March 2006 - Posts
Continuing from my previous post, I found another easy-cheeky way to block MSN Messenger from ISA 2000 Server in Cached Mode or Integrated Mode. All you have to do is create a Site and Content Rule to block the *.msgr.hotmail.com destination set.
Procedure
1. Create a new destination set for "*.msgr.hotmail.com".
To create a destination set -
- Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management
- In the console tree of ISA Management, right-click Destination Sets, point to New, and then click Set.
- For array policy destination sets, the path is:
Internet Security and Acceleration Server > Servers and Arrays > Name > Policy Elements > Destination Sets
- For enterprise policy destination sets, the path is:
Internet Security and Acceleration Server > Enterprise > Policy Elements > Destination Sets
- In Name, type a name for the destination set such as "Block MSN".
- (Optional) In Description, type a description for the destination set.
- Click Add, click Destination, and type "*.msgr.hotmail.com".
2. Create a Site and content rule using the "Block MSN" destination set to deny "*.msgr.hotmail.com".
To create a site and content rule -
- In the console tree of ISA Management, right-click Site and Content Rules, point to New, and then click Rule.
- For array policy, the path is:
Internet Security and Acceleration Server > Servers and Arrays > Name > Access Policy > Site and Content Rules
- For enterprise policy, the path is:
Internet Security and Acceleration Server > Enterprise > Policies > Enterprise Policy > Site and Content Rules
- Type the name of the rule "Block MSN Messenger"
- Click the deny radio button and then click next.
- Click the Deny access based on destination radio button then click next.
- Select Specified destination set.
- Now select the "Block MSN" destination set that you created earlier.
- Click Next and Finish.
You have successfully created "Block MSN Messenger" site and content rule using "Block MSN" destination set that will deny access to "*.msgr.hotmail.com". Restart 'Microsoft ISA Server Control' service to test and let me know if that works or if that doesn't.
Yesterday I was trying to block MSN Messenger from ISA 2000 Server in Cached mode. I have done that before on ISA 2000 Server in Integrated mode using MSNIM.vbs script available from ISA Server Tools Repository - http://isatools.org/ (Thanks Jim for excellent tools site).
When I ran the script, it gave the following message:
Creating (or updating) the FW App Settings
Creating (or updating) the protocol definition
Creating (or updating) the protocol rule
Error 0x80040361; At least one protocol must be specified. - while trying to set ISA up for MSN Messenger
I quickly wrote to ISA Server guru Jim Harrison and he replied - "ISA 2000 can't block MSN Messenger using MSNIM.vbs script in cache mode".
In Part II we will see a cheeky method to block MSN Messenger from ISA 2000 Server.
MORE INFORMATION
Instant Messaging with ISA Server
http://www.microsoft.com/technet/prodtechnol/isa/2000/maintain/isaimsec.mspx
Common Application Signatures
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/commonapplicationsignatures.mspx
ISA Server Tools Repository
http://isatools.org/
Microsoft ISA Server Firewall and Cache resource site
http://www.isaserver.org/
Scripts for ISA Server
http://www.isascripts.org/
Dr. Tom Shinder's ISA Firewall Space
http://spaces.msn.com/drisa/
ISA Server Blogs
http://www.microsoft.com/isaserver/community/default.mspx
ISA Server Community (MVP's)
One of the forum members on http://groups.msn.com/NTarabia posted a problem on NTarabia with a strange issue and I thought to share that here.
Question: "When I double click any folder, instead of opening the folder it's going for the Search Option"
Answer:
You have the following options;
1. Run this command from the command prompt and then reboot:
regsvr32 /i shell32.dll
This should fix the Search Companion.
2. The other option is - Click Start, Run and enter REGEDIT and Navigate to:
HKEY_CLASSES_ROOT\Directory\Shell
Set the Default value to "none" without the quotes. To do this, double click where it says Default. If you want to do this automatically, then take a look at my script as attached on http://www.msnusers.com/NTarabia/Documents/PPT%20Slides%2FFIX%5FSearchCompanion%20%28zipped%29%20Folder.zip
Files: Fix_SearchCompanion_DIR.reg & Fix_SearchCompanion_DRIVE.reg. Run the files from the command prompt and restart your machine.
3. Also, take a look at a detailed solution offered by one of the MVP’s on http://windowsxp.mvps.org/searchwindow.htm
4. Last but not least, I also found an article on Microsoft;
Search Companion Starts If You Double-Click a Folder
http://support.microsoft.com/?kbid=321186
In CRM 3.0, Crystal Reports was replaced by SQL Reporting Services (SRS), and after the CRM 1.2 migration you will not be able to access the reports that were created, developed or customized in version 1.2.
To confirm the same, I quickly wrote to some of the Microsoft Dynamics CRM MVP's and they quickly responded (Kudos).
Anne Stanton: It is correct that Microsoft dropped Crystal and that you can't "migrate" the reports to SRS. Needless to say one of the huge disadvantages of customizations (the environment always changes). On the other hand there is built into 3.0 the ability to get access to your reports for manual conversion.
Matthew Wittemann: The bad news is that Crystal Reports are no longer supported in version 3.0. CRM 1.2 included a built-in license for Crystal Enterprise, which allowed the CRM system to serve up Crystal reports to licensed CRM users. Since CRM 3.0 now uses SQL Reporting Services, Microsoft did not include any license for Crystal. In order to continue providing access to Crystal reports to the end users, you would need to purchase a license of Crystal Enterprise Server. The other option is to re-create your custom reports in SQL-RS. There are also services on the internet that will convert your Crystal report to a SQL report for a small charge. (You can google “Convert Crystal Reports To SQL”). If you have a copy of the Crystal Report designer, you can continue creating reports against CRM databases and saving them as PDFs for manual distribution, though this is obviously not ideal.
Larry Lentz: To the best of my knowledge they do not migrate to CRM 3.0.
Andreas Donaubauer: You will have no possibility with an update from Crystal Reports (CRM 1.2) to SQL Reporting Services (CRM 3.0). Only one way - make again under SQL Reporting Services.
Jürgen Beck: There is not really an upgrade way from old CRM 1.2 reports (Crystal reports) to the new CRM 3.0 SSRS-reports. The easiest way is to forget the old reports and create new ones with SRS.
Mike Snyder: Unfortunately there isn’t a great Crystal Report migration story regarding Microsoft CRM 1.2 customers upgrading to Microsoft CRM 3.0. Customers will need to recreate their reports for SQL Reporting Services, or run their old Crystal Reports using a Crystal Reporting Server. Customers can, of course, access these Crystal Reports through the Microsoft CRM 3.0 User Interface by uploading the report as a “link to Web page” instead of a file. Simply specify the URL of the Crystal Reporting server and customers can run the reports from within Microsoft CRM.
That was good enough and I gave up the option to convert, though I found some hints of services that do convert Crystal Reports to SQL: http://www.rpttosql.com/index.html & http://www.ktlsolutions.com/t-crystalconverter.aspx
I have seen folks in the newsgroup seeking assistance in deploying Internet Explorer 6.0 using WSUS. As a matter of fact, WSUS only supports security updates aka patches and hotfixes to a particular application (categories) or Operating System and it does not support Application / OS upgrades.
Microsoft has another product called SMS to do such tasks.
UPDATED (April 26, 2006):
Bobbie has posted an update on microsoft.public.windows.server.update_services
Bobbie Harder (MSFT):
I should mention folks on the question of upgrading IE via WSUS - we do have future expectations of being able to support this in future versions of IE. No precise timelines known now but it is under heavy consideration and a key ask from many of our customers.
MORE INFORMATION
How to deploy Internet Explorer without local administrator logon
http://support.microsoft.com/?kbid=296702
Internet Explorer Administration Kit Home Page
http://www.microsoft.com/technet/prodtechnol/ie/ieak/default.mspx
IE Blog
http://blogs.msdn.com/ie/
HOW TO: Deploy and Manage Internet Explorer 6 Service Pack 1 on Windows 2000-Based Computers
http://support.microsoft.com/kb/814567/en-us
What can you expect in WSUS 3.0?
http://msmvps.com/blogs/athif/archive/2006/04/12/What_can_you_expect_in_WSUS_3_0.aspx
Bobbie Harder [MSFT] has posted an update on WSUS Product Team Blog. The news is another new product category aka Windows Vista Dynamic Installer will be added to WSUS Synchronization Options.
ISSUE# 3
So, now you have restored the database, corrected the mappings in Deployment.xml and we are ready to install CRM 3.0. Before you actually install CRM 3.0, run Microsoft CRM 3.0 Upgrade Advisor Wizard (CrmUpgradeAdvisor.exe). Advisor Wizard is a diagnostic tool that you can use to determine if your Microsoft CRM 1.2 installation can be upgraded to Microsoft CRM 3.0 and also make sure you have the licensing information.
You might see errors such as the following in the Upgrade Advisor report; if so, update SQL from SP3 to SP4:
<Error CheckId="E195606F-7BE7-49dc-9BFB-ADC4F144C79D" CheckType="Microsoft.Crm.Setup.Server.SqlServerValidator" GroupId="Sql" Description="Version" message="Minimum required version is SQL 2000 SP4 (8.0.2026).">
<HelpLink>SqlServerValidator.Version.htm</HelpLink>
</Error>
<Error CheckId="D6E8BA5F-B1E9-40ba-B36C-E06F837FDA92" CheckType="Microsoft.Crm.Setup.Server.SqlServerValidator" GroupId="Metadata" Description="Version" message="Minimum required version is SQL 2000 SP4 (8.0.2026).">
<HelpLink>SqlServerValidator.Version.htm</HelpLink>
</Error>
</Errors>
The most important thing is to make sure the Windows and SQL Service Pack and HOT FIX level of the production server is similar to that of the test server.
If the versions do not match then an error may occur when you reinstall Microsoft CRM to a new server, "Setup was unable to register the security service." If you click Ignore to continue the install process you will receive the error, "Error 1053: The service did not respond to the start or control request in a timely fashion." when trying to start the Microsoft CRM Security Service after a reboot.
This is due to a mismatch in the Service Pack level on the test server as compared to the actual database version, which means the Microsoft SQL server specified in the MSCRM registry key is not equal to the Microsoft SQL server that holds the CRM databases. You will find a list of installed hotfixes in the following location: C:\Program Files\Microsoft CRM\Hotfix Keyfiles\Server. All you have to do is install those hotfixes on the test server. In case you do not have all those fixes, there is a cheeky workaround which I found in the NG, as follows:
To resolve this, you have to compare the database version with MSCRM registry key with the production server and you will need to modify the registry so that MSCRM database version and registry version match.
1. On the CRM SQL server open SQL Enterprise Manager by clicking Start, click Programs, Click Microsoft SQL Server and then finally click Enterprise manager.
2. Within SQL Enterprise Manager click the + sign to the left of the Databases folder and then click the + to the left of the Your_Organization_Name_MSCRM database.
3. Click on the Tables object beneath the Your_Organization_Name_MSCRM database and then right-click on the table BuildVersion in the right window. Select Open Table and then click Return all rows.
4. Within the BuildVersion table note the values for BuildNumber, MajorVersion, MinorVersion, and Revision. You will need these values later when you verify them against the registry.
5. Now go to the Microsoft CRM Server and click Start, click Run, type regedit and click OK.
6. Locate the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM
7. Within the MSCRM subkey find the Database Version registry value, right-click on it and select Modify.
8. The Database Version registry value will look something like the below value:
1.2.3297.0
9. Modify this value to reflect BuildNumber, MajorVersion, MinorVersion, and Revision values that you had noted from the BuildVersion table in step 4.
a. The MajorVersion will reflect the first number in the above example.
b. The MinorVersion will reflect the second number in the above example.
c. The BuildNumber will reflect the third number in the above example.
d. The Revision will reflect the fourth number in the above example.
NOTE: You will probably only have to modify the Revision number.
10. Click OK.
11. Now right click on CRM_Server_Version registry value and select Modify.
12. Make sure that the CRM_Server_Version registry value matches the value of the Database Version registry value that you just modified.
13. Click OK and close the registry editor.
14. Now on the CRM Server click Start, click Run, type services.msc and click OK.
15. Within the Services window locate the Microsoft CRM Security service, right-click on it and select Start.
ISSUE# 2
Moving ahead to the next issue, you might encounter the error "An error occurred during mapping the computer accounts - the mapping failed" if the “Deployment.xml” file contains mappings for old servers (in my case it was the old CRM server) which no longer exist in Active Directory.
<mapping type="computer" role="" dbname="" oldguid="{3fbd6178-2aad-4911-8b46-8f00547de3e0}" newguid="<update manually>" oldname="CN=CRM-OLD-SERVER,CN=Computers,DC=sadad,DC=com" newname="<update manually>" oldsid="S-1-5-21-622582695-539100016-4190993944-1642" newsid="<update manually>" />
To circumvent this problem, you have to delete the above mapping for OLD-SERVERS. Save Deployment.xml and run RedeployWizard.exe successfully.
As discussed in my previous blog entry, let's now take a peek at some of the issues you might encounter during the CRM 1.2 migration to CRM 3.0.
ISSUE# 1:
1. Importing the “Mapping.xml” and “Deployment.xml” XML files might fail on the new test server with the error: "An error occurred during mapping the computer accounts - the mapping failed". To resolve this error, open import.log for more details. There is a KB article which discusses a hotfix, but that might not help. More information on http://support.microsoft.com/kb/889685/EN-US/
The reason you get this error is that the computer name, GUID and SID of the TEST CRM Server are not updated (newguid="<update manually>", newname="<update manually>", newsid="<update manually>"), so during the import process it attempts to reuse them and eventually fails with: "An error occurred during the mapping of computer accounts. The mapping failed. Exception of type System.Exception was thrown (SDTransform)."
To resolve this, open “Deployment.xml” in notepad (Make a copy of that before you actually edit). Watch for word-wrap and search for the following tag (<mapping type="computer");
<mapping type="computer" role="" dbname="" oldguid="{206e4599-8fa2-4e37-b893-6791f81b6369}" newguid="<update manually>" oldname="CN=CRM-PRODUCTION,CN=Computers,DC=DOMAIN,DC=com" newname="<update manually>" oldsid="S-1-5-21-622582695-539100016-4190993944-1640" newsid="<update manually>" />
Note that the XML file says to update the newguid="<update manually>", newname="<update manually>", newsid="<update manually>" of the new CRM TEST Server.
You have the newname of the TEST CRM Server. Now, the task is to get the newguid & newsid. This is achieved by using ADSIEDIT & GETSID.exe.
ADSIEDIT - ObjectGUID
- Install ADSIEDIT from Windows Server 2003 Support Tools.
- Launch ADSIEDIT.msc and browse through Domain - DC=DOMAIN,DC=COM - CN=COMPUTERS - CN=TEST-CRM-SERVER-NAME.
- Right click CN=TEST-CRM-SERVER-NAME, click Properties, double click the attribute objectGUID, copy the hexadecimal value and paste it into the deployment.xml file as newguid="<Paste objectGUID>".
GETSID - Get Security ID
You can identify the SID by using GetSID.exe. Getsid.exe is a simple tool that returns the SIDs for two user accounts that you specify and tells you whether the accounts' SIDs match. You must provide two account names. If you want to determine the SID for only one account, the simplest solution is to specify the same account twice.
- Install GETSID from Windows XP SP2 Support Tools.
- The syntax for Getsid.exe is - getsid \\server1 account \\server2 account. For instance; CMD: getsid \\TEST-CRM-SERVER-NAME administrator \\TEST-CRM-SERVER-NAME administrator
- Copy the SID to paste in the deployment.xml file newsid="<update manually>"
Now, simply paste the above values in the deployment.xml file as explained above. Run RedeployWizard.exe again and the import should be successful.
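The following Python sketch is an added example, not part of the original post or of the Redeployment Tools. It lists the computer mappings in Deployment.xml that still carry the placeholder, and fills one in, converting the objectGUID octets copied from ADSIEDIT into the braced form that the oldguid attributes above use. The function names and the new-server GUID and SID values are assumptions made up for illustration.

```python
import re
import uuid

# Placeholder text as shown on the page, plus its XML-escaped form.
PLACEHOLDERS = {"<update manually>", "&lt;update manually&gt;"}
# Attribute values may contain '<' and '>', so quoted attributes are matched
# explicitly instead of scanning for the next '>'.
MAPPING_TAG = re.compile(r'<mapping\b(?:\s+[\w:-]+="[^"]*")*\s*/?>')
ATTR = re.compile(r'([\w:-]+)="([^"]*)"')
SID = re.compile(r"S-1-\d+(?:-\d+)+")


def guid_from_adsiedit_hex(hex_text):
    """Convert 16 objectGUID octets ('99 45 6E ...' or '0x99 0x45 ...') to
    braced GUID text. The first three GUID fields are stored little-endian."""
    cleaned = re.sub(r"0x|[\s\\,]", "", hex_text, flags=re.IGNORECASE)
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", cleaned):
        raise ValueError("expected exactly 16 hex octets")
    return "{%s}" % uuid.UUID(bytes_le=bytes.fromhex(cleaned))


def unresolved_computer_mappings(xml_text):
    """Return (oldname, [attributes still holding the placeholder]) pairs."""
    found = []
    for tag in MAPPING_TAG.finditer(xml_text):
        attrs = dict(ATTR.findall(tag.group(0)))
        if attrs.get("type") != "computer":
            continue
        missing = [k for k in ("newguid", "newname", "newsid")
                   if attrs.get(k) in PLACEHOLDERS]
        if missing:
            found.append((attrs.get("oldname"), missing))
    return found


def fill_computer_mapping(xml_text, oldname, newname, guid_hex, newsid):
    """Fill newguid/newname/newsid for the one mapping whose oldname matches."""
    if not SID.fullmatch(newsid):
        raise ValueError("newsid is not a SID string")
    values = {"newguid": guid_from_adsiedit_hex(guid_hex),
              "newname": newname, "newsid": newsid}

    def patch(tag):
        text = tag.group(0)
        attrs = dict(ATTR.findall(text))
        if attrs.get("type") != "computer" or attrs.get("oldname") != oldname:
            return text
        return ATTR.sub(
            lambda a: '%s="%s"' % (a.group(1), values.get(a.group(1), a.group(2))),
            text)

    return MAPPING_TAG.sub(patch, xml_text)


# Constructed sample: the two computer mappings quoted in these posts.
SAMPLE = (
    '<mapping type="computer" role="" dbname="" '
    'oldguid="{206e4599-8fa2-4e37-b893-6791f81b6369}" newguid="<update manually>" '
    'oldname="CN=CRM-PRODUCTION,CN=Computers,DC=DOMAIN,DC=com" newname="<update manually>" '
    'oldsid="S-1-5-21-622582695-539100016-4190993944-1640" newsid="<update manually>" />\n'
    '<mapping type="computer" role="" dbname="" '
    'oldguid="{3fbd6178-2aad-4911-8b46-8f00547de3e0}" newguid="<update manually>" '
    'oldname="CN=CRM-OLD-SERVER,CN=Computers,DC=sadad,DC=com" newname="<update manually>" '
    'oldsid="S-1-5-21-622582695-539100016-4190993944-1642" newsid="<update manually>" />\n'
)

if __name__ == "__main__":
    for oldname, missing in unresolved_computer_mappings(SAMPLE):
        print(oldname, "still needs", ", ".join(missing))
```

Run it against a copy of Deployment.xml; any mapping still listed after filling in the test server is a candidate for the old-server clean-up described under ISSUE# 2.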
In the next blog entry, we will see some more issues related to the “Deployment.xml” file. Stay tuned!
Ok, I am involved in a CRM 1.2 migration to CRM 3.0 and I thought I would share my CRM migration experience :-).
Before you do an In-Place Upgrade, you might want to replicate the CRM 1.2 installation in a test-bed using the Microsoft Business Solutions CRM Redeployment Tools, which include the User Data Export Wizard and the Microsoft CRM Redeployment Wizard.
1. Backup the following from the Production aka Live Server;
- Run User Data Export Wizard (\Export folder) to extract Active Directory information about the CRM OU, its structure, the CRM users, their roles and group memberships in 2 XML files named “Mapping.xml” and “Deployment.xml”.
Now, you will have to backup the CRM SQL Database from the production server
a. Organization_Name_MSCRM Database
b. Organization_Name_METABASE
- Also, use BackupCrystal.exe (\ReportsTool folder) to backup Organization_Name_Crystal Database. (Note: Crystal password should be blank)
- Export the Customizations - To export Customization.xml, Browse to Start -> Programs -> Deployment Manager and right click on the top node and select Export Customizations.
- Export the Work Flow - To export Workflow.xml , Browse to Start -> Programs -> Microsoft CRM > Export Workflow.
2. Restore the following to the TEST SERVER;
- Restore the MS CRM Databases (On the NEW Server)
a. Organization_Name_MSCRM Database
b. Organization_Name_METABASE Database
- Install Redeployment Tools.
- Import “Mapping.xml” and “Deployment.xml” XML files on the test-bed, use Microsoft CRM Redeployment Wizard (\Redeploy folder) to import Active Directory information about CRM OU, its structure, the CRM users, their roles and group memberships in to the Active Directory, (Note that you will need to have Active Directory, Exchange Server & CRM Server with SQL Database in your test-bed)
3. Now, you might want to run Microsoft CRM 3.0 Upgrade Advisor Wizard (CrmUpgradeAdvisor.exe) to determine if your Microsoft CRM 1.2 installation can be upgraded to Microsoft CRM 3.0. Make sure the report is clean before you proceed.
4. Install CRM 3.0.
5. Finally, Import Workflow.xml and Customization.xml.
This is not so easy and you might encounter several issues. In my next blog entries, I will try to cover those :-)
“We are what we repeatedly do. Excellence, then, is not an act but a habit.” --Aristotle
Another new product category for Windows Internet Explorer 7.0 Dynamic Installer will be available via WSUS as posted on WSUS Product Team Blog. More information on Internet Explorer 7 Beta 2 Preview landing page http://www.microsoft.com/windows/ie/ie7/default.mspx.
Many times, WSUS admins want to configure the WSUSAdmin console for read-only use, which means they should be able to read reports etc. without manipulating any settings. Officially this is not supported in WSUS 2.0. Kudos to Rob Dunn who came up with a cheeky workaround. More information:
How do I configure the WSUS console for read-only access for reporting purposes? http://www.vbshf.com/vbshf/wsus/wsus_faq.htm#_Toc137608207
Beginner’s Admin FAQ for Windows Server Update Services
http://www.vbshf.com/vbshf/wsus/wsus_faq.htm
Thanks Rob!
Storing WSUS content on a SAN is not supported and WSUS cannot be installed on a cluster. The content must be stored locally on the WSUS server. Moreover, WSUS runs under the context of the "Network Service" account, which will not have permissions to external network resources.
Microsoft now releases ISO-9660 CD image files that contain all the security updates that are released on the Microsoft Windows Update Web site for Windows. The ISO image files are released at the same time as security updates are released on the Windows Update Web site.
MORE INFORMATION
http://support.microsoft.com/kb/913086
You may see Error 0x8024400A in WindowsUpdate.log. This is caused by a known issue with Windows Server 2003 http.sys and IIS. IIS 6.0 may send an "HTTP 100 Continue" response in the middle of the response stream when you send a POST request.
WARNING: SyncUpdates failure, error = 0x8024400a , soap client error = 10, soap error code = 0, HTTP status code = 200
2005-10-14 08:43:14 1116 634 PT WARNING: Sync of Updates: 0x8024400a
2005-10-14 08:43:14 1116 634 Agent * WARNING: Failed to synchronize, error = 0x8024400a
2005-10-14 08:43:14 1116 634 Agent * WARNING: Exit code = 0x8024400a
2005-10-14 08:43:14 1116 634 Agent *********
2005-10-14 08:43:14 1116 634 Agent ** END ** Agent: Finding updates
Further information about the issue and how to obtain the hotfix can be found on http://support.microsoft.com/?id=898708 . This hotfix (free of cost) requires Service Pack 1 to be installed on Windows Server 2003.
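To check many client logs for this pattern, the Python sketch below (an added example, not part of the original post or of any Microsoft tool) summarizes the warnings in a WindowsUpdate.log excerpt. It rejoins entries that were wrapped across lines, as happens when a log is pasted into mail or a web page, then counts the error codes per component and reports the HTTP status that accompanied each SyncUpdates failure. The sample lines are constructed from the excerpt above, with a timestamp added to the first one; the function names are made up for illustration.

```python
import re
from collections import Counter

# date, time, process id, thread id, component, message text
ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})(?::\d+)?\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9A-Fa-f]+)\s+(?P<component>\S+)\s+(?P<text>.*)$")
HRESULT = re.compile(r"0x[0-9A-Fa-f]{8}")
HTTP_STATUS = re.compile(r"HTTP status code = (\d{3})")


def join_wrapped(lines):
    """Re-attach continuation lines (no leading date) to the entry before them."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if ENTRY.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def summarize_failures(lines):
    """Return (Counter of (component, error code) over WARNING entries,
    list of (error code, HTTP status) for each SyncUpdates failure)."""
    codes = Counter()
    sync_http = []
    for entry in join_wrapped(lines):
        match = ENTRY.match(entry)
        text = match.group("text")
        if "WARNING" not in text:
            continue
        found = [c.lower() for c in HRESULT.findall(text)]
        for code in found:
            codes[(match.group("component"), code)] += 1
        status = HTTP_STATUS.search(text)
        if "SyncUpdates failure" in text and found and status:
            sync_http.append((found[0], int(status.group(1))))
    return codes, sync_http


# Constructed sample, wrapped the way a pasted log often is.
SAMPLE_LOG = """\
2005-10-14 08:43:14 1116 634 PT WARNING: SyncUpdates failure, error = 0x8024400a , soap client error = 10,
soap error code = 0, HTTP status code = 200
2005-10-14 08:43:14 1116 634 PT WARNING: Sync of Updates: 0x8024400a
2005-10-14 08:43:14 1116 634 Agent * WARNING: Failed to synchronize, error
= 0x8024400a
2005-10-14 08:43:14 1116 634 Agent * WARNING: Exit code = 0x8024400a
2005-10-14 08:43:14 1116 634 Agent *********
2005-10-14 08:43:14 1116 634 Agent ** END ** Agent: Finding updates
"""

if __name__ == "__main__":
    counts, sync = summarize_failures(SAMPLE_LOG.splitlines())
    for (component, code), n in sorted(counts.items()):
        print(component, code, n)
    print("SyncUpdates failures (code, HTTP status):", sync)
```

A SyncUpdates failure of 0x8024400a reported together with HTTP status code 200 is the combination shown in the excerpt above.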
MORE INFORMATION
http://www.wsuswiki.com/ClientFAQ
http://support.microsoft.com/?id=898708
If you are wondering why WSUS is not updating Office 2000 updates, then the simple reason is OFFICE 2000 IS NOT SUPPORTED through WSUS. WSUS will only support Office XP & Office 2003.
With Exchange Service Pack# 2, Intelligent Message Filter V2 updates are available every first and third Wednesday through Microsoft Update and Automatic Updates technologies like Windows Server Update Services (WSUS) and System Management Services (SMS).
To enable the updates, you must create the ContentFilterState registry DWORD value, set to 1, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange as explained on http://support.microsoft.com/?kbid=907747#XSLTH3131121123120121120120. Adding this value enables the Exchange Server 2003 to receive updates from AU, WU or WSUS. Note that the SMTP Service has to be restarted.
From WSUS, you must add the following Update Classification - "Update Rollups" which will then download IMF updates as well as Windows Malicious Software Removal Tool.
As posted on WSUS Product Team Blog, "Today you will see a new product category in your WSUS synchronization options dialog, Microsoft Client Protection, which is part of the new “System Protection Products” family."
Bobbie, thanks for the update :-)
This time, I wanted to block/permit Skype (2.0.0.97) messenger using ISA. There is a good discussion about allowing Skype from ISA Server on www.isaserver.org discussion lists. According to Skype Technical FAQ, The minimum requirement is that Skype needs unrestricted outgoing TCP access to all destination ports above 1024 or to ports 80 and 443 (the former is better, however).
If you don’t allow either of those, Skype will not work reliably at all. Now, even if you open these ports, Skype will not work if you have authentication enabled on outgoing ISA web proxy requests. The fact is that Skype does not support authenticating proxies or authenticating firewalls.
Following is an excerpt of the ISA Web Proxy log which tells the story. As you can see, the request fails with HTTP Status Code 407, which means Proxy Authentication Required, and eventually it fails to connect.
Source IP, anonymous, -, N, 3/21/2006, 9:45:48, w3proxy, PROXY-MN, -, 69.204.225.214, -, 443, 0, 39, 2722, SSL-tunnel, -, CONNECT, -, -, -, 407, -, -, -
Source IP, anonymous, -, N, 3/21/2006, 9:45:48, w3proxy, PROXY-MN, -, 69.204.225.214, -, 443, 0, 108, 2722, SSL-tunnel, -, CONNECT, -, -, -, 407, -, -, -
So, if you want to open ports for Skype or allow Skype from ISA then you might want to disable authentication on outgoing ISA web proxy requests. That's the only way it works :-(.
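Before changing the proxy setting, it helps to know which clients are affected. The Python sketch below is an added example, not part of the original post. It goes a little beyond the two log lines shown and reports every client and destination pair whose CONNECT requests only ever received 407 and were never followed by an authenticated retry. The field positions are read off the excerpt above and are an assumption about the rest of the log; the client addresses, the second destination and the user name in the sample are constructed.

```python
from collections import defaultdict

# Zero-based field positions read off the excerpt above (assumption: the
# whole log uses this same 25-field comma-separated layout).
F_CLIENT, F_USER, F_HOST, F_PORT, F_OPERATION, F_STATUS = 0, 1, 9, 11, 17, 21


def parse_line(line):
    """Return a dict for one log line, or None for headers and malformed lines."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) <= F_STATUS:
        return None
    if not (fields[F_PORT].isdigit() and fields[F_STATUS].isdigit()):
        return None
    return {
        "client": fields[F_CLIENT],
        "user": fields[F_USER],
        "host": fields[F_HOST],
        "port": int(fields[F_PORT]),
        "operation": fields[F_OPERATION],
        "status": int(fields[F_STATUS]),
    }


def clients_stuck_on_407(lines):
    """Return {(client, host, port): 407 count} for CONNECT destinations where
    the client never came back with credentials and got through."""
    denied = defaultdict(int)
    authenticated = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["operation"] != "CONNECT":
            continue
        key = (rec["client"], rec["host"], rec["port"])
        anonymous = rec["user"].lower() == "anonymous"
        if anonymous and rec["status"] == 407:
            denied[key] += 1
        elif not anonymous and rec["status"] < 400:
            authenticated.add(key)
    return {k: n for k, n in denied.items() if k not in authenticated}


# Constructed sample: the two lines from the excerpt (with a made-up client
# address) plus a browser that answers the 407 with credentials.
SAMPLE_LOG = """\
# constructed header line, skipped by the parser
10.0.0.21, anonymous, -, N, 3/21/2006, 9:45:48, w3proxy, PROXY-MN, -, 69.204.225.214, -, 443, 0, 39, 2722, SSL-tunnel, -, CONNECT, -, -, -, 407, -, -, -
10.0.0.21, anonymous, -, N, 3/21/2006, 9:45:48, w3proxy, PROXY-MN, -, 69.204.225.214, -, 443, 0, 108, 2722, SSL-tunnel, -, CONNECT, -, -, -, 407, -, -, -
10.0.0.30, anonymous, -, N, 3/21/2006, 9:46:02, w3proxy, PROXY-MN, -, shop.example.com, -, 443, 0, 120, 2722, SSL-tunnel, -, CONNECT, -, -, -, 407, -, -, -
10.0.0.30, EXAMPLE\\alice, -, Y, 3/21/2006, 9:46:02, w3proxy, PROXY-MN, -, shop.example.com, -, 443, 1520, 980, 4310, SSL-tunnel, -, CONNECT, -, -, -, 200, -, -, -
"""

if __name__ == "__main__":
    for (client, host, port), n in clients_stuck_on_407(SAMPLE_LOG.splitlines()).items():
        print("%s -> %s:%d got %d x 407 and never authenticated" % (client, host, port, n))
```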
PROCEDURE:
1. Open the ISA Management console. Right click on your server name and click the Properties command.
2. In the server’s Properties dialog box, click on the Outgoing Web Requests tab.
3. On the Outgoing Web Requests tab, remove the checkmark from the Ask unauthenticated users for identification checkbox.
Bobbie Harder, WSUS PM has posted some good information with regard to New location to find information about WSUS updates. Thanks Bobbie.