I just took delivery of my new work/personal laptop this past week and spent a few days getting it setup just right.  For some background and for those of you who think I am crazy here were my requirements:

1. Must be a laptop, need to travel and for school
2. I like to develop, needs to be fast
3. I like to be creative, needs some graphics and CPU power
4. I like to play with new software and server stuff, needs a Hypervisor
5. I like docking stations too!

So with all of that said I bought a Dell M6500, you can take a look at the base specs at the Dell site, but trust me, don’t buy this monster without working with a Business Sales Rep!

I ended up getting the following:

1. Intel i7 890xm CPU
2. 12GB 1333 GHz RAM
3. nVidia 3800m (1GB Ded)
4. Dual 500GB HDD in RAID0
5. Docking Station of course!
6. The others goodies Dell has to offer

I had a copy of Windows Server 2008 R2 laying around and that is how this post starts…

If you read the comments about the 6500 many people complain about attempting to convert the laptop into a server and run into problems when running Hyper-V on the laptop.  Dell obviously does not support running a server OS on a laptop but there are lots of resources out there.

When I first went away to college I did run Windows Server 2003 on my desktop because I wanted to learn more about IIS6 at the time as well as beginning my foray into ASP development at the time.  Back then getting a server OS running as a workstation was HARD to say the least.  It never worked quite right and programs always picked up on it being a server and not a client so needless to say I eventually moved back to XP at the time.

I had faith in Microsoft and thought I would give 2008 R2 a chance, surely they had made some improvements.

I was right! I was able to setup 2008 R2 and so far everything has worked great.  I have the desktop experience features installed which makes working with the OS a little nicer.  There are a few gotchas but I managed to find a great website complete with automated installers to help out with a lot of the problems.  You can find it here.

So far the experience has been great and I have been lucky enough not to run into the problem many users have talked about where the laptop will lock up when the Hypervisor is running.  No BSODs here!

Feel free to post questions or comments, I’ll try to answer back as quickly as possible.

-Brent

Just published out version 1.2 of uManage.  It now includes a little more automated setup process as well as the new Admin Portal which as of right now only allows the system administrator to view and change some system settings.  The next release (~ 1.5) will really have a lot of the new functionality that will start to make the product really usable in an organization for managing users.  I got a request from one of the previous releases for some screenshots.  I added more to CodePlex and will include them here as well.  If you have an Active Directory test environment the app takes less than 10 minutes to have up and running, so just give it a shot, worst comes to worse and you remove it.

Check it out now: http://umanage.codeplex.com

Check back here for more in the future!

-Brent

Well, it has been a busy week but I managed to find a few hours to update uManage to include a setup wizard as well as fix the first issue.  For those who just want to download it visit Codeplex.

The setup wizard was always in the master plan to make it easy to setup the application as well as in the future allow IT Pro’s who may not know much about ASP.NET to simply download the application as part of Microsoft’s Web Platform Installer.  So essentially, once downloaded IIS and the File System would already be configured and simply need someone to run through the wizard to configure everything else.  Pretty simple I think.

In addition the first issue fix was included.  Of course I was the one that logged it but nonetheless it was important.  In Version 1.0 the membership section was not encrypted which meant that the username and password could potentially be read by anyone who has access to the file system and possibly not to the domain.  They could be employees or potential hackers who want to cause problems.  Either way when the setup wizard is run it encrypts the membership provider section which makes it pretty hard to get to the username and password for the application.

Of course anyone who uses this application really should create a new user account that has delegated rights to mitigate any major security problems.  I will have a new post soon on how to set all of that up as I have a feeling the developers out there might not know what that is all about.  Security is still important people!

Well off to pack for a trip, but check back soon for updates.

-Brent

I ran into this problem recently with a Windows Server 2003 R2 SP2 machine hosted in a Hyper-V environment where repeated 1054 errors are logged on the client machine.  At first in my research I found that this is an old problem originally reported with AMD Opteron CPUs with multiple cores. (http://blogs.technet.com/perfguru/archive/2008/02/18/explanation-for-the-usepmtimer-switch-in-the-boot-ini.aspx).  It all stems from a problem where Windows was not properly counting CPU cycles on dual or multi-core systems.  Many times this problem is found with Negative Ping times where the initial time for a ping request may come from CPU Core A and after the request is made the time stamp may come from CPU Core B.  The problem though is that the time from CPU Core B was less than the original time returned from CPU Core A thus the negative ping time and in the end the request would fail as Windows could not handle the negative ping time return.

Theoretically this problem was fixed with a patch from AMD and SP2 of Windows Server 2003 however I am not sure why this problem has resurfaced.  The apparent problem arises in the Hyper-V environment because Hyper-V provides a pool of CPUs to the virtual machines to use.  So it is possible that even though the server uses a single CPU core it still is load balanced among the entire pool of CPUs by the Hyper-V Hypervisor and therefore the CPU clock can still return a bad time stamp.

The problem only appears from what I can see to reproduce itself in Windows Server 2003 and R2.  With that being said it is a very easy fix, there is even a Microsoft KB article for a step by step procedure.  However you can simply do the following:

1. Edit the Boot.ini file
2. Add the Load Operator “/usepmtimer”
3. Verify the edit by running “cmd bootcfg”
4. Restart the machine
5. All is well!

If you want more info from Microsoft see the KB Article: http://support.microsoft.com/kb/895980

Additional References:

http://blogs.msdn.com/tvoellm/archive/2008/06/05/negative-ping-times-in-windows-vm-s-whats-up.aspx

http://forums.citrix.com/thread.jspa?forumID=75&threadID=93813&tstart=60

-Brent

For those who are not aware Internet Explorer has a security feature that by default does NOT allow non-secure content (i.e. loaded on HTTP rather than HTTPS) to be displayed on a page that is loaded securely via HTTPS.  It is a good feature because after all any website that is running securely should all be secure with not just bits and pieces that are not secure.  However I ran into a problem with our SharePoint site where someone had linked a non-HTTPS RSS feed to be displayed on a site and caused the below error message to appear every time:

I finally looked into how it can be disabled and found a couple of solutions but it is important that you judge the value of each method versus the security you may be giving up.

1. Disable this error message all together (Least Secure)
2. Utilize IE’s Security Settings to disable the warning for sites you trust or sites on your intranet. (My Choice)

So here’s how to make the changes:

Regardless of Option:

1. In Internet Explorer click “Tools”.
2. Click “Internet Options”.
3. Click the tab titled “Security”.

For Option 1:

1. Ensure the icon titled “Internet” is selected.
2. Click the “Custom Level” button.
3. Scroll about half way down to the section titled “Miscellaneous”.
4. Find the setting titled “Display mixed content”.
5. Set the setting to “Enable” (It should be set to “prompt”).
6. Click “OK” twice and restart IE, problem should be resolved.

For Option 2:

1. I would select either the “Intranet” or “Trusted Sites” icons.
   1. For more information regarding the different zones check out: http://support.microsoft.com/kb/174360
2. For our example we used the Intranet zone so only our internal systems would ignore non secure calls
   1. NOTE: If you call an outside source like RSS you may end up making these changes for both the Intranet and Trusted Sites zones so that you can add your “trusted” RSS feed to your intranet sites.  Then all you have to do is add sites to your trusted sites zone one at a time when you find a new one that is not currently in the list
3. Click the “Custom Level” button.
4. Scroll about half way down to the section titled “Miscellaneous”.
5. Find the setting titled “Display mixed content”.
6. Set the setting to “Enable” (It should be set to “prompt”).
7. Click “OK” twice and restart IE, problem should be resolved.

So the only other problem this causes, specifically in a business environment where there may be hundreds of computers to make this change.  Luckily Group Policy even in Server 2003 supports setting the intranet zones, and the sites for each.

