TechPublishing Now MS Certified

Professor Robert McMillen, MBA Microsoft Certified Trainer and Solutions Expert

Sunday, September 5, 2010

Windows updates won't install

Here is a new one for me. On my Windows 2008 64 bit installation I had an error that can also happen with Vista and Windows 7. When running Windows updates I get an error 80072f8f. After looking up all the scenarios I found that I should make sure my date and time is correct, which it was. I also found you should re-register 3 DLLs, but in some cases I read 4 DLLs.
That didn't work, so then I went here:

I downloaded the root repair and it fixed the certificate issues with not trusting the Microsoft certificate. After that updates now work.

Thursday, July 29, 2010

Inbound GMail issues

If you have anyone with inbound Gmail problems I found out that if they have Exchange 2003, and the Intelligent Message filter turned on, you have to have it at a level of 6 or higher. Otherwise it will be rejected. There won't be any message in your server, but the sender will get a generic reject notice.

Friday, July 2, 2010

How to see what ports are open and listening

I came across an issue with my server not listening on 3389 for terminal server access after the last update bombed the computer. I wasn't sure if the issue was because of a conflicting port so I ran the following command from a prompt:
netstat -a -o
That tells me what ports the server is listening on followed by a PID number off to the right.
Then I ran:
tasklist /svc
This ties the PID to the task or service running it. Now I can see what is trying to use the port and resolve the conflict.
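
The two-step lookup above can be done in one pass. This is an added example, not part of the original post: the function name Get-PortOwner and the sample rows are constructed for illustration, and the parser assumes English-language netstat output.

```powershell
# Added example: join "netstat -a -n -o" with "tasklist /svc" to show which
# process and services own each listening port.
# Assumes English netstat output (the LISTENING state keyword).

function Get-PortOwner {
    param(
        [string[]]$NetstatLines  = (netstat -a -n -o),
        [string[]]$TasklistLines = (tasklist /svc /fo csv /nh),
        [int]$Port = 0                      # 0 means "report every listener"
    )

    # Build a PID -> (image, services) lookup from the CSV form of tasklist.
    $procs = @{}
    $TasklistLines | ConvertFrom-Csv -Header Image, ProcId, Services |
        ForEach-Object { $procs[$_.ProcId] = $_ }

    # Groups: protocol, local address, local port, optional state, PID.
    $pattern = '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$'

    foreach ($line in $NetstatLines) {
        if ($line -match $pattern) {
            $proto     = $Matches[1]
            $addr      = $Matches[2]
            $localPort = [int]$Matches[3]
            $state     = $Matches[4]        # $null on UDP rows
            $procId    = $Matches[5]

            # TCP rows count only when LISTENING; UDP rows carry no state.
            if ($proto -eq 'TCP' -and $state -ne 'LISTENING') { continue }
            if ($Port -ne 0 -and $localPort -ne $Port) { continue }

            $owner = $procs[$procId]
            New-Object PSObject -Property @{
                Proto    = $proto
                Address  = $addr
                Port     = $localPort
                ProcId   = $procId
                Image    = $(if ($owner) { $owner.Image }    else { '(unknown)' })
                Services = $(if ($owner) { $owner.Services } else { '' })
            } | Select-Object Proto, Address, Port, ProcId, Image, Services
        }
    }
}

# Constructed sample (not captured from a real server): port 3389 is held by
# a process other than the expected service host.
$sampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID'
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704'
    '  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2216'
    '  TCP    10.0.0.5:445           10.0.0.20:49212        ESTABLISHED     4'
    '  UDP    0.0.0.0:500            *:*                                    912'
)
$sampleTasklist = @(
    '"svchost.exe","704","RpcEptMapper,RpcSs"'
    '"example.exe","2216","ExampleSvc"'
    '"svchost.exe","912","IKEEXT"'
)
Get-PortOwner -NetstatLines $sampleNetstat -TasklistLines $sampleTasklist -Port 3389

# Against the live machine:
# Get-PortOwner -Port 3389
```

Called with no arguments it runs both commands itself and lists every listener with its owning image and services.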

Tuesday, June 22, 2010

Windows Bugs and More

It was our own server that went down yesterday. We were here until late into last night troubleshooting our server after we tried to do a Windows update to install Sharepoint 2010. The update not only made the server boot extremely slow but it changed our automatic services to disabled, such as Exchange 2007.
When I tried to enable it as automatic it would cause the services program to freeze up.
One thing many people should be aware of with Server 2008 is that there is no system restore and no way to do a Windows repair like you could with previous versions of Windows server.
Since it was a Microsoft bug we decided to call them. Although we get free support from our Microsoft Gold Partner status, a lot of people don't realize you can get free support no matter who you are if your server went down due to a Microsoft update.
After calling them we had to wait many hours for a call back but eventually they sent us the fix for it. We had to make a registry entry DWORD to place a higher priority on HTTP proxy than was set by the update. After that we rebooted and changed the status of our services to automatic and it all came back up.

Friday, June 18, 2010

Portland ITEC show

Went to the Portland ITEC show. It was moved to a smaller venue due to less people wanting to spend money on a booth. We partnered with IBM and brought out our Blade Center for show and tell. I gave a speech on the changing times for IT staff brought about by the cloud. I think it went pretty well, but I had the lunch hour talk and people were munching away and not responding as much as most of the talks I give.
It was still fun and we are following up on all the leads.

Calendar items delayed in Exchange 2003

I noticed that if you send a calendar item or update to a user from an Exchange 2003 server to someone with an Exchange 2007 server you may get a message delayed error or it will fail. Sometimes you get the error but the message goes through. All very strange. It has to do with 2007's inability to deal with 2003's message headers. A hot fix from Microsoft fixed us right up however.
Here is the URL to the article:

Friday, June 11, 2010

Upgrade to SBS 2008 from 2003 problems

I had another difficult one today. When upgrading to 2008 SBS from 2003 you first have to make sure that SBS service pack 1 is installed. This is not the same as Windows 2003 SP 1 or 2. So after trying to install that it says that KB891193 has to be installed. So I download that and it gives me an error about not being able to find the specified path.
It turns out that if the clientapps folder either gets moved, or has its permissions changed then that update won't work and you can't move forward. So go into regedit and lookup the following key:
Check to see if that destination exists and you have full permissions to everything. Also you need to be logged in as the administrator with full default rights. Since it's a domain controller you can't log in as the local administrator, but you still have to be in as the domain administrator.
Once that's run you can now run the SBS service pack 1. These files are both over 200 MBs so make sure you have time and bandwidth to download them from Microsoft.
After that you can continue with the migration.

Thursday, June 10, 2010

Finally, an MCITP

I passed the 70-647 test today which is the third and final test to get my Microsoft Enterprise MCITP. There are only 15k of us worldwide at this point. This compares to around 400k back in the NT 4 version. This test was a little harder for me than the 70-649. I studied months for it and I found it much easier. The test I took today I only studied for a couple of weeks. I didn't get as good of a score, but a pass is a pass. Plus there were a bunch of questions that were not on any study guide or in any book, so I had to really think hard about what I was reading.
I have been studying for so long I am having study withdrawal. Decided to watch a scary movie. Should be fun sleeping tonight.

Wednesday, June 9, 2010

Access to Exchange 2007 mailboxes has changed

I was trying to help a customer open another person's mailbox after upgrading to Exchange 2007. The old way was to give administrator rights in System Manager in exchange 2003, but that no longer works with this new version. I went in and gave full permission rights in 2007 after hunting it down, but even that didn't work.

If you are an administrator trying to get access to everyone's email there is a command in Exchange Power Shell to do it.
get-mailbox | Add-mailboxpermission -User yourdomain\yourusername -AccessRights FullAccess

You still can't open it in Outlook using file- open- other user's folder, but you can add it as a separate profile. From there you can share the inbox or any other folder to open it in your profile later.

Monday, May 31, 2010

Windows 2008 Administrator disabled on new installs

I couldn't believe it but I had it happen twice since R2 came out. The administrator for the domain is disabled for some reason. Going in under another administrator name or using safe mode with the administrator account allows you to reactivate it using the command:
Net User Administrator /active:yes
What will Microsoft think of to make our lives miserable next?

Sunday, May 30, 2010

More Studying!

I am now studying for the 70-647 Microsoft Enterprise test. It seems to be similar to the 649 so hopefully it won't be that big of a stretch.
I noticed a couple things about SSTP VPN this week. A couple of weeks ago I posted a config on how to set it up. I noticed a couple of problems since then. On Windows 2008 R1, there is a bug that keeps this from working. I haven't figured out why yet, but I will. On R2 it works just as I had explained, but on Vista computers you may have to add a registry command that Microsoft recommends.
On Vista I can connect to the SSTP VPN but I can't pass any traffic. Microsoft says to do this:
  1. Start Registry Editor (Regedit.exe).
  2. In Registry Editor, locate the following registry key:
  3. Set the following registry value:
    Value Name: IPEnableRouter
    Value type: REG_DWORD
    Value Data: 1
    A value of 1 enables TCP/IP forwarding for all network connections that are installed and used by this computer.
  4. Quit Registry Editor.
I made these changes and it works great. Give it a try.

Thursday, May 27, 2010

Passed the test

Today I took the 70-649 upgrade to 2008 test. Passed with a 970. I was so happy to get that one over with. Now just one more test to be a 2008 Enterprise MCITP. Then I think I will go back to making more How To Videos on You Tube.
I was pretty worried about this one so I over studied for it if that's possible. I took the test when it first came out in 2008 and failed it. There just wasn't good study materials back then. New tests are like that. But now there is a wealth of good stuff and I was able to use it to pass the test.

Friday, May 14, 2010

Blackberry Server Issue

We had a customer yesterday that had their Blackberry server suddenly stop sending mail. I remoted into the server and found that they had an SRP identifier connection error.
The key started with a T instead of an S. That told me that they were using a temporary key and it just expired on them.
They had the key that started with an S but even after I installed it there was a connection error.
The issue with this is that you have to call RIM for support, and if you don't have a contract you either have to pay for the ticket or explain to them they just need to activate a key that they already sent you.
Fortunately I had a contract so it was not as big of a problem but it still took several hours before I could get them to figure out how to activate their own key.
Well, at least we get paid by the hour, and it wasn't our mistake.

Thursday, May 13, 2010

Exchange 2003 store keeps dismounting

We have a customer that had their Exchange store crash. Normally we can restart or remount the store fairly easily, or at worst restore from backup. It didn't work for this customer, so I had to do something more drastic.
I used the eseutil /p command followed by the store path to repair the databases. I don't normally use this because it could damage the store further. Exchange 2003 is just a big Access database, unlike Exchange 2007 which is SQL.
Access is not very robust when you start messing with links from email to headers, but in this case it was the only solution.
After running the repair I had to delete the E00 files and then run eseutil again with the /d switch to defragment the database. It really fragments a lot when you run the /p, so this is to speed the store back up again.
Everything mounted great after that, but the next day it crashed again. I looked at all the log files and noticed just before it crashed that the backup program was running, so I disabled it and fixed the store the same way again. It was all good for five more minutes until it crashed again. Then I suspected a hard drive sector problem.
This time I defragged the hard drives, and then rebooted and ran a scandisk. It found a lot of errors. After it rebooted I ran the fix again, and this time it stuck. No more crashing.
But the hard drives are on their way out so we had to sell the customer a new server because this one was many years old. Planned obsolescence is an awesome business model.

Wednesday, May 5, 2010

Dealing with inexperienced users

I stayed late in Seattle last night fixing and replacing a firewall. I'm not a big Sonicwall fan. They have a high failure rate with my customers, but sometimes you get stuck with them because they already have a lot of them before I start assisting them. I got it all fixed up around 9 PM.
The next morning I get a panicked call that no one is working. I think maybe I now have three bad Sonicwalls, as the first two went down on me in the past few months. But it turned out to be very different from that. I remotely logged into the firewall and saw everything still up and running, so I called them back and asked them to tell me the issue. The first lady said "the computer has a strange message. It says the screen is locked". It turns out that they never do that. They only log off or shut their computers off so that was a new screen for them (despite having used computers for so many years they couldn't remember their first one).
I told her to hit ctl-alt-del and type in her password. It worked and she was happily working away.
The next computer user said that her computer was on but the screen was off, and she wanted to know what I had done to her computer. Apparently her computer never went to sleep before, so I told her to press any key.
After doing so the monitor came on and everything was working.
How can people not know the basic functions of their computers? Well it's like this. Non technical people only do the bare minimum on the computer to do their job. If anything deviates from that they get extremely stressed. Some to the point of being in tears and losing sleep.
If you are new to IT then you will learn this as well. They aren't stupid. They're just complacent.

Monday, May 3, 2010

SSTP VPN setup

I just set up my first SSTP VPN. There are just a few differences from PPTP and it’s more secure and faster to use. You only need to port forward 443 to the server. The documentation out there leaves out key things for people who want to set one up with a single NIC that’s behind a firewall like we mostly do.

First go to server manager and then add roles. Choose to add the Web IIS role and click next. Go with all the defaults except go ahead and check all the boxes under the security section.
Complete the install and open up IIS. Click on the server on left and then double click the server certificates on the right. Create a domain certificate. Fill in the blanks, but the only important one is the common name. You have to create an A record for a public common name with the DNS host like Network Solutions. If you already have one then go ahead and use that.

You have to have an internal certification authority already installed. This is by default on all SBS servers, but you may have to do this manually by adding the certificate services role if you don’t. If you already have one then it will show up in the list. You can call the friendly name anything you want, and click finish.

Next go back into roles and add the Network policy and access services role. Choose Routing and remote access services and the remote access service and routing options. The new role appears. Open it and right click on the Routing and remote access option and choose to Configure and enable.
Choose custom and only the VPN option.

Change the VPN client on the workstation to use SSTP as its first choice and log in.

Thursday, April 29, 2010

Couldn't start routing and remote access in Windows 2008

I was trying to install the network policy service in 2008 to set up a Radius server. The policy wouldn't install properly, so I uninstalled and reinstalled with the same results. After poking around I tried to manually start the remote access service. It said that the dependency service wouldn't start. I went through each dependency and found that everything started except for Telephony. I tried to start it and it would start and then stop right away.
I went into the properties and looked at who was logging in to start this service. It said it was the Network service. For some reason the rights for Network were not enough to start it. I could have looked everywhere, but instead I changed it to the local system account and it started up. Now the rest of the services started and the policies installed. Success!

Wednesday, April 28, 2010

Lots of interviews this week

Yesterday we recorded our radio show for KUIK and KKOL. Lots of good topics this week including information about the iPhone 4 leak. I was interviewed today by Lars Larson for his national show discussing the constitutional ramifications of the case and how technology changes law. I was also on CBS affiliate KOIN in Portland today discussing how to make a computer run faster. Eric Taylor brought his wife's PC in. He was confident the issue was not a virus because he had Norton 360 on it, but he was surprised when I found over 200 viruses and spy-ware programs that got past it. The computer runs a lot faster now, and it was a fun segment.

Monday, April 26, 2010

Studying for a Microsoft test

Had a lot of little issues today, but nothing too perplexing.
The big news is that I started studying for my last two tests to get my 2008 Microsoft Enterprise MCITP.
I hate studying for tests when I haven't been doing them for a while. If you get out of the groove it takes a lot of mental will power to get back into them. It's way easier if you just keep one going after the other. The last test I passed was the Vista test. It was pretty easy and only took about a month to prepare for.
The 70-649 is a much harder test, so I will be working on this for a while. I've passed so many of these I decided to pull out all of my certifications. I'm coming up on around 40 of them. Many people get these paper certs and never really use them. There are 400,000 MCSE's on NT 4, but by the time you get to 2008 it drops to 55,000.
These tests are way harder than the late 90's when I started on NT 4. I think it's thinning out the herd.

Wednesday, April 21, 2010

Hive error after server crash

Life is full of surprises. The server disaster of the day was a server that crashed sometime in the night for a customer and came up with a hive corruption error on reboot. All the exe files worked but anything with an msc extension didn't.

After nosing around I did the following: I went into the C drive and pushed out the permissions without making any changes. I figured something caused a permissions change and that would fix it. Then I re-registered all of the Volume Shadow Copy service files after stopping vss. Not all of the files registered properly but most of them did. MSC files started to work.

After that I was able to start DHCP and some other services that were down including Shadow Copy. Then I re-ran Service Pack 2. After rebooting we still had a hive error and IE wouldn't work right. MSDTC also wasn't starting. To fix MSDTC I added a %systemroot%\system32\dtclog folder. It was missing. Then I ran msdtc -resetlog from a command prompt. The MSDTC service then started.

Since the server was running IE 7 I went ahead and copied over the setup files for IE 8 and ran the upgrade. After a reboot everything came back without error.

Tuesday, April 20, 2010

Exchange 2003 Global Address List

Saw a strange GAL problem today with a new SBS 2003 install from a few months ago. We didn't see it at the time but the GAL wasn't updating. The first step was to go to System Manager and rebuild the list under the recipients update service. Then restart the MTA stacks.
Since that didn't work we deleted and recreated the Global Address List. Now the server GAL showed the new list properly. Next we went to an Outlook client and went to see if it updated. It didn't so we deleted and re-added the offline GAL from the server. We then logged off and back on and it still didn't show up. After waiting some time however, it finally updated itself.

Wednesday, April 14, 2010

Saw the new IBM servers

Ex5 came out and I went to a lunch and learn in Portland to check them out. There are some pretty amazing changes going on with the new architecture. I also like that they have a new SAN that is just solid state drives.
The biggest change besides the faster processors is that they have tons of RAM slots. This way you can create a lot more VMs.
At the end I asked them why they are still using Intel chips instead of their own Cell chips, and they did not want to answer the question. I should look further into this.
They use them in the PS3 game console and work amazing. What reason could they have for not using them in a server?

Monday, April 12, 2010

SQL is a pain

I have been working on upgrading a customer from Symantec Backup Exec 10d to 12.5 today. I hadn't done one that was this old for a while so I forgot you have to be on at least 11d in order to do this. So I had to completely uninstall 10d in order to do a fresh install.
The uninstall went fairly well, but the install of 12.5 failed with some error codes I had to look up. Since I was working remotely I forgot you had to be in console mode in remote desktop in order to get it to work right, so I ran an mstsc /v server /console.
I re-ran the setup only to be stopped again. This time it was SQL. There was a half way installed version of SQL 2005 Express from a previous vendor. It wasn't showing up in add and remove programs but it was definitely there. Now I had to go through the registry and uninstall each registry key by running an msiexec command for each SQL key that was found. KB article 909967 explains all of this.
The problem is that one of these keys still won't uninstall, so it's time to call Microsoft.

Friday, April 9, 2010

Sorry IPAD, maybe it's just me

I just don't think the IPAD will be a laptop, netbook, or any other replacement for anything. It may be a whole new reason to be plugged in, but I don't see it as a replacement. More than half of the apps are games according to PC World. So you'll be able to play solitaire or Qbert more often. You can't play console games with your fingers, so it won't replace that. Maybe we'll be more like South Korea where games are more important than taking care of our kids, or our kids will be on the IPAD so much we'll get more sleep.
We may even decide to travel with them to watch movies and send email, but we'll still need our laptops.
In a few years this could, and possibly will change. This just doesn't work in its current consumer only form.

Tuesday, April 6, 2010

Verizon FIOS support

I had noticed we had a bad route last night, so I called up FIOS support to tell them we needed them to fix it so we could go to a certain block of IP addresses on the internet. It was for one of our customers who needed to traverse into another ISP's block of addresses to get to a website. I got this horrible support lady who told me she couldn't help me because as long as we could get to the internet in general, then there was no problem. When we have a customer with a T1, we deal with these routing issues all the time. The ISP, even Verizon, typically has no problem in looking at trace route logs to assist and find out where the bad router is.
So this Verizon lady said to me "As long as you can get out to a website then it's not our problem. Do you want me to change the entire internet just for you?"
Then I asked to have her create a ticket so it can be escalated above her, and she said no. Then her supervisor was consulted and he said no. So I asked to speak to him and he took an hour to call me back. In the meantime the customer is going crazy trying to get to this site.
Finally when he called me back I reamed him and he did escalate it and it was resolved. But that was two hours I will never get back.

Monday, April 5, 2010

The old dog won't let go

We are trying to set our company up to support a new office for an existing customer, but the old IT provider just won't let go. Don't you just hate that?
They won't give us access to any of the hardware, and of course they're the only ones with the passwords. It may be time to go and do some resetting.

Did a lot of interviews over the weekend for the new IPAD. I did the Lars Larson show, Jeff Krupf show, and Koin News. Lots of fun telling people to wait for the next IPAD release.

Friday, April 2, 2010

No dialin box for VPN in Windows 7?

I just had a call from one of my business partners and he told me he ran into a problem. He wanted to use the dial up box so he could VPN into the network so he could login to a Windows domain just like he did in Windows XP. Since the dial up box is missing I told him to do the following. First create your VPN connection in the Network and sharing center.
Go to the Windows\system32 folder. Create a file called dial.bat. Type in rasdial "connection name" username and password and save it.
Then go to Control Panel, Administrative tools, Task Scheduler and create a new task. Allow it to run whether or not the user is logged in, and with the highest admin privilege. Then choose the trigger tab. Add a trigger to have it run at system startup. Then choose the next tab over to have it run a program. Choose to run the bat file that you just created. Reboot and he was able to login to the domain. I hope that helps somebody out there with the same issue.

Wednesday, March 31, 2010

Finally finished my Exchange 2007 server

I was building an Exchange 2007 server last week so I could test out Communications Server 2007. After installing and putting on a test user I decided to ask Microsoft a question. I wondered how many mailboxes I could put on the MSDN version of this software. They emailed me back and said "we will get back to you". So I waited three days and they said to call the Microsoft Partner program. So I called them and asked the same thing. They said I could install it up to ten times. I said that's not what I was asking. I wanted to know how many cals come on this before it tells me I need more. They said "you can install it up to ten times".
I thought I would go crazy so I told her we weren't speaking the same language. She went to her supervisor and came back and said "you can install it up to ten times", and then she said "we're not technical here". What? Not technical? I thought they were Microsoft.
I went back to MSDN and said they didn't know how to answer my question. They replied back that they will get me my answer in about three days. I just heard back from them, and they said "you can install it up to ten times."
I give up.

Monday, March 29, 2010

2007 continued

Well I'm still working on the 2007 install. I will be installing Communicator shortly to incorporate some of the cool features.
In the meantime all kinds of emergencies today. The main one was a virus outbreak at a client who still uses Symantec for AV. We tried to talk them out of it but oh well. A quick way to find out which computer is infected is to go into the firewall. In this case it's a Cisco ASA. From there you can do a show connection protocol tcp port 25. This will show you every computer that's trying to connect by blasting out email. I ignored the server and spam filter and found the one workstation that was infected fairly quickly. I then dispatched a tech and he is cleaning it up.
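
The triage step above, scripted as an added example that is not part of the original post. Get-SmtpTalker is a hypothetical helper, the connection lines are constructed, and the line layout (TCP, interface, address:port, interface, address:port) is an assumption about how the firewall prints its connection table.

```powershell
# Added example: from saved firewall connection-table text, rank hosts by how
# many distinct mail servers they are talking to on TCP 25. A workstation
# blasting out email shows many destinations; a normal client shows none.

function Get-SmtpTalker {
    param(
        [Parameter(Mandatory = $true)][string[]]$ConnLines,
        [string[]]$KnownMailHosts = @(),    # mail server, spam filter: expected senders
        [int]$MinDestinations = 3
    )

    $destinations = @{}                     # source IP -> set of port-25 peers
    $pattern = '^\s*TCP\s+\S+\s+(\S+):(\d+)\s+\S+\s+([^\s,]+):(\d+)'

    foreach ($line in $ConnLines) {
        if ($line -match $pattern) {
            # Whichever endpoint sits on port 25 is the mail server being contacted.
            if ($Matches[2] -eq '25') {
                $dst = $Matches[1]; $src = $Matches[3]
            } elseif ($Matches[4] -eq '25') {
                $dst = $Matches[3]; $src = $Matches[1]
            } else {
                continue
            }

            if ($KnownMailHosts -contains $src) { continue }
            if (-not $destinations.ContainsKey($src)) { $destinations[$src] = @{} }
            $destinations[$src][$dst] = $true
        }
    }

    # Single inbound deliveries from outside hosts fall below the threshold.
    $destinations.GetEnumerator() |
        Where-Object { $_.Value.Count -ge $MinDestinations } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source       = $_.Key
                Destinations = $_.Value.Count
            }
        } |
        Sort-Object Destinations -Descending |
        Select-Object Source, Destinations
}

# Constructed sample: 192.168.1.10 is the mail server, 192.168.1.57 is a
# workstation connected to four different outside mail servers.
$sampleConn = @(
    'TCP outside 198.51.100.7:25 inside 192.168.1.10:25412, idle 0:00:04, bytes 8123, flags UIO'
    'TCP outside 203.0.113.80:40112 inside 192.168.1.10:25, idle 0:00:01, bytes 512, flags UIOB'
    'TCP outside 198.51.100.21:25 inside 192.168.1.57:3411, idle 0:00:00, bytes 0, flags saA'
    'TCP outside 198.51.100.22:25 inside 192.168.1.57:3412, idle 0:00:00, bytes 0, flags saA'
    'TCP outside 203.0.113.9:25 inside 192.168.1.57:3413, idle 0:00:02, bytes 1420, flags UIO'
    'TCP outside 203.0.113.44:25 inside 192.168.1.57:3414, idle 0:00:01, bytes 1388, flags UIO'
    'TCP outside 203.0.113.5:443 inside 192.168.1.31:50233, idle 0:00:09, bytes 90211, flags UIO'
)
Get-SmtpTalker -ConnLines $sampleConn -KnownMailHosts '192.168.1.10'
```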

Friday, March 26, 2010

Exchange 2007 install

Well I decided to upgrade our own Exchange today from 2003 to 2007. There are definitely some things to be aware of when you do this. Use 64 bit instead of 32. That way when you go to 2010 you will be able to do an in place upgrade. Service pack 2 has been released but you need a license key to install it. Pretty strange. The enterprise version allows you to selectively journal users. Pretty handy if you spend the extra money. You can install it for 120 days without a key however.
I would like to add the unified messaging, but that is going to take some planning. It would be great to incorporate it into our phone system. I will also have to add Communicator as well to get all the features.
It almost makes me want to move off of our iPhone to Windows phone 7 system, or whatever they're calling it these days, but I think we'll stay with Apple for now.
Now we will have to buy the unified certificate to avoid rpc/http problems. I like it when they add features. I just hate it when they change things. It's quite the problem for guys who like new toys but hate change.

Thursday, March 25, 2010

It's not me it's you

Don't you just love it when two vendors fight it out? I received a call from a customer that said when they send out an invite to an email server at another company it shows up as an hour later. That company said it's not their fault. It must be our customer's problem. So they called me. I said how about I send an invite out to the same guy and see what happens. He emailed back and said that it also came back an hour late, but he still doesn't think it's his server. I told him I would be happy to fix his server if he wanted to set up an account with us. Then he ran windows updates, even though he swore he had already done this, and now it works correctly.

I will be working on an interesting switch problem later today. For some reason it's not passing UDP traffic. I think it may have something to do with the port being tagged for CDP using voice and data VLANs.

Wednesday, March 24, 2010

Upgrading to 2008 SBS

I started a company called All Tech 1 in Portland Oregon about the time of the bubble burst of 2001. After going through a lay-off I decided to go ahead and start it up since it was a good time in my life to do it.
Yesterday one of my engineers came to me and said that he was stuck on a Windows 2003 to a Windows 2008 upgrade.
The new server was a domain controller, but couldn't replicate AD, and Exchange only saw the original server.
I went in to take a look at it. Almost all issues of replication seem to have something to do with DNS, so that's where I started. There was an entry for an old server pointed to That was the same IP of the new server, but of a different name. After I updated the records I could get one way replication to work, but nothing else.
I made sure the name servers were also correct in the name server tab in DNS. It was also pointed to the old server. I restarted the netlogon service, and DNS server service and now replication was working both ways.
I was given the choice to restart the Exchange and other services, or to restart both servers in order for Exchange to work. I decided to just restart the servers and when it came back up Exchange saw both servers. Things moved much more smoothly after that.

New Blogger

Although I have been blogging for years for CBS affiliate KOIN News in Portland, I thought it would be more advantageous to do a more technical blog about my daily life in the IT industry. I am in the trenches everyday setting up and troubleshooting servers, networks, firewalls, and fighting malware. I run into some really weird things, and I thought it would be useful to tell others in the industry about it.