C7 Solutions Team Blog

Booting a Server with a USB Key

2009-07-08T15:40:00.001Z

There are numerous instructions on the internet for creating and booting a server with a USB key, but they were all complex or hard to read – even for a techy like myself.

So I thought I would rewrite a simple list of instructions to allow you to create a DOS bootable USB pendrive/key that you can use for any purpose (i.e. flashing BIOS's and other low level functions, as well as booting into other operating systems).

Download download bootable_usb.zip from www.lowfps.com. This is the website these instructions are based on, but I wanted something clearer than that.
Extract the download to a temporary location (i.e. C:\Users)
Run the HP bootable media.exe program and install the software.
Insert the USB key you want to use – it will get wiped during this process to backup its contents if needed.
Run the HP USB Disk Storage Format Tool from the desktop or Start Menu. If you are using Vista or later then you will need to run the program in elevated mode (right-click program and choose Run as administrator).
Select your USB key and choose to do format the key with the FAT or FAT32 file system. Choose Quick Format and select Create DOS Startup Disk. Pick the sub-option "Using DOS files located at" and select the same "DOS Files" subfolder in the location where you extracted the download too (C:\Users in my above example).
Click OK. The USB key will be wiped during this process and a copy of the core files for Microsoft Millennium DOS will copied to the key.
When complete copy to the key any files that you need to execute in DOS mode on the PC (for example I needed to update the BIOS on a x64 Windows Server 2008 Server Core installation running on a Dell Optiplex 755 and it said this was not allowed). The files you copy to the key must work in DOS though.
Shutdown the server and insert the USB key. You must do a hard reboot, a restart will not work.
Restart the server and press F12 to bring up the one-time boot menu (if you do not have this option then go into setup [Del or F2] and ensure USB booting is enabled and set to the primary option).
In the boot menu choose the USB key option.
From the C:\ prompt run the programs you need to start. Note that this is old style DOS and not the Command Prompt in later versions of Windows – so no command completion using the TAB key. So place the files in or near the root folder.

Windows Backup Failure on Windows Server 2008

2009-07-03T15:01:00.001Z

I recently had a case where Windows Backup would fail at approx. 75% complete during a full backup. The backup utility and command line both reported that "The system cannot find the file specified". The Event Viewer/Application... Services/ Microsoft/ Windows/ Backup/ Operational reads "Backup target is running low on free space. Future backups to this target may fail for want of enough space." and then at the same time and immediately after that we get "Backup started at 'TimeZ' failed with following error code '2147942402'" which means file not found or unknown error.

After a series of email communications with the Windows Backup team at Microsoft India (where, incidentally, the program was developed) the answer came back that I should run chkdsk /r and reboot the server. As this process can take hours this occurred out of hours and actually in my case needed to be repeated twice. A normal chkdsk command, run whilst the server was online, reported that the disk had errors and could not continue.

After running chkdsk /r twice, from an elevated command prompt, the backup started to work again.

Uninstalling Virtual Machine Additions in Hyper-V

2009-06-24T13:35:00.001Z

The error message "this installer may only be run inside of a virtual machine" appears when you try to remove old virtual machine additions (from Virtual Server 2005/Virtual PC 2004) when running the virtual machine in Hyper-V.

The migration guidelines recommend the removal (but do not mandate it) of the Virtual Machine Additions. But this is probably because later versions of the additions can be removed from inside Hyper-V, earlier versions cannot.

The problem is the existence of this software stops the installation of the Hyper-V Integration Services.

So to remove the Virtual Machine Additions of the Hyper-V guest (that has been previously used in Virtual PC/Server) you need to do the following:

Shutdown the Hyper-V virtual guest
Share the folder containing the VHD for this guest
Install Virtual PC 2007 or later on another computer
Create a new virtual guest on the Virtual PC, pointing the VHD property to the shared VHD on the network and do not create undo disks.
Boot the Virtual PC guest and uninstall the Virtual Machine Additions. Any prompts about new hardware should be ignored by pressing the Cancel button.
The removal process will require a reboot. Once the reboot has completed you can then shutdown the virtual PC.
Remove the Virtual PC guest, stop sharing the VHD folder and restart the guest in Hyper-V.
Install the Hyper-V Integration Services.

If the virtual guest is so old as to have a Standard PC HAL installed then attempts to install the Integration Services results in the following error "Setup cannot upgrade the HAL in this virtual machine. Hyper-V integration services can be installed only on virtual machines with an ACPI-compatible HAL. For information about hardware requirements, see the Hyper-V documentation".

This cannot be fixed and so if you have an old virtual machine that has a Standard PC HAL (from Device Manager > Computer) then do without the integration services or rebuild the guest from scratch.

Message Tracking Logs 'And/Or' Error

2009-06-16T14:11:00.001Z

The following message appears in the Exchange Server 2003 message tracking logs:

The object 'and/or' in the message tracking logs can't be found in the directory. The object may have been deleted. The tracking history may be incorrect.

This is an error that can be ignored as it does not mean that the email message that you are tracking has not been delivered (discounting other errors that is).

This error occurs in the Exchange Server 2003 tracking logs because the logs store the name of the recipients server, and if the recipients server is determined to be 'and/or' then that is what the log will read.

I have noticed that this error occurs when Exchange Server 2003 talks to Exim 4.69 servers with the following welcome message:

220-server.fqdn ESMTP Exim 4.69 #1 date time
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

This welcome message is spread across three lines and the last line reads "220 and/or bulk e-mail". Exchange uses the first word following 220<space> (and not 220<dash>) as the server name.

For example, the following is the welcome banner displayed by Postini/Google, which is a single line:

220 Postini ESMTP 108 y6_19_2c0 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.

Therefore Exchange will identify this server in the message tracking logs as "Postini".

Editing the Registry on x64 Windows Computers

2009-06-08T12:55:00.001Z

This is, in the main, just a quick note to myself! When editing the registry on a Windows x64 based computer, but the program that will read those registry settings is a 32 bit application then you need to change the location that you edit to the "Wow6432Node" rather than the usual location.

Note that when blogs and other technical articles write down a registry key they do not often mention that the registry location you need to change is not what they have written down!

For example, there is a problem in the Windows 7 RC release in which Internet Explorer 8 does not show some webpages resulting in an error "A webpage is not responding on the following website:" (see http://support.microsoft.com/kb/970858). The registry key describes setting the hangresistance value, but as Internet Explorer is a 32 bit application you need to set the hangresistance value at HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\ and not at HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\.

If you follow the advice in the Microsoft support article KB970858 then it will not fix the problem on a 64 bit machine. You need to edit the Wow6432Node value instead.

There is an x64 version of Internet Explorer installed, but the common one that people use is the 32 bit version - if you use both, set both registry keys.

Running MOC Courseware Virtual Machines on Windows 7 RC

2009-05-29T13:22:00.001Z

Once you have installed Windows 7 RC and downloaded Microsoft Virtual PC you might have the need to run Microsoft Official Curriculum courseware virtual machines. And therein is a problem.

The virtual machines are built to use Virtual Server 2005, but that cannot install in Windows 7, so you cannot use the Lab Launcher. Though you can install the courseware drives, you will need to run the installer in compatibility mode or the VHD installer will not run.

Once you have the VHD files unzipped you need to configure Microsoft Virtual PC to load them up. This though is a problem if you are not located in the same timezone as the creators of the base disks (PST timezone).

The steps to create a virtual machine when you are in a different timezone are:

Start the virtual machine wizard and make a note of the location value. You will need to modify files in this location later on
Set memory and untick the network connections option
Browse to the exiting hard disks folder. Enable undo disks at this time as well
If you are in a different timezone you will get the following cryptic error
Click OK and modify the file used to point to either any of the �allfiles� disks (as these are not differencing disks) or create your own empty vhd for the time being
Complete the creation steps and then bring up the settings of the new virtual machine (with the wrong disk attached)
Modify the network settings to Internal Network and add any additional disks needed (this will be described in the full setup guide for the course) and close the settings dialog.
Browse to the folder that contains the actual settings file (the vmc file). This folder is the location value from step 1 (defaults to C:\Users\username\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines).
Open the vmc file in Notepad (or an XML editor) and change the settings to that which you require. These changes are for disks. Look for ide_controller 0 and ide_controller 1 (if present) and change the name of the vhd file to the correct disk name.
Modify the time sync. settings as per http://blogs.msdn.com/virtual_pc_guy/archive/2007/11/28/disabling-time-synchronization-under-virtual-pc-2007.aspx. The virtual machines from Microsoft for training purposes have a grace period and if you bring them up with the current date/time on them (which Virtual PC 2007 does automatically) then you will need to activate them.
Save the file when your changes are completed.
Start the virtual machine. You will see this error message - Inconsistency in virtual hard disk time stamp detected - The virtual hard disk's parent appears to have been modified without using the differencing virtual hard disk. Modifying the parent virtual hard disk may result in data corruption. It is strongly recommended that you mark the parent virtual hard disk as read-only to prevent this in the future. If you recently changed timezones on your host operating system, you can safely continue using this virtual hard disk.
This can occur for a number of reasons, but if the reason is timestamps then click OK. DO NOT click the option not to show the message again, or you will not be able to get past this error without modifying the options.xml file in C:\Users\username\AppData\Local\Microsoft\Windows Virtual PC.

The virtual PC will start, and will prompt you about updates to the integration components, but that is only a minor , so that can be ignored when you are presented with that error, unless you want the error to never show again per machine, in which case install (at your own risk and numerous reboots) the integration components.

Finally, you might need to reactivate some machines, as the hardware will have changed.

CRM 4 Fails to Run In Outlook on Terminal Services

2009-05-28T14:24:00.001Z

If CRM 4 Client is installed on a Citrix/Terminal Services server and the initial installation (done when in CHANGE USER /INSTALL mode) also includes starting Outlook for the first time then a registry key is set in the Terminal Services registry shadow. This means that once you go into CHANGE USER /EXECUTE mode and a new user logs in they get the registry keys set during installation as part of their profile.

This is by design if the registry keys that are set are not needed to be unique per person. And CRM has one registry key that needs to be unique for each user logged into the terminal server. This is the ClientRemotingChannel registry value located at HKCU\Software\Microsoft\MSCRMClient.

If more than one person is connected to the terminal server and running Outlook with CRM configured then behind the scenes the CRM hoster application will be running. The ClientRemotingChannel registry key controls the ability of this application to communicate with Outlook and the CRM server and therefore this registry value must be unique for every logged in user on the terminal server at the same time. If more than one user has the same value (which they will if initial installation is done as above) then the 2nd concurrent user will fail to connect to CRM via Outlook - web access will work fine.

Therefore ensure that the shadow registry value for this (HKLM\SOFTWARE\Windows N\...\MSCRMClient) is not set and that all users that already have a duplicate value have the registry value deleted. The hoster application will recreate the registry value when it starts with a unique value if the registry setting is missing.

A clue to the existence of this error will be the application event log error "Failed to create an IPC Port: Access is denied".

Create i386 CMAK Profile on x64 Machine

2009-05-21T08:32:00.007Z

Informing users and clients how to connect their Windows PC to a VPN connection is easy, but could be easier. There are a few questions to answer and having the user type this in might mean wrong answers, and therefore a supsequent support call would be required.

To ease this issue, and reduce the support call costs Microsoft have made available for a number of years the Connection Manager Administration Kit (CMAK). Lots of websites and blogs describe how to make CMAK profiles but to date none that I can find solve the problem of installing CMAK on a x64 version of Windows 2008 (for example Small Business Server 2008, but any x64 bit architecture will do) and attempting to deploy the resulting executable on a i386 XP architecture.

