Lukas Beeler's IT Blog

Exchange 2010 will be out soon, and i’ve been preparing for the migration. One of the more important parts is that you will need to have both Exchange 2007 and Exchange 2010 client access servers accessible from the Internet.

If you’re following the recommended deployment method for Exchange 2007, you’ll already be using a SAN certificate in order to publish AutoDiscovery and OWA. For coexistence of Exchange 2007 and Exchange 2010, an additional name will need to be added to your SAN certificate.

With most CAs, this is a pretty straightforward process that can be done using their web interface, since the private key doesn’t need to be touched. After modifying this, you will get a new .crt file containing the certificate, but no private key (which is correct).

However, importing this into Exchange 2007 using Import-ExchangeCertificate doesn’t work – Windows won’t know which private key is associated with the newly imported certificate. When you try to use Enable-ExchangeCertificate, you will receive the following error message:

Enable-ExchangeCertificate : The certificate with thumbprint 1234 was found but is
not valid for use with Exchange Server (reason: PrivateKeyMissing).

I searched high and low on how to replace a certificate without touching the private key, but i didn’t find anything. So i turned to the community for support – MCSEBoard.de is an excellent Windows community for those who speak German.

Unfortunately, noone knew an easy way either – the suggestion was to use OpenSSL to create a new keystore.

This was rather easy, but i didn’t find any guides on the net on how to do this, so i’m publishing this here in the hope that it will help others with the same issue.

• First, you need to export the key including the private key using the Windows certificate manager. Open an elevated MMC, add the Certificate snap-in and focus on the Computer certificate. Click “Personal”, and then export the certificate with the private key.
• Download and Install OpenSSL for Windows
• Issue the following command: openssl pkcs12 -in mykey.pfx > out.txt
• Open out.txt using an LF-aware text editor, such as Notepad++. Save the PRIVATE KEY part to a textfile called key.pem.
• Save the certificate to a file called cert.crt
• Issue to the following command: openssl pkcs12 -export -in cert.crt -inkey key.pem -out newcert.p12
• Copy the newly created newcert.p12 to the Exchange server.
• Open PowerShell and run the following command: $secureString = ConvertTo-SecureString "blubb" -AsPlainText -Force – Replace “blubb” with the Passphrase you used in the step before
• Run Import-ExchangeCertificate -path newcert.p12 -pass $secureString to import the certificate back into Exchange
• The rest is as usual – use Enable-ExchangeCertificate to enable the certificate.

And that’s it. It might be a bit cumbersome – and i really hope that there is an easier way to to this. If you know, let me know so i can update this page.

Microsoft has finally offered a fix to the OCS issue described here

See here for the fix and it’s description KB974571

Click here to download the ocsasnfix.exe directly, which will fix the incorrect ASN License data – something which i already guessed about in my previous post about this issue.

I’ve been playing with Windows 7 for quite some time and the internal deployment at the company i work for is also coming along quite nicely. A few machines are still on the RC and our branch office is still running on Vista, but this should be resolved until the end of the next month.

However, we’re also an ISV. DIAS-iS has been running on Windows Vista since the release – thanks to the efforts of our developers, who fixed everything during the beta phase of Windows Vista. As such, our software ran on Windows 7 since the beginning.

During the past few weeks, i did all the necessary administrative work to get our Software certified with the “Compatible with Windows 7″ Logo.

Doing this isn’t that hard, but it requires you to jump through quite a few hoops.

Here’s a basic rundown of steps:

• Obtain a MS Authenticode certificate from Verisign. Note that other code signing certs won’t work (e.G. Thawte)
• Create a WinQual Account here
  • You’ll need to sign a sample .exe with the code signing cert from step one
• Download the Software Logo Toolkit
• Download the Windows 7 Logo Requirements Document
• Both of these packages contain all the documentation you need – most of the requirements are easily satisfied if you have an application that behaves nicely, uninstalls correctly, works in TS environments
• Create an empty Windows 7 x64 VM. Note that it must be x64.
• Install the Software Logo Toolkit on the machine
• Start the GUI, start the Session Server in a second session on the same machine
• Run through all the phases, make sure the report says “Pass” or “Pass with warnings” (verify that the warnings are not real errors)
• Submit the .xml through the WinQual account. You’ll immediately get certified

So it’s not that hard.

The key point to delivering a good user experience is to ensure that your application uses standard installation technology like .MSI, that it doesn’t require administrative privileges, that all configuration is stored in the userprofile (Registry or %APPDATA%) and that it’s multi-session capable.

And that’s all the “Compatible with Windows 7″ logo verifies – so if you already have a well-behaving Windows application, getting that logo is easy as pie. It does not cost anything directly – the only costly requirement is the fact hat you need a Verisign Authenticode certificate. This will set you back 400$. Microsoft does not want any money from you for this Logo – and it can be great in Marketing your competitiveness and readiness as a software vendor.

So Windows 7 RTM is out. So i’ve tried playing with XP Mode, which didn’t work for me on the RC version, and after a bit of debugging didn’t find the issue.

So, with a fresh newly installed laptop and the new release candidate of Windows XP mode, i gave it a whirl again. But it failed with the same sequence of completely intelligible error messages, namely “Integration features have been disabled” and the even more helpful “Parameter is incorrect”.

So i installed it on my desktop as well, where it worked without a hitch. The major difference between my desktop and my laptop is that the laptop is joined to the corporate domain and the desktop at home obviously not.

I dug a bit deeper into the event log, and drilled down to Microsoft\Windows\Virtual PC\Admin, where i found this error message:

Could not enable the Integration features for ‘Windows XP Mode’. The current mode is – 0. Last Channel start Value – 0x800700B7, Last Disconnect Reason – 0x300001B, Last Extended Disconnect Reason – 0×0, GHI State of the guest machine – 0×1

Now, this whole “disconnect” thing sounded strange until i remembered that Windows Virtual PC used RDP to deliver the screen – and at that point i thought about the RD Gateway server that’s being pushed by a GPO.

So for a quick test, i set the following key in the registry to zero:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services\UseProxy

And tried starting Virtual PC again. It worked! Setting the key back to 1 predictably led to the same error message.

So next i excluded Windows 7 users from this GPO using a simple WMI filter, which will be a temporary measure to mitigate this issue.

This seems to be a bug somewhere, as those settings shouldn’t break Virtual PC. I’m not sure where i should report this to, but i’ll have a look at that. At least now people with the same issue should get this solution through Google.

So SSDs have been out for quite some time and with the upcoming release of Windows 7 (August 6th on TechNet), i decided to get myself one at home. This coinceded nicely with Intels announcement of the X25-M G2, the 34nm SSD.

I ordered mine last Friday and it arrived yesterday. It looks like i was rather lucky with this, because Intel has since withdrawn them because of an issue with using a HDD password. Since i don’t use that, i didn’t care and installed Windows 7 RC.

And, well, the performance is absolutely astonishing. I’ve upgraded from an old AMD X2 running Windows 7 Beta earlier this year to an i7 also running Windows 7 Beta – more RAM, new hard disk, new graphics. The UI wasn’t noticably faster, sometimes Explorer decided to take ages to work things out, the event viewer was still rather slow, but of course video recoding and games were a lot better.

But now, with an SSD, the UI is extremely responsive – event viewer opens instantly, switches instantly between categories. It just feels like a new machine, with just one part replaced.

So, yeah. I’m quite pleased with my purchase.

I’ve just migrated our internal OCS 2007 setup to OCS 2007 R2. Yeah, i’m very late at this.

Everything worked, but LiveMeeting when using the Edge server. It worked fine internally, or when a VPN connection was established. The LiveMeeting Error Log showed me exactly what failed, but it took my almost half an hour to figure out why it was failing.

[P] SEQ#16,placeware::SslSocket::connectInternal::TLSNegotiationTimer stop,112029,,
[D] [X-PSOM] SslSocket::connect end OK
[D] [X-PSOM] TunnelSocket::connect ProxyHeader sent.
[I] [X-PSOM] SSLTunnelStream: Established SSL Tunnel Stream to hor-ocsgw-01.acommit.ch
[I] [X-PSOM] Forwarded TCP probe succeeded
[P] SEQ#14,placeware::ServerInfo::ForwardedTcpProbeThread::run::ForwardedTcpProbeTimer stop,145082,,
[I] [X-PSOM] Best mode for Client RPC is : 1
[I] [X-PSOM] Best mode is fwdtls. Reusing stream in probe.
[I] [X-PSOM] PWS Handshake sent.
[E] [X-PSOM] placeware::Socket::readWSAGetOverlappedResult failed, error = 10054
[E] [X-PSOM] Socket error while reading.
[E] [X-PSOM] SslSocket::close: socket is not connected

So, looks good at first. And then it fails. No log entry on the OCS Edge, no entry on the OCS Standard.

I figured out the solution when rechecking my entire configuration – i misconfigured the external Edge server hostname on the Standard Server.

Fixing the issue is easy:

• Log on OCS Standard Server
• Right click on Pool – Properties – Web Conference -Web Conference Edge Server.
• Then, enter the correct external host name. You’ll find this name in the Edge server configuration.

The dump then reads like this:

[P] SEQ#16,placeware::SslSocket::connectInternal::TLSNegotiationTimer stop,83410,,
[D] [X-PSOM] SslSocket::connect end OK
[D] [X-PSOM] TunnelSocket::connect ProxyHeader sent.
[I] [X-PSOM] SSLTunnelStream: Established SSL Tunnel Stream to hor-ocsgw-01-1.acommit.ch
[I] [X-PSOM] Forwarded TCP probe succeeded
[P] SEQ#14,placeware::ServerInfo::ForwardedTcpProbeThread::run::ForwardedTcpProbeTimer stop,122853,,
[I] [X-PSOM] Best mode for Client RPC is : 1
[I] [X-PSOM] Best mode is fwdtls. Reusing stream in probe.
[I] [X-PSOM] PWS Handshake sent.
[I] [X-PSOM] Received PWS Handshake.

For several months, i’ve had a problem on a Hyper-V host described WS08 and the black screen of waiting. Basically, the machine boots up, hangs 50 minutes being completely unresponsive, and then goes on working perfectly for weeks.

The problem was resolved (temporarily) by deleting shadow copies, but it still exists. As i’ve had time this weekend to investigate this closely, i’m pretty sure that i found the root cause of the problem, but i have no solution yet. Remember, this is all just a theory i cooked up – i’m putting this information out there in case anyone else has a similar problem.

My theory is that this is related to Plug & Play manager running enumeration of devices left by the Hyper-V VSS writer backup.

On the affected machine, the C:\windows\system32\config\SYSTEM file is around 170 MB. Using dureg, i could boil this down to two registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Which are about 6 megabytes each, when looking at them using dureg:

C:\Users\z-l.beeler\Desktop>dureg.exe /lm “SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk”
Size of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk: 6575468

Since this machine has been operational since about a year, with daily backups (BE12.5), it is much more pronounced here than on other machines. The Virtual Disk being part of the backup procedure is visible in the System log – it produces errors during the backup and Microsoft even has a KB article on the issue KB958669.

The eventlog on the affected machine looks like this:
18:02 The quota minifilter driver completed rescanning directories under quota management on volume “\Device\HarddiskVolume3 (G:)”. All quota information is up-to-date.
18:48 The Plug and Play service entered the running state.

Which for me further indicates that there is some kind of issue with the Plug and Play service. Unfortunately, the machine is not reachable remotely during the issue, but my guess would be that the Plug and Play service is hung in a “Starting” state, causing the lockup issue because of kernel interactions.

Unfortunately, i don’t have enough information and i’m not sure if deleting random registry keys is a good approach on this. I’ve posted on MCSEboard.de and the TechNet Forums – in the hope of getting valuable feedback from other long-term Hyper-V users.

Update: I don’t have a solution yet, but i’ve received a few insights. Thanks to zahni from MCSEBoard.de i got a link to KB959476, which doesn’t match my specific issue, but definitively goes into the right direction.

I’ve also found the Device Remover software, which gives me a clear graphic representation of the issue – over 9500 devices on the affected server. It even offers a removal function, but i don’t want to risk using this tool on a production server.

I’ve also opened a case with Microsoft PSS, in hope of getting an official solution to this issue soon.

Update 2:Removing the devices cut down the number of devices to about 300. I did this after Microsoft PSS recommended me to remove them. As i assumed, this resolved the issue during boot-up hang. Unfortunately, even after installing WS08 SP2, the machines still creates new virtual hard drives when running backup. I will try to get this resolved completely.

Last Week, one of our x3650 which serve as a primary file and print server crashed during Backup.

This wasn’t nice, especially because i couldn’t start the machine using the RSA Adapter. After going on-site (at around 23:00), i unplugged the power, reconnected it, and the machine booted. And crashed. And booted.

I booted it in safe mode, disabled all DFS replication task by disabling the DFS service, and the machine was finally able to boot. As soon as something IO intensive happened, it crashed. I opened a call with IBM, IBM replaced the system board.

This worked again for about a day. Then the machine crashed again, this time with “Planar Voltage Channel Fault”. This was at around 20:00. A few hours later, IBM arrived on-site and replaced the system board again.

The ServeRAID Controller then started AutoSynchronization of the array, which made the machine unbearably slow. And then it crashed again. I disabled the Automatic Server Reboot service, and set the synchronization priority to low. I also upgraded the hard disk firmware to version 1.03.

After about a day, the synchronization completed. Performance was comparably normal, but the machine still required about 20 minutes to boot, which was unacceptable. Looking at the eventlog, i saw some log entries before the waiting time, and some after. All of them normal, none of them looking like errors.

IBM came on site two times, replacing the ServeRAID memory and replacing the CPU and HD backplane power connector. However, neither of that fixed the issue. I began to suspect a software issue.

Today, IBM was on site again. They brought a replacement server. After testing our server with one of their hard disks (which was fast, as usual), it seemed clear that this was a software issue.

I had an idea, mostly related to the fact that the first crash was during a backup. I looked at the device manager, set it to show all hidden devices, and found about 100 shadow copies.

I looked at vssadmin list shadows, which also showed a lot of shadow copies. I removed all shadow copies on one of the drives which contained shadow copies, but there were still some there. I deleted them using vssadmin delete shadows. The reboot was fast again: Instead of 20 minutes, it only took around 5 (including the BIOS).

So, if you have Windows Server 2008 hanging at the Black Screen of Death err Waiting, it’s probably a good idea to look at your shadow copies. They may be culprit.

Also, big thanks to the techs from IBM, and for taking this issue seriously.

Yeah, i know. Not much content from me in the past few weeks. Not much motivation to write anything, and mostly bullshit happening that writing about wouldn’t be productive.

Either way, i attended a Citrix course and started setting up our internal Citrix test environment. Naturally, i also took some uninteresting Citrix Sales exams and a real exam at prometric.

The exam is easy if you even halfway know your way around Citrix. One thing that i didn’t pay too much attention too are port numbers, but there were a few in which knowing them was an advantage.

The past few months have been busy, very busy.

Mergers and acquisitions have always been a big part of what the important people do.

Of course, theoretically, that wouldn’t be my problem. However, one wouldn’t believe on how much work it is to get rid of an old name throughout a whole network.

First comes Active Directory – it uses DNS as a primary means of identification. Renaming an Active Directory domain is purely theoretical, e.G. it doesn’t work and it’s not supported if you’re running Exchange 2007.

Then there’s numerous other stuff that depends on DNS, names and everything. But in the end, i did my part of this deal. It has been an interested time and now i really wonder how big companies like Swissair handled their renames – or are they still running their infrastructure under the old name?

My employer is now called Acommit AG.

Of course, the whole rename proved to be a really good argument to buy new servers and upgrade straight to Windows Server 2008 – that means on my side the renaming thing has worked rather well. I still don’t know a lot about the company we bought (Futura Retail Solution GmbH), but their main market is selling POS related products.

If you need the full details, you can get them here:

Futura Retail Solution GmbH
Acommit AG (soon to be updated)