Good Luck!

-Brent

I was working on modifying SharePoint URLs again which if your not sure how to do I have another post about that here.  My problem came up when I was updating the Shared Service Provider (SSP) The complete error message that appears in the application event log has this description:

Access is denied. Check that the Default Content Access Account has access to this content, or add a crawl rule to crawl this content. (0x80041205)

For some this is a very frustrating error message because it does not provide a whole lot of information.  The solution that solved my problem had to do with the IIS Loopback Check.  In essence the Loopback Check is designed to thwart off potential security attacks to the server.  It is important to note that this problem for me was only found while utilizing Windows Integrated Security.  The error message comes up because the Search Provider tries to login and hit the web server so much and so quickly that the server thinks it is being attacked and therefore blocks the traffic and login.

There are two options to fix this problem.  The first is to simply disable the loopback check but this poses a serious security issue if your site is heavily utilized and moreover public.  The second and more secure solution is to specify allowed sites.  I would highly suggest taking the time to add in allowed sites since with either solution you have to edit the registry.  For the actual fixes I have posted the link to the Microsoft KB article below that contains the process to follow.  The article says it only applies to IIS 5 and 6 however it resolved my problem on IIS7 as well.  I think less people would have a problem with this in SharePoint if it were titled better.

http://support.microsoft.com/kb/896861

Please let me know if this does or does not work for you

-Brent

I recently was tasked with a simple project to export the contents of an SVN repository on a off-site server so we could backup a repository in the event the SVN Server died.  The off-site server runs Windows and I figured I could easily do this using the svn export command that you can research in the SVN Book.  The problem was finding a svn command line tool that could be run as a scheduled task.  Finding this tool was not an easy feat.  You can utilize the SVN components and executables that come with TortoiseSVN however this is not very clean for just a command line tool.  I eventually found a free download from SlikSvn that has both 32 and 64 bit components.  That fit the bill it offered a good command line interface as well as helpful help docs as well.  It offers not just the typical svn commands but can handle the more administrative commands even svnsync between two different SVN servers.  Either way a good find for anyone who needs command line access only for Windows machines.  Link is below:

SlikSvn Downloads

Enjoy!

-Brent

There is nothing more “fun” than system or data recovery.  The only hard drive I currently have in my server is slowing down and appears to be dying so I went ahead and purchased three new Western Digital Caviars from NewEgg and loaded them into the Chassis.  The box happens to have an NVIDIA (Evga) mainboard which also has a RAID controller unit built in, so I decided to use it for RAID5 purposes, which according to Microsoft is the best RAID configuration for Hyper-V support and speed.  However, once I realized that some of my important Virtual Machines were not exported it quickly became a struggle because I have never had to perform a Hyper-V data recovery procedure with less than optimal conditions.  I luckily found this post: http://blogs.msdn.com/robertvi/archive/2008/08/26/howto-recover-snapshots.aspx that explained how you can merge the Hyper-V differencing disks back together to create a single VHD file that Hyper-V can load up.  It was very helpful and probably saved me hours of internet scouring.

To Add Some More Info:

My single server at home is actual just a VM Host that then runs multiple other machines for DNS, DC, TS Gateway, etc.  It also serves up files to users as well.  The problem is that Hyper-V allows you to create “snapshots” so you can easily revert changes back as long as your Hyper-V machine is functioning correctly.  You can have multiple layers of snapshots in different trees as well.  I had taken a few snapshots during my installation process of each machine in the event something went wrong I could just revert it back.  However when you create a new VM in Hyper-V it requires that you have a single VHD file or that you create a new VHD file.  So my problem arose when I no longer was able to login to the old Hyper-V machine and either export or merge all of my Snapshots down to a single set of files or file.  Using the article above along with the first comment/response it is very easy to use Hyper-V’s Virtual Disk Management tools to merge the snapshots down even without the virtual machine currently being loaded by the system.

-Brent

This “How To” is based on my research and simple testing and is meant to assist in the process of changing the URL of a MOSS 07 installation.  I don’t have a complex setup so it may not work for all of you but it should help:

My Scenario:

1. We have a single Front-End Web Server and a single Back-End Database Server, each is a separate physical box
2. We have two Web Applications, one for the SharePoint Central Admin Site, the other for our SharePoint Installation
3. Our Shared Services Provider resides inside our primary SharePoint installation (A small installation didn’t require separate applications)

The Dilemma:

1. We used an internal DNS (Host Header) value to setup the Web Application
2. We now want to expose the web application to the internet and utilize SSL

The Fix (Adapted from Faraz Khan’s Post):

1. Open the Central Administration Site
2. Click on the “Operations” tab
3. Under “Global Configuration” click “Alternate Access Mappings”
4. Select “Edit Public URLs”
5. Make sure to select the correct web application from the “Alternate Access Mapping Collection” drop down
6. Change the “Default” URL to point to the new domain name
7. Click Save
8. SharePoint will now do some work to update links and everything else to point to the new location, however it does not seem to update the IIS Host Headers.
9. Open the IIS Manager
10. Edit the Bindings for the Web Application to use the new Host Header
11. If it makes you feel better restart IIS

I found that this solution will correct the primary web application but has no effect on the shared services provider, when you access a My Site in MOSS it will still use the old URL.  Once I have completed testing on that portion of the change I will post an update here.

-Brent

If you have ever been to an airport, hotel or other public place that offers Wi-Fi service you may have also noticed that some require you to pay for access and others just require you to register.  Depending on your business this can be a good thing as it provides a source for extra revenue, or maybe just more insight into your visitors and how they access the hotspot.  On the other hand it does provide a little bit more security so you don’t end up with leaches on the network.

There are many vendors of systems and access points to provide this type of service, however I stumbled across a Microsoft document that provides information to setup and configure this type of service using existing Windows based servers.  It specifically targets Windows 2003 and Windows XP, but I am sure that is an updated version for 2008 and Vista.  On the other hand it is important to note that it does not contain any information about supporting Apple or Linux based machines.  Even if this solution does not work for you it may be worth the time to read just to understand some concepts and background on how a system to handle this could be implemented.

So without further ado the document can be found here.  If you have used this system or something similar please post your experience and comment on the system as I would be curious how it worked out for you.

-Brent

I was recently searching for links to many of the Microsoft Posters that are available in PDF format.  These posters are usually very large and can be printed out either on a printer or taken to a store like Kinko's or the UPS Store to be printed on poster paper.  This list will change or get added to as I find new posters or the links change.

Posters:

1. Exchange 2007 Component Architecture
2. Windows Server 2008 Components
3. TechNet Active Directory Jigsaw
4. Windows Server 2008 Active Directory Components
5. .NET 3.5 Namespace Poster

Again, most of these posters are meant for printing on paper large than 8.5x11.

-Brent

When using Windows XP SP3 with remote desktop on a Windows Vista or Server 2008 computer that requires NLA or Network Level Authentication you might run into the following error:

"The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support."

 The problem arises because the Security Provider in Windows XP designed to handle NLA is turned off by default. Don't ask me why. The provider is called "CredSSP" and according to Microsoft here is what it does:

"CredSSP is a new Security Service Provider (SSP) that is available in Windows XP SP3 by using the Security Service Provider Interface (SSPI). CredSSP enables a program to use client-side SSP to delegate user credentials from the client computer to the target server. (The target server is accessed by using server-side SSP). Windows XP SP3 involves only the client-side SSP implementation. The client-side SSP implementation is currently being used by Remote Desktop Protocol (RDP) 6.1 Terminal Services (TS). However, the client-side SSP implementation can be used by any third-party program that is willing to use the client-side SSP to interact with programs that are running server-side SSP implementations in Windows Vista or in Windows Server 2008."

