THE OFFICIAL BLOG OF THE SBS "DIVA"

The Official SBS Blog : WSUS 3.0 SP1 Installation Behavior:
http://blogs.technet.com/sbs/archive/2008/05/16/wsus-3-0-sp1-installation-behavior.aspx

Matt Makowicz who came to New Orleans for the conference, flew back for his son's communion and then flew back to New Orleans for the remainder of the conference. http://www.ambitionmission.com/  How's that for major "Dad" brownie points.

Matt reminded me of memory lane.... he remembered that one of the ways you could get clients 'into' SBS 4.0 was to buy Lantastic Modem Share for $60 and then buy the upgrade version of SBS 4.0 as it was considered a competitive 'upgrade' to get into SBS 4.0.  Man I had forgotten that.

"He lives in New Jersey with his lovely wife and four children."

Make that his lovely "amazing" wife and four children. 

http://www.ambitionmission.com/blog

SVCHOST 100% hanging systems after upgrading to WSUS 3.0 SP1 - microsoft.public.windows.server.update_services | Google Groups:
http://groups.google.com/group/microsoft.public.windows.server.update_services/browse_thread/thread/aee38f4f2c28168a/988031068bfdb1ea?lnk=st&q=#988031068bfdb1ea
100% CPU utilization on svchost.exe or Automatic Updates service - TechNet Forums:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3241867&SiteID=17

So if you've seen some SVChost issues recently, check to see if you are running Computer Associates.

..and then ask yourself... what antivirus these days "just works" as less of them seemingly do these days.

http://blogs.msdn.com/aaron_margosis/attachment/691411.ashx

LuaBuglight 1.0 can be downloaded from there

http://blogs.msdn.com/aaron_margosis/archive/2008/05/09/info-about-lua-buglight-2-0.aspx  |  Comments

I recently did a TechNet webcast about the upcoming LUA Buglight 2.0.

You can view the webcast here, and download the slides here.

I hack up my Vista.  I really do.  In order to ensure that my users have a very nice experience, when I have a sucky, crappy old application, because the same brick walls I hit in XP running as a user are the same brick walls in Vista, I hack up the registry in Vista to ensure that the users don't have UACs ever time they open up the application.

But I'm looking forward to LuaBuglight 2.0

P.S. it's my opinion that I'm not lowering the security of the OS by taking the program files\Intuit and giving it full permissions.  Given that the application demands the alternative that we run as administrator, making judicial permission changes balances the risk.

Intuit has now changed the way they program.  But the reality is that I must have older versions inside my office.  The risk of hacking up the registry of the OS is vastly superior to turning off UAC or runAs Administrator for that entire application, in my opinion.

The Official SBS Blog : SBS Best Practice: Backup and Restore of IIS Configuration:
http://blogs.technet.com/sbs/archive/2008/05/15/sbs-best-practice-backup-and-restore-of-iis-configuration.aspx

Essential Business Server (EBS) demo with Bjorn | Media | TechNet Edge:
http://edge.technet.com/Media/Essential-Business-Server-EBS-demo-with-Bjorn/

There are times that I showcase my "customer" viewpoint.  We were chatting earlier about the features in the Essential Business Server and one of the folks said that some partners he had been talking to wanted to have their own firewall product rather than the forefront gateway, not because of technical merit mind you...but "due to the margins they make on the firewall they sell".

Doesn't that sound a bit odd or is it just me?

There are folks out there that present themselves as "trusted advisors" that are not going down the "Amy Babinchak's rules of firewall shopping" and instead picking the firewall soley based on the product kickback they get?  That just sounds a bit odd is all.  In the CPA world we have to disclose when we get commissions and what not.  So it will be interesting to see how this holds out.

Isn't that edge piece the most important thing you can choose?  And yet rather than evaluate and place in there the right solution or in the case of EBS the right integrated solution, they want to know what sort of margins Forefront kicks back?

Doesn't that taint your decision making process?

As a beancounter I understand that we're here to make a buck, but at least make sure that the thing you are getting the margin on has value to your customer, won't you? 

The following “hot topics” were posted and resolved during the month of
April:

Office:

PRODUCT: Word 2007

Issue Description:
------------------------------
When you send emails from Word 2007, the email is sent to the Outbox.
However, the send email window stays and never closes.

Cause:
------------------------------
The addins in Outlook. "Business Contact Manager for Outlook addin" or
"ribbonCustomizer Add-in" may cause such an issue.

Resolution:
------------------------------
1. Exit Outlook.
2. Click Start > Run > type outlook /safe, click OK.
3. Send emails from Word 2007 again. It should work fine now.
4. And then restart Outlook into normal mode, click the Tools menu > Trust
Center.
5. Choose Addins > choose Com Addins, click Go.
Uncheck the addins one by one. Click OK, OK. Test the issue until the issue
is fixed.

6. Thus, you can narrow down which addin causes such an issue and then
disable it to fix the issue. If you do want to use that addin in Outlook, to
workaround the issue, manually close the email window after you sent it.

PRODUCT: Entourage/Outlook

Issue Description:
------------------------------
When you send *jpg file attachments via Entourage and receive the email with
Outlook 2003/2007, you cannot open or preview the *.jpg file on the PC.

Cause:
------------------------------
It is caused by a security update for Outlook - KB945432
When you installed the patch KB945432 on the PC with Outlook 2003, Emails
with .JPEG attachments from Entourage clients cannot be opened on machines
that are running Outlook 2003 with patch KB 945432 installed.

Resolution:
------------------------------
It is a known issue. Follow the steps below to remove the Patch KB945432 to
temp workaround it.

1. On the PC with Outlook 2003, go to Start > Control Panel > Add or Remove
Programs.
2. Check the option "show updates".
3. Select the patch KB945432. And choose Uninstall/Remove to remove it.
4. Restart the PC and check the *.jpg file attachments. What is the result?

Also, apply the hotfix 951701 will fix the issue. However, the hotfix is not
published. If this issue is urgent or your would like to obtain this hotfix
at your convenience, you may contact Microsoft Customer Service and Support
(CSS) directly to obtain the hotfix in a timely manner. For a complete list
of CSS phone numbers and information about support costs, visit the
following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

PRODUCT: Excel 2007

Issue Description:
------------------------------
When you open Excel and then open an Excel file, the blank sheet is not
replaced by the opening file. Thus, there is an additional blank worksheet.

Cause:
------------------------------
There is an Excel file (blank worksheet) in the XLSTART folder which will be
auto loaded when Excel starts.

Resolution:
------------------------------
#1 Check the Excel Startup folder.
Please backup and then delete any files that are located in the following
Excel Startup folders. Following folders is for Excel 2003. If you are using
other version, please change the folder accordingly (Excel 2007: Office12).

-- C:\Program Files\Microsoft Office\Office11\Startup
-- C:\Program Files\Microsoft Office\Office11\Xlstart
-- %userprofile%\Application Data\Microsoft\Excel\XLSTART
-- The folder specified in the "At startup, open all files in" box (on the
General tab of the Options dialog box) in Excel program

Note: Some of the above folders may be hidden.
#2 Come into Excel safe mode to test the issue

Under Excel safe mode, it doesn't load the third party addins, Excel setting
registry keys, and the files in the startup folder.

1. Click Start->Run, type "Excel /safe" (without the quotation marks) in the
Open box.
Note: There is a space between the Excel and the /safe switch.
2. Click OK. Open an Excel file to see if there is still an additional blank
spreadsheet.

PRODUCT: Project Server 2007

Problem description
----------
One workstation cannot connect to Project Server via Project Professional
when the Project Server is protected by a certificate, receiving the
following error message:
Bad Certificate (CERT_REV_FAILED) (ID 0x800a1529)

Resolution
----------
Modify the IE certificate revocation settings:
Go to Internet Options > Advanced tab and disabled the following two
options:
- Check for publisher's certificate revocation
- Check for server certificate revocation

PRODUCT: WSS 3.0 with SP1

Problem description
----------
How to add/select users from other domains while the target domain and the
native domain only has one-way trust.

Cause
----------
We can use the peoplepicker-searchadforests command line to specify a user
account to access the target domain.

stsadm -o setproperty -url http://servername:port -pn
peoplepicker-searchadforests -pv
"domain1:contoso,username,password;domain2:nwtraders,username,password"

To shorten the delay, we can use the
Peoplepicker-activedirectorysearchtimeout command line.

To rollback to the state where peoplepicker doesn't query the target domain,
we can run the command below.

stsadm -o setproperty -url http://servername:port -pn
peoplepicker-searchadforests -pv "NULL"

Additional Reference
----------
Peoplepicker-searchadforests: Stsadm property (Office SharePoint Server)
http://technet.microsoft.com/en-us/library/cc263460.aspx

Peoplepicker-activedirectorysearchtimeout: Stsadm property (Office
SharePoint Server)
http://technet.microsoft.com/en-us/library/cc263496.aspx

Multi Forest/Cross Forest People Picker peoplepicker-searchadcustomquery
http://blogs.msdn.com/joelo/archive/2007/01/18/multi-forest-cross-forest-people-picker-peoplepicker-searchadcustomquery.aspx


PRODUCT: WSS 3.0

Problem description
----------
When you access the WSS 3.0 site from the extranet, you cannot check out
documents in the document library. The error is: "Object reference not set
to an instance of an object".

Cause
----------
By a test, we found that the documents can be checked out in the document
library without issues when accessing the WSS 3.0 site using the internal
URL.

So this issue is most likely caused by the Alternate Access Mappings
settings for the web application.

Resolution
----------
Set the AAM settings as below:

Internal URL: https://portal.xxxxx.co.uk

Extranet Zone;

Public URL for Zone: https://portal.xxxxx.co.uk

PRODUCT: MOSS

Issue Description:
------------------------------
Enabling the Client Integration for this web application resolved this
issue.

PRODUCT: MOSS 2007

Issue Description:
------------------------------
When accessing the page which contains a XMLFORMVIEW webpart that is used to
show InfoPath forms from the extranet, the page cannot be displayed
properly. It works fine when browsing from the intranet.

Cause:
-----------------------------
This is very likely that the URL returned to the user from MOSS 2007 is not
accessible on the extranet. This issue usually occurs if there is a reverse
proxy server standing in the middle and forwards the web requests to an
internal address.

Resolution:
-----------------------------
You set the forward address as the Internal URL in the Alternate access
mapping settings and set the external URL as the Public URL for zone. The
issue then is resolved.

PRODUCT: Project 2007

Issue Description:
------------------------------
One PM receives "ProjectOptCurrencyDigitsInvalid" when trying to create a
new proposal.

Cause:
--------------------------------
The "No. of digits after decimal" of currency is 3 (or a number more than 2)
on the hosting server.

Resolution:
-----------------------------
1. On the hosting server, click on Start > Control Panel > Regional and
Language Settings.
2. Click Customize on the Regional Options tab.
3. Change the "No. of digits after decimal" on the Currency tab to a number
less than 3.

Product: MOSS 2007

Issue description
------------------------------
After you upgrade SPS 2003 to MOSS 2007, you receive an error "HTTP Error
401.1 - Unauthorized: Access is denied due to invalid credentials" when
trying to access the MOSS site that being enabled Kerberos authentication
and a custom host header.  However, this error only occurs on the MOSS
server and you can successfully access the MOSS site from other clients.

Cause:
------------------------------
This is because that Windows Server 2003 SP1 include a loopback check
security feature that is designed to help prevent reflection attacks on your
computer. Therefore, authentication fails if the FQDN or the custom host
header that you use does not match the local computer name.

Resolution:
------------------------------
Disable the loopback check:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

Related KB Articles:
----------------------------
You receive error 401.1 when you browse a Web site that uses Integrated
Authentication and is hosted on IIS 5.1 or IIS 6
http://support.microsoft.com/?id=896861

In this Issue:

TOP SUPPORT ISSUES
NEW & UPDATED KB ARTICLES
NEW & TOP DOWNLOADS
NEW WEBCASTS

TOP SUPPORT ISSUES
===============
The following "hot topics" were posted and resolved during the month of May:


Issue #1
======
Problem Description
-------------------------
you would like some user accounts and computers to exclude from receiving
the password policy settings. You need to make sure that domain
Administrator account does not get affect it by the GPO.


Cause:
--------
In Windows 2003 environment, we are limited to use a single password policy
per domain. As you mentioned, password policy only work while linked to
Domain node. So all user accounts will be affected by a single password
policy in Windows 2003 environment.


We can apply the password policy settings to Organization Group (OU) or
computer accounts in Windows Server 2008 directly.


Issue #2
=======
Problem Description
-------------------------
DNS records (Forward and Reverse zones) are not registered correctly. The
client IP is resolved to other computer names.


Resolution
--------------
This issue can occur if:

1. DNS scavenging is not enabled on the Reverse lookup zone. Removed client
computers may leave their PTR records there.
2. There are backup/restore applications on DNS server, restoring DNS
database.

Remove Old records and enable DNS scavenging on reverse DNS zones.

Issue #3
======
Problem Description
--------------------------
SRMSVC event 8197 and the FRSM console appear: "Unable to connect to the
FSRM service on the computer..." with a red X.


Cause:
---------
The issue is caused by the BMC software and we manually register the
following dlls.

1 Stop the BMC Patrol agent.

2  Register the following dlls

- Regsvr32 srm.dll
- Regsvr32 srmsvc.dll
- Regsvr32 srmsched_ps.dll

3. Restarted the FSRM service


Issue #4
=======
Problem Description
-------------------------
unable to install the OCS Web Access

Resolution
-------------
1. We download and install MBExplorer by installing IIS 6 Resource Kit
Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyId=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en.

2. Used Metabase Explorer

3. Expand LM and click on W3SVC

4. We go to the properties of WebSvcExtRestrictionList in the right hand
pane.

5. Click on the General Tab.

Check if the "User Type" is set to "FILE" If so, let's change the "User
Type" to "SERVER"

6. Click OK and closed Metabase Explorer

7. Do the following commands to restart the IIS:

IISRESET /RESTART


Issue #5
=======
Problem Description
-------------------------
Windows Server 2008 printer supports both X86 and X64 printer drivers.


Resolution
--------------
To support client computers that use different processor architectures than
the print server, you must install additional drivers. For example, if your
print server is running a 64-bit version of Windows and you want to support
client computers running 32-bit versions of Windows, you must add x86-based
drivers for each printer.

 To add client printer drivers to the print server

 1.  Right-click the printer to which you want to add additional printer
drivers, and then click Manage Sharing.

2.  Click Additional Drivers. The Additional Drivers dialog box appears.

3.  Select the check box of the processor architecture for which you want to
add drivers.

For example, if the print server is running an x64-based edition of Windows,
select the x86 check box to install 32-bit version printer drivers for
client computers running 32-bit versions of Windows.

4.  If the print server does not already have the appropriate printer
drivers in its driver store, Windows prompts you for the location of the
driver files. Download and extract the appropriate driver files, and then in
the dialog box that appears, specify the path to the .inf file of the
driver.

Note:   You might not be able to extract some printer drivers without
installing them. If this is the case, log on to a client computer that uses
the same processor architecture as the printer drivers that you want to add
to the print server, and install those printer drivers. Then use Print
Management from the client computer to connect to the print server, and add
the additional drivers from the Additional Drivers dialog box. Windows
automatically uploads the drivers from the client computer to the print
server.

Issue #6
=======
Problem Description
-------------------------
You are unable to block File and printer share in firewall. Even we
explicitly block port 139 and 445, clients are still able to access server
shares.

Cause:
------------
You have defined a security policy in which "Ports used by System RPC
Applications" is enabled. The ports are enabled by Upload manager and will
always open regardless of whether those ports are explicitly enabled or not

Resolution
--------------
We manually remove "Ports used by System RPC Applications" and reboot the
server. Now, we can successfully block port 139 and 445 while enabling
custom scope successfully.

Issue #7
=======
Problem Description
-------------------------
Unable the activate the Windows 2008 Server Core via slmgr.vbs.

Cause:
--------
There is no KMS server in the current domain.

Solution:
-----------
Change the product key and use the "slmgr.vbs - ato" to activate the server
core.


Issue #8
=======
Problem Description
-------------------------
Virtual Server Host clustering meeting problems when VMs connects to the
three different Virtual networks

Cause:
--------
- Two nodes virtual server hosting cluster
- Three Virtual Networks connect to the same physical network adapter (three
VLAN)

Resolution
--------------
1. Place the .VNC files on the C:\ on each node--------------Notice the
event 1042 on the host server
2. Correct the options.xml file on each node to have  the same ID for each
network----------------Virtual Server service stops responding
3. Install the hotfix 941125-------------------this fixed the issue

944815 Network connection of guest machine is broken after performing a
Cluster failover
http://support.microsoft.com/default.aspx?scid=kb;EN-US;944815

The Virtual Server service may stop responding when the service is starting
if one or more of the virtual machines are configured to automatically start
when the Virtual Server service starts
http://support.microsoft.com/kb/941125/en-us

Issue #9
=======
Problem Description
-------------------------
Host server loses Lan connections when we attach the internal network
adapters


Resolution
--------------
DisableTaskoffload

1. Update the NIC drivers of the host physical NIC

2. Click Start, click Run, type regedit, and then click OK.

3. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

4. Click Edit, point to New, and then click DWORD Value.

5. Type DisableTaskOffload as the entry name, and then press ENTER.

6. Right-click DisableTaskOffload, and then click Modify.

7. In the Value data box, type a value of 1, and then click OK.

8. Quit Registry Editor.

9. Restart your computer.
You experience intermittent communication failure between computers that are
running Windows XP or Windows Server 2003
http://support.microsoft.com/kb/904946




NEW & UPDATED KB ARTICLES
====================
(949229) - Describes a problem that occurs in Virtual PC 2007 and in Virtual
PC 2004. Specifically, the clipboard on the host computer does not function
correctly. A workaround is provided.
- 4/9/2008 - /default.aspx?scid=kb;en-us;949229

(840319) - Lists the host operating systems that you can use to install and
run Microsoft Virtual Server 2005.
- 5/5/2008 - /default.aspx?scid=kb;en-us;840319

(951041) - Describes the supported paths for upgrading from Windows Server
2003 to Windows Server 2008. Also provides upgrade considerations for Server
Core installations of Windows Server 2008.
- 4/28/2008 - /default.aspx?scid=kb;en-us;951041

(950824) - Describes an issue in which the AuthzInitializeContextFromSid
function does not enumerate domain local groups of the domain user account
in Windows Server 2003 when you run the function in a different domain
context.
- 4/29/2008 - /default.aspx?scid=kb;en-us;950824

(109626) - Describes how to enable logging of debug information by using a
debug version of Net Logon and the required debug .dll files.
- 4/21/2008 - /default.aspx?scid=kb;en-us;109626

(258503) - Describes a problem where event ID 5788 and event ID 5789 are
logged when the DNS domain name and the Active Directory domain name differ
on a Windows-based computer.
- 5/5/2008 - /default.aspx?scid=kb;en-us;258503

(294418) - In the following table, the increased maximum resources of
computers that are based on 64-bit versions of Windows and the 64-bit Intel
processor are compared with existing 32-bit resource maximums.
- 4/29/2008 - /default.aspx?scid=kb;en-us;294418

(837361) - Lists the registry entries in Windows Server 2003 that can be
used for Kerberos protocol testing and for troubleshooting Kerberos
authentication issues.
- 4/11/2008 - /default.aspx?scid=kb;en-us;837361

(871236) - Describes new events that appear when user rights are missing
from the Cluster service account.
- 4/30/2008 - /default.aspx?scid=kb;en-us;871236

(885013) - Describes an issue where a Warning event ID 1009 is logged in the
System log on the Terminal Server License server. Requires the addition of a
registry entry to resolve this issue.
- 4/16/2008 - /default.aspx?scid=kb;en-us;885013

