Blank Live Communication Server (LCS) 2005 MMC Snap-In

Description

You have successfully install your Live Communication Server (LCS) 2005 or LCS 2005 with SP1. However when you start the Live Communication Server Administration tool you got blank page only.
There's nothing appear at the left hand side of the mmc window. The account that you are using already have the correct permission.

Resolution

Create a new MMC snap-in to manage the Live Communication Server 2005.

> Click Start, click Run, type mmc, and then click OK.
> In the Console1 MMC snap-in, click Add/Remove Snap-in on the File menu.
> In the Add/remove Snap-in dialog box, click Add, click Live Communications Server 2005 in the Add Standalone Snap-in dialog box, click Add, click Close, and then click OK.
> On the File menu, click Save As.
> In the Save As dialog box, locate the %WINDIR%\System32 folder.
> In the File name box, type wrtcsnap2.msc, and then click Save.
> Click Yes when you are prompted to overwrite the existing wrtcsnap2.msc file.

For details, please see http://support.microsoft.com/kb/926921

Email being block by att.net

Description:

Users are having issue when sending email to certain domain. From the undeliverable message, you could see, " is blocked. For information see http://att.net/blocks'>". You've check with known blacklist provider and none of them have your IP listed.

Resolution:

To remove your IP from their list is through their website http://att.net/blocks. Choose Tools for administrators of mail systems whose messages have been blocked. Fill in your IP address, name, contact number, and the error message that you received. After that click submit. It would take a couple of days for them to remove your IP.

Email being block by 88.blackzap.net – Frontbridge

Description:

Users are having problem sending email to some domain. From the error message you could see “smtp; 550 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using 88.blacklist.zap; Mail From IP Banned To request removal from this list please forward this message to delist@frontbridge.com>”. You’ve check with known blacklist provider and none of them have your public IP listed.

Resolution:

The only way to get your public IP remove from their blacklist is through email. The list is proprietary and not open for public. You need to send them email asking for delisting and they will reply back to you in one business day. This is the case if you get listed the first time. But if you IP get listed again, the process would be more difficult and take much longer time.

Frontbridge is owned by Microsoft and its part of their Exchange Hosted Services. However the support seems only available on US working hour’s time. Other than that, there’re some false positive that could make good legitimate email being blocked.

Cannot start IPSEC service error. The system cannot find the file specified.

Description:
Suddenly you cannot logon to the domain from a server. You cannot ping it, even though the network card is connected to the network and functioning normally. You can ping to self from the server. No firewall blocks the connection. When looking through event viewer, you notice 2 errors were log; Event ID 7023 and Event ID 4292 (IPSec driver has entered Block mode). Both are related to IPSEC. You check the IPSEC services and found that you cannot start it. There’s “The system cannot find the file specified” error.

Resolution:
The problem occurs when there’s corrupted file in the policy store. The file may become corrupted if an interruption occurs when the policy being written to the disk. To solve it, please go to HKEY_LOKAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local. Delete this subkey (if exist). After that, rebuild the new local policies store. To do that, click Start > Run > type regsvr32 polstore.dll. Try starting the IPSEC services again. All issue should work well now.

Event ID 9325 logged when running Exchange Offline Address Book (OAB) generator

Description:
You notice that there are a couple of event ids 9325 being logged at your exchange server. All function seems to run normally. The error message shown something like “OALGen will skip user entry person name in address list '\Global Address List' because the SMTP address is invalid”.

Resolution:
Using Adsiedit.msc console, go to the SMTP proxy address attribute and proxyaddresses attribute. Check the value and correct or remove any invalid SMTP address. You can refer to the Microsoft KB 926206 (http://support.microsoft.com/?id=926206) for detail info for how to resolve these errors.

Event ID 9321 logged when running Exchange Offline Address Book (OAB) generator

Description:
You notice that there are a couple of event ids 9321 being logged at your exchange server. All function seems to run normally. The error message shown something likes “OALGen could not generate full details for entry person name in address list '\Global Address List' because the total size of the details information is greater than 64 kilobytes.”

Resolution:
The most common cause for this is a large number of certificates published for the user, causing their details to be over the 64kb limitation for the details in the OAB. There is no way to increase this limit, so the solution is to remove any unneeded certificates from the users so that we get the details under 64kb.
To clean out the certificates:
- In ADUC, make sure View, Advanced Features is checked.
- Go to the properties of the user.
- Published Certificates tab.
- Remove any unneeded/expire certificates.

Exchange Server - Cannot Generate Offline Address Book (OAB) error 8004010e

Description:
Exchange server cannot generate offline address book. Newly created email address doesn’t appear at the Global Address List. At the event viewer you see error logged with event id 9338, 9330, and 9126. You’ve try changing the server generating OAB to other, but the same error occurs.

Resolution:
The most common reason for failure to generate the OAB with error 8004010e is a mangled attribute in Active Directory.
Use Nspitool.exe to identify which user has the mangled attribute.
1. Save and unzip the attachment to your Exchange server.
2. Click Start, click Run, type in cmd and click Ok.
3. Navigate the directory which you save the nspitool.exe in and run the following command: nspitool -WalkAddressList >c:\nspioutput.txt
You should see something like “QueryRows failed 0x8004010e on entry personname, WalkAddressList ended with 0x8004010e” on the output text.
Next step is to use adsiedit.msc to connect to GC partition to check the attribute value. Go to the user properties and check the manager attribute value. Is it the same with the Active Directory User and Computer (ADUC) version? If not, change the value at ADUC to something else, wait for the replication to occur, and change it back to the correct value.
The attribute value shown through ADUC and through adsiedit.msc should have the same result.
Run the nspitool.exe again and do the necessary fix until there’s no “queryrows” error anymore.

Checklists when promoting a Windows Domain Controller

Here are some of the things that you must configure when promoting a domain controller at a forest with multi sites and multi domains topology. 

If this is a new Domain Controller at new site: 

a. At Active Directory Sites and Services, create a new site. 

b. Create a new subnet and link it to the newly created site. 

c. Configure the IP site link for Active Directory replication. 

· Promote the Windows Server to become Domain Controller. 

· Configure the Domain Controller to become a DNS server – Active Directory Integrated (Domaindnszones). 

· Configure the Domain Controller to become a Global Catalog server. 

· Configure DNS Forwarders. 

· Configure the Domain Controller to be the Authoritative Name Servers in the domain. 

· Enable Strict Replication Consistency. (more) 

· Disable Windows Scalable Networking Pack Components. (more) 

· Change Windows Time Service MaxNegPhaseCorrection and MaxPosPhaseCorrection value to 48 hours. (more)

How to disable Windows Scalable Networking Pack Components

Description
Scalable Networking Pack (SNP) is enabled by default as part of installing Windows Server 2003 Service Pack 2. SNP can be used, under specific circumstances, to improve network performance. Most environments, however, do not have SNP capable network adapters/drivers. This can result in unexpected network problem which is why it is recommended to disable SNP unless a server can benefit from it. For Domain Controller, it is recommended to disable this feature.

Resolution
To disable SNP, modify certain this registry values:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: EnableTCPChimney
Value: EnableRSS
Value: EnableTCPA
Data: 0 or 1
Each component can be individually enabled or disabled. Set the value to "0" to disable it.

Windows Time Service time correction setting

Description
The Windows Time service by default in Windows 2000 and 2003 allows for a positive or negative time correction of any amount for domain controllers. This can cause serious problems in a forest should a dramatic time shift occur. This can even occur when synchronizing with other authoritative sources as hardware problems, software problems or human error can cause them to provide the wrong time. Some of the problems that can occur from a dramatic time change are Windows Server 2003 based domain controllers may be quarantined, deleted objects may be prematurely purged before end-to-end replication of the deletion is fully replicated (causing lingering objects), user and computer passwords may expire unexpectedly, and trust passwords becoming out of sync.

Resolution
Modify the default value on the following registry.
The registry key(s) are different depending upon the operating system version.
Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: there is an accompanying MaxPosPhaseCorrection value to control positive time changes.)
Windows 2000
Path: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value to control both positive and negative time changes.)
Change them to a positive/negative value of 48 hours (0x2A300 or 172,800 seconds).

Could not start DHCP Client Services

Description:
One day you discover that DHCP client services on some of your server cannot be started. It gives you “access is denied” error message. The DHCP client services already use network service account to logon. You suspect that one of the recent windows patch that causes the issue.

Resolution:
The Network Service requires permissions to open the‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters’ registry keys for the DHCP Client service to start. Some updates can remove the Network Service permissions to these registry keys. Please check and re-add them if necessary.
1) Open Regedit.
2) Navigate to ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp' and click on Parameters.
3) Click on Edit menu then go to Permissions.
4) In the 'Permissions for Parameters' window, click on Add.
5) In the 'Select Users, Computers and Groups' window, type in "Network Service" (without the quotes) and click 'Check Names'. You may need to change the Location to "System".
6) Click OK.
7) In the 'Permissions for Parameters' window, highlight the Network Service group and give it Full Control and Read permission by selecting the check boxes.
8) Click OK
Try starting the DHCP client service again.

Cannot Upgrade from Windows 2003 Service Pack 1 to Windows 2003 Service Pack 2

Description:
You are having an issue when trying to upgrade your Windows 2003 Service Pack 1 server to Windows 2003 Service Pack 2. The upgrade process runs for a while and stops in the middle because of WMI error. You cannot do the upgrade from Add/Remove program too.

Resolution:
The issue cause by some corrupt files inside %windir%\system32\wbem\repository. Files in this folder is the database of WMI, if the files in this folder are corrupt, the WMI service will not work correctly. Delete the files in the folder %windir%\system32\wbem\repository. After restart the WMI service again, the files in this folder will be rebuilt again.
Below is the script to do it automatically:
################
sc config winmgmt start= disabled
net stop winmgmt /y
%systemdrive%
cd %windir%\system32\wbem
if exist repository.old rmdir /s/q repository.old
rename repository repository.old
for /f %%s in ('dir /b /s %windir%\system32\wbem\*.dll') do regsvr32 /s %%s
regsvr32 /s %windir%\system32\tscfgwmi.dll
wmiprvse /regserver
winmgmt /regserver
sc config winmgmt start= auto
net start winmgmt
for /f %%s in ('dir /b *.mof') do mofcomp %%s
for /f %%s in ('dir /b *.mfl') do mofcomp %%s

Invalid FSMO Role Owner for Application Partition

Description:
When running the ADRAP program you found the following warning/error.
The following application partition contains an invalid FSMO role owner:
Partition: cn=infrastructure,dc=forestdnszones,dc=corp,dc=com
FSMO:CN=NTDS Settings\0ADEL:97d…,CN=Server01\0ADEL:67…,CN=Servers,CN=SITEA,CN=Sites,CN=Configuration,DC=corp,DC=com

Resolution:
Use adsiedit.msc and reset the fSMORoleOwner attribute on the infrastructure master of your root domain. Use the value from Distinguished Name (DN) attribute of the corresponding application partition as the new value. You may need to use an account which has Enterprise Admin permission.

Exchange 2007 High Level Sample Design

Design I:
· Role separation
· No redundancy

Design II:
· Local Continuous Replication (LCR)

Design III:
· Single Copy Cluster (SCC)

Design IV:
· Cluster Continuous Replication (CCR)

Group Policy for safe sender lists in Outlook 2007 does not work

Description:
You have set Outlook 2007 safe sender list through GPO however it isn’t applying to users. You’ve check that the GPO was applied successfully.

Resolution:
Change the safe sender list path to \\servername\sharefolder\filename. It cannot use the %logonserver%\sharefolder syntax.

Proxy Exception at Internet Explorer does not work

Description:
You have set proxy exception for IE through Group Policy (GPO). For some reason the setting won’t apply to user’s computer. You verified that the GPO has the right setting and has no conflict with other GPO. You also confirmed that the GPO was applied to user’s computer, but the computer registry contains different data.

Resolution:
Please check the exception list content. Make sure there’s no invalid character or value. If the http address in Proxy Exception list contains more than two “/” characters, the IE Branding extension would accept this setting. You should remove the rest of the “/” from the http address in proxy exception list.

Exchange SMTP Internet Connector frequently down

Description:
You have Exchange 2003 Front-End server configure to route emails to third party appliance smart host. One day the Exchange Internet connector frequently converted to down state causing mail queue when sending to external address. No issue when the connector is configures to use DNS instead of smart host to dispatch email. You have check for possible Antivirus or SMTP Protocol issue using Winroute and Regtrace but everything looks ok.
On the Netmon trace result, you can see that Exchange didn’t receive ACK for certain packet from the smart host and it terminates the connection after some times.

Resolution:
Make sure that the network speed and duplex setting at the smart host is the same with the connection setting at core switch. Running manual setup might be required to eliminate the issue.

Missing PTR Record in DNS

Description

You create a PTR record on your Active Directory Integrated DNS Server. After a while the PTR record suddenly missing. Your Active Directory and your DNS server are working fine. Replication between Domain Controller also working normally.

Resolution

Be sure the "register this connection's addresses to the DNS" checkbox option is enable, the server than will automatically register its ptr record to the DNS server.

Enable Strict Replication Consistency

Description
Supposed a domain controller get disconnected from the replication topology for an extended period and then later on reconnect it. You need to make sure that no outdated Active Directory objects can be replicated within the forest.

Resolution
Use regedit command and go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Create a Strict Replication Consistency with REG_DWORD data type. Set 1 as the value.

This setting ensures that no outdated objects are reintroduced into Active Directory Domain Services (AD DS).
You need to set it on all of the Domain Controller within the Forest.

Error when burning CD

Have you ever get an issue when trying to burn some files to a CD/DVD?
In my case I got error writing Lead-In when trying to burn some file using UltraISO on my IBM T42 CD ROM (HL-DT-ST RW/DVD GCC-4242N). I can use it to read any CD/DVD with no issue.
I try to change the burner software to Nero but got similar error too. Try to lower the burning speed with no luck.
Previously I remember that I can burn a CD with that CD ROM, somehow it's just stop working.
I try to search for a driver update but cannot find any. A firmware update maybe available but I think that's too much for the issue.
Finally I try to clean the lenses. Just wipe it with a clean tissue, try to burn, and it works.

AD Modify

If you ever need to change an attribute for a lot of user in Active Directory, you might want to use ADModify.Net tools. It is available free.

Following is the example for querying any user that has empty mobile phone number field in Active Directory.

(&(&(objectcategory=person)(objectclass=user))(!mobile=*))