KB974571 Crypto-API Update may break Office Communications Server 2007 R2 installations

Update: See here for Microsoft’s description of this issue KB974571

Security updates are important. And as we’re currently running an evaluation setup for OCS 2007 R2, i’ve decided to install today’s batch of security updates on these less important machines first. And after a reboot, OCS 2007 R2 was broken.

A quick view into the event log revealed that OCS 2007 R2’s evaluation license has expired. Now, this seemed very strange as i’ve installed from volume license media. I’ve then checked the media again, but they weren’t evaluation media.

Here’s the message in all its glory:

Event source: OCS Server
Event id: 12290
Event text: The evaluation period for Microsoft Office Communications Server 2007 R2 has expired. Please upgrade from the evaluation version to the full released version of the product.

Maybe i really did use other media to install it? I doubted myself, because that’s usually the most reasonable approach to take. The error is usually behind the keyboard.

Luckily, Microsoft has published documentation on how to upgrade an evaluation version to a full version. Unfortunately, this didn’t work, because as it appears i was running a Volume license version of OCS.

EVALTOFULL parameter cannot be used with currently installed license type Volume

At this point, i was pretty sure that this wasn’t my fault. There has been an issue with the OCS 2007 R2 Evaluation Media expiring at the wrong point in time, but apparently this has been sorted out and never affected the full versions of OCS 2007 R2.

So i was bummed. A quick view using process monitor revealed that the licensing information was most likely to be stored here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RtcSrv\InstallInfo\ValidationData

I created a backup of that part of the registry, and then renamed the key. I got a file not found error, and created a new key of the same type and wrote binary data of the same length into it. This yielded the following error:

The service is shutting down due to an internal error.

Error Code: 80093102 (ASN1 unexpected end of data.)

At that point, i was pretty sure what might’ve caused this – the MS Crypto API security update KB974571.

I removed the update, rebooted the machine, and OCS 2007 R2 was up and running again, without any issues.

I’ve already opened a case with Microsoft to get this sorted out.

Update:
Appears that this is an official issue: See here
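
The diagnosis above can be repeated as a quick triage on other OCS 2007 R2 servers. The following PowerShell is an added example, not part of the original post or of Microsoft's guidance: it checks for the update, looks for event 12290 logged after it was installed, and backs up the licensing key before anything is changed. It assumes an elevated PowerShell 2.0 session on Windows Server 2008; the function name and backup path are made up for the example.

```powershell
# Added example: triage for the KB974571 / OCS 2007 R2 licensing failure.
# Assumptions: elevated session, PowerShell 2.0+, Windows Server 2008.
function Test-OcsKb974571 {
    param(
        # Hypothetical backup location, change as needed.
        [string]$BackupFile = "$env:TEMP\RtcSrv-InstallInfo.reg"
    )

    # 1. Is the Crypto-API update installed?
    $hotfix = Get-HotFix -Id 'KB974571' -ErrorAction SilentlyContinue
    $installedOn = $null
    if ($hotfix) { $installedOn = $hotfix.InstalledOn }

    # 2. Has OCS logged the "evaluation period expired" event?
    #    Source name and event id are the ones quoted in the post.
    $filter = @{ ProviderName = 'OCS Server'; Id = 12290 }
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 `
                    -ErrorAction SilentlyContinue)

    # 3. Only events logged after the update was installed point at the update.
    #    If the install date is unknown, all matching events are counted.
    $after = $events
    if ($installedOn) {
        $after = @($events | Where-Object { $_.TimeCreated -ge $installedOn })
    }

    # 4. Back up the licensing data before anyone touches it. Exporting the
    #    parent key captures ValidationData whether it is a value or a subkey.
    $key = 'HKLM\SYSTEM\CurrentControlSet\Services\RtcSrv\InstallInfo'
    & reg.exe export $key $BackupFile /y | Out-Null
    $backup = $null
    if ($LASTEXITCODE -eq 0) { $backup = $BackupFile }

    # Heuristic verdict: update present and the licensing event seen afterwards.
    $affected = ([bool]$hotfix) -and ($after.Count -gt 0)

    New-Object PSObject -Property @{
        UpdateInstalled   = [bool]$hotfix
        InstalledOn       = $installedOn
        Event12290Count   = $events.Count
        Event12290AfterKb = $after.Count
        RegistryBackup    = $backup
        LikelyAffected    = $affected
    }
}

Test-OcsKb974571 | Format-List
```

`LikelyAffected` is only a correlation of the two symptoms; a volume license install that reports an expired evaluation period is what makes the update the prime suspect.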

Migration from McAfee 8.7 to Forefront Client Security

Microsoft recently released Microsoft Security Essentials, which is a free AV solution for anyone running genuine Windows. This is great news, because most other free AV packages exclude commercial use – like Avira or AVG. Especially in the SMB space, where you have to argue for every license, this is a good way to ensure that _every_ machine is running an AV package, even without central reporting.

Update: The license is not entirely clear – it does not exclude commercial use, only SaaS use. But in the beginning of the license it says that only home-based small businesses are allowed to use it. So take this with a grain of salt – the license is certainly more permissive than Avira, but it’s not as easy as i thought.

I’ve been participating in the MSE beta test with my Windows 7 machines at home, and my impression has been very good. Performance is excellent, and the GUI is simple and straightforward.

After a few negative experiences with McAfee 8.7 at work, and my very good experiences with MSE at home, i tried to have another look at FCS.

Well, FCS is rather old right now, with the new release just on the horizon. Still, the current release is supported on Windows 7 x64 with the latest patches, and so far my impressions have been very good. The management server only runs on 32bit Windows, which also means it won’t run on WS08R2.

But my impression has been good so far – the package installed on the client is far more lightweight than McAfee, and even the management software leaves a much better impression.

We’ve also been using Symantec Endpoint Protection at a few customers, but my impression of that product was even worse than McAfee.

We’ll see how FCS will fare, and the test deployment is currently running. If you have any good tips or websites for me, i’d be delighted to read them.

IBM i Getting Started Guide on the Midrange Wiki

The Midrange Wiki is a good way to get started with the IBM i platform. I’ve started writing a short Getting Started guide there, which may be of interest to you.

If you work on the IBM i platform, the Midrange Mailing Lists may also be a place to visit and subscribe. Also, check out the IMHO Midrange Blog.

DIAS-iS is now certified for Windows 7

I’ve been playing with Windows 7 for quite some time and the internal deployment at the company i work for is also coming along quite nicely. A few machines are still on the RC and our branch office is still running on Vista, but this should be resolved by the end of the next month.

However, we’re also an ISV. DIAS-iS has been running on Windows Vista since the release – thanks to the efforts of our developers, who fixed everything during the beta phase of Windows Vista. As such, our software ran on Windows 7 since the beginning.

During the past few weeks, i did all the necessary administrative work to get our Software certified with the “Compatible with Windows 7” Logo.

Doing this isn’t that hard, but it requires you to jump through quite a few hoops.

Here’s a basic rundown of steps:

  • Obtain a MS Authenticode certificate from Verisign. Note that other code signing certs won’t work (e.g. Thawte)
  • Create a WinQual Account here
    • You’ll need to sign a sample .exe with the code signing cert from step one
  • Download the Software Logo Toolkit
  • Download the Windows 7 Logo Requirements Document
  • Both of these packages contain all the documentation you need – most of the requirements are easily satisfied if you have an application that behaves nicely, uninstalls correctly, works in TS environments
  • Create an empty Windows 7 x64 VM. Note that it must be x64.
  • Install the Software Logo Toolkit on the machine
  • Start the GUI, start the Session Server in a second session on the same machine
  • Run through all the phases, make sure the report says “Pass” or “Pass with warnings” (verify that the warnings are not real errors)
  • Submit the .xml through the WinQual account. You’ll immediately get certified

So it’s not that hard.

The key point to delivering a good user experience is to ensure that your application uses standard installation technology like .MSI, that it doesn’t require administrative privileges, that all configuration is stored in the userprofile (Registry or %APPDATA%) and that it’s multi-session capable.

And that’s all the “Compatible with Windows 7” logo verifies – so if you already have a well-behaving Windows application, getting that logo is easy as pie. It does not cost anything directly – the only costly requirement is the fact that you need a Verisign Authenticode certificate. This will set you back 400$. Microsoft does not want any money from you for this Logo – and it can be great in Marketing your competitiveness and readiness as a software vendor.

Windows Server 2008 R2 and the missing fax printer

Windows Server 2008 R2 was released to MSDN today, and of course i went and installed it on a machine that did something more or less useful – a Fax server. Which is of course an internal system and not really in production.

I’m using a Diva BRI-2 2 Channel PCI-E Card, which already has support for Windows Server 2008 R2, and installing the Diva Software went without any issues.

Installing the Fax service was also easy, but there was no Fax printer to be seen anywhere.

I’ve followed the TechNet documentation for creating a Fax printer on Windows Server 2008 R2, but it didn’t work – at first i received a “Permission denied” error message, after which i started Windows Fax & Scan using Administrator privileges.

This didn’t help that much – i could now go through the wizard, but no Fax account and no printer was created. This seemed strange.

Now, this really seemed like a permission issue. So i disabled UAC, rebooted the server, and tried it again. Everything worked – i was able to create the Fax printer, and after sharing it faxing worked as it should.

So, what now? Why doesn’t this work with UAC? I’ve been running our WS08 servers with UAC disabled (our Vista clients were UAC enabled, and so are our Windows 7 clients), and thought WS08R2 should also work well with UAC enabled. But apparently, that wasn’t a good idea.

Windows XP Mode RC fails with “Parameter is incorrect”

So Windows 7 RTM is out. So i’ve tried playing with XP Mode, which didn’t work for me on the RC version, and after a bit of debugging didn’t find the issue.

So, with a fresh newly installed laptop and the new release candidate of Windows XP mode, i gave it a whirl again. But it failed with the same sequence of completely intelligible error messages, namely “Integration features have been disabled” and the even more helpful “Parameter is incorrect”.

So i installed it on my desktop as well, where it worked without a hitch. The major difference between my desktop and my laptop is that the laptop is joined to the corporate domain and the desktop at home obviously not.

I dug a bit deeper into the event log, and drilled down to Microsoft\Windows\Virtual PC\Admin, where i found this error message:

Could not enable the Integration features for ‘Windows XP Mode’. The current mode is – 0. Last Channel start Value – 0x800700B7, Last Disconnect Reason – 0x300001B, Last Extended Disconnect Reason – 0x0, GHI State of the guest machine – 0x1

Now, this whole “disconnect” thing sounded strange until i remembered that Windows Virtual PC used RDP to deliver the screen – and at that point i thought about the RD Gateway server that’s being pushed by a GPO.

So for a quick test, i set the following key in the registry to zero:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services\UseProxy

And tried starting Virtual PC again. It worked! Setting the key back to 1 predictably led to the same error message.

So next i excluded Windows 7 users from this GPO using a simple WMI filter, which will be a temporary measure to mitigate this issue.

This seems to be a bug somewhere, as those settings shouldn’t break Virtual PC. I’m not sure where i should report this to, but i’ll have a look at that. At least now people with the same issue should get this solution through Google.

Hyper-V Server 2008 R2 Live Migration & Failover Clustering

In the light of the recent announcement how Hyper-V Server 2008 R2 will be licensed, i thought about familiarizing myself with the Clustering & Live Migration capabilities, using the RC release of Hyper-V Server 2008 R2.

I have to admit that Failover Clustering isn’t exactly the field i have a lot of experience in (in other words, i have never used it in production). But after seeing that i wouldn’t be drowning in work this friday afternoon, i decided to give it a whirl.

So, in order to get started i needed two machines that were able to support running Hyper-V Server 2008 R2. One of them was HP ML110 G5, about which i wrote a few months back. Unfortunately, i could use only one of them. So my next choice was an old HP desktop, which fortunately had a VT compatible CPU.

Next, i needed a storage backend. Of course i had to use a software solution, but having no experience and only a very old PIV era IBM SFF PC, i just picked the first Google search result which supported SCSI-3 Reservations, which are required for WS08 clusters. I’ve downloaded and installed Open-E DSS.

For networking, all i was able to find was a 100mbit 3com 24 port hub. Yes, this looked like one of the most ghetto environments i put together yet, but interestingly i got it all to work.

Open-E DSS installs to a USB stick, formatted with FAT32. You just unzip the installation file, run an .exe on the stick to make it bootable, and then you can run the system directly from USB. In my case, using rather outdated hardware, everything was recognized by the Linux kernel. Of course, the machine only having a slow 40GB 5400RPM hard disk wasn’t exactly the fastest on the block, but configuration was surprisingly simple. Unfortunately, installing and activating the Lite license required two reboots, after which it lost all its iSCSI settings (but no data!)

Installing Hyper-V Server 2008 R2 on the ML110 was a breeze. Using sconfig, the machine was quickly joined to the domain, remote administration enabled, failover clustering enabled and using the graphical iscsicpl iSCSI was configured, the volumes formatted and attached.

Next was the HP desktop machine. Installing was fine, worked perfectly, all the necessary hardware was recognized. Unfortunately, the machine only had 1GB of RAM, which meant that i couldn’t do all that much fancy stuff with it. I was in for a nasty surprise here later, because i didn’t enable Intel VT in the BIOS (which is hidden in the “Security” Options). I think the Hyper-V Server setup should give you a warning here if the feature isn’t enabled.

Next i created the cluster. I’ve used this blogpost and TechNet to get a basic overview on what i needed to do. In just a few steps through the cluster configuration wizards, my cluster was configured and ready. I was able to bring my VM online on the first node (the ML110) and decided to install Windows XP, since i only had 1GB of RAM on the second node. I gave the VM 256MB of RAM and ran through the setup (which took ages – iSCSI over a 100mbit Hub to an old PIV with a 5400rpm hard drive isn’t a good idea anymore).

Next, i decided to setup VM networking, created the appropriate VM interfaces on both machines, restarted my XP VM and tried to do a live migration. Which failed. “Insufficient system resources”. Turns out i needed to adjust the amount of memory reserved for the root partition using PowerShell – all described in this Clustering and High Availability blog post.

After running (get-cluster HV01).RootMemoryReserved=128, it failed again. This time with these event log entries:

‘Test-VM’ The switch port connection for “Network Adapter” (BE62B93F-1490-4F7E-8229-FA18D50DC974) is invalid.

‘Test-VM’ Microsoft Synthetic Ethernet Port (Instance ID {BE62B93F-1490-4F7E-8229-FA18D50DC974}): Failed to Power on with Error ‘The system cannot find the path specified.’ (0x80070003).

Failed to connect NIC '9144ED30-35D9-4E5F-8012-70AC436EC603--BE62B93F-1490-4F7E-8229-FA18D50DC974' to port '' on switch '0734959D-3', status = C000003A.

I disabled networking in the VM altogether, and tried Live Migration again. It worked! The next was spent with searching the internet for information about my issue, about which i found nothing. Obviously the network interfaces should be named the same in all cluster hosts, but that was the case. Yet, no matter what i did it didn’t work!

I was starting to doubt my hardware, added a second pair of NICs since the configuration of using the same NIC for everything wasn’t really recommended, but when reading the error message it really didn’t sound like that was my issue. Of course adding the second pair of NICs didn’t help.

So i did what i always did: i started guessing, and after quite a bit of time i got it right. Turns out you must not use the Hyper-V MMC to manage the VM configuration, and instead the “Settings” button in the failover cluster manager. Only issue is that the failover cluster manager has a much more prominent button labeled “manage virtual machine”, which opened the Hyper-V MMC.

After that, everything worked. I was able to live migrate my machine including the network from host to host. I tested running a Top Gear clip through RDP, while live migrating the machine.

Migrating from the slow HP desktop to the ML110 gave about 2 seconds of video outage, but migrating from the ML110 to the HP desktop just resulted in a slow hiccup. My assumption was that this would probably be completely invisible on more modern hardware.

So what does this mean? Microsoft has made Live Migration and Clustering a feature available to everyone, at (almost) no cost. Administrating such a cluster requires Active Directory, and either a WS08R2 server or a Windows 7 machine with RSAT installed.

This means we can finally have decent virtualization features without paying thousands of francs in licensing fees. I hope this makes it possible to create a few virtualization projects for our customers, which are mostly in the small business range.

Hyper-V Server R2 should be available around mid-August, at which point i’ll need to rebuild my Ghetto setup here. I’m of course hoping to get some more cash in order to move our internal virtualization setup from a single-host to a SAN-hosted cluster, but somehow i doubt that will happen quickly.

Update:

I’ve played around with Expression Encoder a bit, and created a Video of a Live Migration. I’ve put the probably most boring video on Youtube – Live Migration of Pinball.

My first experiences with SSDs

So SSDs have been out for quite some time and with the upcoming release of Windows 7 (August 6th on TechNet), i decided to get myself one at home. This coincided nicely with Intel’s announcement of the X25-M G2, the 34nm SSD.

I ordered mine last Friday and it arrived yesterday. It looks like i was rather lucky with this, because Intel has since withdrawn them because of an issue with using a HDD password. Since i don’t use that, i didn’t care and installed Windows 7 RC.

And, well, the performance is absolutely astonishing. I’ve upgraded from an old AMD X2 running Windows 7 Beta earlier this year to an i7 also running Windows 7 Beta – more RAM, new hard disk, new graphics. The UI wasn’t noticeably faster, sometimes Explorer decided to take ages to work things out, the event viewer was still rather slow, but of course video recoding and games were a lot better.

But now, with an SSD, the UI is extremely responsive – event viewer opens instantly, switches instantly between categories. It just feels like a new machine, with just one part replaced.

So, yeah. I’m quite pleased with my purchase.

Office 2010 Technical Preview now available

Finally, Office 2010 is now available officially.

I’m currently running Windows 7 Build 7100 x64 on my laptop, so i decided to uninstall Office 2007 and install Office 2010, the x64 version.

Unfortunately, the x64 version does not support running any x32 plugins. This is unfortunate, since one of the key features of our ERP package is a tight integration with Microsoft Office, which even i used from time to time. We call it the Office Solution Pack, which has been completely rewritten as a native .NET Office 2007 Plugin. The screenshot to the right is slightly outdated, but it clearly shows the integration we had.

I’m already pushing our developers for a x64 version of the plugin, but i suspect it will take a lot of time until all applications we are using (e.g. System i Access) are running on Office 2010 x64.

Also, it’s important to know that having 32bit plugins around after installing Office x64 will lead to several nasty error messages. You will need to uninstall the 32bit plugins before installing Office x64. Interestingly, the Primary Interop Assemblies come now shipped with Office by default. This alleviates installing them, streamlining the plugin installation process.

This also means that Office 2010 x64 will be a very niche product, and most people will opt to deploy the 32bit version. This isn’t bad – now that an x64 version is around, plugin developers can start adopting and we may see larger deployments of Office 2010.Next x64.

I’m now running my productive mailbox against Office 2010. Yep, might be risky, but it also gives me a very easy way to learn a new product before we’re actually pushing it to customers. I’ve found that i’ve never learned all that well in a separate environment.

So, what’s new in Office 2010? Well, the only application i use daily is Outlook. And we will see how it plays out. Outlook 2010 now also comes with the new ribbon interface, and so far i like it. We will see how this plays out.

Acommit AG is hiring

My current employer Acommit AG is hiring.

We’re looking for a developer with knowledge on .NET (C#) and Java for our office in Horgen/ZH.

I’m not that much involved with our development team, but i can tell you that you’ll have current infrastructure to work on – Windows Vista/7, Visual Studio 2008, a current PC with two highres screens, a virtualization environment for testing and of course free coffee and soda.

Official text and contact on the official Website.