Microsoft’s Group Policy Documentation Survival Guide

The Technet Group Policy Documentation Survival Guide contains all the information you will need to evaluate, plan, deploy, maintain, or support Group Policy.

The guide is available in HTML and PDF formats.  Note that this guide contains links to where to find the pertinent information - not the information itself.  Microsoft does a pretty good job spreading the information around on different web sites, so this guide provides a central starting point for finding the various resources.

Recommendations for securing Internet Explorer, Firefox and Safari web browsers

CERT has a document that shows some specific steps you can take to secure your Internet web browser.  Detailed instructions, including screen shots, are provided, along with explanations of what you are configuring and what the potential ramifications are.

The document focuses on IE, Firefox, and Safari and includes supplemental reference links to additional content.  They also include links to configuring similar options for Opera, Mozilla SeaMonkey, Konqueror, and Netscape.

Found via ts/sci security blog.

Windows Server 2008 Installation Error: Windows installation has encountered an error and needs to be restarted

I was installing Windows Server 2008 Enterprise x64 on Monday, and the installation kept bombing out with the following error message after I entered my volume license product key:

Windows installation has encountered an error and needs to be restarted

I tried re-burning the .iso image, thinking I had a bad burn or defective media, but the install kept failing. I even went back and re-downloaded the same .iso image, but the results were the same.

I was finally able to get the install to succeed by choosing not to enter a Windows product key. Windows balks at not providing the key, but will allow you to continue the install.

After doing some research I found this post that mentions this installation problem is related to using a Technet/volume license key with a trial version of the OS.

Fix: GWAVA 4 qms_digest.db keeps corrupting

One of my clients uses GWAVA for spam filtering on their Netware 6.5.7 / Groupwise 7.0.2 server.  After upgrading from GWAVA 3 to version 4 they kept experiencing problems where no one would receive their daily digests.  The GWAVA support staff diagnosed the corruption in qms_digest.db as the cause of why the digests were not being released.  Their initial thought was some anti-virus program was scanning the database configuration file and was causing the corruption, but the problem persisted even after excluding the pertinent files and directories from the scan.

I was finally able to track the cause of the corruption down to a scheduled nightly reboot of the Groupwise/GWAVA server.  It seems that not unloading the Groupwise MTA before unloading GWAVA was causing the problem when the server auto-restarted.

Here’s my gwreset.ncf file that unloads the MTA, unloads GWAVA, then restarts the server without causing the corruption in the qms_digest.db file.

# begin gwreset.ncf script to restart Groupwise/GWAVA server gracefully
unload gwmta
# delay.nlm waits x number of seconds before continuing
load delay.nlm
delay 30
# gwavadn.ncf unloads all GWAVA4 components in the correct order
GW:\opt\beginfinite\gwava4\assets\bin\gwavadn.ncf
delay 60
reset server -f
# end gwreset.ncf script to restart Groupwise/GWAVA server gracefully

Another problem I was experiencing was using nogwava.ncf instead of gwavadn.ncf to unload the GWAVA components.  nogwava.ncf was the proper script for GWAVA3, while gwavadn.ncf is the correct one to use for GWAVA4.

Fix: After installing Windows XP SP3, the Address Bar is Removed from the main taskbar

From the Windows XP General newsgroup, edited for French to English translation issues and brevity:

I just installed SP3 using Windows Update (I had XP SP2 Pro fully
updated). Everything went fine, I restarted the PC and apparently everything
fine after the desktop showed up (no error messages, etc). But after
examining my system I found the following:

The address bar is removed in the main taskbar, so I tried right-clicking
on the taskbar > Toolbars > but noticed that the Address option has been
removed in SP3.

To restore the Address toolbar in the taskbar, in the  %windir%\system32 directory, replace the SP3 version of browseui.dll with the SP2 version.  Windows File Protection gets in the way (and so does explorer.exe for the Windows desktop and some other processes).  The workaround is to use the PendingFileRenameOperations key in the registry.  

Values under this key specify which files to move, replace,
or delete when Windows starts up.  Get the PendMoves.zip file from
SysInternals (now a Microsoft company) which contains the
pendmoves.exe and movefile.exe utilities.  Pendmoves tells you what is
already in that registry key to get renamed on the next Windows startup
(after which this key gets cleared).  movefile lets you add entries to
this registry key.  

If you haven’t yet installed Windows XP SP3, save a copy of the file: 

Start - Run - Cmd
md c:\backup 
copy "%windir%\system32\browseui.dll" c:\backup\

If you have already installed SP3, you will have to get a copy of
browseui.dl_ (ends with the underscore character) from your backups,
from a Windows SP2 install CD, from another of your hosts still running
Windows XP SP2, or from a friend that you really trust.  If you get the
compressed browseui.dl_ file, decompress it:

expand [drive:[path]]browseui.dl_ c:\backup\browseui.dll

Now that you have the old version of the browseui.dll file, you need to
replace the SP3 version with the old version.  Run the following
command in a DOS shell:

copy c:\windows\system32\browseui.dll c:\windows\system32\browseui_sp3.dll
movefile c:\backup\browseui.dll c:\windows\system32\dllcache\browseui.dll
movefile c:\backup\browseui.dll c:\windows\system32\browseui.dll

<reboot>

The assumptions are: movefile.exe is in the current directory or found
by the PATH environment variable and that you saved the old version of
browseui.dll under c:\backup.  

Do NOT use “%windir%\system32\browseui.dll” for the destination since the windir
environment variable won’t be defined when the move operation is
performed during Windows startup.  In the above, I save a copy of the
SP3 version of browseui.dll just in case it is found later that using
the old version causes problems and I have to revert back to using the
SP3 version along with having to sacrifice the Address toolbar.

While this gets back the Address toolbar in the Windows taskbar, the
browseui.dll file is used by lots of different functions within Windows.
So it is possible that reverting to the old version could cause problems
with other functionality. 
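The pendmoves check described above, as an added example that is not part of the newsgroup post: Python functions that decode the string list held in PendingFileRenameOperations and pick out the entries that touch the system directory, so pending replacements can be reviewed before a reboot. The function names, the `root` default and the sample entries are assumptions constructed for illustration.

```python
# Added example. PendingFileRenameOperations is a REG_MULTI_SZ value under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Its strings come in
# pairs: source path, then destination path.
#   empty destination     -> delete the source at startup
#   destination with "!"  -> replace an existing file at the destination
# Paths carry the NT prefix \??\ which is stripped here for readability.

NT_PREFIX = "\\??\\"


def _clean(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_moves(strings):
    """Return (action, source, destination) tuples from the flat string list."""
    strings = list(strings)
    if len(strings) % 2:          # trailing source with no destination string
        strings.append("")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if not dst:
            ops.append(("delete", _clean(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", _clean(src), _clean(dst[1:])))
        else:
            ops.append(("move", _clean(src), _clean(dst)))
    return ops


def system_file_changes(ops, root="c:\\windows\\system32\\"):
    """Operations that write to or delete from the system directory (assumed root)."""
    hits = []
    for action, src, dst in ops:
        target = (dst if dst is not None else src).lower()
        if target.startswith(root):
            hits.append((action, src, dst))
    return hits


# Constructed sample: the replacement from the post plus two unrelated entries.
SAMPLE = [
    "\\??\\c:\\backup\\browseui.dll", "!\\??\\c:\\windows\\system32\\browseui.dll",
    "\\??\\C:\\Temp\\setup.tmp", "",
    "\\??\\C:\\Temp\\new.ini", "\\??\\C:\\ProgramData\\app\\app.ini",
]

if __name__ == "__main__":
    for op in system_file_changes(parse_pending_moves(SAMPLE)):
        print(op)
```

An unexpected entry that replaces a file under system32 is worth investigating before the machine is restarted, since the operation runs at the next startup.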

Windows XP SP3 and Associated Resources

Windows XP SP3 is now available for download.  Before you manually update your machine, check out KB936929, Release notes for Windows XP Service Pack 3.  It has links to various other KB articles that discuss items such as troubleshooting installation problems.  You can also read the Overview of Windows XP SP3.

Please be aware of the following scenarios prior to installing XP SP3:

If you are an IE 6 user, SP3 will simply update your IE 6 installation. You will continue to be able to upgrade to IE 7 as an option.

If you are an IE 7 user, it will update your IE 7 installation. HOWEVER, you will NOT be able to go back to IE 6 after applying this service pack.

If you are an IE 8 (beta) user, you will need to uninstall IE 8, apply the service pack, and then reinstall IE 8.

Check out Jane’s post for additional information regarding how XP SP3 affects the various versions of Internet Explorer.

If Windows XP SP3 is not yet ready for your environment, you can download the Windows Service Pack Blocker Tool Kit that will keep it from automatically installing the update for 12 months following the service pack’s release.  Please note that this toolkit will not prevent the installation of the service pack from CD/DVD, or from the stand-alone download package.

Groupwise Webaccess Loads, but Users Cannot See Webaccess Login Screen

Saturday I received a frantic call from the network administrator of a client.  Their Groupwise 7.0.2 system that runs on a Netware 6.5.7 server had suddenly become inaccessible from both the Internet and local network for Webaccess clients.  Users who used the full Groupwise client reported no issues.

The local admin had performed some troubleshooting prior to contacting me.  She had rebooted the server several times, confirmed Webaccess was loading, verified Webaccess was inaccessible from both the standard URL and IP based URL, i.e. https://mail.domain.com/gw/webacc and https://10.0.0.6/gw/webacc.  She also verified there was nothing odd logged in the Webaccess log files. 

On the Netware server console I typed m ap* to see if the apache2.nlm was loaded.  The .nlm was not listed, so I typed ap2webup.ncf to try to load the Apache web server.  I did not receive an error about Apache not loading, and the logger screen did not show any errors, but when I typed m ap* again, Apache2.nlm was still not listed.

I was fairly certain this was an Apache, not Groupwise Webaccess problem, so I checked out the most recent error_log file in my Sys:\Apache2\logs folder, where I found the following message:

[Sat Apr 26 13:37:23 2008] [crit] (10022)Unknown error: make_secure_socket: for port 443, WSAIoctl: (SO_SSL_SET_SERVER) Configuration Failed

I did some searching and came across TID 3209228 Apache for Netware will NOT load any longer.  This article pointed to a certificate problem being the reason why Apache would not load.

I followed the TID’s advice and performed the following from the Netware server console:

  1. Load pkidiag.nlm
  2. Login as admin (or someone with appropriate rights to create certificates)
  3. Select options 4, 5, 6, 0
  4. Load tckeygen.ncf
  5. Rebooted the server

Once the server restarted, Apache loaded successfully, and the Groupwise Webaccess login screen was once again available for web clients.
 

Howto: Fix Windows XP Updates Installation Problem for KB945185, KB943973, and KB947355

My Windows XP SP2 machine has once again decided to stop automatically updating itself.  I have Automatic Updates (AU) set to download updates automatically, but to prompt me to install them.  When I initiated the installation procedure AU would run and try to install the updates, but would ultimately fail with error 0x80070643 for KB945185, KB943973, and KB947355.

I found the following messages in Windows XP’s System Event Log:

EventID: 20 Source: Windows Update Agent
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Office 2003 (KB945185).

EventID: 20 Source: Windows Update Agent
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Works Suite 2005 (KB943973).

EventID: 20 Source: Windows Update Agent
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office 2003 (KB947355).

The following messages were found in the Windows XP Application Event Log:

Source: MsiInstaller EventID: 10005
Product: Microsoft Office FrontPage 2003 — Error 25090. Office Setup encountered a problem with the Office Source Engine, system error: -2147023838. Please open C:\Program Files\Microsoft Office\OFFICE11\1033\SETUP.CHM and look for “Office Source Engine” for information on how to resolve this problem.

Source: MsiInstaller EventID: 1024
Product: Microsoft Office FrontPage 2003 - Update ‘Security Update for Office 2003 (KB945185): VBE6’ could not be installed. Error code 1603.

Source: MsiInstaller EventID: 11729
Product: Microsoft Office FrontPage 2003 — Configuration failed.

Source: MsiInstaller EventID: 1024
Product: Microsoft Office FrontPage 2003 - Update ‘Security Update for Office 2003 (KB943973): WORKS632’ could not be installed. Error code 1603.

Source: MsiInstaller EventID: 1024
Product: Microsoft Office FrontPage 2003 - Update ‘Security Update for Office 2003 (KB947355): MSO’ could not be installed. Error code 1603.
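The error values in the event-log messages above can be decoded and compared, shown here as an added example that is not code from the original post. It splits an HRESULT into its fields and pulls the Win32 code out of each kind of message; the function names are hypothetical, and the sample lines are retyped from the messages above with plain ASCII punctuation.

```python
import re

# Win32 error names for the two codes that appear in these messages.
WIN32_NAMES = {1058: "ERROR_SERVICE_DISABLED", 1603: "ERROR_INSTALL_FAILURE"}
FACILITY_WIN32 = 7

HEX_RE = re.compile(r"error (0x[0-9A-Fa-f]{8})")   # Windows Update Agent
SYS_RE = re.compile(r"system error: (-?\d+)")      # Office Setup, signed decimal
MSI_RE = re.compile(r"Error code (\d+)")           # MsiInstaller
KB_RE = re.compile(r"KB\d{6}")


def decode_hresult(value):
    """Split a 32-bit HRESULT (signed or unsigned) into its fields."""
    u = value & 0xFFFFFFFF
    facility = (u >> 16) & 0x7FF
    code = u & 0xFFFF
    return {
        "hex": "0x%08X" % u,
        "failed": bool(u >> 31),
        "facility": facility,
        "win32": code if facility == FACILITY_WIN32 else None,
    }


def analyse(lines):
    """Return (kb, win32_code, name) for every line that carries an error value."""
    findings = []
    for line in lines:
        kb_match = KB_RE.search(line)
        kb = kb_match.group(0) if kb_match else None
        hex_m, sys_m, msi_m = HEX_RE.search(line), SYS_RE.search(line), MSI_RE.search(line)
        if hex_m:
            code = decode_hresult(int(hex_m.group(1), 16))["win32"]
        elif sys_m:
            code = decode_hresult(int(sys_m.group(1)))["win32"]
        elif msi_m:
            code = int(msi_m.group(1))
        else:
            continue
        findings.append((kb, code, WIN32_NAMES.get(code, "unknown")))
    return findings


# Sample lines retyped from the event-log text on this page.
SAMPLE = [
    "Installation Failure: Windows failed to install the following update "
    "with error 0x80070643: Security Update for Office 2003 (KB945185).",
    "Product: Microsoft Office FrontPage 2003 -- Error 25090. Office Setup encountered "
    "a problem with the Office Source Engine, system error: -2147023838.",
    "Product: Microsoft Office FrontPage 2003 - Update 'Security Update for Office 2003 "
    "(KB945185): VBE6' could not be installed. Error code 1603.",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

The Windows Update error 0x80070643 carries Win32 code 1603, the same code MsiInstaller reports, and the Office Setup system error -2147023838 is 0x80070422, Win32 code 1058.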

I found these messages interesting since I am running Office 2007, not version 2003.  I opened Control Panel - Add/Remove Programs and looked at the list of Microsoft programs installed on my machine:

  • Office Professional Plus 2007
  • Visio Professional 2007
  • Live Meeting 2005
  • Front Page 2003

I assumed the problems were stemming from the Front Page 2003 and/or Live Meeting 2005 installation.

The first thing I checked is if the Office Source Engine Service was not running as described in KB903774:

“When you deploy software updates and hotfixes to computers in your organization by using Microsoft Windows Server Update Services (WSUS) or by using the Microsoft Update Web site, some Microsoft Office updates are not successfully installed on certain client computers.”

To resolve this issue, follow these steps:

1. Determine the status of the Office Source Engine service. To do this, follow these steps:

a. Click Start, click Run, type services.msc, and then click OK.
b. In the list of services, double-click Office Source Engine.
c. View the option that appears in the Startup type list.

2. If the startup type is set to Disabled, change the startup type to Manual. To do this, click Manual in the Startup type list, and then click OK.

3. Try to install the Office Update packages again.

This was not my solution, since I was trying to use Automatic Updates, while the above solution is for Microsoft Update and WSUS users.

I eventually found the following post, which suggested editing the following registry keys to fix the update problem.  I’ve edited it a bit and posted it below.

Note: Removing the following registry keys may reset customized user settings for your Microsoft Office programs.  You may also need access to your original Office installation CDs in order to repair your Office programs.

Part I:  Reset Office configuration in Windows Registry

1. Close all the applications.
2. Click on Start - Run, type regedit and click OK.
3. Locate and select the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\11.0

4. Right click on 11.0 and rename them to Old11.
5. Close the Registry Editor.

Part II: Detect and Repair Office 2003

1. Click Start - Control Panel.
2. Double-click Add/Remove Programs.
3. Click Change/Remove Programs on the left pane.
4. Highlight Microsoft Office Professional Edition 2003 on the right pane
and click Change.
5. Insert the correct version of CD when it requires. (if your installation files are not cached locally)
6. Select Reinstall and Repair and click Next.
7. Select Detect and Repair errors in my Office installation
8. Click Install and wait for the process to complete.

Now you should be able to install the Microsoft updates.  Even though I had various versions of Office applications on my machine, I only needed to repair Front Page 2003.  You may find that you need to repair the entire Office Suite, or some combination of Office products.

Troubleshooting the “Unable to Complete Request” Error When Synching a Blackberry with Groupwise via Blackberry Desktop Manager

A client has periodically received the “Unable to Complete Request” message when synching her Blackberry 7100i with Groupwise via Blackberry Desktop Manager.

We previously fixed this error by following the instructions found in Blackberry KB11703, but that only fixes the problem for a few months, and requires Intellisync to be reconfigured. This includes re-entering the Groupwise password, which can be a problem if the user is not around when you are troubleshooting the problem!

Her configuration included the following:

  • Windows XP SP2
  • Groupwise Client 7.0.2
  • Blackberry Desktop Manager 4.2.2.1.4

No relevant errors were shown in the Windows System or Application log files.

Her Blackberry Desktop Manager RIM.log file showed the following error messages:

  • “Failed to open device database!”
  • “Internal Error #-728.  Translation Canceled!”
  • Internal Error #4238. Translation Canceled!

I enabled advanced logging for Intellisync by following the instructions in Blackberry KB01451 and found the following errors in the ptTrace.log file:

  • Wed Apr 23 12:27:24 2008: Error 1st=1053 (f=0xb006) 2nd=722 (f=0x8a0a2).-728 at D:\TEMPDIR_5154\se_5x_engine\iltif2\TIFSYNC.CPP line 5156
  • Wed Apr 23 12:27:24 2008: Error 0x41d.1053.-728 at D:\TEMPDIR_5154\se_5x_engine\iltif2\TIFSYNC.CPP line 4926
  • Wed Apr 23 12:27:24 2008: Error 0.-728 at D:\TEMPDIR_5154\se_5x_engine\ilxtrans\CILTRANS.CPP line 1383 
  • Wed Apr 23 12:27:24 2008: Error -728.-728 at D:\TEMPDIR_5154\se_5x_engine\ilsdk\Ilx_sdk.cpp line 337
    12:27:24.921: Translation Unit Status: User=4014a094, rc=-728, Phase=30, TrErr=-728, SysErr=0 at D:\TEMPDIR_5154\se_5x_engine\ilx32\XLATEV3.cpp line 490
     
  • Wed Apr 23 12:27:24 2008: Error -728.-728 at D:\TEMPDIR_5154\se_5x_engine\ilsync\XLATE.CPP line 3243 
  • Wed Apr 23 12:27:24 2008: Error -728.-728 at D:\TEMPDIR_5154\se_5x_engine\ilsync\XLATE.CPP line 2893 
  • Wed Apr 23 12:27:24 2008: Error -728.-728 at D:\TEMPDIR_5154\se_5x_engine\ilsync\XLATE.CPP line 2465 
  • Wed Apr 23 12:27:24 2008: Error -728.-728 at D:\TEMPDIR_5154\se_5x_engine\ilsync\XLATE.CPP line 3689

To fix the Groupwise calendar synchronization problem I did the following, without re-configuring Intellisync:

1)  Open Blackberry Desktop Manager – Synchronize icon – Configuration tab – Configure Sync button – Configure drop down box – Advanced Settings

2) Select the Field Mapping Button

3) Double Click on Alarm Flag, Free Busy, and Private to make the mapping relationship double arrows disappear.

4) Click OK 3 times

5) Select Synchronize tab – Synchronize Now.  Synchronization should now succeed.

6) Navigate to Configure Sync button – Configure drop down box – Advanced Settings - Field Mappings button.

7) Drag the fields in the right column up or down to align them with matching Handheld fields in the left column.  Click or press the spacebar to map or unmap the fields.  Re-associate the following fields:

  • Alarm Flag – Alarm Flag
  • Free Busy – Status
  • Private – Private Flag

8) Click OK 3 times

9) Select Synchronize tab – Synchronize Now.  Synchronization should now succeed.

Please note:

I chose the Alarm Flag, Free Busy and Private field mappings because they seemed somewhat non-standard.  I may have only needed to re-associate one of these fields.  If/When the synchronization fails again, I’ll try just changing one field at a time to try to nail down which one actually caused the problem.

You may also find that a different field mapping is the cause of your problem.  To ensure the calendar synchronization is actually the cause of your issues, try performing a sync with no categories selected for synchronization.  If this succeeds, try enabling synchronization for one category at a time until you can get the sync to fail.

Howto: Fix the Outlook 2007 Double Spacing Problem

I use Outlook 2007 and have experienced crazy formatting problems under certain circumstances that are not always reproducible. Here’s what I did to fix the problem:

  1. Close both Outlook and Word if they are running
  2. Browse to my C:\Documents and Settings\User\Application Data\Microsoft\Templates directory and rename the normal.dotm and normalemail.dotm files. These files will be automatically recreated the next time you launch Outlook. Note that renaming these files may cause you to lose signatures and other custom settings.
  3. Launch Outlook, then close Outlook. This will cause your normalemail.dotm file to be recreated.
  4. Launch Word, then close Word. This will cause your normal.dotm file to be recreated.
  5. Recreate your signatures if needed.
  6. Repeat this process for any other user profiles you may have.

I’m sure there is a more elegant way to fix this problem, but I’ve tried modifying everything I could think of inside both Outlook and Word - styles, formatting, stationery, Outlook templates, etc.
