Guy Teverovsky, an MVP for Windows Server - Directory Services in Isreal, wrote a GUI application that helps you configure a Windows 2008 Server Core installation without having to go to the dark place.
While I still recommend you thoroughly know and understand how to configure server core from the command line (after all, this isn't going to be installed on every server core installation you come across), this certainly makes it easy.
Download it here.
When you try to start the Automatic Updates service on a computer you may encounter an error stating,
Could not start Automatic Updates service on the local computer. Error 0x8000415: The class is configured to run as a security id different from the caller
I've found that this is usually caused when the service was previously configured as Disabled via Group Policy.
When you configure a service startup mode in Group Policy (Computer Configuration\Windows Settings\Security Settings\System Services), Group Policy first has you configure the security of the service in the registry. The default security settings (before you configure it in the GPO) normally includes Authenticated Users with Read and Start, Stop and Pause permissions. When you configure the service in Group Policy, Authenticated Users have no permissions. This prevents normal users from reconfiguring the service back to Automatic and starting it.
To fix this issue, set the service permissions so that Authenticated Users have Read and Start, Stop and Pause permissions on the service. This can be done the following ways:
This tip applies to any other service configured via Group Policy.
I came across this license plate here in Pacifica and it gave me a chuckle. Fix on, brother.
Get-SendConnectorHere's the one-liner that configures a Send Connector to use port 465:
Set-SendConnector "Your SMTP Send Connector" -Port 465If you're using a Microsoft Edge server, you will need to configure this from any server that is not running the Edge role. You will also need to wait for an EdgeSync operation or force it manually:
Start-EdgeSynchronizationNo services need to be restarted for this change to go into effect.
The first setting enables the RDP protocol on the computer to listen on TCP port 3389. The second setting allows users to login via Remote Desktop. Both settings go into effect immediately and do not require a restart.
Note: If the second setting is not changed to 0 you will get a logon message saying, "Unable to log you on because of an account restriction." You will also get this same logon message if you attempt to logon via RDP with an account that has a blank password. The account you use must have a password to logon using Remote Desktop.
I wrote a batch file that will easily enable or disable Remote Desktop on a remote machine. The syntax is: RDP [computername] [ON | OFF]. Copy the code below and save it as RDP.BAT somewhere in your system path (I use C:\Windows).
---Begin Code---
@echo off
SET RemoteComputer=%1
SET RemoteComputer=%RemoteComputer:\=%
if /i "%2"=="on" goto EnableRDP
if /i "%2"=="off" goto DisableRDP
goto Syntax
:EnableRDP
REG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if ERRORLEVEL==1 goto Error
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
echo.
echo Remote Desktop has been enabled on %RemoteComputer%
goto End
:DisableRDPREG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 1 /f
if ERRORLEVEL==1 goto Error
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
echo.
echo Remote Desktop has been disabled on %RemoteComputer%
goto End
:Error
echo.
echo ======================================================================
echo Make sure the remote computer is online and you have sufficient rights
echo to modify its registry.
echo ======================================================================
echo.
:Syntax
echo.
echo RDP enables or disables Remote Desktop on a remote computer
echo Visit http://www.expta.com for details
echo.
echo RDP [computername] [ON ^| OFF]
echo.
echo ON - Disable RDP on the remote computer
echo OFF - Enable RDP on the remote computer
echo.
:End
SET RemoteComputer=
Note that if Group Policy is configured to disable Remote Desktop (Computer Configuration Administrative Templates Windows Components Terminal Services Allow users to connect remotel using Terminal Services) the HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections setting will revert back to 1 after a Group Policy refresh.
A website that uses directory browsing is a convenient way to display the files and folders in a directory using a web browser. An example of this is demonstrated here.
To configure directory browsing in IIS6, you simply enable the Directory Browsing checkbox on Home Directory tab of the virtual directory. If you want to configure it so that users are required to authenticate to access the virtual directory, you disable anonymous access, enable Basic Authentication and configure the appropriate NTFS permissions on the target folder.
It's slightly different in IIS7 since IIS7 introduces the concept of delegated administration. This means that you can have the IIS configuration in web.config files which reside in the virtual directory. IIS has to read these config files very early in the connection attempt, i.e. when there is no authenticated user available yet. For this reason IIS has to use the process identity (usually Network Service) to read the web.config file.
To configure a virtual directory for directory browsing in IIS7:
If you don't grant the Network Service account read rights on the Vdir, you'll get the following error when accessing it:
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
I'm attending the Microsoft launch event for Windows Server 2008 today in San Francisco.
It's nice to see so many partners here. The company I work for, Convergent Computing, has a booth discussing our services and raffling off copies of our newest book, Windows Server 2008 Unleashed.
Right now I'm in a session about Windows Server 2008 Hyper-V. There are lots of people here, maybe 800. The speaker and demos are quite good.I bit of disappointment is heard from some that the copy of Windows Server 2008 that Microsoft is giving away to participants is licensed for only one year. :(
Overall, there's been a good turnout and a lot of interest from attendees. It's been worth my time.
In a previous post I mentioned that I was going to upgrade my network to Windows Server 2008. Well, I've completed the upgrade and it ROCKS!
I now have a single W2K8 Enterprise server running Hyper-V RC0. This server hosts two guests, one x86 domain controller and one x64 Exchange 2007 server running ForeFront Security for Exchange Server. The host server is running this blog as well as Exchange 2007 Edge services. The performance is outstanding! Much better than my old x64 Windows 2003 host running VMware.
The Exchange Team posted a great article, Speeding up installation of Exchange Server 2007 SP1 Prerequisites on Windows Server 2008. It offers XML files that configure the Windows Server 2008 prerequisites for Exchange 2007 SP1. While it wasn't that difficult to install everything manually, it would have saved some time for me if I had this before my upgrade.
Last night I completed the upgrade and decommissioned the old W2K3 DC, Exchange and Edge servers.
Please let me know if you have any issues with the blog. The migration went very smooth and I don't anticipate any problems.
First, I thoroughly recommend reading Ben Armstrong's article, "Understanding Networking in Hyper-V," for an explanation of how networking changes on a Hyper-V enabled host. He explains that the real NIC on the host is converted to a virtual network switch and a new virtual NIC is created on the host to access the network using the virtual switch.
Sometimes networking doesn't get setup properly on the host when the Hyper-V role is installed. Here's how to fix it:
1. Open network properties of the NIC and uncheck all the connections on the adapter (Client for Microsoft Networks, IPV4, IPV6, ...everything) and click OK. Obviously, this will disrupt network communication to and from the server, so plan this work accordingly. 
6. Verify that the host has network connectivity, and then check your VM guests for connectivity.
Let me know if this helps you.
If you have an ISA 2006 server between a Microsoft Exchange 2007 Edge server and the Exchange Hub Transport server, you may have a problem where messages queue on the Edge with 500 5.1.1 "unrecognized command" errors.
This Microsoft article partially explains how to resolve the problem. When the Edge Transport server tries to send mail through Microsoft Internet Security and Acceleration (ISA) Server 2006, with SMTP filtering or Secure SMTP (SMTPS) filtering enabled, the SMTP filter blocks the communication. You fix this by either disabling the SMTP filter on the ISA server or adding the verbs (and optionally their maximum length) to the SMTP filter.
What the article doesn't say is which verbs to add or their maximum length. Well, here they are:
All the verbs have an empty maximum length except for possibly SIZE. That should be set to the maximum message size allowed in your org in bytes (for example, 10485760 for 10MB).
Update: I've confirmed that the following procedures work for all versions of Windows and Windows Server.
Here's a 40% off code for NEW Microsoft Technet Subscriptions. It will work with either the Direct or DVD option.
Use coupon code: TMSAL06
The SCOM Team has posted a temporary fix for the "Performance Module could not find a performance counter" we've all been seeing after applying SCOM SP1.
Check out this post on the Operations Manager Product Team blog.
net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc
This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.
Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.
By following this plan, I'll minimize downtime to a few minutes and I'll always be able to roll back to the old server simply by turning it back on.
Sounds like a good plan, but here's why it won't work -- the only tool that can convert VMware VMs to VHDs is Virtual Machine Manager 2007 (Hyper-V can't do this on its own), but VMM 2007 can't create or convert x64 VMs. Both my DC and E2K7 server are 64-bit, so at this time there's no way to get there from here. I only wish I'd have remembered this before I spent 4 hours configuring the VMM2007 server and domain. Doh!
By the way, the failure I got during the x64 VM conversion was on step 1.5, "Make operating system virtualizable." This happened right after the plug and play system reported it was "Installing Microsoft Virtual Server Storage devices."
Microsoft Virtual Machine Manager 2008 is expected to create and convert 64-bit guests, but the earliest bits whon't be available for it till around March.
So, my updated migration plan is this:
