Thursday, December 13, 2007

Fixing the Automatic Updates Service

Sometimes I suspect that my users have maliciously found a way to avoid having to deal with Restart prompts by sabotaging the Automatic Updates service. On some of the machines I keep running into errors when trying to start the Automatic Updates service. The solution I found on Microsoft's site at:

Basically you can make a batch file to run on the client machine. I dump it on their c:\ drive and then use Dameware to open a remote command prompt on the client and run the batch file directly. Alternately you could tell the user to run it or put it into a logon script temporarily.

Sunday, December 9, 2007

Symantec - Veritas backup exec 11 second impression

When backup exec 11 first came out I had been ready to upgrade to it right up until I read the message boards. The boards were full of hate and frustration due to bugs, lack of exchange 2007 support, the recent shift of tech support to somewhere in BFE, and the breaking of many features that used to work when it was still veritas. So a year and a service pack and a few hotfixes later, I'm taking the plunge. Their license management site gave some minor difficulties but overall wasn't as bad as my previous experiences with it.
Installation breezed through and the LiveUpdate window was a welcome change from the old patch system. Once I confirmed that all my backup jobs were still there I uncrossed my fingers and started upgrading the remote agents. They've added a new remote agent utility which adds a GUI to the remote agent and publishes current IP and port information back to the media servers at regular intervals. Hopefully this'll make it easier for it to keep track of servers outside the firewall or in the dmz.
All in all I'm cautiously optimistic about this upgrade.

** If you're upgrading exchange 2k7 to SP1, pay close attention to the readme when it talks about remote streaming support. I've seen this pop up on some of the boards with backup exec and exch 2k7 when doing individual mailbox restores.


**Update** Had some weirdness with the jobs that were scheduled from policies. I deleted the jobs from the policies menu and recreated them so we'll see if it works better tonight.

Thursday, December 6, 2007

Minimizing the Word 2007 Ribbon

Seems basic enough I know but those are the features that we often can't find because they're so simple but still elusive at times. Some of our users who run lower resolutions weren't happy with the new super sized ribbon that comes with office 2007. Simple fix, set the ribbon to minimize.



Voila, you're done.

Friday, November 30, 2007

Finally got rid of those annoying SSL Security Prompts for outlook 2007/exchange 2007

So the new Exchange 2007 FE and BE system's been up and running fine for a few months now and I finally decided to fix that damn security prompt for the certificates. Essentially I needed a certificate that could handle the Back End server's FQDN and NetBIOS name, the front end's FQDN and NetBIOS name, the Autodiscover DNS name, the SMTP DNS name, and the whole email domain name. Found a few articles at the usual places (Tom Shinder's pages/forums, petro.co.il, etc) and started building out the syntax needed. There seem to be different priorities on what's included but my final one was: (and the one that worked mind you since Entrust barfed the first try back out at me)

New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, O=MyCompanyNameHere, CN=FESERVER.YOURDOMAIN.com" -DomainName FESERVER.YOURDOMAIN.com, exchange.YOURDOMAIN.com, autodiscover.YOURDOMAIN.com, FESERVER.ADsubdomain.YOURDOMAIN.com, FESERVER, BEServer.ADsubdomain.YOURDOMAIN.com, BEServer -PrivateKeyExportable $true -keysize 1024 -path c:\certrequest_FESERVER.cer

(the subdomain was for the internal DNS names since Active Directory is a sub-DNS domain)

Also make sure the CN matches the first server name in the DomainName section if you want ISA to work with this.

Now take your .cer file and head over to Entrust and get a "Unified Communications Certificate". http://www.entrust.net/ssl-certificates/unified-communications.htm
Follow the instructions and keep in mind they require a separate contact for Technical and Authoritative for security.
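
An added example (not part of the original post or of any vendor tooling): once the issued certificate is imported, this PowerShell function checks that every name from the request made it into the Subject Alternative Name list, that the CN matches the first name as ISA needs, and reports the key size. The function name, the 2048-bit floor and the throwaway self-signed test certificate are assumptions of the example, and the SAN parsing assumes an English-language Windows.

```powershell
# Added example: validate an issued certificate against the requested name list.
function Test-ExchangeCertNames {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$RequiredNames,   # same order as -DomainName in the request
        [int]$MinKeySize = 2048     # assumption: floor used for this check
    )

    # The Subject Alternative Name extension is OID 2.5.29.17.
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        # On English Windows, Format() renders "DNS Name=host1, DNS Name=host2".
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() })
    }

    # Any requested name that is absent will still raise the Outlook prompt.
    $missing = @($RequiredNames | Where-Object { $sanNames -notcontains $_.ToLower() })

    # The post notes that ISA wants the CN to equal the first name in the list.
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    $keySize = $Cert.PublicKey.Key.KeySize

    New-Object PSObject -Property @{
        CommonName          = $cn
        CnMatchesFirstName  = ($cn.ToLower() -eq $RequiredNames[0].ToLower())
        SanNames            = $sanNames
        MissingNames        = $missing
        KeySize             = $keySize
        KeySizeOk           = ($keySize -ge $MinKeySize)
        NotAfter            = $Cert.NotAfter
    }
}

# Names taken from the request in the post (placeholders as written there).
$names = 'FESERVER.YOURDOMAIN.com', 'exchange.YOURDOMAIN.com',
         'autodiscover.YOURDOMAIN.com', 'FESERVER'

# Constructed sample input: a throwaway self-signed certificate that
# deliberately omits the NetBIOS name, so the check has something to report.
$test = New-SelfSignedCertificate -DnsName $names[0..2] `
            -CertStoreLocation Cert:\CurrentUser\My

Test-ExchangeCertNames -Cert $test -RequiredNames $names | Format-List

# Clean up the sample certificate.
Remove-Item "Cert:\CurrentUser\My\$($test.Thumbprint)"

# For the real certificate, pass the item from the machine store instead
# (<thumbprint> is a placeholder):
# Test-ExchangeCertNames -Cert (Get-Item Cert:\LocalMachine\My\<thumbprint>) -RequiredNames $names
```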

Sunday, November 25, 2007

Endpoint kills remote access connection manager (Error 5: Access is denied)

To add to the fun, the uninstaller for Endpoint doesn't always get rid of all the problems that came with it. In one case, all the remote access services crapped out so VPNs were unavailable. If you try to create a new VPN, the window options all gray out. I saw a solution on the Symantec boards which recommends doing a full manual uninstall.
https://forums.symantec.com/syment/board/message?board.id=endpointcust&thread.id=1844
Uninstall instructions:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007073018014248?Open&src=ent_gold_nam
One user did comment on this blog that reinstalling Endpoint resolved issues that another admin he knew was experiencing. You may want to try that or a combination of a full uninstall/reinstall, etc.

Wednesday, November 21, 2007

Multiple VLANs behind an ISA 2006 firewall fun

Scenario: Introduce a couple of VLAN's into the internal network.
Objective: Full communication between segments, internet access for all VLANs.

The first part was easy, I got a Layer 3 switch in to handle all the routing between VLANs. If your company is cheap like mine they probably won't let you buy all VLAN switches at the same time so to start out, you can just do a port based setup so the old dumb switches don't know they're on a VLAN. (i.e. port 48 - vlan 20, port 47 vlan 30, etc and cascade dumb switches on).

Then came the problem of getting ISA to allow them to go out onto the Internet. ISA didn't want to add the other subnets to the network definition for "INTERNAL" because it didn't think those subnets were attached to it. ISA doesn't do VLANs very well and I couldn't just add another NIC for every VLAN. The solution: add a permanent static route from the command line on the ISA server that points to the layer 3 switch's IP. Once there's a static route set up, ISA will allow you to add those subnets to the network definition for "INTERNAL". Now you can set up your firewall rules to allow internet access, etc. Since all IPs show up as coming from their original subnet, you can set granular policies on traffic per subnet if you set up address ranges.

Friday, November 16, 2007

Installing XP on an Optiplex 755

Similar problem to what I ran into on the D630's. XP just doesn't like the new AHCI mode for SATA controllers. Go to BIOS -> Drives -> SATA Operation and change it to RAID Autodetect/ATA mode instead. Of course, this only affects you if you bought the desktop with the "Vista" operating system preloaded. For now it just makes better financial sense to buy it with Vista and take liberal use of downgrade rights until we're ready for a full rollout.

x64 SQL 2005 native client error during installation

Apparently the SQL 2005 x64 Standard DVD installs some screwed up version of the Native Client which causes the whole installation to barf. After searching a lot of forums the solution that worked for me was to rip out the whole thing, download the x64 native client from http://www.microsoft.com/downloads/details.aspx?familyid=DF0BA5AA-B4BD-4705-AA0A-B477BA72A9CB&displaylang=en and then I rebooted and ran the installer again and it worked fine.

Tuesday, November 13, 2007

Why I'm beginning to hate Symantec

Normally my blog is about recanting the rituals and animal sacrifices necessary to resurrect dead systems from the great bit bucket in the sky. Today however we'll take a small departure and go over why I'm beginning to hate Symantec. Now don't get me wrong, I've used products from other companies like mcafee and Avert and Nod and some of those ones named after small asian furry creatures and I've yet to meet any that could catch all viruses all the time. And now that malware, spyware, and adware have joined the fray they're all starting to seem pretty sucky. You begin to miss all that extra computing power that you lose when you have to run 2 or 3 different programs on your home box just to feel remotely safe.

So anyway I got an email blast from Symantec today notifying me that I automatically am getting an upgrade to the latest and greatest successor to the Enterprise Edition of their A/V solution. Now I've found that the old 10.2 was pretty decent, didn't cause many problems, and caught just enough junk that it wasn't worth the time to evaluate other vendors. So I went and downloaded "Symantec Endpoint Protection" and loaded it onto some test machines. Machine 1: Loaded fine, rebooted okay. It killed skype and windows search - generated nice pretty crash errors in each program. Machine 2: Loaded fine, rebooted okay, and caused the VPN connection that never ends. Literally, had to reboot the machine to get it to let go. Resolved by ripping out the driver for "teefer2" on each NIC. Machine 3: Loaded and left for the day.

The new management console for administration has a nice GUI and gives you access to some nice data like who's logged into each client PC, MAC info, ram, etc. More bells, whistles, creates custom deployment packages, makes expresso, slower than a dead snail. I'll give it a few more days before I have to give up and wait until the next release to try again.

Other reasons why I'm beginning to hate Symantec:
1. What they did to Backup Exec.
2. What they did to Backup Exec technical support.
3. Their licensing site. (how hard is it to just show me all my licenses without having to enter in my friggin serial # each login?)
4. Symantec Endpoint
5. The online knowledgebase for product support.
6. What they did to Backup Exec.

UPDATED: I went ahead and used the Endpoint Protection Manager to create a separate deployment package for my Developers and Technical sales guys. This package only has the A/V, Antispyware but leaves out the network threat protection. This is working out much better for now.

Tuesday, November 6, 2007

RIP - Hyperterm

So I'm finally playing around with Vista on the old laptop. I got a new switch in and hooked up the COM ports and went to fire up HyperTerm. To my dismay, it was gone. Good old sweet, gentle but stupid and rickety HyperTerm. I'll admit, it was never the most powerful terminal solution out there but you could always depend on it being installed on every windows box. My only theories are that either that extra 29KB would've pushed the Vista ISO past a single DVD, or that it was deemed a security hazard, or that they couldn't figure out how to let it open a COM port securely.

Alas, I had to fall back to Putty http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
which is a very reliable SSH/Telnet/Serial client. No installation required, just copy/paste and play.

Monday, October 22, 2007

sql 2005 sp2 921896 failed

Well, I ran into a nice issue while trying to install SQL 2005 SP2 on a server that already has Hotfix 921896 installed. A big blaring error which causes the database engine upgrade to abort and generates a new level of headache. After much, much searching I found a workaround on the MSDN forums for it. Apparently the fix is to go through with the SP2 update and let it error out, then change a registry key to fool the system into thinking that everything's cool and re-run the service pack again. The second time I ran the SP2 update, the database engine was updated properly.

"Even when you complete the installation, the parameter Resume (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftSQL\Server\MSSQL.1\Setup) in the registry stays at 1 instead of 0. You have to change it to 0 and then it works." - markwyz1

See the last post on this page: https://forums.microsoft.com/MSDN/ShowPost.aspx?PageIndex=9&SiteID=1&PageID=9&PostID=1249824

You may ask why I'm reposting the whole solution here. To put it simply, there's not a whole lot of references to this fix on the web but there are a whole lot of hits with no solution.

Tuesday, October 9, 2007

Installing WinXP on a Dell D630 laptop that came with Vista

*UPDATED 12/19/08* - There are now three ways to go about this. See below for the updated link
Seems like it would be straightforward and easy. I mean, we ghost image and load up latitudes every week with no problem. Lo and behold, a new curve ball from Intel/Microsoft/Dell - "Flash Cache" (http://en.wikipedia.org/wiki/Intel_Turbo_Memory) and "AHCI"(http://en.wikipedia.org/wiki/AHCI). If these two things are enabled, then you get a pretty Blue Screen during bootup. Apparently the new Flash Cache is like the "ReadyBoost" feature that we see on newer USB drives where data is cached from the hard drive to speed up access. In this case, the cache is built into the laptop hardware and I'd imagine is a good deal faster. Unfortunately XP doesn't seem to have a clue what to do with it and it is a feature that is unlikely to be supported in XP as MS is really pushing Vista. And due to legacy apps we have to support, we're stuck with good old rock solid XP for now.

Before I ramble on too far, here's the skinny of it, go into BIOS -> SATA Operations and set the mode to ATA instead of AHCI. If Flash Cache is enabled, you have to turn that off first in BIOS before it'll let you modify the AHCI setting. Then Voila, XP is happy.

Updated 12/19/08 Alternately you can build a XP CD with the Intel Storage Manager drivers integrated into it. I recommend using nLite and follow the instructions at this site:
http://www.msfn.org/board/index.php?showtopic=107504
I have tested this and was able to create a XP SP2 volume cd with these drivers integrated.

Updated: See link in the first comment below to the Dell forums from. (Thanks go out to 'bro_tayo' for his workaround.) I tested this out on a D630 this morning (2/1/08) and was able to get it to run now with AHCI and Flash Cache enabled. I also went ahead and installed the latest Intel Storage Manager on top of it just as a precaution. The version that Dell and Lenovo currently are pushing is 7.0.0.1020 whereas Intel has 7.8.0.1012.

Links:
Bro_Tayo's Post:

http://www.dellcommunity.com/supportforums/board/message?board.id=insp_harddrive&thread.id=61287&c=us&l=en&cs=19&s=dhs

Lenovo page for the procedure mentioned in Bro_Tayo's post:

http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-62909
(That link appears to be dead.) Possible alternate:
http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-70477


Intel's latest version of the Storage Manager:

http://downloadcenter.intel.com/filter_results.aspx?strTypes=all&ProductID=2101&OSFullName=Windows*+XP+Professional&lang=eng&strOSs=44&submit=Go%21#UTL

Tuesday, October 2, 2007

can't update timesheets in project server 2003

Scenario: You've published your project to Project Server 2003 and your resources don't seem to be able to update their timesheets. They were able to last week but this week some of those time fields are greyed out. Only tasks that were changed this week seem to be affected so not all users and tasks were affected.

Option 1: Take your Microsoft Project Server out back and shoot it. (oddly enough, this is often the solution that comes to mind first for all Project Server issues).

Option 2: Log into Project Web Access as an Admin. Go to the Admin menu, then on the left click on Customize Project Web Access. Make sure "Hours of work done per day or per week" is selected. This setting on my server 'magically' changed sometime last week and all projects that were republished since then have this problem. Change this setting and click the save button at the bottom. Then open the affected projects with Project 2003 Pro and go to Publish -> Republish Assignments and click OK. (Yes, you need to republish ALL assignments).

I found this solution while googling so props go out to Dale Howard of msprojectexperts.com (as of 2004 when the newsgroup post occurred).

Friday, September 28, 2007

WinDirStat

While reading through this month's "Windows IT Pro" magazine (www.windowsitpro.com/), I spotted this WinDirStat (http://windirstat.info/) listed in the free utilities section. This utility will scan a drive and all its directory structures, then graphically show you where all the space on it is being used. It shows you the breakdown per directory tree and what percentage of space is used by each filetype on the drive. You can click on any of the 'boxes' in the visualization it creates at the bottom of the application to zoom right down to the location on the drive it represents. Needless to say this is now going to be a standard tool to be installed on my file servers.

Download link: http://sourceforge.net/projects/windirstat/

Sunday, September 16, 2007

IronKey review

I've been playing around with the new Ironkey USB drive this week and it's pretty impressive. Sure we've all played with the software encryption options on normal USB drives and the ability to run apps off the drive is old hat to U3 users but the introduction of hardware based encryption into the sub $100 market is a nice change.
For those of you who haven't the faintest idea what I'm talking about, check out Ironkey's website at https://www.ironkey.com/. It has an AES 256 cipher chip in it and automatically destroys itself after 10 consecutive bad password attempts. Yes, I said destroy - your data will be forever lost. The drive comes preloaded with a locked down version of Firefox and you have the option of using their secure network as a proxy to surf the web anonymously.
Of course, it doesn't hurt that it's waterproof and has a solid metal casing that feels pretty sturdy.
Overall it seems like a fairly secure device but if you're not feeling that paranoid, you can always use software based options like Truecrypt (free, easy to use) http://www.truecrypt.org/

Sunday, September 9, 2007

Exch2k7 Event 1035 - Inbound Authentication Failed

So shortly after upgrading our Exchange system to 2007, I started having trouble receiving emails from this one company. The following error would not go away and all other servers out there in the web that we sent mail to or received mail from had no problems. Even though Anonymous access was enabled on my Hub Transport server, the other server kept trying to authenticate with us.

Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1035
Date: 6/29/2007
Time: 11:17:42 AM
User: N/A
Computer: EXCHANGE2007
Description:
Inbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE2007. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is .

So after many unsuccessful searches on the web, the Microsoft newsgroups, etc I finally wound up using the empirical method and tried disabling some of the authentication methods. I restarted the Hub Transport service after each test to make sure the settings kicked in and voila the error went away. In the end, I wound up disabling the "Exchange Server authentication" and the "Integrated Windows authentication" options under Authentication under the Default Receive connector on my Hub Transport server. Since I don't have multiple Hub Transport servers this won't affect my environment for now and hopefully by the time I do it won't matter.

Thursday, September 6, 2007

Connecting to a Nortel RCC database for third party reporting

The Nortel Reporting for Contact Center server uses mysql for its local database of call activity. Should you want to log in to it and check the tables, you first have to find out what port it is on, dig through the installation scripts to find the username and password, etc. As of v2.4.344.1.61, here's the info to save you some time:

1. Test that you can connect to it with mysql itself. CD to the bin folder of the mysql install on the RCC server.
2. mysql --port=3309 --user=rccuser --password
3. It will then prompt you for the password which can be found in the "AddUser.scr" file (open with notepad) located at Program Files\Nortel\Reporting for Contact Center\RunOnce. It will be surrounded by ' and located after the username which is rccuser
4. Once you are logged in, type in show databases; (always end in semicolon). This will show you all the databases.
5. Type in use ccrdb;
6. Then use show tables; to display the tables.

Now that you've confirmed that the port, username and password you have will work, you can use Crystal or some other reporting package that supports mysql connections to generate your own reports.

Friday, August 31, 2007

Exchange 2007 powershell - enumerate all members of all distribution groups

Updated 4/22/08 - Fixed missing characters lost in previous upload

So I had a request to generate a report showing all Email Distribution Groups and the members of each group. I'm currently learning PowerShell so it worked out well for practice. My first approach was to just build a generic one for any Active Directory group and OU, etc but after a few roadblocks I wound up at the right way to build it using the built-in Exchange 2007 cmdlets.

# Enumerates all members of all Distribution Lists in Exchange 2007. Uses cmdlets from exch2007
# Updated 4/22/08
# By: Gnawgnu

#first get all distribution lists
$dl = get-distributiongroup

#prepare an output file
$currDate = get-date
#write-host sends nothing down the pipeline, so pipe the string itself to the file
"Email groups as of: $currDate" | out-file 'c:\temp\emailgroupmembers.txt'

#then enumerate through them all and get all group members.
foreach ($group in $dl) {
    $groupName = "Group Name: " + $group.name
    write-host $groupName -foregroundcolor Green
    write-host "Owner: " $group.ManagedBy.Name -foregroundcolor Green
    $groupName | out-file -append 'c:\temp\emailgroupmembers.txt'
    $group.ManagedBy.Name | out-file -append 'c:\temp\emailgroupmembers.txt'
    $dlgm = get-distributionGroupMember $group.name.ToString()
    #fw is the alias for format-wide
    $dlgm | fw | out-file -append 'c:\temp\emailgroupmembers.txt'
}

Yeah, I know some parts could be optimized more but this script works. Have fun with it.