Thursday, December 13, 2012

PDF Free Utility to add Passwords and Merge documents

http://translate.google.de/translate?hl=de&sl=de&tl=en&u=http%3A%2F%2Ffreepdfxp.de%2FxpDownload.html

It is a German website; Stefan Heinz is the developer.

Use link above for English site translation (original http://freepdfxp.de/xpDownload.html)

It not only merges PDFs but will also add passwords to them.

Wednesday, December 12, 2012

SHA-1 checksums for files


To obtain the hash, you’ll need a utility that calculates SHA-1 checksums for files – fortunately Microsoft has a free download called the File Checksum Verifier Utility. Run fciv.exe from the command line on your reference PC to obtain the desired checksum:

Tuesday, December 11, 2012

SCCM Task Sequence rebuild not adding computer back into AD

Overview: I am trying to image a computer and it is not joining the 'Contoso' domain.
I restructured a sub OU; what changes need to be made to add the computers to the renamed OU?

Resolution: Reset the FQN for each renamed OU in the MDT database.  The task sequence references the MDT database during the step.

SCCM "Closing the allow unknown computer support to take control"


Applies To: System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3

Unknown computer support is an operating system deployment feature in Configuration Manager 2007 R2 that allows unmanaged systems to be discovered and receive operating system deployment.
http://technet.microsoft.com/en-us/library/cc161877.aspx

~But why is it showing up in my SCCM task sequence? ...


This is not an error, it was an informational message just saying that the Task Sequence Availability Checker did not need to add the machine to a collection for task sequences to be available at the next step. This is because we have advertised the task sequences to the unknown computer collections. Any machines that boot up and request task sequences that do not have a record in SCCM will be able to start running one of those advertised task sequences.

We are using non-integrated WDS which means we can’t use the unknown computer support on PXE service points. However, the issue here isn’t to do with unknown computer support anyway, it’s to do with known computers and task sequences not being available to them. That’s why we created the task sequence checker tool to add machines to the right collection at boot time.

Advertising task sequences without mandatory schedules to all machines is out of the question, it would take just one person to think “that task sequence didn’t run on that computer properly, I know I’ll right click and rerun on the advertisement” to rebuild every machine in the company! Obvious no no.

Friday, December 7, 2012

SCCM DCM Creation and KPI

Microsoft Security Compliance Manager

It is possible to import backed-up GPOs and then export them as a DCM baseline for compliance.  For computers that are not on the domain and so unable to receive a GPO, use the local policy tool that is included with the SCM tool to import the Group Policy backup instead.

Verify that BitLocker is enabled on the C drive

Option Explicit
On Error Resume Next
Dim objWMI, obj, colTPM

' Connect to the BitLocker WMI namespace; quit quietly if it is not available
Set objWMI = GetObject("winmgmts:\\.\ROOT\CIMv2\Security\MicrosoftVolumeEncryption")
If Err <> 0 Then
    WScript.Quit
End If

' ProtectionStatus = 1 means protection is on for the volume
Set colTPM = objWMI.ExecQuery("Select * from Win32_EncryptableVolume")
For Each obj In colTPM
    If (UCase(obj.DriveLetter) = "C:" And obj.ProtectionStatus = 1) Then
        WScript.Echo "BitLocker Enabled on C Drive"
        WScript.Quit
    End If
Next

SCCM DCM What is it?

What is Desired Configuration Management (DCM)?

DCM is a feature in SCCM that will provide a framework for assisting organizations in both defining and enforcing corporate policies and standards for system configurations, whether related to the operating system or an application installed on the system.

Features include authoring and scheduling, and model-based design leveraging Service Modeling Language (SML) (a component of Microsoft's Dynamic Systems Initiative), which makes the features we're about to discuss possible.

Some of the key scenarios that drove the features Microsoft delivered in the final release of DCM include:

Regulatory Compliance - demonstrating regulatory compliance in system configurations. Not only deploying a compliant standard system configuration, but being able to periodically prove adherence to these policies.

Pre and post change configuration - Verify that no unplanned changes took place during the implementation of a planned change.

Monitoring for "drift" - Verify that new systems are built in accordance to the planned role in your infrastructure, and monitoring for human error and misconfiguration in day-to-day administration. Ensuring corporate policies are implemented in base machine builds and maintained over time.

Streamline Support - Incorporating DCM reporting into the troubleshooting process to drive down time to resolution and overall support costs.

The bottom line - DCM monitors your systems' actual configuration against a "desired configuration" model and identifies policies that have drifted outside this policy.

DCM Components

3 key concepts: Configuration Items, Configuration Baselines, and Configuration Packs.

The smallest unit of measure in the DCM model is the Configuration Item (CI). Configuration Items represent a desired object or setting or value on a client or within an application. Configuration items can include registry values, objects on the file system (files, folders) and attributes (firewall settings, NTFS permissions), as well as data retrieved via scripts. The Configuration Items fall into one of the following categories:

Application CI - Settings within an application like MS Word, Exchange, or SQL Server.

OS CI - Representing a specific operating system object or setting.

General CI - General settings related to corporate policies like corporate security policy, Sarbanes-Oxley, etc.

These configuration items are reusable, and can be grouped into multiple, logical collections of settings known as Configuration Baselines, which represent your base unit of management in DCM. Within the configuration baseline, you can define mandatory, optional and prohibited configuration items.

Configuration Baselines will generally be constructed to map to machine roles (a type or class of system), such as Domain Controller, Exchange 2003 Server, SQL Database Server. Creating all the configuration items for a configuration baseline for something like Exchange is time consuming, and this is where Configuration Packs come in. Configuration Packs are pre-defined configuration baselines (templates so to speak) created by Microsoft and 3rd parties representing best practice configuration for common OS and server applications. Configuration packs are designed to be used as a starting point for your own corporate baseline, and then modified to meet your organization's requirements.

Configuration packs templates are best served using the Solution Accelerator Microsoft Security Compliance Manager

Appendix: systemcentercentral.com

Adobe Reader Error Opening a PDF


"Before proceeding you must first launch Adobe Acrobat and accept the End User License Agreement"

To analyze, filter to only AcroRd32.exe process using Process monitor. Then exclude all “SUCCESS” results.

Note the key:

HKLM\SOFTWARE\Adobe\Adobe Acrobat\10.0\AdobeViewer\EULAAcceptedForBrowser NAME NOT FOUND

Confirm the key is not present in Regedit; create a DWORD called “EULAAcceptedForBrowser” & set the Value Data to 1

NOTE: relating to a bug; if "CR" is in the folder or file name : http://forums.adobe.com/message/3791868

Thursday, December 6, 2012

1E NOMAD overview

What is Enterprise View?

http://www.1e.com/helparchive/NightWatchman%20and%20WakeUp/v6.0/User_Guide/User-Guides/Enterprise%20View%20Users%20Guide.pdf

Enterprise View is aimed at personnel who want a quick overview of their network and how the 1E products are working to bring them environmental and cost savings. Enterprise View is a management dashboard, providing at-a-glance overviews of the energy consumption and computer-related information that 1E is gathering on your network.

How does Enterprise View operate?

Enterprise View provides a web-based portal onto the 1E databases. The portal lets you choose from a number of pre-defined tiles to display significant PC and Server information in a handy, summarized format.

NOMAD 1E not responding to a package status request

Overview: During an SCCM task sequence a specific application is to be installed.  The task sequence is designed to use a NOMAD cache to poll the source.  The sequence fails because no cache is available.

How to troubleshoot?

On the NOMAD caching server, open regedit and check the package status details.

Select the sub folder that corresponds to the cached item and review the details on the right.  You should check that the following items are present and correct:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\1E\NomadBranch\PkgStatus\LDC002FE]
"Percent"="100.000"
"Version"="2"
"CachePriority"="1"
"CacheToFolder"="D:\\NomadBranchCache"
"ReturnStatus"="Completed Successfully"
"AlreadyCached"="0"

Also check the logs for specific behaviour. C:\ProgramData\1E\NomadBranch\LogFiles

The log should state: CacheStatus: (ELD)  pkgID="LDC002FE"(0) local=100.000% verifiedUTC=09/04/2012
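The registry check above can be run over a saved .reg export instead of by eye. This is an added example, not part of the original post or of 1E's tooling: it parses PkgStatus keys in the format shown above and reports packages that are missing a listed value, are below 100 percent, or have a ReturnStatus other than "Completed Successfully". Treating those as the "correct" values is an assumption drawn from the listing, the function names are made up, and the second package (XXX00001) is constructed.

```python
import re

# First key copies the values shown in this post; the second key (XXX00001)
# is constructed to show an incomplete entry.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\1E\NomadBranch\PkgStatus\LDC002FE]
"Percent"="100.000"
"Version"="2"
"CachePriority"="1"
"CacheToFolder"="D:\\NomadBranchCache"
"ReturnStatus"="Completed Successfully"
"AlreadyCached"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\1E\NomadBranch\PkgStatus\XXX00001]
"Percent"="42.500"
"Version"="1"
"CacheToFolder"="D:\\NomadBranchCache"
'''

KEY = re.compile(r"^\[.*\\PkgStatus\\([^\\\]]+)\]$")
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

# Values the post says to check for (assumed to be the full required set).
REQUIRED = ("Percent", "Version", "CachePriority", "CacheToFolder",
            "ReturnStatus", "AlreadyCached")


def parse_pkgstatus(text):
    """Return {package_id: {value_name: value}} for every PkgStatus key."""
    packages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY.match(line)
        if key:
            current = packages.setdefault(key.group(1), {})
            continue
        if line.startswith("["):
            current = None          # a key outside PkgStatus: skip its values
            continue
        val = VALUE.match(line)
        if val and current is not None:
            # .reg files escape backslashes in string data
            current[val.group(1)] = val.group(2).replace("\\\\", "\\")
    return packages


def check_package(values):
    """List the problems found for one package's values."""
    problems = [f"missing value {name}" for name in REQUIRED if name not in values]
    if "Percent" in values:
        try:
            pct = float(values["Percent"])
        except ValueError:
            problems.append("Percent is not a number")
        else:
            if pct < 100.0:
                problems.append(f"Percent is {pct:g}, expected 100")
    status = values.get("ReturnStatus")
    if status is not None and status != "Completed Successfully":
        problems.append(f"ReturnStatus is {status!r}")
    return problems


def audit(text):
    """Map each package ID to its list of problems (empty list = looks good)."""
    return {pkg: check_package(vals) for pkg, vals in parse_pkgstatus(text).items()}


if __name__ == "__main__":
    for pkg, problems in audit(SAMPLE_EXPORT).items():
        print(pkg, "OK" if not problems else "; ".join(problems))
```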

PXE-E32: TFTP Open Timeout

SYMPTOM

When the PXE client comes up with the PXE copyright message and
completes the DHCP phase, but then displays:

TFTP....

After a while, the following error message is displayed:

PXE-E32: TFTP open timeout

Depending on the PXE client's system setup boot device list
configuration, the PC then either stops or tries to boot from the next boot
device in the system setup boot device list.

CAUSE 1

The "PXE-E32" error indicates that the PXE did not get a reply from the TFTP server when sending a request to download its boot file. Possible causes for this problem
are:

1. There is no TFTP server
2. The TFTP server is not running
3. TFTP and DHCP/BOOTP services are running on different machines, but the next-server (066) option was not specified

RESOLUTION 1

Make sure that a TFTP server is set up and running. When the TFTP service is running
on a different machine than the DHCP or BOOTP service, you need to add option
066 (next-server) to the DHCP/BOOTP server configuration, and set this option's
value to the IP address or "resolvable hostname" of the TFTP server. When option
066 (next-server) is not defined, the PXE client assumes that the TFTP service
is running on the same machine from which it received its DHCP/BOOTP
configuration information.

CAUSE 2

This problem occurs after you apply security update MS08-037.  For more information, see Microsoft Knowledge Base article 953230, "MS08-037: Vulnerabilities in DNS could allow spoofing".


RESOLUTION 2

Windows Server 2008 R2


Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see Microsoft Knowledge Base article 322756 (http://support.microsoft.com/kb/322756/), "How to back up and restore the registry in Windows".


To work around this problem if you do not require Windows Deployment Services to use a static port range, you can configure Windows Deployment Services to dynamically query WinSock for available ports instead of using a port range.
To do this, follow these steps:

  1. Start Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

    If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.

  2. Locate and then click to select the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDSServer\Parameters


  3. Right-click UdpPortPolicy, and then click Modify.

  4. In the Value data box, type 0, and then click OK.

  5. On the File menu, click Exit to exit Registry Editor.

  6. Restart Windows Deployment Services.



WDS logging can be enabled by editing the value of this registry key and setting it to 1:

HKLM\SOFTWARE\Microsoft\Tracing\WDSSERVER\EnableFileTracing

This then logs to %WINDIR%\tracing\WDSServer.log

One thing which can go wrong with TFTP is that WDS tries to use a temporary range of UDP ports; if any of these are already in use, instead of nicely failing the connection and trying again on another port it simply borks and fails silently (unless you enable the log...)

The logging in question is:

[8436] 12:01:36:
[698808][WDSPXE] [WDSPXE][UDP][Ep:10.10.0.11:4011] Sent To:10.10.0.114:68
Len:1024
[8436] 12:01:36:
[d:\longhorn\base\ntsetup\opktools\wds\wdssrv\server\src\udphandler.cpp:369]
Expression: , Win32 Error=2
[8436] 12:01:36: [WDSTFTP][UDP][Ep=0]
Registration Failed (rc=2)
[8436] 12:01:36:
[d:\longhorn\base\ntsetup\opktools\wds\wdssrv\server\src\ifhandler.cpp:238]
Expression: , Win32 Error=2

Oddly it seems that under "normal" operation you get a lot of these:

[9488] 12:42:17:
[d:\longhorn\base\ntsetup\opktools\wds\wdssrv\server\src\udpendpoint.cpp:811]
Expression: , Win32 Error=5023
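Detection logic for the failure signature above, as an added example (not from the original post or from Microsoft): it reassembles the wrapped WDSServer.log records, flags [WDSTFTP] "Registration Failed" entries together with the Win32 errors the same thread logged in the same second, and skips Win32 Error=5023, which this post reports seeing during normal operation. The function names are made up for this sketch and the embedded sample is copied from the excerpts above.

```python
import re

# Sample copied from the WDSServer.log excerpts in this post; each record is
# wrapped over several physical lines, as it appears there.
SAMPLE_LOG = r"""[8436] 12:01:36:
[698808][WDSPXE] [WDSPXE][UDP][Ep:10.10.0.11:4011] Sent To:10.10.0.114:68
Len:1024
[8436] 12:01:36:
[d:\longhorn\base\ntsetup\opktools\wds\wdssrv\server\src\udphandler.cpp:369]
Expression: , Win32 Error=2
[8436] 12:01:36: [WDSTFTP][UDP][Ep=0]
Registration Failed (rc=2)
[8436] 12:01:36:
[d:\longhorn\base\ntsetup\opktools\wds\wdssrv\server\src\ifhandler.cpp:238]
Expression: , Win32 Error=2
[9488] 12:42:17:
[d:\longhorn\base\ntsetup\opktools\wds\wdssrv\server\src\udpendpoint.cpp:811]
Expression: , Win32 Error=5023
"""

# A record starts with "[thread-id] hh:mm:ss:"; any other line continues it.
HEADER = re.compile(r"^\[(\d+)\] (\d{2}:\d{2}:\d{2}):\s*(.*)$")
SOURCE = re.compile(r"\\([^\\\]]+\.cpp):(\d+)\]")
WIN32 = re.compile(r"Win32 Error=(\d+)")
REG_FAIL = re.compile(
    r"\[WDSTFTP\]\[UDP\]\[Ep=(\d+)\]\s*Registration Failed \(rc=(\d+)\)")

# Assumption taken from the post: 5023 appears during normal operation.
BENIGN_WIN32 = {5023}


def split_records(text):
    """Join wrapped lines back into one record per '[tid] time:' header."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"tid": m.group(1), "time": m.group(2),
                            "body": m.group(3).strip()})
        elif records and line.strip():
            rec = records[-1]
            rec["body"] = (rec["body"] + " " + line.strip()).strip()
    return records


def triage(text):
    """Return TFTP registration failures with their related Win32 errors."""
    records = split_records(text)
    failures, ignored = [], 0
    for rec in records:
        w = WIN32.search(rec["body"])
        if w and int(w.group(1)) in BENIGN_WIN32:
            ignored += 1
        m = REG_FAIL.search(rec["body"])
        if not m:
            continue
        related = []
        for other in records:
            same = (other["tid"], other["time"]) == (rec["tid"], rec["time"])
            if other is rec or not same:
                continue
            w = WIN32.search(other["body"])
            if not w or int(w.group(1)) in BENIGN_WIN32:
                continue
            s = SOURCE.search(other["body"])
            related.append((s.group(1) if s else "?",
                            int(s.group(2)) if s else 0,
                            int(w.group(1))))
        failures.append({"time": rec["time"], "tid": rec["tid"],
                         "endpoint": int(m.group(1)), "rc": int(m.group(2)),
                         "related": related})
    return {"tftp_registration_failures": failures, "benign_ignored": ignored}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["tftp_registration_failures"]:
        print(f["time"], "TFTP endpoint registration failed, rc =", f["rc"])
        for src, line, code in f["related"]:
            print("   ", src, "line", line, "Win32 Error", code)
    print("benign entries skipped:", result["benign_ignored"])
```

To use it on a real server, pass the contents of %WINDIR%\tracing\WDSServer.log to triage() after enabling file tracing as described above.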

Monday, November 12, 2012

HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003

Assign the Imported Certificate to the Web Site



  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the left pane, click your server.

  3. In the right pane, double-click Web Sites.

  4. In the right pane, right-click the Web site you want to assign the certificate to, and then click Properties.

  5. Click Directory Security, and then click Server Certificate.

  6. On the Welcome to the Web Certificate Wizard page, click Next.

  7. On the Server Certificate page, click Assign an existing certificate, and then click Next.

  8. On the Available Certificates page, click the installed certificate you want to assign to this Web site, and then click Next.

  9. On the SSL Port page, configure the SSL port number. The default port of 443 is appropriate for most situations.

  10. Click Next.

  11. On the Certificate Summary page, review the information about the certificate, and then click Next.

  12. On the Completing the Web Server Certificate Wizard page, click Finish, and then click OK.


http://support.microsoft.com/kb/816794

Thursday, November 8, 2012

VMWARE: Where can I find the Dell VMware 5.1 ISO for R620 / R720

As you may be aware finding the VMware 5.1 ISO for Dell is a bit challenging.  The Dell Driver and Support page is not working properly and it is a bit frustrating.

Please see the direct link to the Dell FTP server below.

Dell VMware 5.1 ISO for R620 / R720

 

Thanks to a Twitter response, Dell provided the following link.

http://www.dell.com/support/drivers/us/en/04/DriverDetails/Product/poweredge-r620?driverId=XWYR5&osCode=XI51&fileId=3005015335

Friday, November 2, 2012

MDT 2012 stuck on Processing Bootstrap Settings

This can happen if you are not logged in with "the" local administrator account.

I normally create a scratch "Build" account then shortly delete it after I enable the local admin account and finish the build under the local admin account before sysprep and capture

VMWare error: Unable to perform the operation. There is no available vRam capacity.

Cannot Add or Connect an ESXi Host to vCenter Server
You cannot add an ESXi host to vCenter Server.

Problem
You attempt to add or connect an ESXi host to vCenter Server but the operation is unsuccessful and you receive
the following error message.

"Unable to perform the operation. There is no available vRAM capacity."

Cause 

The vCenter Server system to which you tried to add the host to is licensed with a license key of vCenter Server Essentials that is part of the Essentials Kits. vCenter Server 5.0 Essentials licenses are hard-enforced, you cannot exceed the amount of pooled vRAM for vSphere 5.0 Essentials license keys that are assigned to the ESXi 5.0 hosts while the hosts are managed by vCenter Server. The memory that is configured to the powered-on virtual machines on the host that you try to add or reconnect exceeds the amount of pooled vRAM for vSphere Essentials. For details about vRAM and vRAM pooling, see “Licensing for ESXi 5.0 Hosts,” on page 68.

Solution
Reduce the amount of memory that is configured for the powered-on virtual machines and retry to add or
connect the ESXi host to vCenter Server.

Thursday, November 1, 2012

"Bootmgr is missing" from deployed .wim file

BOOTMGR errors occur if your PC is trying to boot from a drive that is not properly configured.  In other words, it’s trying to boot from a non-bootable source.

Cause:

This error occurs when either of the following conditions is true:

  • The Windows Boot Manager (Bootmgr) entry is not present in the Boot Configuration Data (BCD) store.

  • The Boot\BCD file on the active partition is damaged or missing.


It is most likely the captured wim image had a corrupt/missing Bootmgr record.

Open WinPE and run the command below.

bcdboot c:\windows /s c:

Now you should recapture the WIM and test a new Task Sequence deployment.

Bootrec.exe /RebuildBcd

 

http://support.microsoft.com/kb/927391

Here is the content of that article:

Resolution:


Method 1: Repair the BCD store by using the Startup Repair option


You can use the Startup Repair option in the Windows Recovery Environment to repair the BCD store. To do this, follow these steps:

  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.

  2. Press a key when you are prompted.

  3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.

  4. Click Repair your computer.

  5. Click the operating system that you want to repair, and then click Next.

  6. In the System Recovery Options dialog box, click Startup Repair.

  7. Restart the computer.


Method 2: Rebuild the BCD store by using the Bootrec.exe tool


If the previous method does not resolve the problem, you can rebuild the BCD store by using the Bootrec.exe tool in the Windows Recovery Environment. To do this, follow these steps:

  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.

  2. Press a key when you are prompted.

  3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.

  4. Click Repair your computer.

  5. Click the operating system that you want to repair, and then click Next.

  6. In the System Recovery Options dialog box, click Command Prompt.

  7. Type Bootrec /RebuildBcd, and then press ENTER.

    • If the Bootrec.exe tool runs successfully, it presents you with an installation path of a Windows directory. To add the entry to the BCD store, type Yes. A confirmation message appears that indicates the entry was added successfully.

    • If the Bootrec.exe tool cannot locate any missing Windows installations, you must remove the BCD store, and then you must re-create it. To do this, type the following commands in the order in which they are presented. Press ENTER after each command.
      Bcdedit /export C:\BCD_Backup

      ren c:\boot\bcd bcd.old

      Bootrec /rebuildbcd



  8. Restart the computer.


Method 3: Rebuild the BCD store manually by using the Bcdedit.exe tool


If the previous method does not resolve the problem, you can rebuild the BCD store manually by using the Bcdedit.exe tool in the Windows Recovery Environment. To do this, follow these steps:

  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.

  2. Press a key when you are prompted.

  3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.

  4. Click Repair your computer.

  5. Click the operating system that you want to repair, and then click Next.

  6. In the System Recovery Options dialog box, click Command Prompt.

  7. Type the following command, and then press ENTER:
    cd /d Partition:\Windows\System32

    Note Partition represents the letter of the partition on which Windows Vista is installed. Typically, this is partition C.

  8. Type the following command, and then press ENTER:
    bcdedit /enum all

    In the Windows Boot Loader section of the output from this command, note the GUID that is listed for resumeobject. You will use this GUID later.

  9. Type the following command, and then press ENTER:
    bcdedit -create {bootmgr} -d "Description"

    Note Description represents the description for the new entry.

  10. Type the following command, and then press ENTER:
    bcdedit -set {bootmgr} device partition=Partition:

    Note Partition represents the letter of the partition. Typically, the letter is C.

  11. Type the following command, and then press ENTER:
    bcdedit /displayorder {GUID}

    Note GUID represents the GUID that you obtained in step 8.

  12. Type the following command, and then press ENTER:
    bcdedit /default {GUID}

    Note GUID represents the GUID that you obtained in step 8.

  13. Type the following command, and then press ENTER:
    bcdedit /timeout Value

    Note Value represents the time in seconds before the Windows Boot Manager selects the default entry that you created in step 12.

  14. Restart the computer.


If you are booting from a Server 2008 install disk, when you use the “Repair your computer” option, the available options look like this:

You can access the repair option on a Server 2008 disk by choosing “command prompt”, then running  “x:\sources\recovery\StartRep.exe”.

I did this and it worked like a champ!  It found an error, corrected it, and the server was back up and running 10 minutes later.

I have also done this on Server 2008 using a Windows Vista install disk.  Slightly risky, but the server was down anyway, and I was in a pinch.  That also worked.  Along the same lines, I would guess that a Windows 7 install disk would work for Server 2008 R2 if you had no other option.  But don’t hold me to that!

Thursday, October 25, 2012

SCCM How to deploy a client

Overview

Within Config manager the client is within the "All Systems" collection however, under the column 'Client' the answer is NO.

Stage 1

The first thing to do is click on "Client installation methods", located under Site Settings.  Then right click on "Client Push Installation" and select Properties.  On the General tab, if you tick "Enable Client Push Installation to assigned resources", any system discovered through AD (or other) will have a client automatically installed.  Consider this tick box depending on your environment.

On the Accounts tab you must input account credentials that will have administrative access to the admin$ share of the client system.  The account that can access desktops may be different to domain controllers so you can put multiple accounts in here and it will try them in order.

On the Client tab you can specify the Site code.  It is also possible to define the SMS cache size rather than the 5 GB default. See Microsoft for additional properties http://technet.microsoft.com/en-us/library/bb680980.aspx

Client agents under Site Settings will list the agents that will be pushed out with the SCCM client.
The computer client agent is critical.  On the properties tab it is important that you have set a Network access account.  This agent will connect back to the SCCM server looking for installation folders, so it must have suitable access delegated.

Stage 2

Now SCCM is configured correctly and agents have the appropriate account set up for connection.  Right click the system without the client, then "Install Client".  This will bring up a wizard; I like to select include only clients in this site's boundaries and Always install (repair ...). Finish the wizard.

Stage 3

Check the log files for errors! c:\Program Files\Microsoft Configuration Manager\Logs

Using Trace32, open the CCM log on the SCCM server, which will show the client deployment process so we can see if it is succeeding.

On the client system you can open the CCMSetup log file to monitor the client installation; this can take a while to complete (located admin$\system32\ccmsetup\ccmsetup.log).

On the client there are three key logs that show whether your client install was successful (located admin$\system32\ccm\logs):

"Clientlocation.log" Confirm the current management point is correct.
"Location services.log" Confirm the current AD site of machine is "" correct
"Execmgr.log"  This log reads policy from the management point, so an advertisement creates a policy which the client reads.  "Software distribution agent was enabled" will not be in red.

Stage 4

Within the control panel there will now be three additional icons.  The Configuration Manager, Run Advertised Programs, Remote control Properties, and Program Download monitor.

There are two services installed on the client system.
SMS Agent Host
SMS Task Sequence Agent

How to send internet traffic out the ISP (not through the BES server)

http://www.blackberryforums.com.au/forums/general-bes-discussion/3946-how-send-internet-traffic-out-isp-not-through-bes-server.html

When you are on BES you have three browsers by default: Internet Browser (uses BlackBerry APN), BlackBerry Browser (uses BES MDS service) and the Carrier’s WAP Browser (Vodafone Live). If you use Vodafone Live you may be charged extra for the data usage, so this isn't really recommended. What you should do on the BES is go to "I.T Policy > Default Policy > Browser Policy Group" and change the following:

1. MDS Browser Title = MDS Internet
2. Allow IBS Browser = True
3. MDS Browser Use Separate Icon = True

After changing these policies your Internet Browser that uses the BES internet connection will be called "MDS Internet" and you should also see a separate "Browser" icon. This separate Browser icon will bypass your BES internet and use the free Blackberry APN to get internet data.

Monday, October 22, 2012

SCCM PXE Task Sequence

Step 1

1 Check DHCP scope has option 66 with the SCCM server name set as the value.
2 WDS service is installed and running.
3 Under site Systems select the SCCM server and make sure "ConfigMgr PXE service point" role is installed
3.1 For a lab environment. Enable "Allow this PXE... to respond to incoming PXE requests" and "Respond to PXE request on all network interfaces".
4 Create a Collection called "Bare Metal OSD deployment"

Step 2

5 Click on "Computer Association"  > "Import computer Information" > Import single computer
5.1 Enter Computer name and MAC address to define system > Add to "Bare Metal OSD deployment" collection
6 Under the node OSD in SCCM click on "Task Sequence" > Select the TS you want to deploy to the collection > Right click and "Advertise", specify the "bare metal OSD deployments".
6.1 Set as mandatory assignment. Tick "Ignore maintenance windows when running program" and "Allow system restart outside maintenance Window".
6.2 Select "access content directly from a DP ...."

Summary

Set up WDS, DHCP scope, PXE point service, Advertised Task Sequence, imported system via MAC address and added to collection. SCCM is ready; the next step is to restart the computer defined for a network boot, typically F12.

The computer will advertise that it is looking for a PXE service, the DHCP server will point it to the SCCM server that will then pick up the computer and push a Win PE image following the TS options.

Deployment

7 While SCCM WinPE is deploying the WIM file it is possible to press F8 to bring up a DOS window and examine the SMSTSLog directory.

\\Map network drive: enter credentials
x:\> net use z: \\sccm\c$\tempsmslog

\\Copy all log files to z:\ (change to the SMSTSLog directory first)
x:\> copy *.log z:\

Now on your SCCM server\c$\tempsmslog folder you will find a smsts.log file.  Open with trace32 to troubleshoot.

7.1 Alternatively within SCCM select the Reporting Node and run the "Deployment status of all task sequence advertisements".  This report details the last action, exit code and Action output.

Blackberry How to factory reset your device.

Here's how to FACTORY RESET the device.

Install Blackberry Desktop Manager on a PC.  Connect the Blackberry to the PC with a USB cable.

From a DOS prompt (command) window on the user's PC (from Start - Run, type cmd <OK>), change directory path to:

C:\Program Files\Common Files\Research In Motion\Apploader     by typing cd\ (enter)  followed by cd Program Files (enter) then cd Common Files (enter)  etc etc

Run the command:   Loader.exe /resettofactory

That will bring the Blackberry back to the state it should be in when you get a brand new one out of the box.

BES Troubleshooting Enterprise Activation

Troubleshooting the enterprise activation process can be broken down into 4 stages – when troubleshooting activation issues, let the process run until it completes or an error message appears.



For more help with Enterprise Activation issues – KB13852

 

1.1.1        Stage 1 – Authentication

1.       The BESAdmin creates a new user and assigns an activation password using the Blackberry Manager (4.1.x) or the Blackberry Administration Service (5.0.X). The user list stored in the Blackberry Configuration Database is updated with the new user name, email address, mailbox information, activation password, activation status and other user account information.

Points of Failure – BAS, Configuration Database

 

2.       The Blackberry Dispatcher assigns the new user to a Blackberry Messaging Agent. The Blackberry Messaging Agent starts to monitor the user’s mailbox on the messaging server for new email messages. An email message containing the ETP.dat file attachment is required to continue the activation process over the Vodafone Network.

Points of Failure – Dispatcher, Messaging Agent

 

3.       The user goes to the Enterprise Activation screen on the blackberry and enters the email address and activation password. The user selects the menu key and clicks Activate. The blackberry displays Activating username@company_name.com

Points of Failure – Device

 

4.       The Blackberry creates an activation request email message that contains the email address, PIN and public key authentication information, based on the activation password typed in by the user. The activation request email message is encrypted and is sent to the RIM Relay over the Vodafone Network.

Points of Failure – Device, Network

 

5.       The RIM Relay receives the activation email message and identifies it as an activation request. The RIM Relay forwards the email message using SMTP to the email address that was used for the Enterprise Activation screen.

Points of Failure – Antivirus software, spam filters, provisioning, users mailbox, messaging server, network

 

Issue / Reason / Solution

Issue: Failure to add user to the BES
  Reason: Incorrect permissions for the BESAdmin account
  Solution: Ensure the permissions are correct for the BESAdmin account – KB02276
  Reason: Incorrect MAPI subsystem installed on the BES
  Solution: Ensure the MAPI subsystem is equal or higher than the Exchange versions – KB10197. Recreate the MAPI profile – KB10285
  Reason: User Data cannot be written to the BB Configuration Database
  Solution: Back up the BB Configuration Database - KB10292 and increase the size - KB10969

Issue: "An Error has occurred. Please contact your system administrator" appears on the BB device
  Reason: Incorrect password entered on the EA screen
  Solution: The activation ETP.dat email message has reached the user’s mailbox and the BES has rejected the activation password and sent the error message to the BB device. The BES will allow 4 more attempts with the current password before a new EA password has to be created.

Issue: No EA application exists on the BB device
  Reason: The BB device may not be provisioned correctly
  Solution: Confirm that the provisioning of the BB device is correct via XML i.e. Enterprise or Dual provisioned. If necessary, refer to customer services to have the correct tariff applied to the account.
  Reason: The BB device may not be registered correctly on the VF network
  Solution: Confirm that the BB device shows, in capital letters, either GPRS, EDGE or 3G, and is able to Register Now via the Hosting Routing Table – KB00014
  Reason: The BB device may not be running Ver. 4 or later of the device software
  Solution: Confirm that the BB device is running ver. 4 or higher of the software. To install BB device software – KB03901

Issue: The BB device stops responding at the Activating... status screen for 10 minutes. It then retries every 10 minutes, displaying a status of Retrying... after 40 minutes the process ends with the message The server is not responding. Please contact your System Administrator. During this stage, the activation email messages do not arrive in the user’s mailbox.
  Reason: The BB device may not be provisioned correctly
  Solution: Confirm that the provisioning of the BB device is correct via XML i.e. Enterprise or Dual provisioned. If necessary, refer to customer services to have the correct tariff applied to the account.
  Reason: The BB device is not in a wireless network coverage area.
  Solution: Confirm that the BB device has the correct signal type. Can the BB device send a PIN message to check coverage?
  Reason: The user has entered an incorrect email address in the EA screen
  Solution: The user must retry the EA process with the correct email address.
  Reason: An activation password was not created
  Solution: Create an activation password
  Reason: The activation email message was moved to a folder other than the inbox.
  Solution: Confirm that there are no filtering or forwarding rules on the Messaging Server or the user’s mailbox to a folder other than the inbox.
  Reason: The user’s mailbox is full.
  Solution: Confirm that the user’s mailbox can receive email messages.

The BB device stops responding at the Activating... status screen for 10 minutes. It then retries every 10 minutes, displaying a status of Retrying... after 40 minutes the process ends with the message The server is not responding. Please contact your System Administrator.

During this stage, the activation email messages do not arrive in the user’s mailbox.
The user’s email messages are being routed to a .pst folder or .ost folder.Confirm that the user’s email mailbox is configures to leave a copy of the messages on the Messaging Server.

Personal and Offline folders are inaccessible to the BES.
The ETP.dat message is not reaching the user’s inbox because it is being deleted or modified by a virus scanning application.Confirm that the company’s antivirus software is not rejecting activation email message and that the EPT.dat attachment is not being deleted, flagged or modified.
The ETP.dat attachment is not reaching the user’s inbox because it is being identified as spam.Confirm that the company’s firewall is not filtering email messages from the blackberry,net domain.

Confirm that the company’s anti spam software is not flagging the activation email message and modifying its title, contents or the ETP.dat attachment.

Confirm that the users email application is not moving the activation email message to the default junk email message folder.

 

 

1.1.2        Stage 2 - Encryption Verification

1.       On arrival in the user’s mailbox, the Blackberry Messaging Agent identifies the new activation request email message and removes it from the user’s mailbox. The Blackberry Messaging Agent recognises the ETP.dat attachment in the activation request email message and begins the authentication process.

Points of Failure – Messaging Agent, Messaging Server, Users Mailbox

 

2.        The Blackberry Messaging Agent compares the authentication key received in the activation request email message with the authentication key generated from the activation password and stored in the Blackberry Configuration Database. If the authentication keys match, the blackberry Messaging Agent notifies the Blackberry device that the activation request has been received. The Blackberry Messaging Agent and the Blackberry device then generate their encryption keys that will be used to encrypt and decrypt all data

Points of Failure – Blackberry device, Messaging Agent

| Issue | Reason | Solution |
| --- | --- | --- |
| The BB device stops responding at the Activating... status screen for 10 minutes. It then retries every 10 minutes, displaying a status of Retrying... After 40 minutes the process ends with the message "The server is not responding. Please contact your System Administrator." During this stage, the activation email messages with the ETP.dat attachment appear in the user’s mailbox. | The BES does not receive the UDP notification for the new email message from the Messaging Server. | Confirm that the BES can communicate with the Messaging Server |
| | Incorrect MAPI subsystem installed on the BES. | Ensure the MAPI subsystem is equal or higher than the Exchange versions – KB10197. Recreate the MAPI profile – KB10285 |
| | The BESAdmin account does not have the correct permissions to access the user’s mailbox and retrieve the ETP.dat activation email message. | Ensure the BESAdmin account permissions are correct for the user’s mailbox – KB10823. The ETP.dat activation email message must arrive in the user’s mailbox before the BESAdmin account is notified that the email message has been received. |
| "An Error has occurred. Please contact your system administrator" appears on the BB device | The Enterprise Service Policy has restricted which BB devices can be activated on the BES | Confirm that the Enterprise Service Policy allows the BB device to be activated on the BES |

 

 

1.1.3        Stage 3 - Receiving services

3.       At this stage, the BES and the Blackberry device have established an encryption key and have verified their knowledge of the encryption key to each other. The Blackberry device now displays the message Encryption Verified. Waiting for Services. All data between the BES and the Blackberry device from now on is compressed and encrypted using this encryption key.

4.       The Blackberry Messaging Agent forwards the request to the Blackberry Policy Service to generate the service books. The Blackberry Policy Service adds the unique authentication key that the Blackberry Domain uses to sign IT policy data and then forwards the IT policy data through the Blackberry Dispatcher to the Blackberry Router and then to the Blackberry device. The Blackberry Policy Service waits for confirmation from the Blackberry device that the IT policy has been applied successfully.

Points of Failure – Configuration database, Messaging Agent, Policy Service, Blackberry device

 

5.       The Blackberry device applies the IT policy and sends a confirmation to the BES. The IT policy applied to the Blackberry device is now in a read-only state and can be modified only by IT policy updates sent from the same Blackberry Domain.

Points of Failure – Blackberry device

 

6.       When the Blackberry Policy Service receives the confirmation that the IT policy has been applied successfully, the Blackberry Policy Service generates and sends the service books to the Blackberry device.

Points of Failure – Configuration database, Policy Service, Blackberry device

 

7.       The Blackberry device receives the service books and displays the following message Services Received. Your email address, username@company_name.com is now enabled. At this point the users can send and receive email messages on the Blackberry device.

Points of Failure – Blackberry device

| Issue | Reason | Solution |
| --- | --- | --- |
| The BB device stops responding at Waiting for Services... | The BB Policy Service or the BB Synchronisation Service is not started or responding. | Confirm that the BB Policy Service and the BB Synchronisation Service are started, or restart the services if required. |
| | The BB Policy Service is processing the service books and the IT policy. | Allow sufficient time for the BB Policy Service to process the service books and the IT policy. |
| | Another user with the same PIN is active in the BB Configuration Database. | Remove the duplicate user account from the BES. |
| "IT Policy Rejected. Please wipe handheld and try again" appears on the BB device. | The BB device was previously active on another BES and has a conflicting IT policy. This happens when the previous BES and the current BES do not share the same BB Configuration Database. | The user must delete all data using the Security Wipe option on the BB device to allow the new BES to overwrite the IT policy from the previous BES. |

 

1.1.4        Stage 4 – Slow Synchronisation

8.       The slow synchronisation process begins. The Blackberry device requests the synchronisation configuration information from the Blackberry Synchronisation Service. The configuration information indicates whether wireless data synchronisation on the BES is turned on and which PIM databases can be synchronised. It also provides database synchronisation types (one way or two way) and conflict resolution settings.

Points of Failure – Synchronisation Service, Blackberry device

 

9.       The Blackberry Synchronisation Service returns the configuration information and synchronises the databases in the Blackberry device.

Points of Failure – Configuration Database, Blackberry device, users’ mailbox, Synchronisation Service

 

10.   The slow synchronisation process is complete when all the databases are synchronised between the Blackberry device and the BES. The blackberry device displays Activation Complete and the user account status displays Completed in the BAS console.

| Issue | Reason | Solution |
| --- | --- | --- |
| The EA process only completes the synchronisation process of the Calendar database. | The BB Synchronisation Service is not started or responding. | Confirm that the BB Synchronisation Service is started, or restart the service if required. Confirm that the MS XML parser is installed. |
| | The BES has network connection issues with the MS SQL Server. | Confirm that there are no network connectivity issues between the BES and the BB Configuration Database. |
| "Not all databases synchronised successfully – Address Book" appears on the BB device. | Due to requirements for contact information, some entries in the Address Book application might have been skipped. | Confirm that all contacts have a first name, last name or company name. When a contact entry is missing information in all 3 fields, the entry is not synchronised and this error message is displayed on the BB device. |
| PIM databases are not synchronised after the enterprise activation process has finished. | The IT policy is disabling wireless bulk load, PIM synchronisation or individual PIM applications. | Confirm that the IT policy allows for wireless synchronisation of PIM applications. |
| The EA process stops responding and the slow synchronisation process cannot complete. | Content Protection is enabled on the BB device. | Turn off Content Protection before starting the EA process again. |
| | Multiple users are attempting the slow synchronisation process at the same time. | If multiple users are attempting the slow synchronisation process at the same time, it may take longer to complete, depending on BES settings and workload and the Messaging Server performance. |
| | The Desktop [SYNC] service is corrupt. | Delete and undelete the Desktop [SYNC] service books – if necessary resend from the BES. |

Friday, October 19, 2012

Logs in c:\windows\system32\LogFiles\W3SVC1 filling up C: drive

A solution is to periodically purge the oldest log files. This is easily done by creating a scheduled task with the following command, which deletes *.log files older than 30 days:

C:\>Forfiles.exe /P C:\WINDOWS\system32\LogFiles\W3SVC1 /M *.log /D -30 /C "Cmd.exe /C del @path"

 

See http://technet.microsoft.com/en-us/library/cc753551(v=ws.10).aspx

Thursday, October 18, 2012

Cannot open your default email folders. Microsoft exchange is not available. Either there are network problems or the exchange server is down for maintenance.

You'll probably see that Event ID 9646 is logged in the application event log of your Exchange Server 2003 computer for a client opening many MAPI sessions.

This KB relates to the error below: http://support.microsoft.com/kb/842022

However, I found that moving the user's mailbox to another store resolved this issue without making registry changes.

On a server that is running Microsoft Exchange Server 2003, an event that resembles the following event is logged in the Application log:

Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 9646
Description:
Closing Mapi session "/o=Organization/ou=Administrative Group/cn=Recipients/cn=Recipient" because it exceeded the maximum of 32 objects of type "session".

When this issue occurs, you may also receive the following error message in Microsoft Office Outlook 2003:


Unable to open your default e-mail folders. The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server is down for maintenance.


Ports that Systems Management Server 2003 uses to communicate through a firewall or through a proxy server

http://support.microsoft.com/kb/826852

Port Requirements: SMS site server to Active Directory


SMS 2003 site servers require access to the Active Directory global catalog server in order to do the following:

  • Publish site systems to Active Directory

  • Publish and query for Active Directory site boundaries

  • Run Active Directory discovery methods

| Service Name | UDP | TCP |
| --- | --- | --- |
| LDAP | 389 | 389 |
| LDAP SSL | N/A | 636 |
| RPC Endpoint Mapper | 135 | 135 |
| Global Catalog LDAP | N/A | 3268 |
| Global Catalog LDAP SSL | N/A | 3269 |
| Kerberos | 88 | 88 |


Port requirements: SMS 2003 site server to the child site, to the secondary site, or to the SMS SQL Server

Port 445 – Server Message Block (SMB)


Port requirements: SMS 2003 site server to remote SMS SQL Server database. Proxy management points, management point, server locator points, and reporting points to the SMS SQL Server database

Port 1433 – TCP (SMS site server to SQL server)


Note For more information about SQL server ports, see the “Microsoft SQL Server ports” section.

Port requirements: SMS 2003 Advanced Client to Active Directory


In an Active Directory environment, the Advanced client makes a Lightweight Directory Access Protocol (LDAP) query to the global catalog server to find a management point that matches the client’s IP address. The following ports are required in Active Directory to allow the client to contact the global catalog server.

Port 389 – UDP (User Datagram Protocol) LDAP Ping
Port 389 – TCP LDAP
Port 636 – TCP LDAP (SSL Connection)
Port 3268 – TCP (explicit connection to Global Catalog)
Port 3269 – TCP (explicit SSL connection to Global Catalog)


Port requirements: SMS 2003 Advanced Client to Management Point or to distribution point

Port 80 – Hypertext Transfer Protocol (HTTP)
Port 139 – Client sessions (for non BITS-enabled DPs)
Port 445 – Server Message Block (for non BITS-enabled DPs)


Note When you use a Background Intelligent Transfer Service (BITS)-enabled distribution point through a firewall, only port 80 needs to be opened to both the management point and the BITS-enabled distribution point. All communications will be initiated from the client. If you are only opening port 80, you will need to specify the management point by using the following script:


Dim oSMSClient
' Bind to the SMS Advanced Client COM object
Set oSMSClient = CreateObject("Microsoft.SMS.Client")
' Point the client at a named management point (use the MP's NetBIOS name)
oSMSClient.SetCurrentManagementPoint "MP NetBIOS name", 0
Set oSMSClient = Nothing



Without access to Active Directory or WINS in the environment, the Advanced Client will need an Lmhosts file on the client computers. You will need entries for one or more MPs. For example, the following MP has an IP address of 10.0.0.1 and a site code of AAA:

10.0.0.1 "MP_AAA x1A" #PRE

For more information about how to write an Lmhosts file, click the following article number to view the article in the Microsoft Knowledge Base:
180094 How to write an Lmhosts file for domain validation and other name resolution issues

Port requirements: SMS Remote Control System service: Wuser32

| Application protocol | Protocol | Ports |
| --- | --- | --- |
| SMS Remote Chat | TCP | 2703 |
| SMS Remote Chat | UDP | 2703 |
| SMS Remote Control (control) | TCP | 2701 |
| SMS Remote Control (control) | UDP | 2701 |
| SMS Remote Control (data) | TCP | 2702 |
| SMS Remote Control (data) | UDP | 2702 |
| SMS Remote File Transfer | TCP | 2704 |
| SMS Remote File Transfer | UDP | 2704 |


SMS Remote Control UDP


When you use NetBIOS over TCP/IP for SMS Remote Control, the following ports are used:

Port 137 – Name resolution
Port 138 – Messaging
Port 139 – Client sessions


Note When you use NetBIOS over Novell NWLink, you must configure the router to forward type 20 packets. Type 20 packets provide NetBIOS support.

Microsoft Windows NT UDP


The following list includes the core UDP ports that Windows NT uses, and it also lists their respective functions:

Domain Name System (DNS) – UDP 53
Dynamic Host Configuration Protocol (DHCP) – UDP 67
Remote procedure call (RPC) – TCP 135
Windows Internet Name Service (WINS) – UDP 138
NetBIOS datagrams – UDP 138
NetBIOS datagrams – TCP 139


Note The SMS Administrator console must have TCP port 135 open for communication. Otherwise, the console cannot display all the items in the console tree.

Microsoft SQL Server ports


If you use the TCP/IP Net-Library, enable port 1433 on the firewall. Use the Hosts file or an advanced connection string for host name resolution.

If you use named pipes over TCP/IP, enable port 139 for NetBIOS functions.

Microsoft does not recommend that you enable UDP ports 137 and 138 for NetBIOS name resolution by using B-node broadcasts. Instead, you can use a WINS server or an Lmhosts file for name resolution.

By default, SQL Server uses TCP (not UDP) port 1433 to listen on TCP/IP. To change the port, run SQL Server Setup on the server and then click Change Network Support. If SQL Server uses port 1433, the client Net-Library works. If SQL Server uses a custom port number, the client must specify that port in the Data Source Name (DSN).

SMS RAS Sender


SMS can also use the SMS RAS Sender with Point to Point Tunneling Protocol (PPTP) to send and to receive SMS site, client, and administrative information through a firewall. Under these circumstances, the following port is used:

PPTP – TCP 1723


Security


To help improve the security of your computer, you can configure your firewall to use Internet Protocol (IP) filters that permit only registered addresses to pass through the firewall.

If you enable specific ports on a proxy server or on a firewall, this may affect the security of your computer. For additional information about security issues, visit the following Microsoft Web site:

For more information about how to restrict TCP/IP ports for DCOM, click the following article number to view the article in the Microsoft Knowledge Base:
300083 How to restrict TCP/IP ports on Windows 2000 and Windows XP
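
The port tables above, turned into a least-privilege check as an added example (not from the original post or from Microsoft): it parses a firewall allow-list and reports required flows that are missing, rules open to any source, the UDP 137/138 rules the post advises against, and open ports that no table asks for. The role names, the one-line rule format and the sample ruleset are constructed for illustration, and a BITS-enabled distribution point is assumed, so only port 80 is expected towards the management point.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "src dst proto port")

# Required flows per path, transcribed from the port tables in this post.
# Role names are hypothetical labels. The advanced_client -> management_point
# entry assumes a BITS-enabled distribution point, where only port 80 is needed.
REQUIRED = {
    ("site_server", "global_catalog"): {
        ("udp", 389), ("tcp", 389), ("tcp", 636), ("udp", 135), ("tcp", 135),
        ("tcp", 3268), ("tcp", 3269), ("udp", 88), ("tcp", 88)},
    ("site_server", "sql_server"): {("tcp", 445), ("tcp", 1433)},
    ("advanced_client", "global_catalog"): {
        ("udp", 389), ("tcp", 389), ("tcp", 636), ("tcp", 3268), ("tcp", 3269)},
    ("advanced_client", "management_point"): {("tcp", 80)},
}

# NetBIOS name-resolution ports the post says Microsoft does not recommend enabling.
DISCOURAGED = {("udp", 137), ("udp", 138)}

# Constructed sample ruleset in a made-up one-line-per-rule format.
SAMPLE = """
# src -> dst  proto  ports
allow site_server -> global_catalog tcp 88,135,389,636,3268,3269
allow site_server -> global_catalog udp 88,135,389
allow site_server -> sql_server tcp 445
allow advanced_client -> global_catalog tcp 389,636,3268,3269
allow advanced_client -> global_catalog udp 389
allow any -> management_point tcp 80
allow advanced_client -> management_point udp 137,138
allow advanced_client -> management_point tcp 445
"""

LINE = re.compile(r"^allow\s+(\w+)\s*->\s*(\w+)\s+(tcp|udp)\s+(\d+(?:,\d+)*)$")


def parse_rules(text):
    """Expand each 'allow' line into one Rule per port; reject anything else."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = LINE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        src, dst, proto, ports = match.groups()
        for port in map(int, ports.split(",")):
            if not 1 <= port <= 65535:
                raise ValueError(f"line {lineno}: port {port} out of range")
            rules.append(Rule(src, dst, proto, port))
    return rules


def audit(rules):
    """Compare an allow-list with REQUIRED and return findings by category."""
    allowed = {}
    for rule in rules:
        allowed.setdefault((rule.src, rule.dst), set()).add((rule.proto, rule.port))
    report = {"missing": [], "any_source": [], "discouraged": [], "unexpected": []}
    for (src, dst), needed in sorted(REQUIRED.items()):
        # A rule with source "any" opens the flow too, but is reported below.
        have = allowed.get((src, dst), set()) | allowed.get(("any", dst), set())
        report["missing"] += [Rule(src, dst, *flow) for flow in sorted(needed - have)]
    for rule in rules:
        flow = (rule.proto, rule.port)
        if flow in DISCOURAGED:
            report["discouraged"].append(rule)
        elif rule.src == "any":
            report["any_source"].append(rule)   # not limited to known addresses
        elif flow not in REQUIRED.get((rule.src, rule.dst), set()):
            report["unexpected"].append(rule)   # open, but no table asks for it
    return report


if __name__ == "__main__":
    for category, found in audit(parse_rules(SAMPLE)).items():
        for rule in found:
            print(f"{category:12} {rule.src} -> {rule.dst} {rule.proto}/{rule.port}")
```
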

Tuesday, October 16, 2012

Modify Exchange 2003 Quotas above the 2Gb GUI AD Users and Computers Limit

  1. Log in to a DC with ADSI Edit installed

  2. Create an MMC and add the ADSI Edit snap in

  3. Connect to the domain

  4. Navigate through the ADSI Edit GUI to find the user

  5. Right click and choose "properties"

  6. Modify these values


MDBOverQuotaLimit (Prohibit Send at.... value)

MDBStorageQuota (Issue Warning at....value)

e.g.

Set MDBOverQuotaLimit = "3000000" to set a 3.0Gb limit

Set MDBStorageQuota = "2800000" to set a 2.8Gb warning

SMS SCCM WDS MDT Windows 7

Tips- How to package software


Switches


-r
Causes Setup.exe automatically to generate a silent setup file (.iss file), which is a record of the setup input, in the Windows folder.

 

Packages


cmd files must have drive letter
more info at http://www.appdeploy.com/
tick "suppress program notifications" to stop systray bubble/add and remove programs

Useful silent (un)install code:

  • msiexec /I "xxxx.msi" transforms="xxxx.mst" /qn /norestart (/qn shows no interface, /qb shows basic progress bar)

  • msiexec /x "xxxx.msi" /qn /norestart

  • C:\WINDOWS\IsUninst.exe -fC:\xxx\xxx.isu -a (-a is for silent)


IMAGEx


Enter “imagex /info img_file“, where “img_file” represents the location of the WIM file. You should see now the description of the WIM file as an XML file. The name of the tag for the image number is IMAGE INDEX.

Create a new folder where the image shall be mounted. This is the image path. Now, you can mount the image:

imagex /mount img_file img_number img_path

imagex /mountrw img_file img_number img_path

Once you’ve modified the image you can unmount it with this command:

imagex /unmount /commit img_path

DISM


dism /Mount-Wim /wimfile:d:\boot.wim /index:1 /MountDir:d:\mount
or
dism /Mount-Wim /wimfile:d:\boot.wim /index:2 /MountDir:d:\mount
or
dism /Mount-Wim /wimfile:d:\install.wim /index:3 /MountDir:d:\mount

http://technet.microsoft.com/en-us/library/dd744360%28v=ws.10%29.aspx


dism /Mount-Wim /wimfile:"E:\DeploymentShare\Operating Systems\Windows7x64-Aug12\Windows7x64.wim" /index:1 /MountDir:e:\mount
Dism /image:e:\mount /Set-UserLocale:EN-gb
Dism /image:e:\mount /Set-UILang:EN-us
Dism /image:e:\mount /Set-SysLocale:EN-gb
Dism /image:e:\mount /Set-InputLocale:EN-gb
Dism /image:e:\mount /Set-AllIntl:EN-gb
Dism /image:e:\mount /Set-SKUIntlDefaults:EN-gb
dism /Unmount-Wim /MountDir:e:\mount /commit

 

Add Drivers to Vista Boot Image


1. Update the WDS boot image to include the new third-party network driver. To do this, follow these steps.

Note The following procedure assumes that the Windows Automated Installation Kit (AIK) is installed on the WDS server. If the Windows AIK is not installed on the WDS server, you can perform the same procedure on another computer that does have the Windows AIK installed. Then, map a network drive to the WDS server.
a. On the WDS server, click Start, click Run, type wdsmgmt.msc, and then click OK.
b. Under your WDS server, double-click Boot images.
c. Right-click the boot image that you want, and then click Disable.
d. Right-click the same boot image, click Properties, and then click General.
e. Note the name and location of the boot image that is displayed in the File name box.
f. At a command prompt, type the following:
"C:\program files\windows aik\tools\petools\copype.cmd" x86 c:\windowspe-x86
Note Keep this command prompt window open for the next step.
Imagex /info o:\remoteinstall\boot\x86\images\kinstall.wim
Notes

  • Drive:\remoteinstall represents the path at which the Remoteinstall folder is installed.

  • Boot.wim is the name of the boot image.

g. Note the boot index number of the bootable image that is displayed. To identify the boot index number, locate the line that contains "boot index: X."

Note X is the boot index number. The number indicates that image number X is marked as bootable and that the image is to be updated. The second image is the default image that you would typically modify. However, always verify which image is marked as bootable.
h. At a command prompt, type the following:
Imagex /mountrw Drive:\remoteinstall\boot\x86\images\boot.wim 2 mount
peimg /inf=driver.inf mount\Windows
imagex /unmount /commit mount
Notes

  • Drive:\remoteinstall represents the path at which the Remoteinstall folder is installed.

  • Driver.inf is the name of the third-party driver.

  • The Imagex /mountrw command mounts the specified image, with read/write permissions, to the specified directory.

2. Enable the boot image on the WDS server. To do this, follow these steps:
a. On the WDS server, click Start, click Run, type wdsmgmt.msc, and then click OK.
b. Under WDS server, double-click Boot images.
c. Right-click the boot image that you want, and then click Enable.

----











copype.cmd x86 c:\windowspe-x86



imagex /info O:\RemoteInstall\Boot\x86\Images\Kcapture.WIM

imagex /mountrw O:\RemoteInstall\Boot\x86\Images\Kcapture.WIM 3 mount


------------------------

[ option1- one driver]


peimg /inf="[path to .inf]" /image=C:\windowspe-x86\mount

-------------------------------------

[ option2- multidriver]


for /R O:\RemoteInstall\driver_to_inject\network\760-960\780 %i in (*.inf) do peimg /inf=%i c:\windowspe-x86\mount\windows\

---------------------------------------------


imagex /unmount /commit C:\windowspe-x86\mount



imagex /unmount /commit mount


----------





 






Microsoft deployment Toolkit (MDT)


Instructions:
These instructions are brief and hopefully a useful first step.

How to deploy a Windows Server 2003 image to bare metal (set to capture the file at the end of the task sequence)

1 On the computer you wish to deploy an OS instance to, power on and press F12 when prompted.  Select network boot (PXE boot).  Be ready to press F12 again when prompted, otherwise it will time out and proceed to the next item in the boot order. Proceeding will format the computer and delete all data!
2 Select 'Lite Touch Windows PE (x64)-Engineering' to pull down the WinPE file.
3 This produces an MDT wizard; enter your domain credentials.
4 Select 'Microsoft Server 2003 Standard x64' from the task sequence.
5 Complete the wizard and 'begin'.
5.1 If you choose to capture the image after deployment, specify the capture location as \\contoso\DeploymentShareEng$\captures
6 Upon completion you will have Server 2003 installed (and, if selected, a captured image).

How to sysprep and capture a current image.

1 On the computer you wish to capture, click Start > Run and type \\contoso\DeploymentShareEng$\scripts\LiteTouch.vbs
2 This produces an MDT wizard; enter your domain credentials.
3 Select 'sysprep and capture' from the task sequence.
4 Save the capture to \\contoso\DeploymentShareEng$\captures
5 Complete the wizard and 'begin'.
6 Upon completion you will have a WIM file located in \\contoso\DeploymentShareEng$\captures which can be used in other task sequences.

Microsoft Office 2007 Pro Plus troubleshooting


Microsoft Office 2007 Pro Plus 

Microsoft Office Excel 2007 to analyze your business information, create spreadsheets, and track time, costs, resources, and people
Microsoft Office Word 2007 to create, manage, save, and edit documents
Microsoft Office Publisher 2007 to produce professional publications
Microsoft Office Outlook 2007 to manage tasks, daily appointments, and email
Microsoft Office PowerPoint 2007 to create dynamic sales presentations
Microsoft Access 2007 to create a database and then filter, sort, graph, and visualize business information
InfoPath 2007 to lower the cost of executing business transactions and processes with advanced electronic forms technologies

Troubleshooting section


Issue: Error starting Outlook: "Cannot start Microsoft Office Outlook. Cannot open the Outlook window."

Cause and FIX
This problem can occur when the file that maintains the Navigation Pane settings becomes corrupted. This file is called profilename.xml, where profilename is the name of your Outlook profile. This file is stored in the following folder:

•Windows XP

C:\Documents and Settings\username\Application Data\Microsoft\Outlook

•Windows Vista, Windows 7

C:\Users\username\AppData\Roaming\Microsoft\Outlook
A good indication this file is corrupted is when the file size is 0 KB.

To resolve this problem, use the following steps.

1. On the Start menu, click Run.
2. In the Run dialog box, type the following command:

Outlook.exe /resetnavpane

Note: There is a space between "Outlook.exe" and "/resetnavpane"

3. Click OK
Issue: Exchange 2003 SP2 and Outlook 2007, mapped mailbox indicates the inbox has one or more unread messages.  However, they are not being displayed in the reading pane.

Connecting directly to the mailbox via wmail reveals the unread messages as well as many more read emails that were not present in the mapped mailbox.

Cause and FIX

1 You are able to see all emails when connecting to the mailbox directly (i.e. via wmail) but not as a mapped mailbox. The reason is that the emails are being sent with a special property set: the 'sensitivity' setting is defined as 'Private', which means only the intended recipient can see the email, not users sharing the mailbox.
Issue: Outlook starts with the error message "There is no email program associated to perform the requested action"

Cause and FIX
After clicking on the OK button Outlook appears to respond correctly. Does not relate to missing Plugins or other messages, only when you start Outlook the first time.  Looking at Default file extensions in Windows 7 was not revealing as the current settings mimic another working computer.

After investigation the FIX involved copying [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook] registry from another working computer.  The computer with the error message was missing all of the keys even after re-installing the software.

Issue: If a user has an issue where PowerPoint changes the hyperlink the user inputs from (e.g.) M:\Eng\pdfexample.pdf to ../../root/eng/pdfexample.pdf then please follow the below instructions to fix:

Following stops PowerPoint messing with links on save.

Tools -> Options -> General -> Web Options -> Files -> Update links on save.
Needs to be unchecked.

How to enable Sharepoint, Kerberos and NTLM on Firefox

Sharepoint compatibility with firefox

This is to enable Sharepoint,  Kerberos and NTLM on Firefox.

about:config
Filter for network.automatic-ntlm-auth.trusted-uris
Enter: domain.local, domain.com, domain2.com

Filter for: network.negotiate-auth.delegation-uris

Enter: domain.local, domain.com, domain2.com

Filter for: network.negotiate-auth.trusted-uris

Enter: domain.local, domain.com, domain2.com

PDF writer returns multiple PDF documents not just one!

Q) When I go to produce a PDF from an Excel spreadsheet, it will break my multi-worksheet document into several PDF requests.

A) The issue was caused by having different page properties on different worksheets. When sent through the Adobe PDF printer (or Cute PDF), as soon as it gets to a worksheet with different properties it will see it as a different request and prompt for a PDF file name.

To resolve this issue see below.

1 Right click a worksheet and "select all sheets"
2 Select 'Page Layout' tab and 'Print Titles'
3 On the 'Page' tab select the print quality to 600 DPI and click OK

This will make a change on all worksheets, and if you go to file print or through Acrobat > combine it will convert all

How to collect information on a computer remotely

Open a command prompt and type  wmic csproduct get identifyingnumber,vendor,name
This will query WMI and return the Serial number, Computer model, Manufacturer.

Windows keyboard shortcuts

1. Windows Logo + L


Walking away from the screen for a while? Keep prying eyes out of your stuff with this quick shortcut that locks the PC instantly.

2. Shift + Delete


The lazy way to delete stuff in Windows is to drag it to the Recycle Bin. An even lazier way is to highlight the file and press Delete. And if you're ultra-lazy (and smarter than the average user), you can bypass the Recycle Bin entirely by pressing Shift + Delete. The downside is that you won't get the opportunity to easily restore the file from the Recycle Bin if you later decide you want it back, but you also won't have to bother emptying the Recycle Bin if you use this method to ditch unwanted files.

3. Shift + CTRL + N


Windows 7 made it a little easier to create new folders in Windows Explorer. Now you can just hit Shift + Ctrl + N in any folder to create a new untitled folder right where you are. The new folder will appear with the name ‘New folder' already highlighted so you can type in your own name for it and hit Enter to move on to the next task.

4. Windows + M (or Windows + D)


Got a bazillion windows cluttering your screen? Press Windows + M to instantly minimize all current windows to the Taskbar. It's a great way to restore your sanity, and an even better way to hide what you're working on from unexpected interlopers. When you want all the windows back again, press Windows + Shift + M and every currently running window will pop open again.

5. Windows + Spacebar


If you just want to take a quick peek at your desktop (for instance, to locate a file you've dropped there), there's no need to completely minimize all your windows with the Windows + M shortcut. Instead, press Windows + Spacebar, and all of your open windows will turn transparent so you can see right through them. This even works with maximized windows and full-screen views. To return your view to normal, simply let go of the keys.

6. Windows + Shift + Left or Right Arrow


If you use a dual-monitor setup to maximize your screen real estate, you might like to use one monitor as your primary working screen and the other as a holding pen for active windows. Or maybe you just need to move a window from one side to the other for some reason. In either case, hitting Windows + Shift + Left Arrow will move the current window from the right display to the left, and using Right Arrow will move it from the left display to the right. If you only have one monitor, these commands will dock your window to the designated side of the screen.

7. Windows + 1, 2, 3, etc.


Windows 7 introduced a new feature that lets you pin apps to your Taskbar for quick access. An even quicker way to access those apps is with this slick keyboard shortcut. Press Windows + 1 to launch the first pinned app in your Taskbar (from left to right). Windows + 2 launches the second one, Windows + 3 launches the third one, and so on.

8. Windows + T


Windows + number launches pinned apps in your Taskbar, but if your apps are already open, there's a quick way to scroll through them. Press Windows + T and you'll highlight the first open app in your Taskbar. Press it again and you'll move to the second open app. As you scroll through them, you'll get a preview box just as you would if you were hovering over the icon with your mouse. When you get to the app you want, hit Enter to bring it to the foreground. This shortcut only works with open apps, and ignores unopened apps that you've pinned to your Taskbar.

9. Windows + (+/-)


Want a closer look at whatever's on your screen? Hit Windows and + to zoom in for a magnified view. While you're magnified, moving the mouse around the screen will move you to the far corners and bring them into view. Windows and - zooms you back out again.

10. How to quickly open browser tabs in the background


You could right-click the link and choose "Open Link in New Tab," but this little keyboard shortcut can save you the trouble. All you have to do is hold down the Control key (on Windows) or Command (on Mac) and click the link you want to open. This will open a tab in the background and you won't have to deal with it right away. You can also do this with bookmarks and bookmark folders that are sitting in your toolbar.

How to remove Windows 7 Offline files

http://social.technet.microsoft.com/Forums/en/w7itproui/thread/9c89236e-a315-4755-b642-070c120a0448 (I tested this on Win7 and it worked for me):

1. Navigate to the following location in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Csc\Parameters

2. Create a new DWORD value called FormatDatabase, with the value 1
3. Reboot (the new value we created will delete itself after rebooting, along with the Offline Files cache)

Transparent Caching



When you enable transparent caching, Windows 7 keeps a cached copy of all files that a user opens from shared folders on the local volume. The first time a user opens the file, the file is stored in the local cache. When the user opens the file again, Windows 7 checks the file to ensure that the cached copy is up to date and if it is, opens that instead. If the copy is not up to date, the client opens the copy hosted on the shared folder, also placing it in the local cache. Using a locally cached copy speeds up access to files stored on file servers on remote networks from the client. When a user changes a file, the client writes the changes to the copy of the file stored on the shared folder. When the shared folder is unavailable, the transparently cached copy is also unavailable. Transparent caching does not attempt to keep the local copy synced with the copy of the file on the remote file server as the Offline Files feature does. Transparent caching works on all files in a shared folder, not just those that you have configured to be available offline.

Transparent caching is appropriate for WAN scenarios and has several similarities to BranchCache. Some significant differences are that clients on the local area network do not share the cache and that file servers hosting the shared folders do not need to be running Windows Server 2008 R2 to support transparent caching. It is also possible to use transparent caching on clients running Windows 7 Professional and on clients that are not members of an AD DS domain, something that is not possible with BranchCache. Windows 7 triggers transparent caching when the round-trip latency value exceeds the amount specified in the Enable Transparent Caching policy.

Before Windows 7, to open a file across a slow network, client computers always retrieved the file from the server computer, even if the client computer had recently read the file. With Windows 7 transparent caching, client computers cache remote files more aggressively, reducing the number of times a client computer might have to retrieve the same data from a server computer.

The first time a user opens a file in a shared folder, Windows 7 reads the file from the server computer and then stores it in a cache on the local disk. The second and subsequent times a user reads the same file, Windows 7 retrieves it from disk instead of reading it from the server computer.

To provide data integrity, Windows 7 always contacts the server computer to ensure the cached copy is up-to-date. The cache is never accessed if the server computer is unavailable, and updates to the file are always written directly to the server computer. Transparent caching is not enabled by default on fast networks.

IT Professionals can use Group Policy to enable transparent caching, to improve the efficiency of the cache, and to save disk space on the client, configuring the amount of disk space the cache uses and preventing specific file types from being synchronized.

These benefits are transparent to end-users and provide an experience for users at branch offices that more closely resembles the experience of being on the same LAN as servers. Additionally, the improved cache efficiency can reduce utilization across WAN links.

Microsoft TechNet Web page: http://technet.microsoft.com/en-us/library/dd637828.aspx.



 

Removing device drivers from Windows machines

Applies to: All versions of Windows.

Follow these steps to view and remove these unnecessary device drivers:

  1. Press [Windows]+[Break] to bring up the System Properties dialog box.

  2. Select the Advanced tab and click the Environment Variables button.

  3. Click the New button below the System Variables panel.

  4. In the New System Variable dialog box, type devmgr_show_nonpresent_devices in the Variable Name text box and 1 in the Variable Value text box.

  5. Click OK to return to the System Properties dialog box and then click OK again.

  6. Select the Hardware tab and click the Device Manager button.

  7. In Device Manager, go to View | Show Hidden Devices.

  8. Expand the various branches in the device tree and look for the washed out icons, which indicate unused device drivers.

  9. To remove an unused device driver, right-click the icon and select Uninstall.

How to sign a powershell script



http://blogs.technet.com/b/heyscriptingguy/archive/2010/06/16/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2010/06/17/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2.aspx

$cert=(dir cert:currentuser\my\ -CodeSigningCert)

Set-AuthenticodeSignature demoscript2.ps1 $cert -TimestampServer http://timestamp.comodoca.com/authenticode

My PKI root is called pki.harper.labs, and it is already trusted by my domain members, as shown in the following image.



I will follow these steps:

  1. Make the code signing certificate template available on my issuing certificate server.

  2. Request a code signing certificate for my user.

  3. Sign my Windows PowerShell script and run it.

  4. Deploy the code signing certificate as a trusted publisher through Active Directory.


Step 1: Make the code signing certificate template available on my issuing certificate server


Let’s start with making the code signing certificate available on the issuing certificate server so that our certificate server will issue code signing certificates. I do this at the issuing certificate server, and I start the Server Manager console and open the Active Directory Certificate Services node.

We will start with a look at the code signing certificate template. Find the template in the Certificate Templates node right under the Enterprise PKI node. This is called the Certificate Templates snap-in (and if you want you can open it up as a standalone snap-in in the Microsoft Management Console [mmc.exe]). This is shown in the following image.



I will not discuss how to create copies of the template here, so I will just use the existing certificate template. If you double-click the code signing template, you will get a property sheet with a few tabs, as shown in the following image.



Because we are not creating a duplicate copy, we cannot change any of the values on the General tab. If we created a duplicate, we could change those. For example, how long should the certificate be valid? The same goes for Request Handling, Subject Name, and Extensions. If we wanted to change those, we would have to create a duplicate.

What we will look at is the Security tab. We are interested in the permission to enroll: who should be able to enroll for a code signing certificate? I create a group in Active Directory called Codesigners, and I grant the Read and Enroll permissions shown in the following image.



Then I make the users who should be able to get a code signing certificate members of this group. I click OK, and continue to make the certificate template available on my issuing certificate server.

Next, I open the Certificate Authority console (the node is named pki.harper.labs in my environment, and is found under the Certificate Templates node in Server Manager, as shown in the next image). In the Certificate Authority console, you also see a Certificate Templates node. If you want to check if the code signing certificate template is available for enrollment, see if it is shown in the list. This is shown in the following image.



If the code signing template is not shown, we will add it. Right-click the Certificate Templates node, point to New, and then click Certificate Template to Issue, as shown in the following image.


From the list that appears, such as is shown in the following image, select the code signing template, and then click OK. This list is read from Active Directory, and if you just created the template, you might have to wait until it is replicated to all domain controllers.



We are now able to request a code signing certificate, and enroll the users we gave Enroll permission on the template.

Step 2: Request a code signing certificate for my user


This step is done from my client computer, as a user that is a member of the Codesigning group. I open the Certificates snap-in through the Microsoft Management Console (mmc.exe). Then I add the Certificates snap-in by clicking File, and then clicking Add/Remove Snap-in. This is shown in the following image.



Click Certificates in the left pane, as shown in the following image. Click Add, and then click OK.



You want the snap-in to manage your user account, so click My user account. Now that you have loaded the snap-in, let’s request a code signing certificate. Right-click Personal, point to All Tasks, and then click Request New Certificate.



Just click Next in the first dialog box. Because we are requesting a certificate from our enterprise PKI, in the next dialog box, select the Active Directory Enrollment Policy, and then click Next, as is shown in the following image.



Because we made the code signing template available in step 1, you should see the template for code signing available for enrollment. You only see the certificates you have permissions for in the list, so if the code signing template does not show up, have a closer look at the permissions. Click the Code Signing certificate. If you look at the details, you will see the validity period of the certificate (the default template is one year or 365 days, as the details say).



All the information that is needed to create the certificate is automatically configured, but if you want, you can change some of it if you click Properties. For example, if you want to make the private key exportable so that you can export/import the private keys to other computers, you can configure this by clicking Properties, and then clicking the Private Key tab, as shown in the following image. This is necessary if you want to use the same certificate on multiple computers.



When you are ready, click Enroll. Wait while the certificate is being generated and issued. Click Finish. You have now created a certificate for code signing!



Step 3: Sign my Windows PowerShell script and run it

Just a quick reminder that your requirements for signed scripts are set using the Set-ExecutionPolicy cmdlet (or by Group Policy).

Setting        Description
Unrestricted   No requirements; all scripts allowed
RemoteSigned   All local scripts allowed; only signed remote scripts
AllSigned      All scripts need to be signed
Restricted     No scripts allowed


For this demonstration, my execution policy is set to AllSigned. If I just try to run my script, it will fail, as shown in the following image.



We will use the Set-AuthenticodeSignature cmdlet to sign the script. I will start by storing the code signing certificate in a variable named $cert.

$cert=(dir cert:currentuser\my\ -CodeSigningCert)

Then I am ready to sign my script with the Set-AuthenticodeSignature cmdlet. This is shown in the following image.



As you see, the status is valid, so the signing was successfully done. Please note that I recommend that you supply the TimeStampServer parameter. This will make sure the script works even though the certificate that signed it is expired. It will tell the system that the code signing certificate was valid at the time of signing. (Okay, I can imagine there are some situations where this might not be correct, but I also guess it will be good enough for most of us.) If you do not use the TimeStampServer parameter, the script will stop working when the certificate used for signing expires. There are multiple sources for timestamping out there. Use one that suits you.

Let us try to run the scripts again, and see what happens. The results are shown in the following image.



We get a question if we want to run the script or not. The question says that this is a script from an untrusted publisher. In Step 4, I will show you how to make the publisher (code signing certificate) trusted for your domain.

As for this computer, you can now make this publisher trusted by choosing A for Always run. If you choose V for Never run, you will explicitly make this publisher untrusted, and scripts signed by this certificate will not run.

Let’s stop and see what exactly is happening here. If you make any choice persistent (such as Always run or Never run), the code signing certificate is stored as a trusted or untrusted publisher on your computer. You can see this through the GUI if you open mmc.exe and load the Certificates snap-in, as shown in the following image.



Or, you could also do this from Windows PowerShell:

dir cert:\CurrentUser\TrustedPublisher

dir cert:\CurrentUser\Disallowed

As you will see in Step 4, you can also control this setting through Group Policy. For now, you can just click Run Once, and the script is allowed to execute. If you open the script, you will see that the signature is attached at the bottom.



You can also validate the signature using the Get-AuthenticodeSignature cmdlet.



In this step, I showed you how to sign a Windows PowerShell script, and also how to make it trusted or untrusted on your computer. In the next step, we will make the code signing certificate trusted in our domain using group policy.

Step 4: Make the code signing certificate trusted in my domain

If you were to deploy this in your domain, you would probably use Group Policy to make sure the code signing certificate in use is a trusted publisher. To do this there are two steps:

1. Export the code signing certificate.

2. Create a policy and import the code signing certificate into trusted publishers.

Export the code signing certificate

Let’s start with exporting the code signing certificate from the client computer where we requested the certificate.

Start the Certificates snap-in as shown in Step 2 yesterday. Open the Personal node, and then Certificates. In the content pane, you will now see your certificate. (The one with Intended Purpose set to Code Signing). Right-click the certificate, click All Tasks, and then click Export. You can see this in the following image.



Click Next in each of the three dialog boxes you see. Make sure that you save the certificate somewhere you can access it from the computer on which you are going to run Group Policy Management. There is no security risk making the public part of this certificate available, so you can store it wherever you want.



This finishes the export part from the client. Now we need to open up the Group Policy Management Console. This is a part of the Server Administration tools and is usually found if you have installed RSAT (Remote Server Administration Tools) on your client or on your domain controller. For this demonstration, I will run this from one of my domain controllers.

Create a policy and import the code signing certificate into trusted publishers

When I open the Group Policy Management Console, I start by creating a new policy. I open my domain (harper.labs), right-click it, and click Create a GPO in this domain, and Link it here.



Make sure that you create this Group Policy object (GPO) where you want it in your own domain. For this demonstration, I create it at the domain level. I give the policy the name Certificates Policy, and I click OK.



Select the policy (Certificates Policy) in the navigation pane, right-click it, and click Edit, as shown in the following image.



Wait for the Group Policy Editor to start, and then click Computer Configuration, click Policies, click Windows Settings, and then click Public Key Policies. You are now ready to start the import. Right-click Trusted Publishers, and then click Import.



In the dialog box that asks you for the certificate to import, select the certificate you exported earlier. Then click Next.



As shown in the following image, make sure the certificate is placed in the Trusted Publishers store, and click Next.



Now finish the wizard by clicking Finish. You have imported the certificate as a trusted publisher, which is shown in the following image.



You can confirm this by looking inside the Trusted Publishers node in the Group Policy Editor as shown in the following image.


So, the next time the policy is updated on computers in your domain, they will add this certificate as a trusted publisher. You can now run scripts signed by this certificate without being asked if the certificate is trusted or not. You can also do the same with untrusted certificates if you want.

I will test this from my client computer. I will first make sure that the certificate is not in my trusted publishers list. This should be done through the Certificates snap-in on my client.



Then I run gpupdate /force from my Windows PowerShell window. The results are shown in the following image.



When the update is finished successfully, I refresh the Trusted Publishers list in my Certificates snap-in. My certificate should now be listed as trusted, as shown in the following image.
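A check to run on a client after gpupdate, added here as an example (it is not from the original article): for a signed script it reports whether the signer's thumbprint sits in the Trusted Publishers or Disallowed store, which decides between the three outcomes described above (runs silently, prompts, or is refused). Get-PublisherTrust and the C:\Scripts path are hypothetical names, and the verdicts assume an AllSigned execution policy.

```powershell
# Added example; Get-PublisherTrust is a hypothetical helper, not a built-in cmdlet.
function Get-PublisherTrust {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full    = (Resolve-Path -LiteralPath $Path).ProviderPath
    $sig     = Get-AuthenticodeSignature -FilePath $full
    $thumb   = $null
    $trusted = @()
    $blocked = @()

    if ($null -ne $sig.SignerCertificate) {
        $thumb = $sig.SignerCertificate.Thumbprint
        # Look in the per-user and per-machine views of both stores.
        foreach ($scope in 'CurrentUser', 'LocalMachine') {
            if (Test-Path "Cert:\$scope\TrustedPublisher\$thumb") { $trusted += $scope }
            if (Test-Path "Cert:\$scope\Disallowed\$thumb")       { $blocked += $scope }
        }
    }

    # Disallowed wins over Trusted Publishers; an invalid signature
    # (for example HashMismatch after an edit) wins over both.
    $verdict = if ($null -eq $thumb)              { 'NotSigned' }
               elseif ($sig.Status -ne 'Valid')   { 'SignatureNotValid' }
               elseif ($blocked.Count -gt 0)      { 'Blocked' }
               elseif ($trusted.Count -gt 0)      { 'RunsWithoutPrompt' }
               else                               { 'PromptsUser' }

    New-Object psobject -Property @{
        Path         = $full
        Status       = $sig.Status
        Thumbprint   = $thumb
        TrustedIn    = ($trusted -join ',')
        DisallowedIn = ($blocked -join ',')
        Verdict      = $verdict
    }
}

# Usage over a folder of scripts (hypothetical path):
# Get-ChildItem C:\Scripts -Filter *.ps1 |
#     ForEach-Object { Get-PublisherTrust -Path $_.FullName } |
#     Format-Table Path, Status, Verdict, TrustedIn, DisallowedIn -AutoSize
```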



Psh[Cookham8]>Set-AuthenticodeSignature .\helloworld.ps1 -cert $cert

   Directory: C:\foo

SignerCertificate                         Status                                       Path
-----------------                         ------                                       ----
                                          UnknownError                                 helloworld.ps1

If I then use Notepad to save the file as ANSI, the results are what you want.

Psh[Cookham8]>Set-AuthenticodeSignature .\helloworld.ps1 -cert $cert

   Directory: C:\foo

SignerCertificate                         Status                                       Path
-----------------                         ------                                       ----
D42B4A6B4DBB8C697E5CA2CDD51A7F1F9325B632  Valid                                        helloworld.ps1
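The signing step from Step 3 and the encoding failure shown above, combined into one added example (not code from the original article or its comments). A known cause of that UnknownError is a script saved as UTF-16 big-endian, the PowerShell 2.0 ISE default; the helper names are hypothetical, and re-saving as UTF-8 rather than ANSI is this example's assumption.

```powershell
# Added example; Get-SigningCert, Test-BigEndianUnicode and
# Invoke-ScriptSigning are hypothetical helpers, not built-in cmdlets.

function Get-SigningCert {
    # "dir cert:\currentuser\my -CodeSigningCert" returns an array when the
    # store holds several certificates; pick one that can actually sign.
    $now = Get-Date
    $usable = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending)
    if ($usable.Count -eq 0) {
        throw 'No unexpired code signing certificate with a private key in Cert:\CurrentUser\My.'
    }
    $usable[0]   # the certificate with the longest remaining validity
}

function Test-BigEndianUnicode {
    param([Parameter(Mandatory = $true)][string]$FullPath)
    # UTF-16 big-endian files begin with the byte order mark FE FF.
    $bytes = [System.IO.File]::ReadAllBytes($FullPath)
    ($bytes.Length -ge 2) -and ($bytes[0] -eq 0xFE) -and ($bytes[1] -eq 0xFF)
}

function Invoke-ScriptSigning {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Timestamp URL taken from the command earlier on this page.
        [string]$TimestampServer = 'http://timestamp.comodoca.com/authenticode',
        [switch]$FixEncoding
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    if (Test-BigEndianUnicode -FullPath $full) {
        if (-not $FixEncoding) {
            throw "$full is UTF-16 big-endian; re-save it or pass -FixEncoding."
        }
        # Re-encode in place. UTF-8 is this example's choice; the page re-saved as ANSI.
        $text = [System.IO.File]::ReadAllText($full, [System.Text.Encoding]::BigEndianUnicode)
        [System.IO.File]::WriteAllText($full, $text, (New-Object System.Text.UTF8Encoding($true)))
    }

    $cert   = Get-SigningCert
    $signed = Set-AuthenticodeSignature -FilePath $full -Certificate $cert -TimestampServer $TimestampServer
    if ($signed.Status -ne 'Valid') {
        throw "Signing failed with status $($signed.Status): $($signed.StatusMessage)"
    }

    # Re-read the signature from disk instead of trusting the signing call's output.
    $check = Get-AuthenticodeSignature -FilePath $full
    New-Object psobject -Property @{
        Path        = $full
        Status      = $check.Status
        Signer      = $check.SignerCertificate.Thumbprint
        Timestamped = ($null -ne $check.TimeStamperCertificate)
        CertExpires = $cert.NotAfter
    }
}

# Usage (file name as in the console output above):
# Invoke-ScriptSigning -Path .\helloworld.ps1 -FixEncoding
```

A result with Timestamped set to False means the signature will stop validating once the date in CertExpires passes, which is the situation the TimeStampServer recommendation in Step 3 is meant to avoid.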