Lukas Beeler's IT Blog

Exchange 2010 will be out soon, and i’ve been preparing for the migration. One of the more important parts is that you will need to have both Exchange 2007 and Exchange 2010 client access servers accessible from the Internet.

If you’re following the recommended deployment method for Exchange 2007, you’ll already be using a SAN certificate in order to publish AutoDiscovery and OWA. For coexistence of Exchange 2007 and Exchange 2010, an additional name will need to be added to your SAN certificate.

With most CAs, this is a pretty straightforward process that can be done using their web interface, since the private key doesn’t need to be touched. After modifying this, you will get a new .crt file containing the certificate, but no private key (which is correct).

However, importing this into Exchange 2007 using Import-ExchangeCertificate doesn’t work – Windows won’t know which private key is associated with the newly imported certificate. When you try to use Enable-ExchangeCertificate, you will receive the following error message:

Enable-ExchangeCertificate : The certificate with thumbprint 1234 was found but is
not valid for use with Exchange Server (reason: PrivateKeyMissing).

I searched high and low on how to replace a certificate without touching the private key, but i didn’t find anything. So i turned to the community for support – MCSEBoard.de is an excellent Windows community for those who speak German.

Unfortunately, noone knew an easy way either – the suggestion was to use OpenSSL to create a new keystore.

This was rather easy, but i didn’t find any guides on the net on how to do this, so i’m publishing this here in the hope that it will help others with the same issue.

• First, you need to export the key including the private key using the Windows certificate manager. Open an elevated MMC, add the Certificate snap-in and focus on the Computer certificate. Click “Personal”, and then export the certificate with the private key.
• Download and Install OpenSSL for Windows
• Issue the following command: openssl pkcs12 -in mykey.pfx > out.txt
• Open out.txt using an LF-aware text editor, such as Notepad++. Save the PRIVATE KEY part to a textfile called key.pem.
• Save the certificate to a file called cert.crt
• Issue to the following command: openssl pkcs12 -export -in cert.crt -inkey key.pem -out newcert.p12
• Copy the newly created newcert.p12 to the Exchange server.
• Open PowerShell and run the following command: $secureString = ConvertTo-SecureString "blubb" -AsPlainText -Force – Replace “blubb” with the Passphrase you used in the step before
• Run Import-ExchangeCertificate -path newcert.p12 -pass $secureString to import the certificate back into Exchange
• The rest is as usual – use Enable-ExchangeCertificate to enable the certificate.

And that’s it. It might be a bit cumbersome – and i really hope that there is an easier way to to this. If you know, let me know so i can update this page.

Microsoft has finally offered a fix to the OCS issue described here

See here for the fix and it’s description KB974571

Click here to download the ocsasnfix.exe directly, which will fix the incorrect ASN License data – something which i already guessed about in my previous post about this issue.

SBS 2008 is out for roughly a year. In this time, i did four deployments of SBS 2008, each with 15-30 users.

During this time, i’ve gained valuable experience, which i’ll try to share here so that others can profit from it. Take all this with a grain of salt, as some observations may simply be my fault. Also, as times changes these things might change too.

Software

• Make sure to install Windows Server 2008 SP2 after installing SBS 2008. Some media may come with SP2 already preloaded. You can use the normal SP2 package that’s also used for Vista and the normal Server 2008
• Do not install SBS rollup updates before completing the configuration wizard. This is extremely counter-intuitive, but is described on the Official SBS blog
• Installing Exchange 2007 SP2 requires you to follow special considerations Here
• Installing WSUS 3.0 SP2, which is needed to support Windows 7, is currently not recommended. I was able to do this without issues on my lab machines, but others have reported issues doing this on machines that were in production. If you’re deploying a new SBS server, this should probably be safe to go. But make sure to test functionality afterward.
• Always use the answer file to deploy SBS 2008. This will make it possible to choose a custom domain name. Read my post about choosing your AD DNS namespace
• Do whatever tasks you can do using the SBS console. Resist of using the normal administration tools as much as possible, as you can break SBS with them easily.
• Ensure that the AV software you install is compatible with WS08 x64. Symantec Endpoint Protection Manager works well – Forefront Client Security on the other hand requires a seperate server running 32bit Windows for management. You may consider deploying FCS unmanaged in smaller environments, and configure FCS using the FCS ADM File

Hardware

• Use servers with the new Xeon 5500 CPUs. Read my x3650 M2 tips to find more about them. Consider using an E5530 or faster CPU. Using two CPUs (for a total of 16 virtual and 8 physical cores) makes little sense.
• Buy enough memory. Lots of it. Really. I mean it. You’ll need lots and lots of memory. I would consider 12GB to bare minimum. In a 3×4GB configuration which makes the most sense for the Xeon 5500 setups, this is quite cheap. Consider more memory if you intend to run SQL Server as, consider bumping the memory to 24GB. Remember that you can only use the first 8 slots in a single socket machine.
• Buy enough disks. A good starting layout is 8×147GB 2.5″ disks. Use a RAID 1 for the OS, another RAID1 for Exchange and Sharepoint, and a RAID10 for Data and WSUS. This is all up for debate of course, and it might make sense to consider other disk layouts.

If you have any additions, think i’m wrong somewhere just send in a comment.

Update: See here for Microsoft’s description of this issue KB974571

Security updates are important. And as we’re currently an evaluation setup for OCS 2007 R2, i’ve decided to install todays batch of security updates on these lesser important machines first. And after a reboot, OCS 2007 R2 was broken.

A quick view into the event log revealed that OCS 2007 R2’s evaluation license has expired. Now, this seemed very strange as i’ve installed from volume license media. I’ve the checked the media again, but they weren’t evaluation media.

Here’s the message in all it’s glory:

Event source: OCS Server
Event id: 12290
Event text: The evaluation period for Microsoft Office Communications Server 2007 R2 has expired. Please upgrade from the evaluation version to the full released version of the product.

Maybe i really did use other media to install it? I doubted myself, because that’s usually the most reasonable approach to take. The error is usually behind the keyboard.

Luckily, Microsoft has published documentation on how to upgrade an evaluation version to a full version. Unfortunately, this didn’t work, because as it appears i was running a Volume license version of OCS.

EVALTOFULL parameter cannot be used with currently installed license type Volume

At this point, i was pretty sure that this wasn’t my fault. There has been an issue with the OCS 2007 R2 Evaluation Media expiring at the wrong point in time, but apparently this has been sorted out and did never affect the full versions of OCS 2007 R2.

So i was bummed. A quick view using process monitor revealed that the licensing information was most likely to be stored here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RtcSrv\InstallInfo\ValidationData

I created a backup of that part of the registry, and then renamed the key. I got a file not found error, and created a new key of the same type and wrote binary data of the same length into it. This yielded the following error:

The service is shutting down due to an internal error.

Error Code: 80093102 (ASN1 unexpected end of data.)

At that point, i was pretty sure what might’ve caused this – the MS Crypto API security update KB974571.

I removed the update, rebooted the machine, and OCS 2007 R2 was up and running again, without any issues.

I’ve already opened a case with Microsoft to get this sorted out.

Update:
Appears that this is an official issue: See here

Microsoft recently released Microsoft Security Essentials, which is a free AV solution for anyone running genuine Windows. This is great news, because most other free AV packages exclude commercial use – like Avira or AVG. Especially in the SMB space, were you to argue for every license, this is a good way to ensure that _every_ machine is running an AV package, even without central reporting.

Update: The license is not entirely clear – it does not exclude commercial use, only SaaS use. But in the beginning of the license it says that only home-based small businesses are allowed to use it. So take this with a grain of salt – the license is certainly more permissive than Avira, but it’s not as easy as i thought.

I’ve been participating in the MSE beta test with my Windows 7 machines at home, and my impression has been very good. Performance is excellent, and the GUI is simple and straightforward.

After a few negative experiences with McAfee 8.7 at work, and my very good experiences with MSE at home, i tried to have another look at FCS.

Well, FCS is rather old right now, with the new release just on the horizon. Still, the current release is supported on Windows 7 x64 with the latest patches, and so far my impressions have been very good. The management server only runs on 32bit Windows, which also means it won’t run on WS08R2.

But my impression has been good so far – the package installed on the client is far more lightweight than McAfee, and even the managment software leaves a much better impression.

We’ve also been using Symantec Endpoint Protection at a few customers, but my impression of that product was even worse than McAfee.

We’ll see how FCS will fare, and the test deployment is currently running. If you have any good tips or websites for me, i’d be delighted to read them.

The Midrange Wiki is a good way to get started with the IBM i platform. I’ve started writing a short Getting Started guide there, which may be of interest to you.

If you work on the IBM i platform, the Midrange Mailing Lists may also be a place to visit and subscribe. Also, check out the IMHO Midrange Blog.

I’ve been playing with Windows 7 for quite some time and the internal deployment at the company i work for is also coming along quite nicely. A few machines are still on the RC and our branch office is still running on Vista, but this should be resolved until the end of the next month.

However, we’re also an ISV. DIAS-iS has been running on Windows Vista since the release – thanks to the efforts of our developers, who fixed everything during the beta phase of Windows Vista. As such, our software ran on Windows 7 since the beginning.

During the past few weeks, i did all the necessary administrative work to get our Software certified with the “Compatible with Windows 7″ Logo.

Doing this isn’t that hard, but it requires you to jump through quite a few hoops.

Here’s a basic rundown of steps:

• Obtain a MS Authenticode certificate from Verisign. Note that other code signing certs won’t work (e.G. Thawte)
• Create a WinQual Account here
  • You’ll need to sign a sample .exe with the code signing cert from step one
• Download the Software Logo Toolkit
• Download the Windows 7 Logo Requirements Document
• Both of these packages contain all the documentation you need – most of the requirements are easily satisfied if you have an application that behaves nicely, uninstalls correctly, works in TS environments
• Create an empty Windows 7 x64 VM. Note that it must be x64.
• Install the Software Logo Toolkit on the machine
• Start the GUI, start the Session Server in a second session on the same machine
• Run through all the phases, make sure the report says “Pass” or “Pass with warnings” (verify that the warnings are not real errors)
• Submit the .xml through the WinQual account. You’ll immediately get certified

So it’s not that hard.

The key point to delivering a good user experience is to ensure that your application uses standard installation technology like .MSI, that it doesn’t require administrative privileges, that all configuration is stored in the userprofile (Registry or %APPDATA%) and that it’s multi-session capable.

And that’s all the “Compatible with Windows 7″ logo verifies – so if you already have a well-behaving Windows application, getting that logo is easy as pie. It does not cost anything directly – the only costly requirement is the fact hat you need a Verisign Authenticode certificate. This will set you back 400$. Microsoft does not want any money from you for this Logo – and it can be great in Marketing your competitiveness and readiness as a software vendor.

Windows Server 2008 R2 was released to MSDN today, and of course i want and installed it on a machine that did something more or less useful – a Fax server. Which is of course an internal system and not really in production.

I’m using a Diva BRI-2 2 Channel PCI-E Card, which already has support for Windows Server 2008 R2, and installing the Diva Software went without any issues.

Installing the Fax service was also easy, but there was no Fax printer to be seen anywhere.

I’ve followed the TechNet documentation for creating Fax printer on Windows Server 2008 R2, but it didn’t work – at first i received a “Permission denied” error message, after which i started Windows Fax & Scan using Administrator privileges.

This didn’t help that much – i could now go through the wizard, but no Fax account and no printer was created. This seemed strange.

Now, this really seemed like a permission issue. So i disabled UAC, rebooted the server, and tried it again. Everything worked – i was able to create the Fax printer, and after sharing it faxing worked as it should.

So, what now? Why doesn’t this work with UAC? I’ve been running our WS08 servers with UAC disabled (our Vista client were UAC enabled, and so are our Windows 7 clients), and thought WS08R2 should also work well with UAC enabled. But apparently, that wasn’t a good idea.

So Windows 7 RTM is out. So i’ve tried playing with XP Mode, which didn’t work for me on the RC version, and after a bit of debugging didn’t find the issue.

So, with a fresh newly installed laptop and the new release candidate of Windows XP mode, i gave it a whirl again. But it failed with the same sequence of completely intelligible error messages, namely “Integration features have been disabled” and the even more helpful “Parameter is incorrect”.

So i installed it on my desktop as well, where it worked without a hitch. The major difference between my desktop and my laptop is that the laptop is joined to the corporate domain and the desktop at home obviously not.

I dug a bit deeper into the event log, and drilled down to Microsoft\Windows\Virtual PC\Admin, where i found this error message:

Could not enable the Integration features for ‘Windows XP Mode’. The current mode is – 0. Last Channel start Value – 0×800700B7, Last Disconnect Reason – 0×300001B, Last Extended Disconnect Reason – 0×0, GHI State of the guest machine – 0×1

Now, this whole “disconnect” thing sounded strange until i remembered that Windows Virtual PC used RDP to deliver the screen – and at that point i thought about the RD Gateway server that’s being pushed by a GPO.

So for a quick test, i set the following key in the registry to zero:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services\UseProxy

And tried starting Virtual PC again. It worked! Setting the key back to 1 predictably led to the same error message.

So next i excluded Windows 7 users from this GPO using a simple WMI filter, which will be a temporary measure to mitigate this issue.

This seems to be a bug somewhere, as those settings shouldn’t break Virtual PC. I’m not sure where i should report this to, but i’ll have a look at that. At least now people with the same issue should get this solution through Google.

In the light of the recent announcement how Hyper-V Server 2008 R2 will be licensed, i thought about familiarizing myself with the Clustering & Live Migration capabilities, using the RC release of Hyper-V Server 2008 R2.

I have to admit that Failover Clustering isn’t exactly the field i have a lot of experience in (in other words, i have never used it in producation). But after seeing that i wouldn’t be drowning in work this friday afternoon, i decided to give it a whirl.

So, in order to get started i needed two machines that were able to support running Hyper-V Server 2008 R2. One of them was HP ML110 G5, about which i wrote a few months back. Unfortunately, i could use only one of them. So my next choice was an old HP desktop, which fortunately had a VT compatible CPU.

Next, i needed a storage backend. Of course i had to use a software solution, but having no experience and only a very old PIV era IBM SFF PC, i just picked the first Google search result which supported SCSI-3 Reservations, which are required for WS08 clusters. I’ve downloaded and installed Open-E DSS.

For networking, all i was able to find was a 100mbit 3com 24 port hub. Yes, this looked like one of the most ghetto environments i put together yet, but interestingly i got it all to work.

Open-E DSS installs to an USB stick, formatted with FAT32. You just unzip the installation file, run an .exe on the stick to make it bootable, and then you can run the system directly from USB. In my case, using rather outdated hardware, everything was recognized by the Linux kernel. Of course, the machine only having a slow 40GB 5400RPM hard disk wasn’t exactly the fastest on the block, but configuration was surprisingly simple. Unfortunately, installing and activating the Lite license required two reboots, after which it lost all it’s iSCSI settings (but no data!)

Installing Hyper-V Server 2008 R2 on the ML110 was a breeze. Using sconfig, the machine was quickly joined to the domain, remote administration enabled, failover clustering enabled and using the graphical iscsicpl iSCSI was configured, the volumes formatted and attached.

Next was the HP desktop machine. Installing was fine, worked perfectly, all the necessary hardware was recognized. Unfortunately, the machine only had 1GB of RAM, which meant that i couldn’t do all that much fancy stuff with it. I was in for a nasty surprise here later, because i didn’t enable Intel VT in the BIOS (which is hidden in the “Security” Options). I think the Hyper-V Server setup should give you a warning here if the feature isn’t enabled.

Next i created the cluster. I’ve used this blogpost and TechNet to get a basic overview on what i needed to do. In just a few steps through the cluster configuration wizards, my cluster was configured and ready. I was able to bring my VM online on the first node (the ML110) and decided to install Windows XP, since i only had 1GB of RAM on the second node. I gave the VM 256MB of RAM and ran through the setup (which took ages – iSCSI over a 100mbit Hub to an old PIV with a 5400rpm hard drive isn’t a good idea anymore).

Next, i decided to setup VM networking, created the appropriate VM interfaces on both machines, restarted my XP VM and tried to do a live migration. Which failed. “Insufficient system resources”. Turns out i needed to adjust the amount of memory reserved for the root partition using PowerShell – all described in this Clustering and High Availability blog post.

After running (get-cluster HV01).RootMemoryReserved=128, it failed again. This time with these event log entries:

‘Test-VM’ The switch port connection for “Network Adapter” (BE62B93F-1490-4F7E-8229-FA18D50DC974) is invalid.

‘Test-VM’ Microsoft Synthetic Ethernet Port (Instance ID {BE62B93F-1490-4F7E-8229-FA18D50DC974}): Failed to Power on with Error ‘The system cannot find the path specified.’ (0×80070003).

Failed to connect NIC ‘9144ED30-35D9-4E5F-8012-70AC436EC603–BE62B93F-1490-4F7E-8229-FA18D50DC974′ to port ” on switch ‘0734959D-3′, status = C000003A.

I disabled networking in the VM altogether, and tried Live Migration again. It worked! The next was spent with searching the internet for information about my issue, about which i found nothing. Obviously the network interfaces should be named the same in all cluster hosts, but that was the case. Yet, no matter what i did it didn’t work!

I was starting to doubt my hardware, added a second pair of NICs since the configuration of using the same NIC for everything wasn’t really recommended, but when reading the error message it really didn’t sound like that was my issue. Of course adding the second pair of NICs didn’t help.

So i did what i always did: i started guessing, and after quite a bit of time i got it rights. Turns out you must not use the Hyper-V MMC to manage the VM configuration, and instead the “Settings” button in the failover cluster manager. Only issue is that the failover cluster manager has a much more prominent button labeled “manage virtual machine”, which opened the Hyper-V MMC.

After that, everything worked. I was able to live migrate my machine including the network from host to host. I tested running a Top Gear clips through RDP, while live migrating the machine.

Migrating from the slow HP desktop to the ML110 gave about 2 seconds of video outage, but migrating from the ML110 to the HP desktop just resulted in a slow hiccup. My assumption was that this would probably be completely invisible on more modern hardware.

So what does this mean? Microsoft has made Live Migration and Clustering a feature available to everyone, at (almost) no cost. Administrating such a cluster requires Active Directory, and either a WS08R2 server or a Windows 7 machine with RSAT installed.

This means we can finally have decent virtualization features without paying thousands of francs in licensing fees. I hope this makes it possible to create a few virtualization projects for our customers, which are mostly in the small business range.

Hyper-V Server R2 should be available around mid-August, at which i’ll need to rebuild my Ghetto setup here. I’m of course hoping to get some more cash in order to move or internal virtualization setup from a single-host to a SAN-hosted cluster, but somehow i doubt that will happen quickly.

Update:

I’ve played around with Expression Encoder a bit, and created a Video of a Live Migration. I’ve put the probably most boring video on Youtube – Live Migration of Pinball.