(884049) - Describes a problem where the Aclui.dll file displays incorrect
ACLs for Active Directory objects that have permissions set for the Domain
Administrators group. Notice that this is a display issue only. Permissions
are correctly enforced.
- 4/18/2008 - /default.aspx?scid=kb;en-us;884049

(918165) - You may experience one or more issues with the Windows shell or
with Windows Explorer after you apply security update MS06-015 (908531).
- 4/25/2008 - /default.aspx?scid=kb;en-us;918165

(884070) - Discusses a problem that occurs when your program crashes because
of disk errors.
- 4/29/2008 - /default.aspx?scid=kb;en-us;884070

(894571) - Describes an ActiveX control deployment problem that occurs when
you use the methods that are described in KB articles 241163 and 280579 to
deploy an ActiveX control through Active Directory. Resolution is provided.
- 4/22/2008 - /default.aspx?scid=kb;en-us;894571

(895361) - This article documents the support boundaries for customers who
run Office on 64-bit versions of Windows operating systems.
- 4/29/2008 - /default.aspx?scid=kb;en-us;895361

(925876) - Discusses the Remote Desktop Connection 6.0 client update that is
available for download in the Download Center.
- 4/29/2008 - /default.aspx?scid=kb;en-us;925876

(923628) - Fixes a problem that occurs when you perform a backup in Windows
Server 2003 with SP1. If the backup uses a volume snapshot, the backup
application stops responding.
- 4/30/2008 - /default.aspx?scid=kb;en-us;923628

(950310) - Fixes an issue in which a Windows Server 2003-based computer may
encounter a nonpaged pool memory leak when the Single Instance Storage
driver processes an alternative stream. A workaround is provided.
- 4/29/2008 - /default.aspx?scid=kb;en-us;950310

(935640) - Provides a list of the recommended hotfixes and program updates
for cluster nodes that are running Windows Server 2003 Service Pack 2.
- 4/14/2008 - /default.aspx?scid=kb;en-us;935640

(947478) - Describes a problem that may occur on a Windows Server 2003-based
computer that has a McAfee product installed.
- 5/5/2008 - /default.aspx?scid=kb;en-us;947478

(951202) - Fixes an issue in which the Diskpart.exe utility is unable to
convert local disks to dynamic disks on a Windows Server 2003-based computer
that has the Cluster service installed.
- 4/25/2008 - /default.aspx?scid=kb;en-us;951202


NEW & TOP DOWNLOADS
================
Step-by-Step Guide for Testing Hyper-V and Failover Clustering
http://www.microsoft.com/downloads/details.aspx?FamilyID=cd828712-8d1e-45d1-a290-7edadf1e4e9c&DisplayLang=en

Documentation for Windows Deployment Services in Windows Server 2008
http://www.microsoft.com/downloads/details.aspx?FamilyID=f199c4db-1737-42dc-902b-67fc48bf58d1&DisplayLang=en

Security audit events for Microsoft Windows Server 2008 and Microsoft
Windows Vista
http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b&DisplayLang=en

Windows Server 2008 Multilingual User Interface Language Packs
http://www.microsoft.com/downloads/details.aspx?FamilyID=e9f6f200-cfaf-4516-8e96-e4d4750397ff&DisplayLang=en

Group Policy Documentation Survival Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=66643d52-bd3d-4b10-972c-316eca5dbedf&DisplayLang=en

Windows Server 2008 Step-by-Step Guides
http://www.microsoft.com/downloads/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5-acaf31de6dce&DisplayLang=en

Microsoft Operations Framework (MOF) 4.0
http://www.microsoft.com/downloads/details.aspx?FamilyID=457ed61d-27b8-49d1-baca-b175e8f54c0c&DisplayLang=en

Microsoft Baseline Security Analyzer 2.1 (for IT Professionals)
http://www.microsoft.com/downloads/details.aspx?FamilyID=f32921af-9dbe-4dce-889e-ecf997eb18e9&DisplayLang=en

NEW WEBCASTS
==========
MSDN Webcast: Windows Server 2008 and Hyper-V Virtualization for Building
Server Appliances (Level 100)
http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032376314%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e

Momentum Webcast: Client Virtualization Solutions from Microsoft and HP
(Level 100)
http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032375769%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e

TechNet Webcast: Managing Windows Server 2008 with Server Manager (Level
200)
http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032375368%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e

Momentum Webcast: Plan Your Windows Server 2008 Migration in Less Time with
Fewer Resources (Level 200)
http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032375368%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e

The following “hot topics” were posted and resolved during the month of
April:

Windows Client

Product: Internet Explorer
Issue Description:
----------
The address bar did not turn to green when you accessed websites with EV
certificates installed.

Cause:
----------
The latest Root Certificates Update is not installed.

Resolution:
----------
Download the latest Root Certificates Update from the Microsoft Update
Catalog site and install it:
http://catalog.update.microsoft.com/v7/site/Home.aspx

Product: Internet Explorer

Problem description
----------
User1 can use IE without problem. However, User2 cannot view some pages with
a yellow triangle in the bottom left corner. This issue persists after
performing some troubleshooting steps such as creating new user account,
SFC, reinstalling IE7, disabling third party add-ons and resetting IE.

Cause
----------
Some security software such as Norton Internet Security installed on the
computer does not give permissions to the Registry in some users.

Resolution
----------
Run subinACL and secedit to reset some registry permission and security
policies.

Product: Internet Explorer
Issue Description:
----------
Install the certificate on the notebook, it is always listed in Intermediate
Certification Authorities but not in Trusted Root Certification Authorities

Cause:
----------
Incorrect user permission

Resolution:
----------
Use domain administrator rights to install.

Product: Windows XP
Problem description
----------
Some user's offline files disappeared, want to recover the offline files

Cause
----------
The server is down.

Resolution
----------
Use CSCCMD ver 1.1 and run the command "csccmd.exe /extract
/target:C:\ExtractedFiles /recurse" to extract the cached offline files.

Product: Windows XP

Problem description
----------
The following DCOM error is logged in the system event log:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10024
Date:  4/23/2008
Time:  12:13:42 AM
User:  N/A
Computer: STEFANON
Description:
The machine wide group policy Access Limits security descriptor is invalid.
The security descriptor is defined as an invalid Security Descriptor
Definitions Language (SDDL) string. The requested action was therefore not
performed. Please contact your administrator to get the security descriptor
corrected in the Group Policy settings.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Cause
----------
Improper security descriptor setting of the following security option:
DCOM: Machine Access Restrictions in Security Descriptor Definition Language
(SDDL) syntax

Resolution
----------
Delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DCOM

Product: Windows XP

Issue Description:
--------------
It shows a message that says iexplore.exe will not close when you shut down
the computer. The computer quickly becomes very slow to respond after
connecting to the Internet.

Cause:
------------
Two unusual startup programs and some malware sites listed in the hosts
file.

Resolution:
-----------------
Eliminate two startup programs and the malware sites listed in the hosts
file.

Product: WINDOWS VISTA

Issue Description:
----------
When you used the Remote Desktop to connect to a server from your Vista
workstation, it displayed a partial logon window and hanged.

Cause:
----------
Improper display and experience settings of the Remote Desktop client.

Resolution:
----------
Reduce the remote desktop size and colors and disable some experience
options:

1. Click Start, type mstsc in the Start Search box and press Enter.
2. Click Options to expand it.
3. Switch to the Display tab, reduce the "Remote desktop size" to "640 by
480 pixels" and the Colors to "256 Colors".
4. Switch to the Experience tab, uncheck all the listed features and click
Connect.

Product: Windows VISTA

Issue Description:
----------
Tried to map a network drive to an older SnapGear NAS on a Vista client. The
logon failed.

Cause:
------------
Windows Vista defaults to use NTLMv2 authentication protocol which does not
work with your NAS.

Resolution:
----------
Change the default authentication protocol by the steps below:

1. Click Start, type secpol.msc in the Start Search box and press Enter.
2. Expand Local Policies->Security Options.
3. In the right pane, locate "Network security: LAN Manager authentication
level" and double click to open it.
4. Select "Send LM & NTLM - use NTLMv2 session security if negotiated" from
the dropdown list and click OK.

Product: WINDOWS VISTA

Issue Description:
----------
The network connection lost after standby. You had to disable and enable the
NIC to re-establish the LAN connection.

Cause:
----------
Incompatible NIC driver.

Resolution:
----------
Update the NIC driver.

Product: WINDOWS VISTA

Issue Description:
-----------------
You are unable to access the shared folder on a Windows Vista computer. The
error 2021 and 2017 are recorded in the event log on this Windows Vista
computer

Cause:
--------------
The error 2021 and 2017 in the Event log usually indicate the insufficient
amount of space for server service to use nonpaged memory pool.

Resolution:
-------------
1. On the Windows Vista computer, click Start > type regedit.exe in the
Start Search box, and press Enter.
2. Navigate to
HKEY_LOCAL_
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters.
3. Changed the registry values MaxWorkItems =12000 and
MaxNonPagedMemoryUsage 0x5000000.

Note: If the two values do not exist, we can manually create them. To create
them, create a new DWORD and input the name: MaxWorkItems and set the value
to 12000. Repeat this step to create MaxNonPagedMemoryUsage and set the
value to 0x5000000.

Product: WINDOWS VISTA

Issue Description:
----------------
On a Windows Vista computer, you are unable to access the shared resources
which are located on a Windows 2003 server by using IP address. However, you
can successfully access them by using computer name.

Cause:
------------
This issue could be caused by the incorrect routing caused by the IPv6
protocol on Windows Vista.

Resolution:
-------------
Disable IPv6 on Windows Vista.

Product: Windows VISTA

Issue Description:
----------
Vista SP1 cannot be installed due to the error code 0x800703F0

Cause:
----------
1. Security software conflicts
2. Corrupt transactional log
3. Some Related services are not started.

Resolution:
----------
1. Uninstall AVG7 and COMODO Firewall Pro
2. Reset transactional log
3. Verify and start related services

In this Issue:

TOP SUPPORT ISSUES
NEW & UPDATED KB ARTICLES
NEW & TOP DOWNLOADS
NEW WEBCASTS

TOP SUPPORT ISSUES
===============
The following "hot topics" were posted and resolved during the month of May:

Issue #1
======
Problem Description
-------------------------
Can't install the management point on it it refer with an error

Component::SMS_MP_CONTROL_MANAGER
Message ID:4951

SMS Site Component Manager failed to install this component, because the
Microsoft Installer File for this component (MP.msi) could not install.

Cause:
-------------
In MPsetup.log we see: WEBDAV Web Service Extension is installed but not
enabled on IIS.

Resolutions
---------------
1. From the server, please open IIS manager by running inetmgr.
2. Click on the "Web service Extensions" node, make sure BITS server
extension and WebDAV extension are allowed there.
3. If you have made any changes, restart IIS solves the issue

Issue #2
=======
Problem Description
-------------------------
When you log on SCCM and run exadschm.exe. Schema extension fails, in logs
see it cannot create necessary object in AD Error code=8206 for majority of
attributes; 8202 for the last four.

Resolution
--------------
Error code 8206 indicates AD replication problems.
Please note that schema update is forest wide thus if you have multiple
domains in the forest, please make sure there is at least one DC in each
domain is functional, also the replication between those DC should work
fine.

After forcing replication between DCs, we can successfully extend the
schema.


Issue #3
======
Problem Description
--------------------------
MOM database keeps increasing size

Cause:
-----------
This issue can occur if one of the following is true:

1. DTS job is not transferring data.
2. Rules collecting much data that is filling databases.
3. There are many agents in the network.

Resolution
-------------
Modify database grooming settings

How to modify the number of days to retain data in the SystemCenterReporting
database in Microsoft Operations Manager 2005
http://support.microsoft.com/kb/887016/

How to troubleshoot DTS and database sizing issues in MOM 2005 Reporting
http://support.microsoft.com/kb/899158


Issue #4
=======
Problem Description
-------------------------
You would like to customize email notification Subject line, by adding
"computer name" in the subject line.

Cause
--------
We have to add regular expression to add computer name into subject line.

Resolution
-------------
Change the subject line to:

Alert: $Data/Context/DataItem/AlertName$ Severity:
$Data/Context/DataItem/Severity$ Computer:
$Data/Context/DataItem/ManagedEntityPath$\$Data/Context/DataItem/ManagedEntityDisplayName$

"E-Mail subject" setting ignored by SCOM 2007
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.mom&tid=d8b08607-2b02-4cd0-9ddf-7bf99680af42&cat=en_US_28500dde-63ed-4dee-a495-2de73147392c&lang=en&cr=US&sloc=&p=1


Issue #5
=======
Problem Description
-------------------------
You receive alerts from SCOM2007 Server: "Terminal Services Active Sessions
metric above baseline"

Cause
-------------
this issue can occur if the current baseline value is not appropriate for
the current network. We can prevent this alert by either disabling the rule
or, creating overrides for it.

Resolution
-------------
1. Modify inner sensitivity and outer sensitivity by overrides.
2. create a custom rule to monitor inactive/active terminal sessions.

OpsMgr by Example: Configuring Baselines
http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!183.entry?wa=wsignin1.0

Operations Manager 2007 Create a unit monitor Wizard
http://technet.microsoft.com/en-us/library/bb309681.aspx


Issue #6
=======
Problem Description
-------------------------
Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 13002
Date:  21/02/2008
Time:  9:13:19 AM
User:  N/A
Computer: <SERVERNAME>
Description:
Client computers are installing updates with a higher than 25 percent
failure rate. This is not normal.

Cause
-------------
Corrupt BIST job pending in the BITS queue

Resolution
-------------
Running the following script to reset BITS queue:

===================Reset.bat================
@echo off
rem Batch file to clear the BITS queued jobs:
net stop bits
net stop wuauserv
Del /q "%ALLUSERSPROFILE%\Application
Data\Microsoft\Network\Downloader\qmgr0.dat"


Del /q "%ALLUSERSPROFILE%\Application
Data\Microsoft\Network\Downloader\qmgr1.dat
Rd /s /q "%Windir%\SoftwareDistribution\"
net start bits
net start wuauserv
wuauclt /detectnow
==================Reset.bat====


Issue #7
=======
Problem Description
-------------------------
Your WSUS server doesn't work after you promoting the server to DC

Cause
-------------
1. Local groups have been deleted.
2. Security permissions over registries and files have been changed.

Resolution
-------------
We decide to remove the old installation instance and reinstall WSUS server
per the following steps.

Step1: Delete WSUS installation file and reset IIS
=============
1. Download MSIZAP from
http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5.
2. From a command prompt, type:
For WSUS 3.0: MSIZAP T {2C0D7E35-EE6E-4DC7-BA13-2C68AEDEB59D}
3. From a command prompt, type: sc delete wsusservice
4. Again, From a command prompt, type: MSIZAP T
{2C0D7E35-EE6E-4DC7-BA13-2C68AEDEB59D}
5. From a command prompt, type: aspnet_regiis -i
6. From a command prompt, type: iisreset


Step2: Remove Windows Internal Database
==============
Msizap T {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB}


Step3: The SQL local groups are also removed once promoting the DC. We
remove the non-exist SQL groups from registries.
==============
1. Start Registry Editor, and then locate one of the following registry
subkeys:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL
Server\MSSQL.2005\Setup
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.X\Setup

Note Only one of these registry subkeys will exist on your computer.

2. Empty the following registry entries:
o SQLGroup
o FTSGroup
o AGTGroup


Step4: Clean the Windows Internal Database info from registries.
==============
1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server
Edit the "InstalledInstances" value and remove "MICROSOFT##SSEE"

2) Remove the "MICROSOFT##SSEE" subkey under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server

3) Remove the "MSSQL.2005" subkey under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server

4) Rename the following folder:
\%Windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data
to
\%Windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data.old

Issue #8
=======
Problem Description
-------------------------
two WSUS 2.0 clients are having trouble to show up in the WSUS 2.0 website.

Cause
-------------
the clients have the same WSUS client ID. This will cause conflicts.
Normally we see this type of behavior when a client system is generated from
an image. The WSUS client ID is the same for each image, thus conflicting
with the other systems reporting from the same ID. The first client
reporting will win the reporting and the rest of the clients with the same
ID are left behind.


Resolution
-------------
Delete the values in the following Registry location on the clients:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

AccountDomainSid REG_BINARY
0104000000000005150000001525AF4752AAC86807E53B002B
SusClientId  REG_SZ 820bc698-8e9f-470f-aaa5-0dfca7b53330

And force the client to report to WSUS server per the following command:

net start wuauserv
Run "wuauclt.exe /resetauthorization /detectnow" command.


NEW & UPDATED KB ARTICLES
====================
(926464) - Describes the new Windows Update offline scan tool and changes
that need to be incorporated for use.
- 4/15/2008 - /default.aspx?scid=kb;en-us;926464

(949767) - Fixes a problem in which a task sequence execution may fail, and
you may receive a "no cert available for policy decoding" error message on a
System Center Configuration Manager 2007 client.
- 4/30/2008 - /default.aspx?scid=kb;en-us;949767

(950527) - Fixes a problem in which you cannot deploy software distribution
or software updates packages to Windows Vista SP1, Windows Server 2008,
Windows Server 2003 SP2 and Windows XP SP3 products in System Center
Configuration Manager 2007.
- 4/22/2008 - /default.aspx?scid=kb;en-us;950527

(951579) - Explains that an error message occurs after the Pre-Boot
Execution Environment restarts the System Center Configuration Manager 2007
client computer. Provides a workaround.
- 4/22/2008 - /default.aspx?scid=kb;en-us;951579

(949025) - Fixes a problem where users who have instance rights to the
collection cannot delete the collection.
- 4/25/2008 - /default.aspx?scid=kb;en-us;949025

(832017) - A roadmap of ports and protocols and services required by
Microsoft client and server operating systems, server-based applications and
their subcomponents to function in a segmented network.
- 4/21/2008 - /default.aspx?scid=kb;en-us;832017

(919594) - Describes the cluster resources that must be configured to use
MOM 2005 to monitor a virtual server.
- 4/8/2008 - /default.aspx?scid=kb;en-us;919594

(937826) - Describes how to upgrade the 180-day evaluation version of
Operations Manager 2007 to the full product version. Does not require that
you upgrade individual files. Requires a Select CD image from the Microsoft
Volume Licensing Services Web site.
- 4/25/2008 - /default.aspx?scid=kb;en-us;937826

(950653) - Fixes a problem that occurs in System Center Configuration
Manager 2007. Specifically, software inventory may not work correctly when
the years of the time attributes of an inventoried file are outside the
1970-2038 range.
- 4/14/2008 - /default.aspx?scid=kb;en-us;950653

NEW & TOP DOWNLOADS
================
Microsoft System Center Capacity Planner 2007 Model for Microsoft System
Center Operations Manager 2007
http://www.microsoft.com/downloads/details.aspx?FamilyID=6fec1f12-a62c-4e8d-8a19-56879192adc3&DisplayLang=en

SMS Template Files for Windows XP Service Pack 3 Deployment
http://www.microsoft.com/downloads/details.aspx?FamilyID=544f2355-7c0c-45fe-90b6-cbd3c6853357&DisplayLang=en

Systems Center Operations Manager 2007 SP1 Documentation
http://www.microsoft.com/downloads/details.aspx?FamilyID=d826b836-59e5-4628-939e-2b852ed79859&DisplayLang=en

Migrating Windows Server Update Services to Windows Essential Business
Server
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a9229be-e9dc-40f8-b90e-035bf7879716&DisplayLang=en

NEW WEBCASTS
==========
TechNet Webcast: Configuration Manager 2007 and Network Access Protection
(Level 300)
http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032374498%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e

TechNet Webcast: Managing Windows Server 2008 with Configuration Manager
2007 (Level 300)
http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032378643%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e