Using LDAPS (Secure LDAP Binding) with Moodle for Sign-In running on IIS in a Windows Active Directory Domain

(Screenshot: LDAP server settings in Moodle)

Running Moodle's LDAP authentication queries over an encrypted channel is fairly straightforward. The method below does not validate the Domain Controller's certificate; it encrypts the traffic between Moodle and your DC so that bind credentials and directory data can't be read off the wire by anyone passively sniffing. Because validation is switched off it does not protect you from an active attacker who impersonates the DC, so treat it as a stepping stone until you can point the client at a trusted CA certificate. The first thing you will want to do is install the latest OpenSSL binaries onto your Moodle server. Once this is done, create the folder C:\OpenLDAP\sysconf\ on the C drive (this is where the OpenLDAP client library behind PHP's LDAP extension looks for its configuration on Windows) and create a new text file in it called ldap.conf, containing a single line:

TLS_REQCERT never

TLS_REQCERT never tells the OpenLDAP client to accept whatever certificate the server presents. Now that the client configuration is in place, restart IIS (iisreset from an elevated prompt) so PHP picks up the new ldap.conf. Once things are back up, log in to Moodle as an administrator and, in the LDAP server settings, change the Host URL from ldap://<your DC> to ldaps://<your DC> and the port from 389 to 636. Use the DC's fully qualified name in that URL, as that is the name that has to appear on its certificate once you move to verifying it.
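As an added check that is not part of the original post: before settling for TLS_REQCERT never, it is worth seeing what the DC actually presents on 636 and whether it already chains to a root your server trusts. The PowerShell below (my own example, run on the Moodle server) pulls the certificate from the DC, validates it against the local certificate store, and, if it validates, exports the root CA as PEM and writes an ldap.conf that makes the OpenLDAP client verify the DC instead of trusting anything. The DC hostname and file names are assumptions.

```powershell
# Added example, not from the original post. Connects to the DC on 636, validates the
# certificate it presents against the local trust store, and on success writes an
# ldap.conf that pins the client to that CA. Hostname and file names are assumptions.
param(
    [string]$DomainController = 'dc01.corp.example.com',   # assumption
    [int]$Port = 636,
    [string]$ConfDir = 'C:\OpenLDAP\sysconf'                # path used in the post
)
Add-Type -AssemblyName System.Security

$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
# Accept anything at the TLS layer; the trust check is done explicitly below so the
# reason for a failure can be reported rather than just "handshake failed".
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($DomainController)
    $protocol = $ssl.SslProtocol
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is a separate concern; keep the check offline-friendly
$trusted = $chain.Build($cert)
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

[pscustomobject]@{
    Server       = $DomainController
    Protocol     = $protocol
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    NameMatches  = ($dnsName -ieq $DomainController)   # OpenLDAP checks the name as well as the chain
    ChainTrusted = $trusted
    ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
} | Format-List

if (-not $trusted) {
    Write-Warning "Certificate from $DomainController does not chain to a trusted root; TLS_REQCERT never only protects against passive sniffing until this is fixed."
    return
}

# The last element of a built chain is the root; export it as PEM for TLS_CACERT.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($root.Export('Cert'), 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----`r`n"
New-Item -ItemType Directory -Path $ConfDir -Force | Out-Null
Set-Content -Path (Join-Path $ConfDir 'dc-ca.pem') -Value $pem -Encoding Ascii

# Verify the DC against the exported CA instead of accepting any certificate.
@"
TLS_CACERT $ConfDir\dc-ca.pem
TLS_REQCERT demand
"@ | Set-Content -Path (Join-Path $ConfDir 'ldap.conf') -Encoding Ascii
Write-Host "Wrote $ConfDir\ldap.conf with TLS_REQCERT demand; restart IIS for PHP to pick it up."
```

If NameMatches comes back false, the Host URL in Moodle has to be changed to a name that is on the certificate (usually the DC's FQDN) before TLS_REQCERT demand will work.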

Changing the SQL Server Collation After Installation for SQL Server 2012 or 2014 without re-installation

So I was asked recently to set up a test environment for one of our CRM applications. Instead of copying the existing virtual machine I decided to create a new one from scratch, installed SQL Server 2012 and the required application files. As I went to install the database onto the SQL Server I realised that I had selected the wrong server collation during installation (I chose SQL_Latin1_General_CI_AI). In the past with 2008 / 2008 R2 I've needed to uninstall and reinstall to change the server collation. This is no longer the case with SQL Server 2012 or 2014.

After going over the software's documentation, I needed a server collation of SQL_Latin1_General_CP1_CI_AI. A couple of recommendations with this method: if you already have databases mounted, back them up, then remove them (this speeds up the process a fair bit if you have databases with heaps of rows and indexes). I'm not sure how supported this is by Microsoft; I'm doing it in an environment where, even though it is live data, it isn't critical.

Anyway, moving on. Firstly, shut down any SQL Server services that are running (the engine and anything that depends on it, such as SQL Server Agent), then open an administrative command prompt and change to the SQL Server Binn directory. For a default instance of SQL Server 2012 that is C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn (2014 uses MSSQL12). Once there, issue the following command (replace the collation and the instance name with whichever you need):

sqlservr -m -T4022 -T3659 -s"MSSQLSERVER" -q "SQL_Latin1_General_CP1_CI_AI"

The command above starts the engine in single-user mode (-m), enables two trace flags with -T (4022 skips any automatically started stored procedures, 3659 logs all startup errors to the error log), names the instance with -s and sets the new collation with -q. The -q switch rewrites the collation of every system and user database and every character column to the one specified; it does not re-encode the data already stored, so if the old and new collations use different code pages, existing char/varchar data can come back garbled, which is another reason to back up and remove user databases first. The instance will run through the rebuild and then report that the operation has completed and that no user action is required; at that point close the window. Start the SQL services you stopped earlier and the server and its databases will have the new collation (restore or re-attach your user databases if required).
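The whole procedure as one PowerShell runbook, added here as my own example rather than the author's: it stops the instance and its dependants, launches sqlservr.exe with the -q switch in its own console window, waits for you to confirm the rebuild has finished (the engine stays up after the rebuild, as the post notes, so the script ends it the same way closing the window would), restarts the services and then checks the result over .NET SqlClient so no SQL client tools are needed. The instance name, Binn path and collation are assumptions for a default SQL Server 2012 instance; run it elevated.

```powershell
# Added example, not from the original post: the collation rebuild described above,
# scripted end to end with a verification step. Instance, Binn path and collation are
# assumptions for a default SQL Server 2012 instance.
param(
    [string]$Instance  = 'MSSQLSERVER',
    [string]$Collation = 'SQL_Latin1_General_CP1_CI_AI',
    [string]$Binn      = 'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn'
)

function Get-CollationReport {
    # Server collation plus every database's collation, via .NET SqlClient.
    param([string]$Server)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation')) AS ServerCollation, name, collation_name FROM sys.databases ORDER BY database_id"
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            [pscustomobject]@{ ServerCollation = $rdr['ServerCollation']; Database = $rdr['name']; Collation = $rdr['collation_name'] }
        }
        $rdr.Close()
    } finally { $conn.Close() }
}

$svcName   = if ($Instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$Instance" }
$sqlServer = if ($Instance -eq 'MSSQLSERVER') { 'localhost' } else { "localhost\$Instance" }

# Stop dependants (e.g. SQL Server Agent) first, then the engine itself.
$dependants = Get-Service -Name $svcName -DependentServices | Where-Object Status -eq 'Running'
$dependants | Stop-Service -Force
Stop-Service -Name $svcName -Force

# -q rewrites the collation of every database and character column but does not re-encode
# existing data. 4022 skips startup procedures, 3659 logs all startup errors.
$proc = Start-Process -FilePath (Join-Path $Binn 'sqlservr.exe') -PassThru `
    -ArgumentList @('-m', '-T4022', '-T3659', "-s$Instance", "-q$Collation")
Read-Host 'Watch the sqlservr window; press Enter here once it reports the rebuild has completed'
if (-not $proc.HasExited) { Stop-Process -Id $proc.Id -Force }   # equivalent to closing the window

Start-Service -Name $svcName
$dependants | Start-Service

$report = Get-CollationReport -Server $sqlServer
$report | Format-Table Database, Collation -AutoSize
$actual = ($report | Select-Object -First 1).ServerCollation
if ($actual -ne $Collation) { throw "Server collation is $actual, expected $Collation" }
Write-Host "Server collation is now $actual"
```

The final check matters: if the rebuild was interrupted you can end up with a server collation that changed while some databases did not, and sys.databases is where that shows up.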

How to remove the Open File Security Warning Prompt during Driver Deployment or User Login when using MDT or SCCM

(Screenshot: Open File – Security Warning prompt)

During a deployment of Windows, or even after Windows is deployed, you may see an Open File – Security Warning prompt when an .EXE runs (similar to the one in the screenshot).

This happens because when you download an .EXE, .ZIP or .CAB, Internet Explorer (as well as Firefox and Chrome) writes an NTFS alternate data stream named Zone.Identifier onto the file, recording that it came from the Internet zone (ZoneId=3) rather than a trusted one. Extracting the archive with Windows Explorer carries the mark over to the extracted files, so the driver payloads end up flagged too. In certain deployments the prompt can then appear several times when a user logs in, as the applications that live in the system tray start up, among them igfxtray.exe, apmsgfwd.exe, apntex.exe, apoint.exe, gfxui.exe, hidfind.exe, hkcmd.exe and igfxpers.exe.

To get around this we need to remove the Zone.Identifier stream, and a small utility from Sysinternals can do it. Download Streams, copy it to your MDT or SCCM server and run the following, changing the path to the location containing your drivers. The -s switch recurses into subdirectories and -d deletes the streams it finds; note that -d removes every alternate data stream on each file, not just Zone.Identifier.

streams.exe -s -d "E:\MDTDeploymentShare\Out-Of-Box Drivers"

Make sure you run that from an administrative command prompt and accept the licence agreement on the first run (or add -accepteula to do it unattended). Only do this to driver content you have actually vetted: the mark is what stops an unknown download from running silently, and removing it across a whole share removes that check for everything in it. Hope that helps.
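A more selective alternative, added here as my own example rather than anything from the original post: PowerShell 3 and later can read alternate data streams directly with Get-Content -Stream and clear only Zone.Identifier with Unblock-File, so you can see which files are actually marked, which zone they came from, and refuse to unblock executables whose Authenticode signature does not verify. The share path is an assumption; -WhatIf shows what would be unblocked without touching anything.

```powershell
# Added example, not from the original post: list driver files still carrying the
# Zone.Identifier stream and unblock only those that pass a signature check.
param(
    [string]$DriverRoot = 'E:\MDTDeploymentShare\Out-Of-Box Drivers',   # assumption
    [switch]$WhatIf
)

function Get-MarkedFiles {
    # Returns every file under $Root that has a Zone.Identifier stream, with the ZoneId
    # parsed out (3 = Internet, 4 = Restricted sites).
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        $zone = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($zone) {
            $line = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            $id = if ($line) { [int]($line -replace '^ZoneId=', '') } else { $null }
            [pscustomobject]@{ Path = $_.FullName; ZoneId = $id }
        }
    }
}

# File types that can carry an Authenticode signature and that Windows will execute.
$signable = '\.(exe|dll|sys|msi|msu|ps1)$'

$marked = @(Get-MarkedFiles -Root $DriverRoot)
Write-Host "$($marked.Count) marked file(s) under $DriverRoot"

foreach ($m in $marked) {
    if ($m.Path -match $signable) {
        $sig = Get-AuthenticodeSignature -FilePath $m.Path
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Leaving mark on $($m.Path): signature $($sig.Status)"
            continue
        }
    }
    # Unblock-File deletes only the Zone.Identifier stream, unlike streams -d.
    Unblock-File -LiteralPath $m.Path -WhatIf:$WhatIf
    Write-Host "Unblocked $($m.Path) (was ZoneId $($m.ZoneId))"
}
```

Files that are left marked because the signature check failed are worth a second look before they go anywhere near a deployment share; a driver vendor's executable normally verifies cleanly.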

Getting a machine product name and serial number using WMIC for use with MDT or SCCM

(Screenshot: wmic csproduct get name output)

Quick post today. I organise my driver folders by manufacturer and model and then use a task sequence to pick the machine-specific drivers. Getting the exact model name helps, and one way to do that is via a WMI query. It's a command I use quite a bit (and tend to forget half the time).

wmic csproduct get name

The result is the exact string WMI returns, which you can use in your task sequence. Then plug the model you are targeting into an MDT or SCCM task sequence condition. For an SCCM example, a WMI Query condition on the step or group would be:

SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%OptiPlex 9020%"

Another useful one is:

wmic bios get serialnumber

This one shows the machine serial number, which is handy for warranty claims if you're not using SCCM. One thing to check on a sample machine: wmic csproduct reads Win32_ComputerSystemProduct.Name, while the condition above (and MDT's own %Model% variable) reads Win32_ComputerSystem.Model. They normally agree, but not always; Lenovo, for instance, puts the machine type in Model and the marketing name in Win32_ComputerSystemProduct.Version.
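The same data gathered with CIM, plus a way to test the exact WQL a task sequence condition would run, as an added example of mine (not from the original post). Nothing is assumed about the machine; everything comes from the box the script runs on, so it can be run on a reference machine before the condition goes into the task sequence.

```powershell
# Added example, not from the original post: the identity fields the two wmic commands
# return, gathered via CIM, and a local test of a task sequence model condition.
function Get-HardwareIdentity {
    # Model as MDT's %Model% and an SCCM WMI condition see it (Win32_ComputerSystem),
    # the csproduct Name/Version pair, and the BIOS serial number.
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $csp  = Get-CimInstance -ClassName Win32_ComputerSystemProduct
    $bios = Get-CimInstance -ClassName Win32_BIOS
    [pscustomobject]@{
        Manufacturer   = $cs.Manufacturer
        Model          = $cs.Model          # what "Model LIKE ..." conditions match against
        ProductName    = $csp.Name          # what "wmic csproduct get name" prints
        ProductVersion = $csp.Version       # Lenovo keeps the marketing name here
        SerialNumber   = $bios.SerialNumber # what "wmic bios get serialnumber" prints
    }
}

function Test-ModelCondition {
    # Runs the same WQL an SCCM "WMI Query" condition would, so the LIKE pattern can be
    # confirmed on a reference machine before editing the task sequence.
    param([Parameter(Mandatory)][string]$ModelPattern)
    # WQL string literals use backslash escaping for quotes and backslashes.
    $safe  = $ModelPattern -replace '([\\"])', '\$1'
    $query = "SELECT * FROM Win32_ComputerSystem WHERE Model LIKE `"%$safe%`""
    $hits  = @(Get-CimInstance -Query $query -ErrorAction Stop)
    [pscustomobject]@{ Query = $query; Matches = ($hits.Count -gt 0) }
}

Get-HardwareIdentity | Format-List
Test-ModelCondition -ModelPattern 'OptiPlex 9020'
```

If Matches comes back false on a machine you expected to hit, compare Model and ProductVersion in the first output; that is usually where the string you copied into the condition came from.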

Enable a user to Change their Password if it has Expired using OWA for Exchange 2010 and 2013

(Screenshot: OWA change password prompt)

If you work in a place with a lot of remote users and a password policy with expiry set, you need to give your users a way to change their passwords. Microsoft ISA / TMG configured with forms-based authentication could do this out of the box. The good news is that Exchange 2010 and 2013 also have the capability; it just needs to be enabled. Change the following registry entry at your own risk.

Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeOWA on each Client Access server that serves OWA and create a REG_DWORD value named ChangeExpiredPasswordEnabled if it doesn't already exist, then set it to 1. This is a per-server registry setting rather than an Exchange cmdlet, so it isn't replicated across the organisation: set it on every CAS and add it to your build notes so a replacement server doesn't quietly lose the feature.

Once you have done that, recycle the OWA application pool (MSExchangeOWAAppPool) in IIS or restart IIS itself, and users whose passwords have expired will be prompted to change them at the OWA sign-in page instead of having to call the IT helpdesk.
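To apply it consistently rather than server by server in regedit, here is an added example of mine (not from the original post) that sets the value on every Client Access server in the organisation, recycles the OWA app pool and reads the value back for verification. It assumes it is run from the Exchange Management Shell by an account that can use PowerShell remoting to each CAS.

```powershell
# Added example, not from the original post: enable ChangeExpiredPasswordEnabled on
# every Client Access server, recycle the OWA pool and verify. Assumes EMS and
# PowerShell remoting rights to each server.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeOWA'
$name = 'ChangeExpiredPasswordEnabled'

$cas = Get-ClientAccessServer | Select-Object -ExpandProperty Name

$results = Invoke-Command -ComputerName $cas -ArgumentList $path, $name -ScriptBlock {
    param($Path, $Name)
    # New-ItemProperty fails if the value already exists, so update in that case.
    if ($null -ne (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {
        Set-ItemProperty -Path $Path -Name $Name -Value 1 -Type DWord
    } else {
        New-ItemProperty -Path $Path -Name $Name -Value 1 -PropertyType DWord | Out-Null
    }
    # Recycle so OWA re-reads the setting; equivalent to the manual IIS recycle.
    Import-Module WebAdministration
    Restart-WebAppPool -Name 'MSExchangeOWAAppPool'
    [pscustomobject]@{
        Server = $env:COMPUTERNAME
        Value  = (Get-ItemProperty -Path $Path -Name $Name).$Name
    }
}

$results | Format-Table Server, Value -AutoSize
$missing = $cas | Where-Object { $_ -notin ($results | ForEach-Object { $_.Server }) }
if ($missing) { Write-Warning "No result from: $($missing -join ', ')" }
```

Any server listed in the warning at the end either refused the remoting session or failed part-way; those are the ones to visit by hand.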

Troubleshooting 4.3.1 Insufficient System Resources Error for External Mail Flow on Exchange 2013

(Screenshot: QueueDatabasePath in EdgeTransport.exe.config)

I've recently been contracting to an educational organisation, assisting with their BAU work as well as helping them modernise some of their processes and server environment. I was recently given a trouble ticket where I had to troubleshoot slow external mail flow. They have an ancient spam-filtering appliance coupled with an Exchange 2013 deployment. My first look was at the appliance; after checking its inbound mail queue I could quickly see e-mails sitting there with the following response code:

452 4.3.1 Insufficient system resources

The above response code is a temporary (4xx) rejection. It is what Exchange returns when back pressure is active: the Transport service has detected that a monitored resource (free disk space, memory, queue database size) has crossed its threshold and stops accepting new submissions until the resource recovers. The thresholds live in EdgeTransport.exe.config, and when back pressure kicks in the MSExchangeTransport source logs event 15004 (resource pressure increased) and 15005 (pressure decreased) in the Application log; Get-ExchangeDiagnosticInfo -Server <name> -Process EdgeTransport -Component ResourceThrottling shows the current state of each monitor. From the information I had, their databases sat on another disk with at least 50% free space, and going through the event log I could find no trace of this. Their mailbox database servers were also transport servers, so they performed message queuing, which meant there was another database to take into consideration: the transport queue database (mail.que). By default it sits under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue, and unlike a mailbox database it isn't moved with a cmdlet; its location is the QueueDatabasePath setting in EdgeTransport.exe.config (Exchange 2013 does ship a Move-TransportDatabase.ps1 script in its Scripts folder that edits the config and moves the files for you).

As I was unsure of their environment, I quickly navigated to the EdgeTransport.exe.config file under the Bin directory and found the value of QueueDatabasePath pointing at their C drive, which had only around 5% free space. I then cleared out some log files that were not required and wrote a PowerShell script that will run nightly until more space is provisioned on those servers.

Moral of the story is always give your Exchange servers plenty of free space to prevent such issues.
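The check the ticket really needed, written up as an added example of mine (not the author's nightly script): read where the queue database and its logs actually live from EdgeTransport.exe.config, report free space on those volumes, and pull any back pressure events from the last day. The Exchange install path and the 10% warning line are assumptions; it assumes local drive letters rather than UNC paths for the queue.

```powershell
# Added example, not from the original post: locate the transport queue database from
# EdgeTransport.exe.config, check free space on its volume(s) and list recent back
# pressure events. Install path and warning threshold are assumptions.
param(
    [string]$ExchangeBin = 'C:\Program Files\Microsoft\Exchange Server\V15\Bin',
    [int]$WarnBelowPercentFree = 10
)

function Get-TransportQueuePaths {
    # Parses appSettings in EdgeTransport.exe.config; falls back to the Exchange 2013
    # default location when a key is not present in the file.
    param([string]$Bin)
    $cfg = [xml](Get-Content -LiteralPath (Join-Path $Bin 'EdgeTransport.exe.config') -Raw)
    $settings = @{}
    foreach ($a in $cfg.configuration.appSettings.add) { $settings[$a.key] = $a.value }
    $default = Join-Path (Split-Path $Bin -Parent) 'TransportRoles\data\Queue'
    [pscustomobject]@{
        QueueDatabasePath        = if ($settings['QueueDatabasePath'])        { $settings['QueueDatabasePath'] }        else { $default }
        QueueDatabaseLoggingPath = if ($settings['QueueDatabaseLoggingPath']) { $settings['QueueDatabaseLoggingPath'] } else { $default }
    }
}

function Get-VolumeFreeSpace {
    # Free space for the drive a path lives on (local drive letters only).
    param([string]$Path)
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')   # e.g. C:
    $vol = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    [pscustomobject]@{
        Path        = $Path
        Drive       = $drive
        FreeGB      = [math]::Round($vol.FreeSpace / 1GB, 2)
        PercentFree = [math]::Round(100 * $vol.FreeSpace / $vol.Size, 1)
    }
}

$paths  = Get-TransportQueuePaths -Bin $ExchangeBin
$report = @($paths.QueueDatabasePath, $paths.QueueDatabaseLoggingPath) | Sort-Object -Unique |
    ForEach-Object { Get-VolumeFreeSpace -Path $_ }
$report | Format-Table -AutoSize
$report | Where-Object { $_.PercentFree -lt $WarnBelowPercentFree } | ForEach-Object {
    Write-Warning "$($_.Drive) holds the transport queue and has only $($_.PercentFree)% free"
}

# 15004 = resource pressure increased, 15005 = decreased (source MSExchangeTransport).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchangeTransport'; Id = 15004, 15005; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Running this on each transport server in the environment would have pointed straight at the C drive, without having to open the config file and work out the drive by hand.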

PowerShell Script to Install Updates Offline in a WIM image using DISM

(Screenshot: WSUS Offline Update downloader in action)

I've been helping a customer build a new MDT deployment environment and move away from Ghost and the 90s. As they are not going to be implementing System Center Configuration Manager and SUP to maintain their images offline any time soon, we need a way to keep their image up to date with updates without having to rebuild it every time.

I knew you could already do offline servicing with DISM but wanted to make it nice and easy for them. I’m using WSUS Offline Update to download all of the updates in one shot, you could also use WUD but their lists haven’t been updated for a while.  I copied the zip and extracted it to their deployment server and downloaded all of the updates for Windows 7 x64 SP1 and saved them all to a single updates folder. I then built up the below PowerShell script to offline service their image and apply the updates downloaded.

$UpdatesPath = "E:\Updates"
$MountPath = "E:\MDTDeploymentShare\Operating Systems\W7X64SP1\Mount"
$WimFile = "E:\MDTDeploymentShare\Operating Systems\W7X64SP1\REFW7X64.wim"

# DISM needs the mount directory to exist (and be empty) before it can mount the image
New-Item -ItemType Directory -Path $MountPath -Force | Out-Null

DISM /Mount-Wim /WimFile:"$WimFile" /Index:1 /MountDir:"$MountPath"
if ($LASTEXITCODE -ne 0) { throw "Mount failed with exit code $LASTEXITCODE" }

# Only .msu and .cab files are servicing packages; apply them in name order
$UpdateArray = Get-ChildItem -Path $UpdatesPath -Include *.msu, *.cab -Recurse | Sort-Object Name
ForEach ($Update in $UpdateArray)
{
    DISM /Image:"$MountPath" /Add-Package /PackagePath:"$($Update.FullName)"
    if ($LASTEXITCODE -ne 0) { Write-Warning "$($Update.Name) was not applied (exit code $LASTEXITCODE)" }
}
Write-Host "Updates Applied to WIM"
DISM /Unmount-Wim /MountDir:"$MountPath" /Commit
DISM /Cleanup-Wim

Run it from an elevated PowerShell session. If you have 100+ updates this process can take a while, so sit back and have a coffee while the script runs. Hope that helps.
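Because DISM carries on past an update that failed to apply, it is worth checking the image afterwards. This is an added example of mine, not part of the original post: it mounts the WIM read-only, lists the packages DISM sees inside it, and compares their KB numbers with the KB numbers in the file names in the updates folder. It reuses the paths from the script above (assumptions) and will only notice updates whose file names contain a KB number.

```powershell
# Added example, not from the original post: after servicing, confirm every KB in the
# updates folder is actually present in the image. Paths are assumptions.
$UpdatesPath = "E:\Updates"
$MountPath   = "E:\MDTDeploymentShare\Operating Systems\W7X64SP1\Mount"
$WimFile     = "E:\MDTDeploymentShare\Operating Systems\W7X64SP1\REFW7X64.wim"

function Get-KbNumbers {
    # Pulls every KBnnnnnn token out of a set of strings, uppercase and unique.
    param([string[]]$Text)
    $Text | ForEach-Object { [regex]::Matches($_, 'KB\d{6,7}', 'IgnoreCase') } |
        ForEach-Object { $_.Value.ToUpper() } | Sort-Object -Unique
}

New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
DISM /Mount-Wim /WimFile:"$WimFile" /Index:1 /MountDir:"$MountPath" /ReadOnly | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Mount failed with exit code $LASTEXITCODE" }
try {
    # /Get-Packages prints one "Package Identity : Package_for_KB..." line per package
    $inImage = @(Get-KbNumbers -Text (DISM /Image:"$MountPath" /Get-Packages))
} finally {
    DISM /Unmount-Wim /MountDir:"$MountPath" /Discard | Out-Null
}

$wanted  = @(Get-KbNumbers -Text (Get-ChildItem -Path $UpdatesPath -Include *.msu, *.cab -Recurse | Select-Object -ExpandProperty Name))
$missing = @($wanted | Where-Object { $inImage -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning "Not present in image: $($missing -join ', ')"
} else {
    Write-Host "All $($wanted.Count) updates from $UpdatesPath are in the image"
}
```

An update that shows up as missing is usually one that needs a prerequisite applied first, or one that is not applicable to the image's edition or architecture; DISM's own log (C:\Windows\Logs\DISM\dism.log) says which.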

Activating Windows 8.1 clients on a KMS Host running Windows Server 2008 R2

I was recently helping out a friend who had a KMS server activating their Windows 7 machines, but when they started moving their fleet to Windows 8.1 they found they couldn't install the KMS host product key for Windows 8.1, receiving the following error:

0xc004f015: The Software Licensing Service reported that the license is not installed. 
SL_E_PRODUCT_SKU_NOT_INSTALLED

To allow Server 2008 R2 to activate newer versions of Windows you need to install KB2885698. The update adds support for Windows 8.1 and Windows Server 2012 R2 clients to KMS hosts running Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 and Windows Server 2012 (see Windows Server 2012 R2 & Windows 8.1 KMS Service Activation).

Once you install the update you will need to restart the server (so do it out of hours if it's on a DC or something critical). Once you're back up and running, install your new KMS host key and then activate the host itself against Microsoft, which is the step that's easy to forget; /dlv shows the result, including whether the machine is now acting as a KMS host:

slmgr.vbs /ipk YOUR-PROD-UCTK-EYHE-RE33
slmgr.vbs /ato
slmgr.vbs /dlv

Your clients will then begin activating once the host has seen the 25-client minimum (the KMS activation threshold for Windows client editions; server editions need 5). The key will continue to activate lower versions of Windows, and if you install a Windows Server KMS key it will activate both server and client editions.
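The same steps as a script, added here as my own example (not from the original post): it refuses to continue if the hotfix is missing, installs and activates the host key, and then reads the host's state back from the SoftwareLicensingService WMI class, which is the same data slmgr /dlv prints but as an object you can check in a script. The product key is a placeholder; run it elevated on the KMS host.

```powershell
# Added example, not from the original post: install and activate a KMS host key on a
# Server 2008 R2 host and read the KMS host status back. The key is a placeholder.
param([string]$KmsHostKey = 'YOUR-PROD-UCTK-EYHE-RE33')

function Get-KmsHostStatus {
    # Whether this machine is acting as a KMS host, the count of distinct clients seen
    # (client activation starts once this reaches 25) and request totals.
    $sls = Get-CimInstance -ClassName SoftwareLicensingService
    [pscustomobject]@{
        IsKmsHost      = ($sls.IsKeyManagementServiceMachine -eq 1)
        ListeningPort  = $sls.KeyManagementServiceListeningPort      # 1688 by default
        CurrentCount   = $sls.KeyManagementServiceCurrentCount
        TotalRequests  = $sls.KeyManagementServiceTotalRequests
        FailedRequests = $sls.KeyManagementServiceFailedRequests
        DnsPublishing  = $sls.KeyManagementServiceDnsPublishing      # the _VLMCS SRV record
    }
}

if (-not (Get-HotFix -Id KB2885698 -ErrorAction SilentlyContinue)) {
    throw 'KB2885698 is not installed; install it and reboot before installing the Windows 8.1 / 2012 R2 KMS key'
}

$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
cscript //nologo $slmgr /ipk $KmsHostKey   # install the host key (fails with 0xC004F015 without the hotfix)
cscript //nologo $slmgr /ato               # activate the host itself with Microsoft
cscript //nologo $slmgr /dlv               # detailed licence view, including the KMS section

$status = Get-KmsHostStatus
$status | Format-List
if (-not $status.IsKmsHost) { Write-Warning 'This machine is not reporting itself as a KMS host; check the /ato output above' }
```

From a client, Test-NetConnection <kmshost> -Port 1688 confirms the firewall lets activation traffic through, and a CurrentCount that never moves past the first few machines usually means clients are finding a different host via DNS.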

How to Rename a SharePoint 2013 Content database name hosted on SQL Server

(Screenshot: dismounting and renaming a SharePoint database)

So I've been toying with SharePoint 2013 in my lab at home, doing the install and configuration at the moment and setting up my first site after the initial configuration, when I noticed that I had made a typo in the database name. So how do I go about fixing or renaming that database in SharePoint and in SQL Server?

First things first, we need to know the name of the content database. In my case it is easy, because we only have one and I can see the spelling mistake I made. But if you need to work out the name of the database, you can look in Central Administration under Application Management > Manage Content Databases and select the web application you are after; alternatively you can use the SharePoint Management Shell and issue the following two cmdlets:

Get-SPWebApplication | Select-Object Url, ContentDatabases | Format-List

And to see which site collections are using a particular content database:

Get-SPContentDatabase "SharePint_ContosoContentDB" | Select-Object -ExpandProperty Sites | Select-Object Url

Now that we know the name of our content database, we need to dismount it from the farm before we can rename it in SQL Server. Dismount-SPContentDatabase detaches it from the web application but leaves the database on the SQL Server (Remove-SPContentDatabase, by contrast, deletes it). To dismount, use the following cmdlet:

Dismount-SPContentDatabase "SharePint_ContosoContentDB"

Now the database is ready to rename. Open SQL Server Management Studio and connect to the database server hosting SharePoint. Usually when you go to rename a database you get an error stating that the database is in use. To get around that we put the database into single-user mode, rename it and then set it back to multi-user mode with the following SQL snippet. Note that MODIFY NAME changes the database name only; the logical and physical file names (.mdf/.ldf) keep the old name unless you rename them separately.

USE master;
-- Set to single user so the rename is not blocked by other connections
ALTER DATABASE SharePint_ContosoContentDB SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
-- Rename the database
ALTER DATABASE SharePint_ContosoContentDB MODIFY NAME = [SharePoint_ContosoContentDB];
-- Set back to multi user for production use
ALTER DATABASE SharePoint_ContosoContentDB SET MULTI_USER;

Once we have renamed the database on our SQL Server, it is time to mount it back onto SharePoint. We do that by issuing the following PowerShell on our SharePoint server (add -DatabaseServer if the database isn't on the farm's default SQL Server):

Mount-SPContentDatabase "SharePoint_ContosoContentDB" -WebApplication http://intranet.contoso.com/

And there you have it, renaming a SharePoint content database if you make a typo like me.
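The whole rename as a single script to run on a SharePoint server, added here as my own example rather than something from the original post. It dismounts the database, warns about anything still connected before ROLLBACK IMMEDIATE kicks it off, runs the rename over .NET SqlClient, mounts the database again and finally lists the logical and physical file names, which the rename leaves untouched. The database and web application names are the ones used in the post; the SQL Server hostname is an assumption.

```powershell
# Added example, not from the original post: rename a SharePoint content database end
# to end. Names are the ones from the post; the SQL Server host is an assumption.
param(
    [string]$OldName   = 'SharePint_ContosoContentDB',
    [string]$NewName   = 'SharePoint_ContosoContentDB',
    [string]$WebApp    = 'http://intranet.contoso.com/',
    [string]$SqlServer = 'sql01.contoso.com'     # assumption
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Invoke-Sql {
    # Runs T-SQL against master with integrated auth; returns any rows as DataRow objects.
    param([string]$Server, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=master;Integrated Security=True"
    $conn.Open()
    try {
        $da = New-Object System.Data.SqlClient.SqlDataAdapter($Query, $conn)
        $dt = New-Object System.Data.DataTable
        [void]$da.Fill($dt)
        $dt
    } finally { $conn.Close() }
}

# The names go into [ ] quoted identifiers and '' string literals; refuse anything that could break out.
foreach ($n in $OldName, $NewName) { if ($n -match "[\]']") { throw "Unsafe database name: $n" } }

Dismount-SPContentDatabase -Identity $OldName -Confirm:$false

# ROLLBACK IMMEDIATE will kill these; list them so there are no surprises.
Invoke-Sql -Server $SqlServer -Query "SELECT host_name, program_name FROM sys.dm_exec_sessions WHERE database_id = DB_ID('$OldName')" |
    ForEach-Object { Write-Warning "Still connected to ${OldName}: $($_.host_name) ($($_.program_name))" }

Invoke-Sql -Server $SqlServer -Query @"
ALTER DATABASE [$OldName] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
ALTER DATABASE [$OldName] MODIFY NAME = [$NewName];
ALTER DATABASE [$NewName] SET MULTI_USER;
"@ | Out-Null

Mount-SPContentDatabase -Name $NewName -DatabaseServer $SqlServer -WebApplication $WebApp | Out-Null
Write-Host "$NewName mounted on $WebApp"

# MODIFY NAME does not touch the files; this shows what still carries the old name.
Invoke-Sql -Server $SqlServer -Query "SELECT name AS LogicalName, physical_name AS PhysicalName FROM sys.master_files WHERE database_id = DB_ID('$NewName')" |
    Format-Table LogicalName, PhysicalName -AutoSize
```

Whether the file names are worth fixing is a judgement call; SharePoint doesn't care, but whoever inherits the SQL Server will wonder why the files don't match the database.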

How to reset the Remote Desktop Server Licensing Grace Period on Windows Server 2012 with Remote Desktop Services

So we recently started looking into Terminal Services and RemoteFX to power some of our admin users and move them to thin clients instead of full-blown desktops. As a trial I began setting up RDS on one of our dev machines. After going through the motions of enabling the Remote Desktop features and setting up RemoteFX on a virtual machine for testing, I found that I couldn't log in via RDP to that machine. Going back to the RDS host I found the licensing pop-up informing me that the 128 day trial licence had expired. Since this was a test I didn't want to go using keys to activate or set up a licensing server (purely a PoC for us in IT at this stage).

To reset the grace period there is a registry value that needs deleting. As always when editing the registry, take a backup of the key you're modifying first. Navigate to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

Under that key there is a REG_BINARY value (its name begins with L$RTMTIMEBOMB; it's the one in the screenshot). By default even administrators can't delete it, so first take ownership of the GracePeriod key and grant yourself Full Control, then delete the value and reboot the server. Once it's back up, RDS licensing will be back at the start of the 120-day grace period. I wouldn't do this if you have already obtained licensing, and it should definitely not be used in a production environment: it resets the evaluation clock and nothing else.
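An added example of mine (not from the original post) that does the safe parts from PowerShell: it reports how many days of the grace period are left using the same WMI method the licensing pop-up relies on, exports the key as a backup, and only with -Reset attempts to delete the timebomb value. Taking ownership of the key still has to be done in regedit as described above; if that hasn't been done the script tells you so instead of failing half-way. The backup file name is an assumption; run it elevated.

```powershell
# Added example, not from the original post: show remaining grace period days, back up
# the GracePeriod key and (with -Reset) delete the timebomb value. Assumes the key's
# ownership/permissions have already been fixed up as described in the post.
param(
    [string]$BackupFile = "$env:TEMP\GracePeriod-$(Get-Date -Format yyyyMMdd-HHmmss).reg",   # assumption
    [switch]$Reset
)
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'

function Get-RdsGraceDays {
    # Same figure the licensing pop-up shows; the TerminalServices namespace needs PacketPrivacy.
    $ts = Get-WmiObject -Namespace root\CIMV2\TerminalServices -Class Win32_TerminalServiceSetting -Authentication PacketPrivacy
    ($ts.GetGracePeriodDays()).DaysLeft
}

Write-Host "Days left in the RDS licensing grace period: $(Get-RdsGraceDays)"
if (-not $Reset) { return }

# Back up first; reg.exe wants the native HKLM\ form rather than the provider path.
$nativeKey = $keyPath -replace '^HKLM:\\', 'HKLM\'
& reg.exe export $nativeKey $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $nativeKey failed; not deleting anything" }
Write-Host "Key exported to $BackupFile"

$timebomb = (Get-Item -LiteralPath $keyPath).GetValueNames() | Where-Object { $_ -like 'L$RTMTIMEBOMB*' }
if (-not $timebomb) {
    Write-Warning 'No timebomb value found; the grace period has probably already been reset'
    return
}
try {
    Remove-ItemProperty -LiteralPath $keyPath -Name $timebomb -ErrorAction Stop
    Write-Host "Deleted '$timebomb'; reboot to restart the grace period"
} catch {
    Write-Warning "Could not delete the value ($($_.Exception.Message)). Take ownership of the GracePeriod key and grant Administrators Full Control in regedit, then rerun with -Reset."
}
```

Run it without -Reset on any RDS host you are unsure about: the days-left figure alone tells you whether the host is on a grace period or properly licensed.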