April 2011

How to Easily Check for a Windows Enterprise CA

Friday, April 29, 2011

I work with a lot of different clients and often need to generate private certificates for applications, such as Exchange, Lync Server, and System Center. I'm often surprised that clients aren't aware if they even have a certificate authority server in their domain and if so, what it's name is.

Here's a simple way to check for an enterprise CA in a Windows domain. Run the following command from a CMD prompt:

certutil -config - -ping

Notice the extra dash "-" between the -config and -ping switches.

If there is an enterprise CA published in Active Directory, you will see a pop-up box asking you to choose the CA to ping, as shown below:

Notice that CA name and the computer that hosts it are displayed. Once you select the certification authority and click OK, certutil will ping the server to make sure that it's online and functioning, as shown below:

Certutil successfully pinged the CA

If certutil is enable to locate and Enterprise CA in the domain, it will display an error message indicating that no active Certification Authorities were found:

Certutil was unable to locate an Enterprise CA in the domain

Issue with IE9 and the Exchange 2010 Management Console

Thursday, April 28, 2011

I ran into this issue today at a customer. With Internet Explorer 9 installed on the Exchange 2010 server, you cannot close the Exchange Management Console. When you try to close it, you get the following message:

You must close all dialog boxes before you can close Exchange Management Console

~~As of yet, this is unresolved~~. See http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/ea4e1ffe-472e-4508-9a14-0735ac6322ca for other reports of the same problem.

The workarounds are to end task mmc.exe every time or uninstall IE9.

10/17/2011 Update:

Finally! A fix is now available for this issue.

See "A fix for the interoperability issues between Exchange 2007 and 2010 EMC and IE9 is now available" on the Exchange Team blog.

Here is the direct link to the Microsoft download page for the hotfixes. There are two versions, one for Internet Explorer 9 for Windows Vista SP2 or Server 2008 SP2 and another for Internet Explorer 9 for Windows 7 or Server 2008 R2.

9/20/2011 Update:

Thank you all so much for the continued community efforts on other workarounds, aside from the known Task Manager route.

In terms of an update, a fix has been developed and is undergoing testing and various other processes we have to do prior to releasing updates. The work is being carried out by the IE team and as soon as we can provide information on a release date we are confident with, we'll post again.

Regards

Mark Feetham Senior Program Manager Internet Explorer Product Quality

8/17/2011 Update:

Tony Redmond is chiming in to see if he can carry any weight in resolving this issue and get a fix from Microsoft more quickly. You can read his article, Why can’t Microsoft get IE9 to work with the Exchange Management Console?

As I wrote below, my contacts at Microsoft said they are planning to release the fix with a Q4 service update for IE9. But for most people this is an inordinate amount of time, being that the issue was reported back in April 2011 and has such a painful effect.

I see two problems here. One is the obviously irritating problem itself, and the other is Microsoft's (the company's) lack of response and information about this issue. I almost think the second problem is more important in this case. When so many users are complaining about an issue and there's little or no authoritative response, it's viewed as a failure and customers don't feel the love.

It's even more aggrivating when the IE9 train keeps coming down the track - IE9 is now listed as an important update in WSUS and will be installed automatically on WSUS clients, MS is pushing IE9 whenever and wherever it can, more companies are deploying it in managed environments. etc. The fact that most users affected are admins running the Exchange management tools from their Win7 desktops is mainly lost here.

Yes, we know we can end task the MMC. Yes, we know that it can be solved by uninstalling IE9 (if possible - it's not in managed environments) and ignore the WSUS update. These do nothing to eliminate the irritation. and having Microsoft seemingly ignore customer complaints does not help.

On a side note, it's noteable that Exchange 2010 is useable and stable enough that (relatively) small irritations like this get a lot of press.

Scott Schnoll of the Exchange Team wrote:

OK, so let's talk about some more details.

Susan mentioned this issue has been around since March. Based on forum threads and emails I have, it looks like late March is when this issue first surfaced. And then in April, the issue started getting reported more frequently (although at this point not an alarming frequency) because IE9 was released to Microsoft Update. As it was reported primarily by Exchange admins on both Exchange 2007 and Exchange 2010 and initially only with the EMC, this was initially thought to be an Exchange bug. But, given the combination of software bits in use (Exchange, MMC, IE and Windows), this could just as easily have been an IE, Windows or MMC bug. We (Exchange) didn't know at this point, but nonetheless our product quality team and others took ownership of this issue and began an investigation in late April.

After investigating the matter in Exchange and IE, it was determined in early May (May 4, to be specific) that this was actually an MMC bug. However, after discussing the issue with the MMC team, the IE team took ownership of the bug. It turns out that there was a similar bug they (IE) fixed in Windows, but that fix did not resolve this issue because MMC hosts the mshtml component directly instead of using a web browser control. So why did the issue appear with IE9, but not, for example, in IE8? In a nutshell, in IE9, the "Internet Explorer_Hidden" window has a property flag on it that did not exist in IE8 and earlier. MMC checks for this flag in its process and if any remain open, it will prevent the dialog from being closed and report the error message we've all come to hate.

In any event, after working with the MMC team throughout May, the IE team retained ownership of this issue. Like all companies, Microsoft has a finite amount of resources (time, money, people, tools, etc.). So, we prioritize the work we do based on a number of criteria. Like all bugs, this one has a specific priority and severity, and like some bugs, it's current status is active, which means the bug is being actively worked on by one or more people. It takes time to work out all of the issues with code bug that can span across multiple products.

So, I would say, first, don't bash the IE team. The actual bug is within the MMC code, and not in IE or Exchange. The IE team has graciously stepped up to take ownership of this issue and to provide a fix in IE so that MMC (and any other apps similarly situated) are fixed. I have personally communicated with the PMs and devs that own this issue and I can assure you that they are well aware of your frustration and that their current plans are to aim for this to be included in the December update. Note, however, that they did not guarantee that, and that I am not guaranteeing that to you.

They did, however, promise to update me late next month as their plans for the December release solidify, so I should know and be able to report back here in a month or so with an answer as to whether or not it will be in the December update.

Some other points worth raising:
•While many of us monitor these forums regularly, these forums are not a substitution for reporting bugs by contacting CSS. If you contact CSS, yes they will ask you for a credit card, but if you are reporting a bug, no charges will be made against your credit card. In other words, calling CSS to report bugs is basically free (except for your time, of course). But it is the proper and official way to notify Microsoft of bugs like this.
•We still want you to report these issues in the forums because lots of us monitor these forums and can take action based on them. But when it comes down to things like prioritizing bug work and stacking bugs, official customer reports via CSS or another proper escalation path are required.
•We have been somewhat vocal about this. I spoke about this publicly at TechEd North America in May, and internally in July (at an internal conference) so that the field, PFEs, etc., could spread the word, too.
•But that said, there really hasn't been much to say about it. We've detailed the workarounds, but we don't have a fix yet.
•As much as I would like to keep the forums up-to-date on this and every other issue, it simply is not practical to post regular status updates about every single bug. Not only would that not scale, it would be unmanageable, as well. That said, I will post back here when I get more information from the IE team in September.
•IMHO, this is a very minor issue that, while frustrating, is not pervasive, does not cause any damage or data loss, has viable workarounds and is really inconsequential from a day-to-day perspective (hey, just leave MMC open <g>).

These are my own viewpoints and they do not necessarily reflect the viewpoints of Microsoft. Nonetheless, I hope they help.

6/22/2011 Update:

I've been working with Microsoft via some of my contacts and I finally have a little information to share.

Officially, the statement is:

The IE9 engineering team is aware of the issue and actively triaging it.
They are considering a fix to be delivered later this year.

Unofficially, the issue has been linked to the Microsoft Management Console (MMC) and Internet Explorer 9. While the issue is primarily in the MMC, the IE9 team can release a fix sooner than the MMC team. They are cautiously optimistic that a fix will be released in a Q4 2011 service update.

That's all I've got, folks. Stay tuned.

Are you an Exchange Maestro?

Wednesday, April 20, 2011

Exchange superstarts Tony Redmond and Paul Robichaux will focus on the key “gotchas” and hurdles experienced by IT professionals in the real world. The workshop will cover Exchange 2010 Service Pack 1 as well as the RTM version released by Microsoft in October 2009.

Paul writes,

The Exchange Maestro program is a 300/400-level blitz of all the major features of Exchange 2010. We assume good knowledge of Exchange 2003/2007, and we have enough new material so that even people with some 2010 experience will learn something useful. In addition to the lecture material, attendees get a full set of Exchange 2010 lab VMs on a take-home disk drive. That frees attendees to focus on learning because they can work on the labs during scheduled lab times, in the evenings, or once they return home.

On the third day we have a sort of capstone exercise where the attendees form teams and design an Exchange 2010 organization, then present their design proposal to Tony, playing the role of a hard-nosed customer CIO.

I have a discount registration code for you to share with your readers: “PAUL” will net $250 off for the US events, and “PAUL100” will net 100 pounds off the London event.

If you administer Exchange 2010, this is a worthwhile opportunity to learn from some of the best!

Use the discount codes above to save $250 in the US or £100 in Europe off regular registration. Read more at the Become an Exchange 2010 Maestro website.

How to set the Default Domain for the Microsoft Lync Server 2010 Web Scheduler

Monday, April 18, 2011

As I posted earlier, Microsoft released the Lync Server 2010 Web Scheduler today. It provides a Web-based online Lync meeting scheduling and management experience for Lync Server 2010.

By default, the Web Scheduler requires that users enter their domain and user name along with their password to login, as shown below:

To configure the Web Scheduler with a default domain, so that users can sign in with only their user name, you must update files in both the Internal (Int) and External (Ext) virtual directories. Luckily the files are identical, so you usually only need to update the files in one directory and copy them to the other.

Here's how to do it:

Install the Microsoft Lync Server 2010 Web Scheduler.
Navigate to the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Int\Scripts folder.
Edit the WebTicketManager.js file with Notepad or your favorite editor.
Go to line 143 and insert the following line:

userName+="@domain.com"

where domain.com is the FQDN for your internal domain.

Now prepend "//" to lines 144 and 145 to remark them, as shown below:

Save the file.
If your internal domain name matches your external domain name, copy WebTicketManager.js to the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Ext\Scripts folder. Otherwise, perform the same edit on the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Ext\Scripts folder.

These edits will append @domain.com to the user name entered, unless the user entered a specific domain as either domain\username or username@domain.com on the logon page.

Now we need to edit the Web Scheduler logon page to reflect the change:

Navigate to the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Int\UserControls folder.
Edit the LoginControl.ascx file with Notepad or your favorite editor.
Edit line 28 to read "User Name:", rather than "Domain\user name:", as shown below:

Save the file.
Copy LoginControl.ascx to the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Ext\UserControls folder.

Now all you need to do is try it out!

Microsoft Lync Server 2010 Web Scheduler is now available

Monday, April 18, 2011

Lync Web Scheduler is a resource kit tool for Microsoft Lync Server 2010. It provides a Web-based alternative to the add-in for the Microsoft Office Outlook messaging and collaboration client for the purpose of scheduling a meeting using Lync Server 2010. It also provides a browser-based conference management experience that includes operations such as the following:

Scheduling a new online Lync meeting.
Listing all existing Lync Server 2010 meetings that the user has organized.
Viewing and modifying details of an existing meeting.
Deleting an existing meeting.
Sending an email invitation to meeting participants by using a configured SMTP mail server.
Joining an existing conference.

Compared to the Conferencing Add-In for Microsoft Outlook, Lync Web Scheduler has the following limitations:

Lync Web Scheduler does not support scheduling recurring meetings.
Lync Web Scheduler lists only meetings that were organized by the user. It does not list all meetings that the user is invited to. Further, meetings created using some other tool will not be editable using Lync Web Scheduler.
Lync Web Scheduler is available only in English.
Meeting invitations that are generated by Lync Web Scheduler do not look exactly the same as those that are generated by the Conferencing Add-In for Outlook.
Lync Web Scheduler doesn’t interact with the calendaring server. Calendar updates happen only via email invitations.

Lync Web Scheduler is an ASP.NET application, which must be installed on the same Internet Information Services (IIS) Web server on which Lync Server Web Components are installed.

Get it at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b7d8f948-fa64-4c51-8b54-2223954d1fa4

One TechEd Story

Friday, April 15, 2011

One of the things I enjoy at Microsoft TechEd is talking with people to get their TechEd story. I like to hear what they think of TechEd and about the value they get from the conference.

Claudia Perez works for Galveston County IT in Texas. She's worked in IT for over 16 years, 15 of them for this same organization. She manages about 1,500 users across 20 departments. Last year she went to New Orleans for her second TechEd.

As you can imagine with any small government these days, budget cuts and staff shortages take their toll and it’s much more difficult to make the commitment to a four day conference. There’s travel and expenses, not to mention the registration costs to contend with. Even though state and local government get a pretty good discount, it’s still hard to justify.

So why does Claudia do it? And just as importantly, how does her boss justify the expense? Here's what Claudia says:

There is more than one reason why I attend TechEd. It is a combination of the sessions, the information, the convenience of having the technologies I use at a single event, and definitely the networking (and The Krewe has a lot to do with this part).
I have to admit that the first time I attended I was overwhelmed. In part because I was still in disbelief that I was approved to attend since I have been requesting the opportunity to go to TechEd for many years in a row with no results. Also, I didn’t know quite what to expect. I was very glad I came across the Krewe group during my first year.
I work for local government where I am not only the Exchange person; I am also the SQL person, the Windows Server person, etc. So TechEd makes it so convenient because I have the sessions, hands on labs, etc. that pertain to my main areas of responsibility all in one event. This way I choose what areas to focus more on depending on what projects I am working on that year. There are also the ‘after hours’ activities organized by other TechEd participants. The Exchange Roundtable is a great example.
I also like to be informed of what is coming up next or what is now available in the market that can help us. Having the ability to interact with so many different vendors in one place makes that also very convenient.
Another great reason is the networking. I have learned over the past few years how important it is as an IT pro to have a great network of IT professionals. The way we stay in touch and exchange information and even tried to help each other has proven to be very valuable. More than once I have come across an issue that I’ve never seen before, I ask the question and I always get tips, ideas, or answers from the network of people I met at TechEd.
Our current boss (for over 2 years now) understands the importance of training and continuous education. He is even pushing now for certifications and more training. That mentality helps a lot when I have to ask for approval for the conference. I also have discussed with him the importance of having a network of professionals and he has seen how valuable it has been when I needed answers. In addition, when I comeback from TechEd, I come back with new ideas and information about how to do things more efficient, how to address some issues we may be facing, information on better practices, etc. We cannot always put new ideas into place, sometimes because of budget restrictions, but at the same time, the information gathered helps us to plan for future projects.

I think Claudia perfectly sums up the value of TechEd. And it's really great that her boss understands this, as well.

I hope to see you all at TechEd in Atlanta in May!

How to fix "550 5.1.1 User unknown" Error when Sending to a Distribution Group

Thursday, April 14, 2011

You may find that after you create a new distribution group in Exchange 2010, you cannot send SMTP email to it from the Internet or internal relay hosts. When you do, you receive a "550 5.1.1 User unknown" error . If you send email to the distribution group internally using Outlook or OWA, it works just fine.

This happens because Exchange 2010 automatically sets the attribute Require that all senders are authenticated to enabled by default.

To clear this setting, view the properties of the distribution group and double-click Message Delivery Restrictions on the Mail Flow Settings tab:

Then clear the checkbox for Require that all senders are authenticated and click OK.

At first I thought this might be due to the fact that my client is using Edge Transport servers and that the Block messages sent to recipients that do not exist in the directory setting was enabled. This is shown below from the Edge server's Recipient Filtering properties:

I tested this by running the following cmdlet:

Test-EdgeSynchronization -VerifyRecipient zzz.domain.com

Sure enough, the result shows, NotSynchronized - Recipient doesn't exist in source Active Directory, as shown below:

Somewhat surprisingly, this result does not change when Require that all senders are authenticated is disabled.

I can't believe I've never run into this until now.

Before you ask, there is no way to change the default behavior of Exchange 2010 to create all distribution groups with the authentication setting set to disabled (unchecked).

MVP Award Unboxing

Wednesday, April 6, 2011

I thought it might be fun to show what the MVP award package looks like, so I took a few pictures.

The box in the box

Opening the box reveals a very nice presentation of the award

The contents include:
A framed personalized certificate, an MVP lapel pin, the MVP rules of conduct, an MVP name badge, and a new 2011 year crystal disk to place on last year's award.

The 2011 MVP Award

Good News, Bad News

Tuesday, April 5, 2011

First, the good news... After a long wait, I finally learned that I'm able to go to Microsoft TechEd in Atlanta! Better late than never. I just hope there's a hotel room left since TechEd North America 2011 is selling out fast. Last I heard a few weeks ago, there were only about 600 discounted rooms left. Since I'm joining the party so late, I will not be speaking this year. It will be great to meet up with The Krewe again!

Now the bad news... It turns out that I can't make the Microsoft Certified Master: Exchange Server 2010 rotation in June due to issues beyond my control (mine, not theirs). I'll be doing the next rotation in September 2011. It's only three months later, but it's still really disappointing. :( Oh well, feces occurs.

See you in Atlanta!

I Feel Great!!!

Friday, April 1, 2011

This morning I received an email announcing that I have been awarded Microsoft MVP for the third year in a row!

I'm very proud of this award. What a great way to end the week!

Dear Jeff Guillet,

Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Management Infrastructure technical communities during the past year.

The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership."

Toby Richards
General Manager
Community & Online Support

Pages