The CMAK program within Windows 2008 (added to the default installation by adding a feature) has options for the creation of a "downlevel" build (i.e. XP, 2003 and 2000) as well as a Vista build (which covers 2008 and Windows 7 as well) but the resulting executable made from the downlevel option is not valid.

The reason for this is many. Firstly the executable is constructed using iexpress.exe on an x64 machine - resulting in a x64 installer that will not run on a i386 machine. Fix this problem (see below for steps) and you find that the installer runs a program to actually create the connection object in the Network settings area of Control Panel, but this program (cmstp.exe) is also x64 architecture and so will not run on an i386 architecture machine.

Before we go into the steps to do this successfully, here (for the benefit of the search engines) are the different errors that you will see:

This profile was not built for this processor architecture. Please contact your Administrator to get the appropriate profile for this architecture.
profile.exe is not a valid Win32 application.
Error creating process <c:\docume~1\user\locals~1\temp\ixp000.tmp\.\cmstp.exe>. Reason: C:\WINDOWS\system32\advpack.dll

To fix this and create an i386 connection profile on an x64 architecture machine involves modifying the file that controls the creation of the executable (the .sed file) and getting two files from either an i386 Windows Server 2003 installation or an i386 XP installation.

First for those extra files. On the Windows 2008 Server that has CMAK installed, and having successfully created a profile (see windowssecurity.com and uksbsguy for profile creation steps) you need to create a folder called i386 inside C:\Program Files\CMAK\Support\en-US (C: and en-US might be different on your installation). This is best done from an elevated command prompt. Inside this folder place advpack.dll and cmstp.exe from an i386 installation of Windows Server 2003 or XP Professional (ensure latest service packs and patches on the source machine as well). Both of these files are found in \windows\system32 on the source installation.

Secondly, also from the elevated command prompt, you need to create a copy of the .sed file for each architecture you want to build for. The .sed file is named after the profile name that you have created and is located in a subfolder of C:\Program Files\CMAK\Profiles\Downlevel where the subfolder is the name of the profile. The default .sed file will work on x64 XP. Therefore to create a .sed file for i386 XP copy profile.sed to profile-i386.sed and then open this file in notepad (by typing notepad profile-i386.sed from the elevated command prompt).

The third step is to edit this .sed file so that the entries that point to the location of cmstp.exe and advpack.dll are to the new files you copied in the first step. Therefore change the line that starts FILE0= and the line that starts FILE1=. These should read something like the following:

FILE0=C:\Program Files\CMAK\Support\en-US\i386\advpack.dll
FILE1=C:\Program Files\CMAK\Support\en-US\i386\cmstp.exe

Additionally, but not required, I also change the TargetName= value from profile.exe to profile-i386.exe so that it does not overwrite the x64 executable that has already been created by the CMAK wizard and I edit the InstallPrompt= value to include something that indicates that I am about to install the i386 version of the connection object.

Now close and save the changes made to the new .sed file.

Finally you can build the executable. But the fun does not stop here. You might have noticed from the errors above that one of the errors is that the executable is not a valid win32 executable. This occurs if the x64 version of iexpress.exe is used to create the installation program. You need to use the 32 bit version that is installed on the x64 machine. The 32 bit version of the program is found in c:\windows\syswow64 (this stands for Windows On Windows 64) and so from the elevated command prompt type \windows\syswow64\iexpress /N profile-i386.sed (this is one command on one line if your browser happens to wrap the text over two lines). This will create the executable named after the TargetName value in the .sed file. This can then be copied to your software installation share and deployed to your users.

Remote Web Workplace in Essential Business Server 2008 Always Prompts for Password and Never Logs In

2009-05-11T15:16:00.003Z

There is a published problem with EBS 2008 where Outlook prompts for a password all the time when connected over HTTP/RPC (Outlook Anywhere) - see the Microsoft EBS Team Blog. We have found that the same problem is also exposed in the Remote Web Workplace when trying to connect over Remote Desktop to your PC or to the servers.

The problem is that the authentication for the Remote Desktop is broken because Outlook has failed to connect based on the published issue mentioned above. The failure of Outlooks authentication breaks the DefaultAppPool is IIS. Recycling the application pool fixes the issue - but only for a short while. It breaks again at the next failed Outlook login. And because the breaks in authentication are due to Outlook it is difficult to see why Remote Desktop ceases to operate.

But apply the same fixes from the above blog and Remote Desktop begins to work and stays working.

To fix, run the following four commands from an elevated command prompt on the messaging server:

%windir%\System32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/authentication/windowsAuthentication
%windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/ews" -section:windowsAuthentication -useKernelMode:False /commit:apphost
%windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/AutoDiscover" -section:windowsAuthentication -useKernelMode:False /commit:apphost
%windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/OAB" -section:windowsAuthentication -useKernelMode:False /commit:apphost

The above commands are probably wrapped for reading on your screen - each bullet point is a single command to be entered as one line. Instructions for making changes via the GUI can be seen on the above blog post.

Giving a laptop to a new user when CRM 4.0 Offline Mode is installed on it

2009-05-07T08:53:00.004Z

When someome leaves a company, or their laptop is replaced and they get a new laptop, their old laptop goes somewhere. If that somewhere is to a new user and that laptop had an installation of CRM 4.0 configured in Offline Mode installed on it then you will get the following error message when you attempt to run the Configuration Wizard to set up CRM within Outlook for the new user:

Microsoft Dynamics CRM for Outlook with Offline Access has already been configured for a user on this computer. Only one user can be configured per computer for Microsoft Dynamics CRM for Outlook with Offline Access.

This problem is down to the existance of the CRM SQL Server 2005 Express Edition database on that computer. Uninstalling CRM and reinstalling it does not fix the issue, and it would be fixed by removing SQL Server 2005 Express Edition as well - but that is overkill.

All you need to do is to remove the MSCRM_MSDE database. And the easiest way to do this is to use the osql command line tool.

Start > Run > type cmd and press Enter (or type cmd in the search box in Vista/Windows 7).
In the Command Prompt type osql -E -S pcname\CRM and press Enter.
At the number prompt type drop database mscrm_msde and press Enter.
At the next number prompt type go and press Enter.
Finally type quit followed by Enter to exit from osql.

You can now run the CRM 4.0 Configuration Wizard for this new user and choose Offline Mode if you wish - a new database will be created.

Enabling ActiveSync on a Sony P1i with a GoDaddy Certificate

2009-04-01T19:06:00.003Z

GoDaddy issued certificates are not trusted by the Sony P1i phone and so if you are using a GoDaddy issued digital certificate for ActiveSync on one of these phones you will be prompted to accept the certificate at each sync. As this kills the purpose of push email sync you will want to stop the prompt.

You do this by installing the GoDaddy trusted root certificate. On any Windows computer that works when connecting to a website protected with your GoDaddy certificate run mmc.exe and add the Certificates snap-in, selecting the local user option. Browse to Trusted Root Certification Authorities and click on the Certificates node. Find and right-click the Go Daddy Class 2 Certification Authority and choose All Tasks > Export. Export the certificate as a DER encoded binary X.509 (.CER) file to a folder on that computer.

Email that file to the owner of the Sony P1i and sync the phone to download their email (confirming the prompt that we want to remove). Open the email and download the attachment. Once the attachment is downloaded (which might involve syncing again and confirming the certificate prompt) open the attachment. The phone will install the certificate into its certificate store. No more prompts!

Configuring an SSTP VPN on Small Business Server 2008

2009-03-31T11:54:00.004Z

SSL based VPN's are great. In short it is VPN without firewall or NAT issues (both of which you get with PPTP and IPSec VPN's). But SBS 2008 does not enable SSTP VPN's by default. It uses RRAS, so SSTP is possible, but it is not as easy as it first looks! The following is a brief guide to the steps. Exact step by step instructions are not included, as you should be someone with RRAS and certificates experience before approaching this, and if you are not but have a business need for SSTP VPN (and who doesn't!) then call C7 Solutions in the UK on 0845 257 1777 for help and assistance. This is not at all easy to configure and get working.

Ensure that you have run the connecting to the internet wizard, and that you are using a third party certificate (as there are less steps if you do this). With the default self signed certificate SSTP will not work as the client on the internet will not be able to reach the certificate revocation location. Using the installed Certificate Services and creating your own issued certificate requires publishing to the internet the certificate revocation information and so adds steps that are not entirely necessary given that certificates are inexpensive and would cost less to buy than the time taken to go through all the extra steps needed with your own issued certificates.
Enable remote access from the SBS Console > Network > Connectivity page and choose Configure a Virtual Private Network link under Connectivity Tasks on the right-hand side of the window.
Add some SSTP ports to the VPN in the Routing And Remote Access management program. Right-click Ports and choose Properties and enable SSTP for remote access inbound connections and set the number of connections to a suitable number for your organization. Leave PPTP enabled as Windows XP does not support SSTP VPN tunnels (only Vista SP1 and later will do so).
Create an MMC and add in the local computers Certificate snap-in. View the properties of your trusted certificate that you are using for Remote Web Workplace and note down the Thumbprint value of this certificate.
Ensure that this certificate is associated with 0.0.0.0:443 and [::]:443 network bindings on the server. Type netsh http show ssl from elevated command prompt to get this information. You typically get four entries with IP:port being the first line of each. Check for IP:port reading "0.0.0.0:443" and [::]:443 as this shows the IPv4 and IPv6 mappings for SSL certificates on the server. Ignore the :8172 and :987 entries (these are for IIS Management Service and companyweb).
If the certificate hash is not the same for both the remote web workplace certificate and the netsh bindings information in the previous two steps or if you are missing the IPv6 binding then you need to reset the bindings. If they are same then jump to step 7.
a) Ensure that the certificate bound to the remote web workplace is correct. From the client machine browse to http://remote.your_domain.com. You should be automatically forwarded to https://remote.your_domain.com/remote and the login page. If you get any certificate errors during this in the web browser you must fix them now before continuing.
b) If the certificate on the remote web workplace site is incorrect then run the Fix My Network wizard and the Set Up Your Internet Address wizard in the SBS Console (both found in the Network > Connectivity > Connectivity Task pane).
c) Repeat the test in step a and if the certificate that is now associated with the site is incorrect also run the Add A Trusted Certificate wizard which is found in the same place as above. This step should not be needed if a trusted certificate has already been installed on the server and it matches the remote.your_domain.com name and the wizards in step b will associate the correct certificate to the website.
d) From an elevated command prompt delete the certificate binding for IPv4 by typing netsh http delete sslcert ipport=0.0.0.0:443. The binding should be deleted successfully.
e) From an elevated command prompt delete the certificate binding for IPv6 by typing netsh http delete sslcert ipport=[::]:443. The binding should be deleted successfully if an IPv6 binding existed, otherwise expect to see an error which can be ignored.
f) Delete the certificate binding in the RRAS configuration by deleting these registry keys, if they exist, "HKLM\ System\ CurrentControlSet\ Services\ Sstpsvc\ Parameters\ Sha256CertificateHash" and "HKLM\ System\ CurrentControlSet\ Services\ Sstpsvc\ Parameters\ Sha1CertificateHash"
g) Connect the correct certificate to the IPv4 and IPv6 bindings by typing the following entries from an elevated command prompt where xxx is the certificate hash of the trusted certificate used for the Remote Web Workplace. netsh http add sslcert ipport=0.0.0.0:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY and netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY.
h) Close any open copy of IIS Manager and restart the program. Ensure that the bindings for the SBS Web Applications site is correctly bound to your trusted remote web workplace certificate.
i) Note that binding SSTP to the IPv4 and IPv6 listeners on port 443 will cause TS Gateway administration to display error messages (specifically that the certificate is not bound and that the IIS web site is not configured). These errors can be ignored on SBS 2008 but if you click the links to fix the errors then all will work fine. The only condition is that this fixing of errors must be done after SSTP is configured correctly (so ensure SSTP connectivity works and then come back to this step to fix). Future changes to the certificate in IIS or TS Gateway might break the SSTP binding.
From a client machine browse to https://remote.your_domain.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ and ensure that no errors occur. Note that you will not see anything in the web browser. View the properties of the certificate, specifically the CRL Distribution Points (CDP) value. Note that you should not have got any certificate errors when browsing to this site and if you did you need to resolve them before continuing further in these steps.
Browse to the CDP URL in the above certificate - you should be able to reach this location on the web without error. The web browser should attempt to download the CDP file.
On a Vista (SP1 or later) or Windows 7 client create a new VPN connection and in properties of the connection object choose the Security tab and ensure that the Type of VPN is set to SSTP. For regular everyday use set this to Auto, and it will find a working protocol (starting with PPTP) and so if PPTP does not work due to NAT or firewall/proxy issues SSTP will be tried and succeed (but for testing set the VPN connection specifically to SSTP). Also ensure that the name of the server you are connecting to is the same name that the certificate uses for the certificate common name.
Connect the VPN and all should work. Errors regards certificate trust will appear if you have used the self issued certificate, even if you have added the certificate to your certificate store and have the certificate working in Internet Explorer. Once you have connected you can confirm from the RRAS management console that you are connected over an SSTP VPN connection. To confirm this click Ports in the RRAS management console and the active connection should be utilizing an SSTP port.
Congratulate yourself on getting this far - this is not easy!

