[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Top Platform issues for March from the Partner managed newsgroups. - THE OFFICIAL BLOG OF THE SBS "DIVA"
Wed, Mar 11 2009 19:14 bradley

Top Platform issues for March from the Partner managed newsgroups.

In this Issue:

TOP SUPPORT ISSUES
NEW & TOP DOWNLOADS

TOP SUPPORT ISSUES
===============
The following "hot topics" were posted and resolved during the month of
February:

Issue 1:
===========================
Subject:
=====
SCOM2007 operator console -> Monitoring -> State View shows the computers
correctly. However, the web console does not show any computers.

Cause:
=====
When you select 2 or more health-specific states in the Computers node in
the Monitoring space of the Ops Manager 2007 console, you cannot see the
computers in the Computers View of the Web Console. This is by design, and
our product team is working to resolve it in the next version of the
product, or in an update.

Resolution:
======
We need to select only one state.



Issue 2:
============================

Subject:
=====
Root Management server reports event error 1000:

Faulting application MonitoringHost.exe, version 6.0.6278.0, time stamp
0x47b71437, faulting module HealthServiceRuntime.dll, version 6.0.6278.0,
time stamp 0x47b71433, exception code 0x40000015, fault offset 0x00003da0,
process id 0x1b1c, application start time 0x01c9966a84a906ff.


Cause:
=====
This issue can occur if one of the following is true:

1. SCOM2007 agent is installed on the RMS server.
2. SCOM2007 has some management packs loaded that are causing the problem,
like DELL management pack.

Resolution:
======
1. Remove the SCOM2007 agent from the RMS server.
2. Remove the DELL management pack in the Operator console.


Issue 3:
===========================
Subject:
=====
"Remember Credentials" feature does not work in RemoteApp and the message
"Your credentials did not work" is received

Cause:
=====
This issue can be caused if the corresponding Group Policies are not
enabled. Authentication protocols are implemented in Windows by security
service providers. Windows Vista introduces a new authentication package
called the Credential Security Service Provider, or CredSSP, that provides a
single sign-on (SSO) user experience when starting new Terminal Services
sessions. CredSSP enables applications to delegate users' credentials from
the client computer (by using the client-side security service provider) to
the target server (through the server-side security service provider) based
on client policies. CredSSP policies are configured via Group Policy, and
delegation of credentials is turned off by default.

Resolution:
======
1. Log on to your Terminal Server (the server that hosts the applications)
as an administrator.
2. Start Group Policy Editor - "gpedit.msc".
3. Navigate to "Computer Configuration\Administrative
Templates\System\Credentials Delegation".
4. Double-click the "Allow Saved Credentials with NTLM-only Server
Authentication" policy.
5. Enable the policy and then click on the "Show" button to get to the
server list.

6. Add "TERMSRV/<Your server name>" to the server list. You can add one or
more server names. Using one wildcard (*) in a name is allowed. For example,
to enable Single Sign-On to all servers in "MyDomain.com" you can type
"TERMSRV/*.MyDomain.com". (Notice the "Concatenate OS defaults with input
above" checkbox. When this checkbox is selected, your servers are added to
the list of servers enabled by the OS by default.) For example, if your
server name is Test.mydomain.com, you will need to add
TERMSRV/Test.mydomain.com to the list.

7. Confirm the changes by clicking on the "OK" button until you return back
to the main Group Policy Object Editor dialog.
8. At a command prompt, run "gpupdate /force" to force the policy to be
refreshed immediately on the local machine.
9. Once the policy is enabled you will not be asked for credentials when
connecting to the specified servers.
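
To review what steps 4 to 6 actually delegate, the following added example (not part of the original newsletter) reads the policy's server list from the registry location where this Group Policy setting is stored and labels each entry by how broadly it matches. The function name Get-SpnScope and the sample entries are assumptions made for illustration; the sample list is used only when the policy key is absent.

```powershell
# Added example: audit the server list behind
# "Allow Saved Credentials with NTLM-only Server Authentication".
$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$listKey = Join-Path $base 'AllowSavedCredentialsWhenNTLMOnly'

# Hypothetical helper: classify one list entry by how many servers it covers.
function Get-SpnScope {
    param([string]$Spn)
    if ($Spn -notmatch '^TERMSRV/(.+)$') { return 'not a TERMSRV entry' }
    $target = $Matches[1]
    if ($target -eq '*')       { return 'every server (review this entry)' }
    if ($target.Contains('*')) { return 'wildcard, covers a whole domain' }
    return 'single host'
}

# Constructed sample entries, used only when the policy key does not exist.
$entries = @('TERMSRV/Test.mydomain.com', 'TERMSRV/*.MyDomain.com', 'TERMSRV/*')
$source  = 'constructed sample'

if (Test-Path $listKey) {
    # The list is stored as numbered string values under the policy subkey.
    $key     = Get-Item $listKey
    $entries = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    $source  = 'registry'
}

# The enable flag and the "Concatenate OS defaults" checkbox are DWORD values
# on the parent key.
$policy  = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
$enabled = $policy -and $policy.AllowSavedCredentialsWhenNTLMOnly -eq 1
$concat  = $policy -and $policy.ConcatenateDefaults_AllowSavedNTLMOnly -eq 1

"Policy enabled: $enabled  Concatenate OS defaults: $concat  Source: $source"
foreach ($e in $entries) {
    New-Object PSObject -Property @{ Entry = $e; Scope = Get-SpnScope $e } |
        Select-Object Entry, Scope
}
```

Run it after "gpupdate /force" on the machine where the policy was edited; entries reported as wildcards are the ones to narrow to named servers where possible.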

For more information:
======
Credential Security Service Provider and SSO for Terminal Services Logon
http://technet.microsoft.com/en-us/library/cc749211.aspx


Issue 4:
===========
Subject:
=====
After setting up Windows Server 2008 servers, access to a Windows Server
2003 SP2 server is very slow from the Windows 2008 machines.

Cause:
=====
The problem is caused by SNP features that are enabled in Windows Server
2003 Service Pack 2. These features include Receive Side Scaling (RSS) and
TCP/IP Offloading. SNP enables Windows Server 2003 administrators to
cost-effectively scale their network-based applications while optimizing
server performance and maximizing network throughput. However, SNP,
especially TCP/IP Offload, has a problem with the Window Scaling feature
that is used by Windows Vista/Server 2008. So we need to disable SNP for
Windows Vista/Server 2008 and Windows Server 2003 SP2 to work together
correctly.

Resolution:
======
Set the following registry values to "0" if they are "1". To do so:
1. On the servers, open a command prompt and type "regedit".
2. Browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. In the right pane, check the following values and set them to "0". If
the values are not present, please add them accordingly:
Value = EnableTCPChimney
Type = DWORD
Data = 0

Value = EnableTCPA
Type = DWORD
Data = 0

Value = EnableRSS
Type = DWORD
Data = 0

4. Reboot the servers and test again.
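
The same registry change as steps 1 to 3, as an added example that is not part of the original newsletter: it reports the current state of the three values and writes only when asked to. It assumes PowerShell is installed on the server and is run from an administrator session; the function name Set-SnpDisabled and its -Apply switch are made up for this example.

```powershell
# Added example: report, and optionally set to 0, the three SNP values
# named in the resolution above.
$path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$names = 'EnableTCPChimney', 'EnableTCPA', 'EnableRSS'

# Hypothetical helper. Without -Apply it only reports; with -Apply it creates
# missing values as DWORD 0 and sets existing non-zero values to 0.
function Set-SnpDisabled {
    param([switch]$Apply)
    $changed = $false
    foreach ($name in $names) {
        $item    = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $current = $null
        if ($item) { $current = $item.$name }

        if ($current -eq $null) { $state = 'missing' }
        elseif ($current -eq 0) { $state = 'already 0' }
        else                    { $state = "currently $current" }

        if ($Apply -and $state -ne 'already 0') {
            if ($state -eq 'missing') {
                New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 0 |
                    Out-Null
            } else {
                Set-ItemProperty -Path $path -Name $name -Value 0
            }
            $state   = "$state -> set to 0"
            $changed = $true
        }
        "{0,-18} {1}" -f $name, $state
    }
    if ($changed) { 'Values changed: reboot the server and test again.' }
}

# Report only; run "Set-SnpDisabled -Apply" to make the change.
Set-SnpDisabled
```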

Alternatively, we can apply the following hotfix that disables the network
task offloading on the Windows Server 2003 machine:
"An update to turn off default SNP features is available for Windows Server
2003-based and Small Business Server 2003-based computers"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;948496

Issue 5:
================
Subject:
=====
We are not able to access a shared folder on a Windows Server 2008 server
even when using an account with administrator privileges and proper
permissions. The built-in Administrator account does not have this problem.

Cause:
=====
This is a result of Admin Approval Mode (AAM) for User Account Control (UAC).

Admin Approval Mode (AAM) is a UAC configuration in which a split user
access token is created for an administrator. When an administrator logs on
to a Windows Server 2008-based computer, the administrator is assigned two
separate access tokens. Without AAM, an administrator account receives only
one access token, which grants that administrator access to all Windows
resources.

With UAC turned on, we will get an access denied message when connecting to
network shares. This is expected behavior.

Resolution:
======
Turn off UAC on the Windows Server 2008 machine:
1. On the Windows Server 2008 machine, click Start, select Control Panel.
2. Double click User Accounts.
3. Click "Turn User Account Control On or Off" link.
4. Deselect "Use User Account Control(UAC) to help protect your computer".
5. Click OK and restart your computer.

Issue 6: Outbound VPN access through the ISA server
================================================
Resolution:

Establish the site-to-site VPN tunnel between the VPN server in network A
(the ISA server) with the VPN server in network B. Then the computers in
these two networks can access each other through the VPN tunnel.

To establish the site-to-site VPN tunnel, you can refer to the articles
below.

Creating a Site to Site VPN using the ISA 2006 Firewall Branch Office
Connection Wizard
http://www.isaserver.org/tutorials/Creating-VPN-ISA-2006-Firewall-Branch-Office-Connection-Wizard-Part4.html

Introduction (Virtual Private Networking with Windows Server 2003: Deploying
Site-to-Site VPNs)
http://technet.microsoft.com/en-us/library/cc758391.aspx

Deploying a PPTP-based Site-to-Site VPN Connection
http://technet2.microsoft.com/WindowsServer/en/library/da73a145-8a44-4575-b5c0-e95982f277ab1033.mspx?mfr=true

If you do not want to establish the site-to-site VPN connection, you need to
configure the outbound VPN access through the ISA server by defining the
access rule on the ISA server.

The rule can be defined as follows:

Rule name: Allow L2TP/IPSEC access
Action: Allow
Source: Internal
Destination: External
Protocol: IKE Client, IPSec NAT-T Client, L2TP client and IPSec ESP
client (you need to check which protocol the remote VPN server uses
to establish the L2TP VPN)
Apply to: Allow users

You also need to disable the firewall client installed on the laptop and
configure the laptop as a SecureNAT client.

Issue 7: Client cannot access HTTPS web site through ISA proxy
================================================
Resolution:

1. URL Sets are applicable only for HTTP traffic.
2. For HTTPS sites, we can use a Domain Name Set. Configure the HTTPS site
by a Domain Name Set.

Sincerely,

Sherry

NEW & TOP DOWNLOADS
================
Windows Server 2008 Service Pack 2 and Windows Vista Service Pack 2 Release
Candidate - ALL Language Standalone DVD ISO
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=dba0fc54-d35c-4978-ac0d-e3224cfe1736
