Sysadminsblog.com Anything for sysadmins!

13Sep/116

Event 58 – The disk signature of disk n is equal to the disk signature of disk n

Log Name: System
Source: partmgr
Event ID: 58
Task Category: None
Level: Warning
Description:
The disk signature of disk 2 is equal to the disk signature of disk 0.

This error occurred on one of the virtual machines on the ESX environment. It probably also caused another error a bit further up in the event viewer.

Log Name: System
Source: VDS Basic Provider
Event ID: 1
Task Category: None
Level: Error
Description:
Unexpected failure. Error code: D@01010004

Disk 0 is the system disk, which contains the Windows 2008 R2 installation. Disk 2 on the other hand is non-existent, or better said, hidden. This error can easily cause errors with your backup software like Backup Exec.

You can also run into this error when you're using Hyper-V and you're making a backup using Backup Exec by means of the Hyper-V agent. It will then mount the virtual machine disk on the host server. If the host server disk and the virtual machine disk have the same disk ID they will clash, causing Event ID 58.

If you do the following, you can get the current disk ID:

  1. Start a cmd as administrator
  2. Type:
    diskpart
  3. Type:
    list disk
  4. Type:
    select disk 0

    (replace the 0 with the disk indicated in Event ID 58)

  5. Type:
    detail disk

As you can see, my disk ID is 3B9ED7B7. This seems to clash with another hidden disk that has the same disk ID. To change the disk ID you'll have to download the Windows 2000 Resource Kit, or find dumpcfg.exe through Google (dumpcfgx64.exe if you're on 64-bit).

Once you've downloaded the utility you'll have to start a cmd as administrator and run the utility with the parameter -S followed directly by the new disk ID, a space and the number of the disk that you used in the select disk command above.

  1. Start a cmd as administrator
  2. Type:
    dumpcfgx64.exe -S3B9ED7B8 0
  3. Or use diskpart and select disk (ID) then type:
    uniqueid disk id=3B9ED7B8

When you follow the procedure to get your disk ID again you'll notice that it's been changed to the new value.
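To find the clash without walking through diskpart disk by disk, here is an added example that is not part of the original post. It pulls the disk pairs out of Event 58 descriptions and lists every signature shared by more than one disk that WMI enumerates, printed in hex the way diskpart shows the disk ID. The function names are hypothetical, and using `partmgr` as the provider name is an assumption based on the Source field shown above.

```powershell
# Added example (not from the original post). Function names are hypothetical.

# Extract the two disk numbers from a partmgr Event 58 description.
function Get-ClashingDiskPair {
    param([string[]]$Message)
    $pattern = 'disk signature of disk (\d+) is equal to the disk signature of disk (\d+)'
    foreach ($m in $Message) {
        if ($m -match $pattern) {
            New-Object PSObject -Property @{
                DiskA = [int]$Matches[1]
                DiskB = [int]$Matches[2]
            }
        }
    }
}

# Group disks by signature and return only the signatures held by more than one disk.
function Get-DuplicateDiskSignature {
    param([object[]]$Disk)
    $Disk |
        Where-Object { $_.Signature } |          # skip disks that report no signature
        Group-Object -Property Signature |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Signature = '{0:X8}' -f [uint32]$_.Group[0].Signature
                Disks     = @($_.Group | ForEach-Object { $_.Index })
            }
        }
}

# Constructed sample: the description text of the event shown above.
$sample = 'The disk signature of disk 2 is equal to the disk signature of disk 0.'
Get-ClashingDiskPair -Message $sample

# Live data: Event 58 entries from the System log (assumed provider name: partmgr).
$filter = @{ LogName = 'System'; ProviderName = 'partmgr'; Id = 58 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    Get-ClashingDiskPair -Message ($events | ForEach-Object { $_.Message }) |
        Sort-Object DiskA, DiskB -Unique
}

# Live data: signatures of the disks WMI can see on this machine.
Get-DuplicateDiskSignature -Disk (Get-WmiObject -Class Win32_DiskDrive)
```

A disk that WMI does not enumerate will not show up in the second list, so an empty result there does not rule out the clash reported in the event log.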

18Aug/110

Mailbox Import/Export Exchange cmdlets unavailable

The <verb>-MailboxExportRequest and <verb>-MailboxImportRequest cmdlets have been introduced in Exchange 2010 SP1 to simplify the export of messages directly into a PST file from PowerShell. The previous requirement to have Outlook and some other software installed on the exporting computer has been dropped and the whole export process has been moved to the Mailbox Replication Service (MRS). A small disadvantage is that the cmdlets are not available by default, as you'll first need to assign the proper permission to your role group.

I can write in detail how to add these permissions, but Microsoft has done this quite well already in this TechNet article: Add the Mailbox Import Export Role to a Role Group

This command will get you started:

New-ManagementRoleAssignment -Name "Import Export_Enterprise Support" -SecurityGroup "Enterprise Support" -Role "Mailbox Import Export"

18Aug/110

Unable to open PST file with mailbox import/export requests

I was trying to do an export of a mailbox using the New-MailboxExportRequest cmdlet in Exchange 2010 SP1. However, instead of creating a PST it gave me an error.

Unable to open PST file '\\Server\Exports\Test.pst'. Error details: Access to the path '\\ExServer1\Imports\Test1.pst' is denied.;

Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: Access to the path '\\Server\Exports\Test.pst' is denied.

I was soon pointed in the right direction by a blog post by Tony Redmond. He indicated that because the Mailbox Replication Server (MRS) is running as LocalSystem it can't access a network share. By adding the Exchange Trusted Subsystem group to the share permissions you will give the LocalSystem account and therefore MRS access to the share.

4Aug/110

App-V error 4615186-19D0810A-10000005 after importing Adobe Photoshop CS5 sequence project

I created an App-V package of Adobe Photoshop CS5 using the App-V Sequencer. I already read that Adobe Photoshop CS5 was quite a hassle to get sequenced, so I followed a few pieces of advice I found through Google. The sequencing was actually quite smooth although lengthy. After importing the .sprj file into the Application Virtualization Management Console and starting a Server Refresh in the Application Virtualization Client it consistently refused.

The error I got was 4615186-19D0810A-10000005 which is actually quite well known in the App-V community so it seems.

The refresh, that usually takes a couple of seconds, timed out after 20 seconds. During that time it was showing the status Ongoing.

I did a LOT of debugging before I found the cause of the error. Enabling verbose logging on server and client didn't reveal anything more than I already knew.

[08/03/2011 16:18:50:149 MIME ERR] {tid=3E8:usr=<username>}

Failure on Desktop Configuration Server request to URL {rtsp://appv:554/} with header {Host: appv

Content-Type: text/xml

AppV-Op: Refresh

} (rc 19D0810A-10000005).

Solution

The solution was kind of a longshot, but removing all File Type Associations did do the trick. Afterwards I tried removing them a couple at a time, but I didn't find a specific one that was causing it all. Thankfully it was working when I removed everything but the PSD extension, as that's the bare minimum I wanted.

29Jul/115

Setting up App-V Management Server

Introduction

Application Virtualization is not the most commonly used technology. However there are quite a lot of advantages to using this software over using GPOs or manually installing software.

  • Centralized application management - Deploy, update and remove applications from a central location
  • Application conflicts - Applications are running in an isolated environment and are therefore not conflicting with other applications installed on the computer.
  • Combine dependent applications in a single package - Deploy a single package to multiple clients without having to worry about dependencies.

As with most software there are some alternatives to App-V. Make sure that you know the pros and cons of each before you make your decision.

I'll skip the pros and cons because these will change quite rapidly and you probably already decided on App-V.

App-V consists of a couple of components.

  • App-V Management Server - Delivers the sequenced applications on-demand.
  • App-V Management System - Consists of the App-V Management Console and the App-V Management Service.
  • App-V Sequencer - Produces the application package consisting of a couple of files.
    • Open Software Description (.osd)
    • Sequenced Application File (.sft)
    • Icon File (.ico)
    • XML Manifest of the Sequence Project (.sprj)
    • A MSI file can be included for offline deployments.
  • App-V Streaming Server - In charge of streaming the packages to clients that lack a good connection to the Management Server.
  • App-V Client - Is installed on the OS of the end-user and communicates with the Management Server. Manages package streaming into cache and publishing refresh, also stores the user-specific information related to the package.

You can find the hardware and software requirements for all the components here.

App-V Infrastructure models

There are several ways of implementing App-V into your environment depending on your requirements.

Stand-Alone Model

The minimalist mode of App-V doesn't require any infrastructure except for the App-V Sequencer and the App-V Client. The packages can be deployed manually, using group policies or using System Center Configuration Manager (SCCM). This is mostly used for smaller companies, and companies that have a lot of Offline users.

Streaming Model

This model is mostly focused on platforms that don't want to run Management Servers. This means that a SQL database is not needed and the permissions are set through ACLs. The difference with the previous model is that by adding the App-V Streaming Server component the applications can be streamed to low-bandwidth clients like clients in branch offices.

Full Infrastructure Model

By utilizing all components of App-V you gain the full advantage of the technology. You can choose not to install the App-V Streaming Server component if you don't have clients on low-bandwidth connections. Using the App-V Management Server will add the application shortcuts within the process of deployment, and also enables features like reporting using a SQL database and central management of application licenses.

Prerequisites

As the management server is using SQL and IIS we'll need to make sure that these are setup correctly before we start. This will minimize the possibility of errors during the setup process.

Adding the IIS role to Windows Server 2008:

  1. Click Start > All Programs > Administrative Tools and select Server Manager
  2. Right-click the Roles node and click Add Roles
  3. Select the Server Roles page click Next and then click Next again
    1. Under Application Development select ASP.NET and when prompted, click Add Required Role Services
    2. Under Security, select Windows Authentication
    3. In the Management Tools node, select IIS Management Scripts and Tools
    4. Under IIS 6 Management Compatibility, ensure that both IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility are selected and click Next
  4. Click Install on the Confirm Installation Selections page
  5. Click Close to exit the Add Roles Wizard

Now we need to tweak IIS a bit by adding some MIME types needed in App-V.

  1. Start the IIS Manager
  2. Select the Default Web Site > SoftGridManagement
  3. Double-click the MIME Types feature
  4. On the action panel, click Add
  5. In the Extension box, type OSD
  6. In the MIME box, type application/softricity-osd
  7. Click OK
  8. Run iisreset to activate the changes

Installing the App-V Management Server

After downloading the Microsoft Desktop Optimization Pack (MDOP) unpack, mount or burn it.

  1. Launch the MDOP autorun
  2. Select Install Management Server 4.5 SP2
  3. Click Next on the welcome screen
  4. Check the I accept license terms and conditions and click Next
  5. Enter your registration information
  6. Select Custom and click Next
  7. I recommend keeping the default features and path and clicking Next

  8. As my SQL server is not listed, I'll check the box and enter the server name and port, then click Next

  9. Normally you would create a database, unless a DBA already created a database for you. Since I'm my own DBA I'll have App-V create it for me by selecting Create a new database and click Next

  10. I choose not to enable the Use enhanced security for now. You can enable this later if you want to. Click Next.

  11. Accept the defaults for the RTSP (Real Time Streaming Protocol) port: 554

  12. Enter the group name that you want to give administrative access to the App-V Management Console. It will resolve the group and allow you to select a group if multiple results are returned. Click Next.

  13. Enter the group name that you want to give access to the App-V application packages. It will resolve the group and allow you to select a group if multiple results are returned. Click Next.

  14. Here you can change the default location where the application content will be stored. Accept the default and click Next.
  15. Click Install to start the installation process.

An installation result will be given and a reboot is requested. After the reboot there are still a couple of tasks to perform.

Share the content folder - The default folder (C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server\content) will have to be shared to give the clients access to the installation packages.

  1. Right-click the folder and select Share with > Advanced sharing

  2. Click Advanced Sharing

  3. Check Share this folder

  4. Click the Permissions button and give the Everyone group Full Control

  5. Click OK, OK, and Close

Set permissions on the content folder - People that need to use the App-V packages need to be able to access them. Therefore the permissions need to be set to allow this.

  1. Right-click the content folder and select Properties
  2. Click the Security tab
  3. Click Edit
  4. Click Add
  5. Enter your App-V users group, Domain Users or even Everyone if you want to
  6. Give the group the Read & Execute, List folder contents and Read permissions
  7. Click OK twice

Set firewall exceptions - If you have the Windows Firewall running on your App-V server you'll have to allow clients access to the App-V components

  1. Start Windows Firewall with Advanced Security
  2. Select Inbound Rules and click New Rule
  3. Select Program and click Next

  4. Click Browse and browse to C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server\bin\sghwdsptr.exe then click Open and click Next
  5. Select Allow the connection and click Next
  6. Select all options and click Next
  7. Enter a Name, optionally a Description and click Finish
  8. Repeat steps 2 to 7 for C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server\bin\sghwsvr.exe
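
A scripted equivalent of the three post-install tasks above (share, NTFS permissions, firewall rules), as an added example that is not part of the original post. The share is scoped to two groups instead of Everyone with Full Control; the group names are placeholders, and the narrower share permissions rest on the assumption that clients only read packages over the share.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the App-V Management Server.
# $AppVUsers and $AppVAdmins are placeholder group names (assumptions).
$Root       = 'C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server'
$Content    = Join-Path $Root 'content'
$AppVUsers  = 'DOMAIN\App-V Users'
$AppVAdmins = 'DOMAIN\App-V Administrators'

# 1. Share the content folder.
#    As described in the post (Everyone, Full Control on the share):
#      net share "content=$Content" "/GRANT:Everyone,FULL"
#    Narrower variant used here: read for package users, full control for
#    the group that copies new packages onto the share.
net share "content=$Content" "/GRANT:$AppVUsers,READ" "/GRANT:$AppVAdmins,FULL"

# 2. NTFS permissions on the content folder: Read & Execute for package users,
#    inherited by subfolders (CI) and files (OI).
icacls "$Content" /grant "${AppVUsers}:(OI)(CI)RX"

# 3. Inbound firewall rules for the two App-V server executables,
#    on all profiles (the "select all options" step in the wizard).
foreach ($exe in 'sghwdsptr.exe', 'sghwsvr.exe') {
    $program = Join-Path $Root "bin\$exe"
    netsh advfirewall firewall add rule name="App-V $exe" dir=in action=allow program="$program" profile=any enable=yes
}

# 4. Review the result: share permissions, folder ACL and both firewall rules.
net share content
icacls "$Content"
netsh advfirewall firewall show rule name="App-V sghwdsptr.exe"
netsh advfirewall firewall show rule name="App-V sghwsvr.exe"
```

With Everyone at Full Control on the share, the NTFS permissions are the only thing limiting access, so the `icacls` output in step 4 is the line to check after any later change to the folder.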

Now we need to change a couple of App-V settings to make it all work properly.

  1. Open the Application Virtualization Management Console
  2. In the Default Content Path, type \\<servername>\content
  3. Click OK

You can now start the Application Virtualization Management Console.

To make sure that everything is working you can install the App-V client on a workstation and see if the Default Application will stream and run properly.

You can always comment below if you run into any errors.

25Jul/113

Word shortcut for creating blog posts

From Word 2007 Microsoft introduced the option to use Word as a blogging client for WordPress or many other blogging services. However if you blog regularly, you will be annoyed by the normal procedure.

  1. Start Word
  2. Click File > New and
  3. Select Blog post

That's a bit too much clicking (or too many shortkeys) for lazy me. That's why I wanted to shorten this process; here's how.

  1. Find the location of winword.exe
    C:\Program Files\Microsoft Office\Office<version>\WINWORD.EXE
    Word 2007:    12
    Word 2010:    14
  2. Find the location of Blog.dotx
    C:\Program Files\Microsoft Office\Templates\<language ID>\Blog.dotx
    English - US:    1033
    Dutch - NL:    1043
    German - DE:    1031
    Find your language ID here: http://technet.microsoft.com/en-us/library/cc179219.aspx
  3. Right-click your desktop and select New > Shortcut
  4. Enter the following location:
     "<location winword.exe>" /q /t"<location Blog.dotx>"
     "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /q /t"C:\Program Files\Microsoft Office\Templates\1033\Blog.dotx"
  5. Enter a suitable name for the shortcut like Microsoft Word 2010 - Blog
  6. Click Finish

I added the shortcut to my start menu in the Microsoft Office folder. This way I can type blog after pressing the Windows Key followed by an enter to start Word with the blog template.

19Jul/110

Slow mail delivery to Outlook client from Exchange 2010

I just had a lot of problems with email being delivered to my Outlook 2010 really slow. The following findings are the result of my troubleshooting:

  • Messages are delayed ranging from a couple of minutes up to an hour when using Outlook 2010 (using RPC or Outlook Anywhere)
  • Messages are not delayed in OWA
  • PowerShell shows the messages being delivered into the proper folder (Get-MailboxFolderStatistics)
  • Message tracking shows that the internal transport is not delayed
  • Reconnecting your Outlook will force the download of the delayed messages (CTRL+Right click the taskbar icon, selecting Connection status)
  • Messages are not delayed using ActiveSync

After hitting Google with these findings it soon pointed me to the problem and also the solution.

RPC traces showed that the server couldn't contact the clients somehow.

The solution

Install Exchange 2010 SP1 Update Rollup 3 (v3)

Description of Update Rollup 3 for Exchange Server 2010 Service Pack 1

Download Update Rollup 3 for Exchange Server 2010 Service Pack 1

The installation of the Update Rollup will require a reboot of the Exchange server, but it will solve this particular issue along with other issues.

The article that pointed me in the right direction and also the source of some of the troubleshooting steps can be found right here.

15Jul/110

SharePoint 2010 Trusted Identity Token Issuer Error

I was setting up SharePoint to use Federated Authentication using Azure Access Control Service (ACS) when it ran into an error. After checking the SharePoint logs I ran into the following lines:

07/15/2011 10:23:36.54     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     eu2n    Monitorable    Trusted login provider 'Public Account' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'    

07/15/2011 10:23:36.54     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Monitoring     b4ly    High     Leaving Monitored Scope (SPSecurityTokenService.GetTokenLifetime()). Execution Time=125,240686737495    

07/15/2011 10:23:36.56     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     fo1t    Monitorable    SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm. at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest() at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsPrincipal principal, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityT...    

07/15/2011 10:23:36.56*    w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     fo1t    Monitorable    ...oken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)

Also the event viewer returned the following error:

Log Name: Application

Source: Microsoft-SharePoint Products-SharePoint Foundation

Date: 15-7-2011 10:23:36

Event ID: 8306

Task Category: Claims Authentication

Level: Error

Keywords:

User: DOMAIN\user

Computer: sharepoint.domain.local

Description:

An exception occurred when trying to issue security token: The trusted login provider did not supply a token accepted by this farm..

Quite obviously when I select Windows Live ID it doesn't return the expected type of claim; namely http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

Solution

In Azure ACS you can set what type of data is retrieved and also what type it returns. The Windows Live ID Identity Provider doesn't support email address as a claim type, however you can map the only available input claim type to any other type that you use to validate the incoming claim in SharePoint.

My SharePoint environment is set up to allow validation through emailaddress. I'll have to map the 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' claim type to the 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' claim type as shown below.

  1. Navigate to your Azure ACS URL (https://<ServiceNamespace>.accesscontrol.windows.net/v2/mgmt/web)
  2. Click Rule groups
  3. Click the Rule group that is used by your SharePoint environment
  4. Click on the only entry with Windows Live ID as Claim Issuer
  5. Check Select Type in the Then section and select the proper claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) that SharePoint is expecting
  6. Click Save and check the results

Now try to log in to your SharePoint environment with the Windows Live ID and it should work flawlessly.

One thing to note is that the login name is an odd string of characters instead of a nicely structured email address. Unfortunately there is no way of getting a nice looking login name using Windows Live ID as there is no other option than returning the nameidentifier. This seems kind of odd since it's a Microsoft product and the most restricted Identity provider is also from Microsoft. I hope that Microsoft will add other options soon.

4Jul/118

Installing and Configuring ADFS 2.0

As we're setting up collaboration sites on our SharePoint 2010 farm, we wanted to provide the ability to have external logins using Facebook or Google accounts. Everything soon pointed in the direction of Active Directory Federation Services. As the version 1.0 that comes with Windows Server 2008 R2 is already outdated I needed to download the 2.0 version. Make sure that you download the proper version as you might run into some very strange errors otherwise. Since I'm running Windows 2008 R2 x64 I selected the RTW\W2K8R2\amd64\AdfsSetup.exe.

When the installation started the IIS part took quite some time. When I figured it was stuck and the TrustedInstaller.exe was using around 750MB of memory I decided to kill the process as it might crash the entire server. As this seemed the right thing to do, the consequences were somewhat strange. When I restarted the installation it ran into an error right away stating that the install of KB981002.msu could not complete. I tried installing this update manually, but it indicated that the system doesn't need the update. I rebooted the system and retried the installation, which then proceeded without a hitch.

SSL

Make sure that you have a Certificate Authority installed in your domain. You can use these certificates for Exchange servers and SharePoint servers, and you also need one for the ADFS server.

If you don't have a proper certificate installed you might get an error like this, which might put you on the wrong track. Just create a new certificate, or use one that is already installed.

To create a SSL certificate request in IIS you have to open IIS Manager, select the host and double-click the Server Certificates icon. You have your certificate options on the right.

         

Once you've installed the SSL certificate in IIS, you can set it by right-clicking the website in IIS and selecting Edit Bindings. Then edit or add an https port and select the SSL certificate you want to use.

        

Configure ADFS 2.0

As I didn't have a Federation Server running anywhere I needed to create a new Federation Service. Here are the steps:

After the install the ADFS configuration was started.

  1. Click the AD FS 2.0 Federation Server Configuration Wizard to start the configuration.
  2. Select Create a new Federation Service
        
  3. Select New Federation server farm
        
  4. The certificate should be automatically selected. You get the option to select the Federation Service name
        
  5. Create a service account for the ADFS services. The following permissions are needed for this account:
        Service Logon right. This right is required for an account to logon using the service logon type.
        Audit Privilege right. This right is required to generate audit log entries.
    See this post for setting the permissions. You can use the same guide for the service logon.

        

  6. A summary of the settings will be presented. ADFS will be installed with a Windows Internal Database service. However you can change this later on.
        
        

If the name of the federation service is already in use you might be presented with an error: "The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again." You'll have to use setspn.exe to set the proper SPN.

28Jun/110

Migrating the ADFS 2.0 Configuration Database to MS SQL

By default when you configure ADFS 2.0 it will create a Windows Internal Database for its configuration database. However if you have a MS SQL server running already this is kind of unnecessary. Thankfully it's possible to migrate the ADFS 2.0 databases to MS SQL.

Preparations

It's smart to start with a backup of the Federation Server.

If your federation server is running in a farm and it's behind a load balancer, temporarily remove it from the load balancing configuration.

On the Primary federation service

  1. Download the SQL Server 2008 Management Studio Express software and install it (you'll need sqlcmd)
  2. Stop the ADFS 2.0 service. Start an elevated command prompt and type:
    net stop adfssrv
  3. Connect to the Windows Internal Database and detach the databases by running the following commands:
    sqlcmd -S \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
    use master
    go
    sp_detach_db 'adfsconfiguration'
    go
    sp_detach_db 'adfsartifactstore'
    go
  4. Connect to the MS SQL server and attach the databases by running the following commands (note that the paths are local paths on the SQL server so make sure that the files are on the local server):
    sqlcmd -S <SQLServer\SQLInstance>
    use master
    go
    sp_attach_db 'adfsconfiguration', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration.mdf', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration_log.ldf'
    go
    sp_attach_db 'adfsartifactstore', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore.mdf', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore_log.ldf'
    go
    alter database AdfsConfiguration set enable_broker with rollback immediate
    go
  5. Change the configuration database connection string to point to the new MS SQL server by running the following PowerShell commands:
    $SecTokenServ = Get-WmiObject -NameSpace root/ADFS -Class SecurityTokenService
    $SecTokenServ.ConfigurationdatabaseConnectionstring="data source=<SQLServer\SQLInstance>; initial catalog=adfsconfiguration;integrated security=true"
    $SecTokenServ.Put()
  6. Start the ADFS 2.0 service. Start an elevated command prompt and type:
    net start adfssrv
  7. Change the artifact database connection string to point to the new MS SQL server by running the following PowerShell commands:
    Add-PSSnapin Microsoft.ADFS.PowerShell
    Set-ADFSProperties -ArtifactDBConnection "data source=<SQLServer\SQLInstance>; initial catalog=adfsartifactstore;integrated security=true"
  8. Stop and start the ADFS 2.0 service:
    net stop adfssrv
    net start adfssrv

Don't forget to add the primary federation server to the load balancing configuration.

To migrate other ADFS 2.0 servers in the farm, start by removing the server from the load balancing configuration and stopping the service (net stop adfssrv) on that server. Then start at step 5 of the steps above.

Afterwards add the servers back into the load balancing configuration to have it accept requests.
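
A check to run before putting a server back behind the load balancer, as an added example that is not part of the original post. It parses both connection strings set in steps 5 and 7 and reports any that still point at the Windows Internal Database or at the wrong catalog. `Test-AdfsDbConnection` is a hypothetical helper and `SQLSERVER\INSTANCE` is a placeholder.

```powershell
# Added example (not from the original post). Test-AdfsDbConnection is a
# hypothetical helper; $Sql is a placeholder for <SQLServer\SQLInstance>.
Add-Type -AssemblyName System.Data
$Sql = 'SQLSERVER\INSTANCE'

function Test-AdfsDbConnection {
    param(
        [string]$ConnectionString,
        [string]$ExpectedServer,
        [string]$ExpectedCatalog
    )
    # Let .NET parse the string so spacing and key casing do not matter.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $ConnectionString
    $problems = @()
    if ($b.DataSource -like '*MICROSOFT##SSEE*') {
        $problems += 'still points at the Windows Internal Database'
    } elseif ($b.DataSource -ne $ExpectedServer) {
        $problems += "data source is '$($b.DataSource)'"
    }
    if ($b.InitialCatalog -ne $ExpectedCatalog) {
        $problems += "initial catalog is '$($b.InitialCatalog)'"
    }
    if (-not $b.IntegratedSecurity) {
        $problems += 'integrated security is not enabled'
    }
    New-Object PSObject -Property @{
        Catalog  = $ExpectedCatalog
        Ok       = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed samples: a migrated configuration string and an artifact
# string that was left on the Windows Internal Database (step 7 skipped).
$migrated = "data source=$Sql; initial catalog=adfsconfiguration;integrated security=true"
$leftover = 'data source=\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query;initial catalog=adfsartifactstore;integrated security=true'
Test-AdfsDbConnection $migrated $Sql 'adfsconfiguration'
Test-AdfsDbConnection $leftover $Sql 'adfsartifactstore'

# Live check, only on a machine where the ADFS 2.0 service is installed.
if (Get-Service -Name adfssrv -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue
    $sts   = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
    $props = Get-ADFSProperties
    Test-AdfsDbConnection $sts.ConfigurationDatabaseConnectionString $Sql 'adfsconfiguration'
    Test-AdfsDbConnection $props.ArtifactDbConnection $Sql 'adfsartifactstore'
}
```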
