Author Archives: redflame

Symantec Backup Exec Resource Credentials List Empty Exchange Restore to Different Hardware

Problem:  I encountered a problem while restoring a Microsoft Exchange server to a different server.  After restoring the majority of mailboxes, one restore failed with an access denied error.  When I tried to re-run the job I noticed the resource credentials list was now empty and the options were all greyed out for changing, clearing and testing the credentials.

Resolution:  http://www.symantec.com/business/support/index?page=content&id=TECH125604

 

 


Slow Network Performance with Windows 7 When Connecting to Server 2003 Shares

I ran into an interesting issue with a computer that just started one day out of the blue.  The network overview looks like this:  10 workstations, 1 Microsoft Server 2008 R2 64 bit, 1 Microsoft Windows Server 2003, both on matching Dell hardware.  All workstations are Windows Vista except the one machine with troubles which is Windows 7 Professional.

The computer lost its ability to run an application on a share on the 2003 server.  Also, when connected to an RDP session on this server, it would have about a 5 second delay on any click activity.  The database applications on the 2008 server were unaffected.  After thinking about it and wasting a couple of hours cleaning it, I decided to reload Windows.  With a clean install, a new computer account in Active Directory and a new user, I attempted to access the 2003 share–same behavior.

At this point I was completely baffled, so I began doing some research.  In the past I had some issues with IPv4 Checksum Offloading and Giant Packet Offloading, so I disabled these items on the network card (an Intel Gigabit onboard on the Dell Optiplex).  The problem cleared up and I was able to quickly access the share and things seemed better, until I rebooted.  With a clean reboot, the network slowdown was back.  I now found that the problem could be suppressed by disabling and re-enabling the network adapter.  This is a workaround, but not a solution I would leave a client with.

I found many other users affected by this issue on forums, and no good solution (par for the course when browsing the internet).  I finally came across some documentation that fit this problem exactly.  It has to do with some TCP network adapter settings that can only be adjusted using netsh (probably in the registry, but netsh at the command prompt is much easier).

The solution:

Open a command prompt, enter the following and press Enter; you will see the response "OK":

netsh int tcp set heuristics disabled

Then enter the following and press Enter; you will again see the response "OK":

netsh int tcp set global autotuninglevel=disabled

Restart the machine, voila!! Problem solved for good.  The technical reasons why???  It is probably way more in depth to explain than I have time to research and explain in this blog, but if you are having this issue, this does fix it.

 

 


Renew Exchange 2007 Certificate, Missing Private Key

Here is a helpful tip regarding renewing or replacing the SSL certificate for your Exchange server.  In my case I was using an inexpensive service provided by www.register.com to obtain an SSL certificate.  I accepted their already saved .csr from the original certificate request a year ago.  The problem with that is, it contains a private key that pertains to that .csr with regard to the generating server, so when they issue the cert the server doesn’t recognize the private key, and hence when you try to enable it for Exchange it gives a pile of red error text saying it can’t use it due to not having a private key.  Since Register.com doesn’t like to reissue certs, here is the fix:
Go ahead and import the certificate into Exchange using the Exchange Management Shell:
Import-ExchangeCertificate -Path <path to your cert goes here, no quotes>
(This assumes you have already downloaded the certificate to your server and placed it in an easy to locate directory; I use c:\ for ease.)
  • Click Start –> Run and then type MMC, press Enter.
  • In the MMC Snap In click File Menu and then select Add/Remove Snap-in…
  • Select Certificates.
  • Click Add button.
  • Select Computer account from the popped up dialog box.
  • Click Finish and click OK
  • Expand Certificates –> Personal –> Certificates
  • You should see the certificate that has the little golden key icon missing. The other certificate you may see is the self-signed certificate generated during exchange installation.
  • Now double click on the newly imported certificate and select the Details tab.
  • Click Serial Number and write down this value or simply copy and paste it into a notepad file. Please note that you will not be allowed to copy using mouse. You can use Ctrl+C instead.
  • Open command prompt and type certutil -repairstore my "serial number of certificate" and press Enter.
  • Now, refresh the Certificates MMC and you should see the private key paired with the certificate.

You can now enable this certificate on your exchange server

Enable-ExchangeCertificate -Thumbprint "your thumbprint goes here" -Services "list the services here, i.e. IIS, SMTP, etc."

Press Enter and you will see a warning about overwriting the existing certificate with the new one; press "y" and Enter and you are done!
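The MMC and certutil steps above can also be scripted. The following is an added example, not code from the original post; the script name Repair-CertKey.ps1 is hypothetical, and it assumes an elevated PowerShell session on the Exchange server with the certificate already imported.

```powershell
# Added example, not from the original post. Run elevated on the Exchange
# server and pass the thumbprint of the imported certificate.
param([string]$Thumbprint)
if (-not $Thumbprint) { throw 'Usage: .\Repair-CertKey.ps1 -Thumbprint <thumbprint>' }

# Values copied from the MMC Details tab often carry spaces or an invisible
# leading character, so keep hex digits only.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

function Get-StoreCert([string]$tp) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
}

# Overview of the computer's Personal store. HasPrivateKey = False is the
# "golden key icon missing" case from the MMC steps.
Get-ChildItem Cert:\LocalMachine\My |
    Format-Table Subject, NotAfter, HasPrivateKey, Thumbprint -AutoSize

$cert = Get-StoreCert $clean
if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My." }

if (-not $cert.HasPrivateKey) {
    # Same command as the manual step; the serial number is read from the store.
    certutil -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed, exit code $LASTEXITCODE." }
    $cert = Get-StoreCert $clean   # re-read the store after the repair
}

if ($cert.HasPrivateKey) {
    "Private key is associated with $($cert.Subject); ready for Enable-ExchangeCertificate."
} else {
    throw 'Still no private key: the key pair for this request is not on this server.'
}
```

certutil -repairstore can only re-link a private key that already exists on the machine, so it succeeds only on the server where the certificate request was generated.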

 


Intuit Patches Quickbooks for Lion Just in Time for Release

Intuit releases a software update for Quickbooks 2011 fixing the pdf printing and saving issue just as Apple releases Lion.  Thanks Intuit!


Microsoft releasing 22 patches next week for Windows and Office

Computerworld - Microsoft today said it will issue four security updates next week, only one of which is pegged as critical, to patch 22 vulnerabilities in Windows and Visio 2003.

Next Tuesday’s patch lineup is smaller than June’s, when Microsoft shipped 16 updates that fixed 34 flaws. The company typically delivers a lighter load in odd-numbered months. In May, for instance, Microsoft shipped just two updates — the company calls them “bulletins” — to patch only three vulnerabilities.

Of the four updates slated, one will be rated “critical,” the highest threat label in Microsoft’s four-step scoring system, while the other three will be marked “important,” the second-most-dire ranking.

Next week’s Patch Tuesday vulnerability count will be among the largest for the year, with its 22 bested only by April’s 64 and June’s 34, and tied with February’s collection.

But the bugs-per-bulletins ratio is the highest for the year, observed Andrew Storms, director of security operations at nCircle Security, hinting of next week’s releases.

“I think we’ll see one bulletin with a very high number of vulnerabilities,” said Storms. “We’ve seen that happen several times this year, most recently last month when it patched eight bugs in Excel with one update.”

In April, Microsoft patched 30 vulnerabilities in the Windows kernel device driver with a single bulletin, a record for one update.

Storms said that the multi-bug update coming next Tuesday may fix numerous “elevation of privilege” vulnerabilities or a large number of “DLL load hijacking” flaws.

The former describes a bug attackers can use to gain complete administrative control of a system that they can already access, perhaps through an exploit of a separate vulnerability. DLL load hijacking, on the other hand, is the term used for attacks that rely on tricking applications or operating systems into loading a malicious file with the same name as a legitimate DLL, or dynamic link library.

Microsoft has issued more than a dozen DLL load hijacking updates since last November. In May, the Slovenian firm Acros Security announced that more DLL load hijacking updates were necessary to plug holes in Windows 7 and Internet Explorer 9 (IE9). At the time, Microsoft said only that it was investigating the Acros report.

The sole critical update scheduled for next week affects Windows Vista and Windows 7, but does not impact the much older Windows XP or any of Microsoft’s server operating systems.

Because Windows XP will be immune to the one or more vulnerabilities in that update, Storms said the bug had to be in code first used in Vista, then reused in Windows 7. He noted there are multiple candidates that fit the bill, including the security prompting component called UAC — for “user account control” — but said there wasn’t sufficient information to take an educated guess.

 


Mac OS Lion and Quickbooks 2011

If you are running Quickbooks 2011 and you are thinking of upgrading to Lion, don’t.  There are some bugs with printing and with emailing forms and reports, as well as other issues.  Generally the program functions, but it is buggy and not fully functional.  More info here:

http://www.qblittlesquare.com/we-want-to-hear-from-you/quickbooks-on-lion-news/

My suggestion–wait to upgrade to Lion if you rely on Quickbooks on your Mac.

 


Split DNS setup for Exchange Server Internal Web Interface mail.domain.com and External DNS Resolution for domain.com

This is the simplest fix for a head scratching problem with posts all over the internet with different methods of trying to “fix” it.

Here is the issue:  you have an internal server, such as your mail server, on an Active Directory domain, but you also have an external web server somewhere out there in internet land (in the cloud, what a bogus term).

For example:  you have an internal Exchange mail server (or any mail server for that matter) on your Active Directory domain at the IP 10.100.32.10 and you have an SSL certificate for mail.yourdomain.com installed on your Exchange server.  Your web server, however, is hosted in a server farm by a shared or dedicated web host at www.yourdomain.com at the xxx.xxx.xxx.xxx IP address.  If your DNS is configured correctly, when you try to access mail.yourdomain.com internally, it will fail, because DNS has tried to resolve mail.yourdomain.com to the IP of your web server that hosts www.yourdomain.com at xxx.xxx.xxx.xxx.  Easy fix there: you create (or should have already created) an A record on the web server that directs traffic to the WAN IP of your company firewall, which is NATed back to the internal IP of your server.  In trying again you will notice that mail.yourdomain.com now resolves to the WAN IP of your router.  This is fine with some cheaper routers, as you can NAT this IP on 443 to your Exchange server and it will answer these requests.  However, most firewalls will not allow this type of traffic, referred to as hairpinning, where the source network IP matches the destination IP but it is sent to the WAN IP of the router.  Cisco for sure will drop this type of traffic (there are many articles describing hairpinning as being possible on ASA devices, but none of them, including Cisco’s documentation, actually work on my ASA 5505s).

How do you solve this?  Many articles say it’s simple (and it is).  You just create a DNS zone for yourdomain.com and create an A record for mail.yourdomain.com.  This is great, and after a flush of DNS caches this will work just fine.  Ping mail.yourdomain.com and the IP of your Exchange server will reply, 10.100.32.10 in our case.  Now ping www.yourdomain.com and you will get host can not be found.  What happened????  This new authoritative zone you just created for yourdomain.com does not contain a www record for yourdomain.com.  I scratched my head over this for a bit and did some searching around the net looking for possible alternate methods.  CNAMEs, delegation, forwarders, none of these work for this situation.

The fix is so simple it makes me cry.  Create a zone in your DNS server for mail.yourdomain.com.  Create an A record with a blank host name and set the IP, which in this example is 10.100.32.10, and flush dns and reregister it.  Problem solved.  The mail.yourdomain.com now properly resolves internally to 10.100.32.10 and the yourdomain.com requests will properly forward to an external DNS for resolution.
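The single-host zone described above, created from the command line and then checked. This is an added example, not part of the original post; it uses the post's example name and address, and it assumes an AD-integrated Windows DNS server with dnscmd available.

```powershell
# Added example, not from the original post. Run on the internal DNS server.
$zone = 'mail.yourdomain.com'   # example name used in the post
$ip   = '10.100.32.10'          # example Exchange server address from the post

# Create a zone for the one host name only, so this server does not become
# authoritative for yourdomain.com as a whole.
# /DsPrimary is an assumption: AD-integrated DNS on a domain controller.
dnscmd /ZoneAdd $zone /DsPrimary

# "@" is the zone apex, which is the "blank host name" A record from the post.
dnscmd /RecordAdd $zone '@' A $ip

ipconfig /flushdns | Out-Null

# Resolve a name through this machine's resolver; empty result on failure.
function Resolve-Name([string]$name) {
    try {
        @([System.Net.Dns]::GetHostAddresses($name) |
            ForEach-Object { $_.IPAddressToString })
    } catch { @() }
}

$mail = Resolve-Name $zone
$www  = Resolve-Name 'www.yourdomain.com'

# mail must point at the internal server; www must still resolve externally.
if ($mail -contains $ip) { "OK   $zone -> $ip" }
else { "FAIL $zone -> $($mail -join ', ')" }

if ($www.Count -gt 0) { "OK   www.yourdomain.com -> $($www -join ', ')" }
else { "FAIL www.yourdomain.com does not resolve (zone created too broadly?)" }
```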

Many thanks to gingerlime.com for the information he provided in his blog.

 


Outlook Anywhere Installation Exchange 2007

Microsoft dramatically improved the administration capabilities and simplified the preparation and installation of Microsoft Exchange 2007.  I am only covering one specific issue in this blog as I could go on for days about the features of 2007 Exchange Server.
In 2007, they renamed the RPC over HTTP feature that was available on Front End Exchange servers in 2003 to Outlook Anywhere.  In all of Microsoft’s documentation they sell this as a feature you simply turn on and configure within the client; however, this is not the case, as many have discovered.  If you simply follow the documentation provided by Microsoft, you will quickly find that it fails to connect using RPC over HTTP even though you have all the settings and your network configured properly.
I banged my head against the wall for weeks searching for the problem to fix this.  Luckily there is a great tool provided on the web to help troubleshoot connectivity issues at https://www.testexchangeconnectivity.com/.  Using this tool and some other resources I found the root of the problem.
Many sites would say the answer is to simply disable IPv6 altogether in order to cure your connection issue.  This however, as some might find out the hard way, can cause your information stores to fail to mount.  IPv6 is required by Exchange Server to operate and communicate with other servers in the network.  It is only required by certain roles (I am not listing those here), so if you have multiple Exchange servers serving the separate roles, you can get away with this, but in most cases all roles exist on 1 or 2 servers.  I also don’t like the “disable” workaround.
The problem is that Server 2008 by default gives priority in the TCP/IP stack to IPv6 addresses.  If you ping your server from a command prompt using ping localhost you will notice the reply is from ::1 as opposed to replying with the local loopback IP of 127.0.0.1.  Exchange listens on ports 6001, 6002, and 6004 for RPC over HTTP requests, but will not work on IPv6 for some reason.  If you perform the netstat command you can see these entries are listening as ::1.  They in fact need to listen on IPv4 at the 127.0.0.1 in order for RPC over HTTP to work.
The solution is so simple it makes me sick to my stomach.
1.  Open your hosts file at %rootdrive%:\windows\system32\drivers\etc\hosts
It will look like this
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
::1             localhost
2.  Comment out the last line so that it looks like this
127.0.0.1       localhost
#::1             localhost
3.  Add the following entries
<IP of your server here>     <FQDN of your server>
<IP of your server here>     <Netbios name of your server>
4.  Your hosts file now looks like this

127.0.0.1          localhost
#::1               localhost
<Lan IP of your server>  <server name>
<Lan IP of your server>  <FQDN of server>
5.  Ping localhost and you should get reply from 127.0.0.1
Try the connectivity test again and as long as your certificate is correct and from an authorized CA, you now have fixed your Outlook Anywhere issue.
Provided by Redflame Technologies
http://www.redflametech.com
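A quick check of the two conditions the Outlook Anywhere post describes, what localhost resolves to and whether ports 6001, 6002 and 6004 have an IPv4 listener. This is an added example, not from the original post, and it assumes English-language netstat output.

```powershell
# Added example, not from the original post. Run on the Exchange server.
$rpcPorts = 6001, 6002, 6004   # RPC over HTTP ports named in the post

# 1. Addresses that "localhost" resolves to, in the order returned.
"localhost resolves to:"
[System.Net.Dns]::GetHostAddresses('localhost') |
    ForEach-Object { "  {0} ({1})" -f $_.IPAddressToString, $_.AddressFamily }

# 2. Listening sockets per port. netstat -ano prints lines such as
#    "TCP    0.0.0.0:6001    0.0.0.0:0    LISTENING    1234"; IPv6 local
#    addresses are shown in square brackets, for example "[::]:6001".
#    Assumption: English output, where the state column reads LISTENING.
$pattern = '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+\d+\s*$'

$listeners = @{}
foreach ($p in $rpcPorts) { $listeners[$p] = @() }

foreach ($line in (netstat -ano)) {
    if ($line -match $pattern) {
        $port = [int]$Matches[2]
        if ($listeners.ContainsKey($port)) { $listeners[$port] += $Matches[1] }
    }
}

# 3. Report each port: no listener, IPv6 only, or IPv4 present.
foreach ($p in $rpcPorts) {
    $addrs = $listeners[$p]
    $ipv4  = @($addrs | Where-Object { $_ -notmatch '^\[' })
    if ($addrs.Count -eq 0) {
        "port $p : nothing listening"
    } elseif ($ipv4.Count -eq 0) {
        "port $p : IPv6 only ($($addrs -join ', ')), the state the post describes"
    } else {
        "port $p : IPv4 listener present ($($addrs -join ', '))"
    }
}
```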