
Cablecom did it again

Another Cablecom outage – this time, it was nationwide and affected both Business and end user accounts.

Interestingly, the Hotline wasn’t reachable either – busy signal, Swisscom text “Leitung gestört” or simply “Call Failed”.

Lasted from 19:33 to 20:30, but it looks like everything is back online now.

DPM 2010 hangs at replica creation when backing up Hyper-V VMs

I’ve been playing with DPM 2010 and SCVMM 2008 R2, planning for our new development lab.

I’ve set up a new Hyper-V server on an x3650 M2 (using server core) – i’ve also installed the latest Broadcom NetXtreme II drivers, all the firmware updates, all the best practices you do.

Setting up the machine, transferring VMs from another host (using BITS) worked well and fast, no issues.

And then i installed the DPM agent, started a backup. Two hours later, it was still stuck at “Replica creation in progress”.

I tried reading through the DPM agent logs, through the DPM server logs, looked if DPM created shadow copies (using vssadmin list shadows).

After two hours of fruitless searching (which included restarting everything), i wasn’t any further to a solution.

Well, backup wasn’t working right, but this was just a testing environment, so i decided to do other stuff.

A while later, i ran netstat -t to look up connections – and also realized that TCP Chimney Offloading was still active. So i disabled it using netsh int tcp set global chimney=disabled. Just a few seconds later, the utilization of the management network adapter jumped to 100% and 5 minutes later, all the VMs were replicated to the DPM server.

So, if you’re having issues with DPM backups being stuck, check the status of your network offloading.

Blog now moved to Windows Server 2008 R2

The old DL140 running Debian Linux finally died this Monday, due to a hard drive error which Linux software raid couldn’t deal with. Luckily, the second disk survived and i didn’t have to test my disaster recovery strategy.

If you’re reading this, this blog is now hosted on Windows Server 2008 R2 Web Edition (Yay NFR promotions!). There may still be some kinks that have to be worked out, because this was quite a rush job. Leave a comment if you find any issues.

Acommit AG is hiring, Part 2

The company i’m working for, Acommit AG, is hiring again.

Currently, we’re looking for:

Project Manager (PDF)
Sales (PDF)

Updating Subject Alternate Names in an Exchange certificate

Exchange 2010 will be out soon, and i’ve been preparing for the migration. One of the more important parts is that you will need to have both Exchange 2007 and Exchange 2010 client access servers accessible from the Internet.

If you’re following the recommended deployment method for Exchange 2007, you’ll already be using a SAN certificate in order to publish AutoDiscovery and OWA. For coexistence of Exchange 2007 and Exchange 2010, an additional name will need to be added to your SAN certificate.

With most CAs, this is a pretty straightforward process that can be done using their web interface, since the private key doesn’t need to be touched. After modifying this, you will get a new .crt file containing the certificate, but no private key (which is correct).

However, importing this into Exchange 2007 using Import-ExchangeCertificate doesn’t work – Windows won’t know which private key is associated with the newly imported certificate. When you try to use Enable-ExchangeCertificate, you will receive the following error message:

Enable-ExchangeCertificate : The certificate with thumbprint 1234 was found but is
not valid for use with Exchange Server (reason: PrivateKeyMissing).

I searched high and low on how to replace a certificate without touching the private key, but i didn’t find anything. So i turned to the community for support – MCSEBoard.de is an excellent Windows community for those who speak German.

Unfortunately, no one knew an easy way either – the suggestion was to use OpenSSL to create a new keystore.

This was rather easy, but i didn’t find any guides on the net on how to do this, so i’m publishing this here in the hope that it will help others with the same issue.

  • First, you need to export the certificate including the private key using the Windows certificate manager. Open an elevated MMC, add the Certificate snap-in and focus on the Computer certificate. Click “Personal”, and then export the certificate with the private key.
  • Download and Install OpenSSL for Windows
  • Issue the following command: openssl pkcs12 -in mykey.pfx > out.txt
  • Open out.txt using an LF-aware text editor, such as Notepad++. Save the PRIVATE KEY part to a textfile called key.pem.
  • Save the certificate to a file called cert.crt
  • Issue the following command: openssl pkcs12 -export -in cert.crt -inkey key.pem -out newcert.p12
  • Copy the newly created newcert.p12 to the Exchange server.
  • Open PowerShell and run the following command: $secureString = ConvertTo-SecureString "blubb" -AsPlainText -Force – Replace “blubb” with the Passphrase you used in the step before
  • Run Import-ExchangeCertificate -path newcert.p12 -pass $secureString to import the certificate back into Exchange
  • The rest is as usual – use Enable-ExchangeCertificate to enable the certificate.

And that’s it. It might be a bit cumbersome – and i really hope that there is an easier way to do this. If you know, let me know so i can update this page.
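The OpenSSL steps of the procedure above, as an added example that is not part of the original post: it extracts the private key from the exported PFX without a text editor, checks that the reissued certificate carries the same public key, and only then builds newcert.p12. The function names, the environment variable names for the passwords and the constructed test material are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own commands. Passwords are read from exported
# env vars PFX_PASS, KEY_PASS, OUT_PASS (names assumed here), never from argv.

# pubkey_of FILE x509|pkey -> PEM public key held in a certificate or private key
pubkey_of() {
    case "$2" in
        x509) openssl x509 -in "$1" -noout -pubkey ;;
        pkey) openssl pkey -in "$1" -passin env:KEY_PASS -pubout ;;
    esac 2>/dev/null
}

# rebuild_p12 OLD_PFX NEW_CERT OUT_P12 -> 0 built, 1 cert/key mismatch, 2 other error
rebuild_p12() {
    work=$(mktemp -d) || return 2      # private (0700) scratch directory
    openssl pkcs12 -in "$1" -nocerts -passin env:PFX_PASS -passout env:KEY_PASS \
        -out "$work/key.pem" 2>/dev/null || { rm -rf "$work"; return 2; }
    want=$(pubkey_of "$work/key.pem" pkey)
    if [ -z "$want" ] || [ "$(pubkey_of "$2" x509)" != "$want" ]; then
        rm -rf "$work"; return 1       # reissued cert does not belong to this key
    fi
    openssl pkcs12 -export -in "$2" -inkey "$work/key.pem" -passin env:KEY_PASS \
        -passout env:OUT_PASS -out "$3"
    rc=$?
    rm -rf "$work"                     # extracted key file is removed before returning
    [ "$rc" -eq 0 ] || return 2
}

# make_demo DIR: constructed throwaway material (old PFX, reissued cert on the
# same key, and a certificate that belongs to an unrelated key)
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/k.pem" -out "$1/old.crt" \
        -days 1 -subj "/CN=mail.example.test" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/old.crt" -inkey "$1/k.pem" \
        -passout env:PFX_PASS -out "$1/mykey.pfx" &&
    openssl req -x509 -new -key "$1/k.pem" -out "$1/cert.crt" -days 1 \
        -subj "/CN=mail.example.test" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.pem" \
        -out "$1/wrong.crt" -days 1 -subj "/CN=other.example.test" 2>/dev/null
}

if [ "${1:-}" = demo ]; then           # run as: sh rebuild_p12.sh demo
    export PFX_PASS=constructed-1 KEY_PASS=constructed-2 OUT_PASS=constructed-3
    d=$(mktemp -d) && make_demo "$d" || exit 2
    rebuild_p12 "$d/mykey.pfx" "$d/cert.crt" "$d/newcert.p12" && echo "newcert.p12 built"
    rebuild_p12 "$d/mykey.pfx" "$d/wrong.crt" "$d/bad.p12" || echo "wrong.crt rejected ($?)"
    rm -rf "$d"
fi
```

The passphrase to hand to Import-ExchangeCertificate afterwards is the value that was in OUT_PASS.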

Microsoft finally fixes MS09-056 OCS issue

Microsoft has finally offered a fix to the OCS issue described here

See here for the fix and its description KB974571

Click here to download the ocsasnfix.exe directly, which will fix the incorrect ASN License data – something which i already guessed about in my previous post about this issue.

DIAS-iS is now certified for Windows 7

I’ve been playing with Windows 7 for quite some time and the internal deployment at the company i work for is also coming along quite nicely. A few machines are still on the RC and our branch office is still running on Vista, but this should be resolved by the end of next month.

However, we’re also an ISV. DIAS-iS has been running on Windows Vista since the release – thanks to the efforts of our developers, who fixed everything during the beta phase of Windows Vista. As such, our software ran on Windows 7 since the beginning.

During the past few weeks, i did all the necessary administrative work to get our Software certified with the “Compatible with Windows 7” Logo.

Doing this isn’t that hard, but it requires you to jump through quite a few hoops.

Here’s a basic rundown of steps:

  • Obtain an MS Authenticode certificate from Verisign. Note that other code signing certs won’t work (e.g. Thawte)
  • Create a WinQual Account here
    • You’ll need to sign a sample .exe with the code signing cert from step one
  • Download the Software Logo Toolkit
  • Download the Windows 7 Logo Requirements Document
  • Both of these packages contain all the documentation you need – most of the requirements are easily satisfied if you have an application that behaves nicely, uninstalls correctly, works in TS environments
  • Create an empty Windows 7 x64 VM. Note that it must be x64.
  • Install the Software Logo Toolkit on the machine
  • Start the GUI, start the Session Server in a second session on the same machine
  • Run through all the phases, make sure the report says “Pass” or “Pass with warnings” (verify that the warnings are not real errors)
  • Submit the .xml through the WinQual account. You’ll immediately get certified

So it’s not that hard.

The key point to delivering a good user experience is to ensure that your application uses standard installation technology like .MSI, that it doesn’t require administrative privileges, that all configuration is stored in the userprofile (Registry or %APPDATA%) and that it’s multi-session capable.

And that’s all the “Compatible with Windows 7” logo verifies – so if you already have a well-behaving Windows application, getting that logo is easy as pie. It does not cost anything directly – the only costly requirement is the fact that you need a Verisign Authenticode certificate. This will set you back 400$. Microsoft does not want any money from you for this Logo – and it can be great in Marketing your competitiveness and readiness as a software vendor.

Windows XP Mode RC fails with “Parameter is incorrect”

So Windows 7 RTM is out. So i’ve tried playing with XP Mode, which didn’t work for me on the RC version, and after a bit of debugging didn’t find the issue.

So, with a fresh newly installed laptop and the new release candidate of Windows XP mode, i gave it a whirl again. But it failed with the same sequence of completely intelligible error messages, namely “Integration features have been disabled” and the even more helpful “Parameter is incorrect”.

So i installed it on my desktop as well, where it worked without a hitch. The major difference between my desktop and my laptop is that the laptop is joined to the corporate domain and the desktop at home obviously not.

I dug a bit deeper into the event log, and drilled down to Microsoft\Windows\Virtual PC\Admin, where i found this error message:

Could not enable the Integration features for ‘Windows XP Mode’. The current mode is – 0. Last Channel start Value – 0x800700B7, Last Disconnect Reason – 0x300001B, Last Extended Disconnect Reason – 0x0, GHI State of the guest machine – 0x1

Now, this whole “disconnect” thing sounded strange until i remembered that Windows Virtual PC used RDP to deliver the screen – and at that point i thought about the RD Gateway server that’s being pushed by a GPO.

So for a quick test, i set the following key in the registry to zero:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services\UseProxy

And tried starting Virtual PC again. It worked! Setting the key back to 1 predictably led to the same error message.

So next i excluded Windows 7 users from this GPO using a simple WMI filter, which will be a temporary measure to mitigate this issue.

This seems to be a bug somewhere, as those settings shouldn’t break Virtual PC. I’m not sure where i should report this to, but i’ll have a look at that. At least now people with the same issue should get this solution through Google.

My first experiences with SSDs

So SSDs have been out for quite some time and with the upcoming release of Windows 7 (August 6th on TechNet), i decided to get myself one at home. This coincided nicely with Intel’s announcement of the X25-M G2, the 34nm SSD.

I ordered mine last Friday and it arrived yesterday. It looks like i was rather lucky with this, because Intel has since withdrawn them because of an issue with using a HDD password. Since i don’t use that, i didn’t care and installed Windows 7 RC.

And, well, the performance is absolutely astonishing. I’ve upgraded from an old AMD X2 running Windows 7 Beta earlier this year to an i7 also running Windows 7 Beta – more RAM, new hard disk, new graphics. The UI wasn’t noticeably faster, sometimes Explorer decided to take ages to work things out, the event viewer was still rather slow, but of course video recoding and games were a lot better.

But now, with an SSD, the UI is extremely responsive – event viewer opens instantly, switches instantly between categories. It just feels like a new machine, with just one part replaced.

So, yeah. I’m quite pleased with my purchase.

Live Meeting 2007 fails to connect to OCS 2007 R2

I’ve just migrated our internal OCS 2007 setup to OCS 2007 R2. Yeah, i’m very late at this.

Everything worked except LiveMeeting when using the Edge server. It worked fine internally, or when a VPN connection was established. The LiveMeeting Error Log showed me exactly what failed, but it took me almost half an hour to figure out why it was failing.

[P] SEQ#16,placeware::SslSocket::connectInternal::TLSNegotiationTimer stop,112029,,
[D] [X-PSOM] SslSocket::connect end OK
[D] [X-PSOM] TunnelSocket::connect ProxyHeader sent.
[I] [X-PSOM] SSLTunnelStream: Established SSL Tunnel Stream to hor-ocsgw-01.acommit.ch
[I] [X-PSOM] Forwarded TCP probe succeeded
[P] SEQ#14,placeware::ServerInfo::ForwardedTcpProbeThread::run::ForwardedTcpProbeTimer stop,145082,,
[I] [X-PSOM] Best mode for Client RPC is : 1
[I] [X-PSOM] Best mode is fwdtls. Reusing stream in probe.
[I] [X-PSOM] PWS Handshake sent.
[E] [X-PSOM] placeware::Socket::readWSAGetOverlappedResult failed, error = 10054
[E] [X-PSOM] Socket error while reading.
[E] [X-PSOM] SslSocket::close: socket is not connected

So, looks good at first. And then it fails. No log entry on the OCS Edge, no entry on the OCS Standard.

I figured out the solution when rechecking my entire configuration – i misconfigured the external Edge server hostname on the Standard Server.

Fixing the issue is easy:

  • Log on OCS Standard Server
  • Right click on Pool – Properties – Web Conference – Web Conference Edge Server.
  • Then, enter the correct external host name. You’ll find this name in the Edge server configuration.

The dump then reads like this:

[P] SEQ#16,placeware::SslSocket::connectInternal::TLSNegotiationTimer stop,83410,,
[D] [X-PSOM] SslSocket::connect end OK
[D] [X-PSOM] TunnelSocket::connect ProxyHeader sent.
[I] [X-PSOM] SSLTunnelStream: Established SSL Tunnel Stream to hor-ocsgw-01-1.acommit.ch
[I] [X-PSOM] Forwarded TCP probe succeeded
[P] SEQ#14,placeware::ServerInfo::ForwardedTcpProbeThread::run::ForwardedTcpProbeTimer stop,122853,,
[I] [X-PSOM] Best mode for Client RPC is : 1
[I] [X-PSOM] Best mode is fwdtls. Reusing stream in probe.
[I] [X-PSOM] PWS Handshake sent.
[I] [X-PSOM] Received PWS Handshake.