Saturday, July 9, 2011

When you think there is no solution to something, remember there is only one way out...


Thursday, April 14, 2011

Comparison of Exchange ActiveSync Clients

This is an excellent article comparing the various Exchange ActiveSync (EAS) clients, covering every supported client against every Exchange Server version:

Friday, March 25, 2011

Client installation error in intranet based machines in native mode - Certificate issued to "xyz" doesn't have private key


I've a dedicated IBCM site for serving intranet + internet clients. I'm unable to install SCCM client on intranet based clients via client push method. I've taken care of ports, admin$ accessibility, client push installation account permissions, server certs, certificate enrollment on client etc.

The client doesn't get installed & I get the below errors/logs:

ccm.log of IBCM server:

======>Begin Processing request: "IYEWCKFT", machine name: "SCCMTESTWINXP-1" SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Trying the 'best-shot' account which worked for previous CCRs (index = 0x0) SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Attempting to connect to administrative share '\\sccmtestwinxp-1.GEO.CORP.TEST.IN\admin$' using account 'geo\TESTgsccm' SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> The 'best-shot' account has now succeeded 5 times and failed 0 times. SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Connected to administrative share on machine sccmtestwinxp-1.GEO.CORP.TEST.IN using account 'geo\TESTgsccm' SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Attempting to make IPC connection to share <\\sccmtestwinxp-1.GEO.CORP.TEST.IN\IPC$> SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Searching for SMSClientInstall.* under '\\sccmtestwinxp-1.GEO.CORP.TEST.IN\admin$\' SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> System OS version string "5.1.2600" converted to 5.10 SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Service Pack version from machine "SCCMTESTWINXP-1" is 3 SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

CWmi::Connect(): ConnectServer(Namespace) failed. - 0x8004100e SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Unable to connect to WMI (r) on remote machine "SCCMTESTWINXP-1", error = 0x8004100e. SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Creating \ VerifyingCopying exsistance of destination directory \\SCCMTESTWINXP-1\admin$\system32\ccmsetup. SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Copying client files to \\SCCMTESTWINXP-1\admin$\system32\ccmsetup. SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Copying file "E:\Program Files (x86)\Microsoft Configuration Manager\bin\I386\MobileClient.tcf" to "\\SCCMTESTWINXP-1\admin$\system32\ccmsetup\MobileClient.tcf" SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Updated service "ccmsetup" on machine "SCCMTESTWINXP-1". SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

---> Started service "ccmsetup" on machine "SCCMTESTWINXP-1". SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

---> Deleting SMS Client Install Lock File '\\sccmtestwinxp-1.GEO.CORP.TEST.IN\admin$\SMSClientInstall.IBC' SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

---> Completed request "IYEWCKFT", machine name "SCCMTESTWINXP-1". SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

Deleted request "IYEWCKFT", machine name "SCCMTESTWINXP-1" SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

<======End request: "IYEWCKFT", machine name: "SCCMTESTWINXP-1". SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

Ccmsetup.log of client:


Source List: ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

\\GEO-TESTT-SCCMP1.GEO.CORP.TEST.IN\SMSClient ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

\\GEO-TESTT-SCCMP1\SMSClient ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

MPs: ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

GEO-TESTT-SCCMP1.GEO.CORP.TEST.IN ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

Updated security on object C:\WINDOWS\system32\ccmsetup\. ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

Sending Fallback Status Point message, STATEID='100'. ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

State message with TopicType 800 and TopicId {25347404-9ACF-48C7-8CAB-99A38A5CC66F} has been sent to the FSP FSPStateMessage 3/24/2011 6:09:19 AM 3024 (0x0BD0)

Running as user "SYSTEM" ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Detected 12981 MB free disk space on system drive. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

DetectWindowsEmbeddedFBWF() Detecting OS Version ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Client OS Version is 5.1, Service Pack Version 3 ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Client OS is not a supported Windows Embedded Platform ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Ccmsetup is being restarted due to an administrative action. Installation files will be reset and downloaded again. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Successfully ran BITS check. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

The 'Certificate Store' is empty in the registry, using default store name 'MY'. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

1 certificate(s) found in the 'MY' certificate store. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Only one certificate present in the certificate store. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

SSL Registry key Software\Microsoft\CCM not found, assuming Client SSL is disabled. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Certificate issued to 'sccmtestwinxp-1.GEO.CORP.TEST.IN' doesn't have private key. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Sending Fallback Status Point message, STATEID='315'. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

State message with TopicType 800 and TopicId {35618507-3DAE-476D-8521-40E9DC3F9A1A} has been sent to the FSP FSPStateMessage 3/24/2011 6:09:19 AM 2272 (0x08E0)


[Certificate issued to 'xyz' doesn't have private key.]

Yes, installation is failing because Configuration Manager can't find or can't read the private key for the certificate. I don't think you're missing anything simple. If you've deployed the certificate by using autoenrollment, I don't know why this would happen either - I more usually see this error message when the certificate has been moved from one store to another in the Certificates MMC. In this scenario, the Certificates MMC still says the private key is available when it really isn't and we've learned that this isn't a reliable way to verify whether the private key really is available. Try running the native mode readiness tool (Sccmnativemodereadiness.exe from %windir%\system32\CCM - see and check the log to see if this verification tool thinks the private key is available.

As a test, have you tried installing the certificate another way - for example, delete the certificate installed by autoenrollment (unless it's being used successfully by another application) and manually request the certificate from the Certificates MMC. Or, use Certreq.exe with an .inf file.

As a long shot, when you were configuring Certificate Services, did you change any cryptographic selections from the defaults - for example, the hash algorithm for the CA or the CSP selection on the certificate template? Native mode cannot support hash algorithms greater than SHA-1 and the default CSP for the Workstation Authentication certificate template is Microsoft RSA SChannel Cryptographic Provider.

Or export & import the cert!

It looks like the client certificate cannot be used because there is no private key for the certificate selected. Running the Native Mode Readiness tool will also check this - see This test sends the results to the fallback status point, but you can also check the sccmnativemodereadness.log file in the client log folder.

The most common reasons for this include:

  • Moving the certificate from one store (eg the User store) to another (the Computer store) rather than exporting it with the private key and then importing. We see this a lot because the later versions of the Web enrollment pages don't let you save the certificate directly to the computer store, and the Certificates MMC gives you the dangerous impression that you can move a certificate between stores just like you can move files in Explorer.
  • Requesting the certificate from another computer and then exporting/importing it, without the private key.

Do either of these apply to you? Both of these scenarios mean that the certificate template needs to allow the private key to be exported (not enabled by default and considered by many to be a security risk), and then selecting the option to export/import the private key when prompted in the wizard.
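The check the answers above describe, as an added example that is not code from the original post, from Microsoft or from the SCCM product: it looks at the Local Computer "MY" store the way ccmsetup does, then goes one step further than the Certificates MMC by actually opening and using the private key, which is exactly what fails when a certificate was moved between stores instead of being exported and imported with its key. It assumes an elevated Windows PowerShell prompt on the client; the Client Authentication EKU OID and the machine key folder are the Windows defaults, not values taken from the post.

```powershell
# Added example (not from the original post). Verifies, for every certificate in
# LocalMachine\My, that the private key is not only flagged as present but can be
# opened and used, and reports the facts ccmsetup in native mode cares about.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (assumed default)
$MachineKeys   = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                           'Microsoft\Crypto\RSA\MachineKeys'   # CAPI machine key folder (assumed default)

function Test-ClientCertPrivateKey {
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $r = @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        SigAlgorithm  = $Cert.SignatureAlgorithm.FriendlyName   # the post notes native mode expects SHA-1
        ClientAuthEku = $false
        HasPrivateKey = $Cert.HasPrivateKey     # what the MMC key icon reflects
        KeyUsable     = $false                  # what ccmsetup actually needs
        KeyContainer  = $null
        KeyFileExists = $null
        Error         = $null
    }

    # The certificate must carry the Client Authentication EKU.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $r.ClientAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })
    }

    if ($Cert.HasPrivateKey) {
        try {
            # .PrivateKey opens the CAPI key container and SignData forces CryptoAPI to
            # read the key material. Either throws when the container is missing or the
            # key was never imported, even though HasPrivateKey reports True.
            $rsa = $Cert.PrivateKey
            if ($null -eq $rsa) { throw 'Not a CAPI (CSP) key, or the key container is absent.' }
            $info = $rsa.CspKeyContainerInfo
            $r.KeyContainer  = $info.UniqueKeyContainerName
            $r.KeyFileExists = Test-Path (Join-Path $MachineKeys $info.UniqueKeyContainerName)
            $null = $rsa.SignData([byte[]](0..15), 'SHA1')
            $r.KeyUsable = $true
        } catch {
            $r.Error = $_.Exception.Message
        }
    }
    New-Object PSObject -Property $r
}

$certs = @(Get-ChildItem Cert:\LocalMachine\My)
if ($certs.Count -ne 1) {
    Write-Warning "$($certs.Count) certificates in LocalMachine\My; without selection criteria ccmsetup cannot pick one unambiguously."
}
$certs | ForEach-Object { Test-ClientCertPrivateKey -Cert $_ } |
    Format-List Subject, Thumbprint, NotAfter, SigAlgorithm, ClientAuthEku, HasPrivateKey, KeyUsable, KeyContainer, KeyFileExists, Error

# If KeyUsable is False: delete that certificate (certutil -delstore MY <thumbprint>) and
# re-request it on this machine (autoenrollment, the Certificates MMC, or certreq -new with
# an .inf as suggested above), or import a .pfx that was exported WITH its private key.
```

A certificate whose HasPrivateKey is True but whose KeyUsable is False, typically with a missing key file under MachineKeys, is the "moved between stores" case described above; the MMC will keep showing the key icon until the certificate is removed and re-enrolled.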


Amazing article by Tony Robbins for life!

Article by Anthony Robbins:


On Thanksgiving many years ago, a young family awoke with a sense of foreboding. Instead of looking forward to a day filled with gratitude, they were preoccupied by thoughts of what they did not have. At best, they would scrape together a meager meal on this day of ‘feasting’. If they had contacted a local charity group, they would have had a turkey with all the trimmings, but they hadn’t. Why? Because they, like many other families, were proud people. Somehow they would make do with what they had.

Their difficult situation led to frustration and hopelessness, then to irreparable, harsh words between the mother and father. The eldest son felt devastated and helpless as he watched the people he loved most become more and more angry and depressed.

Then destiny intervened… a loud and unexpected knock at the door! The boy opened it and was greeted by a tall man in rumpled clothing. He was grinning broadly, carrying a huge basket brimming with every conceivable Thanksgiving delight: a turkey, stuffing, pies, sweet potatoes, canned goods – everything for a holiday feast!

The family was stunned. The man at the door said, “This is from someone who knows you’re in need and wants you to know that you are loved and cared for.” At first, the father of the family didn’t want to take the basket, but the man said, “Look, I’m just a delivery person.” Smiling, he set the basket in the boy’s arms, turned to leave, then called over his shoulder, “Have a great Thanksgiving!”

In that moment, this young man’s life was forever changed. With this simple act of kindness he learned that hope is eternal, that people – even “strangers” – really do care. The sense of gratitude he felt moved him deeply, and he swore to himself that some day he’d do well enough to give something back to others in a similar way. And by the time he was eighteen years old, he had begun to fulfill that promise. With his scant earnings, he set out to purchase groceries, not for himself, but for two families he had learned were in dire need of food. He then drove to deliver them, dressed in an old pair of jeans and a T-shirt, intending to present the gift as if he were a delivery boy. When he arrived at the first dilapidated house, he was greeted by a Latina woman who looked at him suspiciously. She had six children, and her husband had abandoned the family only a few days before. They had no food.

The young man offered, “I have a delivery for you ma’am.”

He then went out to his car and began to carry in bags and boxes overflowing with food: a turkey, stuffing, pies, sweet potatoes, canned goods. The woman’s jaw dropped. The children, when they saw the food brought into the house, let out shrieks of delight.

The young mother, who spoke only broken English, grabbed the young man by the arm and started to kiss him all over, saying, “You gift from God! You gift from God!”

“No, no,” the young man said. “I’m just the delivery boy. This is a gift from a friend.” Then he handed her a note that said,

This is a note from a friend. Please have a wonderful Thanksgiving – you and your family deserve it. Know that you are loved. And someday if you have the chance, please do well enough to do this for someone else and pass on the gift.

The young man continued to bring in bag after bag of groceries. The excitement, joy, and love reached a fever pitch. By the time he left, the sense of connection and contribution moved the young man to tears. As he drove away, looking back at the smiling faces of the family he’d had the privilege to help, he realized that his story had come full circle, that the “horrible day” from his youth was actually a gift from God, guiding him, pointing him toward fulfillment through a life committed to contribution. With this one act, he began a quest that continues to this day: to return the gift that was given to him and his family and to remind people that there is always a way to turn things around, that they are loved, and that – with simple steps, a little understanding, and massive action – whatever challenges exist now can be turned into valuable lessons and opportunities for personal growth and long term happiness.

How do I know so much about this young man and his family, not only about what they did, but also how they felt? Because he is me.

I wrote this book because I want you to know that someone cares about you. I want you to know that no matter how daunting or overwhelming your circumstances may seem, you truly can turn things around. You can turn the dreams you once had into reality. How? By tapping into a power that’s inside of you right now as you read these words. This power within you can change anything in your life literally in a matter of moments. All you must do is unleash it.

How can I say this to you with such conviction? Simply because I’ve used the same power to change my own life on a massive scale. A little more than a decade ago, I was struggling and completely frustrated, with little or no hope. I was living in a cramped 400-square-foot bachelor apartment in Venice, California. I was lonely, miserable, and 38 pounds overweight. I had no plans for my future. I felt that life had dealt me a miserable hand and that there was nothing I could do to change it. I was financially broke and emotionally bankrupt. I felt overwhelmed, helpless and defeated.

I’m here to tell you, though, that in less than one year I changed it all. I lost 30 pounds in less than 30 days. And I kept it off because I didn’t just go on a diet, I changed my mindset. I trained my body into peak physical condition. I developed the confidence that was necessary to make it through the tough times and really achieve the goals I’d dreamed about. My secret was focusing on the needs of other people. I constantly asked the question “How can I add something of value to people’s lives?” Through this thought process, I became a leader. I realized early on that I couldn’t help others change if I couldn’t change myself. Not only was the secret to living giving, but to give, I had to become a better person. In the process of becoming more, I attracted the woman of my dreams, married her, and became a father. I went from living hand-to-mouth to more than a million-dollar net worth in less than one year. I moved from my run-down apartment to my present home: a 10,000-square-foot castle overlooking the Pacific Ocean.

But I didn’t stop there. As soon as I’d proved I could help myself, I immediately sought out the most profound ways to help others. I began to search for role models, those who could create change with lightning-like speed. These peak performers were some of the top teachers and therapists in the world, those who helped people with their problems in one or two sessions instead of one, two, or more years. Like a sponge, I learned as much as I could and began applying what they taught me immediately. I began to develop a series of strategies and understandings of my own.

Since then, these techniques have led me to work with more than a million people from forty-two nations in the world, offering them the tools and coaching to help them turn their lives around. This incredible privilege and opportunity to share my work has extended to a wonderful diversity of people from blue-collar workers to blue bloods from royal families around the globe, from presidents of countries to presidents of companies and presidents of the PTA, from movie stars to professional athletes and sports teams, from moms and medical doctors to children and the homeless. And through my books, tapes, seminars, and television shows, I’ve reached literally tens of millions of people. In every case, my goal has been to help people take control of and immediately increase their quality of life.

I don’t tell you this to impress you, but to impress upon you how fast things can change. Once we understand what shapes our thoughts, feelings, and behavior, all it takes is consistent, intelligent, massive action. With this book, I’m volunteering to be your coach in making any of the changes you desire.


Monday, September 21, 2009

Replication technology with Exchange 2010

This topic is related to log file copying and seeding between active and passive databases in Exchange Server 2010. Will Exchange Server 2010 offer changes or improvements in the way log file copying and seeding occurs with Local Continuous Replication (LCR), Cluster Continuous Replication (CCR) and Standby Continuous Replication (SCR) in Exchange Server 2007?

Although the asynchronous replication technology used in Exchange 2007 works quite well, that doesn't mean it can't be improved, right? Exchange Product Group has made several interesting changes and improvements to the asynchronous replication technology with Exchange 2010.

In Exchange 2007, the Microsoft Exchange Replication Service copies log files to the passive database copy (LCR), passive cluster node (CCR) or SCR target over Server Message Block (SMB), which means you need to open port 445/TCP in any firewalls between the CCR cluster nodes (typically when deploying multisite CCR clusters) and/or between SCR sources and targets. Those of you who work for or with a large enterprise organization know that convincing network administrators to open 445/TCP between two datacenters is far from a trivial exercise. With the Exchange 2010 DAG feature, the asynchronous replication technology no longer relies on SMB. Exchange 2010 uses its own TCP/IP channel for log file copying and seeding and, even better, lets you choose which port is used for log file replication. By default, a DAG uses TCP port 64327, but you can specify another port if required with the following command:

Set-DatabaseAvailabilityGroup -Identity <DAGName> -ReplicationPort <PortNumber>

In addition, the Exchange 2010 DAG feature supports encryption of the replication traffic, whereas log files in Exchange 2007 are copied over an unencrypted channel unless IPsec has been configured. More specifically, a DAG uses the Kerberos authentication and encryption capabilities of Windows Server 2008 between the Mailbox servers that are members of the DAG. Network encryption is a property of the DAG itself, not of a DAG network. The settings for a DAG's network encryption property are: Disabled (network encryption not in use), Enabled (network encryption used for seeding and replication on all networks in the DAG), InterSubnetOnly (the default; encryption is used only on DAG networks whose members sit on different subnets, so replication between members on the same subnet still travels in clear text), and SeedOnly (encryption used only for seeding, on all networks in the DAG). You enable network encryption with the Set-DatabaseAvailabilityGroup cmdlet. For instance, to encrypt log copying and seeding on every network in the DAG, you would execute:

Set-DatabaseAvailabilityGroup -Identity <DAGName> -NetworkEncryption Enabled

Finally, with Exchange 2010 DAGs you can enable compression for seeding and replication over one or more networks in a DAG. Like encryption, this is a property of the DAG itself, not of a DAG network. The default setting is InterSubnetOnly, and the same four values are available as for the network encryption property. To enable network compression for log file copying and seeding on all networks in a DAG, use the command: Set-DatabaseAvailabilityGroup -Identity <DAGName> -NetworkCompression Enabled. To check the port, encryption and compression settings of a DAG, run Get-DatabaseAvailabilityGroup -Identity <DAGName> -Status and look at the ReplicationPort, NetworkEncryption and NetworkCompression properties.
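The three settings above, applied and then verified end to end, as an added example that is not code from the original post or from Microsoft. It runs in the Exchange 2010 Management Shell and assumes a DAG named DAG01, that TCP 60000 is free on every member, and that WinRM is enabled on the members so Invoke-Command can reach them; the firewall rule name is made up for this example.

```powershell
# Added example (not from the original post): harden a DAG's replication channel
# and confirm the result. DAG name, port and firewall rule name are assumptions.
$DagName = 'DAG01'
$NewPort = 60000

# Encrypt on every network, not only between subnets, so log copies and seeds
# inside a datacenter are protected too; compress on every network as well.
Set-DatabaseAvailabilityGroup -Identity $DagName -NetworkEncryption Enabled
Set-DatabaseAvailabilityGroup -Identity $DagName -NetworkCompression Enabled
Set-DatabaseAvailabilityGroup -Identity $DagName -ReplicationPort $NewPort

$dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
$dag | Format-List Name, ReplicationPort, NetworkEncryption, NetworkCompression, Servers

# Fail loudly if log shipping would still cross a network in clear text.
if ($dag.NetworkEncryption -eq 'Disabled' -or $dag.NetworkEncryption -eq 'SeedOnly') {
    Write-Warning "$DagName still ships log files unencrypted on at least one network."
}

# A non-default port is only half the job: each member must allow it inbound, and
# the Microsoft Exchange Replication service picks the port up at start-up, so
# restart it on one member at a time during a maintenance window.
foreach ($server in $dag.Servers) {
    Invoke-Command -ComputerName $server.Name -ArgumentList $NewPort -ScriptBlock {
        param($port)
        netsh advfirewall firewall add rule name="Exchange DAG replication TCP $port" `
            dir=in action=allow protocol=TCP localport=$port | Out-Null
        Restart-Service -Name MSExchangeRepl
    }
}

# Confirm each member is actually listening on the new port before declaring done.
foreach ($server in $dag.Servers) {
    $listening = Invoke-Command -ComputerName $server.Name -ArgumentList $NewPort -ScriptBlock {
        param($port)
        [bool]((netstat -an -p TCP) -match ":$port\s+\S+\s+LISTENING")
    }
    "{0}: listening on TCP {1} = {2}" -f $server.Name, $NewPort, $listening
}
```

Setting the port without the firewall rule and the service restart is the usual reason a changed ReplicationPort shows up in Get-DatabaseAvailabilityGroup but copies stay suspended; the netstat check at the end catches that before the first seed is attempted.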

Question on Multi-subnet clusters and using static routes with Exchange 2007 CCR on Windows Server 2008

Q. We are deploying a multisite Exchange 2007 SP1 cluster using Cluster Continuous Replication (CCR). The two cluster nodes will be located in separate datacenters. Exchange runs on Windows Server 2008 SP2 and we plan to have the public and private interfaces located in different subnets in each datacenter. As you know, this means we must use routing between the cluster nodes.
We have no problem configuring the public interface according to the instructions in "". But when we configure the default gateway on the private interface, we receive the warning message shown in Figure below:

Based on this warning message, we suspect things will not work properly if we specify multiple default gateways on each node in our multisite CCR cluster. This leads us to our question: How should we configure the private network interface in this type of scenario?

A. Specifying multiple default gateways on a multisite CCR cluster will cause major issues. The proper configuration keeps a single default gateway on the public interface and uses persistent, static routes for each private interface.

To get started, make sure the public interface is listed first on the connection order list under Advanced Settings in the Network Connections control panel. Next, make sure you have specified a default gateway on the public network interface for each cluster node.

Finally, configure routes on the private interfaces so that all traffic that doesn't match the route created will use the default gateway of the public interface.

The -p parameter specifies that the created routes are persistent and won't be cleared after a reboot. This configuration will ensure proper networking for each interface in the cluster nodes. It's recommended to configure the private network as a mixed network so that the Enable-ContinuousReplicationHostName cmdlet can be used to direct replication activity over the redundant network.

With the enhancements in Windows 2008 to allow for multi-subnet clustering it is becoming more common to see this utilized with Exchange 2007 SP1 installations.

When implementing a clustered solution, it is a requirement that there be a minimum of two interfaces on each node, and that each node can maintain communications across those interfaces. There are two ways to meet this requirement with multi-subnet clusters:
  • The “public” interface of each node resides in different subnets with the “private” interfaces residing in a stretched subnet.
  • The “public” interface of each node resides in different subnets with the “private” interfaces also residing in different subnets.
Where both network interfaces are in different subnets, this generally requires routing between those subnets. A common misconfiguration I see in this design is the use of default gateways on both of these network interfaces.

When a user attempts to configure two network interfaces, each with a default gateway, the operating system displays the warning shown in the screenshot above.

The text of this message matters: it states plainly that this configuration will not produce the desired results.

The most likely cluster configuration where Exchange is used with this type of clustering is cluster continuous replication (CCR). When multiple default gateways are defined, users may see inconsistent results in the performance and ability to replicate logs between the nodes. The replication issues between nodes are exacerbated when continuous replication hostnames are used on the secondary networks that have the default gateway assigned. These issues come on top of any issues the cluster service may have maintaining communications between the nodes and any communication issues clients may have connecting to the nodes.

If the default gateways are removed from the “private” adapters, reliable routed communications can only occur over the “public” interface. So, if two default gateways cannot be used, how should we ensure proper communications over both the “public” interface and the “private” interface when both reside in different routed subnets?

The first part of this solution is to ensure that the binding order of the network interfaces is set correctly in the operating system. To confirm the binding order:
  • Open the network connections control panel.
  • Choose the advanced menu (if menu is disabled, enable it by selecting Organize –> Layout –> Menu Bar).
  • Select advanced settings from the advanced menu.
  • On the adapters and bindings tab, ensure that the “public” interface is first in the list, with all secondary interfaces following after.
The second part of the solution is to maintain the default gateway on the “public” interface.

The third part of the solution is to add persistent static routes on the “private” interfaces. We simply need to configure routes to the other “private” networks using gateway addresses that can route between those “private” networks. All other traffic not matching these routes is handled by the default gateway of the “public” adapter.

Let’s take a look at an example.

I desire to have a two node Exchange 2007 SP1 CCR cluster on Windows 2008 with each node residing in a different subnet.

Node A:

  • IP Address
  • Subnet Mask
  • Default Gateway
  • IP Address
  • Subnet Mask
  • Gateway on network
Node B:

  • IP Address
  • Subnet Mask
  • Default Gateway
  • IP Address
  • Subnet Mask
  • Gateway on network
(Note that gateway on network is not the default gateway setting but is the gateway on the private interface network that can route packets to the private network on the other nodes.)

In this case I would want to establish the necessary persistent static routes on each node. In order to accomplish this, I can use the route add command. The structure of the route command:

NodeA: Route add mask –p

NodeB: Route add mask –p

The -p switch ensures that the routes are persistent and survive a reboot. Without -p, the routes are removed the next time the node restarts.

You can verify that the routes are correct by running route print and reviewing the persistent route information.

By utilizing only a default gateway on the “public” adapter, and static routes on the “private” adapters, you can ensure safe routed paths for client communications, cluster communications, and replication service log shipping.
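The three-part procedure above (one default gateway, public adapter bound first, persistent routes on the private adapters), carried out and verified on one node, as an added example that is not code from the original article. The addresses are constructed to stand in for the blank Node A / Node B values above: Node A private interface 10.1.2.10/24 with gateway 10.1.2.1 on that network, Node B private interface 10.2.2.10/24 with gateway 10.2.2.1. It runs elevated on Node A (swap the two networks for Node B); the public adapter's connection name "Public" is an assumption, and mapping the TCP/IP binding order in the registry to adapter names assumes Windows Server 2008 or later.

```powershell
# Added example (not from the original article). Addresses and the adapter name are
# constructed for illustration; run elevated on Node A.
$RemotePrivateNet  = '10.2.2.0'
$RemotePrivateMask = '255.255.255.0'
$RemotePrivateHost = '10.2.2.10'     # Node B private address (constructed)
$LocalPrivateGw    = '10.1.2.1'      # gateway on Node A's private network (constructed)
$PublicAdapterName = 'Public'        # connection name of the public interface (assumed)

# 1. Exactly one adapter may carry a default gateway, and it must be the public one.
#    Two of them is precisely the configuration the OS warning is about.
$ipCfg  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$withGw = @($ipCfg | Where-Object { $_.DefaultIPGateway })
if ($withGw.Count -ne 1) {
    $withGw | ForEach-Object {
        Write-Warning ("Default gateway on '{0}': {1}" -f $_.Description, ($_.DefaultIPGateway -join ','))
    }
    throw "Expected one default gateway (on the public adapter), found $($withGw.Count)."
}

# 2. Binding order: the first entry under Tcpip\Linkage\Bind is what the
#    'Adapters and Bindings' tab lists first, and it must be the public adapter.
$bind      = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
$firstGuid = ($bind[0] -split '\\')[-1]                     # '\Device\{GUID}' -> '{GUID}'
$firstNic  = Get-WmiObject Win32_NetworkAdapter -Filter "GUID = '$firstGuid'"
if ($firstNic.NetConnectionID -ne $PublicAdapterName) {
    Write-Warning "First bound adapter is '$($firstNic.NetConnectionID)', expected '$PublicAdapterName'."
}

# 3. Persistent route to the other node's private network through the local
#    private-network gateway; -p stores it in the registry so it survives reboots.
route -p add $RemotePrivateNet mask $RemotePrivateMask $LocalPrivateGw
if ($LASTEXITCODE -ne 0) { throw "route add failed (exit code $LASTEXITCODE)" }

# 4. Verify: the route is in the persistent route table (the WMI view of the
#    'Persistent Routes' section of route print) and the peer answers through it.
$persisted = Get-WmiObject Win32_IP4PersistedRouteTable |
             Where-Object { $_.Destination -eq $RemotePrivateNet -and $_.NextHop -eq $LocalPrivateGw }
if (-not $persisted) { throw 'Persistent route not present after route add.' }
Test-Connection -ComputerName $RemotePrivateHost -Count 2 | Format-Table Address, IPV4Address, ResponseTime
```

Running the checks in steps 1 and 2 before adding the route is deliberate: a second default gateway or the private adapter bound first will make replication over the private network look intermittently broken even when the static route itself is correct.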