startup mode in Group Policy (Computer Configuration\Windows Settings\Security Settings\System Services), Group Policy first has you configure the security of the service in the registry. The default security settings (before you configure it in the GPO) normally include Authenticated Users with Read and Start, Stop and Pause permissions. When you configure the service in Group Policy, Authenticated Users have no permissions. This prevents normal users from reconfiguring the service back to Automatic and starting it.

To fix this issue, set the service permissions so that Authenticated Users have Read and Start, Stop and Pause permissions on the service. This can be done the following ways:

  • To reconfigure the service in Group Policy, set the service startup type to Automatic and click the Edit Permissions button. Add Authenticated Users with Read and Start, Stop and Pause permissions. Run GPUPDATE on the client machine or restart it to get the new GPO settings.

  • Manually set permissions on the service using Regedit. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\wuauserv. Right-click wuauserv and select Permissions. Add Authenticated Users with Read permissions.

This tip applies to any other service configured via Group Policy.
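The following script is an added check, not part of the original post: it reads a service's security descriptor with sc.exe and reports whether Authenticated Users still hold the Read and Start, Stop and Pause rights described above (the service name and the set of SDDL codes it treats as "Read" are assumptions made here).

```powershell
# Added audit script (not from the original post). Reads the SDDL of a service with
# sc.exe sdshow and reports the rights held by Authenticated Users (alias AU, SID S-1-5-11).
# Assumes sc.exe is present (XP/2003/2008 and later) and that you may read the descriptor.
param([string]$ServiceName = 'wuauserv')   # default: Automatic Updates, as in the post

# Two-letter SDDL service rights. The codes treated as "Read" here approximate the
# Read entry of the GPO permission dialog: query config/status, enumerate dependents,
# interrogate and read control. RP/WP/DT are Start, Stop and Pause/Continue.
$ReadRights = 'CC', 'LC', 'SW', 'LO', 'RC'
$StartStop  = @{ 'RP' = 'Start'; 'WP' = 'Stop'; 'DT' = 'Pause/Continue' }

# sc.exe sdshow prints one SDDL string beginning with "D:" (DACL, optionally followed by "S:").
$sddl = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }
if (-not $sddl) { throw "Could not read the security descriptor of service '$ServiceName'" }

# Collect every right granted to Authenticated Users by an access-allowed ACE.
$granted = @()
foreach ($m in [regex]::Matches($sddl, '\(([^)]*)\)')) {
    # ACE layout: type;flags;rights;object_guid;inherit_guid;sid
    $ace = $m.Groups[1].Value -split ';'
    if ($ace[0] -ne 'A') { continue }                                   # skip audit/deny ACEs
    if ($ace[5] -ne 'AU' -and $ace[5] -ne 'S-1-5-11') { continue }      # only Authenticated Users
    if ($ace[2] -match '^0x') {
        Write-Warning "Rights for AU are a raw mask ($($ace[2])); decode it manually"
        continue
    }
    # Rights are a run of two-letter codes, e.g. CCLCSWRPWPDTLOCRRC
    $granted += [regex]::Matches($ace[2], '..') | ForEach-Object { $_.Value }
}

$missing = @()
foreach ($r in $ReadRights)     { if ($granted -notcontains $r) { $missing += "$r (Read)" } }
foreach ($r in $StartStop.Keys) { if ($granted -notcontains $r) { $missing += "$r ($($StartStop[$r]))" } }

if ($granted.Count -eq 0) {
    "Authenticated Users have NO rights on '$ServiceName' - this matches the 0x80004015 symptom"
} elseif ($missing.Count -gt 0) {
    "Authenticated Users are missing on '$ServiceName': $($missing -join ', ')"
} else {
    "Authenticated Users hold Read, Start, Stop and Pause on '$ServiceName'"
}
```

Run it before and after applying the GPO change to confirm the permissions actually reached the client.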

Sunday, March 30, 2008

Seen Around Town


I came across this license plate here in Pacifica and it gave me a chuckle. Fix on, brother.

Friday, March 28, 2008

Gained the MCITP Enterprise Administrator Certification


Woohoo!!! I was just notified that I passed the 70-647 beta exam, Windows Server 2008, Enterprise Administrator. Now I get to add some more alphabet soup to my signature (MCITP 2008 Enterprise Administrator). My unbroken streak of passed exams continues! This MCITP certification is equivalent to the MCSE credential for Windows 2003.

If you're interested in the certification path, please see my previous article about the new Microsoft certifications for 2008.




Thursday, March 27, 2008

How to Change the Outgoing SMTP Port in Exchange 2007

By default, Exchange Server 2007 uses port 25 to send SMTP email using Send Connectors. On occasion you may be required to configure an Exchange Send Connector to use a different port - for example, TCP port 465 is commonly used for SMTP over SSL for secure SMTP communication using the SSL protocol. Configuring the port is not exposed through the Exchange Management Console (EMC); it must be configured from the Exchange Management Shell (EMS).

To get a list of the Send Connector names configured in your organization, run:
Get-SendConnector
Here's the one-liner that configures a Send Connector to use port 465:
Set-SendConnector "Your SMTP Send Connector" -Port 465
If you're using an Exchange Edge Transport server, you will need to configure this from any server that is not running the Edge role. You will also need to wait for an EdgeSync operation or force it manually:
Start-EdgeSynchronization
No services need to be restarted for this change to go into effect.

Tuesday, March 25, 2008

How to Enable RDP Remotely on XP Computers


In a previous article I explained how to enable Remote Desktop access on a remote computer.

I've noticed that these steps do not work on Windows XP computers. It turns out that you need to set two registry keys:
  • HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections should be changed from 1 to 0 (zero)
  • HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections should be changed from 1 to 0 (zero)

The first setting enables the RDP protocol on the computer to listen on TCP port 3389. The second setting allows users to login via Remote Desktop. Both settings go into effect immediately and do not require a restart.

Note: If the second setting is not changed to 0 you will get a logon message saying, "Unable to log you on because of an account restriction." You will also get this same logon message if you attempt to logon via RDP with an account that has a blank password. The account you use must have a password to logon using Remote Desktop.

I wrote a batch file that will easily enable or disable Remote Desktop on a remote machine. The syntax is: RDP [computername] [ON | OFF]. Copy the code below and save it as RDP.BAT somewhere in your system path (I use C:\Windows).

---Begin Code---

@echo off
REM RDP.BAT - enables or disables Remote Desktop on a remote computer
REM Usage: RDP [computername] [ON | OFF]
if "%~1"=="" goto Syntax
SET RemoteComputer=%1
REM Strip any backslashes so both "server" and "\\server" are accepted
SET RemoteComputer=%RemoteComputer:\=%
if /i "%2"=="on" goto EnableRDP
if /i "%2"=="off" goto DisableRDP
goto Syntax

:EnableRDP
REM fDenyTSConnections=0 allows Remote Desktop connections (policy key first, then the local key)
REG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if ERRORLEVEL 1 goto Error
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if ERRORLEVEL 1 goto Error
echo.
echo Remote Desktop has been enabled on %RemoteComputer%
goto End

:DisableRDP
REM fDenyTSConnections=1 denies Remote Desktop connections
REG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 1 /f
if ERRORLEVEL 1 goto Error
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
if ERRORLEVEL 1 goto Error
echo.
echo Remote Desktop has been disabled on %RemoteComputer%
goto End

:Error
echo.
echo ======================================================================
echo Make sure the remote computer is online and you have sufficient rights
echo to modify its registry.
echo ======================================================================
echo.
goto End

:Syntax
echo.
echo RDP enables or disables Remote Desktop on a remote computer
echo Visit http://www.expta.com for details
echo.
echo RDP [computername] [ON ^| OFF]
echo.
echo ON  - Enable RDP on the remote computer
echo OFF - Disable RDP on the remote computer
echo.

:End
SET RemoteComputer=

---End Code---

Note that if Group Policy is configured to disable Remote Desktop (Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Allow users to connect remotely using Terminal Services), the HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections setting will revert back to 1 after a Group Policy refresh.
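As an added read-only companion to the batch file above (not part of the original post), this PowerShell script reads both fDenyTSConnections values on a remote machine over the Remote Registry service and reports which one currently governs Remote Desktop, so you can tell a locally enabled machine from one a GPO will reset at the next refresh. The computer name is a constructed placeholder; administrative rights on the target and a running Remote Registry service are assumed.

```powershell
# Added audit script (not from the original post). Reads the policy and local
# fDenyTSConnections values on a remote computer without changing anything.
# Assumes the Remote Registry service is running on the target and you are an admin there.
param([string]$ComputerName = 'WORKSTATION01')   # constructed placeholder name

$PolicyPath = 'Software\Policies\Microsoft\Windows NT\Terminal Services'   # written by Group Policy
$LocalPath  = 'System\CurrentControlSet\Control\Terminal Server'           # local setting

# Returns $null when the key or value is absent (e.g. no policy has ever been applied).
function Get-DenyValue([Microsoft.Win32.RegistryKey]$Base, [string]$SubKey) {
    $key = $Base.OpenSubKey($SubKey)
    if ($key -eq $null) { return $null }
    $v = $key.GetValue('fDenyTSConnections', $null)
    $key.Close()
    return $v
}

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
$policy = Get-DenyValue $hklm $PolicyPath
$local  = Get-DenyValue $hklm $LocalPath
$hklm.Close()

"Computer:       $ComputerName"
"Local value:    " + $(if ($local  -eq $null) { '<absent>' } else { $local })
"Policy value:   " + $(if ($policy -eq $null) { '<absent - no GPO value present>' } else { $policy })

# A value under the Policies key is the one Group Policy maintains; if a GPO sets it,
# the post notes it is re-applied at every policy refresh, so edits there are temporary.
if ($policy -eq 1) {
    "Remote Desktop is DENIED by the policy value. If a GPO sets this, it will be re-applied on refresh."
} elseif ($policy -eq 0) {
    "Remote Desktop is ALLOWED by the policy value."
} elseif ($local -eq 0) {
    "Remote Desktop is ALLOWED by the local setting (no policy value present)."
} else {
    "Remote Desktop is DENIED by the local setting (value absent or 1)."
}
```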

Friday, March 21, 2008

TechEd 2008 Session Preference Survey is open


The TechEd 2008 Session Preference Survey is now open to registered attendees.

When you arrive at TechEd North America 2008 IT Professionals you will have the opportunity to attend up to 19 breakout sessions and 3 labs taking place during 19 timeslots. By entering the sessions and labs you're planning to attend, Microsoft can assign session rooms and determine which sessions to repeat.

Also, by taking the survey you are automatically entered with a chance to win one of five $100 American Express gift certificates!

Thursday, March 20, 2008

Configuring Virtual Directories with Directory Browsing in IIS7

A website that uses directory browsing is a convenient way to display the files and folders in a directory using a web browser. An example of this is demonstrated here.

To configure directory browsing in IIS6, you simply enable the Directory Browsing checkbox on Home Directory tab of the virtual directory. If you want to configure it so that users are required to authenticate to access the virtual directory, you disable anonymous access, enable Basic Authentication and configure the appropriate NTFS permissions on the target folder.

It's slightly different in IIS7 since IIS7 introduces the concept of delegated administration. This means that you can have the IIS configuration in web.config files which reside in the virtual directory. IIS has to read these config files very early in the connection attempt, i.e. when there is no authenticated user available yet. For this reason IIS has to use the process identity (usually Network Service) to read the web.config file.

To configure a virtual directory for directory browsing in IIS7:

  • Create or select the virtual directory in Internet Information Services (IIS) Manager
  • Double-click Authentication and select the appropriate authentication methods for the Vdir (default is Anonymous)
  • Select the Vdir again and double-click Directory Browsing. Click the Enable action
  • Right-click the Vdir and select Edit Permissions. Configure the NTFS permissions for the target folder and ensure that Network Service has read access to the folder

If you don't grant the Network Service account read rights on the Vdir, you'll get the following error when accessing it:

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.

Thursday, March 13, 2008

Windows Server 2008 Launch Event

I'm attending the Microsoft launch event for Windows Server 2008 today in San Francisco.

It's nice to see so many partners here. The company I work for, Convergent Computing, has a booth discussing our services and raffling off copies of our newest book, Windows Server 2008 Unleashed.

Right now I'm in a session about Windows Server 2008 Hyper-V. There are lots of people here, maybe 800. The speaker and demos are quite good.

A bit of disappointment was heard from some that the copy of Windows Server 2008 that Microsoft is giving away to participants is licensed for only one year. :(

Overall, there's been a good turnout and a lot of interest from attendees. It's been worth my time.

Tuesday, March 11, 2008

Windows Server 2008 Upgrade Complete

In a previous post I mentioned that I was going to upgrade my network to Windows Server 2008. Well, I've completed the upgrade and it ROCKS!


I now have a single W2K8 Enterprise server running Hyper-V RC0. This server hosts two guests, one x86 domain controller and one x64 Exchange 2007 server running ForeFront Security for Exchange Server. The host server is running this blog as well as Exchange 2007 Edge services. The performance is outstanding! Much better than my old x64 Windows 2003 host running VMware.

The Exchange Team posted a great article, Speeding up installation of Exchange Server 2007 SP1 Prerequisites on Windows Server 2008. It offers XML files that configure the Windows Server 2008 prerequisites for Exchange 2007 SP1. While it wasn't that difficult to install everything manually, it would have saved some time for me if I had this before my upgrade.

Last night I completed the upgrade and decommissioned the old W2K3 DC, Exchange and Edge servers.

Please let me know if you have any issues with the blog. The migration went very smoothly and I don't anticipate any problems.

Friday, March 7, 2008

Getting Networking to Work in Hyper-V Beta

First, I thoroughly recommend reading Ben Armstrong's article, "Understanding Networking in Hyper-V," for an explanation of how networking changes on a Hyper-V enabled host. He explains that the real NIC on the host is converted to a virtual network switch and a new virtual NIC is created on the host to access the network using the virtual switch.

Sometimes networking doesn't get set up properly on the host when the Hyper-V role is installed. Here's how to fix it:


When networking is not configured properly after Hyper-V is installed, you'll see only the one physical adapter in Network Connections (assuming, of course, that you have only one network adapter).


1. Open network properties of the NIC and uncheck all the connections on the adapter (Client for Microsoft Networks, IPV4, IPV6, ...everything) and click OK. Obviously, this will disrupt network communication to and from the server, so plan this work accordingly.


2. Click Virtual Network Manager in the Hyper-V console and create a new external network bound to the real NIC. This will convert the real NIC on the host to a Microsoft Virtual Switch and create a new virtual NIC for the host to use for its network adapter (see step 4).


3. In each Hyper-V guest, select the External Virtual Network for the VM's network adapter.


4. Back on the host, you will now see two NICs in the Network Connections window. Local Area Connection (the original real NIC) is now a Microsoft Virtual Switch and is using only the Microsoft Virtual Network Switch Protocol. You will also see a new virtual NIC (usually named "Local Area Connection 3," in my testing). I've renamed it here to Virtual Local Area Connection.


5. Open the properties of the new virtual NIC and re-IP it to its original static IP address.


6. Verify that the host has network connectivity, and then check your VM guests for connectivity.

Let me know if this helps you.

Wednesday, March 5, 2008

How to Add SMTP Verb Commands to ISA Server 2006

If you have an ISA 2006 server between a Microsoft Exchange 2007 Edge server and the Exchange Hub Transport server, you may have a problem where messages queue on the Edge with 500 5.1.1 "unrecognized command" errors.

This Microsoft article partially explains how to resolve the problem. When the Edge Transport server tries to send mail through Microsoft Internet Security and Acceleration (ISA) Server 2006, with SMTP filtering or Secure SMTP (SMTPS) filtering enabled, the SMTP filter blocks the communication. You fix this by either disabling the SMTP filter on the ISA server or adding the verbs (and optionally their maximum length) to the SMTP filter.

What the article doesn't say is which verbs to add or their maximum length. Well, here they are:

  • PIPELINING

  • DSN

  • ENHANCEDSTATUSCODES

  • STARTTLS

  • X-ANONYMOUSTLS

  • AUTH

  • X-EXPS NTLM

  • 8BITMIME

  • BINARYMIME

  • CHUNKING

  • XEXCH50

  • SIZE

All the verbs have an empty maximum length except for possibly SIZE. That should be set to the maximum message size allowed in your org in bytes (for example, 10485760 for 10MB).

Tuesday, March 4, 2008

How to Enable Autologon in Windows Server 2008 Workgroup Servers and Windows 7 Computers



Update: I've confirmed that the following procedures also work for Windows 8 and Windows Server 2012.
 

Click here for instructions for enabling AutoLogon for Windows Server 2008 member servers and Windows 7 member workstations.

There may be times that you want/need to enable Autologon for Windows computers and servers.  Examples may be lab machines or kiosks.  Here's how to do it:
  • Click Start, then Run, and enter control userpasswords2
  • Clear the checkbox for Users must enter a user name and password to use this computer and click OK. If this checkbox is missing, see my article about enabling AutoLogon on member servers and workstations.
  • Enter the user name and password that will be used for Automatic Logon and click OK
When the computer starts up the account you specified will be logged in automatically. Note that the password is encrypted on the computer.

This tip works for Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.


Since you're here, be sure to check out my article about building a super-fast Windows Server 2012 lab server for under $1,000!

40% off code for new Microsoft Technet Subscriptions



Here's a 40% off code for NEW Microsoft Technet Subscriptions. It will work with either the Direct or DVD option.

Use coupon code: TMSAL06

Good article on the SCOM Root Management Server function

The Operations Manager Product Team posted a good article explaining the role and purpose of the SCOM Root Management Server (RMS).

Microsoft could do better in the business continuance/disaster recovery arena by providing a simple wizard to automate the promotion/demotion of the RMS.

In my experience, most DR scenarios usually involve a site failure (power or network) that simple clustering won't resolve. The steps required to failover to a remote site (importing the RMS keys and updating the agents) currently require someone with sufficient rights to follow a separate DR procedure document. It would be nice if this could be done from the GUI (where most of the admins live). This would facilitate the DR process when resource and time constraints are most critical.

Monday, March 3, 2008

Temporary fix for "Performance Module could not find a performance counter"

The SCOM Team has posted a temporary fix for the "Performance Module could not find a performance counter" we've all been seeing after applying SCOM SP1.

Check out this post on the Operations Manager Product Team blog.

Automatically Reset the FTP Service in Windows Server 2008


One of the more popular tips I've posted is, "How to automatically reset the FTP service," in Windows Server 2003. This tip is useful for public FTP sites where bad guys are trying to hack in, usually using a dictionary attack.

Doing the same thing in Windows Server 2008 is slightly different and has an important caveat - It will not work with the Microsoft FTP Publishing Service for IIS 7.0 yet. It will work fine if you use the standard FTP Publishing Service, included on the Windows Server 2008 DVD.

As in my original post, create a batch file named C:\Scripts\ResetFTPService.bat, as follows:
net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc
The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, use the Windows Server 2008 Task Scheduler:

  • Right-click Task Scheduler (under Configuration in Server Manager) and select Create a Basic Task

  • Name the task, "Reset FTP Service" and click Next

  • Choose When a specific event is logged as the Task Trigger, click Next

  • Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next

  • Select Start a program and click Next

  • Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next

  • Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish

  • In the Properties window select Run whether user is logged on or not and Run with highest privileges

  • Click OK

  • Enter the User name and Password for running this task

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.
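The same event-triggered task can be registered from the command line instead of the wizard. The following script is an added example, not from the original post: it first lists recent IIS-FTP event 100 entries with wevtutil (so you can see how often the trigger would fire) and then creates the task with schtasks.exe using the same XPath filter. It assumes C:\Scripts\ResetFTPService.bat exists as described above and, unlike the wizard steps, runs the task as LocalSystem so no stored password is needed.

```powershell
# Added example (not from the original post): register the "Reset FTP Service" task
# from the command line. Assumes C:\Scripts\ResetFTPService.bat exists as in the post.
$TaskName = 'Reset FTP Service'
$Script   = 'C:\Scripts\ResetFTPService.bat'

# One XPath filter serves both the log query and the task trigger:
# System log, provider IIS-FTP, event ID 100 (the failed-logon event the post keys on).
$Query = "*[System[Provider[@Name='IIS-FTP'] and EventID=100]]"

# Show the 10 most recent matching events, newest first, to gauge the attack volume.
& wevtutil.exe qe System "/q:$Query" /c:10 /rd:true /f:text

# Create the task: ONEVENT trigger on the System channel, run as LocalSystem with highest
# privileges (runs whether or not anyone is logged on). /F overwrites a task of the same name.
& schtasks.exe /Create /F /TN $TaskName /TR $Script /SC ONEVENT /EC System /MO $Query /RU SYSTEM /RL HIGHEST
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# Verify the stored trigger and run-as account.
& schtasks.exe /Query /TN $TaskName /V /FO LIST
```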

Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.

Saturday, March 1, 2008

You can't get there from here...


This weekend I'm starting the migration of my production network from Windows 2003 servers running VMware for virtualization to Windows Server 2008 with Hyper-V.
I have it all planned out like this:
  • Clone my existing W2K3 VMware VMs (DC and E2K7) to a USB drive

  • Convert the VMware VMs to VHDs using System Center Virtual Machine Manager 2007

  • Mount the VMs on my new isolated W2K8 host; test

  • Create a new W2K8 DC VM to upgrade the domain

  • Create a new W2K8/E2K7 VM and migrate all the mailboxes to it

  • Decommission the W2K3 DC and E2K7 VMs

  • Test the new environment

  • Move my blog and websites to the new W2K8 host

  • Turn off my old W2K3 box and re-IP the W2K8 server with the W2K3 server's IP. This will put it into production.

  • Test the web, Exchange, OWA environment again

  • Drink a beer to celebrate. OK, there might be some pre-celebration drinking throughout the process...

By following this plan, I'll minimize downtime to a few minutes and I'll always be able to roll back to the old server simply by turning it back on.

Sounds like a good plan, but here's why it won't work -- the only tool that can convert VMware VMs to VHDs is Virtual Machine Manager 2007 (Hyper-V can't do this on its own), but VMM 2007 can't create or convert x64 VMs. Both my DC and E2K7 server are 64-bit, so at this time there's no way to get there from here. I only wish I'd have remembered this before I spent 4 hours configuring the VMM2007 server and domain. Doh!

By the way, the failure I got during the x64 VM conversion was on step 1.5, "Make operating system virtualizable." This happened right after the plug and play system reported it was "Installing Microsoft Virtual Server Storage devices."

Microsoft Virtual Machine Manager 2008 is expected to create and convert 64-bit guests, but the earliest bits won't be available for it till around March.

So, my updated migration plan is this:

  • Clone my existing W2K3 VMware VMs (DC and E2K7) to a USB drive as backups

  • Build a new Windows Server 2008 Hyper-V host

  • Introduce a new W2K8 DC Hyper-V guest into the domain

  • Create a new W2K8/E2K7 Hyper-V guest

  • Configure a new Edge server on the W2K8 host

  • Migrate all the mailboxes from the old E2K7 server to the new one

  • Decommission the W2K3 DC and E2K7 VMs

  • Test the new environment

  • Move my blog and websites to the new W2K8 host

  • Turn off my old W2K3 box and re-IP the W2K8 server with the W2K3 server's IP. This will put it into production.

  • Test the web, Exchange, OWA environment again

  • Commence said beer drinking celebration