Saturday, November 10, 2012

Moving All iTunes Information to a New Computer

This morning I decided that, since my PC has not had a fresh OS load in almost 3 years and I recently added a super fast SSD drive, I would take the time today to do a reload of Windows 7 x64 and all applications.

One of my biggest concerns was losing my family's iPhone, iPad, and iPod syncs.  After doing a lot of research on the web about this I didn't really find any articles that addressed moving EVERYTHING!  I know how to move the music, movies, etc.  I know how to copy the database.  What I wanted to know was how to move everything so my phone and other ijunk will still sync properly.

So I did my own homework on it, tested a few things, and now I have step-by-step instructions here on how to do this.

First I identified the four folders in which iTunes stores everything and can add up to multiple gigabytes of data:

  • C:\Users\Username\AppData\Local\Apple Computer\iTunes
  • C:\Users\Username\AppData\Roaming\Apple Computer\MobileSync\Backup
  • C:\Users\Username\AppData\Roaming\Apple Computer\iTunes
  • C:\Users\Username\Music\iTunes (this may be different if you moved your media folder)

Note:  On your system, Username is replaced by the name of the user who is logged on.

Here's the new folder structure I will be using after the system is reloaded.

Note:  I am not moving the location of C:\Users\Username\AppData\Local\Apple Computer\iTunes.  This folder is not that large but does contain some important XML data.

  • E:\Backup\MobileSync\Backup to relocate C:\Users\Username\AppData\Roaming\Apple Computer\MobileSync\Backup
  • E:\Data\iTunes to relocate C:\Users\Username\AppData\Roaming\Apple Computer\iTunes
  • E:\Data\iTunes to relocate C:\Users\Username\Music\iTunes

The last item of business is to put a pointer in place so that iTunes can find the data where I have moved it to without issue.  This is done by making a link to the new locations from the old.  Below are the commands to run that will accomplish this:

1. C:\>mklink /J "C:\Users\Username\AppData\Roaming\Apple Computer\MobileSync\Backup" "E:\Backup\MobileSync\Backup"
2. C:\>mklink /J "C:\Users\Username\AppData\Roaming\Apple Computer\iTunes" "E:\Data\iTunes"
3. C:\>mklink /J "C:\Users\Username\Music\iTunes" "E:\Data\iTunes"

What this does is allow these files to grow considerably larger, not be on my SSD, and iTunes is none the wiser.  By creating the links the whole move is transparent to iTunes as the application thinks it is accessing data on C: drive.

I hope this helps you to move your iTunes library and even relocate it to a larger drive if necessary.  Good luck!

Wednesday, September 26, 2012

How to Cluster IronPort C-Series Appliances

This is a quick overview of how to cluster two of these devices together, which provides an easy way to administer multiple IronPorts on the same network.

1. Log in to the IronPort using SSL.  I prefer PuTTY.
3. The CLI will ask if you want to enter cluster mode.  Select Y.
4. You will then see a list of cluster commands.
5. At this point if you have no cluster enter the option to create a cluster.
6. Follow the prompts.  Give it a name, select the ports, etc.  I always recommend setting the cluster to communicate on the internal management IP address.
7. Once the cluster config is complete the IronPort will apply the changes which only takes a minute or so.
8. To add other machines repeat this exact process only selecting the option to join an existing cluster.
9. During the join select the IP address of the first IronPort you put into the cluster.  Follow the prompts and complete the join.

I have found this process very helpful if an IronPort fails because I don't have to take the time to configure the replacement from scratch.  

This setup shares the configs so all you do is bring the replacement IronPort online, give it a static IP address and the same name as the unit you are replacing, login to it via the CLI and join it to the cluster.  

Once you have done that it will copy the configuration  from your cluster and will be ready to run.

Good luck on your cluster setups.

Monday, September 10, 2012

PrivateKeyMissing when running Enable-ExchangeCertificate

Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint XXXXXXXXX -Services "IIS"

The above error is a result of a glitch with Exchange 2007. This issue does not happen all the time as it is completely random, but when it does happen no certificate can be installed or removed through the Exchange Management Shell (EMS). For whatever reason it may be, the system forgets where it placed the Private Key or the certificate store is damaged.

Repair Damaged Certificate Store:

1) Open MMC (Microsoft Management Console) to the Certificate Manager (Certificates Snap-in) for the Local Computer account.
2) Double-Click on the recently imported certificate (It will be missing the golden key).
3) Go to the Details tab.
4) Click on the Serial Number field and copy down that number. (Leave window open)
5) Open up the command prompt (DOS Prompt -- CMD.exe)
6) Type: certutil -repairstore my "SerialNumber" (SerialNumber is the value that was copied down in step 4.)
7) After running the command, go back to the MMC and right-click Certificates and select "Refresh".
8) One should now see the golden key associated with the certificate.
9) Double-check in the Exchange Power Shell with: Get-ExchangeCertificate

Alternatively if the above does not work try the following:
Note: Follow these steps if running Windows Server 2008 only

1) Open MMC (Microsoft Management Console) to the Certificate Manager for the Local Computer account. (Certificates Snap In)
2) Look in the Personal section of the Certificate Manager and there should be icon(s) without a little golden key. (Those with the key have the private key bonded to them.)
3) Delete the icons without the golden key.
4) Go back to the EMS.
5) Run the Import-ExchangeCertificate and Enable-ExchangeCertificate in one line like so: [ Import-ExchangeCertificate -Path c:\ | Enable-ExchangeCertificate -Services "SMTP, IMAP, IIS, POP" ]
*** Please modify the command according to your needs. ***
6) Things should be golden from here and if they are not, please contact Microsoft.
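
Steps 1 to 8 of the certutil repair can also be checked from PowerShell. The following is an added example, not part of the original post; the function names are hypothetical, and only the `certutil -repairstore my` command itself comes from step 6.

```powershell
# Added example, not part of the original post. Function names are hypothetical.
# Run from an elevated PowerShell prompt on the Exchange server.

function Get-CertWithoutPrivateKey {
    # Enumerate the Local Computer "Personal" store (the "my" store certutil uses)
    # and report every certificate that has no private key bound to it.
    # Not every hit is damage: a certificate can sit here legitimately without a
    # key, so compare the list with the certificate you just imported.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { -not $_.HasPrivateKey } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                SerialNumber  = $_.SerialNumber
                NotAfter      = $_.NotAfter
                RepairCommand = 'certutil -repairstore my "{0}"' -f $_.SerialNumber
            }
        }
}

function Repair-CertPrivateKey {
    param([Parameter(Mandatory = $true)][string]$SerialNumber)

    # The MMC Details tab shows the serial number with spaces, and copy and paste
    # can add stray non-hex characters; keep the hex digits only.
    $serial = $SerialNumber -replace '[^0-9A-Fa-f]', ''

    & certutil.exe -repairstore my $serial | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed with exit code $LASTEXITCODE"
    }

    # Re-read the store: the repair worked if the certificate is no longer
    # reported as missing its private key (the "golden key" check in step 8).
    $stillBroken = @(Get-CertWithoutPrivateKey |
        Where-Object { $_.SerialNumber -eq $serial })
    return ($stillBroken.Count -eq 0)
}

# Report first, then repair only the certificate you just imported.
Get-CertWithoutPrivateKey |
    Format-List Subject, Thumbprint, SerialNumber, NotAfter, RepairCommand
# Repair-CertPrivateKey -SerialNumber '<serial number from step 4>'
```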

Monday, September 03, 2012

Migrate Windows 7 to a new SSD

What you’ll need: your old hard drive; a back-up drive, either internal or external; a blank CD-R/DVD-R or the Windows 7 installation disc and your new SSD.

Step 1: Shrinking your original partition to fit on the smaller

First make sure your original OS drive only contains two partitions -- the system reserved partition and the partition that houses your OS. If you have any others, back everything up from them onto the backup disk as you'll lose them in this process.

Once that’s done, it’s time to shrink your OS partition so it will fit inside the SSD, which is likely to be smaller than the older OS drive. Go to the start menu and right-click 'Computer' before selecting 'Manage'.

Select 'Disk Management' on the left, just under the 'Storage' header.

Right-click your OS partition, which is usually labelled as C:, and then select 'Shrink Volume'. The computer will think for a moment as it queries the volume for available shrink space.

In 'Enter the amount of space to shrink in MB', enter a value that's at least 10% smaller than the usable capacity of your new SSD. For example, if you’re moving over to a 120GB SSD, enter 100,000 to be safe.

If you can’t shrink the partition enough, try defragging the drive first. If that fails, you’ll need to start uninstalling applications from C:. Do this until you’re able to shrink the drive enough. Once it’s shrunk, your new OS partition will be small enough to fit inside your SSD.

Step 2: Create an image of the now shrunken OS drive

Plug in your backup drive, be it an external drive or an internal drive. It must be bigger than the size of your shrunken original OS partition.

Head to the control panel and double-click the 'Backup and Restore' option.

On the left-hand side, select 'Create a system image'. During the backup wizard, it will ask where you want to store the new image -- select your backup drive.

Start the backup and then hurry up and wait -- this can take up to 15 minutes or more to complete.

Once it's finished, you’ll be asked if you want to create a system repair disc. If you don’t have your Windows 7 installation disc, select yes and it will guide you through the creation of a system repair disc. If you do have your Windows 7 installation disc, select no. Then shut down your PC.

Step 3: Install the new hard drive and restore from the image

We’re halfway there -- now it’s time to set up the new drive. Firstly, open your PC case and disconnect all of your drives except for the backup disk. Plug in your new SSD as described in our photo tutorial this week. After double-checking all your connections, boot up your system and insert the repair disc or Windows Install disc in your optical drive.

The computer should boot from the optical disc and at the first screen select the 'Repair your computer' option. Then select the 'Restore your computer using a system image that you created earlier' option from the next screen before clicking next.

On the next screen, select the 'Use the latest available system image (recommended)' option and then click next.

Now you need to double-check you’re not going to wipe any other drives, so click the 'Exclude disks' button.

You should only see one hard drive in the list -- if there are any more, make sure they’re selected with a tick mark otherwise they’ll be erased.

Click 'Next' and finally, 'Finish'. A warning sign will pop up, asking if you’re sure you want to continue -- select Yes.

If this process fails, it means your shrunken partition still wasn’t small enough, so you’ll need to go back to Step 1 and uninstall more applications before shrinking and mirroring the drive again.

If this process works, you’ll be prompted to restart your computer. Click 'Don’t restart', and then click 'Shutdown'.

Step 4: Final Steps

Plug all your other drives back in, but don't plug the original OS drive in at this point. If you want to use that drive, save it for later -- our priority now is to make sure the new drive is working.

Boot the PC up -- Windows should load from your SSD, though it may need a reboot once it's detected a new device in the SSD.

It’s time to go back into the Disk Management area. Go to the start menu, right-click 'Computer' and select 'Manage'. Once again, head into the same 'Disk Management' section on the left as you did in Step 1.

Right-click your new OS partition (again, usually called C:) and select 'Extend Volume', then click next.

Don’t adjust any of the default values -- Windows will automatically calculate exactly how far you can extend the partition to fill your new SSD. Click Next and then Finish, and your partition will be extended to fill the SSD.

Finally, we need to enter a single command via the command prompt in administrator mode. Go to 'Start > All programs > Accessories', then right-click 'Command Prompt' and run it as an administrator. Type this command at the command prompt:

winsat disk

This command makes Windows detect the new drive as an SSD and thus enable all the features unique to these drives. You’re now good to go!

Monday, August 27, 2012

Integrating XenDesktop 5.6 with VMWare VCenter 5 Certificate Error

I ran into this issue earlier today while configuring my first XenDesktop setup using VMWare.  To resolve this issue, you can do one of three things.

Option 1: Purchase an SSL certificate for your vCenter from a third party.

Option 2: Self-sign a certificate from your enterprise certificate authority.

Option 3: Trust the existing SSL certificate.  This option is by far the quickest and easiest. To do that, you can follow these steps:
  1. If you are logged in as a local administrator, open Internet Explorer and navigate to https://YOURVCENTERSERVERNAME/
  2. If you are not logged in as local administrator, or a user with sufficient permissions, it is very important that you SHIFT & Right-Click Internet Explorer, and run it as an Administrator, then navigate to https://YOURVCENTERSERVERNAME/
  3. You will get a warning screen that the SSL Certificate is not trusted, select Continue to this web site (not recommended).
  4. Click the Certificate error in the Security Status bar and select View Certificate.
  5. Click Install Certificate.
  6. When the Certificate Import Wizard launches, select Place All Certificates in the following store and click Browse.
  7. When the Select Certificate Store window comes up, make sure you select the check box for Show physical stores.
  8. Find and expand Trusted People, select Local Computer and click OK.
  9. It is important to note that if you don't see the Local Computer option under Trusted People, you are not logged in as a user with sufficient rights; in that case you must run Internet Explorer as an Administrator.
  10. Click Finish to complete the certificate import process
  11. Click OK when you receive the import successful window
  12. Close your browser, re-open it again, and browse to your vCenter server using the FQDN. The browser should now trust your vCenter server and therefore you should not receive a certificate error. That is how you can verify if the process was successful.  Make sure you test using the FQDN or it will not work.
  13. Repeat the above steps on the XenDesktop server as well.  That way both machines trust the self-signed certificate.
  14. Configure the hosting infrastructure settings on the XenDesktop 5 controller to point to
That's it.  From there you can continue with your configuration.
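
Option 3 trusts whatever certificate the browser happens to receive. The following added example (not from the original post) imports the certificate into the same Local Computer Trusted People store only if its thumbprint matches one you read on the vCenter server itself; the function names, the host name and the thumbprint placeholder are assumptions.

```powershell
# Added example, not part of the original post. Function names are hypothetical.
# Run elevated on each machine that must trust vCenter (see step 13).

function Get-RemoteCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate on purpose: this connection is
        # only used to read the certificate. Trust is decided afterwards by
        # comparing the thumbprint, not by this handshake.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Close() }
    }
    finally { $tcp.Close() }
}

function Add-PinnedTrustedPeopleCert {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )
    # Thumbprints copied from a certificate dialog contain spaces and sometimes
    # an invisible leading character; keep the hex digits only.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $cert = Get-RemoteCertificate -HostName $HostName
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for ${HostName}: received $($cert.Thumbprint), expected $expected. Nothing was imported."
    }

    # Same destination as steps 6 to 8: Trusted People, Local Computer.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }

    $cert | Select-Object Subject, Thumbprint, NotAfter
}

# Use the FQDN, as step 12 requires. The thumbprint is a placeholder: read the
# real value from the certificate on the vCenter server itself.
# Add-PinnedTrustedPeopleCert -HostName 'YOURVCENTERSERVERNAME' -ExpectedThumbprint '<thumbprint read on the vCenter server>'
```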

Monday, August 20, 2012

Outlook 2010 "Could not Complete the Operation" when Forwarding Email

This issue is a result of the contact information being "misread" or "corrupted".

In Outlook 2010 there are a couple of ways to work with this.

1. When you go to forward the message and the person's name automatically appears, simply hover the mouse over it and press DELETE.  This will remove it from the cache.   Now type in the address and the message will complete properly.

2. If you want to clear out all of your cache without trying to address them one at a time, then here are the steps:
  • Open Outlook 2010
  • Open File
  • Click Options
  • Click Mail
  • Select "Empty Autocomplete List"

That will clear all of the cache items including tasks or appointments that could also be causing the issue.

Microsoft's first recommendation is to clear your Outlook profile and create another one, which is sure to work but is a bit overkill for such a small issue.

I'm sure the process is similar with other versions of Outlook but YMMV.

Good luck...

Sunday, August 12, 2012

Uninstalling Exchange 2003 during Exchange 2010 Migration

If you are getting the following error:

'The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Remove" because: - One or more users currently use a mailbox store on this server.'

then the odds are good you have an item in AD that is still pointing to the old Exchange 2003 server.  Here's how you get rid of it.

Just open up ADUC, do a find, create a custom query and paste in the command you see below:


Then select VIEW, then choose Columns.

From there you can add in the extra values needed to find out which account is still showing old Exchange 2003 data.  Just add in both attributes with Exchange on them.  Redo the Find Now and you'll be able to sort them by server name to find out the offending accounts.

During my last SBS 2003 to SBS 2011 migration it turned out to be the SBSAdmin account that I had created during the migration steps.

Once these accounts are removed or corrected you can continue your uninstall of Exchange 2003.

Good luck!

Sunday, August 05, 2012

How to Load the Answer File on a SBS 2003 to SBS 2011 Physical to Virtual Migration

I just ran into this issue today during a migration.  Simply put how do I get an answer file into a new VM?  The process is simple.

1. Using another VM, add a floppy drive and select the option to create a new floppy image.
2. Boot the VM and once loaded open the floppy and format it.
3. Copy your SBS answer file to the newly created floppy.
4. Using the VMWare console remove the floppy from your running VM.
5. Once your new SBS 2011 VM gets to the point where you can choose either a new install or migration, select Migration.
6. At this point on the console click to add a floppy and then select your new floppy image from the datastore that contains the answer file.
7. From there continue your migration.

This is a quick, easy step that allows you to get the migration answer file loaded without the need for any 3rd party applications or other issues.  It keeps the disc stored on the datastore with your other ISO files and is there for future use if needed.

Good luck with your migration.

**Update: Make sure you remove the virtual floppy image before your next VM restart**

Friday, July 27, 2012

Configure Two Ironport C-Series Devices Where the Backup Hosts the Quarantine

These steps come straight from Cisco and it works like a charm.  This allows the primary device to focus on email filtering and the second device to take care of the quarantine work.  I have another post on how to sync the SLBL on these two devices since users will be getting their information from the backup IronPort.

How to configure two C-Series devices where the backup hosts the Quarantine

Question: How to configure two C-Series devices where the backup hosts the Quarantine

Answer: All-in-one-plus-one IronPort Spam Quarantine Configuration
Note: This approach will not work if using Centralized Management.

Many sites will run two IronPort appliances, one that is designated as the "Primary MX" server and processes the majority of mail, and a second appliance as a hot spare that is designated as the "Secondary MX."  If the Primary MX should become unavailable for any reason, then the normal SMTP protocol will redirect traffic to the Secondary MX until the primary is available again.  For sites that wish to deploy the IronPort Spam Quarantine feature for their end-users but do not have enough traffic to justify a dedicated M-Series appliance, we offer the below configuration hints to allow you to configure the Secondary MX system to act as a centralized quarantine for both appliances, and to tell the Primary MX that messages detected as spam should be sent to that central quarantine on the Secondary MX system.

Please note that this configuration should only be used by sites that are not at or near the peak performance throughput on their Primary MX server, or doing equal-weighted load balancing between two appliances, as the additional load of processing end-user quarantined messages could result in reduced throughput in the event of a Primary-to-Secondary fail-over.  For high-volume sites whose multiple appliances are running at or near peak throughput, we recommend deployment of the M-Series appliance to offload quarantine duties from your C-Series appliances.

The second IronPort MGA that will contain the IronPort Spam Quarantine must be able to identify messages coming from the Primary MTA and force the messages to the Quarantine.  This can be accomplished by using an X-Header once a message is identified as spam.
To avoid having two IronPort C-Series MGA's scanning the same message be sure to perform the following steps.

Procedure overview:

1. On the Primary

   1. Ensure messages received from Primary MX MGA are scanned for Anti-Spam filtering
   2. When Spam Positive and/or Suspect Positive, send to the IronPort Spam Quarantine and add X-Header: X-Ironport-Quarantine

2. On the Secondary

   1. Add a Mail Flow Policy which by-passes Anti-Spam scanning
   2. Add a new Sender Group called "Quarantine_From_Primary", set the order # to 1.
   3. Configure this Sender Group to accept messages from the Primary appliance
   4. Configure this Sender Group to use the Mail Flow Policy created previously
   5. Configure the local quarantine on the "secondary" MGA
   6. Edit Log Global Settings to monitor the X-header: X-Ironport-Quarantine

3. Test

If this is not setup correctly one message will actually be scanned by both MGA’s before ending up in the quarantine.  
(The following example is using a Sender Group on the secondary MX MGA called "QUARANTINE_FromMail2")

Primary Server
Thu Apr 27 15:05:45 2006 Info: New SMTP ICID 1348 interface Mail ( address reverse dns host verified yes
Thu Apr 27 15:05:45 2006 Info: ICID 1348 ACCEPT SG SUSPECTLIST match sbrs[-2.0:-0.5] SBRS -1.4
Thu Apr 27 15:05:45 2006 Info: Start MID 1661 ICID 1348
Thu Apr 27 15:05:45 2006 Info: MID 1661 ICID 1348 From:
Thu Apr 27 15:05:45 2006 Info: MID 1661 ICID 1348 RID 0 To:
Thu Apr 27 15:05:45 2006 Info: Start MID 1661 ICID 1348
Thu Apr 27 15:05:45 2006 Info: MID 1661 ICID 1348 From:
Thu Apr 27 15:05:45 2006 Info: MID 1661 ICID 1348 RID 0 To:
Thu Apr 27 15:05:45 2006 Info: MID 1661 Message-ID '<>'
Thu Apr 27 15:05:45 2006 Info: MID 1661 Subject 'Fwd: Impotenc-e hellp no doc visilt'
Thu Apr 27 15:05:45 2006 Info: MID 1661 ready 13559 bytes from
Thu Apr 27 15:05:45 2006 Info: MID 1661 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Apr 27 15:05:51 2006 Info: MID 1661 using engine: CASE spam positive
Thu Apr 27 15:05:51 2006 Info: EUQ: Tagging MID 1661 for quarantine
Thu Apr 27 15:05:51 2006 Info: MID 1661 antivirus negative
Thu Apr 27 15:05:51 2006 Info: EUQ: Tagging MID 1661 for quarantine (X-Ironport-Quarantine)
Thu Apr 27 15:05:51 2006 Info: MID 1661 queued for delivery
Thu Apr 27 15:05:51 2006 Info: Delivery start DCID 4789 MID 1661 to RID [0] to offbox IronPort Spam Quarantine
Thu Apr 27 15:05:51 2006 Info: Message done DCID 4789 MID 1661 to RID [0]
Thu Apr 27 15:05:51 2006 Info: MID 1661 RID [0] Response 'ok:  Message 22017 accepted'
Thu Apr 27 15:05:51 2006 Info: Message finished MID 1661 done

Secondary Server
Thu Apr 27 15:05:50 2006 Info: New SMTP ICID 121070 interface Mail ( address reverse dns host unknown verified no
Thu Apr 27 15:05:50 2006 Info: ICID 121070 ACCEPT SG QUARANTINE_FromMail2 match SBRS rfc1918
Thu Apr 27 15:05:50 2006 Info: Start MID 22017 ICID 121070
Thu Apr 27 15:05:50 2006 Info: MID 22017 ICID 121070 From:
Thu Apr 27 15:05:50 2006 Info: MID 22017 ICID 121070 RID 0 To:
Thu Apr 27 15:05:55 2006 Info: ICID 121070 close
Thu Apr 27 15:05:50 2006 Info: Start MID 22017 ICID 121070
Thu Apr 27 15:05:50 2006 Info: MID 22017 ICID 121070 From:
Thu Apr 27 15:05:50 2006 Info: MID 22017 ICID 121070 RID 0 To:
Thu Apr 27 15:05:50 2006 Info: MID 22017 Message-ID '<>'
Thu Apr 27 15:05:50 2006 Info: MID 22017 Subject '[SPAM] Fwd: Impotenc-e hellp no doc visilt'
Thu Apr 27 15:05:50 2006 Info: MID 22017 ready 13907 bytes from
Thu Apr 27 15:05:50 2006 Info: MID 22017 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Apr 27 15:05:50 2006 Info: EUQ: Tagging MID 22017 for quarantine (X-Ironport-Quarantine)
Thu Apr 27 15:05:50 2006 Info: MID 22017 queued for delivery
Thu Apr 27 15:05:54 2006 Info: RPC Delivery start RCID 10882 MID 22017 to local IronPort Spam Quarantine
Thu Apr 27 15:05:54 2006 Info: EUQ: Quarantined MID 22017
Thu Apr 27 15:05:54 2006 Info: RPC Message done RCID 10882 MID 22017
Thu Apr 27 15:05:54 2006 Info: Message finished MID 22017 done

Detailed Steps for Primary Server

1. Ensure messages received from Primary MX MGA are scanned for Anti-Spam filtering

1. Ensure that Anti-Spam scanning is enabled
2. Configure the appropriate Anti-Spam policies on the Incoming Mail Policies page to send Positive and/or Suspect spam to the IronPort Spam Quarantine (now hosted on the Secondary MX appliance)

1. (Mail Policies -> Email Security Manager -> Incoming Mail Policies)

2. Configure the default Mail Policies: Anti-Spam settings ; Positively-Identified Spam Settings actions also to include additional X-header:

1. Header Name: X-Ironport-Quarantine
2. header Text: offbox (any text value will work)

3. If desired, repeat the above for Suspected Spam Settings
4. Setup an External Quarantine

1. Designate the Secondary MX appliance as an External Quarantine host by navigating to Monitor -> Quarantines -> External Quarantines 
2. Click the "Add Quarantine..." button
3. Enter a descriptive name so you know you are routing to your Secondary MX appliance
4. Enter the IP address of the Secondary MX appliance
5. Change the default port from 6025 to 25
6. Submit
7. Commit changes

Detailed Steps for Secondary Server

1. On IronPort that will host the Quarantine (Secondary) add a Mail Flow Policy

1. Select the Mail Flow Policies, beneath the HAT Overview
2. Click the Add Policy, button
3. Name the policy, example: SpamQuarantine 
4. Connection Behavior set to Accept    
5. In the Security Features, turn off Virus Protection and Spam Protection
6. Turn Off Sender Verification
7. Select  Submit

2. Add a new Sender Group called "Quarantine_From_Primary", set the order # to 1.

1. Open the HAT Overview, add a new Sender Group
2. Click Add Sender Group
3. Name: Quarantine_From_Primary
4. Set Order to 1
5. Add comments
6. Select the new Policy created, example SpamQuarantine
7. Leave other fields, unchecked
8. Click the Submit and Add Senders, at the bottom right.
9. Enter the IP of the Primary IronPort.
10. Add comments
11. Check Submit
12. Configure Local Quarantine
13. Enable Local quarantines 
14. Monitor-> Quarantines-> Local Quarantines

3. Edit Log Settings

1. System Administration > Log Subscriptions -> "Global Settings" box,
2. click "Edit Settings..."
3. In the "Headers (Optional)" text box add: X-Ironport-Quarantine

4. Test 

1. Send messages that have spam (use X-header: X-Advertisement: spam)
2. Send messages that do not contain spam
3. Review the logs
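
The "Review the logs" step can be scripted against a copy of the secondary's mail log. This is an added example, not from the Cisco article or the original post: the function name is hypothetical and the sample lines are constructed, modelled on the Secondary Server excerpt above, with one message showing the double-scan symptom.

```powershell
# Added example, not part of the original article. Function name is hypothetical.
# Constructed sample lines modelled on the "Secondary Server" excerpt:
#   MID 22017  relayed from the primary and handled correctly
#   MID 22018  tagged by the primary but scanned again on the secondary
#   MID 22019  ordinary inbound mail, not part of the quarantine relay
$sampleLog = @(
    'Thu Apr 27 15:05:50 2006 Info: ICID 121070 ACCEPT SG QUARANTINE_FromMail2 match SBRS rfc1918'
    'Thu Apr 27 15:05:50 2006 Info: Start MID 22017 ICID 121070'
    'Thu Apr 27 15:05:50 2006 Info: EUQ: Tagging MID 22017 for quarantine (X-Ironport-Quarantine)'
    'Thu Apr 27 15:05:54 2006 Info: EUQ: Quarantined MID 22017'
    'Thu Apr 27 15:06:10 2006 Info: ICID 121071 ACCEPT SG SUSPECTLIST match sbrs[-2.0:-0.5] SBRS -1.4'
    'Thu Apr 27 15:06:10 2006 Info: Start MID 22018 ICID 121071'
    'Thu Apr 27 15:06:12 2006 Info: MID 22018 using engine: CASE spam positive'
    'Thu Apr 27 15:06:12 2006 Info: EUQ: Tagging MID 22018 for quarantine (X-Ironport-Quarantine)'
    'Thu Apr 27 15:06:13 2006 Info: EUQ: Quarantined MID 22018'
    'Thu Apr 27 15:06:20 2006 Info: ICID 121072 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 2.1'
    'Thu Apr 27 15:06:20 2006 Info: Start MID 22019 ICID 121072'
    'Thu Apr 27 15:06:21 2006 Info: MID 22019 using engine: CASE spam negative'
)

function Test-QuarantineRelay {
    param(
        [Parameter(Mandatory = $true)][string[]]$LogLine,
        # Sender group that should accept mail from the primary appliance.
        [string]$SenderGroup = 'QUARANTINE_FromMail2'
    )
    $sgByIcid = @{}   # connection id -> sender group that accepted it
    $msg      = @{}   # message id    -> what happened to the message

    foreach ($line in $LogLine) {
        if ($line -match 'ICID (\d+) ACCEPT SG (\S+)') {
            $sgByIcid[$Matches[1]] = $Matches[2]
        }
        elseif ($line -match 'Start MID (\d+) ICID (\d+)') {
            $mid = $Matches[1]
            if (-not $msg.ContainsKey($mid)) {   # the log can repeat this line
                $msg[$mid] = @{ SG = $sgByIcid[$Matches[2]]; Scanned = $false
                                Tagged = $false; Quarantined = $false }
            }
        }
        elseif ($line -match 'MID (\d+) using engine: CASE') {
            if ($msg.ContainsKey($Matches[1])) { $msg[$Matches[1]].Scanned = $true }
        }
        elseif ($line -match 'EUQ: Tagging MID (\d+) for quarantine \(X-Ironport-Quarantine\)') {
            if ($msg.ContainsKey($Matches[1])) { $msg[$Matches[1]].Tagged = $true }
        }
        elseif ($line -match 'EUQ: Quarantined MID (\d+)') {
            if ($msg.ContainsKey($Matches[1])) { $msg[$Matches[1]].Quarantined = $true }
        }
    }

    # Only messages carrying the X-Ironport-Quarantine tag belong to the relay.
    foreach ($mid in ($msg.Keys | Sort-Object)) {
        $m = $msg[$mid]
        if (-not $m.Tagged) { continue }

        $problems = @()
        if ($m.SG -ne $SenderGroup) { $problems += "accepted by sender group '$($m.SG)'" }
        if ($m.Scanned)             { $problems += 'anti-spam engine ran again' }
        if (-not $m.Quarantined)    { $problems += 'did not reach the local quarantine' }

        $status = 'OK'
        if ($problems.Count -gt 0) { $status = 'CHECK: ' + ($problems -join '; ') }

        New-Object PSObject -Property @{
            MID = $mid; SenderGroup = $m.SG; Status = $status
        } | Select-Object MID, SenderGroup, Status
    }
}

Test-QuarantineRelay -LogLine $sampleLog | Format-Table -AutoSize
# For a real check, pass the lines of a mail log copied from the secondary:
# Test-QuarantineRelay -LogLine (Get-Content '<path to copied mail log>')
```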

Use BGInfo with Server 2008 R2

This is a great program to use if you work with a lot of different servers and you need to keep track of what you are connected to.  It also gives the ability to see the specifics of the box without the need to run all of that information down.

Here's the process:

1.  Create a text file named AutoRunBGInfo.reg and place it on your desktop.
2.  Enter the text in the file as follows - 


"BGInfo"="\"C:\\BGInfo\\Bginfo.exe\" \"C:\\BGInfo\\config.bgi\" /timer:0 /silent"

3.  Now place a folder on C:\ named BGInfo.  Inside there place the BGinfo.exe file and your config.bgi file.  The config.bgi file is created when you customize the information you want on your server's desktop.  Below I have a list of the ones I use and in the same order.

4.  Start BGInfo once manually, accept the program's question, and then load the config.bgi file to set the wallpaper.  

5.  That's all.

Now that you've done this process, every time you log in to the server you will get a fresh update of the statistics.  Having things such as free drive space at a glance is great when doing network maintenance tasks.

My BGInfo config: (All text in white except for the colors below.  Change yours to match the wallpaper's contrast so you can see it easily)

User and Computer Info

Host Name:   
OS Version:   
OS Bits:    bit
Hardware Bits:    bit
Service Pack:   
IE Version:   
Boot Time:   

Free Space:   
Network Settings

IP Address:   
Subnet Mask:   
Default Gateway:   
DNS Server:   
MAC Address:   
Network Speed:   
Machine Domain:   

Virtual (or Physical)

Model:    * or * will show here.

AD User List Query

I found this script on the web some time ago and it's great to dump all of the users out of AD into an Excel file.  I've been asked to do this many times for a variety of reasons.  Just copy this text exactly, place the script on a DC and run.  That's all it takes.

Dim ObjWb
Dim ObjExcel
Dim x, zz
Set objRoot = GetObject("LDAP://RootDSE")
strDNC = objRoot.Get("DefaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNC) ' Bind to the top of the domain via LDAP using RootDSE
Call ExcelSetup("Sheet1") ' Sub to make Excel Document
x = 1
Call enumMembers(objDomain)

Sub enumMembers(objDomain)
    On Error Resume Next
    Dim Secondary(20) ' Variable to store the Array of 2ndary email alias's
    For Each objMember In objDomain ' go through the collection

        If objMember.Class = "user" Then ' if not User object, move on.
            x = x + 1 ' counter used to increment the cells in Excel

            objwb.Cells(x, 1).Value = objMember.Class
            ' I set AD properties to variables so if needed you could do Null checks or add if/then's to this code
            ' this was done so the script could be modified easier.
            SamAccountName = objMember.samAccountName
            Cn = objMember.CN
            FirstName = objMember.GivenName
            LastName = objMember.sn ' sn = surname
            initials = objMember.initials
            Descrip = objMember.description
            Office = objMember.physicalDeliveryOfficeName
            Telephone = objMember.telephonenumber
            EmailAddr = objMember.mail
            WebPage = objMember.wwwHomePage
            Addr1 = objMember.streetAddress
            City = objMember.l
            State = objMember.st ' st = state or province
            ZipCode = objMember.postalCode
            Title = objMember.Title
            Department = objMember.Department
            Company = objMember.Company
            Manager = objMember.Manager
            Profile = objMember.profilePath
            LoginScript = objMember.scriptpath
            HomeDirectory = objMember.HomeDirectory
            HomeDrive = objMember.homeDrive
            AdsPath = objMember.Adspath
            LastLogin = objMember.LastLogin

            zz = 1 ' Counter for array of 2ndary email addresses
            For Each email In objMember.proxyAddresses
                If Left(email, 5) = "SMTP:" Then
                    Primary = Mid(email, 6) ' if SMTP is all caps, then it's the Primary
                ElseIf Left(email, 5) = "smtp:" Then
                    Secondary(zz) = Mid(email, 6) ' load the list of 2ndary SMTP emails into Array.
                    zz = zz + 1
                End If
            Next

            ' Write the values to Excel, using the X counter to increment the rows.
            objwb.Cells(x, 2).Value = SamAccountName
            objwb.Cells(x, 3).Value = CN
            objwb.Cells(x, 4).Value = FirstName
            objwb.Cells(x, 5).Value = LastName
            objwb.Cells(x, 6).Value = Initials
            objwb.Cells(x, 7).Value = Descrip
            objwb.Cells(x, 8).Value = Office
            objwb.Cells(x, 9).Value = Telephone
            objwb.Cells(x, 10).Value = EmailAddr
            objwb.Cells(x, 11).Value = WebPage
            objwb.Cells(x, 12).Value = Addr1
            objwb.Cells(x, 13).Value = City
            objwb.Cells(x, 14).Value = State
            objwb.Cells(x, 15).Value = ZipCode
            objwb.Cells(x, 16).Value = Title
            objwb.Cells(x, 17).Value = Department
            objwb.Cells(x, 18).Value = Company
            objwb.Cells(x, 19).Value = Manager
            objwb.Cells(x, 20).Value = Profile
            objwb.Cells(x, 21).Value = LoginScript
            objwb.Cells(x, 22).Value = HomeDirectory
            objwb.Cells(x, 23).Value = HomeDrive
            objwb.Cells(x, 24).Value = Adspath
            objwb.Cells(x, 25).Value = LastLogin
            objwb.Cells(x, 26).Value = Primary

            ' Write out the Array for the 2ndary email addresses.
            For ll = 1 To 20
                objwb.Cells(x, 26 + ll).Value = Secondary(ll)
            Next

            ' Blank out Variables in case the next object doesn't have a value for the property
            SamAccountName = "-"
            Cn = "-"
            FirstName = "-"
            LastName = "-"
            initials = "-"
            Descrip = "-"
            Office = "-"
            Telephone = "-"
            EmailAddr = "-"
            WebPage = "-"
            Addr1 = "-"
            City = "-"
            State = "-"
            ZipCode = "-"
            Title = "-"
            Department = "-"
            Company = "-"
            Manager = "-"
            Profile = "-"
            LoginScript = "-"
            HomeDirectory = "-"
            HomeDrive = "-"
            AdsPath = "-"
            LastLogin = "-"
            Primary = "-"
            For ll = 1 To 20
                Secondary(ll) = ""
            Next
        End If

        ' If the AD enumeration runs into an OU or container object, call the Sub again to iterate into it
        If objMember.Class = "organizationalUnit" Or objMember.Class = "container" Then
            Call enumMembers(objMember)
        End If
    Next
End Sub

Sub ExcelSetup(shtName) ' This sub creates an Excel worksheet and adds Column heads to the 1st row
    Set objExcel = CreateObject("Excel.Application")
    Set objwb = objExcel.Workbooks.Add
    Set objwb = objExcel.ActiveWorkbook.Worksheets(shtName)
    objwb.Name = "Active Directory Users" ' name the sheet
    objExcel.Visible = True
    objwb.Cells(1, 2).Value = "SamAccountName"
    objwb.Cells(1, 3).Value = "CN"
    objwb.Cells(1, 4).Value = "FirstName"
    objwb.Cells(1, 5).Value = "LastName"
    objwb.Cells(1, 6).Value = "Initials"
    objwb.Cells(1, 7).Value = "Descrip"
    objwb.Cells(1, 8).Value = "Office"
    objwb.Cells(1, 9).Value = "Telephone"
    objwb.Cells(1, 10).Value = "Email"
    objwb.Cells(1, 11).Value = "WebPage"
    objwb.Cells(1, 12).Value = "Addr1"
    objwb.Cells(1, 13).Value = "City"
    objwb.Cells(1, 14).Value = "State"
    objwb.Cells(1, 15).Value = "ZipCode"
    objwb.Cells(1, 16).Value = "Title"
    objwb.Cells(1, 17).Value = "Department"
    objwb.Cells(1, 18).Value = "Company"
    objwb.Cells(1, 19).Value = "Manager"
    objwb.Cells(1, 20).Value = "Profile"
    objwb.Cells(1, 21).Value = "LoginScript"
    objwb.Cells(1, 22).Value = "HomeDirectory"
    objwb.Cells(1, 23).Value = "HomeDrive"
    objwb.Cells(1, 24).Value = "Adspath"
    objwb.Cells(1, 25).Value = "LastLogin"
    objwb.Cells(1, 26).Value = "Primary SMTP"
End Sub

MsgBox "Done" ' show that script is complete

Monday, July 09, 2012

How to Create a USB install disc from ESXi ISO file.

I had to setup ESXi on some brand new Gen 8 HP ProLiant servers that had two hard drive cages and no optical drive.  Since I never carry a USB optical drive this was the best way to go.

I've outlined a few very simple steps below to make your USB key bootable with ESXi, so just boot from the USB drive and you're good to go.

Good luck!

1. Download UNetbootin and run the software.  Here are links to the different versions you may need. (Windows, Mac OS X, Linux).

2. Download the VMware vSphere ISO file.  Note: use the newest version, 5.0.0 Update 1 as of this writing. -> VMware Download Center.

3. Start the UNetbootin application and choose Diskimage (ISO) and browse to the downloaded ISO file.  There are several options at the top for many other operating systems and applications if you happen to want to make one of those as well.

4. Choose Type: USB Drive and choose the correct USB drive letter that you want the bootable installer to be installed to.

5. Let the program run and you are finished.  Make sure you edit the boot sequence in your BIOS (UEFI mode on some systems) to boot from USB instead of CD/DVD-ROM or HDD.

The vSphere 5 documentation can be found online here.

Friday, July 06, 2012

HP Compaq 6200 Pro DownGrade to XP AHCI Driver

I ran into this one recently where a customer wanted to downgrade these new machines to Windows XP since their company currently does not have any plans to migrate from it.  Below are the steps I had to take in order to install Windows XP and then set up the AHCI driver afterwards.

The main thing I had to do was to put the SATA controller in IDE mode first in order to get Windows XP to install.  This can be done by pressing ESC or F9 on the PC when it first boots.

Here is the step by step process to do that:

1. After Windows XP is installed, install the chipset driver first & reboot:​oftwareDescription.jsp?lang=en&cc=us&prodTypeId=1...

The following steps are used for installing AHCI drivers in Windows XP operating system installed using the IDE mode.

2. Download AHCI driver from the HP Driver site.

3. Right-click the My Computer icon, click Manage, and select Device Manager.

4. Click the + symbol beside IDE ATA/ATAPI controllers to see all of the hardware devices.

5. You will find the Intel native SATA storage controller driver installed.

6. Right-click the Serial ATA storage 4 Port controller listed, and click Update Driver.

7. In Welcome to the Hardware Update Wizard, select No, not this time. Click Next.

8. Select Install from a list or specific location (Advanced). Click Next.

9. Select Don't search. I will choose the driver to install. Click Next.

10. Click Have Disk

11. Click Browse

12. Select the location where you saved the AHCI drivers.

13. Select iaAHCI.inf

14. Click Open

15. This will list several SATA AHCI Controllers. From this list, select the Intel(R) Desktop/Workstation/Server Express Chipset SATA AHCI Controller. Click Next.

16. The Update Driver Warning will be shown. Click Yes.

17. The driver will install, and the Completing the Hardware Update Wizard page appears. Click Finish.

18. You can find the updated controller in the Device Manager.

19. During restart, boot to the BIOS setup utility. Go back to your device configurations sub menu and change the SATA Mode back to AHCI, save settings there (F10) and upon exit, save changes and reboot.

Now, the SATA driver is successfully installed and the desktop will boot into Windows with SATA Device Mode set to AHCI.

Thursday, June 21, 2012

Promote 2008 Server Core to a Domain Controller

To promote the server to be a DC in your domain, enter the following command:

dcpromo /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:mydomain.local /ConfirmGC:yes /username:mydomain\administrator /Password:* /safeModeAdminPassword:LetMeIn123

Enter this as a single line. It runs dcpromo, adding the server to the mydomain.local domain as a replica domain controller and global catalog server. The Directory Services Restore Mode password will be set to LetMeIn123. You will be asked to enter the domain administrator password when the command is run (by way of the /Password:* parameter).

Allow the process to complete.  Once it does the server will automatically reboot and will be a domain controller.

Wednesday, June 20, 2012

Rename Windows Server 2008 Core

I ran into this today and here's how to do it.  Just don't try this on a domain controller.  This works for a member server only.

To rename the server we use the netdom utility. The command is
Netdom renamecomputer OldComputerName /newname:NewComputerName

Sunday, June 17, 2012

Fix VSS Errors Windows XP and Server 2003

Installing a backup device that uses a backup agent means the VSS writers have to be free of errors.  You can fix this by opening a command prompt (administrator level if needed) and typing in "vssadmin list writers".  This will run for a few seconds then list all of the writers on the system.  They should all show as "stable and ready".  If they are not, below are the steps you can take to fix this problem.

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
3. On the Edit menu, click Delete, and then click Yes to confirm that you want to delete the subkey.
4. Exit Registry Editor.
5. Click Start, click Run, type services.msc, and then click OK.
6. Right-click the following services one at a time. For each service, click Restart:
  • COM+ Event System
  • COM+ System Application
  • Microsoft Software Shadow Copy Provider
  • Volume Shadow Copy
7. Click Start, click Run, type cmd, and then click OK.
8. At the command prompt, type vssadmin list writers, and then press ENTER.
9. If the VSS writers are now listed, close the Command Prompt window. You do not have to complete the remaining steps. If the VSS writers are not listed, type the following commands at the command prompt. Press ENTER after each command.
  • cd /d %windir%\system32
  • net stop vss
  • net stop swprv
  • regsvr32 ole32.dll
  • regsvr32 oleaut32.dll
  • regsvr32 vss_ps.dll
  • vssvc /register
  • regsvr32 /i swprv.dll
  • regsvr32 /i eventcls.dll
  • regsvr32 es.dll
  • regsvr32 stdprov.dll
  • regsvr32 vssui.dll  (does not work in Windows XP)
  • regsvr32 msxml.dll
  • regsvr32 msxml3.dll
  • regsvr32 msxml4.dll
Note: The last command may not run successfully.
10. At the command prompt, type vssadmin list writers, and then press ENTER.
11. Confirm that the VSS writers are now listed.
12. At the command prompt, type vssadmin list shadows and then press ENTER.
13. Confirm that there are no errors listed.  On Windows XP you should see: No shadow copies present in the system.
14. Congratulations, your machine should work again with any VSS-compatible programs.

Wednesday, June 13, 2012

Group Policy Object to Block the Office File Validation Add-In

This "update" from Microsoft caused a lot of issues with files being opened (12 minutes for a 25K Excel 2003 spreadsheet) across a network.  Once the issue was isolated it wouldn't have made sense to go to all of the machines on every network affected and manually remove it.  Well you're in luck because here's a group policy template you can create and apply to your networks to prevent this update from causing you any problems.

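; CLASS USER and the VALUEON/VALUEOFF values are assumed here.
CLASS USER
CATEGORY "Microsoft Office Validation Add-In"
POLICY "Enable in Excel"
KEYNAME "Software\Policies\Microsoft\Office\11.0\Excel\Security\FileValidation"
VALUENAME "EnableOnLoad"
VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
END POLICY
POLICY "Enable in PowerPoint"
KEYNAME "Software\Policies\Microsoft\Office\11.0\PowerPoint\Security\FileValidation"
VALUENAME "EnableOnLoad"
VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
END POLICY
POLICY "Enable in Word"
KEYNAME "Software\Policies\Microsoft\Office\11.0\Word\Security\FileValidation"
VALUENAME "EnableOnLoad"
VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
END POLICY
END CATEGORY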

Tuesday, June 12, 2012

Backup Cisco Configs Using Putty

You can easily capture the configuration file from network devices such as Cisco routers and switches with putty. Follow the steps below.

1. Launch putty and connect to your Cisco router/switch
2. Enter the user exec mode (router> enable)

3. Enter the terminal length 0 command (router# terminal length 0) in order to force the router to return the entire response at once, rather than one screen at a time.  This allows you to capture the configuration without extraneous −−more−− prompts generated when the router responds one screen at a time.
4. Right-click on the menu bar of the Putty screen and select “Change Settings”
5. Go to Session and click on Logging, select “Log all session output”
6. Click on Browse and choose the location and name of the file (I like to place my config file on my desktop – C:\Documents and Settings\Administrator\Desktop\config.txt)
7. Click apply.
8. Now enter the show run command (router# show run), then log out and see the output in config.txt on your desktop (or the location you chose).

This is a pretty simple thing to do and can be a real life saver if you happen to lose the config on a device.  It sure is a lot easier to copy and paste it back in instead of recreating it from scratch.  Cisco equipment is great but I have seen instances where the running config wasn't saved to the memory and after a restart it reset back to an old startup config or back to brand new (worst case).  

You now have the power!
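The log file from step 8 contains the whole session (banner, prompts and commands) and whatever password, secret and SNMP community values the config holds. The following added example (not part of the original post) extracts just the running-config from such a log and returns a copy with those values masked, for when the file has to be shared or attached to a ticket. The function names and the sample log are constructed for illustration.

```powershell
# Added example: pull the running-config out of a PuTTY session log and
# return a copy with credential values masked. Function names are hypothetical.
function Get-ConfigFromPuttyLog {
    param([string[]]$LogLines)
    $config = @()
    $inside = $false
    foreach ($line in $LogLines) {
        if (-not $inside) {
            # The "show run" output proper starts after this banner line.
            if ($line -match '^Current configuration') { $inside = $true }
            continue
        }
        $config += $line
        if ($line -match '^end\s*$') { break }   # last line of the config
    }
    $config
}

function Hide-ConfigSecrets {
    param([string[]]$ConfigLines)
    # Keyword, optional encryption-type digit, then the value to mask.
    # "service password-encryption" is left alone (no space after the keyword).
    $pattern = '\b((?:secret|password|community)(?: \d)? )\S+'
    foreach ($line in $ConfigLines) {
        $line -replace $pattern, '$1<redacted>'
    }
}

# Constructed sample log (not captured from a real device).
$log = @(
    '=~=~=~= PuTTY log 2012.06.12 10:00:00 =~=~=~=',
    'router#show run',
    'Building configuration...',
    '',
    'Current configuration : 812 bytes',
    '!',
    'service password-encryption',
    'hostname router',
    'enable secret 5 $1$CONSTRUCTED$notARealHash',
    'username admin privilege 15 password 7 0000000000',
    'snmp-server community EXAMPLEONLY RO',
    'line vty 0 4',
    ' password 7 0000000000',
    'end',
    '',
    'router#exit'
)
$clean = Hide-ConfigSecrets (Get-ConfigFromPuttyLog $log)
$clean

# Against the real capture:
#   Hide-ConfigSecrets (Get-ConfigFromPuttyLog (Get-Content .\config.txt)) |
#       Set-Content .\config-redacted.txt
```

Keep the unredacted config.txt somewhere access-controlled, since it is the copy you would paste back into the device.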

Monday, June 11, 2012

Configure an External Time Source in Windows Server 2008 R2

Configure an external time source

This computer is configured to hold the primary domain controller (PDC) emulator operations master role (also known as flexible single master operations or FSMO) in the forest root domain. This computer should not use itself as a time source. Configure an external time source as the authoritative time source for the forest, or configure a member domain controller as the time source peer. The configuration must be done manually. Perform the following procedure on the computer that is logging the event to be resolved.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To configure a manual time source peer:
  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type w32tm /config /manualpeerlist:server,0x8 /syncfromflags:manual /update, where server is the name of the time source that you want to configure, and then press ENTER. ((I recommend for an Internet source))
  3. Restart the Windows Time service. At the command prompt, type net stop w32time & net start w32time, and then press ENTER.
  4. Resynchronize the Windows Time service client with the time source peer. At the command prompt, type w32tm /resync, and then press ENTER.
To learn more about the Windows Time service and related tools, see Windows Time Service Tools and Settings.


To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To verify that the Windows Time service is synchronizing correctly:
  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type W32TM /resync, and then press ENTER.
  3. At the command prompt, type W32TM /query /status, and then press ENTER. This command displays the status of the Windows Time service synchronization. The Last Successful Sync Time line of the output displays the date and time that you ran the W32TM /resync command in the previous step. Also, check the computer name that is shown as the Source. This should be the name of a domain controller (or an administrator-configured time server) in the same Active Directory domain as the local computer.
To verify that the Windows Time service synchronized successfully with its time source, confirm that Event IDs 35 and 37 appear in Event Viewer. If there was a recovery from a previous failure to synchronize with the time source, you also see Event ID 138, which indicates that the Windows Time service is synchronized correctly.
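The check in step 3 (a real time source in the Source line and a recent Last Successful Sync Time) can be scripted. The following is an added example, not part of the original procedure; the function name, the 24-hour tolerance and the sample output lines are assumptions made for illustration.

```powershell
# Added example: evaluate the output of "w32tm /query /status".
# Test-W32tmStatus is a hypothetical helper name.
function Test-W32tmStatus {
    param(
        [string[]]$StatusLines,        # lines printed by: w32tm /query /status
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 24         # assumed tolerance; set to your own policy
    )
    # Split each "Name: value" line at the first colon.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    $problems = @()

    # A server that has fallen back to its own clock reports one of these sources.
    $source = $fields['Source']
    if (-not $source) {
        $problems += 'No Source line in the output'
    } elseif ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $problems += "Not synchronizing with a time source: $source"
    }

    # Parsed with the current culture; adjust if the server's locale differs.
    $last = $fields['Last Successful Sync Time']
    $parsed = [datetime]::MinValue
    if (-not $last -or -not ([datetime]::TryParse($last, [ref]$parsed))) {
        $problems += "Last Successful Sync Time missing or unparsable: $last"
    } elseif (($Now - $parsed).TotalHours -gt $MaxAgeHours) {
        $problems += "Last sync older than $MaxAgeHours hours: $last"
    }

    New-Object PSObject -Property @{
        Source   = $source
        LastSync = $last
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample output (not captured from a real server).
$synced = @(
    'Stratum: 3 (secondary reference - syncd by (S)NTP)',
    'Last Successful Sync Time: 6/11/2012 9:14:02 AM',
    'Source: time.example.org,0x8'
)
$unsynced = @(
    'Last Successful Sync Time: unspecified',
    'Source: Local CMOS Clock'
)
$now = [datetime]'2012-06-11T10:00:00'
(Test-W32tmStatus $synced -Now $now).Healthy
(Test-W32tmStatus $unsynced -Now $now).Problems

# On a live server: Test-W32tmStatus (w32tm /query /status)
```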

Renewing the Self-Signed Certificate: Exchange Server 2007

This is another perfectly written article that I have borrowed on this subject.  I got it from Exchangepedia and the author Bharat Suneja deserves all the credit.
Exchange Server 2007 issues itself a self-signed certificate for use with services like SMTP, IMAP, POP, IIS and UM. The certificate is issued for a period of one year.
The self-signed certificate meets an important need – securing communication paths for Exchange services by default. Nevertheless, one should treat these certificates as temporary. Although the self-signed certificates work perfectly well for internal SMTP communication between Hub Transport servers, and between Hub Transport and Edge Transport servers, it’s not recommended to use them for any client communication on an ongoing basis. For most deployments, you will end up procuring a certificate from a trusted 3rd-party CA (or perhaps an internal CA in organizations with PKI deployed).
Should you decide to leave the self-signed certificate(s) on some servers and continue to use them, these will need to be renewed when they expire — just as you would renew certificates from 3rd-party or in-house CAs.
 1. To renew the certificate for server, a server with CAS and HT roles installed:
Get-ExchangeCertificate -domain "" | fl
Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate.
Get a new certificate with a new expiration date:
Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate
To create a new certificate with an exportable private key, use the PrivateKeyExportable parameter. For example:
New-ExchangeCertificate -PrivateKeyExportable $true
If the existing certificate is being used as the default SMTP certificate, you will get the following prompt. The default SMTP certificate is used to encrypt SMTP sessions between transport servers in your organization.
Overwrite existing default SMTP certificate,
‘C5DD5B60949267AD624618D8492C4C5281FDD10F’ (expires 8/22/2008 7:20:34 AM), with certificate ’3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E’ (expires 1/28/2009 7:37:31 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is “Y”):
Type y to continue. A new certificate is generated.
Thumbprint                                 Services   Subject
----------                                 --------   -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E   …..        CN=E12Postcard
The new certificate is generated and enabled. Examine the new certificate:
Get-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" | fl
2. The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP – IIS is missing.
You can enable the certificate for IIS (in addition to any other services it may already be enabled for — it adds to existing values of the certificate’s Services property).
Note: Once you enable a certificate for a particular Exchange Server service, there’s no way to disable it (for that service). You must remove the certificate (if the certificate is CA-issued, export the certificate along with its private key before you do so), import it again and enable it for the services you need to. This is generally not a concern with self-signed certificates— you can generate additional self-signed certificates and optionally remove the old one, since there’s no CA interaction or costs involved.
Setting the Services parameter to None does not do anything in this case.
To enable the certificate for IIS:
Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS
3. Test services are working with the new certificate. If it works as expected, the old certificate can be removed:
Remove-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F"
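Step 2 describes the renewed certificate coming up without IIS. The following added example (not from the original article) compares the Services of the old and new certificates, enables whatever the new one lacks, and removes the old certificate only once nothing is left uncovered. The function names are hypothetical; the second function must be run in the Exchange Management Shell.

```powershell
# Added example: carry services over from the old certificate to the renewed one.
# Get-MissingCertServices and Complete-CertRenewal are hypothetical helper names.
function Get-MissingCertServices {
    param([string]$OldServices, [string]$NewServices)
    # Services prints as a comma-separated list, e.g. "IMAP, POP, IIS, SMTP".
    $new = @($NewServices.Split(',') | ForEach-Object { $_.Trim().ToUpper() })
    $OldServices.Split(',') | ForEach-Object { $_.Trim().ToUpper() } |
        Where-Object { $_ -and $_ -ne 'NONE' -and $new -notcontains $_ }
}

function Complete-CertRenewal {
    param(
        [string]$OldThumbprint,
        [string]$NewThumbprint,
        [switch]$RemoveOld      # without this switch the old certificate is kept
    )
    $old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
    $new = Get-ExchangeCertificate -Thumbprint $NewThumbprint

    # Guard against swapping the two thumbprints by mistake.
    if ($new.NotAfter -le $old.NotAfter) {
        throw 'The new certificate does not expire later than the old one.'
    }

    # Enable each service the old certificate had and the new one lacks.
    $missing = @(Get-MissingCertServices $old.Services.ToString() $new.Services.ToString())
    foreach ($svc in $missing) {
        Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services $svc
    }

    # Re-read the new certificate and stop if anything is still uncovered.
    $new = Get-ExchangeCertificate -Thumbprint $NewThumbprint
    $still = @(Get-MissingCertServices $old.Services.ToString() $new.Services.ToString())
    if ($still.Count -gt 0) {
        throw "Still missing on the new certificate: $([string]::Join(', ', $still))"
    }

    if ($RemoveOld) {
        Remove-ExchangeCertificate -Thumbprint $OldThumbprint
    }
}

# Offline check with the service lists from step 2 (constructed input):
Get-MissingCertServices 'IMAP, POP, IIS, SMTP' 'IMAP, POP, SMTP'

# In the Exchange Management Shell, with the thumbprints used above:
#   Complete-CertRenewal -OldThumbprint 'C5DD5B60949267AD624618D8492C4C5281FDD10F' `
#       -NewThumbprint '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E'
```

Run it without -RemoveOld first, test the services as step 3 says, then run it again with -RemoveOld.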