Log On To Restrictions in Essential Business Server

2009-03-30T12:40:00.003Z

Thirty days after installing Essential Business Server 2008 your licence restrictions take effect. This means that users are shown as unlicenced in the EBS Management Console will only be able to log into licenced devices (as shown in the EBS Management Console as well). Only licenced users will be able to log into any computer on the network (unless group policy restrictions so limit them).

The licencing enforcement is implemented by the Log On To restriction on the user account. This restriction (on the Account tab of the users object in Active Directory Users and Computers administration program) lists the workstations, by NetBIOS name, that the user can log into and all unlicenced users will have a list of device licenced machines. All licenced users will be set to allow them to log into any workstation. This list is reset at a regular basis each day, but if you are approaching 30 days since installation get your user and device licences correct, don't miss anyone or any shared device off the list or they will not be able to login or the shared computer will not be accessable to any of the unlicenced users.

SBS 2008 SharePoint Install Breaks Default SBS Web Site

2009-03-21T09:55:00.003Z

A recent installation of a second SharePoint site on Small Business Server 2008 broke the Remote Web Workplace site for access from the internet. Intranet access to the site worked fine, but from the internet where the http request to the site is redirected to https had stopped working.

Opening up IIS 7 Manager and checking the bindings of the SBS Web Applications site showed that the site had two http bindings and a https binding. The https binding was for * under IP Addresses and port 443. Clicking the Edit button on this binding showed that the certificate was not correct. This was the reason the site was not working, as a https site requires a certificate.

So I selected the correct certificate and clicked OK. And got the following error:

A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)

The reason is that the installation of the SharePoint site, and the installation of the certificate to support that site broke the binding for the TS Gateway role on the Windows 2008 machine. The broken binding on the SBS Web Applications site was because of this broken TS Gateway configuration and to fix the above error in IIS required fixing the TS Gateway issue. Note that at no point in the configuration of the SharePoint application was the TS Gatway role configuration changed - the installation of another certificate on the server broke the TS Gatway which broke the Remote Web Workplace SBS Web Applications site.

Opening Server Manager and navigating to the Roles/Terminal Services/TS Gateway/Servername area showed a message in the middle pane of the Server Manager saying that configuration of the TS Gateway was not complete. Clicking this link brought up the TS Gateway SSL Certificate page of the Properties dialog. Click Browse Certificates and select the correct certificate. In SBS 2008 this will be the Remote Web Workplace certificate. Click OK to close the dialog and you will now be able to check the https binding on the SBS Web Applications website. The error will now not occur, and the https binding will be bound to the correct certificate.

If you are not running SBS 2008 then the above is possible, just it is more likely to be a problem with the Default Web Site bindinging instead.

Additionally, I noticed after I had written the above that this error also occurs if you delete the certificate used by the TS Gateway from the IIS box and as well as breaking TS Gateway (which would be expected) it also breaks the "Add a trusted certificate" wizard in the SBS Server Console. The Add a trusted certificate wizard crashes when started with just a failed application message and nothing in the event log. To fix make sure the SBS Web Application IIS site is bound to a valid digital certificate.

Hyper-V and VSS Backups Cause Bluescreen

2009-03-16T15:57:00.002Z

I found the other week that my Hyper-V server, running Server Core and nothing else was restarting all of its own accord. As this is just a server at home, and the monitor is switched off 99% of the time I had not noticed it blue screening.

So looking in the event log (remotely of course, as it was running Server Core) to see why, I noticed it had done the same thing every day at a few minutes past 1pm - one of my scheduled backup times during the day.

I was getting Event ID 1001 at about 1:03pm each day. So I changed the time of the backup (using Windows Server Backup, command line) to 11pm and I got 1001 bugchecks at 11:03pm each day.

There was nothing else recorded in the event log, apart from the usual system start/TCP-IP etc messages and no clue as to the reason for the failure. All I had was the BugCheck, an example being 0x0000007e (0xffffffffc0000047, 0xfffff80003676b48, 0xfffffa60019ff5c0, 0xfffffa60019ff660.

A bit of research later, and ignoring most of the posts regards VSS and Hyper-V I came across http://support.microsoft.com/kb/958662/en-us and http://support.microsoft.com/kb/960038/en-us (the latter of these is a hotfix) which I applied and solved the problem.

It would seem that Hyper-V and VSS based backups have an issue with some backups if a virtual machine is in a running state. It is possible to save the Hyper-V guest machine and then back it up without issue, but of course this kicks people of the virtual machine - a bit pointless really unless its a development machine. To turn off backup for a Hyper-V machine, so that the server does not bluescreen then either disable the Backup (volume snapshot) option in the guest machine settings, under Integration Services or install the hotfix and reboot once.

How to Configure CRM 4 on a Terminal Server When Not All The Users Use Microsoft Dynamics CRM 4.0

2009-03-13T09:43:00.004Z

The Microsoft Dynamics CRM 4.0 Outlook client software, when installed on a terminal server (Microsoft or Citrix) results in the CRM toolbar (which is part of the CRM Outlook Add-in) appearing for all users of the server regardless of whether or not they require the functionality of CRM and irrespective of whether or not they have an account on the CRM system.

The CRM toolbar appears because the Outlook CRM Add-in is loaded, and the add-in is loaded because of the following registry key:

HKCU\Software\Microsoft\Office\Outlook\Addins\crmaddin.addin

Removal of this key from the users’ registry stops the add-in appearing under Outlook and stops the add-in loading. There is though one problem with this. At the users login a program runs that recreates this key if it is missing, so that registry key needs to be removed as well. This one is:

HKLM\SOFTWARE\Microsoft\Windows\Current Version\run and the deletion of the MSCRM value (keeping a copy of the data in this value for later).

For all users logging into a computer running the CRM Outlook client would now only get the add-in if the first registry key above exists, so existing CRM users are not affected by this change. Remove the first registry key above from any user who does not use CRM and remove the second key one from the machine and all new users will not get CRM. To give new users the CRM Outlook add-in just run the command line that was the data of the MSCRM registry value (where x is the drive where the CRM software is installed):

x:\program files\microsoft dynamics
crm\client\configwizard\crmforoutlookinstaller.exe /activateaddin

All the above works fine on a standard client, but if you need to do the above on a terminal server then you need to be aware of the shadow copy of the registry keys that terminal servers use to create the initial users profile the first time they login. Because the CRM client is initially installed with the CHANGE USER /INSTALL command active the registry stores a copy of the first registry key above so that it can be applied to users when their profile is created. This registry key needs to be removed as well. You will find this key at:

HKLM\SOFTWARE\Microsoft\Windows NT\Terminal
Server\Install\Software\Microsoft\Office\Outlook\Addins\crmaddin.addin

Note that you do not need to be in change user install mode when you make this change, as we are not uses these changes to affect existing user profiles, just stopping new user profiles from loading the CRM add-in if they do not need to. To change existing user profiles just delete the first registry key above from their profile using a script or manual action or whatever method you prefer. Of course you will need to have done the other steps above before this or the registry key will be recreated the next time they login.

OWA Login Issues With RWW in SBS and WEBS

2009-03-11T21:10:00.005Z

Remote Web Workplace (RWW) is a feature of Windows Essential Business Server 2008 (WEBS) and Small Business Server 2008 (SBS). Both of these operating systems provide a web portal to view internal resources such as Outlook Web Access (OWA), SharePoint and Remote Desktop to your own PC.

I have noticed on a number of installations the following error:

There is a problem in Remote Web Workplace. A logon error occurred: There is a problem communicating with the Outlook Web Access server.

There are two reasons for this that I know about. The outcome of this for the user is a popup with the above error in it when clicking the E-Mail or SharePoint link within RWW.

The first is if you have changed the URL of your RWW site then the Single Sign-On (SSO) functionality is configured to connect to the old URL and so fails. The second reason is if the external URL for RWW is not accessible internally (for example if the internal Active Directory DNS name is the same internally and externally and the internal DNS zone does not have an A record for the RWW URL).

To fix the first issue you need to make a backup of the web.config file located in "c:\program files\Windows Essential Business Server\Bin\webapp\Remote" and then edit this file (using Notepad or the like) so that the ssoApplications node reads as follows:

<wssg>
<ssoapplications>
<ssoapplication application="OutlookWebAccess" servername="remote.fabrikam.com">
</ssoapplications>

Where the serverName value is correct for your environment. Note also that if SharePoint is installed and the Company Web link appears on RWW, this XML node will contain some Sharepoint information that will need changing too.

To fix the second issue you need to add an A record to your internal DNS that points to your RWW site and to use the external IP address of this site. If your internal AD/DNS zone is the same as your external zone (i.e. fabrikam.com in the above example) then create a new A record for remote.fabrikam.com on an internal DNS server that has the external IP address of the site as IP address. If you internal and external DNS zones are separate ensure that the SBS server or the WEBS Messaging Server resolve the external value correctly.

If neither of these solve your problems with RWW then the place to look is the RWW debug log file. This is located in "c:\program files\Windows Essential Business Server\Logs\WebWorkplace\w3wp" and you need to read the bottom of the file to find the most recent login error (search the file from the bottom upwards for the word "error").

The above two problems where solved based on the errors found in this debug log file.

Account Rename and Essential Business Server 2008 Installation Failure

2009-02-27T14:23:00.004Z

The error "cannot find the specified active directory object: winnt://<server>/<user>,user" and "program file folder creation or environment variables setting did not finish successfully" appears during the installation of Essential Business Server 2008 on the Security Server if a group policy exists in your current environment that renames the local administrator account name.

The GPO setting under "Windows Settings\Security Settings\Security Options" called "Accounts:Rename administrator account" that enforces this must be turned off for the domain, because at the time of the EBS installation the security server is located in the Computers container.

