Monthly Archives: August 2012

Install a Certificate for Remote Desktop Services or Terminal Services on a Terminal Server

You’ll need a .pfx certificate for this guide. Once you have your certificate and any intermediates that need to be installed, export the certificate with the entire chain included in the export, assign a password, and then save the .pfx somewhere you can access it from the terminal server.

On the Terminal Server in Question:

  1. Click “Start” and then “Run”.
  2. Enter “mmc” and then click “OK”.
  3. Click on the “File” menu and then select “Add/Remove Snap-in…”.
  4. Click “Certificates” and then click “Add >”. When prompted, choose the “Computer Account” option and then click “Next >”.
  5. Select “Local Computer” and then click “Finish”.
  6. Click “OK” to complete the add snap-in wizard and then expand “Certificates (Local Server)”.
  7. Right click on the “Personal” folder and then select “All Tasks”, then “Import…”.
  8. Click “Next >” and then locate the .pfx you saved earlier. Click “Next >”.
  9. Enter your password, and then click “Next >”, click “Next >”, click “Finish”.
  10. Now open “Remote Desktop Session Host Configuration”.
  11. Right click on “RDP-tcp” in the center of the window and select “Properties”.
  12. On the “General” tab, click the “Select” button, select your certificate, and then click “OK”.
  13. Click “OK” one more time, and then all future connections will be secured by the certificate.
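
The same import and binding can be scripted. The PowerShell below is an added example, not part of the original post: it loads the .pfx, refuses a certificate the listener could not use (no private key, expired, or missing the Server Authentication EKU), and sets it on the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class. The .pfx path is a placeholder.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the terminal server. $PfxPath is a placeholder path.
$PfxPath = 'C:\Temp\rds-cert.pfx'
$secure  = Read-Host 'PFX password' -AsSecureString
$bstr    = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain   = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# MachineKeySet + PersistKeySet keeps the private key in the machine store.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($PfxPath, $plain, $flags)
$leaf = $chain | Where-Object { $_.HasPrivateKey } | Select-Object -First 1

# Refuse certificates the listener could not use or clients would reject.
if (-not $leaf) { throw 'No certificate with a private key in the .pfx.' }
if ($leaf.NotAfter -lt (Get-Date)) { throw "Certificate expired $($leaf.NotAfter)." }
$eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Certificate EKU does not include Server Authentication.'
}

function Add-ToStore($cert, $storeName) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
}
# Leaf goes to Personal ("My"); intermediates go to Intermediate CAs ("CA").
# Self-signed roots are skipped: trusting a root should be a separate decision.
Add-ToStore $leaf 'My'
$chain | Where-Object { -not $_.HasPrivateKey -and $_.Subject -ne $_.Issuer } |
    ForEach-Object { Add-ToStore $_ 'CA' }

# Bind the thumbprint to the RDP-Tcp listener, then read it back to confirm.
$ns     = 'root\cimv2\TerminalServices'
$filter = "TerminalName='RDP-Tcp'"
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter $filter
Set-WmiInstance -Path $rdp.__PATH -Arguments @{ SSLCertificateSHA1Hash = $leaf.Thumbprint } | Out-Null

$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter $filter
if ($rdp.SSLCertificateSHA1Hash -ne $leaf.Thumbprint) {
    throw 'Listener did not accept the certificate.'
}
# SecurityLayer and MinEncryptionLevel show whether TLS is actually negotiated.
$rdp | Select-Object TerminalName, SSLCertificateSHA1Hash, SecurityLayer, MinEncryptionLevel
```

If clients still see the self-signed certificate after binding this way, check that the NETWORK SERVICE account can read the certificate’s private key.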


Outlook 2010/2007 stuck in disconnected state for one user

Ran into a problem today with an Outlook 2010 client that would not leave the “disconnected” state. I restarted the computer, verified the mailbox was still active in Exchange 2003, and verified that this problem was not affecting other users, even ones on the same PC. I tried to create a new Outlook profile, but during the setup I kept getting the same error:

“Microsoft Exchange Server reported error: The server is not available. Contact your administrator if this condition persists”

It appears that just this one user cannot connect to Exchange. The way that we solved this problem was by increasing the maximum number of connections that each user can make to Exchange 2003. Follow these steps on your Exchange server:

  1. Open Regedit
  2. Navigate to HKLM\CurrentControlSet\Services\MicrosoftExchangeIS\ParametersSystem
  3. Create a new DWORD called “Maximum Allowed Sessions Per User” and set it to decimal 64.
  4. Restart the “Microsoft Exchange Information Store” service
  5. Attempt to reconnect with the user’s Outlook.

Hopefully this took care of your problem user.


Analyzing Dump Files using WinDbg on Windows 7

I figured I’d toss this information up here because every time I get a new computer I end up spending an hour of my life figuring this out again. It’s not overly complicated, but why spend any more time than I have to, right?

  1. Okay, well first things first, we need to download and obtain the Windows 7 SDK from here.
  2. Start an installation, and when prompted, choose custom.
  3. Install only the Debugging Tools for Windows components.
  4. Launch the Windbg.exe tool and enter the following command to set your symbol locations: .sympath SRV*C:\symbols*
  5. Go to the File menu and click “Save Workspace”.
  6. Create a new System Environment Variable to remember that location for the future:  _NT_SYMBOL_PATH = symsrv*symsrv.dll*c:\symbols*
  7. Now you can start to analyze Crash dump files by clicking on File and then Open Crash Dump.

Download SBS, Small Business Server 2011 Volume License Media

I recently ran into an issue where I was expecting to be able to download the Open/Volume License Media for SBS 2011 and was surprised to find out that Microsoft does not allow you to download it; they force you to have the physical media sent to you via the mail.

I’m happy to announce that if you just head over and download the trial media, the Volume License key works, and you can use the trial media and Volume key to get your SBS 2011 server up and running. You can download the trial media for SBS here.

Windows 7 refuses to enable Offline Files, Sync Center will not stay enabled

I just had a super headache of a problem. I had Windows 7 laptops that would not, for the life of me, keep Sync Center enabled. I’d enable it, and then after a reboot it would be disabled again, nothing in the logs, just disabled. I got creative and forced it to be enabled via a GPO, but still! After a reboot it would be disabled.

I read a bunch of KB articles, and the final result was a combination of Oplocks and re-initializing the offline files cache. Here is what I did, and I’m happy to report that it’s worked on more than one computer having the same issue:

Enable Opportunistic Locking

  1. Open Regedit
  2. Navigate to HKEY_Local_Machine\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
  3. Create a new REG_DWORD titled “EnableOplocks” and set it to “1”
  4. Navigate to HKEY_Local_Machine\SYSTEM\CurrentControlSet\Services\MRXsmb\Parameters\
  5. NOTE: Create a new key “Parameters” if it does not exist under MRXsmb
  6. Create a new REG_DWORD titled “OplocksDisabled” and set it to “0”
  7. Reboot the computer

Reinitialize the Offline Files Cache

  1. Open Regedit
  2. Navigate to HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\NetCache
  3. Create a new REG_DWORD titled “FormatDatabase” and set it to “1”
  4. Reboot

You should now be able to enable offline files (if not already being enforced by a GPO). It will ask you to reboot, and afterwards it should remain enabled.


Apply Internet Explorer Settings with Group Policy without preventing users from making additional changes

Let’s say you want to roll out some default settings to IE, but you don’t want to prevent users from making additional changes. In the past I’ve seen this done through the Site to Zone Assignment List GPO but you end up with users who can’t modify those settings once they are set at the GPO level. The problem is this: say you’ve got a partial list of websites that should be placed in Trusted sites, but you don’t have the full list and you know users are going to need to add additional sites ad hoc.

Here is the better way to configure these settings:

  1. Open Group Policy Management Console, and Create a new GPO
  2. Expand User Configuration, Policies, Windows Settings, and Internet Explorer Maintenance, and finally Security
  3. Double click on “Security Zones and Content Rating”
  4. If and when the “Internet Explorer Enhanced Security Configuration” warning appears click on “Continue”
  5. Change the “Security and Privacy Settings” section to “Import the current security zones and privacy settings” and then click the “Modify Settings” button
  6. Make all of the appropriate changes for your environment and then press OK. These will now be the default settings for any users whom this GPO affects.

To be clear, I’ve not tested to see if these settings will re-apply if they are removed by the users, but my hunch is that if a user tries to remove any of these settings, they will be reapplied the next time the GPO is processed.