Thursday, March 31, 2011

OWA 2010 - You don't have permission to open this page

I have just performed a cross-forest migration of a number of mailboxes. Mailboxes come across as "linked" mailboxes, linked to the account in the source forest. To link each mailbox to the new user account in the destination forest I used the Disable-Mailbox command to unlink the mailbox from the old account, followed by Connect-Mailbox to link the mailbox to the new user account in the destination forest. Users who had been migrated across to the new forest then had problems accessing "Options" in Outlook Web App.



Sorry! Access denied

You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again. If the problem persists, contact your administrator.


I went and created a new mailbox user in the destination forest which I did not migrate. This worked fine. I went and compared attributes between my "test" mailbox account and "jim's" mailbox account.



There were a couple of differences. Jim's mailbox did not have a Role Assignment Policy. The RoleAssignmentPolicy parameter specifies the management role assignment policy to assign to the mailbox when it's created or enabled. If you don't include this parameter when you create or enable a mailbox, the default assignment policy is used. All mailboxes must have at least the default policy, because it is the assignment policy that grants the user the end-user RBAC roles behind the OWA Options pages. I set the default policy as follows on Jim's account:

Set-Mailbox "jim" -RoleAssignmentPolicy "Default Role Assignment Policy"

This resolved the problem!
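The same fix applied across every migrated mailbox, as an added PowerShell example (not part of the original post). It assumes the Exchange 2010 Management Shell is loaded and that exactly one role assignment policy is flagged as the default; function names are my own.

```powershell
# Added example (not from the original post). Run in the Exchange 2010
# Management Shell. After a cross-forest move, every mailbox that was
# reconnected with Connect-Mailbox can be missing its role assignment
# policy, not just one user, so audit the whole organisation.

function Get-MailboxWithoutRolePolicy {
    # Mailboxes with an empty RoleAssignmentPolicy; these users get
    # "You don't have permission to open this page" in OWA > Options.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { [string]::IsNullOrEmpty($_.RoleAssignmentPolicy) }
}

function Repair-MailboxRolePolicy {
    param(
        # Pass -WhatIf to list the changes without applying them.
        [switch] $WhatIf
    )
    # Assumption: exactly one policy is flagged IsDefault. Use its name
    # rather than hard-coding "Default Role Assignment Policy", which an
    # administrator may have renamed.
    $default = @(Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault })
    if ($default.Count -ne 1) {
        throw "Expected one default role assignment policy, found $($default.Count)"
    }
    $policyName = $default[0].Name

    foreach ($mbx in Get-MailboxWithoutRolePolicy) {
        Write-Host ("{0}: assigning '{1}'" -f $mbx.Alias, $policyName)
        Set-Mailbox -Identity $mbx.Identity -RoleAssignmentPolicy $policyName -WhatIf:$WhatIf
    }
}

# Preview, apply, then verify that nothing is left unassigned.
Repair-MailboxRolePolicy -WhatIf
Repair-MailboxRolePolicy
$left = @(Get-MailboxWithoutRolePolicy)
"Mailboxes still without a role assignment policy: {0}" -f $left.Count
```

The assignment is stored on the user object in msExchRBACPolicyLink, so the final query should return nothing once the change has replicated. If a user still sees the error straight after the fix, the "wait 15 minutes" advice in the OWA error text applies: the RBAC configuration is cached on the Client Access server.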

List all Attributes on Active Directory Object

Below is an easy way to quickly identify all attributes on an AD Object using adFind.exe by Joe Richards.

adFind.exe -b "CN=Default Policy,CN=Recipient Policies,CN=Destination,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=destination,DC=local"

Wednesday, March 30, 2011

An unknown error occurred, error code: 0x80070057

I'm performing a cross-forest migration using Prepare-MoveRequest.ps1, Identity Lifecycle Manager and Active Directory Migration Tool.

After a Windows 7 PC, the user account and the user's mailbox were migrated to the new forest, Outlook 2010 continued to reference the old Exchange 2003 servers, which failed to refer the client to the new Exchange 2010 servers in the new forest.



I created an Outlook PRF file with the following configuration:

[General]
Custom=1
ProfileName=Outlook
DefaultProfile=Yes
OverwriteProfile=Yes
ModifyDefaultProfileIfPresent=TRUE

[Service List]
;ServiceX=Microsoft Outlook Client
ServiceEGS1=Exchange Global Section
Service1=Microsoft Exchange Server

[ServiceEGS1]
MailboxName=%UserName%
HomeServer=ex2010.destination.local
AccountName=%UserName%
ConfigFlags=0x00000100

[Service1]
OverwriteExistingService=Yes
UniqueService=No
MailboxName=%UserName%
HomeServer=ex2010.destination.local


I attempted to import the PRF into Outlook 2010 using the following command:

outlook.exe /importprf path:C:\outlook.prf

During the import the following error was experienced:

An unknown error occurred, error code: 0x80070057



This turns out to be a bug in Outlook 2010 when importing PRF files, documented in Knowledge Base article 2028193.

http://support.microsoft.com/kb/2028193

After installing the following hotfix my problem was resolved:

http://support.microsoft.com/default.aspx?scid=kb;en-US;2281463

Sunday, March 27, 2011

ADMT Error 0x80004005

I was performing an Active Directory Migration from a Windows Server 2008 DFL/FFL forest with Exchange 2003 to a Windows Server 2008 R2 DFL/FFL forest with Exchange 2010. During the migration I got the following error:

2011-03-28 14:42:03 Unable to store default excluded system properties in database. Unspecified error (0x80004005)
2011-03-28 14:42:03 The following system properties will be excluded:
2011-03-28 14:42:03 mail,proxyAddresses,msDS-PSOApplied,msDS-HostServiceAccount,altRecipient,
2011-03-28 14:42:03 altRecipientBL,attributeCertificate,attributeCertificateAttribute,audio,authOrig,
2011-03-28 14:42:03 authOrigBL,autoReply,autoReplyMessage,businessRoles,carLicense,dLMemDefault,
2011-03-28 14:42:03 dLMemRejectPerms,dLMemRejectPermsBL,dLMemSubmitPerms,dLMemSubmitPermsBL,
2011-03-28 14:42:03 dLMemberRule,deletedItemFlags,delivContLength,delivExtContTypes,
2011-03-28 14:42:03 deliverAndRedirect,deliveryMechanism,departmentNumber,dnQualifier,employeeNumber,
2011-03-28 14:42:03 employeeType,enabledProtocols,expirationTime,extensionAttribute1,
2011-03-28 14:42:03 extensionAttribute10,extensionAttribute11,extensionAttribute12,
2011-03-28 14:42:03 extensionAttribute13,extensionAttribute14,extensionAttribute15,
2011-03-28 14:42:03 extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,
2011-03-28 14:42:03 extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,
2011-03-28 14:42:03 extensionData,folderPathname,formData,forwardingAddress,gecos,gidNumber,
2011-03-28 14:42:03 heuristics,hideDLMembership,homeMDB,homeMTA,homePostalAddress,houseIdentifier,
2011-03-28 14:42:03 importedFrom,internetEncoding,ipHostNumber,jpegPhoto,kMServer,labeledURI,
2011-03-28 14:42:03 language,languageCode,logRolloverInterval,loginShell,mAPIRecipient,
2011-03-28 14:42:03 mDBOverHardQuotaLimit,mDBOverQuotaLimit,mDBStorageQuota,mDBUseDefaults,
2011-03-28 14:42:03 mailNickname,memberUid,monitoredConfigurations,monitoredServices,
2011-03-28 14:42:03 monitoringAvailabilityStyle,monitoringAvailabilityWindow,monitoringCachedViaMail,
2011-03-28 14:42:03 monitoringCachedViaRPC,monitoringMailUpdateInterval,monitoringMailUpdateUnits,
2011-03-28 14:42:03 monitoringRPCUpdateInterval,monitoringRPCUpdateUnits,msDFSR-ComputerReferenceBL,
2011-03-28 14:42:03 msDFSR-MemberReferenceBL,msDS-ObjectReferenceBL,msDS-SourceObjectDN,
2011-03-28 14:42:03 msExchADCGlobalNames,msExchALObjectVersion,
2011-03-28 14:42:03 msExchAggregationSubscriptionCredential,msExchAlternateMailboxes,
2011-03-28 14:42:03 msExchApprovalApplicationLink,msExchArbitrationMailbox,msExchArchiveDatabaseBL,
2011-03-28 14:42:03 msExchArchiveDatabaseLink,msExchArchiveGUID,msExchArchiveName,msExchArchiveQuota,
2011-03-28 14:42:03 msExchArchiveWarnQuota,msExchAssistantName,msExchAvailabilityOrgWideAccountBL,
2011-03-28 14:42:03 msExchAvailabilityPerUserAccountBL,msExchBlockedSendersHash,
2011-03-28 14:42:03 msExchBypassModerationBL,msExchBypassModerationFromDLMembersBL,
2011-03-28 14:42:03 msExchBypassModerationFromDLMembersLink,msExchBypassModerationLink,msExchCU,
2011-03-28 14:42:03 msExchCalendarRepairDisabled,msExchCoManagedByLink,msExchCoManagedObjectsBL,
2011-03-28 14:42:03 msExchConferenceMailboxBL,msExchConfigurationUnitBL,
2011-03-28 14:42:03 msExchContentConversionSettings,msExchControllingZone,msExchCustomProxyAddresses,
2011-03-28 14:42:03 msExchDelegateListBL,msExchDelegateListLink,msExchDeviceAccessControlRuleBL,
2011-03-28 14:42:03 msExchDirsyncID,msExchDumpsterQuota,msExchDumpsterWarningQuota,
2011-03-28 14:42:03 msExchELCExpirySuspensionEnd,msExchELCExpirySuspensionStart,
2011-03-28 14:42:03 msExchELCMailboxFlags,msExchEdgeSyncCookies,msExchEdgeSyncRetryCount,
2011-03-28 14:42:03 msExchEdgeSyncSourceGuid,msExchEnableModeration,msExchExchangeServerLink,
2011-03-28 14:42:03 msExchExpansionServerName,msExchExternalOOFOptions,msExchExternalSyncState,
2011-03-28 14:42:03 msExchFBURL,msExchForeignGroupSID,msExchGroupDepartRestriction,
2011-03-28 14:42:03 msExchGroupJoinRestriction,msExchHABShowInDepartments,msExchHideFromAddressLists,
2011-03-28 14:42:03 msExchHomeServerName,msExchHouseIdentifier,msExchIMACL,msExchIMAP4Settings,
2011-03-28 14:42:03 msExchIMAPOWAURLPrefixOverride,msExchIMAddress,msExchIMMetaPhysicalURL,
2011-03-28 14:42:03 msExchIMPhysicalURL,msExchIMVirtualServer,msExchImmutableId,
2011-03-28 14:42:03 msExchInconsistentState,msExchIntendedMailboxPlanBL,
2011-03-28 14:42:03 msExchIntendedMailboxPlanLink,msExchLabeledURI,msExchLicenseToken,
2011-03-28 14:42:03 msExchMDBRulesQuota,msExchMailboxFolderSet,msExchMailboxGuid,
2011-03-28 14:42:03 msExchMailboxMoveBatchName,msExchMailboxMoveFlags,
2011-03-28 14:42:03 msExchMailboxMoveRemoteHostName,msExchMailboxMoveSourceMDBBL,
2011-03-28 14:42:03 msExchMailboxMoveSourceMDBLink,msExchMailboxMoveStatus,
2011-03-28 14:42:03 msExchMailboxMoveTargetMDBBL,msExchMailboxMoveTargetMDBLink,
2011-03-28 14:42:03 msExchMailboxOABVirtualDirectoriesLink,msExchMailboxPlanType,
2011-03-28 14:42:03 msExchMailboxSecurityDescriptor,msExchMailboxTemplateLink,msExchMailboxUrl,
2011-03-28 14:42:03 msExchManagementSettings,msExchMasterAccountHistory,msExchMasterAccountSid,
2011-03-28 14:42:03 msExchMaxBlockedSenders,msExchMaxSafeSenders,msExchMessageHygieneFlags,
2011-03-28 14:42:03 msExchMessageHygieneSCLDeleteThreshold,msExchMessageHygieneSCLJunkThreshold,
2011-03-28 14:42:03 msExchMessageHygieneSCLQuarantineThreshold,
2011-03-28 14:42:03 msExchMessageHygieneSCLRejectThreshold,msExchMobileAllowedDeviceIDs,
2011-03-28 14:42:03 msExchMobileBlockedDeviceIDs,msExchMobileDebugLogging,msExchMobileMailboxFlags,
2011-03-28 14:42:03 msExchMobileMailboxPolicyLink,msExchMobileRemoteDocumentsAllowedServersBL,
2011-03-28 14:42:03 msExchMobileRemoteDocumentsBlockedServersBL,
2011-03-28 14:42:03 msExchMobileRemoteDocumentsInternalDomainSuffixListBL,msExchMobileSettings,
2011-03-28 14:42:03 msExchModeratedByLink,msExchModeratedObjectsBL,msExchModerationFlags,
2011-03-28 14:42:03 msExchOURoot,msExchOWAAllowedFileTypesBL,msExchOWAAllowedMimeTypesBL,
2011-03-28 14:42:03 msExchOWABlockedFileTypesBL,msExchOWABlockedMIMETypesBL,
2011-03-28 14:42:03 msExchOWAForceSaveFileTypesBL,msExchOWAForceSaveMIMETypesBL,msExchOWAPolicy,
2011-03-28 14:42:03 msExchOWARemoteDocumentsAllowedServersBL,
2011-03-28 14:42:03 msExchOWARemoteDocumentsBlockedServersBL,
2011-03-28 14:42:03 msExchOWARemoteDocumentsInternalDomainSuffixListBL,msExchOWASettings,
2011-03-28 14:42:03 msExchOWATranscodingFileTypesBL,msExchOWATranscodingMimeTypesBL,
2011-03-28 14:42:03 msExchObjectCountQuota,msExchObjectID,msExchOmaAdminExtendedSettings,
2011-03-28 14:42:03 msExchOmaAdminWirelessEnable,msExchOrganizationsAddressBookRootsBL,
2011-03-28 14:42:03 msExchOrganizationsGlobalAddressListsBL,msExchOrganizationsTemplateRootsBL,
2011-03-28 14:42:03 msExchOriginatingForest,msExchPOP3Settings,msExchParentPlanBL,
2011-03-28 14:42:03 msExchParentPlanLink,msExchPfRootUrl,msExchPoliciesExcluded,
2011-03-28 14:42:03 msExchPoliciesIncluded,msExchPolicyEnabled,msExchPolicyList,
2011-03-28 14:42:03 msExchPolicyOptionList,msExchPreviousAccountSid,msExchPreviousHomeMDB,
2011-03-28 14:42:03 msExchProvisioningFlags,msExchProxyCustomProxy,msExchQueryBaseDN,
2011-03-28 14:42:03 msExchRBACPolicyBL,msExchRBACPolicyLink,msExchRMSComputerAccountsBL,
2011-03-28 14:42:03 msExchRMSComputerAccountsLink,msExchRecipLimit,msExchRecipientDisplayType,
2011-03-28 14:42:03 msExchRecipientTypeDetails,msExchRecipientValidatorCookies,
2011-03-28 14:42:03 msExchRequireAuthToSendTo,msExchResourceCapacity,msExchResourceDisplay,
2011-03-28 14:42:03 msExchResourceGUID,msExchResourceMetaData,msExchResourceProperties,
2011-03-28 14:42:03 msExchResourceSearchProperties,msExchRetentionComment,msExchRetentionURL,
2011-03-28 14:42:03 msExchSMTPReceiveDefaultAcceptedDomainBL,msExchSafeRecipientsHash,
2011-03-28 14:42:03 msExchSafeSendersHash,msExchSendAsAddresses,msExchSenderHintTranslations,
2011-03-28 14:42:03 msExchServerAdminDelegationBL,msExchServerAssociationBL,
2011-03-28 14:42:03 msExchServerAssociationLink,msExchServerSiteBL,msExchSetupStatus,
2011-03-28 14:42:03 msExchSharingPartnerIdentities,msExchSharingPolicyLink,msExchSignupAddresses,
2011-03-28 14:42:03 msExchSupervisionDLBL,msExchSupervisionDLLink,msExchSupervisionOneOffBL,
2011-03-28 14:42:03 msExchSupervisionOneOffLink,msExchSupervisionUserBL,msExchSupervisionUserLink,
2011-03-28 14:42:03 msExchSyncAccountsPolicyDN,msExchTUIPassword,msExchTUISpeed,msExchTUIVolume,
2011-03-28 14:42:03 msExchTextMessagingState,msExchThrottlingPolicyDN,msExchTransportInboundSettings,
2011-03-28 14:42:03 msExchTransportOutboundSettings,msExchTransportRecipientSettingsFlags,
2011-03-28 14:42:03 msExchUMAddresses,msExchUMAudioCodec,msExchUMAudioCodec2,msExchUMCallingLineIDs,
2011-03-28 14:42:03 msExchUMDtmfMap,msExchUMEnabledFlags,msExchUMEnabledFlags2,msExchUMFaxId,
2011-03-28 14:42:03 msExchUMListInDirectorySearch,msExchUMMailboxOVALanguage,
2011-03-28 14:42:03 msExchUMMaxGreetingDuration,msExchUMOperatorNumber,msExchUMPhoneProvider,
2011-03-28 14:42:03 msExchUMPinChecksum,msExchUMRecipientDialPlanLink,msExchUMServerWritableFlags,
2011-03-28 14:42:03 msExchUMSpokenName,msExchUMTemplateLink,msExchUnmergedAttsPt,msExchUseOAB,
2011-03-28 14:42:03 msExchUserAccountControl,msExchUserBL,msExchUserCulture,msExchVersion,
2011-03-28 14:42:03 msExchVoiceMailboxID,msExchWindowsLiveID,msRADIUS-FramedIpv6Route,
2011-03-28 14:42:03 msRADIUS-SavedFramedIpv6Route,msSFU30Aliases,msSFU30Name,msSFU30NisDomain,
2011-03-28 14:42:03 msSFU30PosixMember,msSFU30PosixMemberOf,networkAddress,nisMapName,
2011-03-28 14:42:03 oOFReplyToOriginator,otherMailbox,pOPCharacterSet,pOPContentFormat,personalPager,
2011-03-28 14:42:03 photo,preferredLanguage,promoExpiration,protocolSettings,publicDelegates,
2011-03-28 14:42:03 publicDelegatesBL,registeredAddress,replicatedObjectVersion,
2011-03-28 14:42:03 replicationSensitivity,replicationSignature,reportToOriginator,reportToOwner,
2011-03-28 14:42:03 roomNumber,secretary,securityProtocol,shadowExpire,shadowFlag,shadowInactive,
2011-03-28 14:42:03 shadowLastChange,shadowMax,shadowMin,shadowWarning,submissionContLength,
2011-03-28 14:42:03 supportedAlgorithms,targetAddress,telephoneAssistant,textEncodedORAddress,
2011-03-28 14:42:03 trackingLogPathName,type,uid,uidNumber,unauthOrig,unauthOrigBL,unixHomeDirectory,
2011-03-28 14:42:03 unixUserPassword,unmergedAtts,userPKCS12,userSMIMECertificate,
2011-03-28 14:42:03 x500uniqueIdentifier


This is caused by the difference between the source and target schema versions: the attributes listed above are not migrated to the target domain.

The system attribute exclusion list contains two attributes by default: mail and proxyAddresses. ADMT also reads the schema in the target domain. If the target domain schema is further extended, it adds any attributes to the list that are not part of the base schema. Attributes in this list are excluded from migration operations even if the attribute is not specified in the attribute exclusion list.

For more information about this see the article below "Migrating and Restructuring Active Directory Domains Using ADMT v3.1"

http://www.microsoft.com/downloads/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en

The self-extracting zip file is part of a multidisk zip file

I require the hotfix Cumulative update package 4 for SQL Server 2008 documented under KB963036.

http://support.microsoft.com/kb/963036

I sent in a request for the hotfix and Microsoft emailed me the download link. I retrieved the file 374964_intl_x64_zip.

When I run it and attempt to extract the archive I get the following message.

"The self-extracting zip file is part of a multidisk zip file. Please insert the last disk of the set."



I am given no option other than to press OK. When I press OK three times I get the following error:

"An error occurred while unzipping. One or more files were not successfully unzipped. The error code is 110."



I believe there may be something wrong with the hotfix. I contacted Microsoft using the appropriate Security Essentials portal for hotfix related problems.

https://support.microsoftsecurityessentials.com/Default.aspx

I will update this post when I hear back from Microsoft with the solution.

Resolution

I redownloaded the hotfix and it now works!

What's the difference between SSL Bridging and SSL Tunneling?

Many firewalls on the market support the concept of SSL Bridging and SSL Tunneling. Microsoft firewalls that support this functionality include:
- Internet Security and Acceleration (ISA)
- Forefront Threat Management Gateway (TMG)

What is the difference between SSL Bridging and SSL Tunneling?

SSL Bridging terminates the SSL/TLS session on the firewall: the firewall decrypts the traffic, inspects the plaintext HTTP request and response (filtering for malware and enforcing any content policies that apply), and then re-encrypts it on a second SSL/TLS session before passing it on. For outbound inspection the second session is to the client and usually uses a certificate issued by an internal Certificate Authority that the client has been configured to trust; for inbound web publishing the firewall presents the published site's certificate to the Internet client and opens its own connection to the internal web server.

SSL Tunneling relays the encrypted traffic unmodified, so the end client sees the origin server's own certificate. Because the firewall never sees plaintext, no content filtering can be applied to a tunneled connection; the firewall can only control which destinations and ports are allowed.

Two consequences of bridging are easy to overlook. The firewall, not the client, is the party that validates the origin server's certificate, so its validation settings (chain building, revocation checking, name matching) now matter more than the client's. And the internal CA's signing key becomes a high-value target, because whoever holds it can impersonate every site the clients visit.

Some companies may not wish to have SSL Bridging configured. When dealing with sensitive traffic such as online banking, I for one would be very concerned if I saw the SSL traffic coming to me with a certificate from an Internal Certificate Authority!
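One way to check what your own client is actually receiving, as an added PowerShell example that is not part of the original post. It opens a TLS connection, records the certificate chain the client sees, and reports whether the leaf certificate was issued by the issuer you expect; a leaf issued by an internal CA for a public site is the tell-tale of bridging on the path. The host name and expected issuer in the call at the bottom are placeholders.

```powershell
# Added example, not from the original post. Opens a TLS connection to a
# host, records the certificate chain the client actually receives, and
# reports whether the leaf was issued by the issuer you expect. A leaf
# issued by an internal/enterprise CA for a public site is the fingerprint
# of SSL bridging (HTTPS inspection) on the path.
# $HostName and $ExpectedIssuer are placeholders for your own environment.

function Get-TlsChainReport {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443,
        # Substring expected in the leaf certificate's Issuer, e.g. the
        # public CA name seen from an un-proxied network. Empty = report only.
        [string] $ExpectedIssuer = ''
    )

    # Accept any certificate here: we want to see the chain even when the
    # bridging CA has been pushed into the machine's trusted roots by policy.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors)
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }

    # Build the chain as this machine sees it. Revocation is not checked so the
    # result does not depend on CRL reachability through the same firewall.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void] $chain.Build($leaf)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $issuerOk = $true
    if ($ExpectedIssuer -ne '') { $issuerOk = ($leaf.Issuer -like "*$ExpectedIssuer*") }

    New-Object PSObject -Property @{
        Host             = $HostName
        Subject          = $leaf.Subject
        Issuer           = $leaf.Issuer
        RootSubject      = $root.Subject
        ChainLength      = $chain.ChainElements.Count
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        IssuerAsExpected = $issuerOk
    }
}

# Placeholders: the site to test and the public CA name you expect to see.
# On a bridged connection the Issuer shows the internal CA instead and
# IssuerAsExpected comes back False.
Get-TlsChainReport -HostName 'www.example.com' -ExpectedIssuer 'Public CA Name' | Format-List
```

Compare the Issuer seen from inside the network with the Issuer seen from a network you control; the site's real issuer is the same everywhere, so any difference is something on your path. The check only tells you what the client receives. Where bridging is intentional, the firewall's own certificate validation settings are what decide whether a forged origin server would be noticed, and they deserve the same review.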

Friday, March 25, 2011

Convert Octet String into Readable String

Below shows you how to view a user's GUID in Windows Server 2003.

In Server 2003, ADSI Edit displayed every GUID attribute in Active Directory as an Octet String on each Active Directory object.



In the Server 2008 ADSI Edit, GUID attributes are displayed in a readable format.



If you only have Server 2003, how can you read the GUID on Active Directory objects? Use the following script; here we are finding the GUID of my user account on my KBOMB domain.

Set objUser = GetObject("LDAP://CN=Clint Boessen,OU=Internal,OU=Users,OU=KBOMB,DC=kbomb,DC=local")

arrbytGuid = objUser.objectGuid
strHexGuid = OctetToHexStr(arrbytGuid)
strGuid = HexGuidToGuidStr(strHexGuid)

Wscript.Echo "Guid in display format: " & strGuid

Function OctetToHexStr(arrbytOctet)
' Function to convert OctetString (byte array) to Hex string.

Dim k
OctetToHexStr = ""
For k = 1 To Lenb(arrbytOctet)
OctetToHexStr = OctetToHexStr _
& Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function

Function HexGuidToGuidStr(strGuid)
' Function to convert Hex Guid to display form.
Dim k

HexGuidToGuidStr = ""
For k = 1 To 4
HexGuidToGuidStr = HexGuidToGuidStr & Mid(strGuid, 9 - 2*k, 2)
Next
HexGuidToGuidStr = HexGuidToGuidStr & "-"
For k = 1 To 2
HexGuidToGuidStr = HexGuidToGuidStr & Mid(strGuid, 13 - 2*k, 2)
Next
HexGuidToGuidStr = HexGuidToGuidStr & "-"
For k = 1 To 2
HexGuidToGuidStr = HexGuidToGuidStr & Mid(strGuid, 17 - 2*k, 2)
Next
HexGuidToGuidStr = HexGuidToGuidStr & "-" & Mid(strGuid, 17, 4)
HexGuidToGuidStr = HexGuidToGuidStr & "-" & Mid(strGuid, 21)
End Function


When I run the VBScript I get my GUID.



I also have code here for converting a SID from octet string, hex or binary to a string value. This script was developed by Richard, a Microsoft MVP in Scripting and ADSI.

Option Explicit
Dim objUser

Set objUser = GetObject("LDAP://CN=Clint Boessen,OU=Internal,OU=Users,OU=KBOMB,DC=kbomb,DC=local")
Wscript.Echo ObjSidToStrSid(objUser.objectSid)

Function ObjSidToStrSid(arrSid)
' Function to convert OctetString (byte array) to Decimal string (SDDL) \Sid.
Dim strHex, strDec

strHex = OctetStrToHexStr(arrSid)
strDec = HexStrToDecStr(strHex)
ObjSidToStrSid = strDec
End Function ' ObjSidToStrSid

Function OctetStrToHexStr(arrbytOctet)
' Function to convert OctetString (byte array) to Hex string.
Dim k

OctetStrToHexStr = ""
For k = 1 To Lenb(arrbytOctet)
OctetStrToHexStr = OctetStrToHexStr _
& Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function ' OctetStrToHexStr

Function HexStrToDecStr(strSid)
' Function to convert Hex string Sid to Decimal string (SDDL) Sid.

' SID anatomy:
' Byte Position
' 0 : SID Structure Revision Level (SRL)
' 1 : Number of Subauthority/Relative Identifier
' 2-7 : Identifier Authority Value (IAV) [48 bits]
' 8-x : Variable number of Subauthority or Relative Identifier (RID) [32 bits]
'
' Example:
' \Administrator
' Pos : 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
' Value: 01 05 00 00 00 00 00 05 15 00 00 00 06 4E 7D 7F 11 57 56 7A 04 11 C5 20 F4 01 00 00
' str : S- 1 -5 -21 -2138918406 -2052478737 -549785860 -500

Const BYTES_IN_32BITS = 4
Const SRL_BYTE = 0
Const IAV_START_BYTE = 2
Const IAV_END_BYTE = 7
Const RID_START_BYTE = 8
Const MSB = 3 'Most significant byte
Const LSB = 0 'Least significant byte

Dim arrbytSid, lngTemp, base, offset, i

ReDim arrbytSid(Len(strSid)/2 - 1)

' Convert hex string into integer array
For i = 0 To UBound(arrbytSid)
arrbytSid(i) = CInt("&H" & Mid(strSid, 2 * i + 1, 2))
Next

' Add SRL number
HexStrToDecStr = "S-" & arrbytSid(SRL_BYTE)

' Add Identifier Authority Value
lngTemp = 0
For i = IAV_START_BYTE To IAV_END_BYTE
lngTemp = lngTemp * 256 + arrbytSid(i)
Next
HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

' Add a variable number of 32-bit subauthority or
' relative identifier (RID) values.
' Bytes are in reverse significant order.
' i.e. HEX 01 02 03 04 => HEX 04 03 02 01
' = (((0 * 256 + 04) * 256 + 03) * 256 + 02) * 256 + 01
' = DEC 67305985
For base = RID_START_BYTE To UBound(arrbytSid) Step BYTES_IN_32BITS
lngTemp = 0
For offset = MSB to LSB Step -1
lngTemp = lngTemp * 256 + arrbytSid(base + offset)
Next
HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)
Next
End Function ' HexStrToDecStr
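The same two conversions in PowerShell, as an added example that is not part of the original post or Richard's script. It first walks the byte layout by hand, exactly as the VBScript above does, and then cross-checks the result against the .NET types that parse these structures. The SID bytes are the Administrator example from the comment block in the script; the GUID bytes are constructed for the example and belong to no real object, and the DN in the trailing comment is a placeholder.

```powershell
# Added example, not part of the original post. Converts objectSid and
# objectGuid byte arrays to their display form by hand, then checks the
# result against System.Security.Principal.SecurityIdentifier and System.Guid.

function ConvertFrom-OctetSid {
    param([Parameter(Mandatory = $true)] [byte[]] $Bytes)
    # Byte 0: revision, byte 1: number of sub-authorities,
    # bytes 2-7: 48-bit identifier authority, big-endian,
    # bytes 8..: 32-bit sub-authorities / RID, each little-endian.
    $revision = [int] $Bytes[0]
    $subCount = [int] $Bytes[1]
    if ($Bytes.Length -ne (8 + 4 * $subCount)) { throw "SID length does not match sub-authority count" }

    [int64] $authority = 0
    for ($i = 2; $i -le 7; $i++) { $authority = $authority * 256 + $Bytes[$i] }

    $sid = "S-$revision-$authority"
    for ($n = 0; $n -lt $subCount; $n++) {
        $base = 8 + 4 * $n
        [int64] $value = 0
        for ($offset = 3; $offset -ge 0; $offset--) {
            $value = $value * 256 + $Bytes[$base + $offset]   # reverse the byte order
        }
        $sid += "-$value"
    }
    return $sid
}

function ConvertFrom-OctetGuid {
    param([Parameter(Mandatory = $true)] [byte[]] $Bytes)
    if ($Bytes.Length -ne 16) { throw "A GUID is exactly 16 bytes" }
    $hex = @($Bytes | ForEach-Object { $_.ToString('x2') })
    # Data1 (4 bytes), Data2 (2) and Data3 (2) are stored little-endian and
    # must be reversed for display; the last 8 bytes are shown in stored order.
    $p1 = -join $hex[3..0]
    $p2 = -join $hex[5..4]
    $p3 = -join $hex[7..6]
    $p4 = -join $hex[8..9]
    $p5 = -join $hex[10..15]
    return "$p1-$p2-$p3-$p4-$p5"
}

# Constructed sample input: the Administrator SID from the comment above.
$sidBytes = [byte[]] (0x01,0x05,0x00,0x00,0x00,0x00,0x00,0x05,
                      0x15,0x00,0x00,0x00, 0x06,0x4E,0x7D,0x7F,
                      0x11,0x57,0x56,0x7A, 0x04,0x11,0xC5,0x20,
                      0xF4,0x01,0x00,0x00)
$sidManual = ConvertFrom-OctetSid $sidBytes
$sidDotNet = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
"SID : $sidManual  (matches .NET: $($sidManual -eq $sidDotNet))"

# Constructed sample input: 16 sequential bytes, so the endian swap is visible
# in the output (04030201-0605-0807-090a-0b0c0d0e0f10).
$guidBytes = [byte[]] (1..16)
$guidManual = ConvertFrom-OctetGuid $guidBytes
$guidDotNet = (New-Object System.Guid -ArgumentList (,$guidBytes)).ToString()
"GUID: $guidManual  (matches .NET: $($guidManual -eq $guidDotNet))"

# Against a live object the ADSI property already comes back as byte[]:
#   $user = [ADSI] "LDAP://CN=Some User,OU=Users,DC=example,DC=local"   # placeholder DN
#   ConvertFrom-OctetSid  ([byte[]] $user.objectSid.Value)
#   ConvertFrom-OctetGuid ([byte[]] $user.objectGuid.Value)
```

The hand-rolled functions exist to show the layout; in production use the two .NET constructors, which also reject malformed input. Note that the byte order differs between the two structures: SID sub-authorities and the GUID's first three fields are little-endian, while the SID identifier authority is big-endian, which is why the VBScript reverses some groups and not others.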

Thursday, March 24, 2011

Datacenter Activation Coordination mode

Consider a scenario where the first datacenter contains two DAG members and the witness server, and the second datacenter contains the other two DAG members. If the first datacenter loses power and you activate the DAG in the second datacenter (for example, by activating the alternate file share witness in the second datacenter), and the first datacenter is then restored without network connectivity to the second datacenter, the DAG may enter a split-brain condition: each datacenter can form a quorum on its own and mount the same databases.

Datacenter Activation Coordination (DAC) mode prevents split brain syndrome from occurring by including a protocol called Datacenter Activation Coordination Protocol (DACP). After a catastrophic failure, when the DAG recovers, it won't automatically mount databases even though the DAG has a quorum. Instead DACP is used to determine the current state of the DAG and whether Active Manager should attempt to mount the databases.

Datacenter Activation Coordination (DAC) mode is disabled by default.

DACP was created to address this issue. Active Manager stores a bit in memory (either 0 or 1) that tells the DAG whether it is allowed to mount the local databases that are assigned as active on that server. When a DAG is running in DAC mode (which in Exchange 2010 RTM would be any DAG with three or more members; SP1 extends DAC mode to two-member DAGs), each time Active Manager starts up the bit is set to 0, meaning it isn't allowed to mount databases. Because it's in DAC mode, the server must try to communicate with all other members of the DAG that it knows about to get another DAG member to tell it whether it can mount the local databases assigned as active to it. The answer comes in the form of the bit setting of the other Active Managers in the DAG. If another server responds that its bit is set to 1, servers are allowed to mount databases, so the server starting up sets its bit to 1 and mounts its databases.

But when you recover from a primary datacenter power outage where the servers are recovered but WAN connectivity has not been restored, all of the DAG members in the primary datacenter will have a DACP bit value of 0; and therefore none of the servers starting back up in the recovered primary datacenter will mount databases, because none of them can communicate with a DAG member that has a DACP bit value of 1.

To enable DAC mode use the following powershell command:

Set-DatabaseAvailabilityGroup -Identity TOPHDAG01 -DatacenterActivationMode DagOnly


To view whether DAC mode is enabled you may run:

(Get-DatabaseAvailabilityGroup).DatacenterActivationMode

This will say either Off or DagOnly
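A report-and-enable pass over every DAG in the organisation, as an added PowerShell example (not from the original post). It assumes the Exchange 2010 Management Shell is loaded; the function names and the member-count threshold are mine, everything else comes from the DAG objects themselves.

```powershell
# Added example, not part of the original post. Run in the Exchange 2010
# Management Shell. Reports the DAC setting of every DAG and enables DagOnly
# where it is still Off. -WhatIf previews without changing anything.

function Get-DagDacReport {
    foreach ($dag in Get-DatabaseAvailabilityGroup) {
        New-Object PSObject -Property @{
            Name    = $dag.Name
            Members = @($dag.Servers).Count
            Witness = $dag.WitnessServer
            DacMode = $dag.DatacenterActivationMode   # Off or DagOnly
        }
    }
}

function Enable-DagDacMode {
    param(
        [switch] $WhatIf,
        # Exchange 2010 RTM supports DAC mode only on DAGs with three or more
        # members; SP1 lowers this to two. Set to match your service pack.
        [int] $MinimumMembers = 3
    )
    foreach ($dag in Get-DagDacReport) {
        if ($dag.DacMode -eq 'DagOnly') {
            "{0}: DAC already enabled" -f $dag.Name
            continue
        }
        if ($dag.Members -lt $MinimumMembers) {
            "{0}: only {1} member(s), skipping" -f $dag.Name, $dag.Members
            continue
        }
        Set-DatabaseAvailabilityGroup -Identity $dag.Name -DatacenterActivationMode DagOnly -WhatIf:$WhatIf
    }
}

Get-DagDacReport | Format-Table Name, Members, Witness, DacMode -AutoSize
Enable-DagDacMode -WhatIf
Enable-DagDacMode
Get-DatabaseAvailabilityGroup | ForEach-Object { "{0}: {1}" -f $_.Name, $_.DatacenterActivationMode }
```

Once DAC mode is on, a datacenter switchover is performed with Stop-DatabaseAvailabilityGroup, Restore-DatabaseAvailabilityGroup and Start-DatabaseAvailabilityGroup rather than by manipulating the cluster directly; those cmdlets require DAC mode, which is the other reason to enable it before you need it.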

Friday, March 11, 2011

Logon Script from Profile Tab Not Working

When specifying the logon script via the user account ensure you do not enter a full UNC path.

\\source.local\netlogon\logon.bat does not work.



logon.bat does work.



The logon script field in the user account properties is relative to the NETLOGON share (\\domain\netlogon), so enter only the script name, or a sub-folder path below NETLOGON.

The publisher could not be verified.

When running scripts from network shares you may receive the following warning:

The publisher could not be verified. Are you sure you want to run this software?



This prevents the logon script from automatically running when a user logs into their workstation.

Create a group policy object and navigate to User Configuration --> Administrative Templates --> Windows Components --> Attachment Manager

Add "logon.bat" to the "Inclusion list for moderate risk file types" setting.



You can also use wildcards such as *.bat and commas to separate entries. Be aware that this lowers the Attachment Manager risk rating for every .bat file from that zone, not just the logon script. The warning normally appears because the UNC path is mapped to the Internet zone (a dotted FQDN such as \\source.local is not treated as intranet by default); adding the server or domain to the Local Intranet zone with the "Site to Zone Assignment List" policy under Windows Components --> Internet Explorer --> Internet Control Panel --> Security Page addresses the cause rather than the symptom.
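A quick way to see which zone Windows assigns to the script path, and what the Attachment Manager policy currently contains on a machine, as an added PowerShell example that is not part of the original post. The two UNC paths are the ones from the post, used here as placeholders; the function names are mine.

```powershell
# Added example, not part of the original post. Shows which URL security zone
# Windows assigns to a script path (this is what Attachment Manager consults)
# and what the risk-type inclusion lists currently contain on this machine.

function Get-PathSecurityZone {
    param([Parameter(Mandatory = $true)] [string] $Path)
    # Zone.CreateFromUrl asks the same URL Security Zone Manager (the IE zone
    # settings) that Attachment Manager uses to decide whether a file from a
    # share counts as "from the Internet". UNC paths are passed as file: URLs.
    $url = $Path
    if ($Path.StartsWith('\\')) { $url = 'file:' + ($Path -replace '\\', '/') }
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($url)
    New-Object PSObject -Property @{ Path = $Path; Zone = $zone.SecurityZone }
}

function Get-AttachmentManagerRiskLists {
    # Values written by the Attachment Manager settings under
    # User Configuration > Administrative Templates > Windows Components.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key |
        Select-Object LowRiskFileTypes, ModRiskFileTypes, HighRiskFileTypes
}

# A dotted FQDN path is typically mapped to the Internet zone while the short
# name of the same server lands in Local Intranet; that difference is what
# triggers "The publisher could not be verified" for the logon script.
Get-PathSecurityZone '\\source.local\netlogon\logon.bat'
Get-PathSecurityZone '\\source\netlogon\logon.bat'
Get-AttachmentManagerRiskLists
```

Run it as the affected user after a gpupdate; the zone result reflects that user's Internet Explorer zone configuration, and the policy key only exists once a GPO has written it.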

Monday, March 7, 2011

Internet Explorer 9

As I'm a Microsoft Engineer I always put Microsoft products first. I use Internet Explorer 8.0 on my desktop PC and high performance laptops.

Being an IT geek I have a number of computers I use for different purposes. I purchased an Asus Eee PC netbook for when I'm on the go and want something light and portable (with a USB port), which rules out the iPad!

I installed Windows 7 Ultimate on the Eee PC netbook and set the windows theme to "Windows Classic" to provide best optimized performance.

My Eee PC only has an Intel Atom N450 @ 1.44GHz processor that delivers a performance score of 2.3 (pretty poor).



Internet Explorer 8.0 ran like a dog! Performing simple tasks such as using Exchange 2010 Outlook Web App and Facebook, it continuously hung and became unresponsive. As a result I was forced to install Google Chrome; the performance difference between IE 8.0 and Chrome was amazing!

After just getting back from the MVP summit in Seattle I was speaking with some of the Internet Explorer 9 MVPs. They mentioned that Internet Explorer 9 was completely redesigned and now provides fantastic performance, even faster than Chrome! This I had to see for myself, as I found it very hard to believe them (being IE junkies).

I just installed IE 9.0 RC on my Eee PC and yes, it is amazingly fast (it is performing faster than Chrome!). If you have tried IE 9.0 Beta and were unimpressed, I encourage you to try the RC. Between the Internet Explorer 9 Beta and Internet Explorer 9 RC releases, over 2,000 changes have been made to improve browser performance for real customer scenarios.

Internet Explorer 9 RC starts faster, loads webpages faster, and allows you to interact with web pages faster than ever before. One thing I liked is that it actually timed how long it took to load each of my browser Add-ons. I was then able to disable Add-ons such as Microsoft Corporation "Search Helper", which took 0.22 seconds to load. It prompted me to do this, making it very easy for end users!

The site loading indicator is making sense now! I was very disappointed with previous versions.

However Microsoft failed to listen to the community on some key features. Internet Explorer 9 RC is still missing a Spell Checker - ahhg. This means you need to download a third party add-on to perform this functionality. A download manager would also be an awesome addition.

Microsoft has led the way in terms of hardware acceleration for web browsing. Check out this comparison video of a web app that takes advantage of graphics acceleration (Chrome vs IE9).

http://www.youtube.com/watch?v=jhi70EJlw7w

IE9 also adds support for HTML5 standards.

I have now uninstalled Chrome from my Asus EeePC and I'm back on the Microsoft ship for web browsing on low performing devices.

The following URLs are comparison articles comparing the current web browsers on the market to Internet Explorer 9.

http://www.nirmaltv.com/2010/09/16/internet-explorer-9-vs-google-chrome-6-vs-firefox-4b/

http://news.softpedia.com/news/IE9-RC-vs-Chrome-10-9-vs-Opera-11-vs-Firefox-11-Performance-Comparison-183973.shtml

For benchmark tests refer to this blog post:
http://haxterslab.blogspot.com/2011/02/internet-explorer-9-rc-review.html

Feature Comparison:
http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/compare-browsers