Zeros & Ones

The winner takes it all….The loser standing small.

Brief Description

The ISA Server Best Practices Analyzer (BPA) is a diagnostic tool that automatically performs specific tests on configuration data collected on the local ISA Server computer from the ISA Server hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings.

The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

The ISA Server Best Practices Analyzer is supplied with two supplemental tools.

• The ISA Data Packager enables you to create a single .cab file containing ISA Server diagnostic information that can be easily sent to Microsoft Product Support Services for analysis.

• BPA2Visio generates a Microsoft Office Visio® 2003 or Visio 2007 diagram of your network topology as seen from an ISA Server computer or any Windows computer based on output from the ISA Server Best Practices Analyzer Tool.

Go there and be the one to use it

I faced problem in implementation Client Web Access server on windows 2003 R2 SP2.

The problem prevent client web access…first I thought it is configuration problem but when I checked the event viewer I saw that Error

ErrorID : 2274

Source : W3SVC-WP

This error on CWA server related to cwsauth.dll file that can’t be loaded.

I contact Microsoft for the error and got the following replay:

Support for 64-bit Operating Systems

Office Communications Server 2007 supports the following tested 64-bit configurations:

• The 64-bit edition of SQL Server™ 2005 SP2 on the Back-End Database of an Enterprise pool or the Archiving and CDR database.
• Running the 32-bit version of the Access Edge Server on 64-bit hardware with WOW (Windows on Windows) 64 mode on the 64-bit edition of Windows Server 2003 SP1 and later.
• Running the 64-bit kernel driver component of the A/V Edge Server natively on 64-bit hardware plus the A/V Edge Server service component with WOW64 mode on the 64-bit edition of Windows Server 2003 SP1 and later.
• Running the 32-bit version of Standard Edition server on 64-bit hardware with WOW64 mode on the 64-bit edition of Windows Server 2003 SP1 and later.

Like you see it does not give any answer for my problem.. Actually deploying OCS in X64 bit system is not the best practice since the setup for OCS and the console run under the WOW64 subsystem since they are 32bit programs.

I searched the internet and find more problems related to this problem

Comment : Deploy your OCS server in win X86 mode..It is better.

Aside:Actually, I think your situation has a better solution that solve X64 problem. I think it is known issue with application running in IIS in WOW64 mode.

If you check your Event Log entries, you will likely find several of the following entry, followed by another entry declaring that the Application Pool is being disabled.

Event Type: Error
Event Source: W3SVC-WP
Event Category: None
Event ID: 2274

Description:
Could not load all ISAPI filters for site/service.

I think the reason why you are getting this event is straight forward:

• On 64bit Windows, the “bitness” (i.e. 32bit or 64bit) of a process must match the bitness of the DLLs loaded by that process. In other words, a 64bit EXE can only load 64bit DLLs, and 32bit EXE can only load 32bit DLLs ( the problem of the cwsauth.dll file ).
• By default, IIS6 on 64bit Windows runs with 64bit W3WP.EXE worker processes
• .NET Framework 2 has ASP.Net implemented through 32bit ISAPI DLLs.

What is happening when OCS wizard install .NET Framework 2 on IIS6 on 64bit Windows is that while IIS6 runs W3WP.EXE as 64bit, you are configuring it to load some 32bit ISAPI DLLs. This does not work and leads to the event log entry. Since the ISAPI DLLs are loaded for every request, this failure immediately happens again and again, thus triggering the “Rapid Fail Protection” health monitoring check of IIS6. This leads to this Application Pool being taken offline .

One way to fix this issue is to:

1. Change IIS6 run W3WP.EXE as 32bit
2. *** IMPORTANT *** Then restart the CWA Application Pool that returns the error since it is stopped. You cannot fix any error without restarting the Application Pool.

Changing IIS6 to run W3WP.EXE as 32bit allows the 32bit ISAPI DLLs installed by .NET Framework 2 for ASP.NET to load and run inside of it. This is done by running the following commandline:

CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

This command switches IIS6 into running WOW64 (i.e. 32bit compatibility) mode on 64bit Windows on-the-fly so that IIS6 can immediately run 32bit ISAPI DLLs… unless that Application Pool is ALREADY returning 503 errors, in which case you MUST restart the Application Pool to have the bitness switch take effect. It makes sense because a 503 error means the Application Pool is offline and not running, so you must restart it to have setting changes take effect.

You can do this by either:

• Restarting the Application Pool in question
• Restarting IIS

  NET STOP W3SVC /y & NET START W3SVC

• Reboot the server
  

  SHUTDOWN -r -t 0

Now, I cannot guarantee that this works for you because you may have other applications that must run as 64bit, in which case you have a conflicting need to simultaneously run 32bit and 64bit code in IIS6, which is not allowed.

See KB 895976 for more details.

• Microsoft System Center Configuration Manager 2007 SP1 introduces a new feature for out of band management.
• Configuration Manager 2007 SP1 provides significant enhancements to the Asset Intelligence feature introduced in Systems Management Server (SMS) 2003 and included in Configuration Manager 2007.
• The length of the evaluation period has changed in Configuration Manager 2007 SP1 to be more consistent with other Microsoft products. In Configuration Manager 2007, the evaluation period is 120 days. In Configuration Manager 2007 SP1, the evaluation period is 180 days.
• The Application Compatibility Toolkit (ACT) Connector and the System Center Updates Publisher are no longer included with the Configuration Manager 2007 SP1 installation media.
• Microsoft System Center Configuration Manager 2007 SP1 provides support for Windows Server 2008 as clients and site systems.

• Application Virtualization management support
• Forefront Client Security Integration
• SQL Reporting Services Reporting – Allows you to report on Configuration Manager activity using SQL Reporting Services
• Client Status Reporting – Provides a set of tools and Configuration Manager 2007 reports to assess the status of client computers, sometimes referred to as “client health.” Clients that show a change in activity patterns might need administrative intervention.
• Operating System Deployment Enhancements
  • Unknown computer support
    In Configuration Manager 2007 R2, you can deploy operating systems to computers using a PXE service point without first adding the computer to the Configuration Manager database.
  • Multicast deployment
    Previously, all operating system deployments used unicast. Multicast can make more efficient use of network bandwidth when deploying large images to several computers at the same time.
  • Running command lines in task sequences with credentials other than the local system account.

Automatic configuration allows Communicator to find and connect to the appropriate OCS server without manually entering a server name into its settings. Communicator has special requirements for DNS and certificates to make this work properly.

The problem that OCS likes other Microsoft UC solutions does not support multiple SIP name. Most of organizations need DNS splitting as security requirement.

Here you are the Scenario: We have organization that its internal domain name is Contoso.ad and have E2K3 server with E-mail Policy @contoso.com, they need to implement new OCS server to support internal and external users.

Easy, maybe it looks like that…The problem that office communicator is designed to log-on using server within same domain name i.e. the OCS FQDN must be in our case OCSSRV.contoso.ad.

Until now, it is okay but the user must log-on with name user@contoso.com so we have to support contoso.com SIP domain.

Are you confused? It is little tricky… here you are the solution

Hosting Domain Contoso.ad, Contoso.com

OCS Computer FQDN OCSSRV.contoso.ad

Supported SIP Domains:

Contoso.ad (default inherited from AD)

Contoso.com

DNS Records (Internal)

Split DNS configuration is a requirement for automatic configuration. Simply put, split DNS means you have two DNS zones for one domain name. One DNS zone exists on internal DNS servers and provides name resolution only for internal clients. Another DNS zone exists on external DNS servers to service external clients.

Split DNS is required so that users can use the same sign-on name in Communicator and have their correct login server resolved inside and outside the network.

First, we have to create primary DNS zone in internal domain with name Contoso.com. Create A record in it for OCSSRV server.

The following SRV records need to be created. Note that these records must be created in the DNS database of the servers authoritative for the particular zone.

Certificate Configuration

To support multiple domains for encrypted communications we require that all front-ends in the Pool be configured with a certificate. The certificate must match the FQDN returned by any DNS SRV query. Therefore, the certificate must contain multiple entries. We call these SANs (Subject Alternate Name) and the certificate must include the FQDN of the pool and one entry for each supported SIP domain.

Subject Name

OCSSRV.contoso.ad

Subject Alternate Name

Sip.contoso.ad

Sip.contoso.com

OCSSRV.contoso.com

OCSSRV.contoso.ad

I tried to do that through the OCS certificate configuration wizard …It should work.

but if it failed you can do it through another way.

You have to obtain Subject Alternative Name (SAN) to your OCS certificate. The OCS certificate is submitted to a certification authority (CA) that is configured on a Microsoft Windows Server 2003-based computer. The SAN lets you connect to a domain controller by using a Domain Name System (DNS) name other than the computer name. I will explain how to add SAN attributes to a certification request that is submitted to an enterprise CA (ContosoCA)

How to configure a CA to accept a SAN attribute from a certificate request

By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service.

Certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

How to create and submit a certificate request

When you submit a certificate request to an enterprise CA, the certificate template must be configured to use the SAN in the request instead of using information from the Active Directory directory service.

How to use Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

1. In Internet Explorer, connect to http://contoso.ad/certsrv.
2. Click Request a Certificate.
3. Click Advanced certificate request.
4. Click Create and submit a request to this CA.
5. In the Certificate Template list, click Web Server.
6. Provide identifying information as required.
7. In the Name box, type the fully qualified domain name of the OCS server.
8. Under Key Options, set the following options:
   • Create a new key set
   • CSP: Microsoft RSA SChannel Cryptographic Provider
   • Key Usage: Exchange
   • Key Size: 1024
   • Automatic key container name
   • Store certificate in the local computer certificate store
9. Under Advanced Options, set the request format to CMC.
10. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:

San:dns=OCSSRV.contoso.com&dns=sip.contoso.com

&dns=sip.contoso.ad&dns=OCSSRV.contoso.ad

Multiple DNS names are separated by an ampersand (&).

1. Click Submit.
2. If you see the Certificate Issued Web page, click Install this Certificate.

Now return to OCS deployment and choose configure certificate wizard,

Choose to assign existing certificate and choose OCSSRV.contoso.ad server authentication certificate.

Assign the certificate in the IIS and restart it.

Now you can sign in with user@contoso.com although your pool is OCSSRV.contoso.ad.

Check this also at the UC Guy

I feel That I owe Riseup something… I am so attracted to idea and proud to be Riseup user.

Blow The story of this great movement.

In our early days, all of Riseup’s servers were housed in people’s basements around Seattle. Though lovely in theory, in practice it meant that power outages, heat loving vermin shacking up with our boxes, and eco-conscious house guests turning off computers, could lead to collective panic. Our motto during this time was “Just as reliable as Hotmail.” We didn’t always know if we were doing the right thing spending so much time writing software, fixing bugs, and providing services, but we hoped it would grow and be good for the movement.

So here we are, seven years later, still hoping we are useful to people.
If you have any stories of how Riseup.net has affected your world, we would love to hear them, and might include a few in our newsletter this year. Please send them to pigeon@riseup.net.

Evaluating Windows Server 2008 software does not require product activation. Any edition of Windows Server 2008 may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days.

How to manually extend the evaluation period

loadTOCNode(2, ‘moreinformation’); When the initial 60-day evaluation period nears its end, you can run the Slmgr.vbs script to reset the evaluation period. To do this, follow these steps:

This resets the evaluation period to 60 days.

 After Long time of waiting Microsoft announce for Vista SP1 Beta Release.

Check this out.

Good Review By Preston Gralla

One of the hardest thing in OCS 2007 implementation is certificate. It keep return errors all the time so you must be careful in every step in it.

While I was in OCS STD implementation I faced a event ID 36780.

I have tried installing multiple certificates, and am having issues with an Schannel event log error .I see the following errors in the event log:

Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36870
Date: 12/27/2007
Time: 3:50:18 PM
User: N/A
Computer: OCSSRV
Description:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0×80090016.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This problem occurs because of a limitation of the Certificates snap-in.

When you use the Certificates snap-in to copy a certificate together with a private key to the local computer store, the private key is not copied.

This happen when assign certificate you obtain to OCS ( Server Authentication ) to IIS to have secure SSL session.

WORKAROUND

To work around this problem, import the certificate together with the private key to the local computer store. To do this, follow these steps: