How to fix missing PPTP Interfaces from RRAS console in ISA 2006 and stop a memory leak in the process

All PPTP VPN interfaces in ISA 2006 (SP1) disappeared from the Routing and Remote Access Service console. This was a cool problem, both because it was challenging and because of the unexpected results and solutions we found.

The first Google attempt at finding a solution told us to try the following workaround (not recommended!):

  • Run the following command: C:\> netsh int ip reset c:\resetlog.txt

Well, this solution might fix the problem here and now, but you might as well turn to the good old solution of restarting your server every time it fails, because it will do the following:

  • Enable DHCP and remove all IP configuration of all interfaces.
    Not the smartest move on a server, and you are stuck with having to retype all your settings again.
  • Most likely the problem will reappear, since this does not fix the underlying cause.

Now looking deeper into the error, we started looking at event logs – nothing here to help us (let us know if you had any useful info here for this error). Then we tried various other things, including looking at a snapshot of the memory usage (you can just open taskmgr.exe) and found something surprising. Wspsrv.exe was using more memory handles than all other processes combined on the machine. A memory leak! It has been several years since I ran into a memory leak; it used to be the most common problem for programmers to avoid, but I rarely see them any more.

How to install an SSL certificate backup file on Exchange 2007 and still have time for facebook

The easiest way (I love easy!) to order and install an SSL certificate on Exchange 2007 is to order a SAN (Subject Alternative Name) certificate with AutoCSR, meaning you don't have to create a CSR but instead get a certificate backup file. You also save time with the SAN because you only use one certificate for all services and can move services from one domain to another in the certificate with no problems.

Make sure you get a SAN certificate including the full domain name(s) you use to access Outlook Web Access, Outlook Anywhere, Autodiscover and any internal server names using the certificate (usually free).

The certificate you order should contain something like this:

  • mail.sole.dk and/or owa.sole.dk – for Outlook Web Access
  • autodiscover.sole.dk and any other e-mail domain you use with Autodiscover/OA.
  • MYSERVER01 – and any other server that will be using the certificate

Personally I set up servers to respond only to OWA on the mail./owa. domain, and use all other services like Outlook Anywhere, ActiveSync, etc. on the autodiscover. address. This way I can use Forms Based Authentication with my OWA website, and NTLM with my other services. Some people argue for and against having internal server names in the certificate, but I figure if they are free anyways, and might help, why not add them – and if security is so much an issue that internal server names must not be revealed, you have other much bigger problems anyway.

Now some simple commands to manipulate Exchange 2007 SSL certificates. (Stolen from the Danish Exchange 2007 guide on FairSSL, a Danish SSL certificate reseller – thanks!)

Today's update from Microsoft (KB974571) makes Office Communications Server think it is an expired evaluation!

The updates I mentioned in a previous post here http://www.sole.dk/post/microsoft-security-bulletin-for-october-2009/ happened to include an update that kills Office Communications Server 2007, all editions (R2/Standard/Enterprise), and Live Communications Server 2005 (and SP1 edition).

The error that comes up in the event logs is that the server believes that it is an evaluation and just expired with this message: “The evaluation period for Microsoft Office Communications Server 2007 R2 has expired. Please upgrade from the evaluation version to the full released version of the product.”

I also got this message in the event logs: “Error Code: C3E93C23 (SIPPROXY_E_INVALID_INSTALLATION_DATA)”

Event IDs logged: 12290

Create a link to Microsoft Offer Remote Assistance and get another free support tool

When using Microsoft Remote Assistance to help users in a company (why not, it’s free), it can be helpful to have a shortcut to Offer Remote Assistance somewhere handy. But for some reason the only way to find Remote Assistance is by going through Help in Windows XP. You can however make a small shortcut yourself, simply by creating a shortcut and pasting the following link in it. In Vista you can even install a gadget with the Offer Remote Assistance form in it.

Remote Assistance might not be the easiest thing to get working, but once it works it is a nice support tool to have, and the best part is that it's free. It comes preinstalled in your clients, so why not use it? Even if you have something else running, it is still a free tool to use just in case.

How to fix problems with automatic updates not installing hotfixes and service packs

Sometimes the automatic updates service is interrupted while updating the machine. This can result in updates with corrupted data that prevents the service from installing the updates correctly and failing the service. This means the machine will never get past the updates that are giving an error and will continue to try to install them over and over. This happens on just about any Windows machine that uses Automatic Updates, including Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

  • The error prevents the workstation or server from installing updates, roll up packs, hotfixes and service packs, both manually and automatically.
  • The error can also be that the Cryptographic service will not start correctly.
  • The event error message contains information like not able to verify integrity of update.inf and similar.
  • The error is in the verification of the update from Microsoft; this authentication is done with certificates by the Cryptographic service.

The reason I am describing this error is that it seems pretty normal; it can happen from servers being shut down due to power failure, crashes, etc. It took me a while to find any good information on how to correct this error, or more correctly I found a lot of information but little that helped.

Windows Server 2008 Core Configurator

Windows Server 2008 allows for setting up the server with a much smaller footprint and, some will argue, an even more secure environment because there is no GUI. The edition is called Windows Server 2008 Core.

The downside is that all configuration of the server has to be done through the command line interface. It is also possible to RDP to a Core server and get the command line interface.

But a clever guy named Guy Teverovsky created a very smart user interface to do basic configuration of a Core server. The program he made however was removed because his employer claimed rights to the software made while working for the company.

The software is still available on the internet and now there is even an updated version from the company he worked for.