Certificate autoenrollment fails with RPC server is unavailable

Hi again,

Some of my work with Certification Authority (AD CS) involves enrolling certificates for many purposes. Sometimes autoenrollment does not work as it should, and you get weird errors like:

Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from CA.domain.localDomain-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

along with KDC certificate errors, because the domain controller does not hold a valid domain controller certificate:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

This happens when you create your CA on a domain controller and the “Domain Controllers” security group is missing from the “CERTSVC_DCOM_ACCESS” domain local security group, which controls DCOM access to the CA.
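As an added example (not from the original post), a PowerShell check for exactly this misconfiguration: it verifies that “Domain Controllers” is a member of CERTSVC_DCOM_ACCESS, adds it if missing, and re-triggers autoenrollment with certutil -pulse. It assumes the ActiveDirectory module (Server 2008 R2 / RSAT) and rights to modify the group.

```powershell
# Added example, not part of the original post.
# Checks whether "Domain Controllers" is a member of CERTSVC_DCOM_ACCESS, the
# domain local group that grants DCOM access to the CA, and fixes it if not.
# Assumes the ActiveDirectory module and rights to modify the group.
Import-Module ActiveDirectory

$dcomGroup = Get-ADGroup -Identity 'CERTSVC_DCOM_ACCESS'
$dcGroup   = Get-ADGroup -Identity 'Domain Controllers'

# Compare by SID rather than display name so renamed groups are still matched
$memberSids = Get-ADGroupMember -Identity $dcomGroup |
              Select-Object -ExpandProperty SID |
              ForEach-Object { $_.Value }

if ($memberSids -contains $dcGroup.SID.Value) {
    Write-Host 'OK: Domain Controllers is already a member of CERTSVC_DCOM_ACCESS'
}
else {
    Write-Warning ('Domain Controllers is missing from CERTSVC_DCOM_ACCESS; ' +
                   'DC autoenrollment fails with 0x800706ba (WIN32: 1722)')
    Add-ADGroupMember -Identity $dcomGroup -Members $dcGroup

    # The DC's own access token only picks up the new group membership after
    # a reboot (or ticket refresh); run this on the DC afterwards to trigger
    # the autoenrollment task immediately instead of waiting for the timer.
    certutil -pulse
}
```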

Have a look at the following post for more autoenrollment issues and how to fix them:
http://blogs.technet.com/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx

The KDC error reference:
http://technet.microsoft.com/en-us/library/cc734096%28WS.10%29.aspx

How to publish Exchange 2003 and Exchange 2010 with ISA 2006

Hi,

My first step-by-step guide!

This guide will show you how to configure ISA 2006 for coexistence of Exchange 2003 with Exchange 2010 remote connectivity services, including:

  • Outlook Web Access & Outlook WebApp
  • Microsoft ActiveSync
  • RPCoverHTTP – Outlook Anywhere
  • Publishing an Exchange 2010 farm (two Client Access servers)

This guide assumes that:

  • ISA 2006 is configured to publish OWA 2003 and all additional services
  • SSL is configured for the Exchange 2003 server
  • Windows Integrated Authentication is enabled on the ActiveSync Vdir on the Exchange 2003 Back-End server ( http://support.microsoft.com/?kbid=937031 )
  • RPC-over-HTTP was working for 2003 mailboxes, and the 2003 back-end server is configured for RPC-over-HTTP
  • The current configuration works 😉
  • This guide does not cover scenarios where Exchange is exposed directly to the internet, which I personally do not recommend in general.

Okay here we go:

  1. Configure redirection for Exchange 2003 OWA:
    Exchange 2010 will redirect a user whose mailbox is still on Exchange 2003 once the following cmdlet has been run on the Exchange 2010 Client Access server:
    Get-OwaVirtualDirectory -server cas01-2010 | Set-OwaVirtualDirectory -Exchange2003Url https://owa.ext.com/exchange
  2. Publish Exchange 2010 client access web farm with ISA 2006, OWA first:

New OWA 2010 publishing rule: Outlook Web Access Publishing

– Note that ISA 2006 does not provide a wizard (or the new form) for OWA 2010; for that you need TMG

– Now we need to create the Web Farm and select it as the target for the publishing rule

– Configure the web listener and authentication delegation option

– The web listener should already be configured for Forms Authentication with a valid SSL certificate

– The publishing rule for the Web Farm is now complete.

– Two additional configurations are now required:

    1. Edit the new “exchange2010” rule:
      Remove the legacy virtual directories (/Exchange, /Exchweb and /Public); they will continue to be published through your original 2003 rule.
      Add /ecp/*, as this is the new “Options” application for users and a powerful administration web console in Exchange 2010.
    2. Edit the original OWA 2003 publishing rule and remove the Microsoft-Server-ActiveSync path; next we will create an ActiveSync publishing rule for Exchange 2010.

Now we have three last steps to finish our Exchange 2010 publishing:

  1. Create a new Exchange Web Client Access rule and select ActiveSync. Repeat most of part 1, except that we select ActiveSync, publish the web farm, enter the same info, and select the same listener.
  2. As with ActiveSync, we need to move RPC over HTTP (Outlook Anywhere) from the 2003 publishing rule to the 2010 publishing rule. Delete the existing rule; next we will create a new publishing rule for Outlook Anywhere based on Exchange 2010.
  3. Create a new Exchange Web Client Access rule and select Outlook Anywhere. Repeat most of part 1, except that we select Outlook Anywhere, publish the web farm, enter the same info, and select the same listener.

That’s it 🙂

If you met all the requirements, everything should be fine and you can now migrate your 2003 users to 2010 with ease, while both systems remain available for external connectivity.

Enjoy!

More relevant links on the subject:

Upgrading Outlook Web App to Exchange 2010

Transitioning Client Access to Exchange Server 2010

Local operating system boot fails when external storage is attached

Well, the title explains this well enough,

but I’d like to share a little more.

A typical Exchange 2010 deployment based on Server 2008 R2: this time we used an IBM BladeCenter HS22 with a QLogic HBA connected over FC to EMC Symmetrix storage… okay, enough hardware talk. 🙂

The “symptom” was that after connecting the LUNs to the server and creating the partitions, the next reboot of the server was… unsuccessful. Shocked as we were, we tried quite a few things: drivers, firmware upgrades, disabling this and disabling that… and when all of that failed, some searching turned up a few links, all of which seemed “close but no cigar”.

Local operating system boot fails when external storage is attached – IBM System x3550 M2, x3650 M2 and BladeCenter HS22

UEFI-aware OS doesn’t boot after load defaults or deployment – IBM BladeCenter and System x

The system becomes unbootable after you add raw disks to a Windows Server 2008 R2-based computer that has EFI enabled: http://support.microsoft.com/kb/975535

First real world experiences with IBM’s x3650 M2

The last link includes a comment by “Rudi”, which gave us a good idea. Let’s try again…

Well, we did! And guess what? IT WORKED.

Quick wrap up:

1) HS22 BladeCenter – the server boots from local RAID-1 SAS disks with a GUID Partition Table (GPT), using the Server 2008 R2 EFI boot loader.

2) 21 LUNs attached over FC from an EMC Symmetrix storage array (MBR).

Solution:

3) Make sure you initialize all drives with GPT (GUID Partition Table). That’s it!
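As an added example (not from the original post), a PowerShell script for a Server 2008 R2 EFI host that reports the partition style of every attached disk, warns about MBR disks, and, when run with -Apply, initializes raw disks as GPT through a diskpart script instead of leaving them to be initialized as MBR. The -Apply switch and the disk/partition reporting are this example’s own; it assumes local admin rights and WMI access.

```powershell
# Added example, not part of the original post.
# Reports the partition style of each disk on an EFI-booted Server 2008 R2 host
# and, with -Apply, initializes RAW (unpartitioned) disks as GPT via diskpart.
# Assumes local admin rights; -Apply and the report format are this example's own.
param([switch]$Apply)

$disks = Get-WmiObject Win32_DiskDrive | Sort-Object Index
foreach ($d in $disks) {
    # Win32_DiskPartition.Type starts with "GPT:" for GPT disks, e.g. "GPT: Basic Data"
    $parts = Get-WmiObject Win32_DiskPartition -Filter "DiskIndex = $($d.Index)"
    if (-not $parts) {
        $style = 'RAW'
    } elseif (@($parts | Where-Object { $_.Type -like 'GPT*' }).Count -gt 0) {
        $style = 'GPT'
    } else {
        $style = 'MBR'
    }
    '{0,4} {1,-4} {2,8:N0} GB  {3}' -f $d.Index, $style, ($d.Size / 1GB), $d.Model

    if ($style -eq 'MBR') {
        Write-Warning "Disk $($d.Index) is MBR; mixed with an EFI boot this is the KB975535 scenario"
    }
    if ($style -eq 'RAW' -and $Apply) {
        # diskpart script: bring the disk online, clear read-only, initialize as GPT.
        # Only RAW disks are touched, so no existing partitions are destroyed.
        $script = @"
select disk $($d.Index)
online disk noerr
attributes disk clear readonly noerr
convert gpt
"@
        $tmp = [IO.Path]::GetTempFileName()
        Set-Content -Path $tmp -Value $script -Encoding ASCII
        diskpart /s $tmp | Out-Null
        Remove-Item $tmp
        "Disk $($d.Index) initialized as GPT"
    }
}
```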

Smile 🙂

** Quick note: to sum up the other links, if you use a non-UEFI-aware OS (basically only Server 2008 and later are UEFI aware), you need to make sure to use the “Legacy Only” boot method.

Hope this helps, we spent quite some time around this issue.

Edit ISA / TMG login form – Easily !

I wanted to share a nice little app I found. It lets you do “Customizing HTML Forms in ISA Server 2006” (or TMG) easily through a GUI, instead of editing strings.txt and the HTML by hand 🙂
A free community utility by Kay Sellenrode: FBA Editor v1

Just visit the page, or check out this YouTube video showing off this great utility.

Enjoy

Exchange 2007 SP2 for SBS 2008 installation tool available !

Error:
You must update your Windows Small Business Server 2008 settings both before and after you install Exchange Server 2007 Service Pack 2 (SP2). Before installing SP2 for Exchange Server 2007, read the detailed information at http://go.microsoft.com/fwlink/?LinkId=155135.

http://support.microsoft.com/?kbid=974271

At last, an installation tool for easy installation of Exchange 2007 SP2 on SBS 2008; no more “hacking” the SBS 2008 server…

Great News, Enjoy !

Where did “NewSID” go? Seems Mark got the answer

Mark posted a great post about this ancient urban legend, “The Machine SID Duplication Myth”

For the record, just remember that NewSID was never the solution for imaging a computer as a template.
I’ll quote some of Mark’s post and leave you to read the rest on his blog.

On November 3 2009, Sysinternals retired NewSID, a utility that changes a computer’s machine Security Identifier (machine SID). I wrote NewSID in 1997 (its original name was NTSID) because the only tool available at the time for changing machine SIDs was the Microsoft Sysprep tool, and Sysprep doesn’t support changing the SIDs of computers that have applications installed. A machine SID is a unique identifier generated by Windows Setup that Windows uses as the basis for the SIDs for administrator-defined local accounts and groups. After a user logs on to a system, they are represented by their account and group SIDs with respect to object authorization (permissions checks). If two machines have the same machine SID, then accounts or groups on those systems might have the same SID. It’s therefore obvious that having multiple computers with the same machine SID on a network poses a security risk, right? At least that’s been the conventional wisdom.

…I realize that the news that it’s okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT’s inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that – with one exception – Windows never exposes a machine SID outside its computer, proving that it’s okay to have systems with the same machine SID. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep.

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

Enjoy !

Thanks, Mark, for the clarification.

Exchange Servers Permissions are needed on Security Groups

Recently, I’ve encountered a situation where users that have been migrated to Exchange 2007 could not send mail to certain public folders.

It turned out that the affected recipients were members of a security group that had inheritance disabled and carried only a few specific ACEs for admins and such; the “Exchange Servers” group was not included in the DACL.

The NDR returned when the senders tried to email the public folder was:

#550 5.2.0 STOREDRV.Deliver: The Microsoft Exchange Information Store service reported an error. The following information should help identify the cause of this error: “MapiExceptionNotAuthorized

To resolve this I added an Allow Read permission for the Exchange Servers group, inherited by all child objects.
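As an added example (not the author’s own steps), a PowerShell sweep for the same root cause across the domain: it lists security groups whose DACL blocks inheritance and has no Allow Read ACE for “Exchange Servers”, and grants GenericRead inherited to child objects with Add-ADPermission. It assumes the ActiveDirectory module (for the AD: drive) and the Exchange Management Shell.

```powershell
# Added example, not part of the original post.
# Finds security groups whose DACL blocks inheritance and has no Allow/Read
# ACE for "Exchange Servers", then grants Read inherited by child objects,
# which is the fix for the MapiExceptionNotAuthorized NDR described above.
# Assumes the ActiveDirectory module (AD: drive) and the Exchange Management Shell.
Import-Module ActiveDirectory

$exGroupName = 'Exchange Servers'
$exSid = (Get-ADGroup -Identity $exGroupName).SID.Value

foreach ($g in (Get-ADGroup -Filter 'GroupCategory -eq "Security"')) {
    $acl = Get-Acl -Path ("AD:\" + $g.DistinguishedName)

    # Groups that still inherit from their OU are not the problem case
    if (-not $acl.AreAccessRulesProtected) { continue }

    # Look for an explicit Allow ACE for Exchange Servers that includes ReadProperty
    $hasRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -eq $exSid -and
        ([int]($_.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::ReadProperty)) -ne 0
    }
    if ($hasRead) { continue }

    Write-Warning "$($g.Name): inheritance blocked and no Read ACE for $exGroupName"
    # Exchange Management Shell cmdlet; InheritanceType All = this object and all descendants
    Add-ADPermission -Identity $g.DistinguishedName -User $exGroupName `
        -AccessRights GenericRead -InheritanceType All
}
```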

Hope this will be useful !

RTL Plain Text emails with Outlook 2007 – fixed

Finally, a long-term solution to a problem that has been annoying me for quite a while…

Outlook 2007 plain-text replies in right-to-left languages (Hebrew, in my case) were received with the word order reversed; that is, the words in each sentence were displayed literally reversed.

Quite an annoying Word issue, actually… A workaround was making sure that users sent out Rich Text (RTF) emails; then the replies were displayed correctly.

Long story short: to solve this, request and install the following hotfix: http://support.microsoft.com/kb/973401
Description of the Word 2007 hotfix package (Word-x-none.msp, Wordconv-x-none.msp): August 25, 2009

Additional configuration to align the text to the right can be done by following Daniel Petri’s post on this:

http://www.petri.co.il/correcting-email-display-direction-in-outlook.htm

This solved my issue on the spot.

Better late than never 🙂

Ultimate list of keyboard shortcuts for Windows (7)

Well, I know… there are tons of links on the net for this; here are my top picks.

Most are Windows 7 specific and include a few Aero shortcuts, but some are old-school ones.

Start Clicking !

Win+Up Arrow :- Maximize the current window

Win+Down Arrow :- If the current window is maximized, restore it; if it is restored, minimize it

Win+Left Arrow :- Dock the current window to the left half of the screen

Win+Right Arrow :- Dock the current window to the right half of the screen

Win+Home :- Minimize all but the current window

Win+P :- Open the projection menu (generally used for laptops connected to projectors)

Win+X :- Open Windows Mobility Center (for laptops)

Alt+F4 :- Close the active window

Alt+Tab :- Switch to the previously active window

Alt+Esc :- Cycle through all open windows

Win+Tab :- Flip 3D

Ctrl+Win+Tab :- Persistent Flip 3D

Win+T :- Cycle through applications on the taskbar (showing their live previews)

Win+M :- Minimize all open windows

Win+Shift+M :- Undo all window minimization

Win+D :- Show desktop

Win+Space :- Preview desktop (Aero Peek)

Win+“+” :- Zoom in on the desktop (full screen) – by far my favourite addition to the Windows desktop

Win+“-” :- Zoom out of the desktop (full screen)

Win+1-9 :- Launch pinned applications on the taskbar by their position

A Few More Handy Shortcuts:

Ctrl+Shift+N :- Create a new folder

F2 :- Rename almost anything (yeah, not everyone knows this handy one). Try the Tab key with this too.

Ctrl+Shift+Enter :- While in the Start menu search box – run the program as Administrator (when UAC is enabled)

Shift + right mouse button :- In a folder window – adds “Open A Command Prompt Here” to the context menu

Shift + right mouse button (on a file / folder) :- “Copy as Path” for the selected file / folder

Ctrl+Shift+Esc :- Open Task Manager

F7 :- While in Command Prompt / PowerShell – shows recent commands

Links:

Windows 7 Shortcut keys on blogsdna.com

“The IO Guy” blog on TechNet – this is by far the most comprehensive list I’ve encountered.

Windows 7 Keyboard Shortcuts – the complete list

Feel free to comment and add more handy stuff; I’ll be happy to include more “must have” shortcuts.

Enjoy