Wednesday, December 23, 2009
Today I had to deploy OEM versions of Office 2003 to around 20 systems. Some needed Office 2003 Pro, some needed Office 2003 Basic. And I didn’t want to do it manually. Normally with VLKs it’s easy. Now, every computer has its own unique installation key. What to do?
First get the installation files to the clients (basic or pro). Then perform an installation. Too bad you must enter a key to perform the installation. Later versions of Office don’t have this limitation.
The following command will do the trick. Just use a valid product key from one of your OEM CDs for the product you’re installing (in this case Pro). Don’t worry; Office will not be activated yet and the license will be removed later.
start /wait c:\install\office2k3_pro\1-main\SETUP.EXE /qb PIDKEY=12345abcde12345abcde12345
Then apply SP3
start /wait C:\install\office2k3_pro\2-updates\Office2003SP3-KB923618-FullFile-NLD.exe /Q
And why not… Office 2007 Compatibility Toolkit (FileFormatConverters)
start /wait c:\install\office2k3_pro\3-2k7compat\FileFormatConverters.exe /quiet /norestart
Now that everything is installed, I’m going to remove the license we used to perform the installation. Note that the GUID may differ depending on which product you’re installing.
reg delete HKLM\SOFTWARE\Microsoft\Office\11.0\Registration\{91110413-6000-11D3-8CFE-0150048383C9} /v ProductID /f
reg delete HKLM\SOFTWARE\Microsoft\Office\11.0\Registration\{91110413-6000-11D3-8CFE-0150048383C9} /v DigitalProductID /f
So.. this is the complete script:
@echo off
@echo Install Office 2003 Pro with temp license
start /wait c:\install\office2k3_pro\1-main\SETUP.EXE /qb PIDKEY=12345abcde12345abcde12345
@echo Install Office 2003 SP3
start /wait C:\install\office2k3_pro\2-updates\Office2003SP3-KB923618-FullFile-NLD.exe /Q
@echo Install Office 2007 File Format Converters
start /wait c:\install\office2k3_pro\3-2k7compat\FileFormatConverters.exe /quiet /norestart
@echo Install Office 2007 File Format Converters SP1
rem checking this out later, has some "i agree" button i can't get around
@echo Install Office 2007 File Format Converters SP2
rem checking this out later, has some "i agree" button i can't get around
@echo Remove Office temp license
reg delete HKLM\SOFTWARE\Microsoft\Office\11.0\Registration\{91110413-6000-11D3-8CFE-0150048383C9} /v ProductID /f
reg delete HKLM\SOFTWARE\Microsoft\Office\11.0\Registration\{91110413-6000-11D3-8CFE-0150048383C9} /v DigitalProductID /f
exit
When a user logs in and the first Office application opens, it’ll ask to enter the license key and Office will be registered.
Thursday, December 10, 2009
Doing a full backup of an Exchange 2003 database was easy.
Start, run, ntbackup, backup, custom, select the exchange object, select a destination file, create a schedule and there you go: your daily scheduled database dump. This (and this is important as we’re dealing with a database) would also commit all data to the database and purge the transaction logs.
This would then be backed up by any backup application.
More expensive backup solutions would do this kind of database trick by default. But as I prefer to use non-intelligent, image-based backups (like V2i, Symantec Backup Exec System Recovery, or Drivesnapshot), this had to be done manually.
Doing the same with Exchange 2007 took me some time to find out. Here’s how.
You’ll need Service Pack 2 for Exchange 2007. This includes a plugin for Windows Backup (wbadmin.exe, the successor of ntbackup) so that it’s Exchange-aware.
Please note that Windows Backup can only create backups on a volume basis (complete drive letters or mountpoints only)! That’s why my Exchange 2007 servers have a dedicated drive for the Exchange Database + System files + Transaction Logs. This keeps the backups as small as possible, without extra data. It would be better to have the Transaction Logs on another drive as well in case of serious recovery, but I’m going to test that later.
Backups are on a separate partition too.
This gives the following scenario:
C: = Windows 2008 + Exchange 2007 installation
D: = dvdrom drive
E: = dedicated to: Exchange Database, System files and Transaction Logs
F: = dedicated to: Exchange backup/dump
To create the backup, the following command is used:
WBADMIN START BACKUP -backupTarget:F: -include:E: -vssfull -quiet
-vssfull is the option that purges the Transaction Logs
-quiet will not ask “are you sure?” but still shows some output (you might want to pipe this to a file as some sort of log)
This can be scheduled with Windows Task Scheduler (Server manager, Configuration, Task Scheduler, Task Scheduler Library).
Only one instance of the backup is kept on F:, but that’s no problem as all partitions are backed up by the regular backup.
Saturday, December 5, 2009
Sometimes you need to access Active Directory Repair mode through RDP.
Add this to your boot.ini and reboot:
/SAFEBOOT:DSREPAIR
Make sure you have the restore password though!
After making your desired changes to the system, remove it from boot.ini and reboot again.
Thursday, October 8, 2009
Another happy customer due to the following registry hack:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"RasDisable"="1"
aka
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v RasDisable /t REG_SZ /d "1" /f
Monday, September 14, 2009
Having problems with sending mail?
You might want to simulate an SMTP session to see exactly what goes wrong.
Start a msdos prompt and type:
C:\WINDOWS>telnet smtp.xs4all.nl 25
Your SMTP server may be different, of course.
Trying 194.109.6.51...
Connected to smtp.xs4all.nl.
Escape character is '^]'.
220 smtp-vbr11.xs4all.nl ESMTP Sendmail 8.13.8/8.13.8; Mon, 14 Sep 2009 15:03:50 +0200 (CEST)
Type “helo” followed by your domain
helo bogusdomain.nl
250 smtp-vbr11.xs4all.nl Hello xxxxxxxxx [a.b.c.d], pleased to meet you
Type “mail from:” followed by your email address
mail from:[email protected]
250 2.1.0 [email protected]... Sender ok
Type “rcpt to:” followed by your email address
rcpt to:[email protected]
553 5.3.0 [email protected]... Relaying denied,Authenticate with your username and password first
Now we see what is wrong here. This server doesn’t allow me to relay.
Type “quit” to exit.
quit
221 2.0.0 smtp-vbr11.xs4all.nl closing connection
Connection closed by foreign host.
If you didn’t get an error after “rcpt-to:”, continue with:
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
hello hugo
.
250 2.0.0 Ok: queued as 60D2A4A24A
quit
221 2.0.0 Bye
Mail should arrive now.
Thursday, September 10, 2009
One of my customers has a directory filled with home directories of all students.
Due to some copying, the ownership of all files was set to “administrator”.
Since quota was enabled, quota usage of all students was practically 0.
They needed a fix to set ownership back a.s.a.p.
I created the following batch file. You need the subinacl utility from Microsoft though.
- Put the script in the directory you want to make the changes for.
- Usernames must match the directory names.
@echo off
for /f "tokens=*" %%a in ('dir /b /ad') do subinacl /file %%a\*.* /setowner=%%a
pause
Maybe you also want to grant the users access to their own directories (just to be sure):
@echo off
for /f "tokens=*" %%a in ('dir /b /ad') do subinacl /file %%a\*.* /setowner=%%a
for /f "tokens=*" %%a in ('dir /b /ad') do subinacl /file %%a\*.* /grant=YOURDOMAIN\%%a
pause
Wednesday, September 9, 2009
Sometimes you just want people not to show up in your address list.
Here’s a simple vbs script that does the trick.
' Hides every member of a group from the Exchange address lists.
' The group is looked up in the default Users container (cn=users).
REM On Error Resume Next
groep = inputbox("Which group?")
set objRootDSE = GetObject("LDAP://RootDSE")
strdomainname = objRootDSE.Get("defaultNamingContext")
set objgroup = getobject("LDAP://cn=" + groep + ",cn=users," + strdomainname)
objgroup.GetInfo
' "member" holds the distinguished names of the group members
arrmember = objgroup.GetEx("member")
for each objmember in arrmember
    set objuser = getobject("LDAP://" + objmember)
    objuser.MSExchHideFromAddressLists = TRUE
    objuser.SetInfo
next
Wednesday, August 19, 2009
Today I logged in to a server and this is what I saw:
Microsoft has an article on this matter: http://support.microsoft.com/kb/906510
I have no clue what caused this, however the resolution is simple. Import the following .reg file:
Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Control Panel\Colors]
"ActiveBorder"="212 208 200"
"ActiveTitle"="10 36 106"
"AppWorkSpace"="128 128 128"
"Background"="102 111 116"
"ButtonAlternateFace"="181 181 181"
"ButtonDkShadow"="64 64 64"
"ButtonFace"="212 208 200"
"ButtonHilight"="255 255 255"
"ButtonLight"="212 208 200"
"ButtonShadow"="128 128 128"
"ButtonText"="0 0 0"
"GradientActiveTitle"="166 202 240"
"GradientInactiveTitle"="192 192 192"
"GrayText"="128 128 128"
"Hilight"="10 36 106"
"HilightText"="255 255 255"
"HotTrackingColor"="0 0 128"
"InactiveBorder"="212 208 200"
"InactiveTitle"="128 128 128"
"InactiveTitleText"="212 208 200"
"InfoText"="0 0 0"
"InfoWindow"="255 255 225"
"Menu"="212 208 200"
"MenuText"="0 0 0"
"Scrollbar"="212 208 200"
"TitleText"="255 255 255"
"Window"="255 255 255"
"WindowFrame"="0 0 0"
"WindowText"="0 0 0"
Big thanks to my friend at Tech Notes for helping me out so quickly.
Friday, August 14, 2009
SSL, the basics:
An SSL certificate enables secure communication (encryption) between client and server. For this to work, your client (which can be a computer, PDA, smartphone, etc.) performs 3 checks:
- Date of the certificate. Is it valid? Has the certificate not expired yet?
- Trusted Authority. In short: which trusted company sold this certificate? E.g. Verisign, Thawte, etc. Your client has a list of well-known and trusted companies. If the company is on the list, the certificate can be trusted as well.
- The common name. If the common name on the certificate is www.domain1.com and you want to visit webmail.domain1.com through ssl, check 3 fails.
Exchange 2007 and SSL
After installing Exchange 2007, a self-signed SSL certificate is installed by default. This SSL certificate is used to secure communication between both Internet clients (Exchange ActiveSync, Outlook Web Access, Outlook Anywhere, POP3 and IMAP4) and internal clients (Outlook 2007) to the Client Access server.
Exchange Server 2007 also introduces a new Exchange web service called the Autodiscover service. The Autodiscover service is used to configure Outlook 2007 clients. More specifically, the Autodiscover service is used by Outlook 2007 client features such as the Availability service (free/busy), Auto Account Setup (automatic profile creation), Out of Office (OOF), Offline Address Book (OAB), and Unified Messaging (UM). This means that in order for these features to work correctly, the Autodiscover service must be properly configured. Since the Autodiscover service is a web-based service, it’s located on the Client Access server (CAS). And since it’s a web-based service, it needs an SSL certificate that is accepted by all clients, both internal and on the internet.
We now have one problem.
As the name used to reach the server differs depending on where you are at that moment, you’ll need an SSL certificate with at least 5 different common names, e.g.
- the netbios name of the computer, let’s say: “EXCH2K7SRV02”
- the fully qualified domain name in the local network; EXCH2k7SRV02.domain1.local
- the fully qualified domain name on internet; webmail.domain1.com
- the fully qualified domain name for the autodiscovery in the local network; autodiscover.domain1.local
- the fully qualified domain name for the autodiscovery on internet; autodiscover.domain1.com
SAN certificate
With Exchange Server 2007 a new type of certificate is introduced; it’s called a subject alternative name (SAN) certificate. The interesting thing about a SAN certificate is that it allows us to include multiple FQDNs (aka common names) in one single certificate.
So in case you wondered: this SAN certificate has nothing to do with your SAN storage. It’s something different.
Request a SAN certificate
Start the Exchange 2007 Management Shell
In the Powershell we type:
[PS] C:\Windows\System32> New-ExchangeCertificate -DomainName EXCH2k7SRV02, EXCH2k7SRV02.domain1.local, webmail.domain1.com, autodiscover.domain1.local, autodiscover.domain1.com -FriendlyName Domain1SSLCertificate -GenerateRequest:$True -Keysize 1024 -path c:\certreq.txt -privatekeyExportable:$true -subjectName "c=US, o=My Company, CN=domain1.com"
As you see, with the “-DomainName” parameter, I’m requesting a certificate for 5 Subject Alternative Names, which makes it a SAN certificate.
Make the “-FriendlyName” something obvious. And remember it, you’ll need it later!
I mark the private key as exportable (“-privatekeyExportable:$true”) in order to re-use the certificate whenever I want to transfer it to another server. I know this is less secure, but I’ve been in a lot of situations where customers didn’t remember where they bought the certificate or didn’t have the appropriate login info etc. So that’s why.
In the “-subjectName”, specify your country “c=US”, organisation “o=My Company” and the domain you are working with “CN=domain1.com”.
As you see (“-path”), the request is stored in a file called c:\certreq.txt. The content of this file is required to actually request the certificate from your SSL reseller or your own Active Directory CA.
Import the SAN certificate
Once you’ve got the certificate, save it to c:\certnew.cer.
In the Exchange Management Shell type:
[PS] C:\Windows\System32> Import-ExchangeCertificate -path c:\certnew.cer -friendlyname "Domain1SSLCertificate"
So this is where you’ll need that friendlyname again.
After this command you’ll see a “thumbprint” on your screen. My example: “795E704F73D47F6053A493961CB23DB349731141”
The certificate is now imported.
If you forgot the thumbprint, you can look it up by typing:
[PS] C:\Windows\System32> Get-ExchangeCertificate -DomainName "EXCH2K7SRV02"
All you have to do right now is activate the certificate for the required Exchange services. Do this by typing:
[PS] C:\Windows\System32> Enable-ExchangeCertificate -thumbprint 795E704F73D47F6053A493961CB23DB349731141 -services "IIS,POP,IMAP"
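Before enabling the certificate it is worth checking it against the three client-side checks and the five names listed above. The following PowerShell is an added example, not part of the original post: the function name Test-CertificateCoverage and the sample object are constructed, and the property names (CertificateDomains, NotBefore, NotAfter, IsSelfSigned, PublicKeySize) are assumed to be those shown by Get-ExchangeCertificate | fl.

```powershell
# Added example (not from the original post).
function Test-CertificateCoverage {          # hypothetical helper name
    param(
        $Certificate,                        # object shaped like Get-ExchangeCertificate output
        [string[]]$RequiredNames,            # every name a client may use to reach the server
        [datetime]$Now = (Get-Date)
    )

    # Names on the certificate as lower-case strings (DNS names are case-insensitive).
    $certNames = @($Certificate.CertificateDomains | Where-Object { $_ } |
                   ForEach-Object { $_.ToString().ToLower() })

    # Check 3: each required name must match a name on the certificate.
    $missing = @()
    foreach ($name in $RequiredNames) {
        $n = $name.ToLower()
        $covered = $false
        foreach ($c in $certNames) {
            if ($c -eq $n) { $covered = $true; break }
            # A wildcard entry covers exactly one extra label:
            # *.domain1.com matches webmail.domain1.com, not a.b.domain1.com.
            if ($c.StartsWith('*.') -and $n.Contains('.')) {
                $parent = $n.Substring($n.IndexOf('.') + 1)
                if ($parent -eq $c.Substring(2)) { $covered = $true; break }
            }
        }
        if (-not $covered) { $missing += $name }
    }

    New-Object PSObject -Property @{
        # Check 1: inside the validity period.
        DateValid    = ($Now -ge $Certificate.NotBefore) -and ($Now -le $Certificate.NotAfter)
        # Check 2 (partial): a self-signed certificate is never trusted by outside clients.
        IssuedByCA   = -not $Certificate.IsSelfSigned
        # Extra check: public CAs no longer issue certificates for RSA keys under 2048 bits.
        WeakKey      = $Certificate.PublicKeySize -lt 2048
        MissingNames = $missing
    }
}

$required = 'EXCH2K7SRV02', 'EXCH2k7SRV02.domain1.local', 'webmail.domain1.com',
            'autodiscover.domain1.local', 'autodiscover.domain1.com'

# Constructed sample: the internal autodiscover name was left out of the request.
$sample = New-Object PSObject -Property @{
    NotBefore          = [datetime]'2009-08-01'
    NotAfter           = [datetime]'2010-08-01'
    IsSelfSigned       = $false
    PublicKeySize      = 1024
    CertificateDomains = 'EXCH2k7SRV02', 'exch2k7srv02.domain1.local',
                         'webmail.domain1.com', 'autodiscover.domain1.com'
}
Test-CertificateCoverage $sample $required ([datetime]'2009-08-14') | Format-List

# On the Exchange server, against the imported certificate:
# Test-CertificateCoverage (Get-ExchangeCertificate -Thumbprint 795E704F73D47F6053A493961CB23DB349731141) $required
```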
Wednesday, August 12, 2009
How to make sure your client is in the right timezone and synchs with your preferred ntp server?
Control.exe TIMEDATE.CPL,,/Z (GMT+01:00) Amsterdam, Berlijn, Bern, Rome, Stockholm, Wenen
net time /setsntp:ntp.xs4all.nl
net time /querysntp
w32tm /Resync
Event viewer nicely logs the resync action:
Type gebeurtenis: Informatie
Bron van gebeurtenis: W32Time
Categorie van gebeurtenis: Geen
Gebeurtenis-ID: 35
Datum: 12-8-2009
Tijd: 10:04:10
Gebruiker: n.v.t.
Computer: HUGO7900SSF
Beschrijving:
De tijdservice is nu bezig met het synchroniseren van de systeemtijd met de tijdbron ntp.xs4all.nl (ntp.m|0x1|10.0.11.76:123->194.109.22.18:123).
Zie Help en ondersteuning op http://go.microsoft.com/fwlink/events.asp voor meer informatie.
Thursday, August 6, 2009
If you want to make changes to the registry for the “default user” there is one BIG misunderstanding that I want to clarify here.
HKEY_USERS\.DEFAULT is NOT the Default User!
This is actually the registry for the Local System account. Changes in this hive will be applied before a user logs in.
A clear example: when making the following change:
Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="C:\\Windows\\mywallpaper.bmp"
the background called “mywallpaper.bmp” will be loaded onto the background while pressing ctrl+alt+del and entering your credentials. (e.g. this is how Dell or HP use their own backgrounds on a pre-installed system).
Ok so how do you make changes to the default user?
It’s actually pretty simple.
As you should know, the registry for a user is stored in a file called ntuser.dat in the %userprofile% directory. Therefore, in c:\documents and settings\Default User you’ll find the registry for the default user (doh!).
Now load this file as a temporary hive so you can make changes to it.
Start a dos prompt. Then type:
reg load HKU\Temp "c:\documents and settings\Default User\NTUSER.DAT"
Start regedit and go to HKEY_USERS\Temp and you’ll see the registry for the default user.
Make the desired changes. When done, close regedit to avoid locking issues and back in your dos prompt type:
reg unload HKU\Temp
And you’re done!
New users without an existing profile will inherit the Default User profile and therefore inherit the changes you just made.
“Ok one question though, why not use (domain) policies for such purposes?”
Good question. Policies will always be a better solution because changes to the policies will automatically be applied to existing user profiles and changes to the default user profile will only be used when a user logs in and the user has no existing profile.
There are, however, settings that can not be changed from (domain) policies (at least not in current Windows versions…). Examples:
- Power management (screensaver, disks going to stand-by), etc
- Schemes for audio/sounds
- (one of my favorites) Quick Launch behaviour (e.g. the number of items, the locked status, etc)
- … etc!
Conclusion
Now you know how to edit the default user registry.
Think about making these changes when preparing an image that you’re going to deploy to a network. Or at least apply the changes to the clients before all users are going to log in!
Wednesday, August 5, 2009
Some actions require an elevated dos prompt.
The fastest way:
- Click on the Windows (start) button
- type: cmd in the search bar
- hold down ctrl+shift and then press enter
NOTES:
- Do not try to do this from the Run box (Win+R), this MUST be done through the search bar.
- UAC must be enabled otherwise it won’t work
Monday, August 3, 2009
I’m involved in a lot of network migrations (client/servers).
Usually, migrating the server isn’t that difficult. However, the software on the clients can be tricky. There can be a lot of registry keys, ini files or all sort of pointers pointing to the old servername.
There’s one sneaky trick that makes it all a lot easier!
- Raise your domain functional level to 2003.
- Download and install the latest Support Tools
- Use netdom to add a server alias, e.g.
netdom computername newserver /add:oldserver.domain.local
- Import this regfile:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"DisableStrictNameChecking"=dword:00000001
Sunday, July 26, 2009
So simple, yet so much used..
<html>
<head>
<meta http-equiv="refresh" content="3; url=https://webmail.customer.com/exchange/">
</head>
<body>
<br>
<br>
<br>
You will be redirected in 3 seconds ...
<br>
</body>
</html>
Thursday, July 23, 2009
Regedit
Connect to remote registry
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
Then reboot the machine remotely, e.g.
shutdown -m \\yourserver -r -t 0
Thnx to my mate at http://www.tech-notes.nl
Friday, June 12, 2009
Most of you probably know that ctrl+shift+esc brings up the task manager.
Today I learned a sneaky way to disable that combination:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"debugger"="Disabled"
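Because a Debugger value under this key changes what starts when the named executable is launched, it is worth auditing which images carry one. The following PowerShell is an added example, not part of the original post; the function name Get-IfeoDebugger is hypothetical.

```powershell
# Added example (not from the original post).
# Lists every executable name under Image File Execution Options that has a
# Debugger value, in both the native and the 32-bit (Wow6432Node) view.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {                # hypothetical helper name
    param([string[]]$Roots = $ifeoRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }    # Wow6432Node is absent on 32-bit Windows
        foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $debugger = $key.GetValue('Debugger')    # value names are case-insensitive
            if ($debugger -ne $null) {
                New-Object PSObject -Property @{
                    Image    = $key.PSChildName
                    Debugger = $debugger
                    KeyPath  = $key.Name
                }
            }
        }
    }
}

Get-IfeoDebugger | Format-Table Image, Debugger, KeyPath -AutoSize

# To undo the change from the post, remove the value again:
# Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe' -Name Debugger
```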
Wednesday, June 10, 2009
Office 2007 features a new toolbar in all applications, called the Quick Access Toolbar.
A user may add or remove their own buttons.
By default, the .qat files containing the user’s settings are saved in the following location in Windows XP or Windows Server 2003:
C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Office
And for Windows Vista or Windows Server 2008 in:
C:\Users\username\AppData\Local\Microsoft\Office
Here’s how to make sure this bar roams with the user:
Locate and then click to select the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Toolbars
If you use policies, select the following registry subkey:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Create a new DWORD value called “QuickAccessToolbarRoaming” with value “1”
regfile:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Toolbars]
"QuickAccessToolbarRoaming"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\Toolbars]
"QuickAccessToolbarRoaming"=dword:00000001
Microsoft’s article on this:
http://support.microsoft.com/kb/958062
If you want to customize your Office 2007 setup, here’s how:
setup.exe /admin
Then go through all steps in the customization wizard.
Be sure to have “completion notice” turned on and “suppress modals” turned off (this is to get to see errors, if any exist). Once you’re done with testing, go through the customization again to modify the MSP to disable completion notice and enable suppress modals. For completely silent install, you MUST set the DisplayLevel to “none”.
Save the resulting patch file in the same folder as o2k7 setup files.
Now just execute this command for silent install:
setup.exe /adminfile CUSTOM.MSP
OR
If you have Office 2007 Enterprise VLK, you could even drop the CUSTOM.MSP file in the “Updates” folder and setup will pick it up automatically (without any switches being used). For this, ensure you have WindowsInstaller 3.1 already installed. You can add in further MSP files (e.g. extracted from SP2 update EXE) as well, to have updates applied during install.
Sunday, June 7, 2009
The IntelPPM should be enabled on all Intel systems. If not, the processor will overheat.
But it cannot be enabled on systems with an AMD processor. The system won’t boot and will end in a 0x000007 bluescreen.
This is something you need to know if you want to create images and deploy them on different systems.
_disable_intelppm.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm]
"Start"=dword:00000004
_enable_intelppm.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm]
"Start"=dword:00000001
It’s actually a pretty big security issue, but I’m glad it exists :)
Can’t access your raid configuration anymore? Forgot your password?
areca master password: MNO974315743924 (works on 1160, 1210 (McBIOS), …)
And just a reminder:
areca default archttp32 user/pass: admin/0000
RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove
Just a reminder for myself on how to rebuild degraded 3ware arrays on some of my linux machines with the cli tool.
Scenario:
The degraded drive is connected to port 2.
The drive is connected to controller 0.
Port 0 is member of unit 0.
- Remove the drive
tw_cli maint remove c0 p2
- Now replace the drive
- Enable the new drive
tw_cli maint rescan c0
- Assign the drive to a temporary unit
tw_cli maint createunit c0 rspare p2
- rebuild the array
tw_cli maint rebuild c0 u0 p2
This week I was copying large amounts of data to a Maxtor USB disk using the midnight commander. While the midnight commander was gathering information about the amounts of data to be processed (taking at least 20 minutes or more), the usb disk was going into standby mode.
By the time it was ready and wanted to start copying data, I got all kinds of i/o errors on /dev/sdb (the usb disk).
So I did a filesystem check on the usb disk and started over again. The same happened.
Then it occurred to me: the usb disk was going to standby mode. It will come back alive whenever the OS wants to read or write data, but it takes too long, resulting in i/o errors.
This command prevents the disk from going to standby mode:
sdparm --clear STANDBY -6 /dev/sdb
edit:
Today I played around with some usb disks that don’t support the command above, so I had to dig further.
Seems like I missed this option in my (custom compiled) kernel: “[*] USB selective suspend/resume and wakeup”. This is actually the real fix.
Saturday, June 6, 2009
When logging off from a Windows 2000, XP or 2003 machine, system processes and applications occasionally maintain connections to registry keys in the user profile after a user logs off. In those cases the user session is prevented from completely ending. This can result in problems when using Roaming User Profiles in a server environment.
Therefore, always install the User Hive Cleanup service from Microsoft:
http://www.microsoft … 18-b570-42470e2f3582.
After doing so I’ve seen some errors in the eventviewer when using Symantec Antivirus v10 or Endpoint Protection. These programs have “Tamper Protection” which means they will block programs from messing around with the main processes from Symantec.
In this case it’s actually pretty clear who’s blocking the registry :)
When using linux as a router you also might want to forward some ports.
This should do the trick (it will when using my script from the other post):
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
But more generally it might be necessary to add an extra line first to allow traffic to your nic connected to the internet at all:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT