Author Archives: Mike Crowley
Microsoft’s many uses of the word “Virtual”
It’s really amazing how many smart people misuse the various product names of Microsoft’s virtualization technologies. I blame this partly on Microsoft’s lack of effort to clarify, but the topics are also just confusing. Here I want to provide a short list of Microsoft’s “virtualization” technologies with a description of each in easy-to-understand language.
Presentation Virtualization
This is a fancy name for Terminal Services, which is now called Remote Desktop Services in Server 2008 R2.
Official site: microsoft.com/rds
Hardware Virtualization
Products include Virtual PC, Virtual Server and Hyper-V. These technologies allow a complete computer operating system to run within another operating system.
Official site: microsoft.com/hyperv
Now the confusing ones:
Virtual Desktop Infrastructure (VDI)
The use of the above-mentioned RDS combined with the above-mentioned Hyper-V. In Server 2008 and earlier, Microsoft VDI wasn’t an actual product; it was a licensing scheme that allows use of these technologies:
· Hyper-V for hosting your desktops
· System Center Virtual Machine Manager for managing your VMs
· System Center Operations Manager for monitoring everything
· System Center Configuration Manager for building and managing your desktop images
· The Microsoft Desktop Optimization Pack so you can use App-V to virtualize your applications
· All the Remote Desktop infrastructure components, like RD Web Access, RD Session Broker, RD Gateway, etc.
In Server 2008 R2, the licensing still applies, but there is now a “Server Role: Role Service” called “Remote Desktop Virtualization Host”. This role also adds the Hyper-V role and should not itself be virtualized, as it is considered a virtualization host.
Using the RD Virtualization Host role, you can create pools of virtual Windows desktops (such as Windows 7) for users to access over Remote Desktop Services. The use of Hyper-V allows many computers to reside within a single server, but it can also employ snapshots to automatically revert a PC back to its administrator-defined state when a user logs off.
To connect to this magical environment, you can use another computer with the Remote Desktop Client (yes, even a Mac), or you can use a thin terminal such as a Wyse WinTerm.
IMO: This is what most people mean when they say “we want to virtualize our desktops”
There are 3 videos that cover this in just the right amount of detail here:
1. http://edge.technet.com/Media/Microsoft-VDI-Part-I-Server-Side-Configuration
2. http://edge.technet.com/Media/Microsoft-VDI-Part-II-Virtual-Desktop-Configuration
3. http://edge.technet.com/Media/Microsoft-VDI-Part-III-Client-Side-Experiences
Official site: microsoft.com/vdi
Microsoft Enterprise Desktop Virtualization (MED-V)
MED-V is the most confused product in this list. While it sounds like a product that allows you to do what I just described in the VDI section above, this is actually far from the truth.
MED-V addresses the issue of application-to-operating-system incompatibility. However, before you walk down the MED-V road, you should realize that applications that don’t seem to be compatible with the operating system may actually be “fixed” with ACF. I’m not going to get into ACF here, but you can read about it here: Application Compatibility Factory (ACF) Program
MED-V used to be called “Virtualization Player” before Microsoft bought Kidaro, the parent company. MED-V allows a given workstation to run a modern operating system such as Windows Vista or Windows 7 while also running otherwise incompatible applications on Windows XP which is hidden in the background.
This is accomplished by first installing Virtual PC on the workstation, and then the MED-V client. When a user accesses an application that the administrator has configured to run from the XP environment, it is seamlessly merged into their Windows Vista/7 experience, without the user being aware of a full XP installation running in the background.
If you are familiar with Windows 7’s “XP Mode” you have a head start on this concept. XP Mode is a derivative of MED-V. The “E” in MED-V stands for enterprise, so of course this means the environment can be controlled in a way that is suitable for large environments. This is done by centralizing the images used for the background environments, and controlling their level of interaction with the client computers that run the MED-V client.
In addition to incompatible applications there could also be incompatible websites. An example here would be when a user types http://oldsite IE6 is called to access the URL when all other applications would run from IE7 or 8. Applications and URLs that are defined as incompatible are configured within the MED-V management application.
MED-V requires better hardware for the workstations that run it; however, it does not require virtualization support from the CPU architecture like Hyper-V does.
This software is only available through the MDOP (Microsoft Desktop Optimization Pack) offering via Software Assurance.
Official site: microsoft.com/medv
Microsoft Application Virtualization (App-V)
This product was purchased from Softricity, who named it SoftGrid. It has since been renamed App-V, currently at version 4.6.
App-V, like MED-V, is an MDOP offering that deals with application incompatibility. The difference is that MED-V addresses application-to-operating-system incompatibilities, whereas App-V solves application-to-application incompatibility issues.
Java for example can only exist once on a computer. If a user requires an older AND a current version of Java, they cannot run them both from the same computer. App-V changes this rule.
App-V creates a sort of “bubble” for an application to reside within. The bubble itself interacts with the operating system but not with other bubbles. This allows us to put Java v.old and Java v.new into separate “bubbles” and then run them both on the same computer, at the same time if desired.
This bubble means the application is never “installed” onto the computer.
Another cool thing about App-V is its ability to stream these bubbles to the client. App-V uses RTSP to send the application to the client. App-V is Microsoft’s “application streaming” technology. The advantage of streaming an app is that the computer is able to run the app while all the program bits are being sent over the wire as necessary.
With App-V all application processing and workload is done on the client. I mention this because many people believe the “stream” or the streaming server somehow assists the workstation. This is not true. If you run an application within App-V you need the same hardware you would need without App-V. This also means an app that is incompatible on Windows 7 will remain incompatible with Windows 7 even if packaged via App-V. Remember, this is MED-V’s job.
Official site: microsoft.com/appv
I hope this helps you in your future discussions with customers or at least your own personal understanding of Microsoft’s Virtualization offering!
Microsoft Certified Technology Specialist (MCTS): Microsoft Exchange Server 2010, Configuration
Upgrading From Exchange 2000 to Exchange 2010
Are you or anyone you know still running Exchange 2000? If so, you should know that when you do finally get around to upgrading, Exchange 2010 and Exchange 2000 cannot exist in the same Forest/Org. The oldest version of Exchange that can co-exist with Exchange 2010 is Exchange 2003 SP2.
If you want to upgrade from Exchange 2000, you’ll have to upgrade in stages. Because Exchange 2000 supports an in-place upgrade to Exchange 2003, this method is going to be the easiest way to prepare for Exchange 2010. Exchange 2003 requires more resources than Exchange 2000, but for the purpose of a migration project it won’t be around for long anyway, so you might be able to upgrade resources in place. Otherwise, you’ll have to allocate hardware for Exchange 2003 only to get rid of it when you go to Exchange 2010. If you are forced to take this approach, I would recommend virtual hardware for Exchange 2003, as it is now supported.
We can get into detailed guidance another time, but here are some scenarios for upgrading to Exchange 2010 from an earlier version of Exchange. I am not including Exchange 5.5 in this post because I hope nobody is still running it! Also, for the guidance below, I am assuming everything is running the latest Exchange service pack and/or rollup.
| Current Platform* | Getting to Exchange 2010 |
| Exchange 2000, on Win 2000, with 2000 AD | 1. Do an in-place upgrade to Exchange 2003. 2. Don’t bother upgrading the operating system. 3. Prepare for an AD 2003 upgrade (scenario 2). 4. Do an in-place upgrade of at least one domain controller to AD 2003. 5. Migrate. [UPDATE – NOTE THAT THIS REQUIRES ADDITIONAL CHANGES IN ACTIVE DIRECTORY. THE STEPS IN THIS ARTICLE ARE TO GET YOU TO EXCHANGE 2003 ONLY. THE HYPERLINK HERE INCLUDES THE REMAINING STEPS.] |
| Exchange 2000, on Win 2003, with 2000 AD | How did you get here? This is not a supported configuration! |
| Exchange 2000, on Win 2000, with 2003 AD | 1. Did you first prepare for mangled attributes? If not, examine scenario 3. 2. Do an in-place upgrade to Exchange 2003. 3. Migrate. [UPDATE – NOTE THAT THIS REQUIRES ADDITIONAL CHANGES IN ACTIVE DIRECTORY. THE STEPS IN THIS ARTICLE ARE TO GET YOU TO EXCHANGE 2003 ONLY. THE HYPERLINK HERE INCLUDES THE REMAINING STEPS.] |
| Exchange 2000, on Win 2003, with 2003 AD | How did you get here? This is not a supported configuration! |
*When I list an AD version, I am also assuming /forestprep has not yet been run for a future version of AD.
Screenshots for Windows Server 2008 R2 RTM In-Place Upgrade
One really cool benefit of being an MCT is that we get a subscription to TechNet Direct! This means I was able to get my RTM copy of Windows Server 2008 R2 earlier this afternoon!!
You can get a copy of the RTM bits yourself as a 180-day trial, here.
I have a few machines that I run in my lab environment, and I figured I’d upgrade them to the latest OS so that I would have a head start for when my clients want to start installing it later this year. Many of you know the basics of installing an operating system, and I’m not going to lie – this isn’t much different than installing Server 2008, but I figured I’d document my progress and post it here for those who might benefit.
Because my lab already exists on Server 2008 SP2 Enterprise Edition x64 (you cannot upgrade from x86), I wanted to do an in-place upgrade, rather than a clean install. After doing the first machine, and gaining confidence, I moved on to the 2nd; which was my domain controller. Because I’m a little insane (& lazy), I wanted to try the upgrade via remote desktop. By golly it worked! I wouldn’t recommend this for, um, lots of reasons – but I can say it DOES work!
Before upgrading the Active Directory domain controller, I first browsed to the .\support\adprep folder and ran the following two commands:
adprep /forestprep
adprep /domainprep
These commands prepare the forest and domain for the installation of the first 2008 R2 domain controller. Be sure to do this before you begin the upgrade routine. Active Directory is beyond the scope of what I want to cover today, but if you’re curious about adprep, there is more info here.
For this article, the images used are from Hyper-V (you’ll notice the window frame). This is not the computer I did remotely, but the process didn’t change.
So without further delay, here are the screenshots:
1) Run setup.exe
2) Click Install now
3) The 2008 R2 media is hot off the presses, so there are not yet any updates, but as a best practice, click “Go online to get the latest updates for installation”
4) Select the version of Windows Server 2008 R2 you wish to upgrade to. Note: Windows 2008 R2 is x64 only. If you currently run an x86 version of Windows you will not be able to upgrade.
5) Read and accept the license.
6) As I mentioned previously, I am upgrading.
7) This process ensures compatibility. More on this process here.
8) You will get a screen at the end of the previous step indicating whether or not you pass the list of known compatibility issues. This particular image (off screen) indicates I have other user accounts logged in, and they must first log out. (I had a separate RemoteApp session open.) This tool places a log file on your desktop, regardless of pass or fail, so that you can review it later. Once I closed the other sessions, I re-ran setup and was greeted with a “Next” button instead of “Close”.
9) The install begins!
10) After a while it automatically reboots the machine. From now until the end of the install it is “off” the network.
11) Setup restarts automatically
12) The installer picks up where we left off. This is the 2nd stage of the upgrade.
13) Go find something else to do for 20 minutes. It will be fine…
14) Getting close!
15) Almost there!
16) Start, Run, Winver -> (Note: Build 7600)
Once you check everything out for yourself, don’t forget to activate! You’ve got 10 days before it starts to remind you.
And there ya have it! Happy Upgrading!
The Psychology of a TechNet Forum Thread
I like spending my free time on Microsoft’s TechNet Forums site. I feel like it’s a great place to test my mettle by helping to solve people’s problems, but also it helps me gain a deeper perspective into the issues the technical community faces with a given product. This in turn, of course, makes me a better engineer and consultant – But before you try this at home, let me warn you: it’s addicting!
I have been surfing, helping, contributing, asking for around 2 years now and I’ve noticed some funny behaviors from the people who post there. I have also noticed what “types” of posts seem to get answered the fastest and which posts seem to linger unanswered indefinitely! This is what I want to point out today. Hopefully with my advice you’ll get your questions answered faster and with more accuracy! See below for 7 do’s and do not’s of online tech forum etiquette:
1. Do use punctuation! I am not talking about proofreading your English exam here, but it’s surprising how distracting a lack of: periodslinebreaksandspaces can be. Remember that other than the few paid Microsoft employees who roam this site, we are all answering questions voluntarily. I won’t say 🙂 how many times I have skipped a question because reading the post was going to take more energy than I felt like expending at the moment.
2. Do a quick internet search for your error code or problem description before you post! I don’t think anyone REALLY minds looking the error up and pasting the link back for you, but I can’t understand how people will post their error on a technical forum, which takes considerably more effort than to just look it up in the first place! I have reminded myself to hold back on many occasions from posting lmgtfy.com links in my answer!
3. Do not put ***URGENT!!!!!!!!1!!! in the subject line. A mentor of mine once taught me the subtlety of Urgent vs. Important. Many things are important, but not all of them are urgent. The accuracy of the definition, of course, isn’t my gripe. It’s the impatience or perhaps arrogance of the poster. I can assure you that adding “urgent” to your subject will not move you higher in the mental queue of the participants. In fact, when I answer these types of posts I typically roll my eyes before reading the thread, expecting a question from someone who has taken no time to think about the problem for themselves.
4. Do Use paragraphs. Yes, this is similar to #1 but I wanted to give its own attention because having your problem reported in paragraph form makes it easier to digest and analyze. I love it when someone breaks their post out into: background info, specific conditions, and question sections! This allows our analytical minds to work better and to focus on specific areas of the problem.
5. Do ask one question at a time (ok maybe two). These threads usually come from people looking for design help. They often have no idea about the technology they have suddenly found themselves managing, and ask questions about anything and everything all at once. The reasons for this number should be obvious but it’s often forgotten in the panic of the poster. Ask a single question about a single procedure, or possibly how two or three items interact, or pros and cons, etc. Remember, there is no limit of threads you can start! Don’t try to cram everything into a single request. Also bear in mind the forum serves two purposes, only one of which is to answer YOUR question. The other is to serve as a reference for others. With long winded design discussions, this second objective is lost, the first is rarely accomplished either. Either RTFM or pay a consultant to come and assist.
6. Do not bash Microsoft’s products. It is perfectly acceptable to ask “on system “x” I could do this – how do I do it with Microsoft’s solution?” But on occasion I have seen that turn into whining or outright insults to the people who work at Microsoft. This type of post is immature and unwelcome. If you have something that you need to air, start a blog, and if it’s worth reading people will find it. In the meantime, get out of the way of people trying to do real work here.
7. Do keep it short and sweet. Please provide enough information so that the problem can be analyzed without requiring a bunch of back and forth questions, but let’s not start with huge memory dumps or lots of event logs. I offer this advice only because it makes the problem seem more complicated than it may actually be. That in turn means you may have people shy away from reading your post entirely.
And there you have it! Happy posting!
Screenshots from Exchange 2010 (Beta) Installation
Microsoft Transporter Suite Updated
The Microsoft Transporter Suite is a free tool that can be used to migrate IMAP, POP and Domino email content into an Exchange 2007 environment. I’ve been working with the Transporter Suite on a few projects over the past year, and am pleased to see it is now finally a multi-threaded application (for POP/IMAP only)! This should resolve a lot of the performance issues I (and others) have been having.
More info here:
| Release month/year | Updates |
| February 2009 | Added support for multi-threading of POP/IMAP migrations; improved stability of the POP/IMAP migration tool; improved support for different POP/IMAP Administrator authentication models (support for proxy authentication); improved support for IMAP forward/reply flags; added support for additional POP/IMAP servers. |
| June 2008 | Improved handling of in-line images in migrated messages; improved handling of unread messages in migrations from University of Washington IMAP server implementations; fixed an issue whereby attachments could get misnamed; general enhancements for the Transporter user interface. |
The tool also has several updates for Domino:
| Release month/year | Updates |
| February 2009 | Removed the Transporter Application Analysis node; added support for Windows Server 2008 and Domino R8; improved migration of recurring meetings and updated recurring meetings; improved stability of Free/Busy service; improved support for multidomain Active Directory topologies; improved support for moving Domino Groups; improved support for moving anniversaries. |
| June 2008 | Improved migration of meeting messages from Lotus Notes; fixed an issue whereby user attributes for contacts in Active Directory may be lost after contacts are migrated from Lotus Notes; better handling of proxy addresses to avoid spurious duplicate address warnings. |
Download the tools here.
App-V 4.6 RC Client Error 460579-19D0990A-10000009
Recently I had a customer ask for my assistance with a problem they were having in their App-V environment.
Client computers would get the following error when they tried to connect to their defined publishing server:
My Google-fu failed me initially on this, as I was not able to find anything related to the 460579-19D0990A-10000009 error message, despite these seemingly definitive pages (here & here) on other errors.
I decided to look at the Management Server to see if perhaps it could shed more light on the situation. When I looked at the server’s application log I found this message to be more useful:
Log Name: Application
Source: Application Virtualization Server
Event ID: 44955
Task Category: (1)
Level: Error
Description: Certificate could not be loaded. Error code [-2146893043]. Make sure that the Network Service account has proper access to the certificate and its corresponding private key file.
The Services MMC shows the Application Virtualization Management Server service is logging on as builtin\Network Service. Here is our problem!
Doing a search on this new information brought me to the App-V Security Operations Guide. Within, I found instructions for adjusting the permissions:
(Page 10) Modifying Private Key Permissions to Support Management Server or Streaming Server
In order to modify the permissions of the private key, a Windows Server 2003 Resource Kit tool, WinHttpCertCfg.exe, can be used. There are other ways to modify the certificate permissions; however, this is the most straightforward and easy way of completing this task. The following steps explain how to modify the permissions of a certificate to support a secure App-V installation.
Managing Private Keys on Windows 2003
Use WinHttpCertCfg.exe to set the correct ACL on the private key. On Windows Server 2003, the process of changing the permissions on the Private Key to support App-V is described in the steps below. This process requires that a certificate that meets the prerequisites listed above has already been installed on the machine or machines that App-V Management or Streaming Server will be installed on. Additional information on using the WinHttpCertCfg.exe tool is available at the link below. http://msdn.microsoft.com/en-us/library/aa384088(VS.85).aspx
1. On the machine that will become the App-V Management or Streaming server, type the following command in the command shell to list the current permissions assigned to a specific certificate.
winhttpcertcfg -l -c LOCAL_MACHINE\My -s Name_of_cert (e.g. server.domain.com)
2. Next, if necessary, modify the permissions of the certificate to provide read access to the security context that will be used for the Management or Streaming Service. NOTE: The default security context is Network Service; some organizations don’t use built-in accounts and a domain account may be used instead.
winhttpcertcfg -g -c LOCAL_MACHINE\My -s Name_of_cert -a NetworkService
3. Verify that the security context was properly added by listing the permissions on the certificate.
winhttpcertcfg -l -c LOCAL_MACHINE\My -s Name_of_cert
Managing Private Keys on Windows 2008
Windows Server 2008 makes the process of changing the ACLs on the private key much easier. The certificates GUI can be used to manage private key permissions.
1. Create an MMC with the Certificates snap-in that targets the Local Machine certificate store.
2. Expand the MMC as shown in the diagram below and select Manage Private Keys.
3. Use the Security tab to add the Network Service account with Read access.
I found that both methods actually work on Server 2008 / R2 in case for some reason you are more comfortable with the command line and/or you didn’t bother to scroll down like I did to realize there is now a GUI alternative! 🙂
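For anyone who wants a third option, here is the same private key permission fix as a PowerShell script. This is an added example of mine, not code from the post or from the App-V guide, and it assumes the certificate subject name shown (replace it with your server’s FQDN) and a CSP-based RSA key stored under MachineKeys, which is what a certificate requested through the IIS or Exchange wizards normally has.

```powershell
# Added example (not from the post or the App-V guide): find a machine
# certificate by subject, locate its private key file and make sure
# NT AUTHORITY\NETWORK SERVICE can read it. Same effect as:
#   winhttpcertcfg -g -c LOCAL_MACHINE\My -s <name> -a NetworkService
# Assumes a CSP (RSA) key under MachineKeys; CNG keys expose no .PrivateKey here.

$SubjectName = 'appv.example.com'               # assumed; use your server's FQDN
$Account     = 'NT AUTHORITY\NETWORK SERVICE'   # the Management Server service identity

# 1. Pick the newest certificate with that subject that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $SubjectName" }

# 2. Map the key container to the file that holds it. CSP machine keys live
#    in %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\<UniqueKeyContainerName>.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# 3. Show the current ACL (the same information winhttpcertcfg -l prints).
$acl = Get-Acl $keyFile
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType

# 4. Grant Read only if the account does not already have it (full Read, not a subset).
$read    = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
}
if (-not $hasRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on $keyFile to $Account"
} else {
    "$Account already has Read on $keyFile"
}
```

Read is all the service needs to load the key; granting Full Control on the key file would let the service account re-ACL or delete it, so stick with Read as the guide says.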
After I made this permission adjustment, I tried the client refresh again, and instantly my applications appeared!
I hope this tip helps someone out there!
Remotely Enabling Remote Desktop (the 1337 way)
So this one is a little obscure, but lemme paint a quick picture:
A few years back, I had a small client site that had some remote users and executives that would connect to their office workstations from home via VPN / Remote Desktop. One day an executive got a new computer and “we” forgot to enable Remote Desktop for her. Normally this could have been addressed by a GPO, but it was a really small client site, and we just didn’t put that much complexity into the configuration. Anyway, this same day the user wanted to work from home and she was not able to connect. She proceeded to call me during dinner to inform me of this situation! I wanted to help but was thinking it would be tough to allow remote access REMOTELY! But I thought of a way! After I completed the below steps I contacted the user and she was able to connect!
I was so proud of myself I saved the steps and now I want to share it with everyone today. I used a combination of a free utility called psexec which can be downloaded here. I also used the built-in command prompt and registry editor that comes with Windows. Look at the below window, and follow the command prompt progress. I’ve commented along the way in green.
C:\Documents and Settings\admin>”C:\Documents and Settings\admin\Desktop\psexec.exe” \\computer0123 cmd.exe
PsExec v1.94 – Execute processes remotely
Copyright (C) 2001-2008 Mark Russinovich
Sysinternals – http://www.sysinternals.com
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>hostname
computer0123
#verify hostname
C:\WINDOWS\system32>netsh firewall add portopening TCP 3389 rdp enable
Ok.
#now I’m sure remote desktop will be allowed through the firewall
C:\WINDOWS\system32>netstat -a
Active Connections
Proto  Local Address              Foreign Address                State
TCP    computer0123:epmap         computer0123.Eedge.net:0       LISTENING
TCP    computer0123:microsoft-ds  computer0123.Eedge.net:0       LISTENING
TCP    computer0123:39259         computer0123.Eedge.net:0       LISTENING
TCP    computer0123:netbios-ssn   computer0123.Eedge.net:0       LISTENING
TCP    computer0123:netbios-ssn   computer0123.Eedge.net:0       LISTENING
TCP    computer0123:microsoft-ds  kaserver.eedge.net:10442       ESTABLISHED
TCP    computer0123:1332          kadata.eedge.net:microsoft-ds  ESTABLISHED
TCP    computer0123:1535          kaserver.eedge.net:netbios-ssn ESTABLISHED
TCP    computer0123:2033          kaserver.eedge.net:1025        TIME_WAIT
TCP    computer0123:1060          computer0123.Eedge.net:0       LISTENING
TCP    computer0123:10001         computer0123.Eedge.net:0       LISTENING
UDP    computer0123:microsoft-ds  *:*
UDP    computer0123:isakmp        *:*
UDP    computer0123:1025          *:*
UDP    computer0123:1026          *:*
UDP    computer0123:1027          *:*
UDP    computer0123:4500          *:*
UDP    computer0123:ntp           *:*
UDP    computer0123:netbios-ns    *:*
UDP    computer0123:netbios-dgm   *:*
UDP    computer0123:1900          *:*
UDP    computer0123:ntp           *:*
UDP    computer0123:netbios-ns    *:*
UDP    computer0123:netbios-dgm   *:*
UDP    computer0123:1900          *:*
UDP    computer0123:ntp           *:*
UDP    computer0123:1028          *:*
UDP    computer0123:1044          *:*
UDP    computer0123:1209          *:*
UDP    computer0123:1900          *:*
#I see Remote Desktop is not enabled, as port 3389 is not in the list
#I then use regedit from my machine and remotely connect to the registry on her workstation and enable remote desktop. (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections=0)
C:\WINDOWS\system32>shutdown -m \\computer0123 -r
The machine is locked and can not be shut down without the force option.
C:\WINDOWS\system32>shutdown -m \\computer0123 -r -f
C:\Documents and Settings\admin>
#it works now
For those who are lost in the command prompt, just look at these steps instead:
- Use psexec to open a cmd session on computer0123
- Use netsh to open a hole in the remote computer’s firewall for TCP 3389. This is the port Remote Desktop uses.
- Use netstat to check whether Remote Desktop is currently listening/running
- Use regedit (not shown) to connect to computer0123’s registry and change the 1 to a 0 in the fDenyTSConnections value.
- Use the shutdown command to restart the computer, which is required when enabling Remote Desktop via the registry.
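The flip side of that trick is knowing which workstations already have Remote Desktop turned on, intentionally or otherwise. Here is an added PowerShell audit of mine (not from the post) that reads the same fDenyTSConnections value remotely and checks whether anything is listening on 3389; it assumes you are a local administrator on each machine, the Remote Registry service is running, and the computer names are made up.

```powershell
# Added example (not from the post): report Remote Desktop state for a list of
# computers by reading HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\
# fDenyTSConnections (1 = RDP disabled, 0 = enabled) over the remote registry,
# and by probing TCP 3389, which is what the post checks with netstat.
# Assumes admin rights on each machine and the Remote Registry service running.

$Computers = 'computer0123', 'computer0124'    # assumed names, replace with your own

function Get-RdpStatus {
    param([string]$ComputerName)

    # Read the registry value remotely (same key the post edits with regedit).
    $deny = $null
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
        $deny = $key.GetValue('fDenyTSConnections')
        $key.Close()
        $hive.Close()
    } catch {
        $deny = "error: $($_.Exception.Message)"
    }

    # Is the listener actually up? The registry value alone does not prove it;
    # a reboot or the firewall can still be in the way (as the post found).
    $listening = $false
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, 3389)
        $listening = $tcp.Connected
    } catch {
        # connection refused / filtered / host down: leave $listening false
    } finally {
        $tcp.Close()
    }

    New-Object PSObject -Property @{
        Computer           = $ComputerName
        fDenyTSConnections = $deny
        Port3389Listening  = $listening
        # Effectively reachable only when policy allows it AND the port answers.
        RdpReachable       = (($deny -eq 0) -and $listening)
    }
}

$Computers | ForEach-Object { Get-RdpStatus -ComputerName $_ } |
    Format-Table Computer, fDenyTSConnections, Port3389Listening, RdpReachable -AutoSize
```

A row with fDenyTSConnections = 0 but Port3389Listening = False usually means the machine has not rebooted since the value changed or the firewall exception is missing, which is exactly the combination the netsh and shutdown steps above address.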
Exchange 2007 Certificate Installation in 7 Easy Steps!
1. Use this link to generate the cmdlet structure for your PowerShell command, which will output the CSR: https://www.digicert.com/easy-csr/exchange2007.htm
2. Send the CSR to a trusted provider.
a. Entrust is my favorite but GoDaddy is the cheapest. Other UCC vendors include DigiCert and Comodo.
b. More detail here: http://support.microsoft.com/kb/929395
c. You’ll notice VeriSign isn’t on this list. They DO offer UCC but only if you spend thousands in their managed PKI program…
3. While Windows Mobile supports all of these vendors, understand that the iPhone and Palm may not.
a. Palm doesn’t support UCC at all, but you can get around that by using a UCC / SAN cert anyway, and just putting the OWA/ActiveSync FQDN as the primary name in the certificate. It just can’t read the alternate fields.
4. Once you get the certificate back, rename it to a .cer file
5. Open PowerShell again and type: Import-ExchangeCertificate -Path c:\filename.cer
6. Type Get-ExchangeCertificate to see your new cert at the top of the list. Copy the thumbprint to the clipboard.
7. Then type: Enable-ExchangeCertificate -Thumbprint xxx -Services IIS, SMTP, POP, IMAP, UM
a. Don’t list all the services unless the role is actually installed on the box itself
b. If you intend to use the same cert on multiple servers, understand that may break your agreement with the Certificate Authority, and you have to import the key pair on the 2nd server before step 6 works.
Misc:
- Palm OS cert list: http://www.palm.com/cgi-bin/cso_kbURL.cgi?ID=16733
- Windows Mobile cert list: http://blogs.msdn.com/jasonlan/archive/2006/03/14/550747.aspx
- iPhone cert list: http://support.apple.com/kb/HT2185
- Note that the iPhone may not like the certificate, but you can choose to use it anyway when creating the profile and it won’t bother you again.
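Before step 7 it is worth confirming that the certificate you got back actually carries the names you asked for, and that the OWA/ActiveSync FQDN is the primary (subject CN) name, since that is the only name a Palm will read. This is an added example of mine, not from the post; it parses the .cer with .NET (no Exchange cmdlets needed until the last line, which assumes you are in the Exchange Management Shell), and the file path and host names are assumptions to replace with your own.

```powershell
# Added example (not from the post): sanity-check a UCC/SAN certificate
# before enabling it in Exchange 2007. Confirms the subject CN is the
# OWA/ActiveSync FQDN (what SAN-unaware clients such as Palm see), that
# every required name is in the SAN extension, and that it is not expiring.
# Path and names below are assumptions; replace them with your own.

$CerPath       = 'C:\filename.cer'
$PrimaryName   = 'mail.example.com'                                  # OWA / ActiveSync FQDN
$RequiredNames = 'mail.example.com', 'autodiscover.example.com', 'exch01.example.local'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Subject CN: the "primary" name a client falls back to when it ignores SAN.
$cnPart = $cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
$cn     = $cnPart -replace '^CN=', ''

# Subject Alternative Name extension is OID 2.5.29.17; Format($true) renders it
# one entry per line, e.g. "DNS Name=mail.example.com".
$sanNames = @()
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    foreach ($line in ($sanExt.Format($true) -split "`r?`n")) {
        if ($line -match 'DNS Name=(.+)') { $sanNames += $matches[1].Trim() }
    }
}

"Thumbprint : $($cert.Thumbprint)"
"Subject CN : $cn"
"SAN names  : $($sanNames -join ', ')"
"Expires    : $($cert.NotAfter)"

$problems = @()
if ($cn -ne $PrimaryName) {
    $problems += "Subject CN is '$cn', expected '$PrimaryName' (Palm only reads the CN)"
}
foreach ($name in $RequiredNames) {
    if ($sanNames -notcontains $name) { $problems += "Missing SAN entry: $name" }
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Certificate expires within 30 days ($($cert.NotAfter))"
}

if ($problems) {
    $problems | ForEach-Object { "PROBLEM: $_" }
    throw 'Fix the certificate request before enabling it in Exchange.'
}

# Steps 5-7 of the post as one pipeline (Exchange Management Shell). List only
# the services actually installed on this server, as the post advises.
Import-ExchangeCertificate -Path $CerPath |
    Enable-ExchangeCertificate -Services IIS, SMTP, POP, IMAP
```

If you are re-using the same certificate on a second server (step 7b), the .cer alone will not do; you need the exported PFX with the private key before Import-ExchangeCertificate succeeds there.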