However, the good news is Microsoft also provides a very detailed process on how to turn on CredSSP. I have provided a link to the KB article that describes how to turn on CredSSP. Follow the process under "How to Turn on CredSSP" and the message should be resolved.

http://support.microsoft.com/kb/951608

-Brent

NOTE: When referring to the PDC or Primary Domain Controller I am referring to the PDC Emulator Master that is a member of the FSMO Roles. The original concept of a PDC was discontinued prior to Windows 2000's release

I ran across this problem at home, where I have a Hyper-V server that runs all of my other servers, one of which is our home Domain Controller. It is also the Primary Domain Controller which means that by default it provides NTP and Time Synchronization services for the rest of the Domain, and in some cases the network. By default when you setup a new domain the NTP Service is installed and configured. If for some reason this is not the case see the following TechNet article:

http://technet.microsoft.com/en-us/library/cc786897.aspx

If you are not familiar with Hyper-V you should know that Hyper-V just like VMWare installed "Integration" or "Client" tools, which is really just a fancy term for Drivers and Services that enhance the client-to-host communications. Typically as part of these tools the time service for the Client Server will synchronize itself with the host machine, primarily because the host machine has the Motherboard which has the CMOS Battery that allow the computer to keep time. Again, this is a great idea; otherwise your clients might get out of whack.

The problem comes in when your Primary Domain Controller (PDC) which is providing time service to client machines is on the same domain as the host computer that is not a domain controller. The problem is that the time service continues to synchronize the host machine with the client, but in reality the host should be getting its time information from the PDC. The PDC in turn should synchronize with an external NTP Server or Pool. (Read: http://en.wikipedia.org/wiki/Primary_Domain_Controller).

So, over time the clock of both machines either speeds up or slows down, but either way does not keep proper time. Eventually this causes major problems, especially for laptops that travel and instead try to sync with another time server as a last resort, because once you bring it back on the domain and it is outside of the 10 minute difference window it stops all communication.

My Fix:

I actually have two. The first tells the host machine to look at an NTP Pool and not talk to the Domain to get time information. The second disables the Hyper-V Time Synchronization service, there-by allowing the virtual machine to look to an external NTP pool and get the right time. See below for the steps:

NOTE: These changes all take place from the host machine and not the virtual domain controller!

Fix 1 – Change NTP Settings:

NOTE: This solution modifies the registry. Make sure you know what you're doing, as no one else can be held responsible for killing YOUR computer.

• Stop the Time Service, you can use the Service Control Manager MMC Snap-In or at the cmd prompt: "net stop w32time"
• Open the registry editor, Start, Run, "regedit"
• Browse for the following key: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
• Change the key "Type" from "NT5DS" to "NTP". If you do not have NT5DS I would stop now!
• By default Windows uses the Microsoft NTP Pool. For most this is fine. If you want to use a more open source and larger pool I suggest doing the following:
  • Change the key "NTP Server" to "north-america.pool.ntp.org" (See http://www.pool.ntp.org for other pools around the world)
  • Browse for the following key: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config"
  • Change the key "AnnounceFlags" from "10" to "5"
• Close the registry editor
• Start the Time Service, you can again use the MMC Snap-In or "net start w32time"
• Normally it can take a while for the time to update itself, but we can override this and force it to run. Do the following:
  • From the cmd prompt: "w32tm /resync /rediscover"
  • If it fails to sync the first time run it again, I have had problems where this sometimes fails the first time.

Fix 2 – Disable Integration Service Time Settings:

1. Open the Hyper-V MMC Snap-In
2. Select the Virtual Machine running your Active Directory
3. Right-Click on the machine and select "Settings"
4. Under "Management" select "Integration Services"
5. Un-Check Time Synchronization

So from the steps above the obvious choice should be Fix 2, its much simpler and you don't have to deal with the registry or the time service. Just remember that the virtual machine by default will not have a battery to keep track of the time. So if you take a DC offline for a day or two, the clock will be totally off, because you have disabled the time synchronization service. Lastly, if you have multiple virtual domain controllers on different host machines you only need to make the change to the domain controller that serves as the PDC Emulator, because everything else will flow downhill and get the proper time.

-Brent

As many people have found out over the past couple of months Microsoft has released the newest version of the Remote Desktop Client. The current version is 6.1. However, as many more of you have found out, the 6.1 client is not supported or released for Windows Server 2003. For many users and admins this is not an issue, but for those of use using Terminal Servers 2008 on a Windows Server 2008 box it raises a few problems. The biggest problem is that the 6.1 client is required to utilize RemoteApps (Similar to Citrix). For common user use this is not a big issue, however for administrative and testing purposes it can be a problem.

The 6.1 RDC is available for the following systems:

1. Windows Server 2008
2. Windows Vista SP1
3. Windows XP SP3

I have been able to find a solution, while not support or sanctioned by Microsoft it seems to do the trick. After users complained (and rightly so) about not being able to get the 6.1 client for Windows XP SP2 Microsoft released a Hotfix to allow those users to install and use it. Personally I recommend upgrading to SP3 as it is pretty solid and stable. I have not had a lot of users experiencing problems with it. So to install the RDC 6.1 for Windows Server 2003 do the following:

1. Visit: http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1EC93D-BDBD-4983-92F7-479E088570AD&displaylang=en
2. Download the XP SP2 Client
3. Once Downloaded the application needs to be run in XP SP2 compatibility mode
   1. Right-Click the installer
   2. Select Properties
   3. Check the "Enable Compatibility box"
   4. Select "Windows XP"
   5. Apply and Close
4. Run the installer – follow the prompts and complete the installation

Ta-da RDC 6.1 for Windows Server 2003

This applies to IIS 6.0 and not 7.0 that I am aware of.  I will see if this has been handled differently in

IIS 7.0 later.

I found a few good resources while doing this research today.  This is a long standing problem.  This post provides resources and links to help solve the problem.

A typical scenario looks like this:

You have a single server with many websites and you need to use a certificate for SSL traffic on two of the five websites.  You do not need to use SSL at all on the remaining sites.

Solution:

You need to use a wild card certificate, assuming that all of the sites reside in the same domain space.  Just for clarification a wildcard certificate certifies a domain namespace, like www.brentpabst.com or www.microsoft.com.  Anything that exists as a domain.  What this does in essence is certify that *.brentpabst.com is OK.  So if you have any number of levels of sub-domains you could, in theory, install this certificate and it would be valid.  I found both a MSDN and a link to the Singapore .NET User's Group on the subject.

Microsoft TechNet: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

Muang's Blog: http://sgdotnet.org/blogs/maungmaung/archive/2007/01/22/Multiple-_2800_SSL_2900_-Web-Sites-in-IIS-_2800_Part-2_2900_.aspx

If you have not done so already and work with IIS 6.0 in most of your day to day work you would do well to have the IIS 6.0 Resource Kit.  You can download it here.  In general as a SysAdmin or Engineer I also recommend having the Windows Server 2003 Administration Tool Pack.  These are all invaluable tools!

Hope it helps!

I came across the need to force a site to load secure over SSL using IIS7.  The important thing was the the application would not even load for the user unless it was opened over SSL.  I searched online and found an easy way to get IIS7 to only allow HTTPS traffic to pass to the application however since the application already existed it was going to cause me a problem because people had already set their bookmarks up for the standard HTTP address.  So I did more searching to automatically load the HTTPS version instead and for smarter browsers tell them to pick up on the change.  I modified some code snippets I had found plus embedded it into a familiar IIS7 error message in the event the transfer failed.  I have attached a ZIP file with the new error page.

Read the contents of the html file to get instructions on how to load it into IIS.

-Brent