Showing posts with label Sys Admin. Show all posts

Tuesday, June 28, 2011

Released: Update Rollup 4 for Exchange 2010 SP1

This update contains a number of customer-reported and internally found issues since the release of RU1. See 'KB 2509910: Description of Update Rollup 4 for Exchange Server 2010 Service Pack 1' for more details. In particular we would like to specifically call out the following fixes which are included in this release:

  • 2519359
    Unable to Create a 'Reply With' Rule on Public Folders Even With Owner and Send As Permissions
  • 2394554
    Generating DSN fails if original mail uses non-support encoding charset.
  • 2490134
    Outlook 2007 does not deliver "Delayed Delivery" Messages against an Exchange 2010 Server in Online mode with any additional Transport loaded in the Outlook Profile

Read and Share–28 June 2011

 

Windows 8 to RTM in April 2012
http://www.zdnet.com/blog/microsoft/not-so-crazy-microsoft-rumors-windows-8-to-rtm-in-april-2012/9823 

Use Group Policy to enforce Office 2010 settings
http://technet.microsoft.com/en-us/library/cc179081.aspx

Combine PowerShell Modules to Avoid Writing Scripts
http://blogs.technet.com/b/heyscriptingguy/archive/2011/06/28/combine-powershell-modules-to-avoid-writing-scripts.aspx

Wednesday, May 25, 2011

The system administrator has set policies to prevent this installation

While trying to install an MSI, the following prompt appears:

[Screenshot]

and the following event is logged in the event log:

Event ID – 7000

c:\downloads\filename.msi is not permitted by software restriction policy. The Windows Installer only allows installation of unrestricted items. The authorization level returned by software restriction policy was 0x0 (status return 0x800b010c).

Resolution

This error means that there is a revoked certificate in your certificate repository from the maker of the software you are trying to install. Once the revoked certificate is deleted, the installation will work fine.

To remove the revoked certificate, follow the instructions below.

Open Internet Explorer, go to Internet Options –> Contents –> Certificates –> Untrusted Publishers –> Remove the publisher.

In my case it was Quest Software.

Close Internet Explorer and try the installer, it should work fine now.
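
Untrusted Publishers is an explicit distrust list, so it helps to confirm which entry actually matches the installer's signer before removing anything. The following is an added example, not part of the original post: it compares the MSI's signing chain against the per-user and per-machine Disallowed stores (the stores behind the Untrusted Publishers tab). The path is the placeholder from the event text above.

```powershell
# Added example: identify which Untrusted Publishers entry blocks the installer.
# $msi is the placeholder path from the event text; point it at your installer.
$msi = 'C:\downloads\filename.msi'

$sig = Get-AuthenticodeSignature -FilePath $msi
if (-not $sig.SignerCertificate) {
    Write-Warning "No Authenticode signer found on $msi (status: $($sig.Status))."
    return
}

# Build the signer's chain without revocation lookups so the check works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($sig.SignerCertificate)
$thumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
if (-not $thumbs) { $thumbs = @($sig.SignerCertificate.Thumbprint) }

# The Untrusted Publishers tab shows the Disallowed store (per user and per machine).
$stores = 'Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed'
$hits = foreach ($store in $stores) {
    foreach ($entry in Get-ChildItem -Path $store) {
        if ($thumbs -contains $entry.Thumbprint) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $entry.Subject
                Thumbprint = $entry.Thumbprint
                NotAfter   = $entry.NotAfter
            }
        }
    }
}

if ($hits) {
    # Review these entries and why they were distrusted before removing any of them.
    $hits | Format-List
} else {
    Write-Output "No certificate in the signing chain of $msi is listed in Untrusted Publishers."
}
```

If nothing matches, the block comes from another software restriction policy rule and removing publishers will not help.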

Sunday, April 24, 2011

Windows 7 + RemProf = Windows XP + Delprof

I had been looking for a remote profile deletion utility for Windows 7 for a while. Microsoft provided Delprof for Windows 2000, XP and Server 2003, but it doesn’t work on any OS beginning with Vista. We are in the process of transitioning to Windows 7, and our user support guys make heavy use of Delprof because we use Roaming Profiles, which get corrupted or have other issues at times, or we simply need to clean a workstation. In the absence of Delprof, our user support staff has to log in to the workstation to clear its profiles, or log in to an XP virtual machine and use the command prompt for remote profile deletion.

While looking for a solution I found the following freeware utility:

RemProf: download it and look at the help file for more info.

Using it with PsExec, one can achieve what Delprof does and more. It makes a better Delprof alternative.

For example, if you need to delete only one user's profile from a workstation, you can use the following command:

psexec \\computername \\uncpath\remprof /L username

There are many more options; the following is from the help file that comes with it.

Usage:
REMPROF [/LIST|username|/A|/D:days|/AD:days] [/EXCLUDE:usernames] [/?]

/LIST - List all user profiles currently not in use (Default).
username - Delete user profile based on username.
/A - Delete all user profiles that have no username association
     including abandoned profile folders.
     i.e. The username has been deleted in Active Directory but
     a profile still exists in form of a SID or the profile did
     not unload correctly and a residue profile folder exists.
/D:days - Delete all user profiles equal to or older than the number of
     days specified. NB: /D: without a number is equal to /D:0.
     /D:0 will remove CURRENT user profiles not in use.
/AD:days - Delete all user profiles that have no username association
     and are equal to or older than the number of days specified.
     NB: /AD: without a number is equal to /AD:0.
/EXCLUDE:username/s - Exclude particular users from being deleted.
     Can accept multiple entries, seperated by comma.
     Must be last command line argument.
     Unassociated profiles cannot be excluded.
     Do not include the Domain Name.
/? - show this help file

REMPROF without parameters will execute the /LIST switch by default.

I find it a very useful tool, hope it helps you too.

Sunday, January 23, 2011

Cannot install an application over the network on Windows 7 or Server 2008 R2

When you try to install or run an application from a network share, you get the following error:

Application Error: The application was unable to start correctly (0xc000000f). Click OK to close the application.

To resolve this issue, download the following hotfix, install it and restart the computer.

http://support.microsoft.com/kb/978869

Thursday, December 16, 2010

MSI Manager–Redeploy Software Assigned by GPO

MSI Manager is a simple and great tool that allows you to reinstall software assigned by Group Policy. This is very useful when applications were not installed correctly due to a timeout or some other issue. If the install gets interrupted in the middle, it will not try to reinstall the software again.

To force a reinstall, one can manually do the following:

In the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt. There will be a key for each software package that has been assigned. To force a reinstall, simply delete the associated key and then run gpupdate /force on the target computer.

To achieve this quicker, use MSI Manager – click here to download and read more details.

Sunday, October 17, 2010

Replace SSL Certificate for Cisco Wireless Controller

I followed the process below:

  • Received a .p12 (PKCS#12) file from a 3rd party CA.
  • Imported it to a server that had IIS installed (this was just so I could export it to a .pfx file); this can be done using the OpenSSL converter.
  • From IIS, exported the certificate with all possible paths and the private key to a .pfx file.
  • Converted the .pfx to .pem using the following command:

OpenSSL> pkcs12 -in wlcssl.pfx -out wlcssl.pem

OpenSSL can be downloaded from the following link:
http://www.slproweb.com/products/Win32OpenSSL.html
Version 0.9.8o (Win32 OpenSSL v0.9.8o) is the only one that works for most WLCs – just this info would have saved hours for me.

More details: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml



  

Thursday, September 16, 2010

Reset trust relationship of a machine to the domain

Log in as local administrator.

Use the following command:

netdom resetpwd /Server:DCName /userd:domain\administrator /passwordd:*

Monday, September 13, 2010

Troubleshooting Daylight Saving Time Changes

It’s good to know a few facts before we go about troubleshooting DST changes.

By default the PDC in your domain becomes the time provider for the clients in the domain, so the first domain controller installed will become the Stratum: 1 time provider.

If the PDC was decommissioned and the role was transferred to a different DC, then it is necessary to run the following command on that DC to make it a Stratum: 1 time provider, or a reliable time source, for the domain.

w32tm /config /manualpeerlist:time.windows.com,0x9 /syncfromflags:manual /reliable:yes /update

The above command makes the DC, or any member server you run it on, a reliable time source for the workstations in a domain. Other DCs automatically become Stratum: 2 servers, which means that they get their time from the PDC and are also a time source for workstations, so they are client/servers.

For the DST changes to be applied correctly, first make sure that all clients have all current Windows updates installed, by WSUS or directly from Microsoft. If there are still issues with some computers, then see if the following helps.

  1. Try to restart the Windows Time service:

        net stop w32time && net start w32time

  2. If that doesn't fix it, then consider the following:
  • Make sure that the clients are configured to get time from the domain.

Run the following commands in the same order:

         w32tm /config /syncfromflags:domhier /update

         net stop w32time && net start w32time

  • Time zone related information is saved at three locations in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

And the Time service parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones" is often updated by Microsoft, and the changes are applied through Windows updates.

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" has the configuration for the time service, which includes where the machine should get its time from, whether this computer is a time server, a client/server or just a client, and much more.

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" holds the settings that do their magic for DST changes when nothing else works.

Problem Cases

  1. So you have already restarted the time service on a client and still it displays the wrong time.
  2. The event log says that the client is getting time from the correct DC, but the time is still displayed wrong.
  3. You have set the TYPE to NT5DS by running the command [w32tm /config /syncfromflags:domhier /update], which forces the clients to get the time from the PDC, but it is still displaying the wrong time.

Solution

Find a computer that has the correct DST applied, that is, a computer that doesn't have the problem.

Go to the registry and export the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

And make sure to add the following entry at the end of the exported reg file:

"DisableAutoDaylightTimeSet"=dword:00000000

This makes sure that "Automatically adjust clock for daylight saving changes" is checked (enabled), so you don't have the same issue.

Then create a txt file with the names of all computers that have the problem and use the following command to apply the changes (make sure to have PsTools installed):

psexec @txtfilewithcomputernames.txt -s regedit -s path\to\regfile.reg

Restart the computers

Hope it helps. Happy DST!!

Check the following for more info: http://support.microsoft.com/kb/914387

Wednesday, May 5, 2010

Add Trusted Sites in Internet Explorer – Keeping users’ existing list

I received a call from a colleague asking if we could add a few intranet sites to each user's Trusted Sites list. I said “Sure”, that should be easy, send the list of sites.

    Hmmm!! Easy!! Yea but not too easy.

    Because if I use a group policy for this, users won't be able to add any site to the list. That might be a great thing from a security point of view, but in our environment it's just not acceptable.

    So I had to think of a different method. While changing the Trusted zone settings manually, I used Procmon.exe to record the changes in the registry and found that the Trusted Zones are saved in the following location:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

    Now I felt better because there are many ways to deploy these settings but I used Group Policy Preferences. Easy and Clean.

    1. Added the intranet sites to my Internet Options – Trusted Sites

    2. Opened the existing GPO for Internet Explorer

    3. Navigated to User Configuration –> Preferences –> Windows Settings –> Registry

    4. Right-click Registry and choose New –> Registry Wizard.

    5. Select Local Computer –> Next and choose the domains or sites that you added under the registry location mentioned above.

    6. Make sure to tick/check all the values.

    That’s it! It will now apply to all users while they have their own list of Trusted Zones.
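
The same per-user entries can be written directly, which also shows what the wizard captures. This is an added example, not part of the original post: it adds sites under the ZoneMap\Domains key without overwriting mappings the user already has, then lists everything mapped to the Trusted sites zone. The host names are constructed placeholders.

```powershell
# Added example: add Trusted Sites entries under the per-user ZoneMap key
# while leaving the user's existing entries alone.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZone    = 2   # zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted

function Add-TrustedSite {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,   # e.g. example.com
        [string]$Subdomain,                              # e.g. intranet (optional)
        [string]$Scheme = 'https'                        # the value name is the URL scheme
    )
    $key = Join-Path $ZoneMapDomains $Domain
    if ($Subdomain) { $key = Join-Path $key $Subdomain }
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }

    $current = (Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
    if ($null -ne $current -and $current -ne $TrustedZone) {
        # Already mapped to a different zone by the user or another setting: report, do not overwrite.
        Write-Warning "$key [$Scheme] is already mapped to zone $current; left unchanged."
        return
    }
    New-ItemProperty -Path $key -Name $Scheme -Value $TrustedZone -PropertyType DWord -Force | Out-Null
}

function Get-TrustedSite {
    # List every mapping under the key that points at the Trusted sites zone.
    Get-ChildItem -Path $ZoneMapDomains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $regKey = $_
        foreach ($name in $regKey.GetValueNames()) {
            if ($regKey.GetValue($name) -eq $TrustedZone) {
                [pscustomobject]@{
                    Site   = $regKey.Name -replace '^.*\\ZoneMap\\Domains\\', ''
                    Scheme = $name
                }
            }
        }
    }
}

# Constructed sample hosts; replace with your intranet sites.
Add-TrustedSite -Domain 'example.com' -Subdomain 'intranet'
Add-TrustedSite -Domain 'example.com' -Subdomain 'wiki'
Get-TrustedSite | Sort-Object Site | Format-Table -AutoSize
```

Run it in the user's own context, for example as a logon script, because the key lives under HKEY_CURRENT_USER.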

    Wednesday, March 31, 2010

    List of Top Free Windows Administration Tools

    This is a comprehensive list of Windows Administration Tools available for free. There are some great detailed reviews of the tools; all of these reviews are written by Michael Pietroforte. I like his reviews as they are informative and honest.

    Windows Administration Tools

    The above is a precious collection for any Systems Administrator.

    Friday, March 12, 2010

    Error while importing option “6.” while moving DHCP database from Windows Server 2008 to another Windows Server 2008/2003 or 2008 R2

     

    To move DHCP from one server (2003/2008) to another you can use the following steps

    1. At the command prompt type netsh dhcp server export C:\dhcpdata.txt all , and then press ENTER.

    Note: You must have local administrator permissions to export/import the data.

    Configure the DHCP server service on the server that is running Windows Server 2008

    1. Add DHCP Server Role
    2. Make sure to Authorize DHCP while installing the Role.

    Import the DHCP database

    1. Copy the exported DHCP database file to the local hard disk of the Windows Server 2008-based computer.
    2. At the command prompt, type netsh dhcp server import c:\dhcpdata.txt all and press ENTER

    You might receive the following error:

    “Error while importing option “6.” “This option conflicts with the existing option “” An Internal Error Occurred.”

    It is because by default when you install DHCP Server Role, it puts the following entries in Server Options.

    006 DNS Server
    015 DNS Domain Name

    To fix the Error –> Just delete the above two entries from Server options and Run the Import DHCP database command again.

    Wednesday, January 13, 2010

    NPS Setting for SafeWord 2008 with Cisco Router

    When using Aladdin SafeWord 2008 with RADIUS authentication installed on Windows Server 2008, Network Policy Server (NPS) needs to be configured for RADIUS authentication with the router as RADIUS client. For Cisco routers the following authentication settings will work.

    Unfortunately the documentation for Aladdin SafeWord 2008 does not provide the following steps, so I decided to put it here for anyone who can benefit from it.

    After you have installed SafeWord 2008 successfully, made sure all SafeWord services have the startup type Automatic, and activated it, it is time to work on RADIUS authentication. The following steps describe the complete process:

    1. Open Start --> All Programs --> Aladdin --> SafeWord --> Configuration --> IAS Agent Configuration
      Under Authentication Policy click on Groups and make sure the following options are selected.
      [Screenshot]
    2. Steps below are for NPS settings
      * Open the NPS console, right-click RADIUS Clients and select the New RADIUS Client option.
      * Provide the following details based on your environment.
      [Screenshot]
    3. Go to Policies --> Network Policies (right-click and choose New) and follow the snapshots below.

      [Screenshot]

      [Screenshot]

      [Screenshot]
      Authentication methods are very important.
      [Screenshot]
      Click Next in all the windows after this and Finish at the end.
    4. Make sure that this newly created Network Policy is at the top and, if you want, disable all the other network policies listed by default.
    5. No need to touch the connection request policy already there.

    That's it!! NPS authentication with SafeWord 2008 should work fine now.

    Sunday, January 10, 2010

    Users cannot logon to the Terminal Server

    When users try to log on to the terminal server, they get the following error:

    Insufficient system resources exist to complete the requested service

    or their sessions just drop during the login process without any errors.

    In this case, one of the reasons could be that your terminal server is not handling memory usage correctly.
    Check the event log to see if you can find event 1500 and event 1508 for each unsuccessful logon attempt.

    If yes, then use the following method:

    To resolve this problem, modify the registry to increase the PoolUsageMaximum value and the PagedPoolSize value. To do this, follow these steps:

    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

    3. On the Edit menu, point to New, and then click DWORD Value.
    4. In the New Value #1 box, type PoolUsageMaximum, and then press ENTER.
    5. Right-click PoolUsageMaximum, and then click Modify.
    6. In the Value data box, type 60, click Decimal, and then click OK.
    7. If the PagedPoolSize registry entry exists, go to step 8. If the PagedPoolSize registry entry does not exist, create it. To do this, follow these steps:
      1. On the Edit menu, point to New, and then click DWORD Value.
      2. In the New Value #1 box, type PagedPoolSize, and then press ENTER.
    8. Right-click PagedPoolSize, and then click Modify.
    9. In the Value data box, type ffffffff, and then click OK.
    10. Exit Registry Editor, and then restart the computer.

    source: http://support.microsoft.com/default.aspx/kb/935649

    Friday, January 8, 2010

    Roaming Quick Access Toolbar

    Office 2007 is packed with useful new features, and the Quick Access Toolbar is one of them. The concept is not new, but the ease with which you can add buttons to the Quick Access Toolbar is what I would call a new feature. With the Quick Access Toolbar you can have a collection of frequently used commands at the top of the ribbon, in the title bar. To add an option to the Quick Access Toolbar, just right-click any command on the Ribbon in any Microsoft Office program and select the option “Add to Quick Access Toolbar”.

    Of course we all know that. We also know that this toolbar is actually saved as a file in your profile at the following location:

    "%USERPROFILE%\Local Settings\Application Data\Microsoft\Office\*.qat"

    All the files with the .qat extension are Quick Access Toolbars for the related application.

    When using roaming profiles this becomes an issue because, as you have noticed, the .qat files are in the Local Settings folder, which doesn’t get saved with the roaming profile. So to have all users’ Quick Access Toolbars in the roaming profile we need to do two things. First, the following registry DWORD needs to be created for each user.

    HKCU\Software\Policies\Microsoft\Office\12.0\Common\Toolbars

    New DWORD –> QuickAccessToolbarRoaming
    Value –> 00000001

    Above can be achieved in many ways, easiest of them could be to use Group Policy Preferences.

    The second step is optional because it is purely for user satisfaction. Users who have already added their favorite commands to the QAT will lose their settings once roaming is activated. To prevent that, you can add the following line to a logon script, or just create a new batch file and have it applied as a logon script for all users.

    move /Y "%USERPROFILE%\Local Settings\Application Data\Microsoft\Office\*.qat" "%APPDATA%\Microsoft\Office\"

    Sunday, January 3, 2010

    Send as permissions disappear – Exchange 2007

    You granted Send As permissions to an account from the Exchange Management Console in an Exchange 2007 environment and realize that an hour later the permissions have disappeared; in fact, any other explicit permissions that you granted through Active Directory have gone as well. This also becomes an issue for organizations using BlackBerry.

    Above is by design, read this for more details.

    To fix the issue:

    Remove the account from any of the following groups:

    • Administrators
    • Account Operators
    • Server Operators
    • Print Operators
    • Backup Operators
    • Domain Admins
    • Schema Admins
    • Enterprise Admins
    • Cert Publishers

    If that's not an option then see the work around in the following KB Article.

    http://support.microsoft.com/?kbid=907434 

    This applies to any version of Microsoft Exchange.
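
To find out which membership is causing the hourly reset, the following added example (not part of the original post) reports which of the groups listed above an account belongs to, directly or through nested groups, together with its adminCount attribute. It assumes the ActiveDirectory PowerShell module is installed; the account name is a constructed placeholder.

```powershell
# Added example: report protected-group membership for one account.
Import-Module ActiveDirectory

# Group names exactly as listed in the post above.
$ProtectedGroups = 'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
                   'Backup Operators', 'Domain Admins', 'Schema Admins', 'Enterprise Admins',
                   'Cert Publishers'

function Get-ProtectedGroupMembership {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # adminCount is set to 1 on accounts that the AdminSDHolder process has stamped.
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount

    foreach ($name in $ProtectedGroups) {
        try {
            # -Recursive also returns members that arrive through nested groups.
            $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop
        } catch {
            # Schema Admins and Enterprise Admins exist only in the forest root domain.
            Write-Verbose "Skipping '$name': $($_.Exception.Message)"
            continue
        }
        if ($members | Where-Object { $_.SID.Value -eq $user.SID.Value }) {
            [pscustomobject]@{
                Account    = $user.SamAccountName
                Group      = $name
                AdminCount = $user.adminCount
            }
        }
    }
}

# 'jdoe' is a constructed sample account name.
Get-ProtectedGroupMembership -SamAccountName 'jdoe' | Format-Table -AutoSize
```

An empty result with adminCount still at 1 means the account was in one of these groups earlier; the attribute is not cleared automatically when the membership is removed.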

    Sunday, December 27, 2009

    If Active Directory System Discovery does not work

    If you are using Microsoft System Center Configuration Manager and Active Directory System Discovery does not show new computers added to your Active Directory, then the following will resolve the issue.

    There is a bug in SCCM SP2 that does not resolve the LDAP query for newly added computer objects. To make it work:

    • Go to Site Management > Site Name > Site Settings > Discovery Methods
    • Go to the properties of Active Directory System Discovery
    • In the General tab, click the New button and choose Custom LDAP or GC query. The query should be based on the following (remember to check Recursive and Include Groups if needed):

      LDAP://SERVERNAME:PORT/DC=CONTOSO,DC=COM

    • To put the above in context: let's say your domain name is contoso.com and the name of the LDAP server is dc01.contoso.com; then the query will look like the following (389 is the default LDAP port):

      LDAP://DC01:389/DC=CONTOSO,DC=COM

    • If the same were to be done for an OU named Workstations in the above domain, the following query can be used:

      LDAP://DC01:389/OU=WORKSTATIONS,DC=CONTOSO,DC=COM

    Sunday, December 20, 2009

    Move DHCP scope from Windows Server 2000 to Windows Server 2003 or 2008

    Move DHCP from Server 2000 to 2003 or 2008

    http://support.microsoft.com/kb/325473

    Microsoft has a detailed step-by-step KB article on it. In brief:

    • Reduce the lease duration on server 2000 so the clients will renew their IP addresses and you will discover any issues more quickly.
    • Timing is important –> deactivate the scope on the old server before you import it on the new one.

    Here are the steps

    1. Download and install the DHCPExim utility on server 2000, it will not create shortcuts so access it from C:\Program Files\Resource Kit\
    2. Open command prompt and stop DHCP Service with the following command

      net stop dhcpserver

    3. Open DHCPExim.exe and follow the instructions to export the selected scope data to a txt file. You can choose to disable the scope immediately.
    4. Now on your server 2003 copy the txt file on the local drive and run the following command.

      netsh dhcp server import filepath\filename.txt all


    5. Authorize the new DHCP server

    Read this article for moving DHCP from server 2003 to server 2008


    Happy Upgrading!!

    Great freeware for Windows Administrators – ManagePC

    ManagePC is freeware that can be used by administrators and/or helpdesk in an Active Directory domain to manage remote Windows 2000/XP/2003 machines. The following is the feature list.

    ManagePC features

    • Retrieves important WMI data from machine
    • Remote control (via Remote Desktop, Remote Assistance or VNC)
    • Remotely manage machine (via MMC)
    • Reboot machine
    • Remotely edit registry
    • Stop/start services
    • Monitor and terminate processes
    • View local users and groups
    • Remotely uninstall software
    • Export data to Excel, HTML and RTF format
    • All retrieved data stored in XML files for history purposes
    • WMI Query Builder
    • No extra software required on client machines

    It does work with Vista and Windows 7 machines, but there are a few permission issues that need to be fixed, hopefully in the next versions. This open source software provides a comprehensive suite of remote management tools with no client or agent installed on the target machine. But make sure that PsTools is installed on the administrator’s machine for the uninstalls to work; specifically, PsExec is required for that task.

    Installation is very simple. Once the software is installed, read the help file; it's very brief. Happy Managing PCs!!!

    http://managepc.net/

    Tuesday, December 15, 2009

    Enable Wake On LAN (WOL) on all Dell PCs in your domain

    Wake on LAN can be very useful for all Systems Administrators and Helpdesk. Do you remember the last time all your users were asked to log off and none of them left their computers OFF? …….. No! Thought so.

    Well that can be solved, in my case I just have to deal with Dell computers so it was easy enough. I used the following method.

    1. Download and install the following utility from Dell on one of the computers
      Dell Client Configuration Utility
    2. Use the following instructions to prepare an exe file that can be deployed to all the Dell computers to modify BIOS settings to enable Wake on LAN.
      Create BIOS Settings Package
    3. Once you have the BIOS settings file, use GPO or PSexec to deploy it to all computers.
    4. And finally you can use a command line utility like WOL.EXE to wake up a computer (MAC address required)

    To get the MAC address, use the following command line:
    getmac /S computername

    The above is the most basic setup that can get anyone started with WOL. Like Dell, other manufacturers provide similar utilities to deploy BIOS settings, or in some cases WOL might already be enabled. If you have Lansweeper or Configuration Manager in your domain, then you can use these to wake up computers as well.