Wednesday, September 22, 2010

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9}

I was getting an error on my Windows XP workstations:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 22/09/2010
Time: 9:34:00 PM
User: KBOMB\administrator
Computer: ARIA
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=kbomb,DC=local. The file must be present at the location <\\kbomb.local\sysvol\kbomb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

Internet research shows this error can have many causes.

In my case my Windows 2008 server required SMB signing. If I logged into a Windows XP workstation and navigated to \\domain.local\sysvol it asked me for a username and password. If I navigated to any other share on the domain controllers it worked successfully.

I navigated to the following registry key:


enablesecuritysignature was set to 0... this means the workstation will never take part in signed SMB even if the server requests it. I set this to "1", meaning my XP machine can talk signed SMB if my 2008 server requests it.

There is another value, requiresecuritysignature, which controls whether the workstation insists on signing rather than merely supporting it. Leave it at 0 for this fix; setting it to 1 means the workstation will refuse to communicate with any host that does not support signed SMB. (That is the hardened setting, at the cost of compatibility with old servers. What you should not do is switch the signing requirement off on the domain controller: it is what protects the SYSVOL and NETLOGON shares, and therefore Group Policy itself, from tampering and relay attacks.)

After making the change I restarted the "workstation" and "server" services.

I ran another gpupdate /force after the change was made.
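As an added example (not code from the original post), the following PowerShell audits the four SMB signing values on a workstation, reports which failure mode they produce, and applies the fix described above. The post does not name the registry key; the script uses the standard client-side (LanmanWorkstation) and server-side (LanmanServer) Parameters keys where Windows stores these values.

```powershell
# Added example, not part of the original post: audit and fix SMB signing on a
# workstation. Registry keys are the standard ones Windows uses for these values.

$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbSigningValue {
    param([string]$Key, [string]$Name)
    # A value that is not explicitly configured is reported as -1.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return -1 }
    return [int]$item.$Name
}

function Get-SmbSigningReport {
    $clientEnable  = Get-SmbSigningValue $ClientKey 'EnableSecuritySignature'
    $clientRequire = Get-SmbSigningValue $ClientKey 'RequireSecuritySignature'
    $serverEnable  = Get-SmbSigningValue $ServerKey 'EnableSecuritySignature'
    $serverRequire = Get-SmbSigningValue $ServerKey 'RequireSecuritySignature'
    New-Object PSObject -Property @{
        ClientEnable  = $clientEnable
        ClientRequire = $clientRequire
        ServerEnable  = $serverEnable
        ServerRequire = $serverRequire
        # The symptom in the post: the DC requires signing, this client never offers it.
        ClientFailsAgainstSigningServers = ($clientEnable -eq 0)
        # The opposite failure: this client refuses every server that cannot sign.
        ClientRefusesUnsignedServers     = ($clientRequire -eq 1)
    }
}

function Enable-SmbClientSigning {
    # The fix from the post: take part in signing when asked, without forcing it.
    Set-ItemProperty -Path $ClientKey -Name 'EnableSecuritySignature' -Value 1 -Type DWord
    Restart-Service -Name LanmanWorkstation -Force   # the "Workstation" service
    Restart-Service -Name LanmanServer -Force        # the "Server" service
}

$report = Get-SmbSigningReport
$report | Format-List
if ($report.ClientFailsAgainstSigningServers) { Enable-SmbClientSigning }
```

Run it elevated; after the change a plain gpupdate /force should then succeed against a signing-only domain controller.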


How to Deploy Microsoft .NET Framework 4 with Group Policy

In this blog post I'm going to show you how to mass deploy .NET Framework 4 to all PCs in your Active Directory domain.


Deploy .NET Framework 4 using a Startup Script:

Download .NET Framework 4

First download .NET Framework 4 from the following location:

Extract the Package

Run the setup file "dotNetFx40_Full_x86_x64.exe"

The setup file automatically extracts itself to a temporary directory with a random name on the drive with the most free disk space:

When the setup wizard opens, do not click Next; just leave it open!

Create a new Group Policy Object

Create a new group policy object to be used for deployment. Make note of the GUID.

Move the .NET Framework Files

Navigate to a location on the network where you want to store the installation files. I stored them in the following location:


Create a folder called Frameworkv4.

Copy all files from the temporary extracted directory to:


Once the files are copied you can cancel the .NET Framework installation wizard started in the earlier step. We only ran the setup file so that it would extract the files.

Create the Administrative Install Points

Create Administrative Install Points for the 4 MSIs:
- .NET Framework v4 x86 for Server Core
- .NET Framework v4 x64 for Server Core
- .NET Framework v4 x86 for XP, Vista, Win7, and Full Installations of Windows Server
- .NET Framework v4 x64 for XP, Vista, Win7, and Full Installations of Windows Server

Run the following commands in a command prompt:

msiexec /a \\kbombserver\netlogon\software\frameworkv4\netfx_Core_x86.msi EXTUI=1 TARGETDIR=\\kbombserver\netlogon\software\frameworkv4\AIP\netfx_core_x86

msiexec /a \\kbombserver\netlogon\software\frameworkv4\netfx_core_x64.msi EXTUI=1 TARGETDIR=\\kbombserver\netlogon\software\frameworkv4\AIP\netfx_core_x64

msiexec /a \\kbombserver\netlogon\software\frameworkv4\netfx_extended_x86.msi EXTUI=1 TARGETDIR=\\kbombserver\netlogon\software\frameworkv4\AIP\netfx_extended_x86

msiexec /a \\kbombserver\netlogon\software\frameworkv4\netfx_extended_x64.msi EXTUI=1 TARGETDIR=\\kbombserver\netlogon\software\frameworkv4\AIP\netfx_extended_x64

Deploy .NET Framework with Group Policy

Add the package in Group Policy.

Assign both the x86 and x64 extended packages.

x64 will only install on x64 machines.
x86 will only install on x86 machines.

Also assign the core packages if you have Server Core installations of Windows.

The packages also need the following MST assigned from Aaron Stebner's WebLog:

The transform changes the condition for CA_BlockDirectInstall to False so it will not be run during the installation process.

If you don't include the MST you will get the following error when the application tries to deploy via MSI:

Place the MST with the MSI and add it to the deployed application:

Note: For the 32-bit package make sure you go into Advanced deployment options on the Deployment tab and untick "Make this 32-bit X86 application available to Win64 machines".

Always wait for the network at computer startup and logon

My Windows 7 PCs all booted too fast and missed the application deployment during startup. They all logged the following warning:

Log Name: System
Source: Application Management Group Policy
Date: 22/09/2010 8:28:12 PM
Event ID: 101
Task Category: None
Level: Warning
Keywords: Classic
Computer: kbombpc.kbomb.local
The assignment of application Microsoft .NET Framework 4 Extended x64 from policy Microsoft .NET Framework 4 failed. The error was : %%1274

Error %%1274 is Win32 error 1274, ERROR_SYNC_FOREGROUND_REFRESH_REQUIRED ("The group policy framework should call the extension in the synchronous foreground policy refresh"): software installation can only run during a synchronous foreground refresh, and Windows 7's fast logon optimisation applies policy asynchronously. To resolve this I had to set the following group policy:

Computer Configuration --> Administrative Templates --> System --> Logon --> Always wait for the network at computer startup and logon
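As an added example (not code from the original post), here is a PowerShell check to run on a Windows 7 client: it confirms that synchronous foreground processing is in force and lists the event 101 entries that record missed assignments. It assumes the policy above writes SyncForegroundPolicy=1 under the Winlogon policies key shown, and it uses the event source name from the log entry quoted above.

```powershell
# Added example, not part of the original post. Assumption: the "Always wait for
# the network at computer startup and logon" policy sets SyncForegroundPolicy=1
# under the key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-SyncForegroundPolicy {
    $v = Get-ItemProperty -Path $PolicyKey -Name SyncForegroundPolicy -ErrorAction SilentlyContinue
    return ($null -ne $v -and [int]$v.SyncForegroundPolicy -eq 1)
}

function Get-MissedSoftwareAssignments {
    param([int]$Days = 7)
    # Event 101 from this source is logged when an assigned package could not be
    # installed at startup; it is a classic event, so Get-EventLog reads it.
    Get-EventLog -LogName System -Source 'Application Management Group Policy' `
                 -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 101 } |
        Select-Object TimeGenerated, MachineName, Message
}

if (Test-SyncForegroundPolicy) {
    'Synchronous foreground refresh is enforced; software installation can run at startup.'
} else {
    'Fast logon optimisation is active; assigned MSIs will be skipped until the policy applies.'
}
Get-MissedSoftwareAssignments | Format-Table -AutoSize -Wrap
```

If the policy reports as enforced but event 101 keeps appearing, the client has not yet rebooted twice since the policy was applied (once to receive it, once to honour it).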

Error 25003. Error occurred while initializing fusion.

Hey guys sorry I'm currently getting the following error when it deploys:

Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 10005
Date: 22/09/2010
Time: 10:09:40 PM
Computer: ARIA
Product: Microsoft .NET Framework 4 Extended -- Error 25003. Error occurred while initializing fusion.

Will let you know as soon as I have a fix.

Tuesday, September 21, 2010

How to find Wireless Channels in Windows

To find the wireless channels in Windows, open a command prompt and run the following command:

show all

scroll down...
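Scrolling through netsh output gets old once there are more than a handful of access points. As an added example (not from the original post), the PowerShell below parses the per-BSSID output of netsh wlan show networks mode=bssid (assumed to be the command the post refers to) into objects you can sort by channel or compare against a list of known access points. The sample output and the allow-list are constructed for offline testing.

```powershell
# Added example, not part of the original post. Parses "netsh wlan show networks
# mode=bssid" output into SSID/BSSID/channel/signal records.

# Constructed sample output (not captured from a real network):
$SampleNetsh = @'
SSID 1 : CorpWifi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 88%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 40%
         Radio type         : 802.11n
         Channel            : 11
SSID 2 : Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : aa:bb:cc:dd:ee:ff
         Signal             : 70%
         Radio type         : 802.11g
         Channel            : 1
'@

function ConvertFrom-NetshWlan {
    param([string[]]$Lines)
    $ssid = $null; $auth = $null; $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^SSID \d+\s*:\s*(.*)$') { $ssid = $Matches[1].Trim() }
        elseif ($line -match '^\s*Authentication\s*:\s*(.*)$') { $auth = $Matches[1].Trim() }
        elseif ($line -match '^\s*BSSID \d+\s*:\s*(\S+)') {
            if ($cur) { $cur }   # emit the previous BSSID record
            $cur = New-Object PSObject -Property @{
                SSID = $ssid; Auth = $auth; BSSID = $Matches[1]; Signal = $null; Channel = $null
            }
        }
        elseif ($cur -and $line -match '^\s*Signal\s*:\s*(\d+)%') { $cur.Signal = [int]$Matches[1] }
        elseif ($cur -and $line -match '^\s*Channel\s*:\s*(\d+)') { $cur.Channel = [int]$Matches[1] }
    }
    if ($cur) { $cur }
}

# Offline run on the sample; on a real host use:
#   $nets = ConvertFrom-NetshWlan (netsh wlan show networks mode=bssid)
$nets = ConvertFrom-NetshWlan ($SampleNetsh -split "`r?`n")
$nets | Sort-Object Channel | Format-Table SSID, BSSID, Channel, Signal, Auth -AutoSize

# Any BSSID advertising our SSID that is not one of our access points (constructed allow-list):
$KnownAPs = @('00:11:22:33:44:55', '00:11:22:33:44:66')
$nets | Where-Object { $_.SSID -eq 'CorpWifi' -and $KnownAPs -notcontains $_.BSSID }
```

The last line is the useful security check: a BSSID on your SSID that is not in your inventory is either an undocumented access point or an evil twin.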

Monday, September 20, 2010

Exchange 2007 Certificates Whitepaper

Exchange 2007 Certificates Whitepaper - very good article:

Exchange 2010 with Threat Management Gateway

How to publish Exchange 2010 through Threat Management Gateway (TMG)

Enable MAPI Encryption Group Policy

In Exchange 2010 MAPI encryption is required by default. Outlook 2003 does not enable MAPI encryption by default. This means Outlook 2003 cannot talk to Exchange 2010 unless encryption is turned on in Outlook (or the requirement is relaxed on the server).

The following KB article covers both options: enabling MAPI encryption on Outlook 2003 via Group Policy, or disabling the MAPI encryption requirement on Exchange 2010. Turning it on at the client is the better choice; relaxing the requirement means mailbox traffic from those clients crosses the network unencrypted.

Sunday, September 19, 2010

Enable Link State Suppression

When running the Exchange 2010 Pre-Deployment Analyzer you will probably get this message:

Before introducing Exchange Server 2010 into this topology, the 'SuppressStateChanges' configuration parameter should be set to '1' on server EXCHANGE03SERVER. This parameter is essential if you plan to create multiple connectors to the dedicated Exchange 2010 routing group.

Exchange Server 2003 includes functionality to automatically detect changes in the state of a link. This information can be used to inform other Exchange Server 2003 servers that an alternative route should be used instead of the lowest-cost primary route. Link state information is divided into major and minor changes. A major change occurs when the administrator changes the routing topology, such as adding a new connector or changing a cost. Minor changes occur when the system automatically detects the failure or restoration of a link.

This feature works well in small to medium-sized organizations. However, in large multi-site environments, mass network fluctuation can cause floods of minor link state updates. To be effective, link state data must be broadcast to all servers in the organization, and whenever state changes the whole link state table is rebroadcast, which can push a significant amount of data over the network. In these scenarios it may be useful to suppress minor link state changes. The SuppressStateChanges registry value is a custom configuration setting that does exactly that: when SuppressStateChanges is set to 1 (or any value greater than 0), all link state traffic generated by a connector state change on that Exchange server is suppressed.

In Exchange 2010 you link every Exchange 2003 routing group to the single Exchange 2010 routing group so that the new Hub Transport servers route messages around your organisation. Exchange 2010 does not take part in link state routing, so Exchange 2003 servers must not mark connectors into that routing group as down and reroute around them. Because of this you must enable link state suppression (SuppressStateChanges = 1) on all your Exchange 2003 servers before installing Exchange 2010.

To do this perform the following steps:

1. Open a registry editor, such as Regedit.exe or Regedt32.exe.

2. Navigate to HKLM\System\CurrentControlSet\Services\RESvc\Parameters.

3. Right-click Parameters and select New | DWORD Value. Name the new DWORD value SuppressStateChanges.

4. Double-click SuppressStateChanges.

5. Set Base to Decimal.

6. In the Value data field, enter 1.

7. Close the registry editor, then restart the Simple Mail Transfer Protocol (SMTP), Microsoft Exchange Routing Engine, and Microsoft Exchange MTA Stacks services for the change to take effect.
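The same change, scripted so it can be pushed to every Exchange 2003 server before the upgrade. This is an added example and not part of the original post; the registry path and value come from the steps above, and the service names SMTPSVC, RESvc and MSExchangeMTA are assumed to be the short names of the three services listed in step 7.

```powershell
# Added example, not part of the original post: set SuppressStateChanges on an
# Exchange 2003 server and restart the services the post lists.
# Assumed service short names: SMTPSVC, RESvc, MSExchangeMTA.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RESvc\Parameters'

function Get-LinkStateSuppression {
    # Returns the current value; an absent value means link state changes are not suppressed.
    $v = Get-ItemProperty -Path $Key -Name SuppressStateChanges -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.SuppressStateChanges
}

function Enable-LinkStateSuppression {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name SuppressStateChanges -Value 1 -Type DWord
    foreach ($svc in 'SMTPSVC', 'RESvc', 'MSExchangeMTA') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        # Only bounce services that exist and are running; -Force restarts dependents too.
        if ($s -and $s.Status -eq 'Running') { Restart-Service -Name $svc -Force }
    }
}

if ((Get-LinkStateSuppression) -gt 0) {
    'SuppressStateChanges is already set; nothing to do.'
} else {
    Enable-LinkStateSuppression
    'SuppressStateChanges set to 1 and transport services restarted.'
}
```

Re-run the Exchange 2010 Pre-Deployment Analyzer afterwards; the warning should no longer appear for that server.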

What are Exchange Development Kit (EDK) Connectors?

When running the Exchange Pre-Deployment Analyzer I got the following message:

Exchange Development Kit (EDK) connector 'Connector for Captaris RightFax (WSPER14)' was found in the organization. Exchange Server 2010 does not support EDK connectors. This connector will need to remain on existing Exchange 2003 servers.

What are Exchange Development Kit (EDK) Connectors?

EDK connectors are third-party applications built to connect to communication systems such as fax machines, Short Message Service (SMS), telex, or to connect to other messaging systems, such as Lotus Notes, that use a gateway connector. Non-Microsoft vendors use the Exchange Development Kit (EDK) to develop proprietary connectors.

Wednesday, September 15, 2010

How to GREP in Powershell

In the Linux and Unix world, when we want to grab a line that contains specific output we would just use the following command:

command | grep search

In PowerShell the equivalent is Select-String, run over the command's output rendered as text (ls is an alias of Get-ChildItem and lists files; it is not a grep):

command | Out-String -Stream | Select-String search

For example we run the following command to list a whole bunch of output for:


We want to identify all lines that have the word "Name" in them. Format-List accepts wildcards on property names, so the following prints only the properties whose names contain "name":

Get-AcceptedDomain | fl *name*

Note that this matches on property names, not on their values; to grep the values, pipe the output through Out-String -Stream | Select-String instead.

Very easy.
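An added example (not code from the original post) that puts the three PowerShell idioms side by side, with a small grep function that behaves like the Unix habit. The sample objects stand in for Get-AcceptedDomain so it runs outside an Exchange shell; they are constructed.

```powershell
# Added example, not part of the original post. Constructed objects stand in for
# Get-AcceptedDomain output.
$Domains = @(
    (New-Object PSObject -Property @{ Name = 'kbomb.local'; DomainName = 'kbomb.local';     DomainType = 'Authoritative'; Default = $true  }),
    (New-Object PSObject -Property @{ Name = 'partner';     DomainName = 'partner.example'; DomainType = 'InternalRelay'; Default = $false })
)

function grep {
    # Usage: command | grep pattern
    # Renders every object to text lines and matches on them, like Unix grep.
    param([Parameter(Mandatory = $true)][string]$Pattern, [switch]$CaseSensitive)
    $input | Out-String -Stream | Select-String -Pattern $Pattern -CaseSensitive:$CaseSensitive
}

# 1. Match on the text of each line (what "| grep name" does on Unix):
$Domains | Format-List | grep name

# 2. Select properties by name (what "fl *name*" does; it never looks at values):
$Domains | Format-List *name*

# 3. Filter objects by a property value, the idiomatic PowerShell way:
$Domains | Where-Object { $_.DomainType -eq 'InternalRelay' }

# 4. grep through files with line numbers, like grep -n (path is hypothetical):
#    Select-String -Path 'C:\Logs\*.log' -Pattern 'error' | Select-Object Filename, LineNumber, Line
```

Select-String is case-insensitive by default and returns MatchInfo objects rather than bare strings, so .Line gives you the text and .LineNumber the position.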

Tuesday, September 14, 2010

Exchange 2007 CCR Cluster - The cluster quorum or resource group 'Cluster Group' is offline on node

I ran into an issue with an Exchange 2007 CCR cluster where the cluster name and cluster IP resources would not come online.

When running Test-ReplicationHealth the following error was experienced:

The cluster quorum or resource group 'Cluster Group' is offline on node 'PEREXM01'. Cluster 'TWMAIL1-CL’ may not be remotely reachable, or it may have lost redundancy. The following resources are offline:
Cluster Name: Offline
Cluster IP Address: Failed

In my situation this error was caused by a duplicate IP address. The cluster IP address was in use on another device on the internal network, taking the address away from the cluster.

Diagnosing Windows Cluster Issues

Working with a Microsoft Engineer on a cluster issue today. He showed me a really cool command to get some diagnostic log information about cluster related problems.

The command to get this information is:

cluster.exe ClusterName log /gen

You may receive the following error:

System error 1825 has occurred (0x00000721)
A security package specific error occurred.

If you receive this error remove the ClusterName.

cluster log /gen

The cluster debug log file gets stored in the following location after running this command:


Flush Transaction Logs in Exchange

This article applies to all versions of Exchange from 5.5 to 2010.

The following knowledge base article gives you all the fruit about flushing transaction logs but I assume you just want to know how to do it right?

Your Exchange logs get deleted when your database backup completes. When your Exchange server receives an email it writes it to the transaction logs first; when the server frees up it then plays these logs into the database. Exchange may not yet have played all the log files into the database, so you can't simply "delete" them.

1. Dismount all Exchange mailbox databases under the storage group you wish to clean up.

2. Use the ESEUTIL program to view if all the logs have been played into the Exchange Database.

eseutil /MH database.edb

If the database is in a Clean Shutdown or Consistent state, you may remove all the transaction logs. Older versions say "Consistent"; newer versions of Exchange say "Clean Shutdown". In my screenshot I'm using Exchange 2010.

Note: If it is not in a "Clean Shutdown" or "Consistent" state, you can use eseutil (the /r recovery switch) to replay the log files into the database, or remount the database and let Exchange replay them.

Caution: Do not delete log files if the state is not "Clean Shutdown" or "Consistent", as you will lose email!

3. Delete all log files including the chk file. The checkpoint file keeps track of which log files have been and have not been played into the database. Since there are no log files anymore, the checkpoint is not needed.

Caution: If your database is in the same directory as your log files, be careful you don't accidentally delete your .edb database file as well!

4. Re-mount your exchange databases in your storage group. This will automatically create a new checkpoint file ready to go!
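The procedure above is easy to get wrong under pressure, so here is an added example (not code from the original post) that encodes the two cautions: it reads the State line from eseutil /mh output, refuses to touch anything unless the database is Clean Shutdown or Consistent, deletes only .log, .chk and .jrs files (never the .edb), and does a dry run unless -Force is given. The sample header is constructed, and the database name and paths in the usage comments are hypothetical.

```powershell
# Added example, not part of the original post.

# Constructed eseutil /mh header excerpt (real output has many more lines):
$SampleHeader = @'
Extensible Storage Engine Utilities for Microsoft(R) Exchange Server
Version 14.00
            State: Clean Shutdown
     Log Required: 0-0 (0x0-0x0)
'@

function Get-EseState {
    param([string[]]$HeaderLines)
    foreach ($l in $HeaderLines) {
        if ($l -match '^\s*State:\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Test-EseClean {
    param([string]$State)
    # "Consistent" on old versions, "Clean Shutdown" on newer ones.
    return ($State -eq 'Clean Shutdown' -or $State -eq 'Consistent')
}

function Remove-ExchangeLogs {
    param(
        [Parameter(Mandatory = $true)][string]$LogFolder,
        [Parameter(Mandatory = $true)][string]$State,
        [switch]$Force
    )
    if (-not (Test-EseClean $State)) {
        throw "Database state is '$State'; logs may still be needed. Replay or remount first."
    }
    # Logs, checkpoint and reserve logs only; the .edb may share this folder and is never selected.
    $files = @(Get-ChildItem -Path $LogFolder |
               Where-Object { -not $_.PSIsContainer -and ('.log', '.chk', '.jrs') -contains $_.Extension })
    if ($Force) { $files | Remove-Item } else { $files | Remove-Item -WhatIf }
    return $files.Count
}

# Live use from the Exchange 2010 Management Shell (names are hypothetical):
#   Dismount-Database -Identity 'DB01' -Confirm:$false
#   $state = Get-EseState (& eseutil /mh 'D:\DB01\DB01.edb')
#   Remove-ExchangeLogs -LogFolder 'L:\DB01' -State $state          # dry run (WhatIf)
#   Remove-ExchangeLogs -LogFolder 'L:\DB01' -State $state -Force   # really delete
#   Mount-Database -Identity 'DB01'
$state = Get-EseState ($SampleHeader -split "`r?`n")
"Sample header state: $state; safe to delete logs: $(Test-EseClean $state)"
```

The mount afterwards recreates the checkpoint file, as step 4 says; if the state check throws, remount instead and let Exchange replay the outstanding logs.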

Monday, September 13, 2010

ClusterRpc has failed. Specific error is: Cluster Common Failure Exception: Access is denied.

In a CCR cluster the following command was executed in Exchange Management Shell:


The following error was experienced:

ClusterRpc has failed. Specific error is: Cluster Common Failure Exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Test-ReplicationHealth : High priority check ClusterRpc has failed. Specific error is: ClusterRpc has failed. Specific error is: Cluster Common Failure Exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

If you experience this error, don't be a noob like me. Right-click Exchange Management Shell and click Run as administrator... Darn UAC!

Exchange 2010 Service Pack 1 Setup Fails

Today I'm building a new Exchange 2010 environment with 2 servers running Hub Transport and Client Access in a CAS Array, and 2 backend servers running a Database Availability Group cluster. The two front end servers running HT and CAS also have NLB set up, running on top of VMware vSphere.

This is a vanilla install, no 3rd party software, and no funky system changes.

I installed Service Pack 1 on the backend DAG servers this worked fine.

However, on the two front end servers running the CAS and HT roles the following error was experienced when installing Service Pack 1:

Taken from the ExchangeSetup log file:

[09/13/2010 09:19:33.0276] [1] The following 1 error(s) occurred during task execution:
[09/13/2010 09:19:33.0276] [1] 0. ErrorRecord: Service 'Microsoft Exchange Service Host (MSExchangeServiceHost)' cannot be started due to the following error: Cannot start service MSExchangeServiceHost on computer '.'.
[09/13/2010 09:19:33.0292] [1] 0. ErrorRecord: Microsoft.PowerShell.Commands.ServiceCommandException: Service 'Microsoft Exchange Service Host (MSExchangeServiceHost)' cannot be started due to the following error: Cannot start service MSExchangeServiceHost on computer '.'. ---> System.InvalidOperationException: Cannot start service MSExchangeServiceHost on computer '.'. ---> System.ComponentModel.Win32Exception: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it
--- End of inner exception stack trace ---
at System.ServiceProcess.ServiceController.Start(String[] args)
at Microsoft.PowerShell.Commands.ServiceOperationBaseCommand.DoStartService(ServiceController serviceController)
--- End of inner exception stack trace ---
[09/13/2010 09:19:33.0292] [1] [ERROR] The following error was generated when "$error.Clear();
if (get-service MSExchangeServiceHost* where {$ -eq "MSExchangeServiceHost"})
restart-service MSExchangeServiceHost
" was run: "Service 'Microsoft Exchange Service Host (MSExchangeServiceHost)' cannot be started due to the following error: Cannot start service MSExchangeServiceHost on computer '.'.".
[09/13/2010 09:19:33.0292] [1] [ERROR] Service 'Microsoft Exchange Service Host (MSExchangeServiceHost)' cannot be started due to the following error: Cannot start service MSExchangeServiceHost on computer '.'.
[09/13/2010 09:19:33.0292] [1] [ERROR] Cannot start service MSExchangeServiceHost on computer '.'.
[09/13/2010 09:19:33.0292] [1] [ERROR] The service cannot be started, either because it is disabled or because it has no enabled devices associated with it
[09/13/2010 09:19:33.0292] [1] [ERROR-REFERENCE] Id=BridgeheadRoleSetterComponent___115c1108e99e4560bd2c03c0fec99908 Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[09/13/2010 09:19:33.0292] [1] Setup is stopping now because of one or more critical errors.
[09/13/2010 09:19:33.0292] [1] Finished executing component tasks.
[09/13/2010 09:19:33.0323] [1] Ending processing Install-BridgeheadRole

Notice the text "The service cannot be started, either because it is disabled" in the log above. That's the problem! Exchange Setup disables all the services during the installation, then when it tries to start the service it forgets to take it out of the disabled state, so the start fails.

Notice during the Exchange 2010 SP1 setup wizard if you look at the services.msc console the setup changes all the services to "Disabled".

Change them all back to "Manual" during the setup.

Continue to monitor these services during the Exchange 2010 SP1 setup and keep tapping F5 to refresh. The setup keeps changing these setting back to Disabled. Every time this happens set the services back to Manual.

Following this procedure I was able to allow Exchange 2010 SP1 to successfully install on my CAS Array NLB front end servers.

Very weird issue!
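The F5-and-reset loop can be scripted. As an added example (not part of the original post), this PowerShell function polls for Exchange services that setup has switched to Disabled and puts them back to Manual; run it in a second elevated shell while setup is running and stop it with Ctrl+C when setup finishes. It assumes the affected services all carry the MSExchange prefix, which holds for the CAS and HT roles.

```powershell
# Added example, not part of the original post: automate the workaround above.

function Watch-ExchangeServiceStartup {
    param([int]$IntervalSeconds = 3, [string]$Prefix = 'MSExchange*')
    while ($true) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled); Get-Service does not.
        $disabled = Get-WmiObject -Class Win32_Service -Filter "StartMode='Disabled'" |
                    Where-Object { $_.Name -like $Prefix }
        foreach ($svc in $disabled) {
            Set-Service -Name $svc.Name -StartupType Manual
            '{0:T}  {1}: Disabled -> Manual' -f (Get-Date), $svc.Name
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Watch-ExchangeServiceStartup
```

Setup will keep flipping the services back, exactly as the post describes; the loop just flips them again until setup reaches the step where it tries to start them.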

Saturday, September 11, 2010

How do I change the location of Exchange 2010 log files

In Exchange 2007 transaction log paths were configured on the storage group. In Exchange 2010 storage groups no longer exist!

So how do you change the location of your transaction logs?

This is now done with the Move-DatabasePath cmdlet. As in Exchange 2007, the same cmdlet is also used to change the location of the mailbox database file. The database is dismounted while its files are moved, unless -ConfigurationOnly is used, which only updates the paths in Active Directory and moves nothing.

Move-DatabasePath -Identity <DatabaseIdParameter> [-ConfigurationOnly <SwitchParameter>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-EdbFilePath <EdbFilePath>] [-Force <SwitchParameter>] [-LogFolderPath <NonRootLocalLongFullPath>] [-WhatIf [<SwitchParameter>]]
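An added example (not code from the original post) of moving just the log folder from the Exchange 2010 Management Shell, with the check the cmdlet itself will enforce: it refuses a database that has more than one copy in a DAG, so passive copies must be removed first and re-added afterwards. The database name and paths are hypothetical.

```powershell
# Added example, not part of the original post.

function Move-MailboxDatabaseLogs {
    param(
        [Parameter(Mandatory = $true)][string]$Database,
        [Parameter(Mandatory = $true)][string]$NewLogFolder
    )
    # -Status populates Mounted; DatabaseCopies lists every copy in the DAG.
    $db = Get-MailboxDatabase -Identity $Database -Status
    if ($db.DatabaseCopies.Count -gt 1) {
        throw "$Database has $($db.DatabaseCopies.Count) copies; remove the passive copies before moving paths."
    }
    "Current log folder: $($db.LogFolderPath)  Mounted: $($db.Mounted)"
    # The cmdlet dismounts the database, copies the files to the new folder and
    # remounts it; users lose access for the duration, so use a maintenance window.
    Move-DatabasePath -Identity $Database -LogFolderPath $NewLogFolder -Confirm:$false
    (Get-MailboxDatabase -Identity $Database).LogFolderPath
}

Move-MailboxDatabaseLogs -Database 'DB01' -NewLogFolder 'L:\Logs\DB01'
```

Add -EdbFilePath to the Move-DatabasePath call to relocate the .edb in the same operation.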

How to setup Exchange 2010 Federation

One of the new features of Exchange 2010 is Federation. It allows companies to share exchange related data with external companies such as Free/Busy and contacts.

In previous versions of Exchange you would have to create a forest trust between the organisations and use the Inter-Org Replication Tool for replicating public folders and Identity Integration Feature Pack (IIFP) for replicating contacts.

I was going to spend some time writing an article on how to configure this, however someone already beat me to it. I just read a fantastic article by Steve Goodman which runs through each of the steps in making Exchange 2010 federation work.

Please have a read, here is the link to his blog site:

An Insight Into Exchange 2010 Email Moderation

Email Moderation is a new feature that allows a moderator to approve or reject emails before they reach their destination. If you have not read about moderation yet, please read the following post I wrote a few months ago:

In this post we will be looking at how moderation works and the processes that go on in the back end.

The moderated transport application consists of the following components:


Categorizer

The transport categorizer initiates the approval process. When the categorizer detects a moderated recipient while processing a message, it reroutes the message to the arbitration mailbox.

Store driver

The store driver processes the messages that the categorizer marks for moderation. When the store driver encounters such a message, it stores the original message in the arbitration mailbox and sends approval requests to the moderators. When a moderator responds with a decision, the store driver marks that decision on the message that's stored in the arbitration mailbox. If an approved message is submitted again by the Information Assistant, the store driver removes the approval workflow wrappers so the message that's delivered is identical to the original message submitted by the sender.

Information Assistant

The Information Assistant process monitors the arbitration mailbox. The Information Assistant resubmits any approved messages to the submission queue for delivery to the intended recipients, or it deletes rejected messages. The Information Assistant is also responsible for sending rejection notifications to the sender. In addition, it cleans up the arbitration mailbox by deleting any stale or orphaned messages from the arbitration mailbox. For example, if a moderator simply deletes an approval request instead of making a decision, the corresponding message waiting for approval in the arbitration mailbox needs to be removed by the Information Assistant.

Arbitration Mailbox

The arbitration mailbox is used to store the original message that's awaiting approval. By default, one arbitration mailbox is created for moderated transport during setup. It's used for all moderated recipients. You can add additional arbitration mailboxes for load balancing purposes. If you're using multiple arbitration mailboxes, you need to specify which mailbox to use for each moderated recipient.

What processes occur in the backend?

The following screenshot is taken from Microsoft's TechNet Website:

1. The sender creates a message and sends it to the moderated recipient.

2. The categorizer intercepts the message, marks it for moderation, and then reroutes it to the arbitration mailbox.

3. The store driver stores the message in the arbitration mailbox and sends an approval request to the moderator.

4. The moderator uses the buttons in the approval request to either accept or reject the message.

5. The store driver marks the moderator's decision on the original message stored in the arbitration mailbox.

6. The Information Assistant reads the approval status on the message stored in the arbitration mailbox, and then processes the message depending on the moderator's decision:

6-a. If the moderator has approved the message, the Information Assistant resubmits the message to the submission queue, and the message is delivered to the recipient.

6-b. If the moderator has rejected the message, the Information Assistant deletes the message from the arbitration mailbox and notifies the sender that the message was rejected.

If the moderator doesn't respond to the message within five days, the Information Assistant will delete the message from the arbitration mailbox and notify the sender that their message has expired.

Handling Multiple Moderated Recipients

Taken from TechNet:

It's possible to send a message to a group of recipients that includes both moderated recipients and recipients that aren't moderated. In this case, a separate approval process occurs for each moderated recipient.

Consider a message that's sent to 12 recipients, one of which is a moderated distribution group. The categorizer splits this message into two messages. One message is delivered immediately to the 11 recipients that aren't moderated, and the second message is submitted to the approval process for the moderated distribution group.

If a message is intended for more than one moderated recipient, a separate copy is created for each moderated recipient and is submitted to the approval process.

A moderated distribution group may contain other moderated recipients. In this case, after the message to the distribution group is approved, a separate approval process occurs for each moderated recipient that's a member of the distribution group. However, you can also enable the automatic approval of the distribution group members after the message to the moderated distribution group is approved. To do this, you set the BypassNestedModerationEnabled parameter of the moderated distribution group to $true using the Set-DistributionGroup cmdlet.

Moderation and Exchange 2007 Hub Transport Servers

If you have Exchange 2007 Hub Transport servers mixed into your Exchange 2010 environment you must configure an expansion server on every distribution group you have moderated. If you do not, an Exchange 2007 Hub Transport server that expands the group knows nothing about moderation and simply delivers the message, bypassing it. To set an Exchange 2010 Hub Transport server as the expansion server for a distribution group use the following command (Set-DynamicDistributionGroup takes the same parameter for dynamic groups):

Set-DistributionGroup -Identity "GroupIdentity" -ExpansionServer "Exchange2010HubTransportServer"

So you want the basic cmdlet on how to enable moderation huh?

Below is an example on how you would go enabling moderation on a distribution group:

Set-DistributionGroup "All Employees" -ModerationEnabled $true -ModeratedBy "","" -ByPassModerationFromSendersOrMembers "HR" -SendModerationNotifications Internal
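To make sure no moderated group can slip past an Exchange 2007 Hub Transport server, and to show the enable command with every value filled in, here is an added example (not part of the original post) for the Exchange 2010 Management Shell. It lists every moderated distribution group, flags the ones with no expansion server, and can pin them to a given Hub Transport server. The group, moderator and server names are hypothetical.

```powershell
# Added example, not part of the original post.

function Get-ModeratedGroupsWithoutExpansionServer {
    param([string]$ExpansionServer, [switch]$Fix)
    # ModerationEnabled is a filterable property, so the server does the work.
    $groups = Get-DistributionGroup -ResultSize Unlimited -Filter { ModerationEnabled -eq $true }
    foreach ($g in $groups) {
        $missing = [string]::IsNullOrEmpty($g.ExpansionServer)
        if ($missing -and $Fix -and $ExpansionServer) {
            Set-DistributionGroup -Identity $g.Identity -ExpansionServer $ExpansionServer
        }
        New-Object PSObject -Property @{
            Group             = $g.Name
            ModeratedBy       = ($g.ModeratedBy -join ', ')
            ExpansionServer   = $g.ExpansionServer
            NeedsExpansionFix = $missing
        }
    }
}

# Report only:
Get-ModeratedGroupsWithoutExpansionServer | Format-Table Group, ModeratedBy, ExpansionServer, NeedsExpansionFix -AutoSize

# Enable moderation on one group, pin expansion to a 2010 Hub Transport server, and re-check:
Set-DistributionGroup -Identity 'All Employees' -ModerationEnabled $true `
    -ModeratedBy 'hr.manager@kbomb.local' -BypassModerationFromSendersOrMembers 'HR' `
    -SendModerationNotifications Internal -ExpansionServer 'EX2010HT01'
Get-ModeratedGroupsWithoutExpansionServer -ExpansionServer 'EX2010HT01' -Fix
```

Run the report again once the last Exchange 2007 Hub Transport server is gone; at that point the expansion server setting is no longer needed and can be cleared so expansion is load-balanced again.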

Exchange setup /m:RecoverServer

In this article I'm going to shed a little light around the RecoverServer command located on the Exchange 2007 and 2010 media. Running Setup /m:RecoverServer on a server tells Setup to read the configuration information from the Active Directory directory service for a server with the same name as the server from which you are running Setup. This tool can be extremely useful for the following scenarios:

- Your hardware has failed.

- You are performing a dial-tone recovery, where Active Directory is intact.

- You are performing a site recovery, where Active Directory is intact.

Setup /m:RecoverServer is for recovery only. Do not use it as a repair tool, to recover from a failed install, to recover from a failed uninstall, or to reconfigure a server. It is only for recovering a server that was once fully functional, or to move a server to new hardware and maintain the same name.

Setup /m:RecoverServer cannot be used across operating systems. A server that was originally running Windows Server 2003 can be recovered only on Windows Server 2003, and a server that was originally running Windows Server 2008 can be recovered only on Windows Server 2008.

Setup /m:RecoverServer will only migrate setting information stored in Active Directory. Any local customizations or databases are not migrated with this method.

Scenarios where Setup /m:RecoverServer will not work:

- If it is an edge transport server. Remember edge servers should not be a member of an active directory domain, they should be installed in Workgroup mode.

- If the computer object representing the Exchange Server has been deleted.

- If a server on your network has the same name as the server you're trying to restore.

- To repair a failed install. The Setup /m:RecoverServer option assumes a consistent configuration in Active Directory for the server. If Setup failed, the information in Active Directory might not have been fully written. In this situation, you should run Setup again.

For more information on this command please see:

Friday, September 10, 2010

Exchange 2010 Sizing

Microsoft has released a spreadsheet for Sizing Exchange 2010 to suit the number of users and business requirements. This will let you know things such as:
- How much memory do I need?
- How many servers?
- What are my storage requirements

and so on...

The sizing tool is an excel spreadsheet that can be downloaded from here:

Microsoft has released a 25 minute video that shows you how to use this spreadsheet and what all the functions do. This is available from:

Another handy link around sizing memory in Exchange 2010 is:

The rule of thumb when sizing an Exchange Server 2010 mailbox server is to start with 2GB of RAM for a server; then add 5MB of RAM for each mailbox that will be homed on it. For example, on a server with 3,000 mailboxes, at least 17GB of RAM would be required (2GB + (3000*.005GB)).

Tuesday, September 7, 2010

Certificate Authority Standalone or Enterprise?

In this post I will show you a few quick ways to determine whether a certificate authority is a standalone certificate authority or an enterprise certificate authority.

Method 1:

Use the certutil command:

certutil -cainfo

Method 2:

Check whether there is a Certificate Templates folder in the Certification Authority console. Certificate Templates only appears if the certificate authority is an enterprise CA.

In this screenshot we have a stand alone CA:

Method 3:

The "Cert Publishers" Active Directory group. Enterprise CAs are added to this group when they are installed (they need it to publish certificates to user and computer objects), so its members are normally your enterprise certificate authorities; a standalone CA is not added.
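Methods 1 and 3 can be scripted together. As an added example (not code from the original post), the PowerShell below reads the "CA type:" line of certutil -cainfo to decide Enterprise versus Standalone, and lists the members of Cert Publishers through ADSI so it works without the Active Directory module. The certutil sample output is constructed and the CA name is hypothetical.

```powershell
# Added example, not part of the original post.

# Constructed certutil -cainfo output (run the real command on the CA itself):
$SampleCaInfo = @'
CA name: KBOMB-CA
CA type: 0 -- Enterprise Root CA
    ENUM_ENTERPRISE_ROOTCA -- 0
CA cert count: 1
CertUtil: -CAInfo command completed successfully.
'@

function Get-CaTypeFromCertutil {
    param([string[]]$Lines)
    foreach ($l in $Lines) {
        # Only the text after "--" is used, so the numeric code does not matter.
        if ($l -match '^CA type:\s*\d+\s*--\s*(.+?)\s*$') {
            $desc = $Matches[1]
            if ($desc -match 'Enterprise')     { $kind = 'Enterprise' }
            elseif ($desc -match 'Standalone') { $kind = 'Standalone' }
            else                               { $kind = 'Unknown' }
            return New-Object PSObject -Property @{ Kind = $kind; Description = $desc }
        }
    }
    return $null
}

function Get-CertPublisherMembers {
    # Member DNs of Cert Publishers in the current domain; enterprise CA computer
    # accounts appear here, standalone CAs do not.
    $nc  = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $grp = [ADSI]"LDAP://CN=Cert Publishers,CN=Users,$nc"
    return @($grp.member)
}

# Offline check on the constructed sample:
Get-CaTypeFromCertutil ($SampleCaInfo -split "`r?`n") | Format-List Kind, Description
# Live checks:
#   Get-CaTypeFromCertutil (certutil -cainfo)   # on the CA
#   Get-CertPublisherMembers                     # on any domain-joined machine
```

If the CA says Enterprise but its computer account is missing from Cert Publishers, autoenrollment and certificate publishing to AD objects will fail even though the CA itself works.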