The Network Policy Server Service (NPS or IAS) Fails to Start on Windows SBS Server 2008 with an unspecified error (0x80004005)

So I was recently helping a client clean up their Small Business Server environment. One thing they weren’t using was SharePoint, so we decided to remove it from their SBS 2008 server. The removal went smoothly; simply uninstalling SharePoint Services via the Add/Remove Programs control panel did the trick. But after a restart we found that clients were no longer connecting to their wireless network, so I did some troubleshooting and found that the NPS service hadn’t started since boot-up.

I then tried starting it manually, but the service failed with an unspecified error, 0x80004005, which was very helpful. After some more digging around and Google-Fu I found that this had to do with the access VSS grants via a registry entry. The value under the following key needed to be updated from 0 to 1.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl

Make sure that the entry for NT AUTHORITY\NETWORK SERVICE is set to 1. If it is set to 0, change it to 1. Once you have changed the value you can either restart, or terminate any running IAShost.exe processes via Task Manager and then start the NPS service.

This issue has been documented by Microsoft as occurring when you remove SharePoint from SBS 2008, so just a heads up if you do and rely on NPS for authentication for things like Remote Access or wireless.
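The check and fix above as a script, added here as an example rather than anything from the original post. It assumes an elevated PowerShell session on the SBS host; the service name IAS (display name "Network Policy Server") and the IASHost worker process are as shipped by Windows.

```powershell
# Added example (not from the original post): verify the VssAccessControl entry NPS
# depends on, repair it if needed, then restart the service. Run elevated on the SBS host.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl'
$name = 'NT AUTHORITY\NETWORK SERVICE'

# The value name contains a backslash, so read it via dynamic property access
$current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    Write-Host "Value '$name' is missing under $key; check the key exists before continuing"
} elseif ($current -ne 1) {
    Write-Host "Value '$name' is $current; setting it to 1"
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
} else {
    Write-Host "Value '$name' is already 1; nothing to change"
}

# A leftover IASHost.exe worker keeps the old state, so stop it before starting NPS
Get-Process -Name IASHost -ErrorAction SilentlyContinue | Stop-Process -Force

Start-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, DisplayName, Status
```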

How to log into ASDM for a Cisco ASA when you get the Unable to launch device manager error

I like to keep my clients’ devices up to date to prevent issues from arising and to have access to the devices’ latest features. Unfortunately not everyone is happy to pay that little extra for an ongoing support / maintenance agreement. I was recently out at a customer who had an ASA 5505 which had been running for years but needed some new NAT translations added. So I fired up my laptop and loaded ASDM Launcher; after typing in the credentials I got an “Unable to launch device manager on ASA-5505” error. One thing I like to do when this happens is to check why: click on the Java icon in the login window and you will be presented with the Java console, where I saw the following:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

The main thing sticking out to me was “Java couldn’t trust Server”. To fix this I needed to open the Java Control Panel, then navigate to the Security tab > Edit Site List… > Add > enter the URL of ASDM. In my case that was https://192.168.1.254/. Once I had added that, click OK and Apply and close your browser / ASDM Launcher. Now if you try to log in again it should let you through into ASDM and allow you to make the changes you need.

Another method to resolve this error is to export the device’s certificate to your computer (use Firefox to navigate to the appliance’s web page and export the SSL certificate), then import it into Java using the Control Panel method above, but hit Manage Certificates… instead.

If you’re running a newer version of ASDM this doesn’t happen; some also say downgrading Java to 1.6 removes the issue. Hope that helps someone out.

Random password prompts with users running Windows Phone / Mobile Active Sync for Exchange through ISA 2006 or TMG Reverse Proxy


So I recently came across an issue where some end users were being prompted for their password when using a Windows Phone device (Android and Apple devices seemed immune). The client had recently had an Office 365 hybrid configuration completed and were using ISA / TMG as a reverse proxy to authenticate external users to their local infrastructure. Their move to a hybrid deployment required some changes to the way they had TMG set up (adding another web listener and re-configuring some rules).

Judging from the password prompt, I quickly gathered that the issue was around a web listener, so I opened up their one for Exchange. The listener used forms-based authentication, so I went to the Forms tab and hit Advanced to see what options had been enabled or disabled. I could see that “Apply session timeout to non-browser clients” was enabled. After disabling this option and applying the changes, ActiveSync clients stopped prompting users for their passwords and the sessions remained active even after the timeout value expired.

Hyper-V Virtual Machine stops responding to network traffic if VMQ (Virtual Machine Queues) are enabled on a 1GB physical NIC

I recently took on a new customer whose IT infrastructure was a mess. They have good hardware but the setup they had was just awful (it was an internal guy who had great ideas but little skill). They had Hyper-V running on a nice new Gen9 HP server on Windows Server 2012 R2, which is a nice combination. Once they were onboarded they let us know that the server kept on crashing (they had no idea their setup was virtualised or that they had more than one server…). Virtual Machine Queuing, or VMQ, allows the “virtualization” of the network, letting the physical NIC create paths to each virtual NIC to offload the traffic.

After about a week, I got the call I was waiting for, telling me their server had stopped responding: the virtual machine was still up but wasn’t responding to pings or allowing access to network resources (it was their SBS server). So as a quick fix I disabled and re-enabled the NIC on the host (as a best practice you should have a dedicated management NIC to allow access to the host), which brought things back online. After having a quick look at the Broadcom NIC I saw it had VMQ enabled, so I set it to disabled and restarted the server out of hours. Since then there haven’t been any issues with the servers dropping off the network.

The issue hasn’t resurfaced since, and is documented in the following Microsoft KB article: https://support.microsoft.com/en-us/kb/2986895

It is interesting to note that the server had the latest drivers and firmware installed but was still having the issue, so I’d recommend leaving VMQ disabled completely as the benefits aren’t that great (unless you’re running high-traffic 10 Gbps NICs).
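To find which adapters on a host still have VMQ on before one drops off the network, the following is an added example (not code from the post or the KB article); it uses the built-in NetAdapter cmdlets on Windows Server 2012 R2 and assumes an elevated session on the Hyper-V host.

```powershell
# Added example (not from the original post): report VMQ state per physical adapter and
# turn it off on 1 Gbps NICs only, leaving 10 GbE adapters as they are. Run elevated on the host.
$report = Get-NetAdapter -Physical | ForEach-Object {
    $vmq = Get-NetAdapterVmq -Name $_.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name       = $_.Name
        Driver     = $_.DriverDescription
        LinkSpeed  = $_.LinkSpeed          # human-readable, e.g. "1 Gbps"
        SpeedBps   = $_.Speed              # bits per second, used for the comparison
        VmqEnabled = if ($vmq) { $vmq.Enabled } else { $null }   # $null = no VMQ support
    }
}
$report | Format-Table -AutoSize

# 1 Gbps is 1,000,000,000 bit/s; anything at or below that gets VMQ disabled.
# Disabling VMQ resets the adapter, so expect a brief blip on that NIC.
$report | Where-Object { $_.VmqEnabled -eq $true -and $_.SpeedBps -le 1000000000 } | ForEach-Object {
    Write-Host "Disabling VMQ on $($_.Name) ($($_.LinkSpeed), $($_.Driver))"
    Disable-NetAdapterVmq -Name $_.Name
}

# Re-read so the final state is visible
Get-NetAdapterVmq | Select-Object Name, Enabled | Format-Table -AutoSize
```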

Specify ClickView Server IP settings via the Registry using Group Policy with an ADMX Template

So I was recently going through our Group Policy and found that we were applying a reg file to specify the server IP for our ClickView Players. I don’t really like this approach anymore and tend to try to have everything nice and neat, so I set about creating an ADM file to store the setting. I also wanted the ability to disable the School Bag feature for our labs.

Whilst creating the file I relied on the Language Reference for Administrative Templates on MSDN. I find it much quicker to build it in Notepad with the old syntax than to go around making an XML-based ADMX file.

Once I was done, I got my hands on Microsoft’s free ADMX Migrator (download here) and used it to convert my ADM file. After a quick clean-up I imported them into one of our Domain Controllers and was then able to manage our ClickView Player a little more easily, without having to rely on a reg file. You can download the ADM/ADMX for your Group Policy store below.

ClickView Group Policy ADMX.
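For anyone who would rather write the ADMX directly, the following is an added illustration of the two policies described (a text value for the server address and an enable/disable switch for School Bag); it is not the template from the post, and the vendor registry key, value names and namespace are placeholders to be replaced with whatever your ClickView Player version actually reads. It needs a matching ADML file for the referenced strings and presentation.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added illustration, not the downloadable template from the post.
     Key and valueName entries are PLACEHOLDERS; substitute the real ClickView ones. -->
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="clickview" namespace="Example.Policies.ClickView" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ClickViewPlayer" displayName="$(string.ClickViewPlayer)" />
  </categories>
  <policies>
    <!-- Text policy: writes the server address into a REG_SZ value under the player's key -->
    <policy name="ServerIP" class="Machine" displayName="$(string.ServerIP)"
            explainText="$(string.ServerIP_Help)" presentation="$(presentation.ServerIP)"
            key="SOFTWARE\PLACEHOLDER_VENDOR\ClickView Player">
      <parentCategory ref="ClickViewPlayer" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <elements>
        <text id="ServerIP_Text" valueName="ServerIP" required="true" />
      </elements>
    </policy>
    <!-- Enabled/Disabled policy: Disabled writes 0 (School Bag off), Enabled writes 1 -->
    <policy name="SchoolBag" class="Machine" displayName="$(string.SchoolBag)"
            explainText="$(string.SchoolBag_Help)"
            key="SOFTWARE\PLACEHOLDER_VENDOR\ClickView Player" valueName="SchoolBagEnabled">
      <parentCategory ref="ClickViewPlayer" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
```

Drop the ADMX into the Central Store (PolicyDefinitions) with its ADML in the language subfolder, and the two settings appear under Computer Configuration in the Group Policy editor.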

Hope that makes life easier for someone.

Use Microsoft Excel to split words into cells for easier data manipulation

A client was recently part of an expo and used the opportunity to collect subscribers for their mailing list. Unfortunately the data input method wasn’t designed with their back-end database in mind, which has a potential customer’s first name and last name separated into different fields. Luckily the data was clean enough that we could use Excel to perform some manipulation and, using formulas, pull the words apart.

To do this, there are two formulas that we need to use, one being LEFT and the other MID. In the example above, we have John Smith as the name; we use LEFT to get John and MID to get Smith into separate cells. The two formulas you need are:

=LEFT(B2,(FIND(" ",B2,1)-1))
=MID(B2,FIND(" ",B2)+1,200)

Using these, simply change the cell reference to where your data is (in our case B2). Once everything is split up, the spreadsheet can be exported and imported into a database table, for example in MySQL.


Setting item level (Calendar, Tasks etc) permissions for Mailboxes and Users with PowerShell for Exchange 2007, 2010 and 2013

Every so often I get a request to allow people to view someone else’s calendar. Usually I just tell that person to go and ask whoever the calendar belongs to for permission. This isn’t always possible though, as on a few occasions I’ve had to give access because the other person is away.

With mailboxes you can use the management tools to give access rights, but what if I just want to give them access to a calendar or tasks, for example? This is where the Exchange PowerShell console comes in: I can give a user permission to a particular folder. So, for example, if I wanted to give user1 permission to edit manager1’s calendar, I would do the following:

Add-MailboxFolderPermission -identity manager1:\Calendar -user user1 -accessrights Editor

You can use the following on all of the Outlook Exchange-based folders like so, replacing <User> with the identity of the mailbox whose folder permissions you want to modify and <delegate_user> with the username of the person you are giving permission to:

Add-MailboxFolderPermission <User>:\Calendar -User <delegate_user> -AccessRights Editor
Add-MailboxFolderPermission <User>:\Tasks -User <delegate_user> -AccessRights None
Add-MailboxFolderPermission <User>:\Inbox -User <delegate_user> -AccessRights None
Add-MailboxFolderPermission <User>:\Contacts -User <delegate_user> -AccessRights None
Add-MailboxFolderPermission <User>:\Notes -User <delegate_user> -AccessRights None
Add-MailboxFolderPermission <User>:\Journal -User <delegate_user> -AccessRights None

You can also quickly check who has access to a folder (like a calendar) by using the following cmdlet, again replacing <user> with the identity of the mailbox:

Get-MailboxFolderPermission -Identity <user>:\Calendar
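Once delegations like the ones above are handed out ad hoc, it is worth being able to list them across the organisation; the following is an added example (not from the post) that runs the same cmdlet over every mailbox and reports the non-default entries on one folder. It assumes the Exchange Management Shell, English folder names, and a placeholder export path.

```powershell
# Added example (not from the original post): list every non-default permission entry on a
# given folder for all mailboxes, so calendar delegations can be reviewed and cleaned up.
# Assumes the Exchange Management Shell; $folderName must match the mailbox language.
$folderName = 'Calendar'
$builtIn    = @('Default', 'Anonymous')   # entries present on every folder; not delegations

$rows = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $folder = "$($mbx.Alias):\$folderName"
    # SilentlyContinue skips mailboxes that have no such folder (e.g. not yet initialised)
    Get-MailboxFolderPermission -Identity $folder -ErrorAction SilentlyContinue |
        Where-Object { $builtIn -notcontains $_.User.ToString() } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox      = $mbx.Alias
                Folder       = $folderName
                Delegate     = $_.User.ToString()
                AccessRights = ($_.AccessRights -join ',')
            }
        }
}

$rows | Sort-Object Mailbox, Delegate | Format-Table -AutoSize

# Keep a dated copy so later runs can be diffed against it (path is a placeholder)
$stamp = Get-Date -Format 'yyyyMMdd'
$rows | Export-Csv -Path "C:\PLACEHOLDER\folder-permissions-$stamp.csv" -NoTypeInformation
```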

Hope that helps someone.

Migrating your whole RADIUS configuration (IAS) from Server 2003 to Server 2012 (NPS)

I was recently migrating an environment that ran two 2003 servers to two 2012 R2 servers. One of the challenges of migrations is ensuring there is as little disruption as possible, whether it is during business hours or not. This organization had a single RADIUS server controlling access for their 300+ users for wireless and Remote Access.

One of the useful tools nestled away in the 2008 R2 / 2012 installation media is a tool called iasmigreader.exe. This invaluable little tool can easily migrate the entire IAS / RADIUS configuration from Server 2003 and allow me to import it into NPS (better than mucking around with netsh and then manually editing text files). Find the executable you need in :\sources\dlmanifests\microsoft-windows-iasserver-migplugin\ and copy it onto the source machine where IAS is installed. Once there, open a command prompt and run iasmigreader.exe from the directory you copied it to.

Once run, the tool will export the configuration to %windir%\system32\ias\ias.txt. Copy this file across to your new NPS host, open the NPS console, right-click on NPS and select Import Configuration, browse to the text file (you will need to drop down the file type box) and import the configuration; I generally restart the NPS service for good measure. You can also run netsh nps import filename="C:\migration\ias.txt" in an elevated command prompt.

Wireless Projection / Miracast option disappears from Microsoft Surface Pro 3 / Windows 8.1 after joining a Active Directory Domain

We recently deployed some Microsoft Surface Pro 3s (love these devices) for our executive team, along with some new equipment in meeting / board rooms with wireless display capabilities. During testing with my personal SP3 (not domain-joined) the wireless display worked a treat, so I expected it to work fine on the ones we would be deploying.

After about a week, one of the managers shot me an e-mail saying he couldn’t see the option for wireless display. That night he had performed a reset of the device, came in and had the option, but once we joined it back to the domain it disappeared. I started digging around Group Policy to see what was causing it to disappear and found that these devices were getting an old “XP”-based Wireless Network Policy. I upgraded the policy, which then gave us some extra options, including allowing / disallowing Wi-Fi Direct.

Computer Configuration > Policies > Windows Settings >Security Settings > Wireless Network (IEEE 802.11) Policies

The setting “Don’t allow Wi-Fi Direct groups”, which needs to be disabled, can be found under the “Network Permissions” tab. From what I can see, any wireless policy configured for XP doesn’t have this option and a machine will simply disallow it.

How is Miracast or WiDi related to Wi-Fi Direct? Well, basically Wi-Fi Direct allows devices to connect directly to each other without the need for a Wi-Fi AP, which is exactly what your Surface is doing when attempting to stream the display straight to a TV / projector.

Once we had this option turned off and ran a gpupdate on the machine, voilà, wireless display showed up and began working.


How to Fix being unable to add, edit or delete domain controllers in the Domain Controllers Computer Set on Microsoft TMG or ISA 2006

There seems to be a bug in Microsoft’s TMG (Threat Management Gateway) / ISA 2006 (Internet Security and Acceleration Server) that, once installed and configured, prevents an administrator from modifying the entries in the Domain Controllers Computer Set. This computer set is used in a number of System Policies, and if you ever change the IP address of a DC contained in this set (which is what I needed to do), it needs to be updated for things to continue to function correctly. Firstly, we will need to get into the Registry to verify the GUID of the computer set (by default it is generally {F77C3B63-0DD8-440B-9921-A9341533A9C6}). Navigate to HKLM\Software\Microsoft\Fpc\Storage\Array-Root\Arrays\{GUID}\RuleElements\ComputerSets, find the Domain Controllers computer set and note down its GUID.

Now we need to start up ADSI Edit on the TMG / ISA machine. Connect to localhost on port 2171 with the naming context CN=FPC2. Expand to CN=FPC2, CN=Array-Root, CN=Arrays, CN={3E5A92A0-0C54-4BD5-A8EB-1A0F1E77FF79}, CN=RuleElements, CN=ComputerSets. Locate the GUID we found before, right-click it and select Properties. Now under the Attribute Editor find the msFPCPrefined attribute and set it from True to False.

Restart the TMG / ISA Console (no need to restart any services) and you should now be able to go into the Domain Controllers Computer Set and perform changes as required.