Thursday, October 4, 2012

How to un-protect Excel 2007 spreadsheets without knowing the password


When Microsoft introduced Excel 2007, they introduced new file types – we all know them by now: xlsx, xlsm, xltx, etc. These file types are often referred to as Open XML. That’s because the new file types are essentially packages that contain XML files. If you take an xlsx file and change the extension to zip, you’ll be able to see all the xml documents that make up your Excel file.

The new Open XML file types come with lots of benefits. One of the major benefits is that you can change the content and properties of an Excel 2007 file simply by manipulating the XML documents that make it up.

While playing with the Open XML files, I discovered that you can remove spreadsheet protection by applying a simple edit to the XML within the Excel file.

People protect their Excel worksheets for a variety of reasons. So what can we do if we need to amend something on such a worksheet?
Say I decide that I want to un-protect a sheet, but I don’t know the password. Because this is Excel 2007, the spreadsheet protection can be removed from within the XML. Sheet protection is stored as a plain element in the worksheet’s XML and does not encrypt the workbook, so it should not be relied on to keep data confidential or tamper-proof.
The procedure below shows how to go about doing this.


Step 1: Make a backup of your file in case you really monkey it up.
Step 2: Change the file extension from filename.xlsx to filename.zip.
Step 3: Extract the contents of the zip file.
Step 4: Go to the extracted files and navigate to the XML for the target sheet (found in the ‘xl\worksheets’ directory).

Step 5: Open the target sheet’s XML document using an XML editor (you can use Notepad and search for "sheetProtection").
Step 6: Find the ‘sheetProtection’ tag and remove the entire line.

Step 7: Save the edited XML document and replace the old XML document found in the original zip file.
Step 8: Change the extension back to xlsx.
Step 9: Voilà! The sheet is no longer protected :)
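
A defender's view of the same fact, as an added example that is not part of the original post: the Python code below reports which worksheet parts of a package carry a sheetProtection element and lists the sheets that lost it between two copies of a file. The sample packages are constructed inline and contain only worksheet parts (they are not openable workbooks); the function names are illustrative.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by worksheet parts.
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def sheet_protection_report(xlsx_bytes):
    """Map each worksheet part to its sheetProtection attributes, or None."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        for name in sorted(pkg.namelist()):
            # Worksheet parts live under xl/worksheets/; skip the _rels files.
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            # For files from untrusted sources, use a hardened parser such as
            # defusedxml instead of the standard library parser.
            root = ET.fromstring(pkg.read(name))
            elem = root.find(NS + "sheetProtection")
            report[name] = dict(elem.attrib) if elem is not None else None
    return report


def protection_dropped(before_bytes, after_bytes):
    """Worksheet parts protected in 'before' but unprotected or absent in 'after'."""
    before = sheet_protection_report(before_bytes)
    after = sheet_protection_report(after_bytes)
    return sorted(
        name for name, attrs in before.items()
        if attrs is not None and after.get(name) is None
    )


def build_sample(protected):
    """Constructed sample: two worksheet parts, protected where requested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for i in (1, 2):
            # Constructed value: a legacy-style password hash attribute.
            prot = '<sheetProtection password="CC1A" sheet="1"/>' if i in protected else ""
            xml = ('<worksheet xmlns="http://schemas.openxmlformats.org/'
                   'spreadsheetml/2006/main"><sheetData/>' + prot + "</worksheet>")
            pkg.writestr("xl/worksheets/sheet%d.xml" % i, xml)
    return buf.getvalue()


SAMPLE_BEFORE = build_sample({1})   # sheet1 protected, sheet2 not
SAMPLE_AFTER = build_sample(set())  # same package with the element gone

if __name__ == "__main__":
    for part, attrs in sheet_protection_report(SAMPLE_BEFORE).items():
        state = "protected" if attrs is not None else "not protected"
        print(part, state, attrs or "")
    print("protection removed from:",
          protection_dropped(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Comparing a file against a known-good copy this way shows when sheet protection has been stripped, which the workbook itself gives no sign of.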

Wednesday, October 3, 2012

SCOM Agent for Workgroup not showing up on SCOM Console


To monitor a server that is in another domain or workgroup, a certificate has to be imported onto the server on which the SCOM agent has been deployed.

At times, you may wonder why, even though the certificate has been imported onto the server with the MOMCertImport tool, the agent still does not show up in the pending management list on the SCOM console.
This usually has to do with the certificate.
To verify that the correct certificate is being used, check the following:
  1. Log on to the computer with an account that is a member of the Administrators group.
  2. On the Windows desktop, click Start, click Run, type regedit, and then click OK.
  3. On the Registry Editor page, expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Microsoft Operations Manager, expand 3.0, and then click Machine Settings.
  4. In the results pane, right-click ChannelCertificateSerialNumber
    (The value in this key should match the serial number of the certificate in reverse order)

    If the value is wrong, you can either enter it manually or run the MOMCertImport tool again.

Thursday, September 20, 2012

How to recover user mailbox data from deleted mailboxes using Recovery Storage Group (RSG) in MS Exchange 2003 via

The Recovery Storage Group (RSG) is a feature of Exchange Server 2003. In certain situations it removes the requirement of building up an additional recovery server in order to recover mailbox data (to recover public folder data, the recovery server is still required). However, when we restore the backup into RSG, we are unable to use the ExMerge utility to extract data from the mailboxes that have been deleted from the original mailbox store.

Overview of the Recovery Storage Group
Prior to Exchange Server 2003, if you wanted to recover some mailbox data from the backup, you needed to set up a separate Active Directory (AD) forest on a recovery server and restore the backup into this recovery computer. With the RSG feature, this additional recovery server is not required to recover data from a mailbox store in scenarios where both the following conditions are true:

• The logical information in AD about the storage group and mailboxes remains intact and same as before the recovery. That's to say, the mailbox you want to recover must not be deleted or purged from the system, or moved to another mailbox store.
• You want to recover data from a single mailbox, a single database, or simultaneously a group of databases within a single storage group. The database added into RSG must be from a server within the same Administrative Group; furthermore, after we add a database into RSG, we can then only add databases from the same Storage Group.

After you create a RSG and add databases to it, you can either restore online backup sets or copy offline database files to the RSG (please note that enough disk space is necessary for the recovered database in RSG). Then you can use the Exchange Server 2003 version of the Microsoft Exchange Mailbox Merge Wizard (Exmerge.exe) utility or the Recover Mailbox Data Wizard to extract data from the recovered databases in the RSG to the mailbox in the original regular storage group.

How a Recovery Storage Group links back to the original regular storage group
The RSG uses the following two AD attributes to link back to the original regular storage group:


• The msExchMailboxGUID attribute (see Figure A). When a mailbox is created, this attribute is generated as a unique value that distinguishes it from all other mailboxes. The value remains the same for the lifetime of the mailbox. The ExMerge utility uses this attribute to match the mailbox in the RSG to the one in the original regular storage group. When you delete a mailbox, the mailbox attributes will be removed from the AD user account; when you purge a mailbox that has been deleted, the mailbox (and its GUID) is removed from the database. In these two scenarios, ExMerge will fail to extract data from this mailbox in the RSG.


Figure A: The msExchMailboxGUID attribute

• The msExchOrigMDB attribute (see Figure B). This attribute is set on a database in the RSG. It specifies the distinguished name of the original database where the RSG was created, and it will verify if the mailbox you want to recover is still located in the original mailbox store. If the mailbox has been moved to another mailbox store, ExMerge will fail to extract data from the mailbox.


Figure B: The msExchOrigMDB attribute

So, what is the problem?
As described above, you will encounter problems when you try to use ExMerge to extract data from mailboxes in the RSG under the following situations:
• The mailbox has been moved to another mailbox store
• The mailbox has been deleted or purged from the system

You may encounter the following error message when you try to use ExMerge to retrieve a list of mailboxes from a RSG:
An error was encountered with one or more users when retrieving the list of mailboxes homed in the selected databases on server 'ServerName'. Please refer to the log file, 'ExMerge.log', for more information.
And from the ExMerge log, you may see the following error:
[14:13:08] Error! Cannot identify the user with the msExchMailboxGuid C\03\96f\5D\B1\3BD\81\99\1F\91C2\5B7. The legacyExchangeDN is /O=ORGNIZATION/OU=SITE/CN=RECIPIENTS/CN=USER.

Problem Resolution
Depending on the scenario, you can use different methods to recover the data:

Scenario 1: The mailbox has been moved to another database
In this scenario, we can use the following two methods to recover the data from the mailbox.
Resolution: Move the mailbox back to the original database or modify the msExchOrigMDB attribute
The most efficient method in this scenario is to move the mailbox back to the original database where the RSG was created. Then ExMerge should work fine to retrieve the mailbox list and to extract the data from RSG.
If you are unable to move the mailbox back for any reason, you can modify the msExchOrigMDB attribute on the RSG database and point it to the database that you moved the mailbox to.

To do this, please follow the steps below:
1. Start the ADSI Edit utility. This is included in the Windows 2000 and 2003 Support Tools: click Start -> Run, type adsiedit.msc and press Enter.
2. Locate the mailbox store that you moved the mailbox to. To do this, expand the following containers:
Configuration Container [YourServerName.YourDomainName.YourTopLevelDomain]
CN=Configuration,DC=YourDomainName,DC=YourTopLevelDomain
CN=Services
CN=Microsoft Exchange
CN=YourOrganizationName
CN=Administrative Groups
CN=YourAdministrativeGroupName
CN=Servers
CN=YourServerName
CN=InformationStore
and then click CN=YourStorageGroup.
3. In the right pane, right-click the database object and click Properties.
4. Locate the distinguishedName attribute.
5. Right-click the value that is in the "Value(s)" box and click Copy.
6. Click Cancel.
7. Locate and click the RSG database object in the
CN=Configuration,DC=YourDomainName,DC=YourTopLevelDomain container.
8. In the right pane, right-click the RSG database object and click Properties.
9. Locate the msExchOrigMDB attribute.
10. Click Clear.
11. Right-click an empty area of the Edit Attributes box and click Paste.
12. Click Set and click OK.
13. Quit ADSI Edit.

For more information, refer to the following Microsoft TechNet article:
How to Change the msExchOrigMDB Attribute Using ADSI Edit
http://technet.microsoft.com/en-us/library/aa996434.aspx

Scenario 2: The mailbox has been deleted from the database, but not yet purged
Resolution: Reconnect the deleted mailbox to the original or a new user account
When a mailbox is deleted but not yet purged, it becomes an orphaned mailbox in the Exchange server database and is available in the Deleted Mailbox Dumpster (before the retention time expires). Under this situation, you can reconnect the deleted mailbox to the original user account and then recover the data.
If you cannot reconnect the mailbox to the original user (for example, you have created another mailbox and associated it with the original user account), you can just create a new user account (with no mailbox enabled) and then reconnect the orphaned mailbox to this newly-created user. This will work because the msExchOrigMDB attribute does not change on the mailbox even if we associate it with a new user account.

Scenario 3: The mailbox has been purged (permanently deleted) from the database
Resolution: Create a new storage group, or modify the msExchMailboxGuid attribute on a user to point to the mailbox we want to recover data from

If you are running Exchange Server 2003 Enterprise Edition, you can create a new regular storage group and copy the recovered database from RSG to this new storage group. You can then directly extract the mailbox data from the new storage group. For more detailed information see the following Microsoft Knowledge Base article:
You receive an error message when you use the Exmerge tool
http://support.microsoft.com/kb/919088

However, you cannot use this method on an Exchange Server 2003 Standard Edition because you are limited to one storage group in this edition. In this situation, you can directly modify the msExchMailboxGuid attribute on another mailbox to represent the one you want to recover (according to the principle of the msExchMailboxGuid attribute introduced above).

To do this, please follow the steps below:
1. The GUID shown in the ExMerge log is in a different format from the actual msExchMailboxGuid attribute. So first of all, you need to convert the GUID in the ExMerge log into a format that contains 16 units, each unit having 2 hexadecimal numerals. Let's take C\03\96f\5D\B1\3BD\81\99\1F\91C2\5B7 as an example:

i. For units like C\ and 03\, with only 1 or 2 characters, leave them as they are.
ii. For units like 96f\, with 3 characters, split into 2 units: 96 and f.
iii. For units like 91C2\, with 4 characters, split into 3 units: 91, C and 2.
iv. Following the rules described above, convert the original GUID into:
C 03 96 f 5D B1 3B D 81 99 1F 91 C 2 5B 7.
v. Then replace each single character with its ASCII code. So the GUID is: 43 03 96 66 5D B1 3B 44 81 99 1F 91 43 32 5B 37. (You can visit http://www.lookuptables.com to check the ASCII codes.)

2. Start the AD Users and Computers snap-in, and create a new user with the same name and same organizational unit (OU) as referred to in the ExMerge log.
3. Start the ADSI Edit snap-in: click Start menu -> Run, type adsiedit.msc and
press Enter
4. Expand the Domain container, and expand the OU container which stores the new user (for example, CN=Users).
5. Highlight the newly-created user account in step 2 and open its Properties.
6. Locate the msExchMailboxGuid attribute.
7. Click Clear.
8. Copy the converted GUID: 43 03 96 66 5D B1 3B 44 81 99 1F 91 43 32 5B 37.
9. Right-click an empty area of the Edit Attributes box and click Paste to override with "43 03 96 66 5D B1 3B 44 81 99 1F 91 43 32 5B 37" (without quotation marks).
10. Click Set and click OK.
11. Quit ADSI Edit.
12. Run ExMerge again and connect to the RSG. This time we should see the mailbox
we want to recover. Follow the ExMerge wizard to extract the data.
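
The conversion in step 1, as an added Python example that is not part of the original article: in the logged value a backslash introduces a two-digit hex byte and any other character stands for its own ASCII code, which is the same splitting rule the step describes. The function names are illustrative, and the dashed GUID string at the end goes beyond what the article shows.

```python
import re
import uuid

# A token is either "\" followed by two hex digits, or one literal character.
TOKEN = re.compile(r"\\([0-9A-Fa-f]{2})|([^\\])")

# The value used as the example in step 1.
SAMPLE = r"C\03\96f\5D\B1\3BD\81\99\1F\91C2\5B7"


def exmerge_guid_to_bytes(logged):
    """Decode the msExchMailboxGuid string from ExMerge.log into 16 raw bytes."""
    out = bytearray()
    pos = 0
    while pos < len(logged):
        match = TOKEN.match(logged, pos)
        if match is None:
            # A backslash that is not followed by two hex digits.
            raise ValueError("malformed escape at offset %d" % pos)
        if match.group(1) is not None:
            out.append(int(match.group(1), 16))      # escaped byte, e.g. \5D
        else:
            char = match.group(2)
            if ord(char) > 0x7F:
                raise ValueError("non-ASCII literal at offset %d" % pos)
            out.append(ord(char))                    # literal, e.g. C -> 0x43
        pos = match.end()
    if len(out) != 16:
        raise ValueError("expected 16 bytes, got %d" % len(out))
    return bytes(out)


def to_adsi_hex(raw):
    """Format the bytes the way they are pasted into ADSI Edit in step 9."""
    return " ".join("%02X" % b for b in raw)


def to_guid_string(raw):
    """Same 16 bytes as a dashed GUID (Windows stores the first three
    fields little-endian, hence bytes_le)."""
    return str(uuid.UUID(bytes_le=raw))


if __name__ == "__main__":
    raw = exmerge_guid_to_bytes(SAMPLE)
    print(to_adsi_hex(raw))
    print(to_guid_string(raw))
```

The length check catches a value that was truncated or mis-copied from the log before it is written to a user object.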

Summary
In Exchange Server 2003, there is a feature called Recovery Storage Group (RSG) which helps you to easily recover data (including messages, mailboxes or an entire database) without building up an extra recovery computer. However, due to the working mechanism of RSG, you cannot directly recover a deleted or purged mailbox. The above are some ways to work around this limitation.

Monday, September 10, 2012

Suggested WMI Hotfixes

Microsoft has released a fast publish article to address the numerous WMI issues that have been reported.
WMI issues show high-level symptoms such as the ones below; for me, the concerns are with SCOM and SCCM.

  • Loss of functionality with enterprise management/monitoring software for various machines. Software examples: Microsoft SCOM/SMS etc
  • Loss of functionality related to Citrix terminal services load-balancing.
  • Loss of functionality for WMI-based scripts.
  • Slow user logon times on Citrix terminal servers.
  • Slow user logon times on Windows clients where WMI-based group policy filters are in-place

The article is as below
http://support.microsoft.com/kb/2591403/en-us?sd=rss&spid=12925

Monday, September 3, 2012

Who Deleted That Active Directory Object?

Have you ever had an AD object (a user, a computer, etc.) deleted with no one owning up to it?
In this situation, the usual questions are when it happened, where it happened (which DC?) and who the culprit is.
You could say that you can trace the culprit by poring over the security logs if auditing is enabled, but picture this: what if you have over 80 domain controllers and no idea when the deletion took place?
The following procedure gives you the means to get the answers.

To get the Distinguished Name of the Deleted Object

1) First, open LDP and connect to a server.
2) Next, bind to the DC you are connected to: click Connections and then bind again.
(If all the fields are blank, it will bind with the credentials of the user you are currently logged on as.)
3) Click on Browse and then Search. Make sure that the control to return deleted objects is properly configured so that deleted objects will be returned.
4) Now we need to search for the deleted objects. If you go to View and then Tree and leave it blank, it will go to the default naming context, which by default is the domain naming context. Once this shows up on the left-hand side, expand it, go to the Deleted Objects container, alt click and then choose Search. This searches just that container, and we can look for the attribute we are interested in.
5) Once the object is located, copy the DN; it will be used in the next step.

Who, When, Where?
To find out when and where, repadmin can be used as below:

repadmin /showobjmeta "<DN copied in step 5>"

In the output, what we are actually looking for is the isDeleted attribute.
This tells you when the object was deleted and from which domain controller.

For the who, go to the domain controller identified earlier and look through the security logs.
The event ID to look for is Event ID 630.
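
Pulling the "when" and "where" out of the repadmin output, as an added Python example that is not part of the original post: it reads the per-attribute table and returns the originating DC and timestamp of the isDeleted row. The sample text is constructed, the column layout (Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute) is assumed to follow repadmin's usual table, and the function names are illustrative.

```python
from datetime import datetime

# Constructed sample laid out like "repadmin /showobjmeta" output.
SAMPLE = """\
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  20481          Default-First-Site-Name\\DC01     20481 2012-08-01 09:12:44    1 objectClass
  98213                      Branch-Site\\DC37     55102 2012-09-03 14:27:05    1 isDeleted
  98213                      Branch-Site\\DC37     55102 2012-09-03 14:27:05    2 name
"""


def parse_showobjmeta(text):
    """Return one dict per attribute row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # A data row starts with the local USN and has at least 7 fields.
        if len(parts) < 7 or not parts[0].isdigit():
            continue
        try:
            when = datetime.strptime(parts[-4] + " " + parts[-3],
                                     "%Y-%m-%d %H:%M:%S")
            version = int(parts[-2])
        except ValueError:
            continue  # not a metadata row after all
        rows.append({
            "attribute": parts[-1],
            "version": version,
            "when": when,
            # Everything between the local USN and the originating USN;
            # joined back together because site names may contain spaces.
            "dsa": " ".join(parts[1:-5]),
        })
    return rows


def deletion_origin(text):
    """Return (originating DSA, time) of the isDeleted change, or None."""
    for row in parse_showobjmeta(text):
        if row["attribute"].lower() == "isdeleted":
            return row["dsa"], row["when"]
    return None


if __name__ == "__main__":
    origin = deletion_origin(SAMPLE)
    if origin is None:
        print("object has no isDeleted metadata")
    else:
        print("deleted on %s at %s" % origin)
```

The returned DC and timestamp narrow the security-log search to one server and a small time window.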

Thursday, August 16, 2012

A meeting update message or a meeting cancellation message from an Exchange 2003 user is not delivered to external attendee


It was brought to my attention that there is a random issue where a user cancels a meeting and some of the attendees do not receive the cancellation. Upon digging further, the users not receiving these cancellations were found to be external users.
From conversations with the IT staff at these users' companies, their messaging infrastructure runs on Lotus Notes and Exchange 2007.
The issue turned out to be the one described below, and the procedure listed can be used to check whether it affects your Exchange 2003 setup.
Issue
When meeting changes or cancellations are sent to another mail server outside of your Exchange 2003 organization, the messages get stuck in the queue, and if diagnostic logging for the MSExchangeTransport component is set to maximum, the following warning is logged:
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 327
If an administrator tries to open the message in the Exchange System Manager console, the administrator may receive the following error message: Unable to open for delivery
To verify that this is the issue, follow these steps on the message that is stuck.
  1. Launch MFCMAPI and select OK. (MFCMAPI can be downloaded from http://mfcmapi.codeplex.com/)
  2. Choose Session –> Logon –> Display Store Table
  3. Select the profile used to open the mailbox
  4. In the returned items look for the row that has "Mailbox – <username>" and double click to open the row
  5. In the new "Mailbox – <username>" window expand the Root – Mailbox folder
  6. Expand the IPM_SUBTREE (or the mailbox) folder
  7. Open the calendar folder by double clicking on it.
  8. In the new "Calendar" window navigate to the appointment item (you can sort by Subject by clicking the Subject column)
  9. Right click the appointment item and choose "Display Recipient Table" from the menu
  10. In the recipients table scroll to the right until you can view the column named "PR_RECIPIENT_TRACKSTATUS"
  11. Note the number value for each recipient and this will indicate their tracking status on the item.
  12. If the value is 0 then it means that the tracking status is not available.
The solution
Microsoft has released a hotfix to correct this issue; see the KB article below:
http://support.microsoft.com/kb/938650



Wednesday, August 8, 2012

Token Size report for users

I was asked how we can tell what the token size is for each user in the environment.
Microsoft provides a tool to calculate this for one user (http://www.microsoft.com/en-us/download/details.aspx?id=1448). But as far as I know, this tool only calculates the token size for the currently logged-on user, and if the token size for another user is needed, that user's credentials have to be provided (which is a challenging task).
With that, I set out to create a VBScript for this, and below is the output that I would like to share.
The computation is based on the following formula, which is used to determine whether it is necessary to modify the MaxTokenSize value:
TokenSize = [12 X number of user rights] + [token overhead] + [40 X number of group memberships] + 8s
This formula uses the following values:
• d: The number of domain local groups a user is a member of plus the number of universal groups outside the user’s account domain plus the number of groups represented in SID history.
• s: The number of security global groups that a user is a member of plus the number of universal groups in a user’s account domain.
• User rights include rights such as “Log on locally” or “Access this Computer from the network”. The only user rights that are added to an access token are those user rights that are configured on the server that hosts a secured resource. Most users are likely to have only two or three user rights on the Exchange server. Administrators may have dozens of user rights. Each user right requires 12 bytes to store it in the token.
• Token overhead includes multiple fields such as the token source, expiration time, and impersonation information. For example, for a typical domain user with no special access or restrictions, token overhead is likely to be between 400 and 500 bytes.
• The estimated value for ticket overhead can vary depending on factors such as DNS domain name length, client name and other factors.
• Each group membership adds the group SID to the token together with an additional 16 bytes for associated attributes and information. The maximum possible size for a SID is 68 bytes. Therefore, each security group to which a user belongs typically adds 44 bytes to the user’s token size.

*** Assumes that [12 X number of user rights] + [token overhead] = 1200

The script is below. To use it, copy it and save the file with a .vbs extension.

'Start of VBS

Const ForReading = 1

Const ADS_SCOPE_SUBTREE = 2

TotalGroups=0
UniversalGroup=0
LocalGroup=0
GlobalGroup = 0
I = 2

' Script-level variables shared with the EnumGroups subroutine.
Set objGroupList = Nothing
Set objUser = Nothing

' Create Excel Spreadsheet
Set app = CreateObject("Excel.Application")
Set wb = app.Workbooks.Add
wb.Activate
Set ws = wb.Sheets.Add

On Error Resume Next
app.Visible = True

' Column headers (column 3 is kept free for the optional "Total Groups" count).
ws.Cells(1,1).Value = "Display Name"
ws.Columns(1).ColumnWidth = 30
ws.Cells(1,2).Value = "SAMAccountName"
ws.Columns(2).ColumnWidth = 30
'ws.Cells(1,3).Value = "Total Groups"
'ws.Columns(3).ColumnWidth = 10
ws.Cells(1,4).Value = "Local group"
ws.Columns(4).ColumnWidth = 10
ws.Cells(1,5).Value = "Universal group"
ws.Columns(5).ColumnWidth = 10
ws.Cells(1,6).Value = "Global group"
ws.Columns(6).ColumnWidth = 10
ws.Cells(1,7).Value = "Token Size"
ws.Columns(7).ColumnWidth = 10


'Replace the domain with your domain in your environment
Strdomain = "DC=contoso,DC=msft"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select SAMAccountname,distinguishedname,displayname from 'LDAP://" & strDomain & "' " _
        & "Where objectcategory='user' AND SAMAccountname = '*'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst


Do Until objRecordSet.EOF

    ws.Cells(I,1).Value = objRecordSet.Fields("displayname").Value
    ws.Cells(I,2).Value = objRecordSet.Fields("SAMAccountname").Value
    On Error Resume Next
    ' Progress output; run the script with cscript.exe so this prints to the console.
    WScript.Echo objRecordSet.Fields("distinguishedname").Value

    ' Bind to the user object in Active Directory with the LDAP provider.
    ' Reset first so that a failed bind does not reuse the previous user's object.
    Set objUser = Nothing
    Set objUser = GetObject("LDAP://" & objRecordSet.Fields("distinguishedname").Value)

    ' Bind to dictionary object (tracks groups already counted for this user).
    Set objGroupList = CreateObject("Scripting.Dictionary")

    ' Enumerate group memberships.
    Call EnumGroups(objUser)
    ' ws.Cells(I,3).Value = TotalGroups
    ws.Cells(I,4).Value = LocalGroup
    ws.Cells(I,5).Value = UniversalGroup
    ws.Cells(I,6).Value = GlobalGroup
    'Token Size Computation based on http://support.microsoft.com/kb/327825
    Tokensize = 1200 + LocalGroup*40 + 8*(UniversalGroup + GlobalGroup)
    ws.Cells(I,7).Value = Tokensize

    'To reset the numbers after each user
    TotalGroups = 0
    UniversalGroup = 0
    LocalGroup = 0
    GlobalGroup = 0

    objRecordSet.MoveNext
    I = I + 1

Loop

'You may wish to change this to any path as needed.
ws.SaveAs "D:\Scripts\CalculateTokenSize\" & "usertoken.xlsx"
app.quit

'_____________________________________________________________


Sub EnumGroups(objADObject)
    ' Recursive subroutine to enumerate user group memberships.
    ' Includes nested group memberships.
    Dim colstrGroups, objGroup, j

    ' CompareMode can only be set while the dictionary is still empty;
    ' setting it again during recursion raises an error.
    If objGroupList.Count = 0 Then
        objGroupList.CompareMode = vbTextCompare
    End If
    colstrGroups = objADObject.memberOf

    If IsEmpty(colstrGroups) Then
        Exit Sub
    End If

    ' memberOf is a plain string when the object belongs to exactly one group.
    If TypeName(colstrGroups) = "String" Then
        Set objGroup = GetObject("LDAP://" & colstrGroups)
        If Not objGroupList.Exists(objGroup.sAMAccountName) Then
            objGroupList(objGroup.sAMAccountName) = True
            ' groupType: 2 = global, 4 = domain local, 8 = universal;
            ' the negative values are the same scopes with the security bit set.
            Select Case objGroup.GroupType
                Case 2
                    GlobalGroup = GlobalGroup + 1
                Case 4
                    LocalGroup = LocalGroup + 1
                Case 8
                    UniversalGroup = UniversalGroup + 1
                Case -2147483646
                    GlobalGroup = GlobalGroup + 1
                Case -2147483644
                    LocalGroup = LocalGroup + 1
                Case -2147483640
                    UniversalGroup = UniversalGroup + 1
            End Select

            Call EnumGroups(objGroup)
        End If
        Set objGroup = Nothing
        Exit Sub
    End If

    ' Otherwise memberOf is an array of group distinguished names.
    For j = 0 To UBound(colstrGroups)
        Set objGroup = GetObject("LDAP://" & colstrGroups(j))
        If Not objGroupList.Exists(objGroup.sAMAccountName) Then
            objGroupList(objGroup.sAMAccountName) = True

            Select Case objGroup.GroupType
                Case 2
                    GlobalGroup = GlobalGroup + 1
                Case 4
                    LocalGroup = LocalGroup + 1
                Case 8
                    UniversalGroup = UniversalGroup + 1
                Case -2147483646
                    GlobalGroup = GlobalGroup + 1
                Case -2147483644
                    LocalGroup = LocalGroup + 1
                Case -2147483640
                    UniversalGroup = UniversalGroup + 1
            End Select

            Call EnumGroups(objGroup)
        End If

        TotalGroups = TotalGroups + 1
    Next
    Set objGroup = Nothing
End Sub

'End of VBS

Friday, July 27, 2012

SCOM Subscriptions automatically disabled repeatedly

An issue was flagged to me that certain IT teams were not getting the alerts that they had subscribed to.

Upon logging on to the SCOM console, I found that these notification subscriptions were being disabled every 30 minutes. The weird thing was that not all subscriptions were being disabled, and it was the same subscriptions every time. I tried re-enabling them and had the same result: the subscriptions kept being disabled. After some digging through the Operations Manager logs I found this warning:


Log Name: Operations Manager
Source: Health Service Modules
Date: 7/27/2012 5:53:22 PM
Event ID: 11452
Task Category: None
Level: Warning
Keywords: Classic
User: N/A

Computer: RMSserver

Description:
Validate alert subscription data source module encountered an alert subscription data source with configuration that has gone out of scope. Disabling the alert subscription data source module.

Alert subscription name: Subscription45c18cec_e95d_4af6_877e_072844d147d0

One or more workflows were affected by this.
Workflow name: Microsoft.SystemCenter.ValidateAlertSubscription
Instance name: RMSServer
Instance ID: {AF86A1AC-F1F5-9BF7-1E89-F60F73982EB6}
Management group: ManagementGRP



The problem turned out to be that someone in the team had recently cleaned up the SCOM Admins user group, and one of the users removed from the group had created these subscriptions. Putting the user back in the SCOM Admins group and re-enabling the subscriptions solved the problem, but we really didn’t want this user (who has left the company) in the SCOM Admins group.

What is the root cause of this? When a subscription is created, the SID of the user who created it is associated with that subscription. There is a workflow that checks every half hour for SIDs that are no longer valid. They could be invalid because the account's access has been removed, or possibly because the account has been disabled or deleted.

The Solution

To fix the issue permanently, I exported the management pack “Microsoft.SystemCenter.Notifications.Internal” in XML format.
This management pack is unsealed and contains all subscriptions.
Inside the management pack I searched for one of the subscriptions that was being disabled and one that wasn’t. I then replaced the SID of the subscription that was being disabled with the SID of the subscription that was enabled.
After replacing the SIDs I re-imported the management pack and re-enabled all subscriptions, and the problem was solved for good.
Here is an example of one of the SIDs I had to replace.

<ExpirationStartTime>12/01/2010 10:00:21</ExpirationStartTime>
<IdleMinutes>5</IdleMinutes>
<PollingIntervalMinutes>1</PollingIntervalMinutes>
<UserSid>S-1-5-21-1202660629-706699826-839522115-63827</UserSid>
<LanguageCode>ENE</LanguageCode>
<ExcludeNonNullConnectorIds>false</ExcludeNonNullConnectorIds>
<RuleId>$MPElement$</RuleId>

Monday, July 16, 2012

SCCM Package Stuck at "Install Pending" State Persistently


One of my SCCM primary site servers encountered some issues over the past week, and during that time a package was being copied to all primary site servers, including the one having issues.

After the issue on the primary site server was resolved, repeated attempts to remove and re-copy the package all ended with the same frustrating outcome: the package showing up as "Install Pending".

The method used to resolve this requires modifying the SCCM SQL database tables directly (attempt it at your own risk).

1) Remove the assigned DP from the package and allow some time for the changes to take effect. Only proceed to step 2 once you have verified that the package is no longer in the "Install Pending" state.

2) Log on to the SQL database for SCCM on both the top-tier and the parent primary site server.
Run the SQL query below against the PkgStatus table in the SCCM database:

Delete FROM PkgStatus WHERE ID='<Package ID>' AND SiteCode = '<Site Code>'

3) Give it some time before adding the DP to the same package again.

The procedure is applicable to all DPs, including BDPs.

Windows Server 2008 stops responding and hangs at the "Applying User Settings" stage of the logon process

An issue was flagged to me last week: a Hyper-V guest running Windows 2008 SP2 was starting up extremely slowly (Applying Computer Settings, Applying Security Policies, etc.) and could take hours to reach the logon screen.

Even though I could log on to the server, I found that multiple services, including the ones below, were not started. Weird!!

Print Spooler
Terminal Services
Server service
Remote Registry
Windows Management Instrumentation (WMI)
Distributed Transaction Coordinator
Any services that are related to applications

After several rounds of troubleshooting which includes

- Booting to Safe mode (Booting to safe mode flies)
- Re-installing the HyperV integration Disk
- Tweaking Physical NIC settings

I finally came across a Microsoft Article (http://support.microsoft.com/kb/2004121) that more or less describes what I am facing.

This issue occurs because of a deadlock in the Service Control Manager database.

The Service Control Manager tries to start the HTTP.sys service and then puts a lock in place in the Service Control Manager database. Then, HTTP.sys makes a call that requires Cryptographic Services during startup. Then, a request is sent to start Cryptographic Services. However, a lock is already in place in the Service Control Manager database. Therefore, a deadlock occurs.

To verify that this is the case, run "sc querylock" from a command prompt.
The output below indicates that the Service Control Manager (SCM) database is locked:

QueryServiceLockstatus - Success
IsLocked : True
LockOwner : .\NT Service Control Manager
LockDuration : 1090 (seconds since acquired)


To resolve the issue

You can modify the behavior of HTTP.SYS so that it depends on another service being started first. To do this, perform the following steps:

1) Open Registry Editor
2) Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP and create the following Multi-string value: DependOnService
3) Double-click the new DependOnService entry
4) Type CRYPTSVC in the Value Data field and click OK.
5) Reboot the server
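
The same check and registry change can be scripted. The PowerShell below is an added example, not part of the original post or the Microsoft article; it assumes an elevated prompt on the affected server, and the backup file name is a hypothetical choice. It keeps any dependencies already listed instead of overwriting them.

```powershell
# Added example: check the SCM lock, then make HTTP.sys depend on CRYPTSVC.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP'
$dep = 'CRYPTSVC'

# In PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
$lock = & sc.exe querylock
if ($lock -match 'IsLocked\s*:\s*True') {
    Write-Warning 'The Service Control Manager database is currently locked.'
}

# Read the existing DependOnService value, if there is one.
$current = @()
$prop = Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue
if ($prop) { $current = @($prop.DependOnService) }

if ($current -contains $dep) {
    # -contains compares case-insensitively, so "CryptSvc" also matches.
    Write-Host "DependOnService already lists $dep; nothing to change."
} else {
    # Export the key first so the change can be rolled back (hypothetical file name).
    $backup = Join-Path $env:TEMP 'HTTP-service-backup.reg'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\HTTP' $backup /y | Out-Null

    # Append CRYPTSVC to whatever was already there and write a REG_MULTI_SZ value.
    $new = [string[]]@(@($current) + $dep | Where-Object { $_ })
    New-ItemProperty -Path $key -Name DependOnService -PropertyType MultiString `
        -Value $new -Force | Out-Null
    Write-Host "DependOnService is now: $($new -join ', '). Reboot the server to apply."
}
```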

Thursday, July 12, 2012

RDP clients and ICA clients cannot connect to a Windows Server 2003-based terminal server after hotfix 938759 is applied to the server

Encountered an issue where users were unable to log on to some of our Citrix servers running Windows 2003 R2 SP2 after deployment of the security update (KB2653956, http://support.microsoft.com/kb/2653956).


It seems to be a known issue that only affects Windows 2003 servers but not Windows 2008 servers. The issue can be corrected by applying the hotfix listed in the KB below.
http://support.microsoft.com/kb/958476


Interesting that Microsoft did not correct this in the fix itself to prevent the issue from affecting Windows 2003 servers, and instead provided a hotfix to correct those that may be affected :(

Tuesday, July 10, 2012

Removing Deleted Computers from SCOM View


There will be times when a server with a SCOM agent has been decommissioned, but after some time its object is still displayed in the SCOM Computers view.

If removal is required, the SQL statement below will enable you to do so

UPDATE [OperationsManager].[dbo].[BaseManagedEntity] SET [IsDeleted] = 1   WHERE [DisplayName] LIKE 'servername'

Wednesday, June 20, 2012

SCOM SNMP Threshold Type


SCOM SNMP monitors and rules can be easy to create, but configuring their thresholds can be a pain.
The SCOM Console assumes that whatever is entered as a threshold for a rule or monitor is a string.
Hence, when a threshold requires a numeric comparison such as greater than or less than, the string value will not work.


To work around this, you can either export the management pack and edit the XML by hand or, the easier way which I prefer, follow the procedure below:
1) Export the management pack to XML.
2) Use the System Center Operations Manager 2007 R2 Authoring Console (http://www.microsoft.com/en-us/download/details.aspx?id=18222) to open the MP exported in step 1. Navigate to the monitors in the left window.
3) Select the correct monitor, then right-click and choose Properties, then Configuration.
4) Under each XPathQuery and Value, you will see @Type. You will need to change 4 similar attributes like this to Integer. (Refer to screenshot above for sample)
5) Once this is completed, save the modified management pack.
6) Re-import the management pack into SCOM.
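
For the other route mentioned above, editing the exported XML directly, the PowerShell below is an added example and not part of the original post. The XML fragment is a constructed, simplified stand-in for an exported management pack; the monitor ID, the wrapper element names and the output file name are assumptions. It retypes only the expressions of one named monitor, and only where the threshold is a whole number.

```powershell
# Constructed, simplified stand-in for an exported MP. In practice load the file:
#   $mp = [xml](Get-Content 'C:\Temp\Exported.MP.xml')   # hypothetical path
$mp = [xml]@'
<ManagementPack><Monitoring><Monitors>
  <UnitMonitor ID="Example.Snmp.Threshold.Monitor">
    <Configuration>
      <FirstExpression><SimpleExpression>
        <ValueExpression><XPathQuery Type="String">SnmpVarBinds/SnmpVarBind[1]/Value</XPathQuery></ValueExpression>
        <Operator>Greater</Operator>
        <ValueExpression><Value Type="String">90</Value></ValueExpression>
      </SimpleExpression></FirstExpression>
      <SecondExpression><SimpleExpression>
        <ValueExpression><XPathQuery Type="String">SnmpVarBinds/SnmpVarBind[1]/Value</XPathQuery></ValueExpression>
        <Operator>LessEqual</Operator>
        <ValueExpression><Value Type="String">90</Value></ValueExpression>
      </SimpleExpression></SecondExpression>
    </Configuration>
  </UnitMonitor>
</Monitors></Monitoring></ManagementPack>
'@

$monitorId = 'Example.Snmp.Threshold.Monitor'   # hypothetical monitor ID
$monitor = $mp.SelectSingleNode("//UnitMonitor[@ID='$monitorId']")
if (-not $monitor) { throw "Monitor '$monitorId' not found in the management pack" }

$changed = 0
foreach ($expr in $monitor.SelectNodes('.//SimpleExpression')) {
    $query = $expr.SelectSingleNode('ValueExpression/XPathQuery')
    $value = $expr.SelectSingleNode('ValueExpression/Value')
    $number = 0
    # Leave the expression alone unless its threshold really is a whole number.
    if (-not $value -or -not [int]::TryParse($value.InnerText, [ref]$number)) {
        Write-Warning 'Skipping an expression whose threshold is not numeric.'
        continue
    }
    foreach ($node in @($query, $value)) {
        if ($node -and $node.GetAttribute('Type') -eq 'String') {
            $node.SetAttribute('Type', 'Integer')
            $changed++
        }
    }
}
Write-Host "$changed Type attributes changed to Integer"   # 4 for this sample
$mp.Save((Join-Path $env:TEMP 'Example.MP.edited.xml'))     # hypothetical output name
```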

Thursday, March 29, 2012

Performance issue accessing WebDav Folders on Windows 7

Some users may encounter a performance issue when SharePoint resources are accessed via WebDAV folders under Windows 7.
The same file performs better if it is accessed directly from the SharePoint site via Internet Explorer.
It has been mentioned in some forums on the Internet that the steps below will solve the issue.
The resolution is pretty basic, but well, no one will really care if it works :)
- Open Internet Explorer
- Open Tools -> Internet Options -> Connections -> LAN Settings
- Disable 'Automatically detect settings'
- Open your WebDAV or SharePoint volume and look at it fly.

Friday, March 16, 2012

Missing Outlook Calendar Entries .. X-files???

There will be times when users report that certain calendar entries / invites have gone missing.
Usually, we will look into the usual suspects:
1) Someone (perhaps a delegate) changed the time
2) Blackberry
3) Different Outlook versions used by a manager and a delegate

But if nothing is found, it could be another case of X-files.
Now here’s the life saver: I chanced upon a tool, CalCheck, that was created by one of Microsoft's escalation engineers.
Below is an extract of what this tool will do.


Download CalCheck from the Microsoft Download Center.
This utility works with:
- Microsoft Office Outlook 2003
- Microsoft Office Outlook 2007
- Microsoft Office Outlook 2010 (32-bit)
- Microsoft Office Outlook 2010 (64-bit)
- Microsoft Exchange Server 2003
- Microsoft Exchange Server 2007
- Microsoft Exchange Server 2010
Important: The 64-bit version of this tool is only for use with the 64-bit version of Microsoft Outlook 2010.
The download is a ZIP file - just unzip it in an empty directory, open a command window in that directory, and run it.

What CalCheck does
The Calendar Checking Tool for Outlook (CalCheck) is a command-line program that checks Microsoft Outlook Calendars for problems. The tool opens an Outlook profile to access the Outlook Calendar. It performs various checks, such as permissions, free/busy publishing, delegate configuration, and automatic booking. Then each item in the calendar folder is checked for known problems that can cause unexpected behavior, such as meetings that appear to be missing.
As CalCheck goes through this process, it generates a report that can be used to help diagnose problem items or identify trends.
Checks performed
The following Calendar-specific checks are performed and logged in the report:
- Permissions on the Calendar
- Delegates on the Calendar
- Free/Busy publishing information
- Direct Booking settings for the Mailbox or Calendar
- Total number of items in the Calendar folder
The following item-level checks are performed and logged in the report:
- No Organizer email address
- No Sender email address
- No dispidRecurring property (causes an item to not show in the Day/Week/Month view)
- Time existence of the dispidApptStartWhole and dispidApptEndWhole properties
- No Subject for meetings that occur in the future or for recurring meetings (a warning is logged)
- Message Class check (a warning is logged)
- dispidApptRecur (recurrence blob) is checked for time on overall start and end times, not for exceptions
- Check for Conflict items in the Calendar
- Check for duplicate items, based on certain MAPI properties
- Check if over 1250 recurring meetings (a warning is logged) and 1300 recurring meetings (an error is reported); 1300 is the limit
- Check if you are an attendee and you became the Organizer of a meeting
- Check meeting exception data to ensure it is the correct size
Server Mode
You also have the option to run CalCheck in Server Mode. In Server Mode, CalCheck attempts to open all mailboxes on the Exchange server and perform the checks listed in the "Checks Performed" section of this article. Server Mode generates a CalCheckSvr.log file, which lists the mailboxes that have errors. Additionally, CalCheck generates a separate CalCheck__.log file for each mailbox. This log file shows more mailbox-specific detail.
To use Server Mode, you must use a messaging profile associated with an account that has permissions to all of the mailboxes on the specified Exchange server. To run server mode, use the “-S” command-line switch.
Example
Running to check a single mailbox/calendar:
If you don’t specify a profile on the command line - then you will be prompted to choose a profile as in the above screenshot.
Once you have chosen your profile - the tool will run - and you will see similar output as long as everything is successful:
Looking at this window shows you that there is a CalCheck.log, and where to go and find it. Opening that will show some info like the following:
02/17/2012 05:09:20PM Calendar Checking Tool - Version 1.0
02/17/2012 05:09:20PM ====================================
02/17/2012 05:13:45PM Opening mailbox: Mailbox
02/17/2012 05:13:45PM /O=Org/OU=OU/cn=Recipients/cn=Mailbox
02/17/2012 05:13:45PM Local time zone: Eastern Standard Time
02/17/2012 05:13:45PM Successfully opened the Calendar folder.
02/17/2012 05:13:45PM Processing calendar for Mailbox
02/17/2012 05:13:46PM Successfully located and opened the local free busy message for this mailbox.
02/17/2012 05:13:47PM Publishing 2 month(s) of free/busy data on the server.
02/17/2012 05:13:47PM Resource Scheduling / Automatically accept meeting requests is disabled.
02/17/2012 05:13:47PM ====================================
02/17/2012 05:13:47PM Delegates for this mailbox:
02/17/2012 05:13:47PM ===========================
02/17/2012 05:13:47PM No delegates are set.
02/17/2012 05:13:47PM ===========================
02/17/2012 05:13:47PM Permissions on this Calendar:
02/17/2012 05:13:47PM =============================
02/17/2012 05:13:47PM Default: None
02/17/2012 05:13:47PM Manager: Reviewer
02/17/2012 05:13:47PM Coworker1: None
02/17/2012 05:13:47PM Coworker2: Reviewer
02/17/2012 05:13:47PM Coworker3: Reviewer
02/17/2012 05:13:47PM =============================
02/17/2012 05:13:48PM Found 1404 items in the Calendar. Processing...
02/17/2012 05:13:48PM WARNING: No Subject on this item. You may want to add a Subject to this item.
02/17/2012 05:13:48PM Properties to help investigate this reported item:
02/17/2012 05:13:48PM Subject:
Location: No subject on recurring item
Start Time: 01/11/2011 10:00:00PM
End Time: 01/11/2011 10:30:00PM
Last Modifier: Mailbox
Last Modified Time: 02/04/2011 02:48:08PM
Is a recurring appointment: true
Sender Name: Mailbox
Sender Address: /o=Org/ou=OU/cn=recipients/cn=Mailbox
Organizer Name: Mailbox
Organizer Address: /o=Org/ou=OU/cn=recipients/cn=Mailbox
Recurrence Start: 12:00:00.000 AM 1/11/2011
Recurrence End: 12:00:00.000 AM 2/1/2011
Recurrence End Type: End After X Occurrences
Number of Exceptions: 0x0000

02/17/2012 05:13:50PM ERROR: Detected a duplicate item in the Calendar. Please check this item.
02/17/2012 05:13:50PM Properties to help investigate this reported item:
02/17/2012 05:13:50PM Subject: Doctor appointment
Location: Doctor’s Office
Start Time: 03/04/2012 04:30:00PM
End Time: 03/04/2012 06:00:00PM
Last Modifier: Mailbox
Last Modified Time: 08/01/2011 06:29:05PM
Is a recurring appointment: false
Sender Name: Mailbox
Sender Address: /o=Org/ou=OU/cn=recipients/cn=Mailbox
Organizer Name: Mailbox
Organizer Address: /o=Org/ou=OU/cn=recipients/cn=Mailbox
For problem items that are found - the report gives you information you can use to go and find the problem items so you can remove it, recreate it, or if possible - fix it, etc.
Command Switches - and what they do
CalCheck [-P ] [-M ] [-S ] [-A] [-F] [-R] [-V] [-No]
CalCheck -?

-P Profile name (If this parameter is not specified, the tool prompts you for a profile)
-M Mailbox DN (If this parameter is specified, only process the mailbox that is specified)
-S Server name (Process the complete server unless a mailbox is specified)
-A All calendar items are output to CALCHECK.CSV
-F Create a CalCheck folder, and move flagged error items to the folder
-R Put a Report message that contains the CalCheck.log file in the Inbox
-V Verbose output to the Command Prompt window
-No To omit a calendar item test
The No parameter works with "org" to omit the “Attendee becomes Organizer” test and works with "dup" to omit duplicate item detection
-? Print this message
Some additional tips about specific switches:
“-M” You must use the legacyExchangeDN for the mailbox, and the profile you use must be for a mailbox that has permission to open that other mailbox.
“-A” Will create a CSV file that includes all calendar items - one in each row. There will be several properties listed for each item that can be used to look for problems not detected by the tool:
You can view all items in the Calendar by opening the CSV in Excel. You can sort and filter items based on things like start time, subject, recurring items, etc. This can be useful for finding problems that can’t be detected by CalCheck, or that currently aren’t looked for by CalCheck. If you find a problem item in the CSV, you can open the Calendar and put it into Category view to get a similar view of the Calendar in Outlook.
To do this, in Outlook click the View tab, click the Change View drop down, and choose By Category. This will give a view of the Calendar like the following:
This view shows all the items in the Calendar as a list - similar to looking at emails in the Inbox folder. You can sort on things here like Subject, Location, Start, and End. This can be used to find the problem item in the Calendar folder when it is difficult or impossible to find in the normal Calendar view.
“-F” Will create a CalCheck folder in your folder list, and will move items marked as an Error to that folder:
Items can easily be moved back to the Calendar, or can be deleted from here if not needed, or corrected if possible and then placed back in the Calendar. The general rule of thumb would be to recreate the item and delete the item that was moved out to the CalCheck folder.
“-R” Will create a mail message in the Inbox folder with the CalCheck.log file attached to it. This is useful when running the tool in Server mode - as each user will get their report in their Inbox:
“-No” There are two of these: “-No org” and “-No dup”:
The “-No org” will omit the check for the “attendee becomes the organizer of the meeting” check. Part of this check uses the legacyExchangeDN of the mailbox. If the legacyExchangeDN has changed for any reason - like a migration - then this test will give errors for items that may not really be in error. The error that is logged by CalCheck will show both DNs. Here is an example:
12/21/2011 05:27:25PM ERROR: dispidApptStateFlags is 1, but the address for this mailbox does not match the organizer address.
12/21/2011 05:27:25PM Check to ensure the Organizer Address is correct, and whether or not this user should be the organizer.
12/21/2011 05:27:25PM Organizer Address: /o=Org1/ou=admin group 1/cn=recipients/cn=user1
12/21/2011 05:27:25PM DN for this user: /o=Org2/ou=admin group 2/cn=recipients/cn=user1
12/21/2011 05:27:25PM See KB 2563324 for additional information: http://support.microsoft.com/default.aspx?scid=kb;EN-US;2563324
12/21/2011 05:27:25PM Properties to help investigate this reported item:
12/21/2011 05:27:25PM Subject: Test
The mailbox here is the same actual mailbox - but because the legacyExchangeDN changed - it is marked as an error.
The “-No dup” will omit the duplicate item detection - as this test creates an in-memory list of items and tests each item against that list. This can slow the process down a bit due to the extra processing and memory usage.
What CalCheck does not do
- CalCheck is a reporting tool only. It will not automatically modify or “fix” any items. It will move items detected as error items to the CalCheck folder if the “-F” switch is used, but otherwise no changes will be made to any items.
- CalCheck only works against Calendars located on an Exchange server. It will not work against other servers, such as IMAP or POP3, etc.
- CalCheck can’t find every kind of corruption that can possibly happen to a Calendar item. However - it can find many known problems that can be knocked out without having to spend time combing through a Calendar and/or contacting a help desk.
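
When a CalCheck.log is long, the flagged items can be pulled out with a short script. The PowerShell below is an added example, not part of CalCheck or of the extract above; the log lines are a constructed sample in the layout shown earlier, and the choice to keep only Subject and Start Time is an assumption about what is useful for triage.

```powershell
# Constructed sample in the CalCheck.log layout shown above.
# For a real report use:  $log = Get-Content .\CalCheck.log
$log = @'
02/17/2012 05:13:48PM Found 1404 items in the Calendar. Processing...
02/17/2012 05:13:48PM WARNING: No Subject on this item. You may want to add a Subject to this item.
02/17/2012 05:13:48PM Properties to help investigate this reported item:
02/17/2012 05:13:48PM Subject:
Start Time: 01/11/2011 10:00:00PM
02/17/2012 05:13:50PM ERROR: Detected a duplicate item in the Calendar. Please check this item.
02/17/2012 05:13:50PM Properties to help investigate this reported item:
02/17/2012 05:13:50PM Subject: Doctor appointment
Start Time: 03/04/2012 04:30:00PM
'@ -split "`r?`n"

# Each log line may start with a timestamp; property lines often do not.
$stamp = '^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}[AP]M '
$findings = @()
$current = $null

foreach ($line in $log) {
    $text = $line -replace $stamp, ''
    if ($text -match '^(ERROR|WARNING): (.+)$') {
        # A new flagged item starts here; later property lines attach to it.
        $current = New-Object PSObject -Property @{
            Severity = $Matches[1]; Message = $Matches[2]; Subject = ''; Start = ''
        }
        $findings += $current
    } elseif ($current -and $text -match '^Subject:\s*(.*)$') {
        $current.Subject = $Matches[1]
    } elseif ($current -and $text -match '^Start Time:\s*(.*)$') {
        $current.Start = $Matches[1]
    }
}

# Count per severity, then list the flagged items.
$findings | Group-Object Severity |
    ForEach-Object { Write-Host ('{0}: {1}' -f $_.Name, $_.Count) }
$findings | Format-Table Severity, Subject, Start, Message -AutoSize
```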