Unfortunatly, by the time this error occurs you can do nothing about it apart from format the hard disks and reinstall the server!!!

Running Schema Upgrade Tool When You Have No DVD Drive on Infrastructure Master

2009-02-27T09:42:00.002Z

The Essential Business Server installation steps for the Management Server might require you to insert the Prerequisite Planning Tools DVD into the Infrastructure Master to run schemaupgradetool.exe. What if you do not have a DVD drive on the current infrastructure master?

Then copy over the network the SCHEMAUPGRADETOOL.EXE, MMSNETWORKINGNATIVE.DLL and the entire ADPREP folder. Then run SCHEMAUPGRADETOOL from the command line on the infrastructure master.

This takes no paramaters to run, and takes a few seconds to start up. Though when I ran it on a Windows Server 2003 SP2 infrastructure master it popped up an empty dialog box with an OK button and nothing else - this though seems to indicate success and the Management Server installation can now continue.

SBS and WEBS 2008 Backup Fails to Backup Exchange Server

2009-01-28T14:05:00.006Z

The following errors are reported in the Event Log Windows Logs/Application when you run the built-in backup that is part of Small Business Server 2008 (SBS) or Windows Essential Business Server 2008 (WEBS):

Event ID 565 - Consistency check for component StorageGroup-GUID\'Microsoft Exchange Server\Microsoft Information Store\SERVER' failed. Application 'Exchange' will not be avaliable in the backup done at time 'date time'

The Event Viewer log at Application and Services Logs/Microsoft/Windows/Backup/Operational shows that everything completed fine but the Windows Server Backup administrative tool says backup completed with warnings. Double-clicking the backup record shows:

Application will not be available for recovery from this backup. Consistency
check failed for component Microsoft Exchange Server\Microsoft Information
Store\Server-Name\Store-GUID

This seems to be related to having enabled Local Continous Replication (LCR) on the Exchange mailbox database. This is unfortunate as LCR is such a useful tool in recovery for Exchange Servers that I would want to enable it as a matter of course, and spec my SBS servers to have enough disk space to store LCR copies. Note that the actual Exchange databases and log files are backed up as part of the volume backup, just not as part of the application aware backup and that might result in invalid restores as the volume level backup is not Exchange aware.

Please Microsoft, will you make the VSS backup for Exchange 2007 that is included in SBS and WEBS LCR aware. Thanks.

Remote Web Workplace not operating in SBS 2008 or EBS 2008

2009-01-16T10:39:00.004Z

If when you log into Remote Web Workplace on Small Business Server 2008 or Essential Business Server 2008 as a non-administrator user you get the following error messages:

Cannot connect to the Remote Web Workplace site. To continue, contact your network administrator.
Event Viewer/Application Log/ASP.NET 2 Warning: Event ID 1309
ArgumentOutOfRangeException "Index was out of range. Must be non-negative and less than the size of the collection." Request URL: https://server:443/remote/menu.aspx

You need to do the following to fix this error. On the server you need to modify the permissions of the RWWConfig.xml file. This file is located in "C:\Program Files\Windows Small Business Server\Data" or "C:\Program Files\Windows Essential Business Server\Data" depending upon the product that you are running.

Ensure the permissions on the above file are
Authenticated Users - Read (not inherited)
NETWORK SERVICE - Read (not inherited)
SYSTEM - Full Control (inherited from parent folder)
Administrators - Full Control (inherited from parent folder)
Make sure the Authenticated Users group is a member of the Pre-Windows 2000 Compatible Access group.
Run iisreset from the command line on the server
Attempt the login again, but first close any copy of Internet Explorer that was running (or attempting to run) RWW.

CRM 3.0 Disaster Recovery

2009-01-09T13:47:00.001Z

Updated 9 Jan 2009 as I needed to repeat these steps again, and so have
clarified them a bit!

I am in the process of performing a CRM restore, when I came across this cryptic message: "One or more Microsoft CRM groups do not exist".

I am restoring into a new Active Directory so the groups do not exist, but the installer does not create them or tell me what they should be (in full). It tells me via help that the groups need to be called:

PrivUserGroup
ReportingGroup
SQLAccessGroup
UserGroup

But what it misses out is that these groups are to be suffixed with the Organisation GUID for the previous installation (who's databases I have, and am restoring CRM using).

The organisation GUID is stored in the database, and you need to run the following SQL query on the MSCRM SQL database to get the answer:

SELECT TOP 1 OrganizationID, Name FROM organizationbase

Also ensure that during the reinstall of CRM 3.0, you set the Organisation name to that which is returned from the database and use the same product key as before. The product key can be obtained using "SELECT licensekey FROM license"

You also need to set the buildnumber in the BuildVersion table to 0 and delete any mentioned Qfe values, noting them down so that you can install these hotfixes later on.

Finally you need to change the GUID in OrganisationBase for each of the four groups above to the new objectGUID value for each group that you have just created. Using adsiedit.msc (part of the Windows Support Tools on the Windows Server installation CD-ROM) view the objectGUID value for each in hex. Then copy the value to notepad and reverse the first four groups of characters, reverse the next two groups of characters, reverse the third group of two and copy and paste the fourth group of two and the final group of six (the last two groups are not reversed). Note that you do not reverse each pair of characters individually, but treat each pair as a group and reverse the groups as shown below. Put curly braces on the new GUID and paste into SQL Enterprise Manager (or if using SQL 2005 run a script as shown below.

For example:

objectGUID=0x 1x 2x 3x 4x 5x 6x 7x 8x 9x Ax Bx Cx Dx Ex Fx

becomes:

GUID in database={3x2x1x0x-5x4x-7x6x-8x9x-AxBxCxDxExFx}

SQL 2005 Script (no {} in GUIDs here though): UPDATE OrganizationBase SET UserGroupID='GUID', PrivilegeUserGroupID='GUID', ReportingGroupID='GUID', SQLAccessGroupID='GUID'

During the installation you need to ensure that the installation user does not exist in SystemUserBase. To do this find the current installation user in the DomainName column and rename this users domain name (for example DOMAIN\administrator becomes DOMAIN\xxAdministrator). A new user will then be created during this installation.

Finally once installed, start the Deployment Manager tool and reassociate all the users with the newly created user in the new Active Directory. Restoring CRM into an existing AD is much simpler - just the Organisation Name and Product Key need to be retreived.

Windows 2008, IIS 7.0, 64 bit Server, Terminal Services Web Application and Access Databases

2008-11-25T19:47:00.004Z

This is a long list of pre-requisites, but for your information they do not work together.

If you have a web site that uses Access as its data storage and you migrate that site to an x64 Windows machine then access to the Access MDB file ceases with the following error: "'Microsoft.Jet.OLEDB.4.0' provider is not registered on the local machine".
On IIS 6.0 you need to set the entire web server to 32 bit mode, but on Windows 2008/IIS 7.0 you can set each application pool to 32 or 64 bit. This is a property found under Advanced Settings for the application pool. To gain access to Access MDB files the application pool needs to run in 32 bit mode.
If you have TSWeb installed, then you also have installed the RPC/HTTP proxy component.
If you have the RPC/HTTP proxy component installed any 32 bit application pool will fail upon starting - Error 5139 for Microsoft-Windows-WAS.

So to use Access databases in a legacy web application migrated to Windows 2008, 64 bit, with TSWeb also installed either uninstall TSWeb (and RPC/HTTP proxy), or use a different server, or rewrite the web application to use SQL Express. Supposedly this will be fixed in the first service pack for Windows 2008.

There - it only took 6 hours to work that one out!

Enterprise Certificate Services and Terminal Services Gateway - Certificate Issuing for Internet Usage

2008-10-24T08:49:00.003Z

To issue a certificate for the Windows 2008 Terminal Services gateway using your own intalled Enterprise Certificate Authority, out of the box you need to create a certificate request file, request the certificate from the Enterprise CA, install the issued certificate and map the certificate to the TS Gateway.

This can help you if you get errors such as -2146875377 or "the dns name is unavailable and cannot be added to the subject alternative name" or "denied by policy" errors.

In detail these steps are:
Create MMC Console for all steps

On the TS Gateway Windows 2008 server, with the remote administration tools installed, click Start > Run and enter mmc.exe.
Confirm the UAC prompt and add the following snap-ins: Certificate Authority (choose computer on which this role is installed), Certificates (for local machine), TS Gateway Manager.

Create a Certificate Request

Expand Certificates (Local Computer)/Personal/Certificates and right-click Certificates>All Tasks>Advanced Options>Create Custom Request.
Click Next on the Before You Begin page.
Choose Web Server as the template. The template type that you chose is the 2nd most important choice you make in this process. Click Next.
Click the Details down arrow and then click Properties.
On the Subject tab, under Subject Name, select Common Name under Type and enter the URL that you will use across the internet to reach this TS Gateway. Click OK when the names you are using have been added to the list on the right of the dialog. The correct value for common name is the 1st most important choice you make here.
Click Next.
Enter a file name and click Finish.

Upload Certificate Request to Enterprise Certificate Authority

Expand the Certification Authority node in the MMC you created above.
Right-click the CA name and choose All Tasks>Submit New Request.
Browse and select the request file created in step 7 in the previous section.
Save the issued certificate with a .cer file extension.

Install the Certificate on the TS Gateway Server

Expand Certificates (Local Computer)/Personal/Certificates and right-click Certificates>All Tasks>Import and click Next.
Browse to the file created in step 4 in the previous section.
Click Next twice.
Click Finish. You will be told the import was successful.

Map Certificate to TS Gateway

Expand TS Gateway Manager in the MMC.
Right-click your TS Gateway server and choose Properties
Select the SSL Certificate tab and ensure the "Select an existing certificate..." option is set.
Click Browse Certificates and select the new certificate that you have just created
Click Install and OK.

Then to finish, open Remote Desktop Connection tool (mstsc.exe) and connect to a Terminal Server using the Gateway option via the Options>Advanced>Settings dialog. To complete these steps you must also have created the policies for connection the the gateway.

Enabling Previous Versions on Windows 2008 Server Core

2008-10-23T14:47:00.003Z

Enabling Previous Versions for file shares on Windows 2008 when you have the full graphic's interface is easy to do - but what about if all you have is the command line as you get in Server Core.

To turn on Previous Versions (shadow copies) via the command line follow these steps:

From the command line on the server type:
vssadmin add shadowstorage /for=c: /on=c: /MaxSize=5GB
This will enable shadow copies on the volume, and this might be enabled already (esp. if you have already run a backup on the server). This particular command will do copies for the shares on the C: drive, with the storage for the copies also on the C: drive, and limiting that storage to 5Gb. Any of these options can be changed.
Enable remote management on the Server Core firewall (again this might have already been done):
Netsh firewall set service RemoteAdmin
Netsh advfirewall set currentprofile settings remotemanagement enable
Netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
Netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes
Then from a remote machine with the Task Scheduler MMC snap-in enabled, connect to the Server Core machine as an administrator level account and add the following scheduled task - 1 for each disk on the server:
General>Name: Shadow Volume Copy
General>User Account: Administrator level account (run whether logged in or not)
Triggers>New: Weekly, 7am, Mon-Fri and Weekly, 12pm, Mon-Fri
Actions>Start a program: %systemroot%\system32\vssadmin.exe
Actions>Start a program>Arguments: Create Shadow /AutoRetry=15 /For=c: (changing C: if you have a different drive)
Click OK and right-click the task and choose Run.
Open a file share that is held on the Server Core machine and see if the Previous Versions tab shows a previous version having just been created.