Public Folders Missing from Exch 2007/2010 after Removing Exch 2003 Server

June 3rd, 2011 by Paul Sterley | 23 Comments | Filed in Exchange Server, In the Exchange Box

You completed your migration. Everything was working great. You did some cleanup in ADSIEdit. A while later, after a reboot, your Public Folders went missing! The event log errors look something like this: MapiExceptionADPropertyError: Unable to mount database. (hr=0x80004005, ec=2418)

Well, if you were dumb like this guy and myself, you did this:
“It started when I removed the Exchange 2003 First Administrative Group from Active Directory with adsiedit. The old EX2003 server was not in the Old Administrative Group, but Ex2007 public folders had a dependency on a ‘Folders Hierarchies’ object in the old Administrative Group.”

Here are the instructions to fix it:
Open ADSI Edit, connect to a Domain Controller, and change the context to Configuration.

Create the Folder Hierarchies container under the Exchange Administrative Group

  1. Navigate to Configuration ⇒ Services ⇒ Microsoft Exchange ⇒ [your organization] ⇒ Administrative Groups ⇒ [your administrative group].
  2. Right click [your administrative group] and select New Object.
  3. Select msExchContainer as the class and click Next.
  4. Enter Folder Hierarchies as the value, click Next, then Finish.

Create the Public Folders Tree Object

  1. Right click Folder Hierarchies and select New Object.
  2. Select msExchPFTree as the class and click Next.
  3. Enter Public Folders as the value and click Next.
  4. Click the More Attributes button, select msExchPFTreeType and set the value to 1.
  5. Click OK, then Finish.

Populate the msExchOwningPFTree attribute of the PF Store
(Tell the Public Folder database where to find the new folder hierarchy you just created.)

  1. Double click the newly created “Public Folders” object.
  2. Double click distinguishedName, copy the value to the clipboard, and click Cancel.
  3. Exchange 2007: open the properties of Configuration ⇒ Services ⇒ Microsoft Exchange ⇒ [your organization] ⇒ Administrative Groups ⇒ [your administrative group] ⇒ Servers ⇒ [your server] ⇒ Information Store.
     Exchange 2010: open the properties of Configuration ⇒ Services ⇒ Microsoft Exchange ⇒ [your organization] ⇒ Administrative Groups ⇒ [your administrative group] ⇒ Databases ⇒ [your Public Folder database].
  4. Double click the msExchOwningPFTree attribute and paste the value that was copied to the clipboard in step 2.
  5. Click OK twice.

Here’s a screen shot of where to find the attribute.

Try to mount the Store

  1. Restart the Microsoft Exchange System Attendant service.
  2. Open Exchange System Manager and try to mount the PF store. It is usually found under Organization Configuration ⇒ Mailbox ⇒ Database Management tab.

There are some almost-correct instructions out there for this problem:
You may find similar instructions telling you to use “msExchPublicFolderTreeContainer” for the class of the Folder Hierarchies object. I followed those instructions the first time around, and as a result the Public Folder database would mount, but when I opened the Public Folder Management Console in the Toolbox, I got this error:
Couldn't find a MAPI public folder tree. It was running the command 'get-publicfolder -getchildren -identity '\' -server 'myserver.mydomain.local''
So do yourself a favor and use “msExchContainer” instead. Thanks, James Luo, you’re the man!
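As an added check (not part of the original post), the PowerShell script below reads the objects the procedure creates and reports whether the PF database's msExchOwningPFTree resolves to an msExchPFTree with msExchPFTreeType 1, and which class the Folder Hierarchies parent actually has, which is the point the msExchContainer vs. msExchPublicFolderTreeContainer discussion turns on. The database DN is a placeholder you paste from ADSI Edit.

```powershell
# Added example (not from the original post): verify the AD wiring the fix above
# creates. Run on a domain-joined machine with rights to read the Configuration
# partition. The DN below is a PLACEHOLDER: paste the distinguishedName of your
# Public Folder database (2010) or Information Store (2007) object from ADSI Edit.
$pfDbDn = "CN=PLACEHOLDER-PF-DATABASE,CN=Databases,CN=PLACEHOLDER-ADMIN-GROUP,CN=Administrative Groups,CN=PLACEHOLDER-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local"

function Test-PfTreeLink {
    param([string]$DatabaseDn)

    $db = [ADSI]"LDAP://$DatabaseDn"
    try { $treeDn = [string]$db.Properties["msExchOwningPFTree"].Value }
    catch { return "FAIL: cannot read $DatabaseDn ($($_.Exception.Message))" }
    if (-not $treeDn) { return "FAIL: msExchOwningPFTree is empty; the store has no hierarchy to mount" }

    # A DN that no longer resolves is what is left after deleting the old
    # administrative group in ADSI Edit: the ec=2418 mount failure from the event log.
    $tree = [ADSI]"LDAP://$treeDn"
    try { $classes = @($tree.Properties["objectClass"].Value) }
    catch { return "FAIL: msExchOwningPFTree points at a missing object: $treeDn" }

    if ($classes -notcontains "msExchPFTree") {
        return "FAIL: $treeDn is a $($classes[-1]), not an msExchPFTree"
    }
    $treeType = $tree.Properties["msExchPFTreeType"].Value
    if ($treeType -ne 1) {
        return "FAIL: msExchPFTreeType is '$treeType'; a MAPI public folder tree needs 1"
    }

    # The post found that Folder Hierarchies had to be an msExchContainer for the
    # Public Folder Management Console to work; report the parent's class for comparison.
    $parent      = [ADSI]$tree.Parent
    $parentClass = @($parent.Properties["objectClass"].Value)[-1]
    return "OK: $DatabaseDn -> $treeDn (msExchPFTreeType=1); parent '$($parent.Properties['name'].Value)' is $parentClass"
}

Test-PfTreeLink -DatabaseDn $pfDbDn
```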

Remove “Copy: ” from Outlook Calendar Items

June 2nd, 2011 by Paul Sterley | No Comments | Filed in Exchange Server, Not in the Exchange Box, Workstation OS

This post is copied from here. Thanks, Josh!

Recently I changed over to a new company (sort of, long story) and had to import all my calendar items onto the new Exchange server. Actually, I wanted all my email, tasks, and everything to move, so I exported my entire mailbox as a PST and then opened it while connected to the new server and moved everything from the PST onto the server. It was all fine until I noticed all my calendar items now begin with “Copy: ”. Most annoying. So I wrote a VBA script to take the word “Copy: ” out of the beginning of all my appointments. Actually, the concepts behind the script are useful anytime you’d want to loop through a list of Outlook items. Here’s the script:

Sub deleteCopyText()
    Dim counter As Integer
    Dim objOL As Outlook.Application
    Dim objNS As Outlook.NameSpace
    Dim colCal As Outlook.Items
    Dim objAppt As Outlook.AppointmentItem

    Set objOL = CreateObject("Outlook.Application")
    Set objNS = objOL.GetNamespace("MAPI")
    ' All items in the default Calendar folder
    Set colCal = objNS.GetDefaultFolder(olFolderCalendar).Items
    counter = 0

    For Each objAppt In colCal
        ' Only touch subjects that start with the six characters "Copy: "
        If Left(objAppt.Subject, 6) = "Copy: " Then
            'MsgBox objAppt.Subject
            ' Drop just the leading prefix; Mid keeps everything from character 7 onward
            objAppt.Subject = Mid(objAppt.Subject, 7)
            'MsgBox objAppt.Subject
            objAppt.Save
            counter = counter + 1
        End If
    Next

    MsgBox "Complete. " & counter & " items renamed."
End Sub

This script will ignore anything that does not begin with “Copy: ”. You can uncomment the msgbox lines if you want to see what change it is going to make one by one. To run it, open Outlook. Press Alt+F11; this will get you into the VBA environment. Right click Project1 in the Project window and select “Insert -> New Module”. Paste the code above (from Sub deleteCopyText() to End Sub). Press F5 to run the script, or if you want to be cautious, press F8 and it will run it one line at a time (press F8 repeatedly until you are satisfied it is doing what you think it should, then press F5 to run the script without stopping). You probably won’t want to run the script with the msgbox lines uncommented if you have lots of calendar items, otherwise it will pop up two message boxes that you have to clear for each calendar item it is going to change. If that happens to you, press Ctrl+Break to stop the script. You could also comment out objAppt.Save if you just wanted to run the script to see how many calendar items it is going to change (no changes will actually be made).

POSTED BY JOSH AT 9:55 AM on MONDAY, DECEMBER 07, 2009

One thing to try if Symantec Endpoint Protection’s firewall trashes your networking

May 24th, 2011 by Paul Sterley | 2 Comments | Filed in Antivirus Software, Symantec, Workstation OS

Recently, I was uninstalling Symantec Endpoint Protection from a Windows XP workstation, and it didn’t want to go quietly.

I went through this KB article from Symantec’s website, but I found it to be incomplete in a very frustrating way. Specifically, I call your attention to this section:

Step 5: Restore Network Adapters

  1. Right-click on My Network Places and click Properties.
  2. Right-click on the network adapter and click Properties.
  3. If the “Teefer2 Driver” is listed under “This connection uses the following items:”, then select the “Teefer2 Driver” and click the Uninstall button to remove the driver.
  4. Click Close to close dialog box.
  5. Right-click on the adapter Connection and select Repair. (Only available on Windows XP and 2003)
  6. Repeat this process for each affected network adapter.

NOTE: The Teefer2 driver no longer shows under network adapter properties as of MR3.

Well, guess what revision we had? MR3 or higher, because there was NO Teefer2 driver visible in the NIC properties. Does that mean the driver wasn’t hijacking your network card? Oh, you wish!

After following the KB article, SEP seemed to be (mostly) gone (Security Center still complained that it was not started), but the network card was basically non-functional. IPCONFIG resulted in a blank readout. Running a repair failed with an error message about not being able to communicate with TCP/IP (sorry, I didn’t write that one down). It worked OK in Safe Mode with Networking though.

I proceeded to rip the Teefer2 driver out of Device Manager with the “show hidden devices” option turned on, and yanked it out of the registry wherever I could find it. I ended up with a broken network card driver. It had a yellow exclamation mark. When I removed it and let Windows re-detect it, I got this error: “An Error Occured During The Installation Of The Device. The system cannot find the specified file.”

After a fair amount of web searching, I found this thread.

Basically, the solution was this: using regedit, backup and then delete the REG_BINARY value ‘CONFIG’ (not the “network” key) from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network.

That’s it! After doing that, I told Device Manager to look for new hardware, and it found the NIC drivers and I was surfing the web in no time.

There is a Microsoft KB article on a similar topic. It’s a different situation, but it shows that the removal of this registry value is a valid troubleshooting step for clearing out the config of a messed-up network card, in case you have any doubts.
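An added example, not from the original post: a PowerShell function that performs the backup-then-delete step in a checked way (the value exists, it is REG_BINARY, and the reg.exe export was actually written) before anything is removed. The backup path is a placeholder.

```powershell
# Added example (not from the original post): back up the Network key with reg.exe,
# then remove only the REG_BINARY 'Config' value described above. Run from an
# elevated PowerShell prompt on the affected machine; the backup path is a PLACEHOLDER.
$keyPath    = "HKLM:\SYSTEM\CurrentControlSet\Control\Network"
$exportPath = "HKLM\SYSTEM\CurrentControlSet\Control\Network"   # same key in reg.exe syntax
$backupFile = "C:\PLACEHOLDER-BACKUP\Network-Config.reg"

function Remove-NetworkConfigValue {
    param([string]$KeyPath, [string]$ExportPath, [string]$BackupFile)

    $key = Get-Item -Path $KeyPath
    if ($key.GetValue("Config") -eq $null) {
        return "Nothing to do: there is no 'Config' value under $KeyPath"
    }
    # The post is specific about the REG_BINARY value, not the 'network' subkey.
    if ($key.GetValueKind("Config") -ne [Microsoft.Win32.RegistryValueKind]::Binary) {
        return "Unexpected: 'Config' is not REG_BINARY; leaving the registry untouched"
    }
    if (Test-Path $BackupFile) {
        return "Backup file already exists: $BackupFile; pick a new name so nothing is overwritten"
    }

    # Export the whole key first; double-clicking the .reg file restores it if needed.
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    & reg.exe export $ExportPath $BackupFile | Out-Null
    if (-not (Test-Path $BackupFile)) {
        return "Backup failed; 'Config' left in place"
    }

    Remove-ItemProperty -Path $KeyPath -Name "Config"
    return "Removed 'Config' from $KeyPath (backup: $BackupFile). Now scan for hardware changes in Device Manager."
}

Remove-NetworkConfigValue -KeyPath $keyPath -ExportPath $exportPath -BackupFile $backupFile
```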

I tried sending an e-mail to Lance. I was going to send him a thank-you gift, but the e-mail bounced. Thanks, Lance, wherever you are!

How to Assign an Existing SSL Certificate to Remote Desktop Gateway in SBS2011

May 24th, 2011 by Paul Sterley | 4 Comments | Filed in In the Windows Box, Windows Server

You may receive the following message when you try to connect to a company workstation using Remote Web Workplace on SBS 2011:
“This computer can’t connect to the remote computer because no certificate was configured to use at the terminal services gateway server.”

There are a number of possible causes for this error, but in this case, we were NOT using the self-signed certificate, and had carried over the SSL certificate from a previous server and manually added it to the SSL site bindings in IIS Management.

In order to eliminate the error, we needed to tell Remote Desktop Gateway which SSL certificate to use. I found a handy help topic in SBS for this. But first we had to find Remote Desktop Gateway Manager.

It’s not installed by default. First you have to go into Server Manager and “Add Feature”. It’s under Remote Server Administration Tools -> Role Administration Tools -> Remote Desktop Services Tools. Check the box for “Remote Desktop Gateway Tools”. Then it appears in Server Manager under Roles -> RD Gateway Manager.

Here’s the SBS help topic:

Select an Existing Certificate for Remote Desktop Gateway
After you obtain and install a certificate for the RD Gateway server, you must map the certificate to the RD Gateway server by using Remote Desktop Gateway Manager. If you map an RD Gateway server certificate by using any other method, RD Gateway will not function correctly.

Note:
This procedure is not required if you created a self-signed certificate for RD Gateway.

To import the Remote Desktop Gateway certificate:

  1. On the RD Gateway server, open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  2. In the Remote Desktop Gateway Manager console tree, right-click the local RD Gateway server, and then click Properties.
  3. In the Properties dialog box for the RD Gateway server, on the SSL Certificate tab, click Select an existing certificate from the RD Gateway <RD Gateway Server Name> Certificates (Local Computer)/Personal store, where <RD Gateway Server Name> is the name for the computer on which the RD Gateway server is running.
  4. Click “Import Certificate”.
  5. In the Import Certificate dialog box, click the certificate that you want to use, and then click Import.
  6. Click OK to close the Properties dialog box for the RD Gateway server.

If this is the first time that you have mapped the RD Gateway certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the RD Gateway Server Status area in Remote Desktop Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.


How to Configure Mobile VPN with SSL on a Watchguard Firewall to use Active Directory Authentication

March 16th, 2011 by Paul Sterley | No Comments | Filed in Firewall Configuration, Hardware, In the Windows Box, Security, Windows Server
  • These instructions are based on Windows Server 2003 and Watchguard XTM 11.3.2 on an XTM 23 appliance, using Policy Manager version 11.3.2-B290753.
  • You can view the documentation that this configuration is based on here.

Overview:

Details below.

Set up the Authentication Server in the Firewall:

  1. Click Setup -> Authentication -> Authentication Servers.
  2. Click the Active Directory tab.
  3. Check the box to enable it.
  4. Type the IP address of the Active Directory Domain Controller server.
     Note: if your AD server is on the other side of a BOVPN tunnel, see the WG documentation for how to configure this.
  5. In the port field, put either 389 (if the DC is NOT a Global Catalog server) or 3268 (if the DC is a GC server).
  6. In the Search Base field, type your LDAP search base.
     Note: If your internal AD domain name is “company.local” and your security groups are in an OU called “CompanyGroups”, then your search base might be “CN=CompanyGroups,DC=company,DC=local”. You can shorten this to just “DC=company,DC=local” if you’re not sure of the path to your OU and you don’t mind it searching the entire AD. If you need help finding your search base, refer to the WG documentation.
  7. The Group String should already be set to “memberOf”. Leave it at the default.
  8. You only need a DN and password for the Searching User under special circumstances. Refer to the WG documentation if you have any questions about this. Most configurations will not require this, so leave it blank if you’re not sure.
  9. Click OK.

Set up Mobile VPN with SSL in the Firewall:

  1. Click VPN -> Mobile VPN -> SSL.
  2. Check the box to activate Mobile VPN with SSL.
  3. Drop down the Authentication Server list and choose Active Directory.
  4. Select the external IP address for the users to connect to.
     Note: If you have any inbound port translation rules for SSL, for example Outlook Web Access or Remote Web Workplace, you will need to use a different IP address that does not have a conflicting rule, or change the port number on the Advanced tab of Mobile VPN with SSL properties. If you change the port, you reduce the likelihood of the VPN working in diverse environments such as airports, hotels, wireless hotspots, etc., where ports for internet access may be restricted.
  5. Drop down the Network and IP Address Pool list and choose Bridge VPN traffic.
     Note: you may choose to configure your setup differently. This step does not change the configuration of the authentication server. If you would rather connect via routed traffic instead of bridged traffic, see the WG documentation for details.
  6. If you are using Bridging, then drop down the “Bridge to interface” list and select “Trusted”.
  7. Specify a start and end IP address for the firewall to draw from. Document these and exclude them from your DHCP pool to avoid IP address conflicts.
  8. Click the Advanced tab.
  9. If needed, you can adjust the Authentication and Encryption methods here as well as keepalive settings. Most configurations will not require this.
  10. If port 443 is in use on the Primary Firebox IP Address you specified on the General tab, you will need to change the port in the “Data channel” area.
  11. Specify a DNS domain name. This should match your internal Active Directory domain name, for example “company.local”.
  12. Specify a DNS server for DNS name resolution.
  13. If appropriate to your network, specify a WINS server for NetBIOS name resolution.
  14. Click OK.

On the Domain Controller:

  1. Create a Global Security Group in or under the OU you specified in your Search Base earlier.
  2. The name of the security group MUST BE “SSLVPN-Users”. It is case sensitive.
  3. Populate the security group with VPN users.
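An added diagnostic, not from the original post or the WatchGuard documentation: this PowerShell function reproduces what the firebox does with the settings above (a simple LDAP bind on the chosen port, then a memberOf lookup under the search base, compared case-sensitively against CN=SSLVPN-Users), so a failed VPN login can be pinned on the AD side before the firewall is reconfigured. The DC address, port, search base and group are placeholders; you are prompted for the account to test as DOMAIN\user. Note the search base uses OU= for an organizational unit; only built-in containers such as Users are CN=.

```powershell
# Added example (not from the original post or WatchGuard). Needs PowerShell 2.0+
# on a machine that can reach the DC on the LDAP port. All values are PLACEHOLDERS.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dcAddress  = "192.0.2.10"    # IP typed into the Authentication Servers tab
$ldapPort   = 389             # 389 for a plain DC, 3268 if the DC is a Global Catalog server
$searchBase = "OU=CompanyGroups,DC=company,DC=local"  # an OU is OU=...; the built-in Users container is CN=Users
$groupName  = "SSLVPN-Users"  # fixed, case-sensitive group name required by Mobile VPN with SSL

function Test-SslVpnUser {
    param([string]$Server, [int]$Port, [string]$Base, [string]$Group,
          [System.Management.Automation.PSCredential]$Credential)

    # Simple bind as the user, as the firebox does when no Searching User is configured.
    # Over 389 the password crosses the wire in the clear, so run this from the trusted network.
    $nc       = $Credential.GetNetworkCredential()        # enter the account as DOMAIN\user
    $bindUser = if ($nc.Domain) { "$($nc.Domain)\$($nc.UserName)" } else { $nc.UserName }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($bindUser, $nc.Password)
    try { $conn.Bind() } catch { return "FAIL: bind to ${Server}:$Port rejected: $($_.Exception.Message)" }

    # Same lookup the firewall performs: find the user under the search base, read memberOf.
    $filter = "(&(objectCategory=person)(sAMAccountName=$($nc.UserName)))"
    $req    = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $filter, "Subtree", "memberOf")
    $resp   = $conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0) {
        return "FAIL: $($nc.UserName) not found under $Base; the search base does not cover the user's OU"
    }
    $attr   = $resp.Entries[0].Attributes["memberOf"]
    $groups = if ($attr) { @($attr.GetValues([string])) } else { @() }

    # The firewall matches on the group's CN (case-sensitive), so compare the first RDN of each DN.
    $match = $groups | Where-Object { ($_ -split ",")[0] -ceq "CN=$Group" }
    if ($match) { return "OK: $($nc.UserName) is a member of $match" }
    return "FAIL: $($nc.UserName) authenticated but is not in $Group (memberOf: $($groups -join '; '))"
}

Test-SslVpnUser -Server $dcAddress -Port $ldapPort -Base $searchBase -Group $groupName -Credential (Get-Credential)
```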

On the Workstation:

  1. Open a web browser and connect to https://(firewall IP address or FQDN)[:port]/sslvpn.html. You can leave off the colon and the port if the port is 443.
     Note: You can also download the client software from the WG website and distribute it manually.
  2. Accept the SSL certificate warning (if any) and proceed to the web page.
  3. Log into the Watchguard firewall using a domain user account that is in the SSLVPN-Users security group.
  4. Download one of the client packages and install it.
  • When the client software asks for the server information, use the external IP address or FQDN of the firebox. Add a colon and a port number if it is not using 443. For example: “mail.company.com:444”.
  • The username and password are the user’s domain username and password, provided the account is a member of the SSLVPN-Users security group. You do not need to qualify the user account with “domain\”.
