Tuesday, February 21, 2012

Exchange 2010 SP1 ActiveSync device lockdown

The other day I began working on locking down ActiveSync so that only pre-approved devices could sync.  I found that there were a lot of things available that gave portions of the solution or hinted at parts, but none that gave the full solution (excluding one site which I didn't find until later).

I'm not going to give a full layout of all the options, but below I intend to lay out the method that I'm using.  From this it can easily be modified to add rules for the needs of your organization.

ActiveSync in Exchange 2010 SP1 can control devices by allowing (the default), blocking, or quarantining them.  Devices are identified by their Device ID.  The Device ID appears to differ depending on the device type; for example, on Apple's iPad the ID is the serial number with Appl prepended. So ApplDFGGYUDVBFJ2 is what one might look like if your serial number was DFGGYUDVBFJ2.  My understanding is that the Android ID is not generated from the serial number.

I'm going to cover doing this through PowerShell. It can also be done through the Exchange ECP, as described in this excellent post by the Exchange team (this is the one I found after I was done doing it through PowerShell):
http://blogs.technet.com/b/exchange/archive/2010/11/15/3411539.aspx

  1. Open the Exchange Management Shell
  2. Get-ActiveSyncOrganizationSettings | fl DefaultAccessLevel
    1. This will report your current default level, most likely it's set to Allow
  3. Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients admin@didyourestart.com
    1. Here we are setting the default level to Quarantine and then specifying an email address to be notified when a device is quarantined. You will want this so that you can see what the DeviceID is of new devices (makes for easier adding of devices for allow access)
  4. You'll now find that if you try to connect your iPad it will be quarantined. Quarantined devices can be found via the Exchange ECP as described in the link above to blogs.technet.com or via Powershell
    1. Get-ActiveSyncDevice | where {$_.deviceaccessstate -eq 'Quarantined'} | ft DistinguishedName
    2. This can also be used to find the DeviceID.  On an iPad this results in something similar to the following
      1. CN=iPad§ApplDFGGYUDVBFJ2,CN=ExchangeActiveSyncDevices,.....
  5. Next step is to allow this device access for the user
    1. Set-CASMailbox -Identity username -ActiveSyncAllowedDeviceIDs "ApplDFGGYUDVBFJ2"
  6. You can view the list of allowed devices at anytime by using the following
    1. Get-CASMailbox -Identity aarons | fl ActiveSyncAllowedDeviceIDs
To give a user multiple devices, separate the IDs with a comma:
Set-CASMailbox -Identity aarons -ActiveSyncAllowedDeviceIDs "ApplDFGGYUDVBFJ2","ApplDFGGYUDVBFJ3"

To set a user back to no allowed devices use the following:
Set-CASMailbox -Identity aarons -ActiveSyncAllowedDeviceIDs $Null
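
One way to script steps 4 to 6 so that approving a device appends to the user's allow list instead of overwriting it (an added example, not from the original post; the function name Approve-QuarantinedDevice is hypothetical, and the mailbox and device ID are the sample values used above):

```powershell
# Added example, not part of the original post. Run it in the Exchange
# Management Shell. Approve-QuarantinedDevice is a hypothetical helper name.
function Approve-QuarantinedDevice {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$DeviceId
    )

    # A stray leading or trailing space would stop the ID from matching.
    $DeviceId = $DeviceId.Trim()

    # Only approve an ID that this mailbox has actually tried to sync with,
    # so a mistyped ID never ends up on the allow list.
    $device = Get-ActiveSyncDevice -Mailbox $Mailbox |
        Where-Object { $_.DeviceId -eq $DeviceId } |
        Select-Object -First 1
    if (-not $device) {
        Write-Warning "No ActiveSync device with ID '$DeviceId' found for $Mailbox."
        return
    }

    # Leave devices alone that are already allowed or explicitly blocked.
    if ($device.DeviceAccessState -ne 'Quarantined') {
        Write-Warning "Device state is '$($device.DeviceAccessState)', not Quarantined. Nothing changed."
        return
    }

    # Skip the write if the ID is already on the list.
    $allowed = (Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs
    if ($allowed -contains $DeviceId) {
        Write-Warning "'$DeviceId' is already allowed for $Mailbox."
        return
    }

    # @{Add=...} appends to the multivalued property. Passing a plain string
    # here would replace every ID already on the list.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}

    # Show the resulting allow list.
    Get-CASMailbox -Identity $Mailbox | fl ActiveSyncAllowedDeviceIDs
}

# Review what is waiting in quarantine, then approve one device.
Get-ActiveSyncDevice | where {$_.DeviceAccessState -eq 'Quarantined'} |
    ft UserDisplayName, DeviceType, DeviceId -AutoSize
Approve-QuarantinedDevice -Mailbox aarons -DeviceId 'ApplDFGGYUDVBFJ2'
```

To take a single device off the list again without clearing the others, the same syntax works with @{Remove = 'ApplDFGGYUDVBFJ2'}.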


Note: I found that sometimes it could take awhile for a device in quarantine to generate an email stating it was in quarantine.  This appeared to be because it didn't actually go to quarantine, but it was just straight out denied.  In my tests this occurred when the mailbox was large or contained a large number of messages.


The other part of this controlled setup that we originally implemented was to also disable ActiveSync for all users and then explicitly enable it for users at the time of need, but if all devices go to quarantine or are blocked this no longer matters and stands in as a way to disable ActiveSync for all users without actually disabling ActiveSync (in case someone still wants to disable ActiveSync: Get-CASMailbox -identity username | Set-CASMailbox -ActiveSyncEnabled $False; you can exclude the -identity username to make it apply to all users).

Tuesday, November 29, 2011

Citrix XenApp 6 and 6.5 Legacy DefaultPRNFlags

With versions of Citrix XenApp prior to version 6 you could set the reg key DefaultPRNFlags to modify printing options. In earlier posts I referenced using these values for everything from allowing admins access to autocreated printers to suppressing errors in the event log, etc.
http://support.citrix.com/article/CTX119684


With the release of XenApp 6 and 6.5 the DefaultPRNFlags key has been both moved to a new location and separated out into different keys with true / false data.
http://support.citrix.com/article/CTX124885

Friday, August 12, 2011

Convert MAK to KMS Client or KMS Host to Client with slmgr.vbs

By default all Windows Vista and above clients are shipped as a KMS client with a GVLK installed. So, by default if you have a KMS host setup then any new installs will work immediately with your KMS environment.
Let's take a look:
On a fresh system open cmd and go to C:\Windows\System32
Run cscript slmgr.vbs /dlv
It will report a KMSClient
Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System - Windows Server(R), VOLUME_KMSCLIENT channel
Activation ID:
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID:
Installation ID:
Partial Product Key: BFGM2
License Status: Initial grace period
Time remaining: 86400 minute(s) (60 day(s))

Key Management Service client information
Client Machine ID (CMID):
DNS auto-discovery: KMS name not available
KMS machine extended PID:
Activation interval: -1 minutes
Renewal interval: -1 minutes
Note the partial product key is BFGM2. Also note the description contains VOLUME_KMSCLIENT channel. From the following link provided by MS we can see that this is the key for Windows Server 2008 Standard KMSClient
http://technet.microsoft.com/en-us/library/ff793421.aspx

But let's say you already activated this client with a MAK key or as a KMS Host with the KMS key and now you want it to be a client again. This process is as simple as changing the key back to the GVLK key.

Note: To convert from MAK to KMSClient it is the exact same steps. (the volume descriptions will be different to represent the MAK instead of KMSHost)
__________________________________________________________________________

In the following example the admin accidentally activated the system using the KMS host key.

- Note that running slmgr.vbs /dlv shows it's a KMS Host
C:\Windows\System32>cscript slmgr.vbs /dlv
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Software licensing service version: 6.0.6002.18005
Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System - Windows Server(R), VOLUME_KMS_B channel
Activation ID:
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID:
Installation ID:
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=48189
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=48190
Use License URL: http://go.microsoft.com/fwlink/?LinkID=48192
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=48191
Partial Product Key:
License Status: Licensed

Key Management Service is enabled on this machine
Current count: 0
Listening on Port: 1688
DNS publishing enabled
KMS priority: Normal

Key Management Service cumulative requests received from clients
Total requests received: 0
Failed requests received: 0
Requests with License Status Unlicensed: 0
Requests with License Status Licensed: 0
Requests with License Status Initial grace period: 0
Requests with License Status License expired or Hardware out of tolerance: 0
Requests with License Status Non-genuine grace period: 0
Requests with License Status Notification: 0

- We can see that it's Windows Server 2008 Standard so we can go to our friends at MS and grab the correct GVLK key of TM24T-X9RMF-VWXK6-X8JC9-BFGM2 (http://technet.microsoft.com/en-us/library/ff793421.aspx)


- Then run cscript slmgr.vbs /ipk TM24T-X9RMF-VWXK6-X8JC9-BFGM2
C:\Windows\System32>cscript slmgr.vbs /ipk TM24T-X9RMF-VWXK6-X8JC9-BFGM2
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Installed product key TM24T-X9RMF-VWXK6-X8JC9-BFGM2 successfully.
- Now if we run cscript slmgr.vbs /dlv again we see
C:\Windows\System32>cscript slmgr.vbs /dlv
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Software licensing service version: 6.0.6002.18005
Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System - Windows Server(R), VOLUME_KMSCLIENT channel
Activation ID:
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID:
Installation ID:
Partial Product Key: BFGM2
License Status: Initial grace period
Time remaining: 86400 minute(s) (60 day(s))

Key Management Service client information
Client Machine ID (CMID):
DNS auto-discovery: KMS name not available
KMS machine extended PID:
Activation interval: -1 minutes
Renewal interval: -1 minutes

- Now we can activate it with the KMS Host that you already have setup on the proper server using cscript slmgr.vbs /ato
C:\Windows\System32>cscript slmgr.vbs /ato
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Activating Windows Server(R), ServerStandard edition...
Product activated successfully.

- Then you can run cscript slmgr.vbs /dlv again and get a good activation description
C:\Windows\System32>cscript slmgr.vbs /dlv
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Software licensing service version: 6.0.6002.18005
Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System - Windows Server(R), VOLUME_KMSCLIENT channel
Activation ID:
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID:
Installation ID:
Partial Product Key: BFGM2
License Status: Licensed
Volume activation expiration: 259200 minute(s) (180 day(s))
Key Management Service client information
    Client Machine ID (CMID): 5a05921b-8405-4d46-af89-f40a3d60b698
    KMS machine name from DNS: machinename.fqdn:1688
    KMS machine extended PID:
    Activation interval: 120 minutes
    Renewal interval: 10080 minutes



From this we can see that we've now successfully activated the KMSClient against the KMS Host listed at "KMS machine name from DNS:" and that it will activate again in 180 days.

Once again, here's the KMS Client Setup Keys
http://technet.microsoft.com/en-us/library/ff793421.aspx

Tuesday, August 9, 2011

Understanding and Installing KMS Server

There are 2 different types of keys with today's Office and Windows products, KMS and MAK. These are used to manage Windows Server 2008 and 2008 R2, Windows Vista and 7, and Office 2010.

MAK - Multiple Activation Key - Activate one-time basis against MS hosted activation services (across internet)
KMS - Key Management Service - Activate systems within internal network

KMS and MAK can be mixed in an environment based on client needs.

Frequently Asked Questions About Volume License Keys
http://www.microsoft.com/licensing/existing-customers/product-activation-faq.aspx

Why use KMS?
1. MAK has usage limits, this is important in corporate environments especially with virtual desktop environments. Improperly utilizing MAK keys can lead to all of the activations being consumed (see FAQ site linked above).
2. Easier to manage new deployments with KMS. Set it and forget it

Why use MAK?
1. Mobile workstations that will not have visibility to KMS host within timeframe required for activation limits (180 days).
2. Very small deployments of less than 25 workstations, or less than 5 servers (running described OS). See below for KMS Host activation thresholds. Note: if in a vdi environment then review support for MAK deployment by the software vendor (ie Citrix XenDesktop supports MAK for Windows 7 with PVS, but does not support MAK for Office 2010 at time of this writing).

What is a CMID?
The CMID is how KMS identifies unique machines. This is important in environments that utilize virtualization such as XenApp and XenDesktop (or other virtual technologies).

KMS Host activation thresholds:
The activation threshold is how many end clients have to request a license from the host before the host will activate and start handing out valid licenses. This is different by product:
Windows OS - Either 5 Server client requests or 25 Workstation client requests
Office 2010 - 5 client requests
Once the proper number of clients have requested activation then the Host will begin handing out licenses.

The KMS Host will also cache twice the number of clients to ensure that the count does not drop below the required count to remain activated.

This is important to note for a few reasons:
1. If you're planning redundancy of KMS hosts then the number of clients is somewhere over double the minimum number of clients needed for activation. This is due to having to meet the threshold on two hosts and the fact that each has an activation threshold cache.
2. Application virtualization and vdi/workstation virtualization technologies may actually only count as 1 client since they will all have the same CMID.

I will not be focusing on installing / configuring redundant KMS hosts. It should be noted that you can configure the weight / priority of hosts in this type of environment.

Client Discovery:
Client discovery by default is done through DNS via an SRV record, using TCP port 1688. Note that the Windows 7 firewall blocks this by default, so it needs to be enabled.

Understanding KMS
http://technet.microsoft.com/en-us/library/ff793434.aspx


Installation
Installation of KMS Host is as easy as plugging in the KMS license key for the Windows OS or installing the service for Office.

Note: extra steps may be needed depending on which OS flavor it is hosted on. Extra patches may be needed for 2003 and 2008 hosts.

Windows OS Host setup
1. Pull your KMS license key out of your Volume license site. This key should ONLY be used on servers you intend to be hosts.
2. Open Control Panel\System and Security\System
3. Change product key
4. Enter your KMS product key
5. Click Yes to the prompt warning you that you are using a KMS key that will setup activation services

Note that a Windows Server 2008 R2 can activate both servers and clients.
http://technet.microsoft.com/en-us/library/ff793412.aspx

Office 2010 Host setup
1. Go to your volume license downloads
2. Download the "Office 2010 Key Management Service Host". Note that if you have different versions you may see one for Professional, Standard, etc. Either one will do (don't need both). This doesn't include the actual keys
3. Get the Office suites KMS key from the license agreement page
4. Run the installer and accept the EULA.
5. When it asks for the host product key enter the KMS key

Fresh installations of the OS or Office by default are set to search out a KMS host and activate (via the DNS srv record).


Viewing KMS info
In order to see information about the KMS Host you can use the slmgr.vbs script. This is done from a command prompt at C:\Windows\System32

To display Windows license information use cscript slmgr.vbs /dlv
This does not display information regarding Office licensing

In addition you can use /dlv all to display information on all licenses (ie Windows and Office)

If you only want to see office KMS licensing information you can add the activation id of the product. Thus it would look like this:
cscript slmgr.vbs /dlv bfe7a195-4f8f-4f0b-a622-cf13c7d16864


DNS Srv Record
If we look in DNS we'll find a new srv record for each KMS Host.
You'll find the records under the Forward Lookup Zones - your domain - _tcp
The records will be named _VLMCS

Friday, August 5, 2011

Forfiles to manipulate files based on date

Nothing new here...
You can use Forfiles to manipulate files based on their date.

/P Path to search
/M SearchMask
/S Subdirectories
/C Command
/D Date (valid as "mm/dd/yyyy" or as a number of days, prefixed with + for greater than or - for less than)

Examples:
Search current and subdirectories for files older than 30 days from current date and echo them to screen
forfiles /s /d -30 /c "cmd /c Echo @file"

Same but only display ISOs
forfiles /s /m *.iso /d -30 /c "cmd /c Echo @file"

Same but this time display the full path to the file (@path already includes the file name)
forfiles /s /m *.iso /d -30 /c "cmd /c Echo @path"


Now that we have the basic concept, you could use this in a script to delete files older than x days/date (the @isdir check skips directories, which forfiles also matches).
forfiles /p C:\backups /s /d -30 /c "cmd /c if @isdir==FALSE del @path"
or move them to cheaper storage
forfiles /p C:\backups /s /d -30 /c "cmd /c if @isdir==FALSE move /y @path C:\Destination"

Thursday, April 21, 2011

Server 2008 R2 Print Server with 64 and 32bit drivers

Scenario: Mixed environment of 32 bit and 64 bit workstations / Terminal servers. You want to use one print server to serve out both architectures of both native and third party drivers.

Example drivers:
  • Native HP Laserjet 5
  • Native HP Laserjet 2200 PCL5
  • Native HP LaserJet 4100 PCL6
  • etc

First, prep your server and get the Print and Document Services role installed. I did this on 2008 R2 with SP1.


Open Print Management. Go to drivers and click add.

x64 install - this one is easy...

  1. Next
  2. Choose x64, Next
  3. Click Windows Update and wait (this gets you more drivers such as the LJ 5, yes it normally takes that long)
  4. Select your driver
  5. Next
  6. Finish (may take awhile if it's pulling from Windows Update)
  7. Told you it was easy.

But now you need the exact same driver in 32bit...

x32 install - Native drivers

  1. You have to pull the native driver from a x32 2008 server. So you'll need at least one 2008 SP2 32bit server in your environment.
  2. Click Add driver
  3. Next
  4. Choose x86, Next
  5. Note the list is blank, click Have Disk
  6. Enter the following path where servername is the name of your 2008 32bit server. \\servername\c$\Windows\System32\DriverStore\FileRepository\prnhp*****
  7. In my case the actual inf was named prnhp001.inf_87f859f3. Not sure if this is always the case.
  8. Select the exact same driver that you did for x64.
  9. Note that for this to work properly it has to be the exact same driver name.

You now have the 32bit and 64bit version of the Native MS driver.

Now you can do the same thing with your Third Party driver, but point the "Have Disk" to the .inf that you downloaded from their website. Note that again, you'll have to download both the 32bit and 64bit version of the same driver (unless of course they have 1 download that contains both versions)

Your driver window should look something like this when you're done... Notice that I have a x86 and x64 for each driver listed, but that they have the exact same name.

Hint: you can make driver names match via editing the .inf prior to driver installation. Test it well if you do as your mileage may vary from my results.

Wednesday, December 15, 2010

Deploy Citrix Merchandising Server with Receiver 2.0 using anonymous access

Citrix Merchandising server 2.0 adds in the ability to deploy the receiver with tokens. This allows the receiver to be utilized with anonymous access and eliminates the need for users to login for receiver updates (note this doesn't change the need to login for online plugin which will be presented as a receiver login prompt, don't confuse the 2 different authentication prompts).

For this I used both Merchandising server 2.0 and 2.1 along with Receiver 2.0 and 2.1.

Configure the Merchandising Server
  1. Download and import the merchandising server (8GB HD space req)
  2. Configure with IP, subnet, etc and install the latest XenServer tools. Use receiver.yourfqdn as the hostname
  3. open https://ipaddress/appliance
  4. login as root with the default password (found in the citrix edocs, note this is different than the unix password you configured from the console)
  5. Configure Active Directory
    1. Source Name = your call
    2. Server Address = IP address to DC
    3. Server port = 389 or 3268
    4. Bind DN = user account to sync ldap (ie ldap@here.contoso.com)
    5. Bind Password = the password to the ldap account
    6. Base DN = your base dn (ie DC=here,DC=contoso,DC=com)
    7. Save (if it errors you did it wrong)
  6. Permissions
    1. In the search users box type your domain user first or last name (username will result in nothing)
    2. Select the radio button and click Edit
    3. Change to Admin
    4. Repeat for all other admins
    5. Logoff
  7. Enter a dns record for "receiver" pointing to the merch server IP address
  8. point your browser to https://receiver/appliance
  9. Logon as your newly configured admin account. Note that you'll need to use domain\username for now
  10. Go to configurations - options
  11. Enter your support desk email, website, phone as desired. Ensure you select Token Expiration of Never (unknown to me at this time if you set it to expire if the end clients will update automatically, or if it will just break it).
  12. Enter the default domain name desired (note that this will fix the need for using the domain\username format)
  13. Save
  14. Go to configurations Authentication
  15. Click Generate Token (needed for the anonymous access)
  16. Click Save
  17. Now we need to generate an ssl cert. Since most intermediaries now require all ssl certs be generated with 2048 or higher you won't be able to use the CMS built in cert request as it only generates at 1024. I used IIS7 for this.
    1. Open IIS manager
    2. On the server find Server Certificates
    3. Click Create Certificate Request
    4. Common name = receiver.ncgi.com
    5. Fill out rest of the request and generate the csr
    6. Copy the contents of the CSR and generate a cert (I used Godaddy)
    7. download the completed cert
    8. In IIS7 select the cert and click "Complete Certificate Request"
    9. Once finished select the cert and click export
    10. enter a location and password
    11. Download and install openssl http://www.openssl.org/related/binaries.html
    12. Convert the new cert from pfx format to pem using openssl
    13. open command prompt and navigate to where you installed openssl (default is C:\openssl\bin)
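    14. openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\receiver.pem -nodes (-nodes writes the private key into the PEM unencrypted, so restrict access to that file and delete it once the import is done)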
    15. Enter the password you gave it when you exported it.
  18. Now that we have a cert in the proper format we can import it to the receiver. Go to configuration - ssl certificate management
  19. Change the drop down to "import certificate from a certificate authority"
  20. For "Public Certificate File" browse to the newly created pem file
  21. For "Private Key File" browse to the newly created pem file
  22. Enter the password
  23. Submit
  24. The CMS will reboot at this point. When it comes back up you'll notice that you don't get a cert warning anymore (provided everything was done right).
  25. Dedicate an external IP address and map the external address to your internal address at your firewall. You'll need port 443 open obviously.
  26. Get the A-records mapped externally for receiver.fqdn to point to your external address if you haven't already
  27. under plug-ins click Get new
  28. select a plug-in that you want and click Download to server
  29. under Deliveries click Create/Edit
  30. Create
  31. Delivery Name = Default
  32. Check mark default delivery
  33. enter how often to check for updates
  34. Add a plug-in to push as the default package
  35. Set the schedule for Deliver Now
  36. Click Schedule

Package the receiver
Citrix has a tool available for packaging the receiver. It works very well. Unfortunately I don't like it because it forces you to package it alongside the Access Gateway client, which I don't necessarily want to push to all my workstations that will be using receiver. If you want to push that client as well then use this to package your receiver with the token.
Otherwise:
Here's an excellent tip on packaging the receiver. http://www.xenappblog.com/2010/receiver-asking-for-logon-information-after-msi-install/
Download the receiver msi from citrix.com. Then make your installation look like the below. Note that the token comes from the "Authentication" tab in the receiver. It's the token we generated way back on step 15.
start /wait msiexec /i "Receiver.msi" /qn ALLUSERS=1 REBOOT="ReallySuppress" SERVER_LOCATION=https://receiver.fqdn.com/appliance/services/applianceService VERBOSE=true AUTOUPDATE=true TOKEN=yourtoken
Alternatively you could use Orca to modify the msi.
New! Citrix has added a new page in their edocs regarding how to push the Citrix receiver and the switches available. You'll find it under Receiver for Windows - Installing Receiver for Windows.

Citrix Online Plugin SSOn with Windows 7 x64

I was having issues getting SSOn working with any version of the Online plugin on Windows 7 x64. Mainly I was working on getting it running with the Citrix Receiver 2.0 deploying Full online plugin 12.1.

Checked that ssonsvr.exe was indeed running.

Found that the GPO template provided by Citrix contains what appears to be invalid entries for the SSOn keys. (note that SSOn for WinXP was working using these settings)
http://forums.citrix.com/thread.jspa?threadID=262201&start=0&tstart=0

Finally, discovered that it *was* the credentials that SSOn was attempting to use. I found that using the FQDN for the domain field would result in a failure, but using the "pre-Windows 2000" domain name would work.

Bingo, the PNA services site was set to allow only the "pre-windows 2000" version of the domain name. On the services site I added a second allowed domain name as the fqdn and everything took off running. Apparently XP was passing through the domain name that I had allowed, whereas Windows 7 was using the FQDN (which would make sense).

Monday, December 13, 2010

Remove Sleep and Hibernate from Start Menu in Windows 7 via GPO

Looking around on the internet I found a LOT of incorrect and incomplete information on this.


To remove the sleep and hibernation options from the Windows 7 start menu via GPO do the following (this doesn't disable sleep entirely, just removes it from start menu, to disable sleep via GPO you can do a power plan with it set to 0 and then select the power plan):


Sleep:

Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings
Allow Standby States (S1-S3) When Sleeping (Plugged In)
Set to disabled







Hibernate

Note that I tried changing the HibernationEnabled key with no success. Running processmonitor I found that this key and many others are updated, contrary to many of the posts I found on the internet. In addition I found that many of the proposed adm templates for this actually caused GPO processing failure (so beware).


Computer Configuration\Preferences\Windows Settings\Registry
Action - Update
Hive - HKEY_LOCAL_MACHINE
Key Path - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name - DisableHibernate
Value Type - REG_SZ
Value Data - %systemroot%\system32\powercfg.exe -h off
Common Tab - Apply once and do not reapply (optional)

Monday, May 17, 2010

BlackBerry Express Dispatcher service fails to start

Recently in an installation of BB Express with SQL Server 2005 Express I had some issues with the Dispatcher and SQL.

Event Type: Warning
Event Source: BlackBerry Dispatcher pubBESExpress
Event Category: None
Event ID: 25137
Date: 5/17/2010
Time: 10:11:24 AM
User: N/A
Computer:
Description:
{ConnectionItem::ConnectToDB} Failed to connect. Connection string is Provider=SQLNCLI.1;Server=servername\SQLEXPRESS;Database=BESMgmt;

This error was followed by:
Event Type: Warning
Event Source: BlackBerry Dispatcher pubBESExpress
Event Category: None
Event ID: 25105
Date: 5/17/2010
Time: 10:11:24 AM
User: N/A
Computer:
Description:
Failed to authenticate connection - local machine time may be out of sync with domain controller time. Please restart Windows Time Service.

I eventually found this here: http://supportforums.blackberry.com/t5/BlackBerry-Enterprise-Server/BES-5-0-Post-installation-Issues/td-p/420078 where Keithk23 nails it.

I set the SQL Browser service to Automatic and started it, and all was well.

Friday, April 30, 2010

Smart Card Error when RDP to server console

When logging into a server console I would get the following error:

"The card supplied was not recognized. Please check that the card is inserted correctly, and fits tightly"


This occurred on an HP dv4 laptop.

I found that it only occurred when a keyboard with "Smart Terminal" was connected to the laptop. Easily resolved by opening the device manager and disabling the smart card reader.


Skype Crashes on Windows 7 x64

After installing Skype on my Windows 7 x64 laptop it would fairly consistently crash, occasionally taking the laptop down with it.

  1. Open cmd prompt (run as admin)
  2. type bcdedit -debug off
  3. reboot
http://forum.skype.com/topic/426581-skype-freezes-windows-7/page__st__40

Friday, February 19, 2010

XenServer - Disk Access Priority (qos)

Following are steps for setting Disk Access Priority in XenServer 5.5

Note: I found that the Admin Guide and Technote provided by Citrix for making these changes have typos in the commands. This could cause unexpected results and, more obviously, Disk Priority doesn't work (most notable by the slider not working).

Note the message that is displayed briefly when hovering over the slider "This feature is disabled due to license restrictions on the server" has nothing to do with license restrictions, but rather just that it needs to be enabled on the SR.

  • Shutdown all vm's on the SR
  • xe sr-list name-label="srname" (this will give you the SR UUID)
  • xe sr-param-set uuid=UUIDofSR other-config:scheduler=cfq
  • Detach and reattach the SR (or unplug and replug each pbd for the SR, detach reattach effectively does this)
  • Change the slider to the desired setting

If you happened to follow the admin guide or technotes and used the incorrect command (xe sr-param-set uuid=uuidofsr other-config:scheduler-cfq, note the -cfq rather than =cfq) then you will need to clear this setting first.

xe sr-param-clear uuid=sruuid param-name=other-config

http://support.citrix.com/article/ctx122645

Technote - Correct


Technote - Incorrect

Admin Guide - Incorrect





Bug #2

The Disk Access Priority level (highest / lowest) is displayed incorrectly at the 0 and 7 settings. They in fact show the opposite of what they should. (0 = lowest, 7 = higher). This only shows on the VM storage tab. Setting of 8 shows normal. This can be ignored as a GUI / display bug, go by the numbers. 0 - 7 (according to Admin Guide) with 7 having more priority over 0. Unsure if 8 is valid or not although it can be selected.

Should be High

Should be low

Wednesday, January 27, 2010

Disable Windows Password Caching

A client has a number of laptops that are shared amongst several users using the same local username and password. Problem, if one opens SharePoint, other Internet site, or File Share and chooses "remember my password" then passes the laptop onto the next user... you get the picture.

Disable password caching option:
Group Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Set to Enabled

This will disable the "remember my password" option from both Internet Explorer and File Shares.

Tuesday, January 19, 2010

Server 2008 Virtual Iron to XenServer winlogon.exe corrupt

During a conversion of Server 2008 to XenServer the first boot worked great. Upon reboot the server responded with an error that "winload.exe - the selected entry could not be loaded because the application is missing or corrupt"

I booted to the install disk and chose Repair, then Command Prompt. I then ran the following:
bcdedit /set {default} osdevice partition=C:
bcdedit /set {default} device partition=C:
bcdedit /set {bootmgr} device partition=C:

I then also had to ensure that the device IDs (on the storage tab) were set properly for each drive.

Reboot and worked fine.